Diffstat (limited to 'hosts')
-rw-r--r--hosts/experimental-nixos/services/acme.nix2
-rw-r--r--hosts/experimental-nixos/services/ldap.nix4
-rw-r--r--hosts/experimental-nixos/services/secrets/ldap-content.agebin2325 -> 3054 bytes
-rw-r--r--hosts/experimental-nixos/services/secrets/ldap-search-pw.age13
-rw-r--r--hosts/experimental-nixos/services/secrets/stalwart-env.age13
-rw-r--r--hosts/experimental-nixos/services/stalwart.nix17
6 files changed, 21 insertions, 28 deletions
diff --git a/hosts/experimental-nixos/services/acme.nix b/hosts/experimental-nixos/services/acme.nix
index 3ea342b..1517b19 100644
--- a/hosts/experimental-nixos/services/acme.nix
+++ b/hosts/experimental-nixos/services/acme.nix
@@ -2,7 +2,7 @@
security.acme = {
acceptTerms = true;
defaults = {
- email = "sirimaharjan@proton.me";
+ email = "contact@m4siri.com";
};
certs."m4siri.com" = {
webroot = "/var/lib/acme/acme-challenge/";
diff --git a/hosts/experimental-nixos/services/ldap.nix b/hosts/experimental-nixos/services/ldap.nix
index 47e67d5..92a7c1a 100644
--- a/hosts/experimental-nixos/services/ldap.nix
+++ b/hosts/experimental-nixos/services/ldap.nix
@@ -8,10 +8,6 @@
mode = "444";
};
- secrets.ldap-search = {
- file = ./secrets/ldap-search-pw.age;
- mode = "444";
- };
services.openldap = {
enable = true;
urlList = ["ldap:///"];
diff --git a/hosts/experimental-nixos/services/secrets/ldap-content.age b/hosts/experimental-nixos/services/secrets/ldap-content.age
index ec16d56..a0616e2 100644
--- a/hosts/experimental-nixos/services/secrets/ldap-content.age
+++ b/hosts/experimental-nixos/services/secrets/ldap-content.age
Binary files differ
diff --git a/hosts/experimental-nixos/services/secrets/ldap-search-pw.age b/hosts/experimental-nixos/services/secrets/ldap-search-pw.age
deleted file mode 100644
index a0cbba9..0000000
--- a/hosts/experimental-nixos/services/secrets/ldap-search-pw.age
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEF5bFBtZyBScERE
-MEZFdm9LbWh5b0xqdTd1TGJxTTU0L01pSk5zWHhlcWFKZzgvNGdzClY0ZHVNdWhm
-MWk4aHpYcnhoMlJLemZXL2g0VG8vVHc4YThUR21kSjEyOEEKLT4gc3NoLWVkMjU1
-MTkgbC94dFF3IHFHand2TGJUYUNDeExLemtvRUYxY0N0MW51WXk4ZzFqLzlWTnBI
-WmlueUEKeUZsSFNUWUVqcmtSbU9CZzVkTmM0SkUxUzJLZ2xNeUxyenZrWmZESFJL
-QQotPiAiLWdyZWFzZSBEWSBlWUlsditRCjk3aHdYYUdmS2ZRWTF5bmRQNkNjN2px
-ODJyaTh2Nk5NbXRsZXY4WTlmaEdEb0xVYlQvUVRIcFNBTS9vZmcwWVkKUkFTbTFo
-QjRRNmlOR1hjd1Z6RnJQcVlWdlZFanNMazRVREVuazVxazliR3NJdi9Ca3FSL3JH
-VG8KLS0tIFUvV1F4YVg2UGJtS1U0a3JidEh2elRDZEViUmI5RSt4MWZEdU1VOFN3
-VHMKbS4mptDGnMfvSjnBm+eKrYhg/VFqR2jovtL3KgViBNhWAh3Sg5Mdua0GEfhM
-oNuLTadgM+lAIIdsjAej6Kba0uhjr7P+M+8=
------END AGE ENCRYPTED FILE-----
diff --git a/hosts/experimental-nixos/services/secrets/stalwart-env.age b/hosts/experimental-nixos/services/secrets/stalwart-env.age
new file mode 100644
index 0000000..97bc743
--- /dev/null
+++ b/hosts/experimental-nixos/services/secrets/stalwart-env.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/experimental-nixos/services/stalwart.nix b/hosts/experimental-nixos/services/stalwart.nix
index 665fb6e..4321234 100644
--- a/hosts/experimental-nixos/services/stalwart.nix
+++ b/hosts/experimental-nixos/services/stalwart.nix
@@ -10,10 +10,13 @@
"${nixpkgs-unstable}/nixos/modules/services/mail/stalwart-mail.nix"
];
- environment.etc."stalwart-mail/search-pw".source = config.secrets.ldap-search.path;
+ secrets.stalwart-env = {
+ file = ./secrets/stalwart-env.age;
+ mode = "444";
+ };
systemd.services.stalwart-mail.serviceConfig = {
- EnvironmentFile = config.age.secrets.ldap-search.path;
+ EnvironmentFile = config.age.secrets.stalwart-env.path;
};
users.users.stalwart-mail.extraGroups = ["acme"];
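Review bot: `mode = "444"` on `secrets.stalwart-env` leaves the decrypted environment file readable by every local account, and the last hunk of this file shows that it carries `STALWART_ADMIN_PW`. systemd reads `EnvironmentFile=` itself when it starts the unit, so the service user should not need read access; assuming the secret keeps its default root owner, `mode = "400";` would be enough. The same change moves the fallback-admin secret out of the removed `credentials` entries and into the process environment, where any child process of stalwart-mail inherits it. If the environment is required here, a comment above `EnvironmentFile` such as `# stalwart reads the admin secret via %{env:...}%; file must stay root-only` would record that. The module body starts and ends outside this hunk.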
@@ -22,11 +25,6 @@
enable = true;
package = unstable.stalwart-mail;
openFirewall = true;
- credentials = {
- user_admin_password = config.secrets.ldap-root.path;
- user_search_password = config.secrets.ldap-search.path;
- };
-
settings = {
certificate.default = {
cert = "%{file:/var/lib/acme/mail.m4siri.com/fullchain.pem}%";
@@ -37,14 +35,13 @@
tracer.stdout = {
level = "trace";
};
- auth.search = "%{file:/etc/stalwart-mail/search-pw}%";
server = {
hostname = "mail.m4siri.com";
tls = {
implicit = false;
};
auto-ban = {
- auth.rate = "10/1d";
+ auth.rate = "100/1d";
};
listener = {
smtp = {
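Review bot: `auth.rate = "100/1d"` raises the auto-ban threshold for failed authentication tenfold, and nothing on the line says why. The same file keeps `openFirewall = true`, so the listeners are presumably reachable from outside. If the old limit was banning legitimate clients, record that next to the value, for example `# raised from 10/1d: <reason>; lower again once clients are configured`. The context above also leaves `tracer.stdout` at `level = "trace"`, which looks like a debugging leftover and is worth confirming before this host takes real mail. The enclosing `settings` block starts and ends outside the hunk.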
@@ -114,7 +111,7 @@
authentication.fallback-admin = {
user = "fallback-admin";
- secret = "%{file:/run/credentials/stalwart-mail.service/user_admin_password}%";
+ secret = "%{env:STALWART_ADMIN_PW}%";
};
directory.ldap = {