diff --git a/playbooks/mail.archlinux.org.yml b/playbooks/mail.archlinux.org.yml
index f06f7ab0f6228e975f0488c35e28af2200ccf6f9..70272765dd331e51ecbc7846eabceccc27fac214 100644
--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -8,6 +8,8 @@
   - { role: root_ssh }
   - { role: borg_client, tags: ['borg'] }
   - { role: certbot }
+  - { role: nginx }
+  - { role: mta_sts }
   - { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }
   - { role: dovecot }
   - { role: rspamd, tags: ["mail"] }
diff --git a/roles/mta_sts/defaults/main.yml b/roles/mta_sts/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..4ec5575a8677bcfca826ed435c86a8cdd7e00e77
--- /dev/null
+++ b/roles/mta_sts/defaults/main.yml
@@ -0,0 +1 @@
+mta_sts_domain: mta-sts.archlinux.org
diff --git a/roles/mta_sts/tasks/main.yml b/roles/mta_sts/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..26dca3eac9f44418d6bd6ced040f8357f628a738
--- /dev/null
+++ b/roles/mta_sts/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ mta_sts_domain }}' creates='/etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem'
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ mta_sts_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mta-sts.conf" owner=root group=root mode=644
+  notify: reload nginx
+  tags: ['nginx']
diff --git a/roles/mta_sts/templates/nginx.d.conf.j2 b/roles/mta_sts/templates/nginx.d.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..894a56f53ec9053a7b476b1805e575b426663d19
--- /dev/null
+++ b/roles/mta_sts/templates/nginx.d.conf.j2
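Review bot: In roles/mta_sts/tasks/main.yml the "create ssl cert" task requests a certificate for `{{ mta_sts_domain }}` via `--webroot` before the "set up nginx" task installs the only server block in this role that includes `snippets/letsencrypt.conf` for that name, so on a fresh host the HTTP-01 challenge is answerable only if an nginx default server already serves `{{ letsencrypt_validation_dir }}` for otherwise-unknown hostnames; that cannot be confirmed from this diff and deserves a comment on the task, e.g. `# relies on the nginx role's default server answering ACME challenges for this name`. The file modes are also inconsistent, `mode=0755` on the log directory versus `mode=644` on the rendered config, and both tasks use key=value shorthand rather than native YAML arguments. Prefer the block form with quoted octal strings, `mode: "0644"`, so the value can never be reparsed as a decimal integer by the YAML loader. Note that `tags: ['nginx']` sits only on the last task, so a tag-limited run renders a vhost that references a certificate and log directory the earlier, untagged tasks may not have created.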
@@ -0,0 +1,38 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ mta_sts_domain }};
+
+    access_log /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
+    error_log /var/log/nginx/{{ mta_sts_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        access_log off;
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name {{ mta_sts_domain }};
+
+    access_log /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
+    error_log /var/log/nginx/{{ mta_sts_domain }}/error.log;
+
+    ssl_certificate /etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ mta_sts_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ mta_sts_domain }}/chain.pem;
+
+    location /.well-known/mta-sts.txt {
+        default_type text/plain;
+        return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: mail.archlinux.org\n';
+    }
+
+    location / {
+        access_log off;
+        return 404;
+    }
+}
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 152812b040acdb1bc4f13d1eb4e2a195e44376dd..b3ebb51ec174228831ae4a93c039ee40551bd7d0 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -613,6 +613,22 @@ resource "hetznerdns_record" "archlinux_org_mail_aaaa" {
   type = "AAAA"
 }
 
+resource "hetznerdns_record" "archlinux_org_mtasts_cname" {
+  zone_id = hetznerdns_zone.archlinux.id
+  name = "mta-sts"
+  value = "mail"
+  type = "CNAME"
+}
+
+resource "hetznerdns_record" "archlinux_org__mtasts_txt" {
+  zone_id = hetznerdns_zone.archlinux.id
+  name = "_mta-sts"
+  ttl = 600
+  # date +%s
+  value = "\"v=STSv1; id=1608210175\""
+  type = "TXT"
+}
+
 resource "hetznerdns_record" "archlinux_org_origin_mx" {
   for_each = toset(["@", "aur", "master-key"])
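Review bot: The policy body in the `/.well-known/mta-sts.txt` location hard-codes `mode: testing`, `max_age: 604800` and `mx: mail.archlinux.org`, so promoting the policy to enforce, tuning max_age or moving the MX means editing this template instead of a role variable next to `mta_sts_domain` in roles/mta_sts/defaults/main.yml. Every change to this served body also has to be paired with a new `id` in the `_mta-sts` TXT record (the `# date +%s` comment in tf-stage1/archlinux.tf), otherwise sending MTAs keep the cached policy until max_age expires; a comment above the location should state that coupling, e.g. `# MTA-STS policy (RFC 8461): bump the id in the _mta-sts TXT record whenever this body changes`. Rendering the three values from defaults such as `mta_sts_mode`, `mta_sts_max_age` and a list for `mx` would make the later switch to enforce a one-variable change. The `\n` escapes depend on nginx's configuration parser unescaping them inside the single-quoted string, which it does, so the policy is delivered with LF line ends, which the RFC's grammar accepts.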
@@ -657,6 +673,13 @@ resource "hetznerdns_record" "archlinux_org_dmarc_txt" {
   type = "TXT"
 }
 
+resource "hetznerdns_record" "archlinux_org_smtp_tlsrpt_txt" {
+  zone_id = hetznerdns_zone.archlinux.id
+  name = "_smtp._tls"
+  value = "\"v=TLSRPTv1;rua=mailto:postmaster@archlinux.org\""
+  type = "TXT"
+}
+
 resource "hetznerdns_record" "archlinux_org_openpgpkey_a" {
   zone_id = hetznerdns_zone.archlinux.id
   name = "openpgpkey"
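Review bot: The TLSRPT record is added without a comment tying it to the MTA-STS rollout, although with the policy served in testing mode the reports delivered to postmaster@archlinux.org are the only signal that a sending MTA failed STS or STARTTLS validation against mail.archlinux.org. A one-line comment above the resource would make that dependency visible, e.g. `# TLSRPT (RFC 8460): aggregate TLS/MTA-STS failure reports; the only feedback while the policy is in testing mode`. Unlike the `_mta-sts` record in the previous hunk, this one sets no explicit `ttl` and so falls back to whatever the provider default is; either stating that choice in a comment or setting `ttl = 600` would keep the two records consistent.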