feat: move mymx to it's own service

2026-03-05 00:51:49 -08:00
16 changed files with 26 additions and 3109 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -11,7 +11,7 @@
    ./modules/monitoring.nix
    ./modules/ntfy.nix
    ./modules/uptime-kuma.nix
-    ./modules/mymx.nix
+    # mymx module is imported via flake input in flake.nix
    ./secrets/secrets-scheme.nix
    # Impure Secrets
    ./secrets/secrets.nix
@ -87,7 +87,14 @@
  # Secrets handled via ./secrets.nix importing to config.mySecrets
  environment.etc."secrets/tailscale-auth".text = config.mySecrets.tailscaleKey;
  environment.etc."secrets/mymx-webhook".text = config.mySecrets.mymxWebhookSecret;
  services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth";
  # MyMX
  services.mymx = {
    enable = true;
    webhookSecretFile = "/etc/secrets/mymx-webhook";
  };
  # Allow Tailscale traffic
  networking.firewall.trustedInterfaces = [ "tailscale0" ];
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1771881364,
+        "lastModified": 1772699110,
-        "narHash": "sha256-A5uE/hMium5of/QGC6JwF5TGoDAfpNtW00T0s9u/PN8=",
+        "narHash": "sha256-jkyo/9fZVB3F/PHk3fVK1ImxJBZ71DCOYZvAz4R4v4E=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "a4cb7bf73f264d40560ba527f9280469f1f081c6",
+        "rev": "42affa9d33750ac0a0a89761644af20d8d03e6ee",
        "type": "github"
      },
      "original": {
@ -28,22 +28,26 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "path": "./services/mymx",
+        "lastModified": 1772700454,
-        "type": "path"
+        "narHash": "sha256-oy425GeM6KjK2NLUnWnoQVbtFD6lDgEXDtTOM6swjkM=",
        "ref": "refs/heads/main",
        "rev": "8daedbd5b627eba945054f2606adda69e985b6b2",
        "revCount": 1,
        "type": "git",
        "url": "https://git.extremist.software/jet/mymx"
      },
      "original": {
-        "path": "./services/mymx",
+        "type": "git",
-        "type": "path"
+        "url": "https://git.extremist.software/jet/mymx"
-      },
+      }
      "parent": []
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1772198003,
+        "lastModified": 1772624091,
-        "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=",
+        "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61",
+        "rev": "80bdc1e5ce51f56b19791b52b2901187931f5353",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -7,7 +7,7 @@
    disko.url = "github:nix-community/disko";
    disko.inputs.nixpkgs.follows = "nixpkgs";
-    mymx.url = "path:./services/mymx";
+    mymx.url = "git+https://git.extremist.software/jet/mymx";
    mymx.inputs.nixpkgs.follows = "nixpkgs";
@ -19,6 +19,7 @@
      specialArgs = { inherit inputs; };
      modules = [
        disko.nixosModules.disko
        inputs.mymx.nixosModules.default
        ./disk-config.nix
        ./configuration.nix
--- a/modules/mymx.nix
+++ b/modules/mymx.nix
@ -1,40 +0,0 @@
 { config, pkgs, inputs, ... }:
 {
  users.users.mymx = {
    isSystemUser = true;
    group = "mymx";
    description = "MyMX webhook service user";
  };
  users.groups.mymx = {};
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "mymx" ];
    ensureUsers = [{
      name = "mymx";
      ensureDBOwnership = true;
    }];
  };
  systemd.services.mymx = {
    description = "MyMX Webhook Receiver";
    after = [ "postgresql.service" "network.target" ];
    requires = [ "postgresql.service" ];
    wantedBy = [ "multi-user.target" ];
    environment = {
      DATABASE_URL = "postgres:///mymx?host=/run/postgresql";
      LISTEN_ADDR = "127.0.0.1:4002";
