Update password management... again.

nix-system-configs/modules/system/mail-server.nix

@@ -44,15 +44,14 @@ in {
     # Pass secrets to Stalwart Mail service via environment variables
     systemd.services.stalwart-mail = {
       serviceConfig = {
-        EnvironmentFile = [
+        Environment = [
-          config.sops.secrets."cloudflare-username".path
+          (let v = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."cloudflare-username".path); in "CLOUDFLARE_USERNAME=${v}")
-          config.sops.secrets."cloudflare-dns-token".path
+          (let v = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."cloudflare-dns-token".path); in "CLOUDFLARE_API_TOKEN=${v}")
-          config.sops.secrets."admin-password".path
+          (let v = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."admin-password".path); in "ADMIN_PASSWORD=${v}")
-          config.sops.secrets."board-member-password".path
+          (let v = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."board-member-password".path); in "BOARD_PASSWORD=${v}")
         ];
       };
     };
-
     # Enable Tailscale for remote access to Traefik dashboard and configuration
     services.tailscale.enable = true;
 

nix-system-configs/secrets/mail/secrets.yaml

@@ -1,7 +1,7 @@
-admin-password: ENC[AES256_GCM,data:1teK0r2L01ZJEdrF343El6GhHnLiqLMItDwy5XAU+uqZyKDb+gvRUaWP2L4BzSSHNqYDGmolyaJnvrMsxW1v3A4=,iv:d7J5vgeX6ZByBcw0im61Uj+hzbSiMdYKEdgqNohPSCA=,tag:gOAVtTGaQJTr4OjWa+7zOA==,type:str]
+admin-password: ENC[AES256_GCM,data:GxV2THg8b6sa1B9kjoBpN5nPgIUIzGdCE3kUJx+Ik8mO9VGwLU//giTXrd983QDqNVc=,iv:0qbCOVT5z53gqEjFHAXLsyD+nCHGk+3Rn2Qt+ifgRJw=,tag:HDEir7oY5mpfpeyaVOUMJw==,type:str]
-board-member-password: ENC[AES256_GCM,data:eVQfHApjGtffBJgfAFvThhjMg6IF0zdtATWdYQ3YtKG50hEKrxMW2WoKuadPPlqC3S1D0AId3lg4VxPKY/fN1og=,iv:t92IVJD5ot7gVXkSsWIPJ6LmXVy9Fw6nDSS1ENcOG1w=,tag:lznVB7enNtVYdR+nbGXeZQ==,type:str]
+board-member-password: ENC[AES256_GCM,data:IHpjcweY0hQZObrrfbq67cQYJuYBS4zgcGoWcY487wqk2pPbNUOMAun9RzWXAk4X6N0=,iv:aVZArmVCSADLozsnDDhxKUizJ5CVmymKfaANcrniFvY=,tag:TGrpwrEUd5fdLyvYx8olZw==,type:str]
-cloudflare-dns-token: ENC[AES256_GCM,data:TT5DaSvU97VPOsgspfbbf4REYByAy37lwRr8CPkGj0sEbYPvzV/Yw/ZMKWVu/SThPloGw/59FSx6o7yW/A==,iv:XfE73U60QguxsQlf5vzsy6dn1CkJLn4OplWAEwOSGe0=,tag:OaUhgMsOJ7npozoLblw/2w==,type:str]
+cloudflare-dns-token: ENC[AES256_GCM,data:IpgU7An3IW/LFL+5OJ3oYH4c3eZjZFP+qK8/oFsNCorYKVaWPVOIVA==,iv:49UwRT8DfbC9ZIXgx7nCSxjHeIIAkiHD70ti3rWUexA=,tag:Vn9wVUhTgRlGG9E+i9NzGw==,type:str]
-cloudflare-username: ENC[AES256_GCM,data:i7pLjCmZDFZK/LcjO4vGrvhLtZqexF8X0ARmg0i/LsdP357OaPo=,iv:+841JT7nsdhqTWEMdEfJTYqqOoM2g9hoSz24q6aL4pw=,tag:Uqds4MZ179VcsicfifbHXQ==,type:str]
+cloudflare-username: ENC[AES256_GCM,data:AMgWBFP90f1ML/I6es0HIUoW,iv:64GGNMSdTrmurEsgdI82iTqD9FUW8leKu/JvT7Ls6Og=,tag:3rTWNF3NfTExCnV+RRwyVA==,type:str]
 sops:
     age:
         - recipient: age1746rvsvsc3snxfl7cndm222wd5kck4aqj3x7nednlegq0gdjhfcqx0qv7m
@@ -22,7 +22,7 @@ sops:
             OFE3aWxZNThlWUUrUWlwZmtGYjJGT2sKFkoNZt6ThwzwQ2MMFjncrVrLKEhJ1hxh
             uJuOfYFlQI80k3etChD64mTRMSK7Cr/BIc2625+jGJK4kOc+JpFDEQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-15T16:35:00Z"
+    lastmodified: "2026-02-15T17:16:50Z"
-    mac: ENC[AES256_GCM,data:LShVAjb1lCGq91O2mAwa7OzzOC01NrrSxnhLFPdbf8M93xXJSpz7U2GDQwfQ/3BsnIJiSgSLhrMYkNhDITaDWY90SrnL+tm0MhozQeiuKyfVal2Dr8P0VvxTxSaqemoFeyUvmJwe7rSjoEQnJYduilMqzhOcB/MkAivNeHnhQMQ=,iv:7zeV6HANpV0zGAg7UnM9l45FhO3jsOkzxMbJ1pTIIxU=,tag:3078xKYVrObEYSr8LAh9eg==,type:str]
+    mac: ENC[AES256_GCM,data:4FZe4zCBQY01TcsX8yU5cMz8C1C64L80QJFhhdC+3xxS0URw/QkpyevUnkT7gzmuHjwBbrdY/NpNTyNfzacxpw2dVt4MhvdDcKWqXV802DmBpaZcvfFlsjpSBIhXiudu428tQOwWgY3WmQfmg2wh46fRM8+QoZyaxOaX188Pu9U=,iv:EUuzxfz3cGK2yf555PQNpRCzOvlSVKLihBkUxNp8JjQ=,tag:L92aHzdQAY5K0QxkFpFvOQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0