authorNguyễn Gia Phong <cnx@loang.net>2023-06-25 16:49:54 +0900
committerNguyễn Gia Phong <cnx@loang.net>2023-06-25 16:49:54 +0900
commitdc7cd068d7934177c342fd0e115958d0f0dd1e52 (patch)
treec825cdd95518061934297cc2a5e6c76c7aa567f3
parent5a785f54a02d6770d71b26b060bf809eddf13452 (diff)
downloadnixos-conf-dc7cd068d7934177c342fd0e115958d0f0dd1e52.tar.gz
Complete MTA-STS setup
-rw-r--r--mail.nix29
1 files changed, 23 insertions, 6 deletions
diff --git a/mail.nix b/mail.nix
index 2909d36..91cadd9 100644
--- a/mail.nix
+++ b/mail.nix
@@ -16,7 +16,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.
 
-{ config, options, ... }:
+{ config, options, pkgs, ... }:
 let
   certDir = config.security.acme.certs.${hostname}.directory;
   domain = config.networking.domain;
@@ -72,11 +72,28 @@ in {
       };
     };
 
-    nginx.virtualHosts.${hostname} = let alps = config.services.alps;
-    in {
-      enableACME = true;
-      forceSSL = true;
-      locations."/".proxyPass = "http://${alps.bindIP}:${toString alps.port}";
+    nginx.virtualHosts = {
+      "mta-sts.${domain}" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".root = pkgs.writeTextFile {
+          name = "mta-sts.txt";
+          text = ''
+            version: STSv1
+            mode: enforce
+            max_age: 604800
+            mx: ${hostname}
+          '';
+          destination = "/.well-known/mta-sts.txt";
+        };
+      };
+
+      ${hostname} = let alps = config.services.alps;
+      in {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".proxyPass = "http://${alps.bindIP}:${toString alps.port}";
+      };
     };
   };