root/the_prg_server_configuration_old
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add utility mail account and password; improve secret handling for dry-run in the most hecking scuffed arse secret management in the mail server configuration.

Browse source
This commit is contained in:
Root User 2026-02-16 17:29:42 +01:00
parent 27610eca0f
commit 908c90ff49
Signed by: root
GPG key ID: 087F0A95E5766D72
4 changed files with 54 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

57
nix-system-configs/modules/system/mail-server.nix
View file

@ -9,10 +9,17 @@
# generated stalwart config contains the actual secret values (not the
# literal "$FOO" placeholders). Using builtins.readFile here ensures the
# values are placed into the TOML at build time.
adminPassword = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."admin-password".path);
boardPassword = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."board-member-password".path);
cloudflareUsername = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."cloudflare-username".path);
cloudflareToken = builtins.replaceStrings ["\n"] [""] (builtins.readFile config.sops.secrets."cloudflare-dns-token".path);
# Use a safe helper that handles missing secret attributes or missing files
# during a dry-run (returns empty string if absent).
getSecret = secretAttr:
if secretAttr != null && builtins.pathExists secretAttr.path
then builtins.replaceStrings ["\n"] [""] (builtins.readFile secretAttr.path)
else "";
adminPassword = getSecret config.sops.secrets."admin-password";
boardPassword = getSecret config.sops.secrets."board-member-password";
utilityPassword = getSecret config.sops.secrets."utility-password";
cloudflareUsername = getSecret config.sops.secrets."cloudflare-username";
cloudflareToken = getSecret config.sops.secrets."cloudflare-dns-token";
in {
options.local = {
hostname = lib.mkOption {
@ -53,6 +60,8 @@ in {
environment.etc = {
"stalwart/mail-pw1".text = boardPassword; # principal password (board)
"stalwart/mail-pw1".mode = "0777";
"stalwart/mail-pw2".text = utilityPassword; # principal password (utility)
"stalwart/mail-pw2".mode = "0777";
"stalwart/admin-pw".text = adminPassword; # admin fallback password
"stalwart/admin-pw".mode = "0777";
"stalwart/acme-secret".text = cloudflareToken; # API token for ACME (Cloudflare)
@ -117,14 +126,14 @@ in {
hostname = "mail.prg-radio.org";
domain = "prg-radio.org";
};
acme."letsencrypt" = {
directory = "https://acme-v02.api.letsencrypt.org/directory";
challenge = "dns-01";
# reference the contact and secret via files under /etc/stalwart
contact = "%{file:/etc/stalwart/cloudflare-username}%";
domains = ["prg-radio.org" "mailadmin.prg-radio.org" "mail.prg-radio.org"];
provider = "cloudflare";
secret = "%{file:/etc/stalwart/acme-secret}%";
acme."letsencrypt" = {
directory = "https://acme-v02.api.letsencrypt.org/directory";
challenge = "dns-01";
# reference the contact and secret via files under /etc/stalwart
contact = "%{file:/etc/stalwart/cloudflare-username}%";
domains = ["prg-radio.org" "mailadmin.prg-radio.org" "mail.prg-radio.org"];
provider = "cloudflare";
secret = "%{file:/etc/stalwart/acme-secret}%";
};
session.auth = {
mechanisms = ["plain"];
@ -148,6 +157,18 @@ in {
secret = "%{file:/etc/stalwart/mail-pw1}%";
email = ["postmaster@prg-radio.org"];
}
{
class = "individual";
name = "no-reply";
secret = "%{file:/etc/stalwart/mail-pw2}%";
email = ["no-reply@prg-radio.org"];
}
{
class = "individual";
name = "service";
secret = "%{file:/etc/stalwart/mail-pw2}%";
email = ["service@prg-radio.org"];
}
];
};
authentication.fallback-admin = {
@ -157,11 +178,11 @@ in {
};
};
networking.firewall.allowedTCPPorts = [
25
];
networking.firewall.allowedUDPPorts = [
25
];
networking.firewall.allowedTCPPorts = [
25
];
networking.firewall.allowedUDPPorts = [
25
];
};
}