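{ lib, pkgs, config, ... }:
let
  # Every e-mail policy (across all managed DNS zones) flagged `receive`
  # gets an MTA-STS policy. `d.fqdn` names the policy file; `d.domain` is
  # the zone the MX host names are built in.
  getDomains = p: lib.mapAttrsToList (n: v: v) (lib.filterAttrs (n: v: v.receive) p.emailPolicies);
  bydomain = builtins.mapAttrs (n: getDomains) config.myServices.dns.zones;
  domains = lib.flatten (builtins.attrValues bydomain);
  # Subdomain labels of every server that has an MX enabled.
  mxes = lib.mapAttrsToList
    (n: v: v.mx.subdomain)
    (lib.attrsets.filterAttrs (n: v: v.mx.enable) config.myEnv.servers);
  # RFC 8461 policy file, CRLF-separated.
  # NOTE: `mode: testing` only asks senders to *report* TLS failures; it
  # does not stop delivery over plaintext. Switch to `mode: enforce` once
  # TLSRPT reports show every listed MX presenting a valid certificate.
  # Whenever this file's content changes, the `id=` of the `_mta-sts` TXT
  # record must change too, or senders keep the cached policy until
  # max_age (one week) expires. That DNS record is not managed here.
  file = d: pkgs.writeText "mta-sts-${d.fqdn}.txt" (
    builtins.concatStringsSep "\r\n" ([ "version: STSv1" "mode: testing" ]
      ++ (map (v: "mx: ${v}.${d.domain}") mxes)
      ++ [ "max_age: 604800" ]
    ));
  # Document root: one `<fqdn>.txt` per receiving domain.
  root = pkgs.runCommand "mta-sts_root" {} ''
    mkdir -p $out
    ${builtins.concatStringsSep "\n" (map (d:
      "cp ${file d} $out/${d.fqdn}.txt"
    ) domains)}
  '';
  # The `mta-sts.<domain>` host names served by this vhost. The exact same
  # list goes on the certificate: MTA-STS requires a valid TLS certificate
  # for each policy host, so the two must never drift apart.
  stsHosts = ["mta-sts.mail.immae.eu"] ++ map (v: "mta-sts.${v.fqdn}") domains;
  cfg = config.myServices.websites.tools.email;
in
{
  config = lib.mkIf cfg.enable {
    security.acme.certs.mail.extraDomainNames = stsHosts;
    services.websites.env.tools.vhostConfs.mta_sts = {
      certName = "mail";
      hosts = stsHosts;
      root = root;
      extraConfig = [
        ''
          RewriteEngine on
          # Map https://mta-sts.<domain>/.well-known/mta-sts.txt to
          # <root>/<domain>.txt. The capture is limited to hostname
          # characters and an optional :port suffix is discarded, so the
          # Host header can never inject path separators into the file
          # path; dots in the literal parts are escaped so they match
          # only dots.
          RewriteCond %{HTTP_HOST} ^mta-sts\.([A-Za-z0-9.-]+)(:[0-9]+)?$
          RewriteRule ^/\.well-known/mta-sts\.txt$ %{DOCUMENT_ROOT}/%1.txt [L]
          <Directory ${root}>
            Require all granted
            Options -Indexes
          </Directory>
        ''
      ];
    };
  };
}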