Expose mail web admin UI via Traefik under /management and update file permissions

Root User 2026-02-15 20:06:23 +01:00
parent a8c4486c20
commit a3249aa479
Signed by: root
GPG key ID: 087F0A95E5766D72
2 changed files with 32 additions and 9 deletions


@ -52,19 +52,21 @@ in {
# Create /etc/stalwart secret files so the generated TOML can reference them # Create /etc/stalwart secret files so the generated TOML can reference them
environment.etc = { environment.etc = {
"stalwart/mail-pw1".text = boardPassword; # principal password (board) "stalwart/mail-pw1".text = boardPassword; # principal password (board)
"stalwart/mail-pw1".mode = "0440"; "stalwart/mail-pw1".mode = "0777";
"stalwart/mail-pw1".user = "stalwart";
"stalwart/admin-pw".text = adminPassword; # admin fallback password "stalwart/admin-pw".text = adminPassword; # admin fallback password
"stalwart/admin-pw".mode = "0440"; "stalwart/admin-pw".mode = "0777";
"stalwart/admin-pw".user = "stalwart";
"stalwart/acme-secret".text = cloudflareToken; # API token for ACME (Cloudflare) "stalwart/acme-secret".text = cloudflareToken; # API token for ACME (Cloudflare)
"stalwart/acme-secret".mode = "0440"; "stalwart/acme-secret".mode = "0777";
"stalwart/acme-secret".user = "stalwart";
"stalwart/cloudflare-username".text = cloudflareUsername; # contact email for ACME "stalwart/cloudflare-username".text = cloudflareUsername; # contact email for ACME
"stalwart/cloudflare-username".mode = "0440"; "stalwart/cloudflare-username".mode = "0777";
"stalwart/cloudflare-username".user = "stalwart";
}; };
systemd.tmpfiles.rules = [
# z = create/modify file or directory, set mode and owner
"z /etc/stalwart 0555 root root - -"
];
# Enable Tailscale for remote access to Traefik dashboard and configuration # Enable Tailscale for remote access to Traefik dashboard and configuration
services.tailscale.enable = true; services.tailscale.enable = true;
@ -111,7 +113,7 @@ in {
protocol = "http"; protocol = "http";
}; };
management = { management = {
bind = ["127.0.0.1:8080"]; bind = ["127.0.0.1:8080" "[::]:8081"];
protocol = "http"; protocol = "http";
}; };
}; };
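Review bot: The new side of the four `.mode` lines sets `0777` on `stalwart/mail-pw1`, `stalwart/admin-pw`, `stalwart/acme-secret` and `stalwart/cloudflare-username`, so the principal password, the admin fallback password and the Cloudflare API token become readable and writable by every local account. Judging by the page's deletion count, the `.user = "stalwart"` lines are on the removed side, so the files would also fall back to the default owner. Keep the ownership and tighten the mode instead, e.g. `"stalwart/admin-pw".mode = "0400";` together with `"stalwart/admin-pw".user = "stalwart";`, and the same for the other three entries. Values passed through `.text` are also written to the world-readable Nix store, so a runtime secret mechanism (for example sops-nix or agenix) would be the sturdier fix. In the second hunk, the added `"[::]:8081"` bind opens the management listener on every interface over plain HTTP; binding it to the single address Traefik connects to would be narrower.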


@ -309,6 +309,10 @@ in {
scheme = "https"; scheme = "https";
}; };
}; };
# Middleware to strip the /management prefix when proxying to the mail admin
mail-strip-management = {
stripPrefix = { prefixes = ["/management"]; };
};
}; };
http.routers = { http.routers = {
@ -372,6 +376,16 @@ in {
entryPoints = ["websecure"]; entryPoints = ["websecure"];
tls = {certresolver = "acme";}; tls = {certresolver = "acme";};
}; };
# Mail web administration UI (Stalwart management) - exposed under /management
mail-webadmin = {
rule = "Host(`mail.prg-radio.org`) && PathPrefix(`/management`)";
service = "mail-webadmin";
entryPoints = ["websecure"];
tls = { certresolver = "acme"; };
# strip the /management prefix before proxying to the backend
middlewares = ["mail-strip-management"];
};
}; };
http.services = { http.services = {
@ -414,6 +428,13 @@ in {
mail-jmap.loadBalancer = { mail-jmap.loadBalancer = {
servers = [{url = "http://10.1.1.15:8080";}]; servers = [{url = "http://10.1.1.15:8080";}];
}; };
# Mail webadmin backend (management). Traefik will strip the /management
# prefix and forward the remainder to the management listener on the mail
# server which is bound to port 8081.
mail-webadmin.loadBalancer = {
servers = [{url = "http://10.1.1.15:8081";}];
};
}; };
# TCP routing for TeamSpeak # TCP routing for TeamSpeak
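Review bot: The `mail-webadmin` router publishes the Stalwart admin UI on the `websecure` entry point with `mail-strip-management` as its only middleware, so anyone who can reach `mail.prg-radio.org` gets the admin login and the admin password is the only barrier. Put an access restriction ahead of the prefix strip, e.g. `middlewares = ["mail-admin-allowlist" "mail-strip-management"];`, where `mail-admin-allowlist` is a placeholder name for an IP allow-list middleware (`ipAllowList` in Traefik v3) limited to the admin or Tailscale ranges. The backend URL `http://10.1.1.15:8081` in the `mail-webadmin.loadBalancer` hunk is plain HTTP, so admin credentials cross that network segment in clear unless it is protected some other way. The comment above the router could also record the intended audience, e.g. `# admin UI: restricted to <ADMIN_CIDR>, not meant to be open to the internet`.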