Diffstat (limited to 'hosts/experimental-nixos/services/stalwart.nix')
| -rw-r--r-- | hosts/experimental-nixos/services/stalwart.nix | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/hosts/experimental-nixos/services/stalwart.nix b/hosts/experimental-nixos/services/stalwart.nix
index 665fb6e..4321234 100644
--- a/hosts/experimental-nixos/services/stalwart.nix
+++ b/hosts/experimental-nixos/services/stalwart.nix
@@ -10,10 +10,13 @@
 "${nixpkgs-unstable}/nixos/modules/services/mail/stalwart-mail.nix"
 ];
- environment.etc."stalwart-mail/search-pw".source = config.secrets.ldap-search.path;
+ secrets.stalwart-env = {
+ file = ./secrets/stalwart-env.age;
+ mode = "444";
+ };
 systemd.services.stalwart-mail.serviceConfig = {
- EnvironmentFile = config.age.secrets.ldap-search.path;
+ EnvironmentFile = config.age.secrets.stalwart-env.path;
 };
 users.users.stalwart-mail.extraGroups = ["acme"];
@@ -22,11 +25,6 @@
 enable = true;
 package = unstable.stalwart-mail;
 openFirewall = true;
- credentials = {
- user_admin_password = config.secrets.ldap-root.path;
- user_search_password = config.secrets.ldap-search.path;
- };
-
 settings = {
 certificate.default = {
 cert = "%{file:/var/lib/acme/mail.m4siri.com/fullchain.pem}%";
@@ -37,14 +35,13 @@
 tracer.stdout = {
 level = "trace";
 };
- auth.search = "%{file:/etc/stalwart-mail/search-pw}%";
 server = {
 hostname = "mail.m4siri.com";
 tls = {
 implicit = false;
 };
 auto-ban = {
- auth.rate = "10/1d";
+ auth.rate = "100/1d";
 };
 listener = {
 smtp = {
@@ -114,7 +111,7 @@
 authentication.fallback-admin = {
 user = "fallback-admin";
- secret = "%{file:/run/credentials/stalwart-mail.service/user_admin_password}%";
+ secret = "%{env:STALWART_ADMIN_PW}%";
 };
 directory.ldap = { |
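Review bot: `mode = "444"` on `secrets.stalwart-env` makes the decrypted environment file world-readable, and the last hunk shows that it carries `STALWART_ADMIN_PW`, so any local account or other service on the host could read the fallback-admin password. systemd reads `EnvironmentFile` itself when it starts the unit, so the service user should not need read access to the file. `mode = "400";` should be enough, or the `mode` line can be dropped if the secrets module already defaults to owner-only, which is not visible here.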
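Review bot: `auth.rate = "100/1d"` under `auto-ban` allows ten times as many failed authentications per day before an address is banned, on a server that sets `openFirewall = true`, and the change does not say why. If the old limit was locking out legitimate clients, a comment such as `# raised from 10/1d: <reason>` would record that; otherwise a value closer to the original keeps password guessing slower. The `tracer.stdout` block in the context still logs at `level = "trace"`, so it is worth confirming that authentication details do not end up in the journal. The enclosing `settings` and `server` blocks start and end outside this hunk.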
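Review bot: `secret = "%{env:STALWART_ADMIN_PW}%"` moves the fallback-admin password from a systemd credential file into the service's environment, where it is inherited by child processes and readable through `/proc/<pid>/environ` by anything running as the service user. The removed `%{file:/run/credentials/stalwart-mail.service/user_admin_password}%` form kept it in a file scoped to the unit, so keeping the `credentials` entry for this one secret would be the tighter choice if the switch was only for convenience. If the env form stays, a comment like `# STALWART_ADMIN_PW is defined in secrets.stalwart-env (EnvironmentFile)` would tell the reader where the variable comes from. The surrounding `settings` block is not fully visible in this hunk.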
