summaryrefslogtreecommitdiff
path: root/hosts/surtr/email/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/surtr/email/default.nix')
-rw-r--r--hosts/surtr/email/default.nix20
1 files changed, 18 insertions, 2 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index b952070b..e3437a6b 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -580,6 +580,7 @@ in {
580 "mailin.bouncy.email" = {}; 580 "mailin.bouncy.email" = {};
581 "mailsub.bouncy.email" = {}; 581 "mailsub.bouncy.email" = {};
582 "imap.bouncy.email" = {}; 582 "imap.bouncy.email" = {};
583 "mta-sts.bouncy.email" = {};
583 "surtr.yggdrasil.li" = {}; 584 "surtr.yggdrasil.li" = {};
584 } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains); 585 } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
585 586
@@ -637,13 +638,28 @@ in {
637 proxy_set_header SPM-DOMAIN "${domain}"; 638 proxy_set_header SPM-DOMAIN "${domain}";
638 ''; 639 '';
639 }; 640 };
640 }) spmDomains); 641 }) spmDomains) // {
642 "mta-sts.bouncy.email" = {
643 locations."/".root = pkgs.runCommand "mta-sts" {} ''
644 mkdir -p $out/.well-known
645 cp ${pkgs.writeText "mta-sts.txt" ''
646 version: STSv1
647 mode: testing
648 mx: mailin.bouncy.email
649 max_age: 604800
650 ''} $out/.well-known/mta-sts.txt
651 '';
652 };
653 };
641 }; 654 };
642 655
643 systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [ 656 systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
644 "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem" 657 "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
645 "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem" 658 "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
646 ]) spmDomains; 659 ]) spmDomains ++ [
660 "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
661 "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
662 ];
647 663
648 systemd.services.spm = { 664 systemd.services.spm = {
649 serviceConfig = { 665 serviceConfig = {