      MYMX_WEBHOOK_SECRET = config.mySecrets.mymxWebhookSecret;
    };
    serviceConfig = {
      ExecStart = "${inputs.mymx.packages.x86_64-linux.default}/bin/mymx-server";
      User = "mymx";
      Group = "mymx";
      Restart = "on-failure";
      RestartSec = 5;
    };
  };
 }
--- a/services/mymx/.envrc
+++ b/services/mymx/.envrc
@ -1 +0,0 @@
 use flake
--- a/services/mymx/.gitignore
+++ b/services/mymx/.gitignore
@ -1,2 +0,0 @@
 target/
 .direnv
--- a/services/mymx/Cargo.lock
+++ b/services/mymx/Cargo.lock
--- a/services/mymx/Cargo.toml
+++ b/services/mymx/Cargo.toml
@ -1,3 +0,0 @@
 [workspace]
 resolver = "2"
 members = ["mymx-sdk", "mymx-server"]
--- a/services/mymx/flake.lock
+++ b/services/mymx/flake.lock
@ -1,48 +0,0 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1772542754,
        "narHash": "sha256-WGV2hy+VIeQsYXpsLjdr4GvHv5eECMISX1zKLTedhdg=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "8c809a146a140c5c8806f13399592dbcb1bb5dc4",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs",
        "rust-overlay": "rust-overlay"
      }
    },
    "rust-overlay": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1772593411,
        "narHash": "sha256-47WOnCSyOL6AghZiMIJaTLWM359DHe3be9R1cNCdGUE=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "a741b36b77440f5db15fcf2ab6d7d592d2f9ee8f",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/services/mymx/flake.nix
+++ b/services/mymx/flake.nix
@ -1,40 +0,0 @@
 {
  description = "MyMX webhook receiver service";
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    rust-overlay.url = "github:oxalica/rust-overlay";
    rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = { self, nixpkgs, rust-overlay, ... }:
    let
      system = "x86_64-linux";
      pkgs = import nixpkgs {
        inherit system;
        overlays = [ rust-overlay.overlays.default ];
      };
      rustToolchain = pkgs.rust-bin.nightly.latest.default;
    in
    {
      packages.${system}.default = pkgs.rustPlatform.buildRustPackage {
        pname = "mymx-server";
        version = "0.1.0";
        src = ./.;
        cargoLock.lockFile = ./Cargo.lock;
        nativeBuildInputs = [ pkgs.pkg-config ];
        buildInputs = [ pkgs.openssl ];
        env.SQLX_OFFLINE = "true";
      };
      devShells.${system}.default = pkgs.mkShell {
        buildInputs = [
          rustToolchain
          pkgs.postgresql
          pkgs.pkg-config
          pkgs.openssl
          pkgs.sqlx-cli
        ];
      };
    };
 }
--- a/services/mymx/mymx-sdk/Cargo.toml
+++ b/services/mymx/mymx-sdk/Cargo.toml
@ -1,14 +0,0 @@
 [package]
 name = "mymx-sdk"
 version = "0.1.0"
 edition = "2021"
 [dependencies]
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 hmac = "0.12"
 sha2 = "0.10"
 hex = "0.4"
 subtle = "2"
 thiserror = "2"
 chrono = { version = "0.4", features = ["serde"] }
--- a/services/mymx/mymx-sdk/src/lib.rs
+++ b/services/mymx/mymx-sdk/src/lib.rs
@ -1,274 +0,0 @@
 use chrono::Utc;
 use hmac::{Hmac, Mac};
 use serde::Deserialize;
 use sha2::Sha256;
 use subtle::ConstantTimeEq;
 use thiserror::Error;
 type HmacSha256 = Hmac<Sha256>;
 #[derive(Debug, Error)]
 pub enum Error {
    #[error("invalid signature header format")]
    InvalidSignatureHeader,
    #[error("signature verification failed")]
    SignatureVerificationFailed,
    #[error("timestamp too old (replay protection)")]
    TimestampTooOld,
    #[error("failed to parse webhook body: {0}")]
    ParseError(#[from] serde_json::Error),
    #[error("HMAC error: {0}")]
    HmacError(String),
