Update password management.

Root User 2026-02-15 17:40:37 +01:00
parent 70f6cc7930
commit e7d4f3d4a1
Signed by: root
GPG key ID: 087F0A95E5766D72
2 changed files with 23 additions and 11 deletions


@ -41,6 +41,18 @@ in {
]; ];
config = { config = {
# Pass secrets to Stalwart Mail service via environment variables
systemd.services.stalwart-mail = {
serviceConfig = {
EnvironmentFile = [
config.sops.secrets."cloudflare-username".path
config.sops.secrets."cloudflare-dns-token".path
config.sops.secrets."admin-password".path
config.sops.secrets."board-member-password".path
];
};
};
# Enable Tailscale for remote access to Traefik dashboard and configuration # Enable Tailscale for remote access to Traefik dashboard and configuration
services.tailscale.enable = true; services.tailscale.enable = true;
@ -99,10 +111,10 @@ in {
acme."letsencrypt" = { acme."letsencrypt" = {
directory = "https://acme-v02.api.letsencrypt.org/directory"; directory = "https://acme-v02.api.letsencrypt.org/directory";
challenge = "dns-01"; challenge = "dns-01";
contact = config.sops.secrets."cloudflare-username"; contact = "$CLOUDFLARE_USERNAME";
domains = ["prg-radio.org" "mail.prg-radio.org"]; domains = ["prg-radio.org" "mail.prg-radio.org"];
provider = "cloudflare"; provider = "cloudflare";
secret = config.sops.secrets."cloudflare-dns-token"; secret = "$CLOUDFLARE_API_TOKEN";
}; };
session.auth = { session.auth = {
mechanisms = "[plain]"; mechanisms = "[plain]";
@ -117,20 +129,20 @@ in {
{ {
class = "individual"; class = "individual";
name = "Polyteknisk Radiogruppe Board Member"; name = "Polyteknisk Radiogruppe Board Member";
secret = config.sops.secrets."board-member-password"; secret = "$BOARD_PASSWORD";
email = ["board@prg-radio.org"]; email = ["board@prg-radio.org"];
} }
{ {
class = "individual"; class = "individual";
name = "postmaster"; name = "postmaster";
secret = config.sops.secrets."board-member-password"; secret = "$BOARD_PASSWORD";
email = ["postmaster@prg-radio.org"]; email = ["postmaster@prg-radio.org"];
} }
]; ];
}; };
authentication.fallback-admin = { authentication.fallback-admin = {
user = "admin"; user = "admin";
secret = config.sops.secrets."admin-password"; secret = "$ADMIN_PASSWORD";
}; };
}; };
}; };
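Review bot: The new `"$ADMIN_PASSWORD"`, `"$BOARD_PASSWORD"`, `"$CLOUDFLARE_API_TOKEN"` and `"$CLOUDFLARE_USERNAME"` values in the second and third hunks are plain Nix strings, and as far as I know Stalwart does not expand shell-style `$VAR` in its configuration; its environment macro is `%{env:NAME}%`. If that holds, the fallback admin and both directory accounts would accept the literal placeholder text as their password and the ACME DNS-01 credentials would be invalid, so the lines should read e.g. `secret = "%{env:ADMIN_PASSWORD}%";` (same form for the other four). The added `EnvironmentFile` list also only works if each decrypted sops value is a single `NAME=value` line, which cannot be checked here because the file is encrypted; after deploy, confirm that a login using the placeholder string is rejected. The settings block these lines sit in starts outside the hunks shown.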


@ -1,7 +1,7 @@
admin-password: ENC[AES256_GCM,data:o8nD9CDNzufxVjfH7TqUY4QO6Xkz1xbpFu74jMVRR57NDKpKsg3ijRmBvvq1/QuJ2TM=,iv:xVGjzrRFpCyjriW6yB/UjuGiNhK4oeBiDA+Pk/BTOWc=,tag:H/ZuqffTDGsGTWTTKplvvA==,type:str] admin-password: ENC[AES256_GCM,data:1teK0r2L01ZJEdrF343El6GhHnLiqLMItDwy5XAU+uqZyKDb+gvRUaWP2L4BzSSHNqYDGmolyaJnvrMsxW1v3A4=,iv:d7J5vgeX6ZByBcw0im61Uj+hzbSiMdYKEdgqNohPSCA=,tag:gOAVtTGaQJTr4OjWa+7zOA==,type:str]
board-member-password: ENC[AES256_GCM,data:8KLyqyGFi/ehvbNU6HsWilMO42UnXYL6puc/OOPgMDiU2fuDM2o7TibUCn1BXi9UyiE=,iv:UyLOFSARK/5p/zin7vqQic9C5qlryd/O/mjcw3eZ3ao=,tag:N2RJC6nZC+V3XoAw/eWYfA==,type:str] board-member-password: ENC[AES256_GCM,data:eVQfHApjGtffBJgfAFvThhjMg6IF0zdtATWdYQ3YtKG50hEKrxMW2WoKuadPPlqC3S1D0AId3lg4VxPKY/fN1og=,iv:t92IVJD5ot7gVXkSsWIPJ6LmXVy9Fw6nDSS1ENcOG1w=,tag:lznVB7enNtVYdR+nbGXeZQ==,type:str]
cloudflare-dns-token: ENC[AES256_GCM,data:W0S9WWmhQMwjKbKI60vBjYlSb0chZUYcVs3A4DsVRfJwErcIqDWoJg==,iv:nRH8hLvCavydVC16M93N+r/t9WwNY4339CE4zGSINsk=,tag:yIUKs/XB3arhApGeik6p1A==,type:str] cloudflare-dns-token: ENC[AES256_GCM,data:TT5DaSvU97VPOsgspfbbf4REYByAy37lwRr8CPkGj0sEbYPvzV/Yw/ZMKWVu/SThPloGw/59FSx6o7yW/A==,iv:XfE73U60QguxsQlf5vzsy6dn1CkJLn4OplWAEwOSGe0=,tag:OaUhgMsOJ7npozoLblw/2w==,type:str]
cloudflare-username: ENC[AES256_GCM,data:5QCWOZcv6RKlk1/5LWjjCW0m,iv:9VzhRDlLq36pMfv0tu7POxheLFKdXP8tLLiKlTOr/30=,tag:MiijON1+mKJj6VMdnaJTkA==,type:str] cloudflare-username: ENC[AES256_GCM,data:i7pLjCmZDFZK/LcjO4vGrvhLtZqexF8X0ARmg0i/LsdP357OaPo=,iv:+841JT7nsdhqTWEMdEfJTYqqOoM2g9hoSz24q6aL4pw=,tag:Uqds4MZ179VcsicfifbHXQ==,type:str]
sops: sops:
age: age:
- recipient: age1746rvsvsc3snxfl7cndm222wd5kck4aqj3x7nednlegq0gdjhfcqx0qv7m - recipient: age1746rvsvsc3snxfl7cndm222wd5kck4aqj3x7nednlegq0gdjhfcqx0qv7m
@ -22,7 +22,7 @@ sops:
OFE3aWxZNThlWUUrUWlwZmtGYjJGT2sKFkoNZt6ThwzwQ2MMFjncrVrLKEhJ1hxh OFE3aWxZNThlWUUrUWlwZmtGYjJGT2sKFkoNZt6ThwzwQ2MMFjncrVrLKEhJ1hxh
uJuOfYFlQI80k3etChD64mTRMSK7Cr/BIc2625+jGJK4kOc+JpFDEQ== uJuOfYFlQI80k3etChD64mTRMSK7Cr/BIc2625+jGJK4kOc+JpFDEQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-15T14:13:19Z" lastmodified: "2026-02-15T16:35:00Z"
mac: ENC[AES256_GCM,data:7hFjuvictSbcXLqXwG0VgWErKJpFsy1PfDyepQQXpszpMT4Z/BwvXlk4ppKo8C0PaCLv2qi86yBmFm/O6xUBhsMEFWYHQ+mJpYtqLX0GDvj1cn4LwDEnRa+2SiHkkZeHSwrtOHCBw8vE2R2sXBaNMkUoSXkcQ4lPS6YjulpO1vw=,iv:5aZxEnPymcvNpsUyGvvRI3o7hnfExSFWlBrzoIhQkFQ=,tag:6JJGvBL9XeiPw+TdN2qEgA==,type:str] mac: ENC[AES256_GCM,data:LShVAjb1lCGq91O2mAwa7OzzOC01NrrSxnhLFPdbf8M93xXJSpz7U2GDQwfQ/3BsnIJiSgSLhrMYkNhDITaDWY90SrnL+tm0MhozQeiuKyfVal2Dr8P0VvxTxSaqemoFeyUvmJwe7rSjoEQnJYduilMqzhOcB/MkAivNeHnhQMQ=,iv:7zeV6HANpV0zGAg7UnM9l45FhO3jsOkzxMbJ1pTIIxU=,tag:3078xKYVrObEYSr8LAh9eg==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0