Implement mta-sts and move mail services to specific domain

[perso/Immae/Config/Nix.git] / modules / private / websites / tools / mail / mta-sts.nix

diff --git a/modules/private/websites/tools/mail/mta-sts.nix b/modules/private/websites/tools/mail/mta-sts.nix
new file mode 100644 (file)
index 0000000..bedefda
--- /dev/null
+++ b/modules/private/websites/tools/mail/mta-sts.nix
@@ -0,0 +1,55 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  domains = (lib.remove null (lib.flatten (map
+    (zone: map
+      (e: if e.receive
+      then {
+        domain = "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}";
+        mail = zone.name;
+      }
+      else null
+      )
+      (zone.withEmail or [])
+    )
+    myconfig.env.dns.masterZones
+  )));
+  # FIXME: increase the id number in modules/private/dns.nix when this
+  # file change (date -u +'%Y%m%d%H%M%S'Z)
+  file = domain: pkgs.writeText "mta-sts-${domain.domain}.txt" ''
+    version: STSv1
+    mode: testing
+    mx: mx-1.${domain.mail}
+    mx: mx-2.${domain.mail}
+    max_age: 604800
+    '';
+  root = pkgs.runCommand "mta-sts_root" {} ''
+    mkdir -p $out
+    ${builtins.concatStringsSep "\n" (map (d:
+      "cp ${file d} $out/${d.domain}.txt"
+    ) domains)}
+    '';
+in
+{
+  config.myServices.websites.webappDirs = {
+    _mta-sts = root;
+  };
+
+  config.services.websites.env.tools.vhostConfs.mta_sts = {
+    certName   = "mail";
+    addToCerts = true;
+    hosts = ["mta-sts.mail.immae.eu"] ++ map (v: "mta-sts.${v.domain}") domains;
+    root = "/run/current-system/webapps/_mta-sts";
+    extraConfig = [
+      ''
+        RewriteEngine on
+        RewriteCond %{HTTP_HOST} ^mta-sts.(.*)$
+        RewriteRule ^/.well-known/mta-sts.txt$ %{DOCUMENT_ROOT}/%1.txt [L]
+        <Directory /run/current-system/webapps/_mta-sts>
+          Require all granted
+          Options -Indexes
+        </Directory>
+      ''
+    ];
+  };
+
+}