From bdb52bca2f047282b1b0e766134905eda6948231 Mon Sep 17 00:00:00 2001 From: Nguyễn Gia Phong Date: Mon, 11 Sep 2023 17:25:05 +0900 Subject: Automate WKD setup --- mail.nix | 27 ++++++++++++++++++++++++++- wkd/cnx.asc | 13 +++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 wkd/cnx.asc diff --git a/mail.nix b/mail.nix index 9e363ef..1fd2d01 100644 --- a/mail.nix +++ b/mail.nix @@ -88,6 +88,31 @@ in { }; }; + ${domain}.locations."^~ /.well-known/openpgpkey" = { + root = with pkgs; stdenvNoCC.mkDerivation { + pname = "wkd"; + version = domain; + src = ./wkd; + nativeBuildInputs = [ gnupg ]; + installPhase = let + printWKDHash = "${gnupg}/libexec/gpg-wks-client --print-wkd-hash"; + in '' + hu=$out/.well-known/openpgpkey/hu + mkdir -p $hu + for key in *.asc + do + mb="''${key%.asc}@${domain}" + hash=$(echo "$mb" | ${printWKDHash}) + gpg --dearmor < "$key" > $hu/''${hash%" $mb"} + done + touch $out/.well-known/openpgpkey/policy + ''; + }; + extraConfig = '' + add_header Access-Control-Allow-Origin *; + ''; + }; + ${hostname} = let alps = config.services.alps; in { enableACME = true; @@ -97,6 +122,6 @@ in { }; }; - systemd.services.alps.serviceConfig.Requires = "maddy.service"; + systemd.services.alps.unitConfig.Requires = "maddy.service"; users.extraUsers.maddy.extraGroups = [ "nginx" "shadow" ]; } diff --git a/wkd/cnx.asc b/wkd/cnx.asc new file mode 100644 index 0000000..b68790d --- /dev/null +++ b/wkd/cnx.asc 
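Review bot: The `for key in *.asc` loop in `installPhase` publishes whatever each file dearmors to, under a mailbox derived only from the file name; nothing checks that the file is a public key block or that the key carries a user ID for `$mb`. A misnamed file would produce an entry that WKD clients such as GnuPG discard because no user ID matches the requested address, and a secret-key export dropped into `./wkd` by mistake would be dearmored and served like any other file. Before the `gpg --dearmor` line I would add `gpg --show-keys --with-colons "$key" | grep -qF "<$mb>"` so a mismatch stops the build, and skip or reject any file whose first line is not `-----BEGIN PGP PUBLIC KEY BLOCK-----`; gpg may need `GNUPGHOME` pointed at a temporary directory inside the build sandbox for this. Separately, nginx stops inheriting `add_header` directives from the enclosing level once a location defines its own, so if the `${domain}` vhost sets HSTS or similar headers outside this hunk they would have to be repeated in this `extraConfig`.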
@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZJNzBhYJKwYBBAHaRw8BAQdAP0qkVDz61+YSM9wEVZYBCteR16KPuhDnBVc5
+e4cpd/a0Ik5ndXnhu4VuIEdpYSBQaG9uZyA8Y254QGxvYW5nLm5ldD6IkwQTFgoA
+OxYhBIOK/g1V3AdONg+UOoS2nObz9rdnBQJkk3MGAhsDBQsJCAcCAiICBhUKCQgL
+AgQWAgMBAh4HAheAAAoJEIS2nObz9rdnmIgA/2xHKXXMK3rKFJBBzCsNy9kK7KqB
+vUEXXKHESboqm4LrAP0aVwPCI8cTJSSawTdaFLJVYfB7/L1vn2sFX6l/s8fqCbg4
+BGSTcwYSCisGAQQBl1UBBQEBB0CZwCQZj698YZA73ha6nmTPGTX572iI1mgxMB1T
+Kse+LAMBCAeIeAQYFgoAIBYhBIOK/g1V3AdONg+UOoS2nObz9rdnBQJkk3MGAhsM
+AAoJEIS2nObz9rdn2TIA/iK8eHNWGZZwdRCbSe3P6bPxEKwg/gOUjpcitu01hu6R
+AP0cRmHKJAnKAnQKzlM0Whsipiow3bBGqvLkfGBd6L+sDg==
+=Ckk3
+-----END PGP PUBLIC KEY BLOCK-----
-- cgit 1.4.1