X-Git-Url: https://git.distorted.org.uk/~mdw/zones/blobdiff_plain/2e7d38520d29a60055fbc2283504be3c91e89870..e8d49c402db2c19994f12a3551255ed5250ea2a2:/distorted.lisp

diff --git a/distorted.lisp b/distorted.lisp
index e17768b..ec82871 100644
--- a/distorted.lisp
+++ b/distorted.lisp
@@ -150,25 +150,37 @@
 				      :public-key :sha-256 #p"https-jazz")))
   ((bugs lists db ftp) (colo :svc telecaster.colo :sshfp "telecaster")
 		       (jump :svc telecaster.jump :sshfp "telecaster"))
-  ((bugs lists ftp) :tlsa (:https (:service-certificate-constraint
-				   :public-key :sha-256
-				   #p"https-telecaster")))
+  ((bugs lists ftp) :tlsa (:https #3=(:service-certificate-constraint
+				      :public-key :sha-256
+				      #p"https-telecaster")))
   (dyndns :svc telecaster.jump :sshfp "telecaster")
   ((git www mail) (colo :svc stratocaster.colo :sshfp "stratocaster")
 		  (jump :svc stratocaster.jump :sshfp "stratocaster"))
-  ((www git mail @) :tlsa (:https (:service-certificate-constraint
-				   :public-key :sha-256
-				   #p"https-stratocaster")))
+  ((www git mail @) :tlsa (:https #2=(:service-certificate-constraint
+				      :public-key :sha-256
+				      #p"https-stratocaster")))
   (www-cache :tlsa (3127 #1=(:trust-anchor-assertion
 			     :certificate :sha-256 #p"distorted-ca")))
-  ((bugs lists) :tlsa (:smtp #1#))
-  (mail :tlsa ((:smtp :submission :imap :imaps) #1#))
+  (mail :tlsa ((:submission :imap :imaps) #1#))
+  (mail :tlsa (:smtp
+	       #+view/inside #1#
+	       #-view/inside (:domain-issued-certificate
+			      :public-key :sha-256
+			      #p"smtps-stratocaster")))
+  ((bugs lists) :tlsa (:smtp
+		       #+view/inside #1#
+		       #-view/inside (:domain-issued-certificate
+				      :public-key :sha-256
+				      #p"smtps-telecaster")))
   :svc #+view/inside stratocaster.colo
        #-view/inside stratocaster.jump
   (cabal :svc stratocaster.colo :sshfp "stratocaster")
 
   ;; Local services.
-  ((rawk pifi) (unsafe :svc artist.unsafe) (dmz :svc artist.dmz))
+  (rawk (unsafe :svc artist.unsafe) (dmz :svc artist.dmz))
+  (rawk :tlsa (:https (:service-certificate-constraint
+		       :public-key :sha-256
+		       #p"https-artist")))
   (mirror (dmz :svc roadstar.dmz :sshfp "roadstar")
 	  (unsafe :svc roadstar.unsafe :sshfp "roadstar"))
 
@@ -183,6 +195,7 @@
 
   ;; Fancy connectivity.
   (iodine (jump :svc jazz.jump))
+  (hippotat (jump :svc jazz.jump))
 
   ;; Colocated hosts.
   (colo :net colo)
@@ -209,7 +222,8 @@
   (jazz (colo :addr jazz.colo :sshfp "jazz")
 	(jump :addr jazz.jump :sshfp "jazz")
 	(vpn :addr jazz.vpn :sshfp "jazz")
-	(iodine :addr jazz.iodine :sshfp "jazz"))
+	(iodine :addr jazz.iodine :sshfp "jazz")
+	(hippo :addr jazz.hippo :sshfp "jazz"))
 
   ;; Virtual hosts.
   (national :abbrev n (linode :abbrev nl) (upn :abbrev ny))
@@ -292,13 +306,17 @@
   ;; Virtual network.
   (vpn :net vpn)
   (crybaby :abbrev cb)
-  (crybaby (vpn :addr crybaby.vpn :sshfp "crybaby"))
+  (crybaby (vpn :addr crybaby.vpn :sshfp "crybaby")
+	   (hippo :addr crybaby.hippo :sshfp "crybaby"))
+  (spirit (vpn :addr spirit.vpn :sshfp "spirit")
+	  (hippo :addr spirit.hippo :sshfp "spirit"))
   (terror (vpn :addr terror.vpn :sshfp "terror"))
   (orange :abbrev o)
   (orange (vpn :addr orange.vpn :sshfp "orange"))
   (haze :abbrev h)
   (haze (vpn :addr haze.vpn :sshfp "haze"))
   (iodine :net iodine)
+  (hippo :net hippo)
 
   ;; ITS.
   (its :net its)
@@ -354,6 +372,7 @@
   (crybaby :addr crybaby.unsafe)
   (lespaul :addr lespaul.unsafe)
   (gretsch :addr gretsch.unsafe)
+  (spirit :addr spirit.unsafe)
   (haze :addr haze.unsafe)
   (invader :addr invader.safe)
   (marauder :addr marauder.safe))