WIP: Configure rspamd #3

Merged
DarkKirb merged 7 commits from rspamd-nas into main 2022-04-29 12:40:20 +00:00
7 changed files with 205 additions and 45 deletions

View file

@ -20,7 +20,6 @@
./services/minio.nix
./services/loki.nix
./services/reverse-proxy.nix
./services/rspamd.nix
];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];

View file

@ -11,6 +11,7 @@
nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-gpu-amd
nixos-hardware.nixosModules.common-pc-ssd
./services/rspamd.nix
];
hardware.cpu.amd.updateMicrocode = true;
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "k10temp" ];

View file

@ -32,8 +32,8 @@
virtual_alias_maps = "pgsql:/run/secrets/services/postfix/virtual_alias_maps.cf";
virtual_mailbox_domains = "pgsql:/run/secrets/services/postfix/virtual_mailbox_domains.cf";
virtual_transport = "lmtp:unix:/run/dovecot2/lmtp";
#smtpd_milters = "inet:localhost:11332";
#non_smtpd_milters = "inet:localhost:11332";
smtpd_milters = "inet:rspamd.int.chir.rs:11332";
non_smtpd_milters = "inet:rspamd.int.chir.rs:11332";
disable_vrfy_command = "yes";
smtpd_banner = "mail.chir.rs ESMTP NO UCE NO UBE NO RELAYCLIENT=yes YES OwO";
message_size_limit = "20971520";

View file

@ -1,40 +1,199 @@
{ config, ... }: {
services.rspamd = {
enable = true;
locals."dkim_signing.conf".text = ''
domain {
darkkirb.de {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}";
}
miifox.net {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}";
}
chir.rs {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}";
}
}
allow_hdrfrom_mismatch = true;
allow_hdrfrom_mismatch_sign_networks = true;
allow_username_mismatch = true;
use_domain = "header";
sign_authenticated = true;
use_esld = true;
'';
workers = {
normal = {
includes = [ "$CONFDIR/worker-normal.inc" ];
bindSockets = [ "[::1]:11332" ];
{ config, lib, ... }:
{
services = {
# TODO: Antivirus
rspamd = {
enable = true;
locals = {
"dkim_signing.conf".text = builtins.toJSON {
domain = {
"darkkirb.de" = {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}";
};
"miifox.net" = {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}";
};
"chir.rs" = {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}";
};
};
};
"dmarc.conf".text = builtins.toJSON {
actions = {
reject = "reject";
quarantine = "quarantine";
softfail = "add_header";
};
};
"greylist.conf".text = builtins.toJSON {
greylist_min_score = 0;
};
"hfilter.conf".text = builtins.toJSON {
helo_enabled = true;
hostname_enabled = true;
url_enabled = true;
from_enabled = true;
rcpt_enabled = true;
mid_enabled = true;
};
"history.conf".text = builtins.toJSON {
nrows = 1000;
subject_privacy = true;
};
"milter.conf".text = builtins.toJSON {
use = [
"authentication-results"
"fuzzy-hashes"
"spam-header"
"stat-signature"
"x-rspamd-queue-id"
"x-rspamd-result"
"x-rspamd-server"
"x-rspamd-bar"
"x-spam-status"
];
};
"mx_check.conf".text = builtins.toJSON {
enabled = true;
};
