From ffac1727b92167ca6847b7ae3adc71f091d8048f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 10 Jul 2022 11:51:34 +0200
Subject: ...

---
 hosts/surtr/email/default.nix | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

(limited to 'hosts/surtr/email')

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index b952070b..e3437a6b 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -580,6 +580,7 @@ in {
       "mailin.bouncy.email" = {};
       "mailsub.bouncy.email" = {};
       "imap.bouncy.email" = {};
+      "mta-sts.bouncy.email" = {};
       "surtr.yggdrasil.li" = {};
     } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
@@ -637,13 +638,28 @@ in {
           proxy_set_header SPM-DOMAIN "${domain}";
         '';
       };
-    }) spmDomains);
+    }) spmDomains) // {
+      "mta-sts.bouncy.email" = {
+        locations."/".root = pkgs.runCommand "mta-sts" {} ''
+          mkdir -p $out/.well-known
+          cp ${pkgs.writeText "mta-sts.txt" ''
+            version: STSv1
+            mode: testing
+            mx: mailin.bouncy.email
+            max_age: 604800
+          ''} $out/.well-known/mta-sts.txt
+        '';
+      };
+    };
   };
   systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
     "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
     "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
-  ]) spmDomains;
+  ]) spmDomains ++ [
+    "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
+    "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
+  ];
   systemd.services.spm = {
     serviceConfig = {
-- 
cgit v1.2.3
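Review bot: The new `"mta-sts.bouncy.email"` virtual host in the second hunk only sets `locations."/".root`; nothing visible enables TLS on it or points nginx at the key and chain that the new `LoadCredential` entries load, yet RFC 8461 requires the policy to be fetched over HTTPS with a certificate valid for the `mta-sts.` name, so senders will either fail the fetch or get it over plaintext. Unless per-vhost TLS is applied generically outside this hunk (the spm vhosts' TLS settings are not in view), add to that vhost `forceSSL = true;`, `sslCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.pem";` and `sslCertificateKey = "/run/credentials/nginx.service/mta-sts.bouncy.email.key.pem";`, matching the credential names loaded below. With `mode: testing` receivers still deliver to a plaintext or certificate-mismatched MX and only report via TLSRPT, and a cached policy is reused for the full `max_age` unless the id in the `_mta-sts.bouncy.email` TXT record changes, so a comment above `pkgs.writeText "mta-sts.txt"` should record this, e.g. `# MTA-STS policy; mode is "testing" until TLSRPT reports are clean, then switch to "enforce". Bump the id in the _mta-sts TXT record whenever this text changes.`. Whether `mx: mailin.bouncy.email` matches the MX records and the certificate that host presents on port 25 cannot be confirmed from this hunk; the enclosing `services.nginx` attribute set begins before it.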