Squash changes containing private information
diff --git a/systems/eldiron/websites/mail/mta-sts.nix b/systems/eldiron/websites/mail/mta-sts.nix
new file mode 100644 (file)
index 0000000..2438702
--- /dev/null
@@ -0,0 +1,42 @@
+{ lib, pkgs, config,  ... }:
+let
+  getDomains = p: lib.mapAttrsToList (n: v: v) (lib.filterAttrs (n: v: v.receive) p.emailPolicies);
+  bydomain = builtins.mapAttrs (n: getDomains) config.myServices.dns.zones;
+  domains = lib.flatten (builtins.attrValues bydomain);
+  mxes = lib.mapAttrsToList
+    (n: v: v.mx.subdomain)
+    (lib.attrsets.filterAttrs (n: v: v.mx.enable) config.myEnv.servers);
+  file = d: pkgs.writeText "mta-sts-${d.fqdn}.txt" (
+    builtins.concatStringsSep "\r\n" ([ "version: STSv1" "mode: testing" ]
+    ++ (map (v: "mx: ${v}.${d.domain}") mxes)
+    ++ [ "max_age: 604800" ]
+    ));
+  root = pkgs.runCommand "mta-sts_root" {} ''
+    mkdir -p $out
+    ${builtins.concatStringsSep "\n" (map (d:
+      "cp ${file d} $out/${d.fqdn}.txt"
+    ) domains)}
+    '';
+  cfg = config.myServices.websites.tools.email;
+in
+{
+  config = lib.mkIf cfg.enable {
+    security.acme.certs.mail.extraDomainNames = ["mta-sts.mail.immae.eu"] ++ map (v: "mta-sts.${v.fqdn}") domains;
+    services.websites.env.tools.vhostConfs.mta_sts = {
+      certName   = "mail";
+      hosts = ["mta-sts.mail.immae.eu"] ++ map (v: "mta-sts.${v.fqdn}") domains;
+      root = root;
+      extraConfig = [
+        ''
+          RewriteEngine on
+          RewriteCond %{HTTP_HOST} ^mta-sts.(.*)$
+          RewriteRule ^/.well-known/mta-sts.txt$ %{DOCUMENT_ROOT}/%1.txt [L]
+          <Directory ${root}>
+            Require all granted
+            Options -Indexes
+          </Directory>
+        ''
+      ];
+    };
+  };
+}
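Review bot: The policy text built at lines 18–20 hard-codes `mode: testing`, so a sending MTA that fails TLS or MX validation still delivers the message (and at most reports the failure via TLSRPT, if that is configured elsewhere) — the published policy gives no downgrade protection until it is switched to `mode: enforce`. It would be worth making the mode a module option rather than a literal, and adding a comment next to it such as `# testing = report-only; switch to enforce once TLSRPT shows no failures` so the intended lifecycle is visible; `max_age: 604800` (one week) is also at the low end of what RFC 8461 expects once enforcing, which the same comment could flag. Separately, the `RewriteCond` at line 40 uses an unescaped dot (`^mta-sts.(.*)$`), which also matches hosts such as `mta-stsXmail.immae.eu`; `RewriteCond %{HTTP_HOST} ^mta-sts\.(.*)$` is the intended pattern. Since only the names in `hosts` are routed to this vhost the looser match is presumably harmless, but the exact pattern is easier to audit because `%1` is used directly as a file name under `%{DOCUMENT_ROOT}`.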