about summary refs log tree commit diff
path: root/modules/nixos/nsd.nix
diff options
context:
space:
mode:
authorAzat Bahawi <azat@bahawi.net>2023-05-06 18:55:06 +0300
committerAzat Bahawi <azat@bahawi.net>2023-05-06 18:55:06 +0300
commit8f7371998f813857f25afef4160075665f924ab7 (patch)
tree7bffc723cbed32ab8aacae2feaf60de039bd3ff3 /modules/nixos/nsd.nix
parent2023-05-04 (diff)
2023-05-06
Diffstat (limited to 'modules/nixos/nsd.nix')
-rw-r--r--modules/nixos/nsd.nix58
1 files changed, 49 insertions, 9 deletions
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index 255c787..f8d9e4b 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -19,6 +19,27 @@ in {
   };
 
   config = mkIf cfg.enable {
+    nixfiles.modules.nginx = let
+      domain = my.domain.shire;
+    in {
+      enable = true;
+      virtualHosts = mapAttrs' (_: v:
+        nameValuePair "mta-sts.${v}" {
+          locations."= /.well-known/mta-sts.txt" = {
+            extraConfig = ''
+              add_header default_type text/plain;
+            '';
+            return = "200 '${concatStringsSep "\\r\\n" [
+              "version: STSv1"
+              "mode: enforce"
+              "max_age: 2419200"
+              "mx: ${domain}"
+            ]}'";
+          };
+        })
+      my.domain;
+    };
+
     services = {
       nsd = {
         enable = true;
@@ -40,8 +61,8 @@ in {
               domain ? my.domain.shire,
               dkimKey ? null,
             }: {
-              MX = [(mx.mx 10 "${domain}.")];
-              TXT = [(spf.strict ["a" "mx"])];
+              MX = [(mx.mx 10 "${my.domain.shire}.")];
+              TXT = [(spf.soft ["a"])];
               DMARC = [
                 {
                   p = "quarantine";
@@ -54,6 +75,7 @@ in {
                 selector = "mail";
                 p = dkimKey;
               };
+              subdomains._mta-sts.TXT = ["v=STSv1; id=20230506134541Z"];
             };
 
             mkZone = {
@@ -88,10 +110,11 @@ in {
             ariadneIdProof.TXT = ["openpgp4fpr:${my.pgp.fingerprint}"];
           in
             mkMerge [
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.shire;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   {
@@ -103,6 +126,8 @@ in {
                       yavanna = ips "yavanna";
                       "*.yavanna" = yavanna;
 
+                      mta-sts = manwe;
+
                       ns1 = manwe;
                       # ns2 = varda;
 
@@ -124,37 +149,52 @@ in {
                   }
                 ];
               })
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.azahi;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   ariadneIdProof
                   {
-                    subdomains.git = ips "manwe";
+                    subdomains = {
+                      mta-sts = ips "manwe";
+
+                      git = ips "manwe";
+                    };
                   }
                 ];
               })
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.gondor;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   {
-                    subdomains.frodo = ips "manwe" // ariadneIdProof;
+                    subdomains = {
+                      mta-sts = ips "manwe";
+
+                      frodo = ips "manwe" // ariadneIdProof;
+                    };
                   }
                 ];
               })
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.rohan;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   {
-                    subdomains.frodo = ips "manwe" // ariadneIdProof;
+                    subdomains = {
+                      mta-sts = ips "manwe";
+
+                      frodo = ips "manwe" // ariadneIdProof;
+                    };
                   }
                 ];
               })

Consider giving Nix/NixOS a try! <3