From f10ce00f0433f9d5b6d7c1a6f2138d918436883e Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Sun, 27 Aug 2023 00:58:55 +0100
Subject: [PATCH] nixos/middleman: Add script to deploy mailcow SSL certs

---
 .keys/mail-vm-host.pub | 3 +
 .keys/mailcow-acme.pub | 1 +
 lib/default.nix | 4 ++
 .../shill/containers/middleman/default.nix | 17 +++++
 secrets/middleman/mailcow-ssh.key.age | 64 +++++++++++++++++++
 5 files changed, 89 insertions(+)
 create mode 100644 .keys/mail-vm-host.pub
 create mode 100644 .keys/mailcow-acme.pub
 create mode 100644 secrets/middleman/mailcow-ssh.key.age

diff --git a/.keys/mail-vm-host.pub b/.keys/mail-vm-host.pub
new file mode 100644
index 0000000..edace5a
--- /dev/null
+++ b/.keys/mail-vm-host.pub
@@ -0,0 +1,3 @@
+mail.nul.ie ssh-rsa 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
+mail.nul.ie ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNrg7CJC2On7gYLpShEYy2AhhJfUYs0nOwLlQ9ua9KcrLxv1LZKI9vh18phtQpA+JCM2Fh+z9xpPwQ9YONYBD8Y=
+mail.nul.ie ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJelp0F1tIqJNBZT4nmQjXxkIroDzVdh1c8aNd8F6N3X
diff --git a/.keys/mailcow-acme.pub b/.keys/mailcow-acme.pub
new file mode 100644
index 0000000..70de748
--- /dev/null
+++ b/.keys/mailcow-acme.pub
@@ -0,0 +1 @@
+ssh-rsa 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 dev@castle
diff --git a/lib/default.nix b/lib/default.nix
index f666a1e..03d7309 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -271,5 +271,9 @@ rec {
 me = ../.keys/me.pub;
 deploy = ../.keys/deploy.pub;
 rsyncNet = ../.keys/zh2855.rsync.net.pub;
+ mailcowAcme = ../.keys/mailcow-acme.pub;
+ };
+ sshHostKeys = {
+ mail-vm = ../.keys/mail-vm-host.pub;
 };
 }
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
index d04a49a..ccdc49d 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
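Review bot: The `dev@castle` comment on the new deploy key in .keys/mailcow-acme.pub records where the key was generated rather than what it is for, and nothing in this patch shows the key being constrained on the mail host, so as installed it would let the ACME post-run hook run any command as `acme@mail.nul.ie`. The hook only needs to upload two files and run `mailcow-ssl-reload`, so the matching authorized_keys entry on the mail host should carry `restrict` and a forced `command=` wrapper that accepts the upload and triggers the reload, and the key comment should name its purpose (for example `middleman-acme-deploy`). Note also that `mailcowAcme` is added to lib/default.nix but nothing in this patch reads it; a one-line comment saying it is kept for provisioning the remote authorized_keys would explain its presence.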
@@ -50,6 +50,11 @@ in
 owner = "acme";
 group = "acme";
 };
+ "middleman/mailcow-ssh.key" = {
+ owner = "acme";
+ group = "acme";
+ mode = "400";
+ };
 "middleman/nginx-sso.yaml" = {
 owner = "nginx-sso";
 group = "nginx-sso";
@@ -175,11 +180,23 @@ in
 ];
 dnsProvider = "cloudflare";
 credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
+ postRun =
+ let
+ sshKey = config.age.secrets."middleman/mailcow-ssh.key".path;
+ in
+ ''
+ ${pkgs.openssh}/bin/scp -i ${sshKey} key.pem fullchain.pem acme@mail.nul.ie:/tmp/
+ ${pkgs.openssh}/bin/ssh -i ${sshKey} acme@mail.nul.ie mailcow-ssl-reload
+ '';
 };
 };
 };
 };
 
+ programs = {
+ ssh.knownHostsFiles = [ lib.my.sshHostKeys.mail-vm ];
+ };
+
 services = {
 netdata = {
 enable = true;
diff --git a/secrets/middleman/mailcow-ssh.key.age b/secrets/middleman/mailcow-ssh.key.age
new file mode 100644
index 0000000..c2ea6ad
--- /dev/null
+++ b/secrets/middleman/mailcow-ssh.key.age
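Review bot: The `postRun` hook added in the second hunk of middleman/default.nix stages the certificate's private key in the shared `/tmp/` directory on mail.nul.ie under the fixed names `key.pem` and `fullchain.pem`, and the reload runs whether or not the copy succeeded. A predictable path in a world-writable directory can be pre-empted by any other local account on that host, so the upload should go to a directory owned by the `acme` user there (placeholder: `<acme-staging-dir>`) that `mailcow-ssl-reload` reads from. Chaining the two commands also prevents a reload after a failed copy: `${pkgs.openssh}/bin/scp -i ${sshKey} -o BatchMode=yes key.pem fullchain.pem acme@mail.nul.ie:<acme-staging-dir>/ &&` followed by the existing ssh line, with `-o BatchMode=yes` added to the ssh call as well so the hook fails fast under systemd instead of waiting for input. Whether the surrounding acme service script already runs with `set -e` is not visible here; if it does, the `&&` is only belt-and-braces.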
@@ -0,0 +1,64 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZGY3c1ZyBVaHhs +SGhzV25ic1JMaS8xTW15NFh3UW43SWZkMUgwRkxYU3R0UXU2dVJrCjBDaEl0bXFI +N0VsZnZuaEFnNnlZaWRXRzNvZTB1b01uNVdKSHd1U1g5aEEKLT4gWDI1NTE5IDdZ +aGgwekJ5eXV1TUdySWhVSVNpWDlNWXNJUk5KcSs0K1laOFhHS2F4bWcKenptOXAw +dERXN05meWM5SllYb0xjVkVMaFlvYmhvWTlKT1M4WExPR29BTQotPiBqLWdyZWFz +ZQpCWkE4YmJDVVB5Qk1LS0VYTzV1d2VtdwotLS0gai8vaFBtUy82MWV1WDN1b2dC +SS9DTGxJNCtNWEx4YnIzU2FnSmNabllKMAqXJ9W+nbNcSr4YFj5wdgDUgJo0R5YM +DFmnEQqG0HPW/Eol2b7nivWp3LpI+0BJ/Cp7ZR3mp8ILWTsU9N4P5tHhQx0/uHTl +yE89H8uDWtDIQndOn22HK6Qfuq24rCdC/bRo+HPC0NWIuuePoDgKWkbOf7r/8EYO +lKf1Ff0RaEvnni97PPSo93eJwoa9KsLtlFHDwOPxgYzaR5n/TkyOkoGbIhN42LT3 +yg8CmrQCYXnGxYE3ai/3nYsLQkXxLxWSwwzAJMaAUG/3WdpxxW9WLkmcjqbC+JIv ++ArN4AOnuG0BfvMLrcXy07W4+aaL7BD+xlOmwqRW8BhzJTzXDgsPQvOezD9Dv7sq +1pDwc8Oa/r8e+L0eqog/eYirkk/FwZfL++rCnIxwfELxobTZ5aSn8hSJdZ9oTShc +h9W5nXGRB/09Orp3OpCQVVLiiLuMA89y64Tj25L6uTvM3GHczy6LzBsmNiT8gvwr +rWjM61fDUSIl6/8kC4dV91L6Xroi2tOeEmQFq0dQMy53ayGJNyLey28Xent4NPUe +uWO+Lue6MGU/vQE02w7yQdcQBBiBaFdT1kgL7rNI0BocB2YtLLcNulPdvfkn4AuL +Spr3RRXjv66Frv90LVmWqjE/8m49xpClU6O/xL54DI3ZR56QWk3S42L7y3ErhFSa +cNPOivc1ZIidrbCS796iUtsJaxh7g/ks7fkoYkQgF+svyQPaX2/iIW9q8OO9oobT +S7DlfjZapCr4xxp0E85Mz/09ZLz/Hyq0+PQlEk7xrdsQJALlU3fX71U1cyszb5zn +TOJb80MexjwOFD8W4EscVVJnMjr+2z2pQT1gVaEV9U7mQMzfc9iHu9Gu1wk4kPZS +r9LZHtiQ7vKBFc5vssq/fAsmz/2EW1LocMswQZA6aYhZoukcjDwaYyC4jwy1FTQD +Cs0KQa/bGJ+oANXSHtbWPc7lkblJ2RXrHq4Q+7jBhsWGIb3mt1Lqd6pXoC5tgJo8 +3L6sOsSDgbkSz7Z4eLc7CNnqAlrwTymayCXsRMJ83+0BnhoHm30p6yoBKCL7RUbq +DvydVvC5Eg8v2dw//MwjAZ3pk3ugZvMWqGQWRmwBqZLzBug2xHunmLT1udzybgJF +ZxdfPbMzrzAivd3t1cOn3Nzq1dNaCW/4HZxcASEBKo/bnFr41XSUwQ1CNUpRzjON +cqqUZlF18q5CUj4GHGCMVoC1pF06HIulLiGKwQcS5V/kskenKYtCtiAcYqgUoEHH +b36gnWuJyr63+WN3ulbCItoeevJw8gUjWhR0ZLrKNGzQ/JPHvrGlvayOOGNWoS7+ +QNfA/9dXS3hMNy2Dy9YleD/SPD4CqbKEw+4UF9uwZvUJzqnn2NEA5+J7CdQkD/66 +FG4SnEWmC8BZg75FVxsCBU41Bvzwplt4G2VwTITOWGwGi532hL3x/ePji2Imwbuq 
+ojoYrvbbu3YyWzTozrM7DpMjmO89MY6utvPhdY6UaqwGKQjiSj+2gkAPlij8aUnK +ErQ6aF4xMPx8qlK7iG5Lt42oHoJls/PA+TRWSeCt21Lj4cHxD/N2U4iosro4uD3M +bkp//Zp0vsRgMwtGHbVa2eixG9b4BGorw7LhHpHIwCKO0Bjpvi2aG/qZfnDdXfVV +zppC/mKHKI6L/ZZ/+K4ec5IFvwnloMOPVXqiNPbyWL9ltmv5TjnPDgEQgP9KmqVp +uCv35wNKoG2xIMSTD5xEKLiqw1z6R2hSkWzMirkgE196TZhiUyvEp/H3PJyJoumA +58x5KRprffau3pUlxNcbpnIHHRKU/YoftQCsMtP2G04/Lw6Rrbg1P5R0aYVa4uDH +5LJC3D1XZtkFD9TOyMxWgXeW9O5KkLuBp8aw3AcJAcMDuu6SgQoWBIAgvXyzHuh2 +wa6I0OwSsOvNOX2mZDMe5RTTOn3EVR4isIKis+gorFTQ+KiSojZ+hf0G7jIkWSbX +fYqN7JhpVz4+EbNpNYn9ITjbbAhTU7dGz0IHyqgxEjyq0KtnVmfM0ANZuQznXtlL +VMsxNQypkE3oTCgAVTmFZAM5t0edQiWIUTnRCxrf8cDr6148/MQ7VNkMTjUUA3iJ +n48U5yVNRNSY6cYUl7PDRkMWYBVY8Yk3d/kJg0Ckle7WSiXEo1I84N8MOs8OeYpB +q/o3fQAUqLLiWBAMtdtKNfPbTcO29mHX00Ehw8RbYtfsVj98JaTPV7xEvoV9X0Di +1YmgtBv6Hw5wZ088WC4A46Q04gfYLrj/pGV7DQQUgvFtfm9IhgA6IvtTBg4NG1uS +RAeLXTdFRcTXxsW0QaMwJHgqHOrb8GUwxa357pDy+rPrcZqd24qpKNk+RO1aIqFE +3IthKkPPvIeBKQ4R70gWQNXrpudK5sP6WcBrhd4JAmVNMSEP4uAN1t/2XGzF0xu9 +GjoHddff4NOEdZEwgvuzVgElpm5EmJ31ZtckI5mxzJT4iHpIi9RBMA0MXt7/nrqq +sIpBcL9GuNLiK/LkRrnIm7uz3iO+qOe8Eiwqfgahb1vQrzfZwBsWXEyTxuiD1DZY +Cegt8ioS7CLulXfmR6SSkhN+bpjND2CYhtNWdQ5oA3ed3iHs2sG9j3t1TFtYokvG +SPDVmwibeur+EToKrP+urEmvDu3mWQfILixWXpliqJdhjj0CAFy43Y3UoM9bQSbL +mfhRuMfAwOtq0fadpIpALaH7o4v/2eMhVdYNmccrLM5dK95+yS7w2zthAkknvawf +t3Pq+PrKCtnxuGXwFxxIfP0J02dl8ERw4+uGVd45YGTI7ZORCWzvU5L7GnuRXUBy +JPy4tc3FirvpIhVmBW+Pq2aWelZc0I5Lxzb+FiquGLMgYloXiZm1QEOaNtLLlby4 +GEy6s6qUW9HOE+XVftnzcxeFJw1ZNW8rsqYEdP0i3i4qob6WJQO7Am4FE6c6Mc1j +UZVMTslvXhy/GACR4UTdEI4fVxGZtBaArfEv/WqNqL01942cUECtTF2v8ko0YJ1o +h9g0mLovCLVF3SpLzgL7viIbQWTawo/zQWfBycfZEwKF9Js3CA+SHCHYfOgORl70 +uPs3sc2PfcqZScxbC/fBwagPHLZ+M92cOMi8UCoc62AirrrsQH/Jxtc9ohkSSrLt +InoPBcE72x7J2wzoPW42fUekkhIQVW7WQsCMX4Km6UTegh3XifUVLVwknSOUgW97 +2UdqxmoMjFIs1aKf4w7sJPAVldDaX3LNifD697dSbsFwfSFDZS/kdN87v3mNPObp +cbZapEJwzjhcfGD2SVGspbOFT/vnIHaU8hnS79ueUZnbWdnlz7v4lWk2wJGnDGKl +bkzUDulbTbniwfB1cifWWx6vrKQK3W4OFiOYtKCHMRkTzlCVKmG/pAnb9LyZ3Cq2 
+kGdFE8T/kZc6LgsUSsym376nSK9usElTn1OVOceOCTU3w16xnykJDMo3kDs2v9SQ +Oyv+AAxxUxTVNGOzwIw4Hh7zMsUO42iQkh7zjbRU9z0ZeeqaQFyFfFJ2CKvvdUfA +YVi/+AgpkV4= +-----END AGE ENCRYPTED FILE-----