"neural.conf".text = builtins.toJSON {
enabled = true;
rules = {
LONG = {
train = {
max_trains = 5000;
max_usages = 200;
max_iterations = 25;
learning_rate = 0.01;
};
symbol_spam = "NEURAL_SPAM_LONG";
symbol_ham = "NEURAL_HAM_LONG";
ann_expire = "365d";
};
SHORT = {
train = {
max_trains = 5000;
max_usages = 2;
max_iterations = 25;
learning_rate = 0.01;
};
symbol_spam = "NEURAL_SPAM_SHORT";
symbol_ham = "NEURAL_HAM_SHORT";
ann_expire = "30d";
};
};
};
"neural_group.conf".text = builtins.toJSON {
symbols = {
NEURAL_SPAM_LONG = {
weight = 3.0; # sample weight
description = "Neural network spam (long)";
};
NEURAL_HAM_LONG = {
weight = -3.0; # sample weight
description = "Neural network ham (long)";
};
NEURAL_SPAM_SHORT = {
weight = 2.0; # sample weight
description = "Neural network spam (short)";
};
NEURAL_HAM_SHORT = {
weight = -1.0; # sample weight
description = "Neural network ham (short)";
};
};
};
"phishing.conf".text = builtins.toJSON {
openphish_enabled = true;
};
"reputation.conf".text = builtins.toJSON {
rules = {
ip_reputation = {
selector.type = "ip";
backend.type = "redis";
symbol = "IP_REPUTATION";
};
spf_reputation = {
selector.type = "spf";
backend.type = "redis";
symbol = "SPF_REPUTATION";
};
dkim_reputation = {
selector.type = "dkim";
backend.type = "redis";
symbol = "DKIM_REPUTATION";
};
asn_reputation = {
selector.type = "generic";
selector.selector = "asn";
backend.type = "redis";
symbol = "ASN_REPUTATION";
};
country_reputation = {
selector.type = "generic";
selector.selector = "country";
backend.type = "redis";
symbol = "COUNTRY_REPUTATION";
};
};
};
"replies.conf".text = builtins.toJSON {
expire = "7d";
symbol = "REPLY";
};
"redis.conf".text = builtins.toJSON {
servers = "${config.services.redis.servers.rspamd.bind}:${toString config.services.redis.servers.rspamd.port}";
};
};
controller = {
includes = [ "$CONFDIR/worker-controller.inc" ];
bindSockets = [ "[::1]:11334" ];
workers = {
normal = {
includes = [ "$CONFDIR/worker-normal.inc" ];
bindSockets = [ "*:11332" ];
};
controller = {
includes = [ "$CONFDIR/worker-controller.inc" ];
bindSockets = [ "*:11334" ];
};
};
};
redis.servers.rspamd = {
enable = true;
bind = "127.0.0.1";
databases = 1;
port = 6380;
settings = {
maxmemory = "500mb";
maxmemory-policy = "volatile-ttl";
};
};
nginx.virtualHosts."rspamd.int.chir.rs" =
let
listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
add_header Alt-Svc 'h3=":443"';
'';
in
{
listenAddresses = listenIPs;
sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:11334/";
proxyWebsockets = true;
};
};
};
sops.secrets."services/rspamd/dkim/darkkirb.de" = { owner = "rspamd"; };
sops.secrets."services/rspamd/dkim/miifox.net" = { owner = "rspamd"; };
sops.secrets."services/rspamd/dkim/chir.rs" = { owner = "rspamd"; };
networking.nameservers = lib.mkForce [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ];
networking.firewall.interfaces."wg0".allowedTCPPorts = [
11332
11334
];
}

