surtr: mta-sts & dane

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-07-10 12:19:09 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-07-10 12:19:09 +0200
commit: bd0de692664cd608bedac7dc2bd7b113df82989c (patch)
tree: 9b1c8835d4d0a0d46e9f44f5e853453be69e56ae /hosts/surtr/email
parent: ffac1727b92167ca6847b7ae3adc71f091d8048f (diff)
download: nixos-bd0de692664cd608bedac7dc2bd7b113df82989c.tar
nixos-bd0de692664cd608bedac7dc2bd7b113df82989c.tar.gz
nixos-bd0de692664cd608bedac7dc2bd7b113df82989c.tar.bz2
nixos-bd0de692664cd608bedac7dc2bd7b113df82989c.tar.xz
nixos-bd0de692664cd608bedac7dc2bd7b113df82989c.zip
1 files changed, 29 insertions, 8 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index e3437a6b..357ee668 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -640,15 +640,35 @@ in {
        };
      }) spmDomains) // {
        "mta-sts.bouncy.email" = {
-          locations."/".root = pkgs.runCommand "mta-sts" {} ''
+          forceSSL = true;
-            mkdir -p $out/.well-known
+          sslCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.pem";
-            cp ${pkgs.writeText "mta-sts.txt" ''
+          sslCertificateKey = "/run/credentials/nginx.service/mta-sts.bouncy.email.key.pem";
-              version: STSv1
+          sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.chain.pem";
-              mode: testing
-              mx: mailin.bouncy.email
+          extraConfig = ''
-              max_age: 604800
+            add_header Strict-Transport-Security "max-age=63072000" always;
-            ''} $out/.well-known/mta-sts.txt
+            add_header Access-Control-Allow-Origin '*';
+            add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
+            add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type, Authorization';
+            add_header Access-Control-Max-Age 7200;
          '';
+          locations."/" = {
+            extraConfig = ''
+              charset utf-8;
+              source_charset utf-8;
+            '';
+            root = pkgs.runCommand "mta-sts" {} ''
+              mkdir -p $out/.well-known
+              cp ${pkgs.writeText "mta-sts.txt" ''
+                version: STSv1
+                mode: testing
+                mx: mailin.bouncy.email
+                max_age: 604800
+              ''} $out/.well-known/mta-sts.txt
+            '';
+          };
        };
      };
    };
@@ -659,6 +679,7 @@ in {
    ]) spmDomains ++ [
      "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
      "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
+      "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem"
    ];
    systemd.services.spm = {
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-07-10 12:19:09 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-07-10 12:19:09 +0200
commit	bd0de692664cd608bedac7dc2bd7b113df82989c (patch)
tree	9b1c8835d4d0a0d46e9f44f5e853453be69e56ae /hosts/surtr/email
parent	ffac1727b92167ca6847b7ae3adc71f091d8048f (diff)
download	nixos-bd0de692664cd608bedac7dc2bd7b113df82989c.tar nixos-bd0de692664cd608bedac7dc2bd7b113df82989c.tar.gz nixos-bd0de692664cd608bedac7dc2bd7b113df82989c.tar.bz2 nixos-bd0de692664cd608bedac7dc2bd7b113df82989c.tar.xz nixos-bd0de692664cd608bedac7dc2bd7b113df82989c.zip

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index e3437a6b..357ee668 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix
@@ -640,15 +640,35 @@ in {
640	};	640	};
641	}) spmDomains) // {	641	}) spmDomains) // {
642	"mta-sts.bouncy.email" = {	642	"mta-sts.bouncy.email" = {
643	locations."/".root = pkgs.runCommand "mta-sts" {} ''	643	forceSSL = true;
644	mkdir -p $out/.well-known	644	sslCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.pem";
645	cp ${pkgs.writeText "mta-sts.txt" ''	645	sslCertificateKey = "/run/credentials/nginx.service/mta-sts.bouncy.email.key.pem";
646	version: STSv1	646	sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.chain.pem";
647	mode: testing	647
648	mx: mailin.bouncy.email	648	extraConfig = ''
649	max_age: 604800	649	add_header Strict-Transport-Security "max-age=63072000" always;
650	''} $out/.well-known/mta-sts.txt	650
		651	add_header Access-Control-Allow-Origin '*';
		652	add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
		653	add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type, Authorization';
		654	add_header Access-Control-Max-Age 7200;
651	'';	655	'';
		656
		657	locations."/" = {
		658	extraConfig = ''
		659	charset utf-8;
		660	source_charset utf-8;
		661	'';
		662	root = pkgs.runCommand "mta-sts" {} ''
		663	mkdir -p $out/.well-known
		664	cp ${pkgs.writeText "mta-sts.txt" ''
		665	version: STSv1
		666	mode: testing
		667	mx: mailin.bouncy.email
		668	max_age: 604800
		669	''} $out/.well-known/mta-sts.txt
		670	'';
		671	};
652	};	672	};
653	};	673	};
654	};	674	};
@@ -659,6 +679,7 @@ in {
659	]) spmDomains ++ [	679	]) spmDomains ++ [
660	"mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"	680	"mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
661	"mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"	681	"mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
		682	"mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem"
662	];	683	];
663		684
664	systemd.services.spm = {	685	systemd.services.spm = {