Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/cloud/hetzner/configuration.nix | 42 | ||||
| -rw-r--r-- | hosts/cloud/hetzner/mail.nix | 27 | ||||
| -rw-r--r-- | hosts/cloud/hetzner/nginx.nix | 21 | ||||
| -rw-r--r-- | hosts/local/s15/configuration.nix | 10 |
4 files changed, 84 insertions, 16 deletions
diff --git a/hosts/cloud/hetzner/configuration.nix b/hosts/cloud/hetzner/configuration.nix
index a432391..bc23cf7 100644
--- a/hosts/cloud/hetzner/configuration.nix
+++ b/hosts/cloud/hetzner/configuration.nix
@@ -14,7 +14,7 @@
 ../users.nix
 ../packages.nix
 ../../server.nix
- ./mail.nix
+ # ./mail.nix
 ];
 boot = {
 loader.grub = {
@@ -50,5 +50,45 @@
 # };
 # };
+ services.nostr-rs-relay = {
+ enable = true;
+ settings = {
+ info = {
+ description = "Oorbit coming";
+ pubkey = "npub1ll29wev5zztj7mugxnqlzpa45m0t779zte4x90ugf3psxxqyzr6sk9nq94";
+ relay_url = "wss://n.urbit.cloud";
+ name = "UrNostr";
+ };
+
+ network = {
+ # Bind to this network address
+ address = "0.0.0.0";
+ # Listen on port 12849 (this is the default). I have not managed to find any way to change it. KEEP IT default!
+ };
+
+ authorization = {
+ pubkey_whitelist = [
+ "npub1ll29wev5zztj7mugxnqlzpa45m0t779zte4x90ugf3psxxqyzr6sk9nq94"
+ ];
+ };
+
+ options = {
+ max_event_size = 16384;
+ reject_future_seconds = 1800;
+ };
+
+ limits = {
+ max_subscriptions = 20;
+ max_filters = 100;
+ };
+ };
+ };
+
+ # Open firewall for the relay port
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ]; # Add 80/443 if using a reverse proxy
+
 system.stateVersion = "24.11"; # Did you read the comment?
 }
diff --git a/hosts/cloud/hetzner/mail.nix b/hosts/cloud/hetzner/mail.nix
index 9ef4de8..4e218e7 100644
--- a/hosts/cloud/hetzner/mail.nix
+++ b/hosts/cloud/hetzner/mail.nix
@@ -1,8 +1,4 @@
-{
- config,
- pkgs,
- ...
-}: {
+{pkgs, ...}: {
 environment.etc = {
 "stalwart/mail-pw1".text = "poguo";
 "stalwart/mail-pw2".text = "shahezai";
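Review bot: `address = "0.0.0.0"` in the new `network` block makes the relay listen on every interface, although the nginx.nix change in this commit reaches it at `http://127.0.0.1:12849`; only the firewall, which here lists 80 and 443, stops clients from connecting to the relay directly and without TLS. Binding to loopback with `address = "127.0.0.1";` keeps that true regardless of firewall state. The comment `# Open firewall for the relay port` does not match the list under it, which opens the reverse-proxy ports rather than 12849; `# HTTP/HTTPS for the nginx reverse proxy; the relay port itself stays closed` would be accurate. The `npub1…` values in `info.pubkey` and `pubkey_whitelist` are worth checking too: as far as I know nostr-rs-relay's sample configuration expects 32-byte hex keys in both places, in which case the whitelist would not match the intended publisher.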
@@ -29,26 +25,37 @@
 submissions = {
 bind = "[::]:465";
 protocol = "smtp";
+ tls.implicit = true;
 };
 imaps = {
 bind = "[::]:993";
 protocol = "imap";
+ tls.implicit = true;
 };
- jmap = {
+ http = {
 bind = "[::]:8888";
 url = "https://mail.urbit.cloud";
- protocol = "jmap";
- };
- management = {
- bind = ["127.0.0.1:8888"];
 protocol = "http";
+ use-x-forwarded = true;
 };
+ # management = {
+ # bind = ["127.0.0.1:8888"];
+ # protocol = "http";
+ # };
 };
 };
 lookup.default = {
 hostname = "mail.urbit.cloud";
 domain = "urbit.cloud";
 };
+ acme."letsencrypt" = {
+ directory = "https://acme-v02.api.letsencrypt.org/directory";
+ challenge = "dns-01";
+ contact = "postmaster@urbit.cloud";
+ domains = ["urbit.cloud" "mail.urbit.cloud"];
+ provider = "cloudfare";
+ secret = "%{file:/etc/stalwart/acme-secret}";
+ };
 session.auth = {
 mechanisms = "[plain]";
 directory = "'in-memory'";
diff --git a/hosts/cloud/hetzner/nginx.nix b/hosts/cloud/hetzner/nginx.nix
index 2e88843..0e8dbb2 100644
--- a/hosts/cloud/hetzner/nginx.nix
+++ b/hosts/cloud/hetzner/nginx.nix
@@ -25,6 +25,25 @@
 proxy_cache off;
 '';
 };
+ virtualHosts."n.urbit.cloud" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:12849";
+ # TODO NIP 11
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ chunked_transfer_encoding off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
 # virtualHosts."bridge.urbit.cloud" = {
 # enableACME = true;
 # forceSSL = true;
@@ -48,6 +67,8 @@
 forceSSL = true;
 serverAliases = [
 "mail.urbit.cloud"
+ "autoconfig.urbit.cloud"
+ "autodiscover.urbit.cloud"
 "mta-sts.urbit.cloud"
 ];
 locations."/" = {
diff --git a/hosts/local/s15/configuration.nix b/hosts/local/s15/configuration.nix
index 8e06c2f..9c59a8b 100644
--- a/hosts/local/s15/configuration.nix
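Review bot: The new `http` listener keeps `bind = "[::]:8888"` and adds `use-x-forwarded = true`, so the HTTP endpoint that replaces the loopback-only `management` listener accepts connections on all addresses and takes the client address from a header that any direct caller can set. If nginx is the only intended client, `bind = ["127.0.0.1:8888"];`, as in the block now commented out, keeps the forwarded address trustworthy. `provider = "cloudfare"` looks like a misspelling of `cloudflare`; if so, the dns-01 order would presumably fail and the listeners that now set `tls.implicit = true` would come up without the intended certificate. The `secret` is read from `/etc/stalwart/acme-secret`, whose provisioning is not part of this hunk; a comment such as `# provisioned out of band, root-readable only; not via environment.etc.*.text, which lands in the world-readable store` would record the requirement, given that this file's first hunk shows passwords set through `environment.etc`.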
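Review bot: `proxy_set_header Forwarded $proxy_add_x_forwarded_for;` in the new `locations."/"` block writes an X-Forwarded-For style address list into the `Forwarded` header, whose RFC 7239 syntax is `for=…` pairs, so the backend is unlikely to recover a client address from it. The conventional line is `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, or `proxy_set_header X-Real-IP $remote_addr;` when the relay should only ever see the address nginx itself observed, because `$proxy_add_x_forwarded_for` appends to whatever the client sent. The relay settings added in configuration.nix do not name a header to read the client address from, so its logs and any per-client limits would presumably see 127.0.0.1 until both sides agree on one.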
+++ b/hosts/local/s15/configuration.nix
@@ -36,11 +36,11 @@
 # ../../network.nix
 # ../../gpg.nix
 ];
- environment.systemPackages = [
- # wrappers
- pkgs.superhtml
- pkgs.broken-sword-25
- ];
+ # environment.systemPackages = [
+ # # wrappers
+ # pkgs.superhtml
+ # pkgs.broken-sword-25
+ # ];
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It's perfectly fine and recommended to leave |
