Update password management.

Root User 2026-02-15 17:40:37 +01:00
parent 70f6cc7930
commit e7d4f3d4a1
Signed by: root
GPG key ID: 087F0A95E5766D72
2 changed files with 23 additions and 11 deletions


@ -41,6 +41,18 @@ in {
];
config = {
# Pass secrets to Stalwart Mail service via environment variables
systemd.services.stalwart-mail = {
serviceConfig = {
EnvironmentFile = [
config.sops.secrets."cloudflare-username".path
config.sops.secrets."cloudflare-dns-token".path
config.sops.secrets."admin-password".path
config.sops.secrets."board-member-password".path
];
};
};
# Enable Tailscale for remote access to Traefik dashboard and configuration
services.tailscale.enable = true;
@ -99,10 +111,10 @@ in {
acme."letsencrypt" = {
directory = "https://acme-v02.api.letsencrypt.org/directory";
challenge = "dns-01";
contact = config.sops.secrets."cloudflare-username";
contact = "$CLOUDFLARE_USERNAME";
domains = ["prg-radio.org" "mail.prg-radio.org"];
provider = "cloudflare";
secret = config.sops.secrets."cloudflare-dns-token";
secret = "$CLOUDFLARE_API_TOKEN";
};
session.auth = {
mechanisms = "[plain]";
@ -117,20 +129,20 @@ in {
{
class = "individual";
name = "Polyteknisk Radiogruppe Board Member";
secret = config.sops.secrets."board-member-password";
secret = "$BOARD_PASSWORD";
email = ["board@prg-radio.org"];
}
{
class = "individual";
name = "postmaster";
secret = config.sops.secrets."board-member-password";
secret = "$BOARD_PASSWORD";
email = ["postmaster@prg-radio.org"];
}
];
};
authentication.fallback-admin = {
user = "admin";
secret = config.sops.secrets."admin-password";
secret = "$ADMIN_PASSWORD";
};
};
};
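Review bot: The new `secret = "$ADMIN_PASSWORD";` (and likewise `$BOARD_PASSWORD`, `$CLOUDFLARE_API_TOKEN` and `$CLOUDFLARE_USERNAME` in the hunks above) uses shell-style variables, but systemd does not rewrite the generated configuration file and Stalwart's documented macro form is `%{env:NAME}%`, so unless something outside this page substitutes them, the fallback admin and both accounts would end up with the literal, guessable string as their password. Use `secret = "%{env:ADMIN_PASSWORD}%";`, or read the sops file directly with a `%{file:...}%` macro pointing at the secret's `.path`, which also keeps the value out of the process environment. The `EnvironmentFile` entries in the first hunk only define these variables if each sops secret contains a `NAME=value` line with exactly these names; the secret names (`admin-password`, `board-member-password`, `cloudflare-dns-token`) differ from the variable names, and the second changed file is not visible here, so that should be confirmed before deploying.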