View file

@ -18,6 +18,11 @@ services:
s3:
key_id: ENC[AES256_GCM,data:zb6l+BVvjvwrFAuFvuTn89qWyb9scwSQgA==,iv:ZIqMAM2m+TLooWRKy0JDEh1Cz7dEqhc9u1fJr/YJsRo=,tag:u9cxbL+0VBrzM7w2tCXrVg==,type:str]
secret_key: ENC[AES256_GCM,data:F67XmNAgVIRpTKooQBDtk9BAKv6oD/p+Poos62ox8A==,iv:oU4KKjTjFoeNkLngiMPkqGqINKm6nHf8HyD7C4BmFXc=,tag:5zJCkejgW7preo0f80Zf3w==,type:str]
rspamd:
dkim:
darkkirb.de: ENC[AES256_GCM,data:BWh1VbxBjMKMLPsFHrLIHWZGyzy8bJGYC22f1FXPWxy4WD23tfXuFMiM5TOjSgd7/7nImpndtYMXqKwyoAePGtGhpk6xogH9ObeuVisOvI8HnDZS2uuSxqWA9qA3fmP867DCDl4h3eeclpUburidCDuS4ZriA467fbvbLynX5EqntnWmrWZdTnnXs7WTAL+4ePj6optoL33BgLOvh7PREyLfzgaoBrMhJdW4mBp6XNfIbuY9JH5sUXKV4rNHDBZNoBi6UJXK69futQ+Q6Dj95OKE7l8iY/HfpF7nt1Lb9Prr1wyCQdfEd233NfUgfz6EomuKbhu3bUKau3wwIxF0qAnU+gW1BxMPzDOAS9Pm8XByJ4R9H6gHuTyleCDyq2t1TfJe7FtbIE3I9HsvrpqHGt1NETtwXrdK508PI3WrLGJusCND8KpRA0G4NMazQNPrvrFlQcQcTRe7QmZv3SLNqB4OemWSlS4uDwDYyxeaMnaKqgrwX3emRlIrrKk/eEGyCFG+FtBqsLlAiGHNE44kfjQQCrqNLFgYPWeTzgnpO0uwscYmCik6xFlpxn/0EEUtFnfOcRq3rCt9NNMX4zpJk+lFTu21LG42whDvxw4EpskLWYtdfHwob2o3IbrzuL1R7WknKMvn02asVLmn5YlOgX4dJA6J9eT17Omeq08VUnAxuOEDOZENNKMIxzoEoX90ZkjpHYqyCwJ/1ITZ1WXAaFnp8ow+wySVOYFCnw5x16A6GpDzz1rDZnXr4DY39W/yXabD9M4EAdRZHuJPEbnww5XR3n5NgYxvA9sQsKsgu4j0erJWda31Jwko6YXvJ6jMG8iySMzaD9UHZhtp3+E0kTgMzJB5gVCXuG90AUWQ4+ODK/9yO0aswi6pTakQr/y3k/XbKi85Ndt7YqhOYJZxuZdnWa519Q1Bsnyr64bbfQrRjCWeDl150G18/u5FES9dSgB0nHxIdvu8M/Xhgk0dCiQiGNWNF6XFfFFgTBu0uw8x5fIGgMrV2pp6OKUmz7Ty/UGH30c8BCTECAsafWi4WCAfpxOu5PXC9oi8QOjJegW/tetGK9S2G8+jFQvvONdQImB6IC0zzaW7BKipa3IVdc4KYtZ9NxxNKp6X2GcXEF2l6spmcZOtSeDNgKXHQE7b9wViGSdjj5KQK5RuMsxO4BAeGuLB+3jGNGiK3RijhjAIEvlSOIVoipf1lu+9QYa4wBmCOQ==,iv:uvRzwnbFMKT6EKGBfxst7CCD+uu0n/pYrjEtcHF2TIA=,tag:v4sWaO5ek6su907Z/RRPtw==,type:str]
