-rw-r--r--disk-config.nix58
-rw-r--r--hosts/experimental-nixos/services/acme.nix2
-rw-r--r--hosts/experimental-nixos/services/ldap.nix4
-rw-r--r--hosts/experimental-nixos/services/secrets/ldap-content.agebin2325 -> 3054 bytes
-rw-r--r--hosts/experimental-nixos/services/secrets/ldap-search-pw.age13
-rw-r--r--hosts/experimental-nixos/services/secrets/stalwart-env.age13
-rw-r--r--hosts/experimental-nixos/services/stalwart.nix17
-rw-r--r--secrets.nix4
8 files changed, 24 insertions, 87 deletions
diff --git a/disk-config.nix b/disk-config.nix
deleted file mode 100644
index f717e6d..0000000
--- a/disk-config.nix
+++ /dev/null
@@ -1,58 +0,0 @@
-# # Example to create a bios compatible gpt partition
-{lib, ...}: {
- disko.devices = {
- disk = {
- sda = {
- device = "/dev/sda";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- size = "1M";
- type = "EF02";
- };
- sda2 = {
- size = "1G";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/boot";
- };
- };
-
- sda3 = {
- size = "100%";
- content = {
- type = "bcachefs";
- filesystem = "mounted_subvolumes_in_multi";
- label = "group_a.sda2";
- extraFormatArgs = [];
- };
- };
- };
- };
- };
- };
- bcachefs_filesystems = {
- mounted_subvolumes_in_multi = {
- type = "bcachefs_filesystem";
- extraFormatArgs = [
- "--compression=lz4"
- "--background_compression=lz4"
- ];
- subvolumes = {
- "subvolumes/root" = {
- mountpoint = "/";
- mountOptions = [
- "verbose"
- ];
- };
- "subvolumes/nix" = {
- mountpoint = "/nix";
- };
- };
- };
- };
- };
-}
diff --git a/hosts/experimental-nixos/services/acme.nix b/hosts/experimental-nixos/services/acme.nix
index 3ea342b..1517b19 100644
--- a/hosts/experimental-nixos/services/acme.nix
+++ b/hosts/experimental-nixos/services/acme.nix
@@ -2,7 +2,7 @@
security.acme = {
acceptTerms = true;
defaults = {
- email = "sirimaharjan@proton.me";
+ email = "contact@m4siri.com";
};
certs."m4siri.com" = {
webroot = "/var/lib/acme/acme-challenge/";
diff --git a/hosts/experimental-nixos/services/ldap.nix b/hosts/experimental-nixos/services/ldap.nix
index 47e67d5..92a7c1a 100644
--- a/hosts/experimental-nixos/services/ldap.nix
+++ b/hosts/experimental-nixos/services/ldap.nix
@@ -8,10 +8,6 @@
mode = "444";
};
- secrets.ldap-search = {
- file = ./secrets/ldap-search-pw.age;
- mode = "444";
- };
services.openldap = {
enable = true;
urlList = ["ldap:///"];
diff --git a/hosts/experimental-nixos/services/secrets/ldap-content.age b/hosts/experimental-nixos/services/secrets/ldap-content.age
index ec16d56..a0616e2 100644
--- a/hosts/experimental-nixos/services/secrets/ldap-content.age
+++ b/hosts/experimental-nixos/services/secrets/ldap-content.age
Binary files differ
diff --git a/hosts/experimental-nixos/services/secrets/ldap-search-pw.age b/hosts/experimental-nixos/services/secrets/ldap-search-pw.age
deleted file mode 100644
index a0cbba9..0000000
--- a/hosts/experimental-nixos/services/secrets/ldap-search-pw.age
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEF5bFBtZyBScERE
-MEZFdm9LbWh5b0xqdTd1TGJxTTU0L01pSk5zWHhlcWFKZzgvNGdzClY0ZHVNdWhm
-MWk4aHpYcnhoMlJLemZXL2g0VG8vVHc4YThUR21kSjEyOEEKLT4gc3NoLWVkMjU1
-MTkgbC94dFF3IHFHand2TGJUYUNDeExLemtvRUYxY0N0MW51WXk4ZzFqLzlWTnBI
-WmlueUEKeUZsSFNUWUVqcmtSbU9CZzVkTmM0SkUxUzJLZ2xNeUxyenZrWmZESFJL
-QQotPiAiLWdyZWFzZSBEWSBlWUlsditRCjk3aHdYYUdmS2ZRWTF5bmRQNkNjN2px
-ODJyaTh2Nk5NbXRsZXY4WTlmaEdEb0xVYlQvUVRIcFNBTS9vZmcwWVkKUkFTbTFo
-QjRRNmlOR1hjd1Z6RnJQcVlWdlZFanNMazRVREVuazVxazliR3NJdi9Ca3FSL3JH
-VG8KLS0tIFUvV1F4YVg2UGJtS1U0a3JidEh2elRDZEViUmI5RSt4MWZEdU1VOFN3
-VHMKbS4mptDGnMfvSjnBm+eKrYhg/VFqR2jovtL3KgViBNhWAh3Sg5Mdua0GEfhM
-oNuLTadgM+lAIIdsjAej6Kba0uhjr7P+M+8=
------END AGE ENCRYPTED FILE-----
diff --git a/hosts/experimental-nixos/services/secrets/stalwart-env.age b/hosts/experimental-nixos/services/secrets/stalwart-env.age
new file mode 100644
index 0000000..97bc743
--- /dev/null
+++ b/hosts/experimental-nixos/services/secrets/stalwart-env.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/experimental-nixos/services/stalwart.nix b/hosts/experimental-nixos/services/stalwart.nix
index 665fb6e..4321234 100644
--- a/hosts/experimental-nixos/services/stalwart.nix
+++ b/hosts/experimental-nixos/services/stalwart.nix
@@ -10,10 +10,13 @@
"${nixpkgs-unstable}/nixos/modules/services/mail/stalwart-mail.nix"
];
- environment.etc."stalwart-mail/search-pw".source = config.secrets.ldap-search.path;
+ secrets.stalwart-env = {
+ file = ./secrets/stalwart-env.age;
+ mode = "444";
+ };
systemd.services.stalwart-mail.serviceConfig = {
- EnvironmentFile = config.age.secrets.ldap-search.path;
+ EnvironmentFile = config.age.secrets.stalwart-env.path;
};
users.users.stalwart-mail.extraGroups = ["acme"];
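Review bot: The new `secrets.stalwart-env` is declared with `mode = "444"`, which leaves the decrypted environment file, the one that a later hunk in this file reads `STALWART_ADMIN_PW` from, readable by every local account on the host. systemd loads `EnvironmentFile` as root before the unit drops to its service user, so `mode = "400";` with the default root owner is sufficient here (or `owner = "stalwart-mail"; mode = "400";` if the service itself also needs to open the file). The removed `ldap-search` secret used the same `444`, but this is the commit that puts an admin credential in such a file, so it is the place to tighten it. `secrets.*` appears to be a local wrapper around `age.secrets` (the path is read back through `config.age.secrets.stalwart-env.path`); confirm that `mode` is forwarded by the wrapper.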
@@ -22,11 +25,6 @@
enable = true;
package = unstable.stalwart-mail;
openFirewall = true;
- credentials = {
- user_admin_password = config.secrets.ldap-root.path;
- user_search_password = config.secrets.ldap-search.path;
- };
-
settings = {
certificate.default = {
cert = "%{file:/var/lib/acme/mail.m4siri.com/fullchain.pem}%";
@@ -37,14 +35,13 @@
tracer.stdout = {
level = "trace";
};
- auth.search = "%{file:/etc/stalwart-mail/search-pw}%";
server = {
hostname = "mail.m4siri.com";
tls = {
implicit = false;
};
auto-ban = {
- auth.rate = "10/1d";
+ auth.rate = "100/1d";
};
listener = {
smtp = {
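Review bot: Raising `auto-ban.auth.rate` from `10/1d` to `100/1d` allows ten times as many failed logins per day against `mail.m4siri.com` before a source is banned, which weakens the only brute-force control visible in this file. If the bump is a workaround for spurious bans caused by the LDAP search credential this commit removes, it should be reverted once that is fixed; at minimum record the intent next to it, e.g. `# TODO: 100/1d is a debugging allowance, restore 10/1d once LDAP auth is stable`. The removed `auth.search` has no replacement in this hunk, so the bind password for `directory.ldap` must now be supplied in that block, which lies outside this hunk.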
@@ -114,7 +111,7 @@
authentication.fallback-admin = {
user = "fallback-admin";
- secret = "%{file:/run/credentials/stalwart-mail.service/user_admin_password}%";
+ secret = "%{env:STALWART_ADMIN_PW}%";
};
directory.ldap = {
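Review bot: Sourcing the fallback-admin secret from `%{env:STALWART_ADMIN_PW}%` moves it from a systemd credential file into the process environment, where it is readable via `/proc/<pid>/environ` by the service user and is inherited by any child process the daemon spawns. The removed `/run/credentials/stalwart-mail.service/user_admin_password` path was the tighter mechanism; if the module's `credentials` option was dropped because it did not work, something like `systemd.services.stalwart-mail.serviceConfig.LoadCredential = [ "user_admin_password:${config.age.secrets.ldap-root.path}" ];` restores it and the `%{file:...}%` reference can stay as it was. The `directory.ldap` block opened on the hunk's last line continues outside this hunk, so whether the LDAP bind password follows the same env pattern cannot be seen here.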
diff --git a/secrets.nix b/secrets.nix
index 20e8868..4395365 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -5,5 +5,7 @@ let
];
in {
"hosts/experimental-nixos/services/secrets/ldap-root.age".publicKeys = siri;
- "hosts/experimental-nixos/services/secrets/ldap-search-pw.age".publicKeys = siri;
+ "hosts/experimental-nixos/services/secrets/stalwart-env.age".publicKeys = siri;
+ "hosts/experimental-nixos/services/secrets/ldap-content.age".publicKeys = siri;
}
+