From 8aa83e2bcc11f33eedff9e19fbb32f0bcda4b53e Mon Sep 17 00:00:00 2001
From: Rory&
Date: Sun, 3 Nov 2024 00:31:17 +0100
Subject: Portable changes, email server
---
host/Rory-nginx/services/email/maddy.nix | 46 ++++++++++++++++++++++++++++++++
host/Rory-nginx/services/email/nginx.nix | 21 +++++++++++++++
2 files changed, 67 insertions(+)
create mode 100644 host/Rory-nginx/services/email/maddy.nix
create mode 100644 host/Rory-nginx/services/email/nginx.nix
(limited to 'host/Rory-nginx/services')
diff --git a/host/Rory-nginx/services/email/maddy.nix b/host/Rory-nginx/services/email/maddy.nix
new file mode 100644
index 0000000..995d6a2
--- /dev/null
+++ b/host/Rory-nginx/services/email/maddy.nix
@@ -0,0 +1,46 @@
+{
+ pkgs,
+ options,
+ config,
+ ...
+}:
+{
+ services.maddy = {
+ enable = true;
+ primaryDomain = "rory.gay";
+ hostname = "mail.rory.gay";
+ ensureAccounts = [
+ "root@rory.gay"
+ ];
+ ensureCredentials = {
+ "root@rory.gay".passwordFile = "/var/lib/maddy/passwd/root";
+ };
+ config =
+ builtins.replaceStrings
+ [
+ "imap tcp://0.0.0.0:143"
+ "submission tcp://0.0.0.0:587"
+ ]
+ [
+ "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
+ "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
+ ]
+ options.services.maddy.config.default;
+
+ tls = {
+ loader = "file";
+ certificates = [
+ "/var/lib/acme/certs/mail.rory.gay/fullchain.pem"
+ "/var/lib/acme/certs/mail.rory.gay/privkey.pem"
+ ];
+ };
+ };
+ networking.firewall.allowedTCPPorts = [
+ 993
+ 465
+ ];
+
+ security.acme.certs."mail.rory.gay" = {
+ group = config.services.maddy.group;
+ };
+}
diff --git a/host/Rory-nginx/services/email/nginx.nix b/host/Rory-nginx/services/email/nginx.nix
new file mode 100644
index 0000000..a55a65a
--- /dev/null
+++ b/host/Rory-nginx/services/email/nginx.nix
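Review bot: The replacement strings in `services.maddy.config` keep the `tcp://0.0.0.0:143` and `tcp://0.0.0.0:587` endpoints bound on all interfaces, although this file only opens 993 and 465 in the firewall. If implicit TLS is the only intended client path, the replacements could be just `"imap tls://0.0.0.0:993"` and `"submission tls://0.0.0.0:465"`, so that no listener starting in cleartext exists for a client to be downgraded onto; whether 143/587 are opened elsewhere is not visible here. Separately, `builtins.replaceStrings` returns its input unchanged when a needle is absent, so a change to the upstream default config text would silently drop the TLS listeners while 993/465 stay open in the firewall. A comment above `config =` saying that the patch depends on the exact default strings, or an assertion that the result differs from `options.services.maddy.config.default`, would make that failure visible at build time. The `pkgs` argument is unused.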
@@ -0,0 +1,21 @@
+{ config, ... }:
+{
+ services.nginx.virtualHosts = {
+ "mta-sts.rory.gay" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/.well-known/mta-sts.txt" = {
+ # age 604800
+ return = ''
+ 200 'version: STSv1
+ mode: enforce
+ max_age: 120
+ mx: mail.rory.gay
+ ';'';
+
+ };
+ };
+ };
+ };
+}
--
cgit 1.4.1
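Review bot: `max_age: 120` in the policy body means senders cache the `enforce` policy for only two minutes, so most of the downgrade protection MTA-STS is meant to provide is lost: once the cache expires, a sender that cannot refetch the policy has nothing to enforce. The `# age 604800` comment above suggests 120 is a test value; I would either set `max_age: 604800` or make the comment explicit, e.g. `# TODO: raise max_age to 604800 once the policy is verified; 120 is for testing only`. Changing the policy also requires bumping the `id` in the `_mta-sts` TXT record, which is not part of this diff. The string itself ends in `';`, so if the nginx module appends its own terminator after `return`, the generated config would contain `;;`; it is worth checking the rendered nginx.conf.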