miifox.net: ENC[AES256_GCM,data:nDkVZKozQVUZNODB5i7Eow4KH7GE8Pc2vh6UEah5t8DlZZvoi/lCIppwkaQA68WmXOK4tOii/KLJRhxdHqbHQF2D1LPfPRWJ4zHxjShcBlaNMWRGubycwmhljJURGteWbTd+kKueQd6JpWx3N+MzczAX2rIVqwahXuMyninWt1BVYRDNVTUs7PByVtnw1/Eo2pOjdj1OYowdo5ku87NZpNwyCu3pQfflH0TN3jL2W36Utvmk6m4ZgC2S1u/tNlzGDau3CLhb05rpkh5vb5Kv067rPF+ijELb9v+rjvGQNpwztzbxg6p+5rLZSSTvWwBYgKnLldbaUVxApJXCBSWwTUC8uu0VR78Wzn+sC0l/aE9SGudk1skiVQHK/nR6AppNvVzFQl99gWOWwJNHgHpLvYfTT39ECyfzYcvhFU8/7N8HpAs4/rOb6v4fUPfcqnaHEWE++J7Zw7v7IEFpxIBd8M45DrOUfGNGubfwI95/8XZJPGfNNvTloUv+RCQgiZcDaGRnKim5S22XdXyT4NiYMZq631FtQDsG8cstwqmmqedLPAjYLQoSuCr4PeRAtOs6Y+fJdzBYMqugCIvE21aEq38pWXKkRl8U7/dn12Ec9Gp7aJE/bP1/aHbzlbbJN9uIaL1veIPiU1Kk0zA75G6UqULOwSeCQMFRoHG5RBJ/weErgSayqR2TiQX04PUhIEr+YjDYO3367S3uWO5HmGTUhm1BM4qLlBKIEDmQElS34NzproAbnUVr5yeaHPNOkKkBTSRNBGjuaIQ4whUX5d3UUaEFYkDg3I2wsRtIfHQkX4F/K7T6rYrbZOK7ZHHmM2K5x5+gJnE/jvNSS99kasLd33eySw5p+Dyk0ZHM9DvFFKZ97C354IquVxh6Cs69fTYfeQvh7CRDxsHSh+0qHVbORAoXYk32/bFZaMtonnliL7u2kU41zLtMrxF56DDmBKVz1uZrYxdyKJXITOijU85gGPfauTcAXVdN9//rvddl6DIIQEJi2y8HnsQo/j/4i7rckrjB4v7lHJiCRnW7yfeKK06JgKsjONYMPpj5ooZ2cEpmnrXWXLyQnUm/4+LiXWPjjxeuijVxmKj2kmq+ZIEQfNCTppz5+3d+X80jIwyNJFyj+0bR62LLNVZFvCXtwAgatZS7Zgsa+sRRtdZ4WhIyeRHOvWxpYKIJSkoxntljlhg9Ek2c54Y9wDA7xTtBMLYYZ/RaWg==,iv:WUqqrEQUGAuoCMJcb4suQKIr3FPG83lrM6u5alzSctk=,tag:vT6VqlnOuMSIXGSW5Islww==,type:str]
chir.rs: ENC[AES256_GCM,data:sQnsfllMKiKJFGmhuaEP4gMpXM0Kx8+xJmrhoBIu1jq5fy7P0Bm/hryskKm98QXRCcK2bRmrdKGZ9XQSDtwSjBW+SX541Abated4ZqS/l5G48sW3QalWIdkYFg0Cc+1Ugn+i1XOjxt+yDS6yXVmAWLon6xYAp0s1G5AUZ5RG3bxMhYaFy9DwWRKkvrQ+/dCieYbtIfm8PXIh99PjdtxQpS1UlfvuqaZWfLYaa/GeeoCrsJfC9uC9rk+9YXMrDDdvQdq3ZFbv1RmoqTWJZWz0UxFvKqOLDF7gAnLG77O2XAWeHxJ/YHNJgGkAgpmssKXw55EM7E9YvFzmODg1PI1L6OXTnU9E86UzdqCTUbxPFcP9ACg51ABZMaRu0Cerz2qwO0CCRVaS6tUDK8zJcxHxlqHW+piZ3rnvWsn/qdacM4d9liheYHZsaOcUEijk+Z+ESrXKiYsuQg3aMV5HlaFzNLuGiPo5AS6oA3wmIFSKi1vpxB0gjb9CPrzpBdZWb+fVVHvu+CgxdKEmbosYxZuCauHriRvrQIUmtWSCS/LGvwJRjl+b4biyjdijIGp/zcpkulLa7Ap8Py9FopxS6FNL6ql7RboxIwdKv/NRBHDl3Dh6mHtKcWB8YLowW+6yJTnGV6kJ1HP6RuoiZ57FSI10bEqQ24SkeGgaULZo8BQqBATd79JzJHAMFrcFHHZEH698qVE144ueFgsuny7siVuWf0UWiVq2VNxqsyPqxtVDqctl3x7ll8kNDx2CK38a3THpN/cB/2Q0nt6rM9Tgpux8yhwnQXjOhTpujkmnLeQcVLNFEeFa/xbG96kF8j4m5MfEoO4+e3DWMnGqm2n7W91d++3/KAL5949ItS1GPLmMPMa7mntar91JiwzN0NDe11bcwGmrV1QlX6banUjeJV0s+brElR72zu9NI80go8xnMztzpC5G7XK40jyD/9rnVDFO9FweQumeDaBysSs5AKsnvo8GfR+2kcUGhJavi8ze3DZN+G/1ioYl0SOSGL2MCqZMs061qDlIB5b9Q6kwhd/t8om1DndoYAuMNIL4XCnNxYuGSQdPgPy6vaKPT15jeTBfux+MaosMEOmJy76mL0ZAMYItWXoIH2o7RdUSfyZKzlpzu8X7umRWXVQ/gkAXcqmaYIaHUN1L+anQwLlH+c0fekW+UIW89oWkTDfKK+RDRYnudm4hNSfQk+ZX3oOK7LszZKte7Q==,iv:REakVWfw/PW9k8pCpvuDwjUdWVVFgzsGR3476uXjbko=,tag:vd5ZacLILKx5Dl4KG8ZdOA==,type:str]
security:
restic:
password: ENC[AES256_GCM,data:n+M6pfe0YrONaYo3HSnijHxhThg=,iv:0J2t+58tYRJD1GmnJa8w30U+RwOl67eWeHhvLk0eeks=,tag:ivuZqpGrU7ZHFZ4IiMvxBw==,type:str]
@ -48,8 +53,8 @@ sops:
WnV3QWxtalIzWFdoQmpDTmJsNGdNOW8K++rFGXy0G6Gcu2gQwSP6xfXInQ/y5nh5
2oGp8sfOLFWnNI4SWL0ChP47K3C/9ysUHwQnUYPbRafZ/4X6cN40ZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-04-26T09:09:07Z"
mac: ENC[AES256_GCM,data:rkUKL4ctiymKsh0XN/Y/agP0DkSKaf8fCoOy0sIiz2YNDXufRuxG2VVYq3l3VAqEHFnSo/owaIQYSBzyS9mVTlgxZWZr+ENilR/jGZzenYF+vd/t983EKzJUVCc9lpxYswSz0NeToM3hCbcQIVNvKtahQMYpWwFd/he6wP0bsZc=,iv:LK4H+/ZfrSxIrXMT/Xqwzg5r/6+V+wAkMWIrMatNc0k=,tag:Zhk7Csl7Pj9+L5kgeF+wnw==,type:str]
lastmodified: "2022-04-28T20:36:41Z"
mac: ENC[AES256_GCM,data:9ivESeylU2vmyhdZfJVHhmSd792C8zDjIlyG8jF4Ktu/Pm2hM/eMsy4E86EjCb1h+K+8cq33e6Qp5BHamlo/Y3WDip2yD+se4zoHRAnZixFD/cxNSrXuY3DxL0TQ69jruNuyPRaopRZkN+dOmFIlyjYjr+MKE/tDlesNvOXYLB4=,iv:qsG2E8CpD2gl/3VgS8gcKQ0rkfc7rB3Mv7j15UDiykg=,tag:exAR3Ck3Ihte+zUCAEekxg==,type:str]
pgp:
- created_at: "2022-04-24T10:34:20Z"
enc: |

