author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-05-15 16:32:21 +0200 |
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-05-15 16:32:21 +0200 |
commit | 97a05b0837e27e8d73d3a16185fb07169de65d7b (patch) | |
tree | 947e9a97b05f99d65b7f2253e7b6db937bc239d2 /hosts/surtr/email | |
parent | 355b6d4ec02ad535b93ce314dd5734e8c6028dbc (diff) | |
surtr: ...
Diffstat (limited to 'hosts/surtr/email')
-rw-r--r-- | hosts/surtr/email/default.nix | 24 |
1 files changed, 23 insertions, 1 deletions
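--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -19,6 +19,8 @@ let
 done
 '';
 };
+
+spmDomains = ["bouncy.email"];
 in {
 config = {
 nixpkgs.overlays = [
@@ -567,7 +569,7 @@ in {
 "mailsub.bouncy.email" = {};
 "imap.bouncy.email" = {};
 "surtr.yggdrasil.li" = {};
-};
+} // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
 
 systemd.services.postfix = {
 serviceConfig.LoadCredential = [
@@ -597,5 +599,25 @@ in {
 ];
 };
 };
+
+services.nginx.virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
+forceSSL = true;
+sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
+sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
+extraConfig = ''
+ssl_stapling off;
+ssl_verify_client on;
+ssl_client_certificate ${toString ./ca/ca.crt};
+'';
+locations."/".extraConfig = ''
+default_type text/plain;
+return 200 "$ssl_client_verify $ssl_client_s_dn ${domain}";
+'';
+}) spmDomains);
+
+systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
+"spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
+"spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
+]) spmDomains;
 };
 }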
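Review bot: `ssl_client_certificate ${toString ./ca/ca.crt};` in the new `spm.${domain}` virtualHost embeds the CA as a plain path string: `toString` on a path neither copies the file into the store nor records a dependency on it, so the generated nginx config points at wherever the source tree happened to be at evaluation time and the trust anchor for this mTLS gate can disappear or change without the config changing; interpolating the path directly, `ssl_client_certificate ${./ca/ca.crt};`, stores and pins it. The same hunk enables `ssl_verify_client on` with no `ssl_crl`, so a leaked client certificate cannot be revoked short of rotating the CA, which is worth either adding or stating as accepted (the CA looks like a private one checked into the repo, but that is inferred). The `return 200 "$ssl_client_verify $ssl_client_s_dn ${domain}"` location reads as a probe for the client-cert setup; under `ssl_verify_client on` that variable can only be SUCCESS when the location is reached, so a one-line comment naming the endpoint's purpose would save the next reader from treating it as an authorization check.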