1 files changed, 27 insertions, 1 deletions

diff --git a/ops/modules/depot-inbox.nix b/ops/modules/depot-inbox.nix
index 1f9acc3aab..3193f8d0ca 100644
--- a/ops/modules/depot-inbox.nix
+++ b/ops/modules/depot-inbox.nix
@@ -41,14 +41,38 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    # Having nginx *and* other services use ACME certificates for the
+    # same hostname is unsupported in NixOS without resorting to doing
+    # all ACME configuration manually.
+    #
+    # To work around this, we duplicate the TLS certificate used by
+    # nginx to a location that is readable by public-inbox daemons.
+    systemd.services.inbox-cert-sync = {
+      startAt = "daily";
+
+      script = ''
+        ${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \
+          /var/lib/acme/inbox.tvl.su/fullchain.pem /var/lib/public-inbox/tls/fullchain.pem
+
+        ${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \
+          /var/lib/acme/inbox.tvl.su/key.pem /var/lib/public-inbox/tls/key.pem
+      '';
+    };
+
     services.public-inbox = {
       enable = true;
 
       http.enable = true;
       http.port = 8053;
-      # imap.enable = true;
       # nntp.enable = true;
 
+      imap = {
+        enable = true;
+        port = 993;
+        cert = "/var/lib/public-inbox/tls/fullchain.pem";
+        key = "/var/lib/public-inbox/tls/key.pem";
+      };
+
       inboxes.depot = rec {
         address = [
           "depot@tvl.su" # primary address
@@ -72,6 +96,8 @@ in
       settings.publicinbox.wwwlisting = "all";
     };
 
+    networking.firewall.allowedTCPPorts = [ /* imap = */ 993 ];
+
     age.secrets.depot-inbox-imap = {
       file = depot.ops.secrets."depot-inbox-imap.age";
       mode = "0440";