1 files changed, 18 insertions, 2 deletions

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index b952070b..e3437a6b 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -580,6 +580,7 @@ in {
       "mailin.bouncy.email" = {};
       "mailsub.bouncy.email" = {};
       "imap.bouncy.email" = {};
+      "mta-sts.bouncy.email" = {};
       "surtr.yggdrasil.li" = {};
     } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
 
@@ -637,13 +638,28 @@ in {
             proxy_set_header SPM-DOMAIN "${domain}";
           '';
         };
-      }) spmDomains);
+      }) spmDomains) // {
+        "mta-sts.bouncy.email" = {
+          locations."/".root = pkgs.runCommand "mta-sts" {} ''
+            mkdir -p $out/.well-known
+            cp ${pkgs.writeText "mta-sts.txt" ''
+              version: STSv1
+              mode: testing
+              mx: mailin.bouncy.email
+              max_age: 604800
+            ''} $out/.well-known/mta-sts.txt
+          '';
+        };
+      };
     };
 
     systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
       "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
       "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
-    ]) spmDomains;
+    ]) spmDomains ++ [
+      "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
+      "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
+    ];
 
     systemd.services.spm = {
       serviceConfig = {