Add utility mail account and password; improve secret handling for dry-run in the most hecking scuffed arse secret management in the mail server configuration.

2026-02-16 17:29:42 +01:00 · 2026-02-16 17:29:42 +01:00 · 908c90ff49
commit 908c90ff49
parent 27610eca0f
4 changed files with 54 additions and 20 deletions
--- a/nix-system-configs/modules/secrets-config/sops-mail.nix
+++ b/nix-system-configs/modules/secrets-config/sops-mail.nix
@ -42,6 +42,13 @@
    mode = "0400";
  };

+  sops.secrets."utility-password" = {
+    format = "yaml";
+    sopsFile = ../../secrets/mail/secrets.yaml;
+    owner = "root";
+    mode = "0400";
+  };
+
  sops.secrets."cloudflare-dns-token" = {
    format = "yaml";
    sopsFile = ../../secrets/mail/secrets.yaml;
--- a/nix-system-configs/modules/system/mail-server.nix
+++ b/nix-system-configs/modules/system/mail-server.nix
@ -9,10 +9,17 @@
  # generated stalwart config contains the actual secret values (not the
  # literal "$FOO" placeholders). Using builtins.readFile here ensures the
  # values are placed into the TOML at build time.
-  adminPassword = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."admin-password".path);
-  boardPassword = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."board-member-password".path);
-  cloudflareUsername = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."cloudflare-username".path);
-  cloudflareToken = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."cloudflare-dns-token".path);
+  # Use a safe helper that handles missing secret attributes or missing files
+  # during a dry-run (returns empty string if absent).
+  getSecret = secretAttr:
+    if secretAttr != null && builtins.pathExists secretAttr.path
+    then builtins.replaceStrings ["\n"] [""] (builtins.readFile secretAttr.path)
+    else "";
+  adminPassword = getSecret config.sops.secrets."admin-password";
+  boardPassword = getSecret config.sops.secrets."board-member-password";
+  utilityPassword = getSecret config.sops.secrets."utility-password";
+  cloudflareUsername = getSecret config.sops.secrets."cloudflare-username";
+  cloudflareToken = getSecret config.sops.secrets."cloudflare-dns-token";
 in {
  options.local = {
    hostname = lib.mkOption {
@ -53,6 +60,8 @@ in {
    environment.etc = {
      "stalwart/mail-pw1".text = boardPassword; # principal password (board)
      "stalwart/mail-pw1".mode = "0777";
+      "stalwart/mail-pw2".text = utilityPassword; # principal password (utility)
+      "stalwart/mail-pw2".mode = "0777";
      "stalwart/admin-pw".text = adminPassword; # admin fallback password
      "stalwart/admin-pw".mode = "0777";
      "stalwart/acme-secret".text = cloudflareToken; # API token for ACME (Cloudflare)
@ -117,14 +126,14 @@ in {
          hostname = "mail.prg-radio.org";
          domain = "prg-radio.org";
        };
-           acme."letsencrypt" = {
-             directory = "https://acme-v02.api.letsencrypt.org/directory";
-            challenge = "dns-01";
-           # reference the contact and secret via files under /etc/stalwart
-            contact = "%{file:/etc/stalwart/cloudflare-username}%";
-           domains = ["prg-radio.org" "mailadmin.prg-radio.org" "mail.prg-radio.org"];
-           provider = "cloudflare";
-           secret = "%{file:/etc/stalwart/acme-secret}%";
+        acme."letsencrypt" = {
+          directory = "https://acme-v02.api.letsencrypt.org/directory";
+          challenge = "dns-01";
+          # reference the contact and secret via files under /etc/stalwart
+          contact = "%{file:/etc/stalwart/cloudflare-username}%";
+          domains = ["prg-radio.org" "mailadmin.prg-radio.org" "mail.prg-radio.org"];
+          provider = "cloudflare";
+          secret = "%{file:/etc/stalwart/acme-secret}%";
        };
        session.auth = {
          mechanisms = ["plain"];
@ -148,6 +157,18 @@ in {
              secret = "%{file:/etc/stalwart/mail-pw1}%";
              email = ["postmaster@prg-radio.org"];
            }
+            {
+              class = "individual";
+              name = "no-reply";
+              secret = "%{file:/etc/stalwart/mail-pw2}%";
+              email = ["no-reply@prg-radio.org"];
+            }
+            {
+              class = "individual";
+              name = "service";
+              secret = "%{file:/etc/stalwart/mail-pw2}%";
+              email = ["service@prg-radio.org"];
+            }
          ];
        };
        authentication.fallback-admin = {
@ -157,11 +178,11 @@ in {
      };
    };

-        networking.firewall.allowedTCPPorts = [
-            25
-        ];
-        networking.firewall.allowedUDPPorts = [
-            25
-        ];
+    networking.firewall.allowedTCPPorts = [
+      25
+    ];
+    networking.firewall.allowedUDPPorts = [
+      25
+    ];
  };
 }
--- a/nix-system-configs/modules/system/system_list.md
+++ b/nix-system-configs/modules/system/system_list.md
@ -0,0 +1,5 @@
+## Mail Server
+
+Todo: Resolve the issue with the Three / 3 about the IP PTR Record mismatch where the mail.prg-radio.org off the IP
+record is XXX.XXX.XXX.XXX.mobile.3.dk and not XXX.XXX.XXX.XXX, which hecks up the secure reverse DNS lookup.
+Current solution uses SMPT2Go, which has limited outbound mail limits.