nixos/middleman: Add script to deploy mailcow SSL certs

Jack O'Sullivan 2023-08-27 00:58:55 +01:00
parent ea03795dca
commit f10ce00f04
5 changed files with 89 additions and 0 deletions

3
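--- a/.keys/mail-vm-host.pub
+++ b/.keys/mail-vm-host.pub
@@ -0,0 +1,3 @@
+mail.nul.ie ssh-rsa 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
+mail.nul.ie ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNrg7CJC2On7gYLpShEYy2AhhJfUYs0nOwLlQ9ua9KcrLxv1LZKI9vh18phtQpA+JCM2Fh+z9xpPwQ9YONYBD8Y=
+mail.nul.ie ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJelp0F1tIqJNBZT4nmQjXxkIroDzVdh1c8aNd8F6N3X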

1
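--- a/.keys/mailcow-acme.pub
+++ b/.keys/mailcow-acme.pub
@@ -0,0 +1 @@
+ssh-rsa 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 dev@castle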


@ -271,5 +271,9 @@ rec {
me = ../.keys/me.pub; me = ../.keys/me.pub;
deploy = ../.keys/deploy.pub; deploy = ../.keys/deploy.pub;
rsyncNet = ../.keys/zh2855.rsync.net.pub; rsyncNet = ../.keys/zh2855.rsync.net.pub;
mailcowAcme = ../.keys/mailcow-acme.pub;
};
sshHostKeys = {
mail-vm = ../.keys/mail-vm-host.pub;
}; };
} }


@ -50,6 +50,11 @@ in
owner = "acme"; owner = "acme";
group = "acme"; group = "acme";
}; };
"middleman/mailcow-ssh.key" = {
owner = "acme";
group = "acme";
mode = "400";
};
"middleman/nginx-sso.yaml" = { "middleman/nginx-sso.yaml" = {
owner = "nginx-sso"; owner = "nginx-sso";
group = "nginx-sso"; group = "nginx-sso";
@ -175,11 +180,23 @@ in
]; ];
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path; credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
postRun =
let
sshKey = config.age.secrets."middleman/mailcow-ssh.key".path;
in
''
${pkgs.openssh}/bin/scp -i ${sshKey} key.pem fullchain.pem acme@mail.nul.ie:/tmp/
${pkgs.openssh}/bin/ssh -i ${sshKey} acme@mail.nul.ie mailcow-ssl-reload
'';
}; };
}; };
}; };
}; };
programs = {
ssh.knownHostsFiles = [ lib.my.sshHostKeys.mail-vm ];
};
services = { services = {
netdata = { netdata = {
enable = true; enable = true;
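Review bot: The `scp` line in `postRun` stages the TLS private key (`key.pem`) in `/tmp/` on mail.nul.ie, a world-writable directory with a predictable file name, so another local account on that host could pre-create `/tmp/key.pem` and end up holding the key, and nothing visible here removes the copy if `mailcow-ssl-reload` fails. I would copy into a directory only `acme` can enter, e.g. `${pkgs.openssh}/bin/scp -i ${sshKey} key.pem fullchain.pem acme@mail.nul.ie:<ACME_OWNED_0700_DIR>/` (placeholder path), and have the reload command delete the staged files. Because this runs unattended, adding `-o BatchMode=yes -o StrictHostKeyChecking=yes` to both commands makes the host-key pinning from `programs.ssh.knownHostsFiles` fail closed rather than depend on the client default. The `authorized_keys` entry for `mailcowAcme` on the mail host is not part of this commit; it should presumably restrict the key to these two operations.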


@ -0,0 +1,64 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----