View file

@ -32,11 +32,6 @@ services:
virtual_alias_domains.cf: ENC[AES256_GCM,data:1wMqormP9Mj1wef/J1l5Dnkp7NbbUX0xT9RbxtHH5DdBZb9rPOedtY5wQ9LukGNQiRm863EhIfgsJ4IRij9LOApHb9Do3mJmBIYyjJlzf6vj7Ap5yuy5+m8y12Aj6LpnjxZf0JkWLKbt0e36Rf2ex6RCI0MCFMWw5tMy2riioWNo/I2LCpsmmGSzLk9oc74Fei6wD8Aj5x4=,iv:0D5uBmkWD2aPbFGXSIb1VNQL2TA3QlzLSwYkIpFJfI0=,tag:kN/LAKmaPHRXW9c8Idokbg==,type:str]
virtual_alias_maps.cf: ENC[AES256_GCM,data:FgHuBbf2e/3Fq8A2WY0n8XWMjohpkHUsZdddG44PLHY4//UdFeWUzcGUyJ4G4RsqEZo3thTOPxMzkXEV+eWThtdDzEtw+njdFAzltP0HRM3VtKn0LhXVP4SvyAKwGAFtCPz3R/EiutHhOv5o/4NmbRQrWByIPvWMZCfTO1NYz/P6,iv:jYMHwhCSGMdUgolGxHJxPTaUu5U0Z3uc/+JHUNPjKXo=,tag:88THWp6r3SDNSd77uUBEbw==,type:str]
virtual_mailbox_domains.cf: ENC[AES256_GCM,data:mu0oxzRVddXcue7e7XHuulAYgJDpKA+TZd5l7jPzK8xRHxdfzD+fsqm/Kl/bDWGAOlXsltbiBoaIruddywhAOGWwSgMJ8iu2NMx1u1aMvBC2qI4usfjVhp9N0jOkWmIG8YAgYgQaA6qhQorJFXeJjDNX86J5JNBdKAxwQFk20+fOZ1MtVg==,iv:5llgcXLkoRzXwHIDvwZ1qRTf/TBwMgjsxfNGo9I7Blc=,tag:AcCz4LJxacYVButRO/zl9A==,type:str]
rspamd:
dkim:
darkkirb.de: ENC[AES256_GCM,data:DMDRuQw8CYnbkMpfiJU2KXb4XL1D3DscMCGwfrp9fh+BAD5rE1wKYznW9d3GaFnpbp0lo54oeNxLdNNniHUIC4sCDZ+ZC++BEszGKuUztOR5CYEf3pTMvblX81ug67UVC9n46FkYW1LSkTE4wkijK9FuaFb41NsHSn+MHXYbWHisFwnVhM7OHB0n/h5t5st13CQD99FSSWMrW4K+2yC6TM4RJ5Q5k8cyDtYehY05govdxOJzkbR1NEywXdItbq3B1ytISD60dUT4mzag1NGCoGq8SPcaCGro7mTiRHb1ukLBXIPnP3lJv/OE1cpkx4Jq4smbjpIezcSltknNQNsjHYabeSI6aA2P4Tcqg+ZTaVDlxJiur1y26mlqW4guyQ84CONdtmk3pIKN803NmLSXnXIwuphOBkBQ4qH5BL8rsIYqcRClJ6Sbg+qzpwpjbYJSFH0GVyCAwrpR24g88dF0/dvkRqd2uIDSXzecj2/Yy9Xpy643E4F2NPVzZ717tCVZam5CCsGiM2hcLIAh9V6+1kqeK6RZquAJmIBlW3MIRi0XjvLAFf5ujjeFI0dciTsTqTk5L0oNl6pGdUX2HW0beULKlyq+YBDe+h1E+Uh2sUA3z/1ladaBxHvZqjAGOiPtOsZc0zoc4S8nTVY9WX0tjPAfmYD/K1gi6J3v0ZMY/laeVxBRhsq96N4rBPujsdM/P9VnVbHziv90U6kJzE0MqKHdkMVETVKU0ppgIIMLnNt1B8VXzcTBtXxSjSzxdmlRHiiOvhQZiQ5NpUI4N8d5OHn8qa7YaaDnYnDMY3UWLamx54Uo1ZMTjChpbCNhY8pylmW7o6htdYo4xys3MaM1QSeyh5EQSCS4Z7a++nrLLBF5hPSccgUUK10pWbcY+3DupZw65UHqsxuGTUE6CR0OQEL4GfOZPLKxLgjCLNkcSnYyVLWCjarSWzMPPDidLkvlwtQfrnwOQnecfeOpXx1mtBAeu/lRuIVR5SLLbjz0bxEpQtDr3GRM2GTtlwTbcpuoBd0fp71h84YMvPAxlHrE8Rc1oLUuNMA53/QhcxlHJodHuUlfPldp7yIJ88usO0x7M+I73zT2u0j/iD1FA12t2eDpISZxrxhLtJDQMLipk3HNwDOnWBCN6sFBgI793BLaj/AWPoysAb5aDA9Ngr0gE7NEFUACOMmKQiJ4UNjtknTW5NooT4wteUAxXy1pPS6HUg7UiQ==,iv:4Q6feGSN5cg0qRsiSGGoYcmZkUzEYu+gBEDamWIeysE=,tag:nuTbDStPrgY8QYeFWumPrg==,type:str]