 }
 #[derive(Debug, Deserialize)]
 pub struct EmailReceivedEvent {
    pub id: String,
    pub event: String,
    pub version: String,
    pub delivery: Delivery,
    pub email: Email,
 }
 #[derive(Debug, Deserialize)]
 pub struct Delivery {
    pub endpoint_id: String,
    pub attempt: u32,
    pub attempted_at: String,
 }
 #[derive(Debug, Deserialize)]
 pub struct Email {
    pub id: String,
    pub received_at: String,
    pub smtp: SmtpEnvelope,
    pub headers: EmailHeaders,
    pub content: Content,
    pub parsed: ParsedEmail,
    pub analysis: Option<Analysis>,
    pub auth: Option<Auth>,
 }
 #[derive(Debug, Deserialize)]
 pub struct SmtpEnvelope {
    pub helo: Option<String>,
    pub mail_from: String,
    pub rcpt_to: Vec<String>,
 }
 #[derive(Debug, Deserialize)]
 pub struct EmailHeaders {
    pub message_id: Option<String>,
    pub subject: Option<String>,
    pub from: String,
    pub to: String,
    pub date: Option<String>,
 }
 #[derive(Debug, Deserialize)]
 pub struct Content {
    pub raw: RawContent,
    pub download: Option<Download>,
 }
 #[derive(Debug, Deserialize)]
 pub struct Download {
    pub url: String,
    pub expires_at: String,
 }
 #[derive(Debug, Deserialize)]
 pub struct RawContent {
    pub included: bool,
    pub data: Option<String>,
    pub sha256: Option<String>,
    pub encoding: Option<String>,
    pub size_bytes: Option<u64>,
    pub max_inline_bytes: Option<u64>,
 }
 #[derive(Debug, Deserialize)]
 pub struct ParsedEmail {
    pub status: String,
    pub body_text: Option<String>,
    pub body_html: Option<String>,
    #[serde(default)]
    pub attachments: Vec<serde_json::Value>,
    pub cc: Option<String>,
    pub bcc: Option<String>,
    pub error: Option<String>,
    pub reply_to: Option<String>,
    pub references: Option<String>,
    pub in_reply_to: Option<String>,
    pub attachments_download_url: Option<String>,
 }
 #[derive(Debug, Deserialize)]
 pub struct Analysis {
    pub spamassassin: Option<SpamScore>,
 }
 #[derive(Debug, Deserialize)]
 pub struct SpamScore {
    pub score: Option<f64>,
 }
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct Auth {
    pub spf: Option<String>,
    pub dmarc: Option<String>,
    pub dmarc_policy: Option<String>,
    pub dkim_signatures: Option<Vec<DkimSignature>>,
    pub dmarc_spf_strict: Option<bool>,
    pub dmarc_dkim_strict: Option<bool>,
    pub dmarc_from_domain: Option<String>,
    pub dmarc_spf_aligned: Option<bool>,
    pub dmarc_dkim_aligned: Option<bool>,
 }
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct DkimSignature {
    pub algo: String,
    pub domain: String,
    pub result: String,
    pub aligned: bool,
    pub key_bits: Option<u32>,
    pub selector: String,
 }
 /// Parse the MyMX-Signature header to extract timestamp and signature.
 /// Format: `t=<unix_ts>,v1=<hmac_hex>`
 fn parse_signature_header(header: &str) -> Result<(i64, String), Error> {
    let mut timestamp = None;
    let mut signature = None;
    for part in header.split(',') {
        let part = part.trim();
        if let Some(t) = part.strip_prefix("t=") {
            timestamp = Some(
                t.parse::<i64>()
                    .map_err(|_| Error::InvalidSignatureHeader)?,
            );
        } else if let Some(v) = part.strip_prefix("v1=") {
            signature = Some(v.to_string());
        }
    }
    match (timestamp, signature) {
        (Some(t), Some(s)) => Ok((t, s)),
        _ => Err(Error::InvalidSignatureHeader),
    }
 }
 /// Verify the webhook signature from MyMX.
