Expose mail web admin UI via Traefik under /management and update file permissions

2026-02-15 20:06:23 +01:00 · 2026-02-15 20:06:23 +01:00 · a3249aa479
commit a3249aa479
parent a8c4486c20
2 changed files with 32 additions and 9 deletions
--- a/nix-system-configs/modules/system/mail-server.nix
+++ b/nix-system-configs/modules/system/mail-server.nix
@ -52,19 +52,21 @@ in {
    # Create /etc/stalwart secret files so the generated TOML can reference them
    environment.etc = {
      "stalwart/mail-pw1".text = boardPassword; # principal password (board)
-      "stalwart/mail-pw1".mode = "0440";
-      "stalwart/mail-pw1".user = "stalwart";
+      "stalwart/mail-pw1".mode = "0777";
      "stalwart/admin-pw".text = adminPassword; # admin fallback password
-      "stalwart/admin-pw".mode = "0440";
-      "stalwart/admin-pw".user = "stalwart";
+      "stalwart/admin-pw".mode = "0777";
      "stalwart/acme-secret".text = cloudflareToken; # API token for ACME (Cloudflare)
-      "stalwart/acme-secret".mode = "0440";
-      "stalwart/acme-secret".user = "stalwart";
+      "stalwart/acme-secret".mode = "0777";
      "stalwart/cloudflare-username".text = cloudflareUsername; # contact email for ACME
-      "stalwart/cloudflare-username".mode = "0440";
-      "stalwart/cloudflare-username".user = "stalwart";
+      "stalwart/cloudflare-username".mode = "0777";
    };

+
+    systemd.tmpfiles.rules = [
+      # z = create/modify file or directory, set mode and owner
+      "z /etc/stalwart 0555 root root - -"
+    ];
+
    # Enable Tailscale for remote access to Traefik dashboard and configuration
    services.tailscale.enable = true;

@ -111,7 +113,7 @@ in {
              protocol = "http";
            };
            management = {
-              bind = ["127.0.0.1:8080"];
+              bind = ["127.0.0.1:8080" "[::]:8081"];
              protocol = "http";
            };
          };