miifox.net: ENC[AES256_GCM,data:jKaLHITYtL9T2bIivaaTNjzhkKEQwBs12fsEF4kjruBSGnZz7BipWAOKwQnN58g9rJ56AHHBBWyHhLxrxj8FWitppxPZctX3okta80MHWydn0C85Ok6EdAJgy48HFocZXYgNAQuWH3R7trT3HSe2uXMQlAY90J9NtmB49xV5xWPl389CDecFq6ze+Hoif5GV83eFu8BhNn/QKz8o2YKbIiOUKWzIccgpF5xBGubDXFnlLucXm8kaYJ+rMFgkjj/0+gGtqb1M49yVQXaXWpns15xyWYzjOPCI6CtcrCVkNQ6K8i9e0aZh3TJwbjmAKgP2506zu2z02Ew/2c/E+TyzQj5YD/jNSibdene5K1Kg/miCexJjCnKnqaOqk53gU9Uez8NObSVB9ZN3hoD8R6XlHSeDiOuI/KxRpAWxqTuOGUM84ustp/wdf07kk0X6SuaYUZ0BT8/2WBgGJv8YwcjgG/1MxoULOmNzMb/frLkguD14zp8O/lmlaZFhka62v8ajeBqH0YoD+XdLwTcVa3WR6rs8Zpji41qSwWNaLlqTmD/ONz7hMYNLkIwG+4536YoJJzYxpisDZsEJy4ZBO28iaqG6wZxqfPFM2nSfkGKAZMzlCJL5pAvvuiV0GH0o1JnpGhzkCk713JbzpKyKHZ/shb1YfhGPELyzgGdktsD1HbS3f57LtCZAZ/EY+UPrRiDgWUnx49c0clBnmZBfkwc2BX7pJegMf2hLWrck2bFsJGedhL2QHoFR5khi4JcCLTeYTcNLzRRdJ+kHJjofm7Vkcu2AtoScappWcTDsjFapdedSj5warn0tGBNSml7XfodXHZkE5D7bYlCCNwB94xInrns36T2bOmu3C99/ZS45yDCOfexoWRERNM76fu5UKyERMsxqfyUEKhJ6aJKBXUpHYAUXybqDbkDvuHCckPbl2Mat2/d/KfoBgZ+GAMitIK1lu43cQF/gJQBYz/j5VRfXO4Vod3lWow7FlNtd6FBfzIykWAwZKuUSDfJLYf/DmUqI2BDyuHtHbkDFCpZL7TsyBVFWRmQyt7meeOS3OIJ01/jC/pOLyQMGoSjptIcBiTnXFd1jdPlSj/vawTi5Uch2hLgIgHZlwKtnxNfJ7HAz1AYKMEjaUYwMKRfttX8V4aDEqKVQ6AGjDM1RDiphpfBZPwXk4gepZB5MdSP9RQ1TZFdDaTxhbkIpshsUxbDE52xcV3tV7A==,iv:w9x4/SYJTuGAc6CdQ0VaEAFbTbgesOPNAEIqgaKvzXI=,tag:Jpyr69XQkLQoJBhX/EG4bQ==,type:str]
chir.rs: ENC[AES256_GCM,data:vu/JBtOJDRAxrESSU9/9O95Kyjl7LHyXE1/5JEF/AXhX/aW2tBYTKA1Lt8HYV+k2YLJOmN6EhO2V7y/by4my+SeNuxuyLHun3+K0o83N7a5Abir3YbL8m4tw4yXT7CVmDo3GOVqHPwPd1kYS2AjRVtZEffMCoSSfg+vtcDiFEg1N9OzddMIlh83gr8TRAdGdbvrMNIf2G1FhlU8mQli9IRTJXY8/gvm0aCV+fThiZyWYUTwLZAJ4B4KLQ3AEpBExmZW7QpeYNgTxqSn9I12jPJwRBQS7oFCQR+TDyuSOSET7abyPHNd8UWhr+jdi6596rp0HCBP8PZoUIjCu1DH/4Oo9ojS0lM+6ckoLg5X5ve3CZUv/MdFgrLXoUc8ofoP8m+ku6Z3NOx2+gigb//z/w7XnhW/7P6TiTgZIn4eDUl2ziJyFZ+azhVRsKCRXCW1y9qUei9aBUKsG6QMAUy0O+ZTcYZvW+waKMsbl9lGXs1BTMMmSuqgYGVEyf9MM8DNS402TirHYckFv63PLISiDc7ET3o26WD3rTqtk6113vDEMcuSSTz9YIBQMKD8sjl+kHMfEZNhgo/E70PRWebBusX2OpsYlEFWsAiYjbFJrKS++AFhwM19DVWE1V6FLXvmhwpEH8WPue3OwQFtiepYcgix+RUF9SAJihyNyIBbwO+yGrYftHW/7M4OoLf1nZtKV+b1NjYiraIRlmJ7Lmyt3b5FLAp8zdpDtmhGKbk1xRYPbXCl0aXdLPHRZKz1xQ9PqCOcBYJ6VZX3Siv81BJIQ6WBU7sLlI9IZ6dlX122In1aMpQ+dLRLyqwl2ys0vZucoDN2jQmZORX1zfv+z0JA6JxMSEa2aGHAjFlQysUKtPsGfdaugo3UifRdbC5eRWfF7RGD5WtlDH8+/pqxd4hNVT+2I7y1s0HMrH6KSzaSuWbjwF/S0dGLEXqYFbIH1YbOGMrCLRYbZaYmAyCAFpRY6q+wV5tqORU/UTaDVoTRSbOuKnBE/tSknLQ8YLGDmhLs3Eakhx5LRKtqBmrrmfhR29jmLOUviGPVdaXA8LNoXZ/YwvWLeFNY4Q1GATr3K7sOHFnyhHuXSPb2XXcltJG18YXVCawhiZN+fbvyW9XXTFKF+da3XYy7u2fR+8BfZqEsX1zV1+gBq3fzwtR6d/t7nyz7IW3Rc8PCsPm96p9+/pGpues7see4rBI4QcZAUL+Wi4ybXNw==,iv:ysIGIB15/5sc7ycg6oNYohqd1XbT6zy26YUqgVbezP0=,tag:gQj5PdFxaTcnXoIPR7yDfQ==,type:str]
dns:
named-keys: ENC[AES256_GCM,data:iEQR1cBxq1H58CCzA02MDCXHT1xEvFawTjW7XkPUYXnxt48tOSsCm8VQDM6q2+oi0MikZ846dgD7P19xhmsF84JBY7OMn1v6BdnTxCu1JwNMnFQlAvmOAVDU0e2sawqmcdOsUIFR01MRPheU/G0Qb5V5Vymwi6VgVEfsHpgVe8Gj0WKLEML9C/TnJsLXDiKWbgktjMOs,iv:gJamBEa/QAzPCm6tiUiQqRR18l6dwhIqq8ffMbde178=,tag:RKLogb8O02hRuwjeuybPXw==,type:str]
de:
@ -77,8 +72,8 @@ sops:
N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP
dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-04-24T10:49:45Z"
mac: ENC[AES256_GCM,data:DCPWnxNjzEq95x8CaxrSeMQaMwIjIiKEo0KVBSivODoGBUYv9CFz1XDkUXqdxr7WO8Ag1OzXGPWpltJvwzyHanI2TC5m3Y14iJP09H2bMtSkAHLx5uDAv3SlpYSjHNRtTZ/INPVScuTx+duGkUyGRIKd8SFbM6Z+6YH2PXPV/cE=,iv:nMrIVbSeB8teZsErymSRUzpCC+zUWbtdUZvZtL3Jujw=,tag:UGxJI8Zt3qyH++iUJvwouA==,type:str]
lastmodified: "2022-04-28T20:36:29Z"
mac: ENC[AES256_GCM,data:Q4uNgHUAF9jkpOmKnJcpZGwLiOjTMNnngIBMUrIt/GkUsS2R7W/Burz8iVHCuXuasxYmMjt9lLsS0YChI/F5BwkQPqpiOGyTqH1fpNKQ6WjzNcKqG3RToQ1nPzJBrzz0oKPIc2ykH7GQGttmOogUr1xf43BeQyuDgFnx9Zb1wgw=,iv:owYIrS7G0Iea7xj1itutU0bh+WWZz4r6GyckEcrlEpA=,tag:6FdMLhCYAQKA23P2u3VWCw==,type:str]
pgp:
- created_at: "2022-02-02T17:50:42Z"
enc: |

View file

@ -8,7 +8,7 @@ in
SOA = {
nameServer = "ns1.chir.rs.";
adminEmail = "lotte@chir.rs";
serial = 11;
serial = 12;
};
NS = [
"ns1.chir.rs."
@ -247,6 +247,7 @@ in
backup.CNAME = [ (ttl zoneTTL (cname "nas")) ];
hydra.CNAME = [ (ttl zoneTTL (cname "nas")) ];
mastodon.CNAME = [ (ttl zoneTTL (cname "nas")) ];
rspamd.CNAME = [ (ttl zoneTTL (cname "nas")) ];
_acme-challenge = delegateTo [
"ns1.chir.rs."
"ns2.chir.rs."