From dc7cd068d7934177c342fd0e115958d0f0dd1e52 Mon Sep 17 00:00:00 2001
From: Nguyễn Gia Phong <cnx@loang.net>
Date: Sun, 25 Jun 2023 16:49:54 +0900
Subject: Complete MTA-STS setup

---
 mail.nix | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/mail.nix b/mail.nix
index 2909d36..91cadd9 100644
--- a/mail.nix
+++ b/mail.nix
@@ -16,7 +16,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.
 
-{ config, options, ... }:
+{ config, options, pkgs, ... }:
 let
   certDir = config.security.acme.certs.${hostname}.directory;
   domain = config.networking.domain;
@@ -72,11 +72,28 @@ in {
       };
     };
 
-    nginx.virtualHosts.${hostname} = let alps = config.services.alps;
-    in {
-      enableACME = true;
-      forceSSL = true;
-      locations."/".proxyPass = "http://${alps.bindIP}:${toString alps.port}";
+    nginx.virtualHosts = {
+      "mta-sts.${domain}" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".root = pkgs.writeTextFile {
+          name = "mta-sts.txt";
+          text = ''
+            version: STSv1
+            mode: enforce
+            max_age: 604800
+            mx: ${hostname}
+          '';
+          destination = "/.well-known/mta-sts.txt";
+        };
+      };
+
+      ${hostname} = let alps = config.services.alps;
+      in {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".proxyPass = "http://${alps.bindIP}:${toString alps.port}";
+      };
     };
   };
 
-- 
cgit 1.4.1