From 27e8fdd5fc1fd81a6923eac221e31661ed30738e Mon Sep 17 00:00:00 2001
From: Jim Hague <jim.hague@acm.org>
Date: Thu, 25 Jul 2024 10:31:05 +0100
Subject: [PATCH] Add hedwig host cert for satellite email use.

---
 states/certificates/dehydrated/dnsapi.config.txt       |  2 ++
 states/certificates/dehydrated/domains.txt             |  1 +
 .../email-satellite/exim4/conf.d/main/00_localmacros   | 10 ++++++++++
 3 files changed, 13 insertions(+)
 create mode 100644 states/email-satellite/exim4/conf.d/main/00_localmacros

diff --git a/states/certificates/dehydrated/dnsapi.config.txt b/states/certificates/dehydrated/dnsapi.config.txt
index 0888221..1833375 100644
--- a/states/certificates/dehydrated/dnsapi.config.txt
+++ b/states/certificates/dehydrated/dnsapi.config.txt
@@ -16,6 +16,8 @@ hg.lunch.org.uk {{ keyid }} {{ secret }}
 jenkins.lunch.org.uk {{ keyid }} {{ secret }}
 lists.lunch.org.uk {{ keyid }} {{ secret }}
 mail.lunch.org.uk {{ keyid }} {{ secret }}
+{# Satellite host certs for email -#}
+hedwig.lunch.org.uk {{ keyid }} {{ secret }}
 {# -#}
 {#- cryhavoc.org.uk domains -#}
 {#- -#}
diff --git a/states/certificates/dehydrated/domains.txt b/states/certificates/dehydrated/domains.txt
index 9c4e0cf..f7d99a9 100644
--- a/states/certificates/dehydrated/domains.txt
+++ b/states/certificates/dehydrated/domains.txt
@@ -8,3 +8,4 @@ mail.lunch.org.uk webmail.lunch.org.uk imap.cryhavoc.org.uk smtp.cryhavoc.org.uk
 lists.lunch.org.uk lists.cryhavoc.org.uk
 cryhavoc.org.uk www.cryhavoc.org.uk
 dottes.cryhavoc.org.uk
+hedwig.lunch.org.uk
diff --git a/states/email-satellite/exim4/conf.d/main/00_localmacros b/states/email-satellite/exim4/conf.d/main/00_localmacros
new file mode 100644
index 0000000..0dec881
--- /dev/null
+++ b/states/email-satellite/exim4/conf.d/main/00_localmacros
@@ -0,0 +1,10 @@
+# Trusted users and groups
+MAIN_TRUSTED_USERS=mail:www-data
+
+# User account UID range
+FIRST_USER_ACCOUNT_UID=1000
+
+# TLS configuration
+MAIN_TLS_ENABLE=true
+MAIN_TLS_CERTIFICATE=/var/local/certificates/hedwig.lunch.org.uk/fullchain.pem
+MAIN_TLS_PRIVATEKEY=/var/local/certificates/hedwig.lunch.org.uk/privkey.pem