Revamp password, change password...

This commit is contained in:
Root User 2026-02-15 18:54:16 +01:00
parent 5289fc4a20
commit 8963c8d048
Signed by: root
GPG key ID: 087F0A95E5766D72
2 changed files with 32 additions and 22 deletions


@ -5,6 +5,14 @@
...
}: let
choose = paths: lib.findFirst builtins.pathExists null paths;
# Read secrets from sops-managed files and trim trailing newlines so the
# generated stalwart config contains the actual secret values (not the
# literal "$FOO" placeholders). Using builtins.readFile here ensures the
# values are placed into the TOML at build time.
adminPassword = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."admin-password".path);
boardPassword = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."board-member-password".path);
cloudflareUsername = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."cloudflare-username".path);
cloudflareToken = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."cloudflare-dns-token".path);
in {
options.local = {
hostname = lib.mkOption {
@ -41,17 +49,18 @@ in {
];
config = {
# Pass secrets to Stalwart Mail service via environment variables
systemd.services.stalwart-mail = {
serviceConfig = {
Environment = [
(let v = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."cloudflare-username".path); in "CLOUDFLARE_USERNAME=${v}")
(let v = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."cloudflare-dns-token".path); in "CLOUDFLARE_API_TOKEN=${v}")
(let v = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."admin-password".path); in "ADMIN_PASSWORD=${v}")
(let v = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."board-member-password".path); in "BOARD_PASSWORD=${v}")
];
};
# Create /etc/stalwart secret files so the generated TOML can reference them
environment.etc = {
"stalwart/mail-pw1".text = boardPassword; # principal password (board)
"stalwart/mail-pw1".mode = "0400";
"stalwart/admin-pw".text = adminPassword; # admin fallback password
"stalwart/admin-pw".mode = "0400";
"stalwart/acme-secret".text = cloudflareToken; # API token for ACME (Cloudflare)
"stalwart/acme-secret".mode = "0400";
"stalwart/cloudflare-username".text = cloudflareUsername; # contact email for ACME
"stalwart/cloudflare-username".mode = "0400";
};
# Enable Tailscale for remote access to Traefik dashboard and configuration
services.tailscale.enable = true;
@ -110,17 +119,18 @@ in {
acme."letsencrypt" = {
directory = "https://acme-v02.api.letsencrypt.org/directory";
challenge = "dns-01";
contact = "$CLOUDFLARE_USERNAME";
# reference the contact and secret via files under /etc/stalwart
contact = "%{file:/etc/stalwart/cloudflare-username}%";
domains = ["prg-radio.org" "mail.prg-radio.org"];
provider = "cloudflare";
secret = "$CLOUDFLARE_API_TOKEN";
secret = "%{file:/etc/stalwart/acme-secret}%";
};
session.auth = {
mechanisms = "[plain]";
directory = "'in-memory'";
mechanisms = ["plain"];
directory = "in-memory";
};
storage.directory = "in-memory";
session.rcpt.directory = "'in-memory'";
session.rcpt.directory = "in-memory";
directory."imap".lookup.domains = ["prg-radio.org"];
directory."in-memory" = {
type = "memory";
@ -128,20 +138,20 @@ in {
{
class = "individual";
name = "Polyteknisk Radiogruppe Board Member";
secret = "$BOARD_PASSWORD";
secret = "%{file:/etc/stalwart/mail-pw1}%";
email = ["board@prg-radio.org"];
}
{
class = "individual";
name = "postmaster";
secret = "$BOARD_PASSWORD";
secret = "%{file:/etc/stalwart/mail-pw1}%";
email = ["postmaster@prg-radio.org"];
}
];
};
authentication.fallback-admin = {
user = "admin";
secret = "$ADMIN_PASSWORD";
secret = "%{file:/etc/stalwart/admin-pw}%";
};
};
};
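Review bot: The `builtins.readFile config.sops.secrets.*.path` bindings added in the first hunk (`adminPassword` … `cloudflareToken`) pull the decrypted secrets into Nix evaluation, and the new `environment.etc."stalwart/*".text = …` entries in the second hunk then write those values into store paths, so the mail passwords and the Cloudflare DNS token end up world-readable under /nix/store (and in any binary cache this host pushes to) regardless of the `mode = "0400"` set on the /etc copies. Under a pure or flake evaluation the `readFile` will also fail or evaluate on the wrong machine, since the sops path only exists on the target after activation, which is what sops-nix is designed around. The `%{file:…}%` macros are the right direction; they should point at the sops-managed paths themselves and the secrets should be owned by the service user, with the `readFile` bindings and the `environment.etc` block dropped entirely. I cannot see the `sops.secrets` declarations or the stalwart service's `User` from this page, so the owner value below needs confirming against them. As a related point, a root-owned 0400 file under /etc is not readable by a non-root service user, so the current form likely fails at runtime even before the store exposure is considered.
```nix
# … unchanged: choose = paths: … (no readFile of secret paths in the let block) …
config = {
  # Secrets are decrypted on the target by sops-nix at activation and never
  # enter the Nix store; the service user must be able to read them.
  sops.secrets = {
    "board-member-password".owner = "stalwart-mail"; # TODO confirm service User
    "admin-password".owner = "stalwart-mail";
    "cloudflare-dns-token".owner = "stalwart-mail";
    "cloudflare-username".owner = "stalwart-mail";
  };
  # … unchanged: services.tailscale … acme directory/challenge/domains/provider …
  acme."letsencrypt".contact = "%{file:${config.sops.secrets."cloudflare-username".path}}%";
  acme."letsencrypt".secret = "%{file:${config.sops.secrets."cloudflare-dns-token".path}}%";
  # … unchanged: session/storage/directory settings; principals and fallback-admin use
  #   "%{file:${config.sops.secrets."board-member-password".path}}%" and
  #   "%{file:${config.sops.secrets."admin-password".path}}%" the same way …
```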