 ///
 /// 1. Parse the signature header to extract timestamp and HMAC
 /// 2. Construct the signed payload: `"{timestamp}.{raw_body}"`
 /// 3. Compute HMAC-SHA256 with the webhook secret
 /// 4. Constant-time compare
 /// 5. Reject timestamps older than 5 minutes
 pub fn verify_signature(raw_body: &str, signature_header: &str, secret: &str) -> Result<(), Error> {
    let (timestamp, expected_sig) = parse_signature_header(signature_header)?;
    // Replay protection: reject timestamps older than 5 minutes
    let now = Utc::now().timestamp();
    if now - timestamp > 300 {
        return Err(Error::TimestampTooOld);
    }
    // Construct signed payload
    let payload = format!("{}.{}", timestamp, raw_body);
    // Compute HMAC-SHA256
    let mut mac =
        HmacSha256::new_from_slice(secret.as_bytes()).map_err(|e| Error::HmacError(e.to_string()))?;
    mac.update(payload.as_bytes());
    let result = hex::encode(mac.finalize().into_bytes());
    // Constant-time compare
    if result.as_bytes().ct_eq(expected_sig.as_bytes()).into() {
        Ok(())
    } else {
        Err(Error::SignatureVerificationFailed)
    }
 }
 /// Parse the raw webhook body into an `EmailReceivedEvent`.
 pub fn parse_webhook(raw_body: &str) -> Result<EmailReceivedEvent, Error> {
    Ok(serde_json::from_str(raw_body)?)
 }
 /// Verify signature and parse the webhook in one step.
 pub fn handle_webhook(
    raw_body: &str,
    signature_header: &str,
    secret: &str,
 ) -> Result<EmailReceivedEvent, Error> {
    verify_signature(raw_body, signature_header, secret)?;
    parse_webhook(raw_body)
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn test_parse_signature_header() {
        let (t, sig) = parse_signature_header("t=1234567890,v1=abcdef").unwrap();
        assert_eq!(t, 1234567890);
        assert_eq!(sig, "abcdef");
    }
    #[test]
    fn test_parse_signature_header_invalid() {
        assert!(parse_signature_header("invalid").is_err());
        assert!(parse_signature_header("t=abc,v1=def").is_err());
        assert!(parse_signature_header("t=123").is_err());
    }
    #[test]
    fn test_verify_signature() {
        let secret = "test_secret";
        let body = r#"{"test": true}"#;
        let now = Utc::now().timestamp();
        // Compute expected signature
        let payload = format!("{}.{}", now, body);
        let mut mac = HmacSha256::new_from_slice(secret.as_bytes()).unwrap();
        mac.update(payload.as_bytes());
        let sig = hex::encode(mac.finalize().into_bytes());
        let header = format!("t={},v1={}", now, sig);
        assert!(verify_signature(body, &header, secret).is_ok());
    }
    #[test]
    fn test_parse_real_payload() {
        let payload = r#"{"id":"evt_8fe3f76b51ffd44da96bbb98","email":{"id":"e90fef93-9549-4e17-b86f-295c13089645","auth":{"spf":"fail","dmarc":"pass","dmarcPolicy":"reject","dkimSignatures":[{"algo":"rsa-sha256","domain":"extremist.software","result":"pass","aligned":true,"keyBits":2048,"selector":"202602r"},{"algo":"ed25519-sha256","domain":"extremist.software","result":"pass","aligned":true,"keyBits":null,"selector":"202602e"}],"dmarcSpfStrict":false,"dmarcDkimStrict":false,"dmarcFromDomain":"extremist.software","dmarcSpfAligned":false,"dmarcDkimAligned":true},"smtp":{"helo":"extremist.software","rcpt_to":["mail@mymx.extremist.software"],"mail_from":"jet@extremist.software"},"parsed":{"cc":null,"bcc":null,"error":null,"status":"complete","reply_to":null,"body_html":null,"body_text":"hello","references":null,"attachments":[],"in_reply_to":null,"attachments_download_url":null},"content":{"raw":{"data":"dGVzdA==","sha256":"2c0e0a77","encoding":"base64","included":true,"size_bytes":1189,"max_inline_bytes":262144},"download":{"url":"https://example.com/download","expires_at":"2026-03-05T21:19:50.000Z"}},"headers":{"to":"mail@mymx.extremist.software","date":"Wed, 4 Mar 2026 13:19:42 -0800","from":"Jet <jet@extremist.software>","subject":"hello","message_id":"<2c7d9c88@extremist.software>"},"analysis":{"spamassassin":{"score":2}},"received_at":"2026-03-04T21:19:45.686Z"},"event":"email.received","version":"2025-12-14","delivery":{"attempt":1,"endpoint_id":"eb257e74-566c-4110-a35e-c7e02d00b035","attempted_at":"2026-03-04T21:19:50.626Z"}}"#;
