Fix printer not supporting elliptic curve keys

3 files changed, 31 insertions, 2 deletions

diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix
index b50e346..d893ec4 100644
--- a/modules/private/mail/default.nix
+++ b/modules/private/mail/default.nix
@@ -22,6 +22,18 @@
         mxs = map (zone: "${config.hostEnv.mx.subdomain}.${zone.name}") zonesWithMx;
       in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
     };
+    # This is for clients that don’t support elliptic curves (e.g.
+    # printer)
+    security.acme.certs."mail-rsa" = config.myServices.certificates.certConfig // {
+      domain = config.hostEnv.fqdn;
+      keyType = "rsa4096";
+      extraDomains = let
+        zonesWithMx = builtins.filter (zone:
+          lib.attrsets.hasAttr "withEmail" zone && lib.lists.length zone.withEmail > 0
+        ) config.myEnv.dns.masterZones;
+        mxs = map (zone: "${config.hostEnv.mx.subdomain}.${zone.name}") zonesWithMx;
+      in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
+    };
     services.duplyBackup.profiles = {
       mail = {
         rootDir = "/var/lib";
diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix
index 77f9bd7..0304b89 100644
--- a/modules/private/mail/dovecot.nix
+++ b/modules/private/mail/dovecot.nix
@@ -80,6 +80,12 @@ in
       sslServerKey = "/var/lib/acme/mail/key.pem";
       sslCACert = "/var/lib/acme/mail/fullchain.pem";
       extraConfig = builtins.concatStringsSep "\n" [
+        # For printer which doesn’t support elliptic curve
+        ''
+          ssl_alt_cert = </var/lib/acme/mail-rsa/fullchain.pem
+          ssl_alt_key = </var/lib/acme/mail-rsa/key.pem
+        ''
+
         ''
           postmaster_address = postmaster@immae.eu
           mail_attribute_dict = file:%h/dovecot-attributes
@@ -269,6 +275,15 @@ in
       [
         "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders"
       ];
+    security.acme.certs."mail-rsa" = {
+      postRun = ''
+        systemctl restart dovecot2.service
+      '';
+      extraDomains = {
+        "imap.immae.eu" = null;
+        "pop3.immae.eu" = null;
+      };
+    };
     security.acme.certs."mail" = {
       postRun = ''
         systemctl restart dovecot2.service
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index 4791b41..92fa580 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -350,6 +350,10 @@
           "unix:${config.myServices.mail.milters.sockets.openarc}"
           "unix:${config.myServices.mail.milters.sockets.opendmarc}"
         ];
+
+        smtp_use_tls = true;
+        smtpd_use_tls = true;
+        smtpd_tls_chain_files = builtins.concatStringsSep "," [ "/var/lib/acme/mail/full.pem" "/var/lib/acme/mail-rsa/full.pem" ];
       };
       enable = true;
       enableSmtp = true;
@@ -388,8 +392,6 @@
       # This needs to reverse DNS
       hostname = config.hostEnv.fqdn;
       setSendmail = true;
-      sslCert = "/var/lib/acme/mail/fullchain.pem";
-      sslKey = "/var/lib/acme/mail/key.pem";
       recipientDelimiter = "+";
       masterConfig = {
         submissions = {