From 97a05b0837e27e8d73d3a16185fb07169de65d7b Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 15 May 2022 16:32:21 +0200
Subject: surtr: ...
---
 hosts/surtr/email/default.nix | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
 (limited to 'hosts/surtr/email/default.nix')
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 57883864..404e9e4b 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -19,6 +19,8 @@ let
 done
 '';
 };
+
+ spmDomains = ["bouncy.email"];
 in {
 config = {
 nixpkgs.overlays = [
@@ -567,7 +569,7 @@ in {
 "mailsub.bouncy.email" = {};
 "imap.bouncy.email" = {};
 "surtr.yggdrasil.li" = {};
- };
+ } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
 systemd.services.postfix = {
 serviceConfig.LoadCredential = [
@@ -597,5 +599,25 @@ in {
 ];
 };
 };
+
+ services.nginx.virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
+ extraConfig = ''
+ ssl_stapling off;
+ ssl_verify_client on;
+ ssl_client_certificate ${toString ./ca/ca.crt};
+ '';
+ locations."/".extraConfig = ''
+ default_type text/plain;
+ return 200 "$ssl_client_verify $ssl_client_s_dn ${domain}";
+ '';
+ }) spmDomains);
+
+ systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
+ "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
+ "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
+ ]) spmDomains;
 };
 }
--
cgit v1.2.3
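Review bot: `ssl_client_certificate ${toString ./ca/ca.crt};` in the new spm vhost's `extraConfig` interpolates the source path as a plain string, so the generated nginx config points at wherever the repository was evaluated from instead of at a store path it depends on; that file may not exist on the target host (nginx then refuses to start with client verification enabled) and, where it does, the trusted CA can change underneath the config without a rebuild. Writing `ssl_client_certificate ${./ca/ca.crt};` copies the CA into the store and records the dependency. `ssl_stapling off;` deserves a comment stating why it is disabled for these hosts, presumably along the lines of `# stapling off: with ssl_client_certificate set nginx would verify OCSP responses against the client CA` — confirm the actual reason. The new `LoadCredential` entries are copied when nginx starts, so a renewed ACME certificate for `spm.${domain}` is only picked up after a restart rather than a reload, unless that is already handled elsewhere for these certs, which the hunk does not show. The enclosing `config` attribute set begins outside the hunk.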