        let event = parse_webhook(payload).unwrap();
        assert_eq!(event.email.headers.from, "Jet <jet@extremist.software>");
        assert_eq!(event.email.parsed.body_text.as_deref(), Some("hello"));
        assert_eq!(event.email.headers.subject.as_deref(), Some("hello"));
        assert_eq!(event.email.id, "e90fef93-9549-4e17-b86f-295c13089645");
    }
    #[test]
    fn test_verify_signature_replay() {
        let secret = "test_secret";
        let body = r#"{"test": true}"#;
        let old_ts = Utc::now().timestamp() - 600; // 10 minutes ago
        let payload = format!("{}.{}", old_ts, body);
        let mut mac = HmacSha256::new_from_slice(secret.as_bytes()).unwrap();
        mac.update(payload.as_bytes());
        let sig = hex::encode(mac.finalize().into_bytes());
        let header = format!("t={},v1={}", old_ts, sig);
        assert!(matches!(
            verify_signature(body, &header, secret),
            Err(Error::TimestampTooOld)
        ));
    }
 }
--- a/services/mymx/mymx-server/Cargo.toml
+++ b/services/mymx/mymx-server/Cargo.toml
@ -1,17 +0,0 @@
 [package]
 name = "mymx-server"
 version = "0.1.0"
 edition = "2021"
 [dependencies]
 mymx-sdk = { path = "../mymx-sdk" }
 axum = "0.8"
 tokio = { version = "1", features = ["full"] }
 sqlx = { version = "0.8", features = ["runtime-tokio", "tls-rustls", "postgres", "chrono"] }
 sha2 = "0.10"
 hex = "0.4"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 tracing = "0.1"
 tracing-subscriber = "0.3"
 chrono = { version = "0.4", features = ["serde"] }
--- a/services/mymx/mymx-server/migrations/20260304000000_create_emails.sql
+++ b/services/mymx/mymx-server/migrations/20260304000000_create_emails.sql
@ -1,6 +0,0 @@
 CREATE TABLE IF NOT EXISTS emails (
    id SERIAL PRIMARY KEY,
    body TEXT NOT NULL,
    subject TEXT,
    received_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
--- a/services/mymx/mymx-server/migrations/20260305000000_add_from_and_email_id.sql
+++ b/services/mymx/mymx-server/migrations/20260305000000_add_from_and_email_id.sql
@ -1,2 +0,0 @@
 ALTER TABLE emails ADD COLUMN from_address TEXT;
 ALTER TABLE emails ADD COLUMN mymx_email_id TEXT UNIQUE;
--- a/services/mymx/mymx-server/src/main.rs
+++ b/services/mymx/mymx-server/src/main.rs
@ -1,299 +0,0 @@
 use axum::{
    extract::State,
    http::{HeaderMap, StatusCode},
    response::{Html, IntoResponse},
    routing::{get, post},
    Json, Router,
 };
 use chrono::{DateTime, Utc};
 use sha2::{Digest, Sha256};
 use sqlx::postgres::PgPoolOptions;
 use sqlx::{FromRow, PgPool};
 use std::env;
 #[derive(Clone)]
 struct AppState {
    db: PgPool,
    webhook_secret: String,
 }
 #[derive(serde::Serialize)]
 struct WebhookResponse {
    received: bool,
 }
 #[derive(serde::Serialize)]
 struct ErrorResponse {
    error: String,
 }
 #[derive(serde::Serialize)]
 struct HealthResponse {
    status: String,
    #[serde(skip_serializing_if = "Option::is_none")]
    error: Option<String>,
 }
 #[derive(FromRow)]
 struct EmailRow {
    body: String,
    subject: Option<String>,
    from_address: Option<String>,
    received_at: DateTime<Utc>,
 }
 fn map_webhook_error(e: mymx_sdk::Error) -> (StatusCode, Json<ErrorResponse>) {
    match &e {
        mymx_sdk::Error::InvalidSignatureHeader => {
            tracing::warn!("Webhook rejected: invalid signature header format");
            (
                StatusCode::UNAUTHORIZED,
