{# Maintainer notes (Jinja comment, not rendered into the Postfix map):
   - Each match= value is the SHA-256 digest of the DER-encoded public key
     read from certs/public/mx<mxno>.fripost.org.pub. It is computed at
     template time by the 'pipe' lookup, which runs on the Ansible controller.
   - Postfix compares these values using smtp_tls_fingerprint_digest, so the
     pins only work if that parameter is sha256 on the hosts using this map.
     TODO confirm against main.cf.
   - NOTE(review): under a plain POSIX sh the pipeline's exit status is sed's.
     If a .pub file is missing or unreadable, "openssl dgst" presumably hashes
     empty input and the template still renders a well-formed fingerprint that
     matches no key. Check that the key files exist before templating.
   - The match= lines continue the policy entry, so each one must start with
     whitespace. Keep the block tags at column 0 so that they add no stray
     indentation to the nexthop line.
#}
# Lookup table matching next-hop destinations to TLS security policies;
# this allows pinning the key material for chosen recipient domains.
#
# {{ ansible_managed }}
# Do NOT edit this file directly!

{% for nexthop in ['fripost.org','.fripost.org'] %}
{{ nexthop }} fingerprint ciphers=high protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
{% for h in groups.MX | sort %}
    match={{ lookup('pipe', 'openssl pkey -pubin -outform DER <"certs/public/mx'+(hostvars[h].mxno | default('') | string)+'.fripost.org.pub" | openssl dgst -sha256 -c | sed "s/[^=]*=\s*//"') }}
{% endfor %}
{% endfor %}