Diffstat (limited to 'hosts/surtr/email')
-rw-r--r--hosts/surtr/email/default.nix24
1 files changed, 23 insertions, 1 deletions
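--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -19,6 +19,8 @@ let
 done
 '';
 };
+
+spmDomains = ["bouncy.email"];
 in {
 config = {
 nixpkgs.overlays = [
@@ -567,7 +569,7 @@ in {
 "mailsub.bouncy.email" = {};
 "imap.bouncy.email" = {};
 "surtr.yggdrasil.li" = {};
-};
+} // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
 
 systemd.services.postfix = {
 serviceConfig.LoadCredential = [
@@ -597,5 +599,25 @@ in {
 ];
 };
 };
+
+services.nginx.virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
+forceSSL = true;
+sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
+sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
+extraConfig = ''
+ssl_stapling off;
+ssl_verify_client on;
+ssl_client_certificate ${toString ./ca/ca.crt};
+'';
+locations."/".extraConfig = ''
+default_type text/plain;
+return 200 "$ssl_client_verify $ssl_client_s_dn ${domain}";
+'';
+}) spmDomains);
+
+systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
+"spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
+"spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
+]) spmDomains;
 };
 }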
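Review bot: The new `spm.${domain}` virtual hosts enforce client certificates (`ssl_verify_client on;` with `ssl_client_certificate`) but configure no revocation source, so a client certificate issued by that CA stays accepted after it is revoked; an `ssl_crl <PATH-TO-CA-CRL>;` line in the same `extraConfig` block would close that gap, and the CRL needs the same deployment treatment as the CA file. Separately, `toString ./ca/ca.crt` yields the path of the file in the evaluating checkout rather than a store path, so if this configuration is built on one machine and deployed to another, nginx will presumably fail to start because the CA file is not part of the closure (`"${./ca/ca.crt}"` copies it into the store) — confirm against how this host is deployed. The `config = {` attribute set these hunks add to starts and ends outside the hunks, and the `security.acme.certs."spm.${domain}"` entries that the `LoadCredential` lines reference are not visible here.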