                Json(ErrorResponse {
                    error: "invalid signature header".into(),
                }),
            )
        }
        mymx_sdk::Error::SignatureVerificationFailed => {
            tracing::warn!("Webhook rejected: signature verification failed");
            (
                StatusCode::UNAUTHORIZED,
                Json(ErrorResponse {
                    error: "signature verification failed".into(),
                }),
            )
        }
        mymx_sdk::Error::TimestampTooOld => {
            tracing::warn!("Webhook rejected: timestamp too old (replay protection)");
            (
                StatusCode::UNAUTHORIZED,
                Json(ErrorResponse {
                    error: "timestamp too old".into(),
                }),
            )
        }
        mymx_sdk::Error::HmacError(msg) => {
            tracing::warn!("Webhook rejected: HMAC error: {}", msg);
            (
                StatusCode::UNAUTHORIZED,
                Json(ErrorResponse {
                    error: "hmac error".into(),
                }),
            )
        }
        mymx_sdk::Error::ParseError(parse_err) => {
            tracing::warn!("Webhook body parse failed: {}", parse_err);
            (
                StatusCode::UNPROCESSABLE_ENTITY,
                Json(ErrorResponse {
                    error: format!("failed to parse webhook body: {}", parse_err),
                }),
            )
        }
    }
 }
 #[tokio::main]
 async fn main() {
    tracing_subscriber::fmt::init();
    let database_url = env::var("DATABASE_URL").expect("DATABASE_URL must be set");
    let webhook_secret =
        env::var("MYMX_WEBHOOK_SECRET").expect("MYMX_WEBHOOK_SECRET must be set");
    let listen_addr = env::var("LISTEN_ADDR").unwrap_or_else(|_| "127.0.0.1:4002".to_string());
    let pool = PgPoolOptions::new()
        .max_connections(5)
        .connect(&database_url)
        .await
        .expect("Failed to connect to database");
    sqlx::migrate!()
        .run(&pool)
        .await
        .expect("Failed to run migrations");
    let state = AppState {
        db: pool,
        webhook_secret,
    };
    let app = Router::new()
        .route("/webhook", post(webhook_handler))
        .route("/health", get(health_handler))
        .route("/", get(index_handler))
        .with_state(state);
    let listener = tokio::net::TcpListener::bind(&listen_addr)
        .await
        .expect("Failed to bind listener");
    tracing::info!("Listening on {}", listen_addr);
    axum::serve(listener, app).await.unwrap();
 }
 async fn webhook_handler(
    State(state): State<AppState>,
    headers: HeaderMap,
    body: String,
 ) -> Result<Json<WebhookResponse>, (StatusCode, Json<ErrorResponse>)> {
    let signature = headers
        .get("MyMX-Signature")
        .and_then(|v| v.to_str().ok())
        .ok_or((
            StatusCode::BAD_REQUEST,
            Json(ErrorResponse {
                error: "missing MyMX-Signature header".into(),
            }),
        ))?;
    mymx_sdk::verify_signature(&body, signature, &state.webhook_secret)
        .map_err(map_webhook_error)?;
    let event = mymx_sdk::parse_webhook(&body).map_err(map_webhook_error)?;
    let email_body = event
        .email
        .parsed
        .body_text
        .or(event.email.parsed.body_html)
        .unwrap_or_default();
    let subject = event.email.headers.subject;
    let from_address = event.email.headers.from;
    let mymx_email_id = event.email.id;
    let received_at = chrono::DateTime::parse_from_rfc3339(&event.email.received_at)
        .map(|dt| dt.with_timezone(&Utc))
        .unwrap_or_else(|_| Utc::now());
    sqlx::query(
        "INSERT INTO emails (body, subject, from_address, mymx_email_id, received_at)
         VALUES ($1, $2, $3, $4, $5)
