acme: procure a cert for mx.uninsane.org

we can use this later to allow SMTPS

config/net.nix

@@ -58,6 +58,8 @@
         ${iproute2}/bin/ip link set ovpns-veth-b netns ovpns
         ${iproute2}/bin/ip -n ovpns addr add 10.0.1.6/24 dev ovpns-veth-b
         ${iproute2}/bin/ip -n ovpns link set ovpns-veth-b up
+        # forward HTTP traffic, which we need for letsencrypt to work
+        ${iproute2}/bin/ip netns exec ovpns ${socat}/bin/socat TCP4-LISTEN:80,reuseaddr,fork,su=nobody TCP4:10.0.1.5:80 &
       '';
 
       ExecStop = with pkgs; writeScript "wg0veth-stop" ''

config/services/nginx.nix

@@ -182,11 +182,16 @@
     };
   };
 
-  # exists only to manage acme for dovecot
+  # exists only to manage certs for dovecot
   services.nginx.virtualHosts."imap.uninsane.org" = {
     forceSSL = true;
     enableACME = true;
   };
+  # exists only to manage certs for Postfix
+  services.nginx.virtualHosts."mx.uninsane.org" = {
+    forceSSL = true;
+    enableACME = true;
+  };
 
   security.acme.acceptTerms = true;
   security.acme.email = "acme@uninsane.org";

config/users.nix

@@ -39,8 +39,9 @@
       pkgs.nettools
       pkgs.nmap
       pkgs.ripgrep
-      pkgs.telnet
+      pkgs.socat
       pkgs.sudo
+      pkgs.telnet
       pkgs.wireguard
       pkgs.zola
       (pkgs.vim_configurable.customize {