From ad8194721a5ef49dc8c0e0817d790d5cc190f384 Mon Sep 17 00:00:00 2001
From: alex
Date: Wed, 22 Sep 2021 22:06:21 -0400
Subject: [PATCH] Add initial httpd, acme-client, smtpd configs

From our first night of hacking!
---
 Makefile | 10 ++++++++++
 README | 2 ++
 etc/acme-client.conf | 31 +++++++++++++++++++++++++++++++
 etc/httpd.conf | 25 +++++++++++++++++++++++++
 etc/mail/smtpd.conf | 39 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 107 insertions(+)
 create mode 100644 Makefile
 create mode 100644 etc/acme-client.conf
 create mode 100644 etc/httpd.conf
 create mode 100644 etc/mail/smtpd.conf

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..60db053
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,10 @@
+# Simple Makefile to pull from /etc
+FILES = /etc/httpd.conf \
+ /etc/acme-client.conf \
+ /etc/mail/smtpd.conf
+
+.PHONY: pull
+pull:
+ for f in $(FILES); do \
+ cp $$f .$$f; \
+ done
diff --git a/README b/README
index 9382aca..05a8aa9 100644
--- a/README
+++ b/README
@@ -1,3 +1,5 @@
 config
 ======
 System config files for garbash.com
+
+Run `make` to sync up with what's installed in the system!
diff --git a/etc/acme-client.conf b/etc/acme-client.conf
new file mode 100644
index 0000000..389313c
--- /dev/null
+++ b/etc/acme-client.conf
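Review bot: The recipe's `cp $$f .$$f` writes to `./etc/mail/smtpd.conf`, which fails unless `etc/mail/` already exists in the checkout, and because the copy runs inside a shell for loop make only sees the exit status of the last iteration, so an earlier failed copy goes unreported. Creating the directory and failing the loop on error keeps the README's `make` promise honest: `mkdir -p $$(dirname .$$f) && cp $$f .$$f || exit 1; \`. The leading whitespace of the recipe lines appears as a single space in this rendering; if the file really contains a space rather than a tab there, make will reject the rule, so that is worth confirming on disk.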
@@ -0,0 +1,31 @@
+#
+# $OpenBSD: acme-client.conf,v 1.4 2020/09/17 09:13:06 florian Exp $
+#
+authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+authority letsencrypt-staging {
+ api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-staging-privkey.pem"
+}
+
+authority buypass {
+ api url "https://api.buypass.com/acme/directory"
+ account key "/etc/acme/buypass-privkey.pem"
+ contact "mailto:me@example.com"
+}
+
+authority buypass-test {
+ api url "https://api.test4.buypass.no/acme/directory"
+ account key "/etc/acme/buypass-test-privkey.pem"
+ contact "mailto:me@example.com"
+}
+
+domain garbash.com {
+ alternative names { waste.garbash.com, mail.garbash.com }
+ domain key "/etc/ssl/private/garbash.com.key"
+ domain full chain certificate "/etc/ssl/garbash.com.fullchain.pem"
+ sign with letsencrypt
+}
diff --git a/etc/httpd.conf b/etc/httpd.conf
new file mode 100644
index 0000000..70cdbfd
--- /dev/null
+++ b/etc/httpd.conf
@@ -0,0 +1,25 @@
+# $OpenBSD: httpd.conf,v 1.22 2020/11/04 10:34:18 denis Exp $
+
+server "garbash.com" {
+ listen on * port 80
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
+ location * {
+ block return 302 "https://$HTTP_HOST$REQUEST_URI"
+ }
+}
+
+server "garbash.com" {
+ listen on * tls port 443
+ tls {
+ certificate "/etc/ssl/garbash.com.fullchain.pem"
+ key "/etc/ssl/private/garbash.com.key"
+ }
+ directory auto index
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
+}
diff --git a/etc/mail/smtpd.conf b/etc/mail/smtpd.conf
new file mode 100644
index 0000000..c6fee63
--- /dev/null
+++ b/etc/mail/smtpd.conf
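Review bot: The `buypass` and `buypass-test` authorities still carry the template's `contact "mailto:me@example.com"`, so switching `sign with` to either of them would register an ACME account under a placeholder address that never receives expiry or revocation notices. Since only `letsencrypt` is used, either drop the unused authorities or replace the contact with a mailbox somebody reads before they become reachable. A comment next to `domain full chain certificate` should also note that the same file and key are referenced by httpd.conf and smtpd.conf, so every renewal needs to be followed by reloading both daemons (for example from the cron job that runs acme-client), otherwise they keep using the certificate they loaded at start.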
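Review bot: `directory auto index` in the TLS server enables directory listings for the whole default document root, so every file name placed there becomes enumerable by any client; httpd leaves auto index off by default, so if listings are not intended the line should simply be removed. Separately, acme-client.conf requests `waste.garbash.com` and `mail.garbash.com` as alternative names, but neither server block names them; adding `alias waste.garbash.com` and `alias mail.garbash.com` to the port 80 server makes the HTTP-01 challenge for those names deterministic instead of depending on httpd falling back to the first server defined for that port, which I have not verified here. A 301 rather than `302` in `block return` would also let clients cache the HTTPS redirect.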
@@ -0,0 +1,39 @@
+# $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
+
+# This is the smtpd server system-wide configuration file.
+# See smtpd.conf(5) for more information.
+
+pki mail.garbash.com cert "/etc/ssl/garbash.com.fullchain.pem"
+pki mail.garbash.com key "/etc/ssl/private/garbash.com.key"
+
+filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
+ disconnect "550 no residential connections"
+
+filter check_rdns phase connect match !rdns \
+ disconnect "550 no rDNS is so 80s"
+
+filter check_fcrdns phase connect match !fcrdns \
+ disconnect "550 no FCrDNS is so 80s"
+
+filter senderscore \
+ proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
+
+filter "dkimsign" proc-exec "filter-dkimsign -d garbash.com -s 20210921 -k /etc/mail/dkim/garbash.com.key" user _dkimsign group _dkimsign
+
+table aliases file:/etc/mail/aliases
+
+listen on socket filter "dkimsign"
+
+# To accept external mail, replace with: listen on all
+#
+listen on all tls pki mail.garbash.com \
+ filter { check_dyndns, check_rdns, check_fcrdns, senderscore, dkimsign }
+
+listen on lo0 port submission tls-require pki mail.garbash.com auth filter "dkimsign"
+
+action "local_mail" maildir alias
+action "outbound" relay helo mail.garbash.com
+
+match from any for domain "garbash.com" action "local_mail"
+match from local for local action "local_mail"
+match from local for any action "outbound"
-- 
libgit2 1.1.1
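Review bot: The public `listen on all` listener includes `dkimsign` in its filter set, so mail arriving from any remote host is DKIM-signed with the garbash.com key before delivery; if a local alias ever forwards off-site, that forwarded message would likely carry a valid garbash.com signature over content this server never authored. The upstream example keeps signing on the socket and submission listeners only, so the line should read `filter { check_dyndns, check_rdns, check_fcrdns, senderscore }` unless signing inbound mail is deliberate. The comment `# To accept external mail, replace with: listen on all` is also stale now that the listener already is `listen on all`, and should either go or describe the filter chain instead. The key at `/etc/mail/dkim/garbash.com.key` has to be readable by `_dkimsign`, which this patch does not set up, so a comment on the `filter "dkimsign"` line saying so would save the next person a silent signing failure.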