         ON CONFLICT (mymx_email_id) DO NOTHING",
    )
    .bind(&email_body)
    .bind(&subject)
    .bind(&from_address)
    .bind(&mymx_email_id)
    .bind(received_at)
    .execute(&state.db)
    .await
    .map_err(|e| {
        tracing::error!("Database insert failed: {}", e);
        (
            StatusCode::INTERNAL_SERVER_ERROR,
            Json(ErrorResponse {
                error: "internal server error".into(),
            }),
        )
    })?;
    tracing::info!(
        subject = subject.as_deref().unwrap_or("(none)"),
        from = %from_address,
        email_id = %mymx_email_id,
        "Received email"
    );
    Ok(Json(WebhookResponse { received: true }))
 }
 async fn health_handler(State(state): State<AppState>) -> impl IntoResponse {
    match sqlx::query_scalar::<_, i32>("SELECT 1").fetch_one(&state.db).await {
        Ok(_) => (
            StatusCode::OK,
            Json(HealthResponse {
                status: "ok".into(),
                error: None,
            }),
        ),
        Err(e) => (
            StatusCode::SERVICE_UNAVAILABLE,
            Json(HealthResponse {
                status: "unhealthy".into(),
                error: Some(e.to_string()),
            }),
        ),
    }
 }
 async fn index_handler(State(state): State<AppState>) -> Result<Html<String>, StatusCode> {
    let emails: Vec<EmailRow> = sqlx::query_as::<_, EmailRow>(
        "SELECT body, subject, from_address, received_at FROM emails",
    )
    .fetch_all(&state.db)
    .await
    .map_err(|e| {
        tracing::error!("Database query failed: {}", e);
        StatusCode::INTERNAL_SERVER_ERROR
    })?;
    let mut rows: Vec<(String, String, String, DateTime<Utc>)> = emails
        .into_iter()
        .map(|email| {
            let mut hasher = Sha256::new();
            hasher.update(email.body.as_bytes());
            let hash = hex::encode(hasher.finalize());
            let subject = email.subject.unwrap_or_default();
            let from = email.from_address.unwrap_or_default();
            (hash, subject, from, email.received_at)
        })
        .collect();
    // Sort alphabetically by hash
    rows.sort_by(|a, b| a.0.cmp(&b.0));
    let table_rows: String = rows
        .iter()
        .map(|(hash, subject, from, received_at)| {
            format!(
                "<tr><td><code>{}</code></td><td>{}</td><td>{}</td><td>{}</td></tr>",
                hash,
                html_escape(from),
                html_escape(subject),
                received_at.format("%Y-%m-%d %H:%M:%S UTC")
            )
        })
        .collect::<Vec<_>>()
        .join("\n");
    let html = format!(
        r#"<!DOCTYPE html>
 <html lang="en">
 <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>MyMX Emails</title>
    <style>
        body {{ font-family: monospace; margin: 2rem; background: #1a1a1a; color: #e0e0e0; }}
        h1 {{ color: #ffffff; }}
        table {{ border-collapse: collapse; width: 100%; }}
        th, td {{ border: 1px solid #333; padding: 0.5rem; text-align: left; }}
        th {{ background: #2a2a2a; }}
        tr:nth-child(even) {{ background: #222; }}
        code {{ font-size: 0.85em; word-break: break-all; }}
    </style>
 </head>
 <body>
    <h1>MyMX Emails</h1>
    <table>
        <thead>
            <tr><th>SHA-256 Hash</th><th>From</th><th>Subject</th><th>Received</th></tr>
        </thead>
        <tbody>
            {}
        </tbody>
    </table>
 </body>
 </html>"#,
        table_rows
    );
    Ok(Html(html))
 }
 fn html_escape(s: &str) -> String {
    s.replace('&', "&amp;")
        .replace('<', "&lt;")
        .replace('>', "&gt;")
        .replace('"', "&quot;")
 }
		`@ -1,2 +0,0 @@`
			`ALTER TABLE emails ADD COLUMN from_address TEXT;`
			`ALTER TABLE emails ADD COLUMN mymx_email_id TEXT UNIQUE;`