author | Nguyễn Gia Phong <cnx@loang.net> | 2023-06-25 16:49:54 +0900 |
---|---|---|
committer | Nguyễn Gia Phong <cnx@loang.net> | 2023-06-25 16:49:54 +0900 |
commit | dc7cd068d7934177c342fd0e115958d0f0dd1e52 (patch) | |
tree | c825cdd95518061934297cc2a5e6c76c7aa567f3 | |
parent | 5a785f54a02d6770d71b26b060bf809eddf13452 (diff) | |
download | nixos-conf-dc7cd068d7934177c342fd0e115958d0f0dd1e52.tar.gz |
Complete MTA-STS setup
-rw-r--r-- | mail.nix | 29 |
1 files changed, 23 insertions, 6 deletions
diff --git a/mail.nix b/mail.nix
index 2909d36..91cadd9 100644
--- a/mail.nix
+++ b/mail.nix
@@ -16,7 +16,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with loang configuration. If not, see <https://www.gnu.org/licenses/>.
-{ config, options, ... }:
+{ config, options, pkgs, ... }:
 let
 certDir = config.security.acme.certs.${hostname}.directory;
 domain = config.networking.domain;
@@ -72,11 +72,28 @@ in {
 };
 };
- nginx.virtualHosts.${hostname} = let alps = config.services.alps;
- in {
- enableACME = true;
- forceSSL = true;
- locations."/".proxyPass = "http://${alps.bindIP}:${toString alps.port}";
+ nginx.virtualHosts = {
+ "mta-sts.${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".root = pkgs.writeTextFile {
+ name = "mta-sts.txt";
+ text = ''
+ version: STSv1
+ mode: enforce
+ max_age: 604800
+ mx: ${hostname}
+ '';
+ destination = "/.well-known/mta-sts.txt";
+ };
+ };
+
+ ${hostname} = let alps = config.services.alps;
+ in {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${alps.bindIP}:${toString alps.port}";
+ };
 };
 }; |
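Review bot: The policy text in the second hunk goes straight to `mode: enforce` with `max_age: 604800`, so a sender that has cached it will refuse delivery for up to a week if the certificate served for `${hostname}` on the SMTP side lapses or the MX set changes. RFC 8461's `mode: testing`, paired with a TLSRPT record, exists for this rollout phase; if enforce is intended from the start, a comment above `text` would record the dependencies, e.g. `# mx must match the DNS MX records and the SMTP certificate; change the id in the _mta-sts TXT record whenever this policy changes`. The `_mta-sts` TXT record is not visible in this file, so I am assuming it is managed elsewhere. The enclosing attribute set opens before the hunk and continues past it.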