surtr: ...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-05-15 16:32:21 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-05-15 16:32:21 +0200
commit: 97a05b0837e27e8d73d3a16185fb07169de65d7b (patch)
tree: 947e9a97b05f99d65b7f2253e7b6db937bc239d2 /hosts/surtr/email
parent: 355b6d4ec02ad535b93ce314dd5734e8c6028dbc (diff)
download: nixos-97a05b0837e27e8d73d3a16185fb07169de65d7b.tar
nixos-97a05b0837e27e8d73d3a16185fb07169de65d7b.tar.gz
nixos-97a05b0837e27e8d73d3a16185fb07169de65d7b.tar.bz2
nixos-97a05b0837e27e8d73d3a16185fb07169de65d7b.tar.xz
nixos-97a05b0837e27e8d73d3a16185fb07169de65d7b.zip
1 files changed, 23 insertions, 1 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 57883864..404e9e4b 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -19,6 +19,8 @@ let
      done
    '';
  };
+  spmDomains = ["bouncy.email"];
 in {
  config = {
    nixpkgs.overlays = [
@@ -567,7 +569,7 @@ in {
      "mailsub.bouncy.email" = {};
      "imap.bouncy.email" = {};
      "surtr.yggdrasil.li" = {};
-    };
+    } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
    systemd.services.postfix = {
      serviceConfig.LoadCredential = [
@@ -597,5 +599,25 @@ in {
        ];
      };
    };
+    services.nginx.virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
+      forceSSL = true;
+      sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
+      sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
+      extraConfig = ''
+        ssl_stapling off;
+        ssl_verify_client on;
+        ssl_client_certificate ${toString ./ca/ca.crt};
+      '';
+      locations."/".extraConfig = ''
+        default_type text/plain;
+        return 200 "$ssl_client_verify $ssl_client_s_dn ${domain}";
+      '';
+    }) spmDomains);
+    systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
+      "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
+      "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
+    ]) spmDomains;
  };
 }
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-05-15 16:32:21 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-05-15 16:32:21 +0200
commit	97a05b0837e27e8d73d3a16185fb07169de65d7b (patch)
tree	947e9a97b05f99d65b7f2253e7b6db937bc239d2 /hosts/surtr/email
parent	355b6d4ec02ad535b93ce314dd5734e8c6028dbc (diff)
download	nixos-97a05b0837e27e8d73d3a16185fb07169de65d7b.tar nixos-97a05b0837e27e8d73d3a16185fb07169de65d7b.tar.gz nixos-97a05b0837e27e8d73d3a16185fb07169de65d7b.tar.bz2 nixos-97a05b0837e27e8d73d3a16185fb07169de65d7b.tar.xz nixos-97a05b0837e27e8d73d3a16185fb07169de65d7b.zip

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 57883864..404e9e4b 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix
@@ -19,6 +19,8 @@ let
19	done	19	done
20	'';	20	'';
21	};	21	};
		22
		23	spmDomains = ["bouncy.email"];
22	in {	24	in {
23	config = {	25	config = {
24	nixpkgs.overlays = [	26	nixpkgs.overlays = [
@@ -567,7 +569,7 @@ in {
567	"mailsub.bouncy.email" = {};	569	"mailsub.bouncy.email" = {};
568	"imap.bouncy.email" = {};	570	"imap.bouncy.email" = {};
569	"surtr.yggdrasil.li" = {};	571	"surtr.yggdrasil.li" = {};
570	};	572	} // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
571		573
572	systemd.services.postfix = {	574	systemd.services.postfix = {
573	serviceConfig.LoadCredential = [	575	serviceConfig.LoadCredential = [
@@ -597,5 +599,25 @@ in {
597	];	599	];
598	};	600	};
599	};	601	};
		602
		603	services.nginx.virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
		604	forceSSL = true;
		605	sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
		606	sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
		607	extraConfig = ''
		608	ssl_stapling off;
		609	ssl_verify_client on;
		610	ssl_client_certificate ${toString ./ca/ca.crt};
		611	'';
		612	locations."/".extraConfig = ''
		613	default_type text/plain;
		614	return 200 "$ssl_client_verify $ssl_client_s_dn ${domain}";
		615	'';
		616	}) spmDomains);
		617
		618	systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
		619	"spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
		620	"spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
		621	]) spmDomains;
600	};	622	};
601	}	623	}