commit ad8194721a5ef49dc8c0e0817d790d5cc190f384 (patch)
parent 650268f21ce54d447e3f2351a24f304195e826ed
Author: alex <alex@garbash.com>
Date: Wed, 22 Sep 2021 22:06:21 -0400
Add initial httpd, acme-client, smtpd configs
From our first night of hacking!
Diffstat:
5 files changed, 107 insertions(+), 0 deletions(-)
diff --git a/Makefile b/Makefile
@@ -0,0 +1,10 @@
+# Simple Makefile to pull from /etc
+FILES = /etc/httpd.conf \
+ /etc/acme-client.conf \
+ /etc/mail/smtpd.conf
+
+.PHONY: pull
+pull:
+ for f in $(FILES); do \
+ cp $$f .$$f; \
+ done
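Review bot: The `for` loop in `pull` hides copy failures, because the recipe's exit status is that of the last `cp` only; an earlier file that is missing or unreadable leaves a stale copy in the repository while `make` still succeeds. `cp $$f .$$f` also assumes `./etc/mail` already exists, and the expansions are unquoted. A loop body such as `mkdir -p "$$(dirname ".$$f")" && cp "$$f" ".$$f" || exit 1; \` addresses all three. Since everything in `FILES` ends up in version control, I would also add a comment above it, e.g. `# Only list files that contain no secrets; never add the key files these configs reference`.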
diff --git a/README b/README
@@ -1,3 +1,5 @@
config
======
System config files for garbash.com
+
+Run `make` to sync up with what's installed in the system!
diff --git a/etc/acme-client.conf b/etc/acme-client.conf
@@ -0,0 +1,31 @@
+#
+# $OpenBSD: acme-client.conf,v 1.4 2020/09/17 09:13:06 florian Exp $
+#
+authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+authority letsencrypt-staging {
+ api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-staging-privkey.pem"
+}
+
+authority buypass {
+ api url "https://api.buypass.com/acme/directory"
+ account key "/etc/acme/buypass-privkey.pem"
+ contact "mailto:me@example.com"
+}
+
+authority buypass-test {
+ api url "https://api.test4.buypass.no/acme/directory"
+ account key "/etc/acme/buypass-test-privkey.pem"
+ contact "mailto:me@example.com"
+}
+
+domain garbash.com {
+ alternative names { waste.garbash.com, mail.garbash.com }
+ domain key "/etc/ssl/private/garbash.com.key"
+ domain full chain certificate "/etc/ssl/garbash.com.fullchain.pem"
+ sign with letsencrypt
+}
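Review bot: The `buypass` and `buypass-test` authorities still carry the example placeholder `contact "mailto:me@example.com"`, and the `letsencrypt` authority that `domain garbash.com` actually signs with has no `contact` line at all. If the domain is ever switched to `sign with buypass`, the account would be registered under an address nobody here controls, so either drop the unused authority blocks or set a real contact. Separately, the one `domain key` at `/etc/ssl/private/garbash.com.key` covers `garbash.com`, `waste.garbash.com` and `mail.garbash.com`, and both httpd.conf and smtpd.conf in this commit load it. A compromise of either daemon's key material therefore exposes all three names, and a separate `domain mail.garbash.com { ... }` block with its own key would contain that.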
diff --git a/etc/httpd.conf b/etc/httpd.conf
@@ -0,0 +1,25 @@
+# $OpenBSD: httpd.conf,v 1.22 2020/11/04 10:34:18 denis Exp $
+
+server "garbash.com" {
+ listen on * port 80
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
+ location * {
+ block return 302 "https://$HTTP_HOST$REQUEST_URI"
+ }
+}
+
+server "garbash.com" {
+ listen on * tls port 443
+ tls {
+ certificate "/etc/ssl/garbash.com.fullchain.pem"
+ key "/etc/ssl/private/garbash.com.key"
+ }
+ directory auto index
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
+}
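Review bot: `directory auto index` is set at server level in the TLS server block, so every directory under the document root without an index file is listed to any visitor. If listings are only wanted for one tree, scope it to a `location` block, and otherwise add a comment such as `# listings are intentional: everything under the docroot is public`. In the port 80 block, `block return 302 "https://$HTTP_HOST$REQUEST_URI"` builds the redirect from the client-supplied Host header. As the first server on that address it presumably also answers requests for unmatched names, so `$SERVER_NAME` would be the safer macro there. Adding `hsts` to the TLS server is worth considering once the certificate setup is stable.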
diff --git a/etc/mail/smtpd.conf b/etc/mail/smtpd.conf
@@ -0,0 +1,39 @@
+# $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
+
+# This is the smtpd server system-wide configuration file.
+# See smtpd.conf(5) for more information.
+
+pki mail.garbash.com cert "/etc/ssl/garbash.com.fullchain.pem"
+pki mail.garbash.com key "/etc/ssl/private/garbash.com.key"
+
+filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
+ disconnect "550 no residential connections"
+
+filter check_rdns phase connect match !rdns \
+ disconnect "550 no rDNS is so 80s"
+
+filter check_fcrdns phase connect match !fcrdns \
+ disconnect "550 no FCrDNS is so 80s"
+
+filter senderscore \
+ proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
+
+filter "dkimsign" proc-exec "filter-dkimsign -d garbash.com -s 20210921 -k /etc/mail/dkim/garbash.com.key" user _dkimsign group _dkimsign
+
+table aliases file:/etc/mail/aliases
+
+listen on socket filter "dkimsign"
+
+# To accept external mail, replace with: listen on all
+#
+listen on all tls pki mail.garbash.com \
+ filter { check_dyndns, check_rdns, check_fcrdns, senderscore, dkimsign }
+
+listen on lo0 port submission tls-require pki mail.garbash.com auth filter "dkimsign"
+
+action "local_mail" maildir alias <aliases>
+action "outbound" relay helo mail.garbash.com
+
+match from any for domain "garbash.com" action "local_mail"
+match from local for local action "local_mail"
+match from local for any action "outbound"
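Review bot: The public listener `listen on all tls pki mail.garbash.com` includes `dkimsign` in its filter list, so mail arriving from arbitrary external senders is passed through the signer as well. As far as I can tell filter-dkimsign does not restrict signing to local or authenticated senders, which would let inbound (including spoofed) messages pick up a valid garbash.com signature; please confirm against the filter's documentation. Signing already happens on `listen on socket` and the `lo0` submission listener, so I would reduce the public one to `filter { check_dyndns, check_rdns, check_fcrdns, senderscore }`. The comment `# To accept external mail, replace with: listen on all` is also stale now that the config listens on all, and should be removed or reworded to describe the filters.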