From db983fadeaf415d854ce2654f8f20274ec9b000f Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Thu, 5 May 2022 14:20:08 +0200 Subject: ... --- hosts/surtr/email/default.nix | 38 +++++++++++++++++--------------------- 1 file changed, 17 insertions(+), 21 deletions(-) (limited to 'hosts/surtr/email') diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index da1c005d..ddb2e32f 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -157,29 +157,25 @@ with lib; }; }; - security.acme.domains = let - mkSNI = '' - cat key.pem full.pem > sni.pem - ''; - in { - "bouncy.email" = { - certCfg.postRun = mkSNI; - }; - "mailin.bouncy.email" = { - certCfg.postRun = mkSNI; - }; - "mailsub.bouncy.email" = { - certCfg.postRun = mkSNI; - }; + security.acme.domains = { + "bouncy.email" = {}; + "mailin.bouncy.email" = {}; + "mailsub.bouncy.email" = {}; "surtr.yggdrasil.li" = {}; }; - systemd.services.postfix.serviceConfig.LoadCredential = [ - "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem" - "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem" - "bouncy.email.sni.pem:${config.security.acme.certs."bouncy.email".directory}/sni.pem" - "mailin.bouncy.email.sni.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/sni.pem" - "mailsub.bouncy.email.sni.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/sni.pem" - ]; + systemd.services.postfix = { + preStart = concatMapStringsSep "\n" (domain: '' + cat /var/lib/acme/${domain}/key.pem /var/lib/acme/${domain}/full.pem > /var/lib/acme/${domain}/sni.pem + '') ["bouncy.email" "mailin.bouncy.email" "mailsub.bouncy.email" "surtr.yggdrasil.li"]; + + serviceConfig.LoadCredential = [ + "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem" + "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem" + "bouncy.email.sni.pem:${config.security.acme.certs."bouncy.email".directory}/sni.pem" + "mailin.bouncy.email.sni.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/sni.pem" + "mailsub.bouncy.email.sni.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/sni.pem" + ]; + }; }; } -- cgit v1.2.3