From bc3e939c9362321bdd0a956594b531046b8cbffd Mon Sep 17 00:00:00 2001
From: m4siri
Date: Sun, 23 Nov 2025 18:58:54 +0545
Subject: fix: mv admin pw to env

---
 hosts/experimental-nixos/services/acme.nix | 2 +-
 hosts/experimental-nixos/services/ldap.nix | 4 ----
 .../services/secrets/ldap-content.age | Bin 2325 -> 3054 bytes
 .../services/secrets/ldap-search-pw.age | 13 -------------
 .../services/secrets/stalwart-env.age | 13 +++++++++++++
 hosts/experimental-nixos/services/stalwart.nix | 17 +++++++----------
 6 files changed, 21 insertions(+), 28 deletions(-)
 delete mode 100644 hosts/experimental-nixos/services/secrets/ldap-search-pw.age
 create mode 100644 hosts/experimental-nixos/services/secrets/stalwart-env.age
(limited to 'hosts/experimental-nixos/services')

diff --git a/hosts/experimental-nixos/services/acme.nix b/hosts/experimental-nixos/services/acme.nix
index 3ea342b..1517b19 100644
--- a/hosts/experimental-nixos/services/acme.nix
+++ b/hosts/experimental-nixos/services/acme.nix
@@ -2,7 +2,7 @@
 security.acme = {
 acceptTerms = true;
 defaults = {
- email = "sirimaharjan@proton.me";
+ email = "contact@m4siri.com";
 };
 certs."m4siri.com" = {
 webroot = "/var/lib/acme/acme-challenge/";
diff --git a/hosts/experimental-nixos/services/ldap.nix b/hosts/experimental-nixos/services/ldap.nix
index 47e67d5..92a7c1a 100644
--- a/hosts/experimental-nixos/services/ldap.nix
+++ b/hosts/experimental-nixos/services/ldap.nix
@@ -8,10 +8,6 @@
 mode = "444";
 };
 
- secrets.ldap-search = {
- file = ./secrets/ldap-search-pw.age;
- mode = "444";
- };
 services.openldap = {
 enable = true;
 urlList = ["ldap:///"];
diff --git a/hosts/experimental-nixos/services/secrets/ldap-content.age b/hosts/experimental-nixos/services/secrets/ldap-content.age
index ec16d56..a0616e2 100644
Binary files a/hosts/experimental-nixos/services/secrets/ldap-content.age and b/hosts/experimental-nixos/services/secrets/ldap-content.age differ
diff --git a/hosts/experimental-nixos/services/secrets/ldap-search-pw.age b/hosts/experimental-nixos/services/secrets/ldap-search-pw.age
deleted file mode 100644
index a0cbba9..0000000
--- a/hosts/experimental-nixos/services/secrets/ldap-search-pw.age
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEF5bFBtZyBScERE
-MEZFdm9LbWh5b0xqdTd1TGJxTTU0L01pSk5zWHhlcWFKZzgvNGdzClY0ZHVNdWhm
-MWk4aHpYcnhoMlJLemZXL2g0VG8vVHc4YThUR21kSjEyOEEKLT4gc3NoLWVkMjU1
-MTkgbC94dFF3IHFHand2TGJUYUNDeExLemtvRUYxY0N0MW51WXk4ZzFqLzlWTnBI
-WmlueUEKeUZsSFNUWUVqcmtSbU9CZzVkTmM0SkUxUzJLZ2xNeUxyenZrWmZESFJL
-QQotPiAiLWdyZWFzZSBEWSBlWUlsditRCjk3aHdYYUdmS2ZRWTF5bmRQNkNjN2px
-ODJyaTh2Nk5NbXRsZXY4WTlmaEdEb0xVYlQvUVRIcFNBTS9vZmcwWVkKUkFTbTFo
-QjRRNmlOR1hjd1Z6RnJQcVlWdlZFanNMazRVREVuazVxazliR3NJdi9Ca3FSL3JH
-VG8KLS0tIFUvV1F4YVg2UGJtS1U0a3JidEh2elRDZEViUmI5RSt4MWZEdU1VOFN3
-VHMKbS4mptDGnMfvSjnBm+eKrYhg/VFqR2jovtL3KgViBNhWAh3Sg5Mdua0GEfhM
-oNuLTadgM+lAIIdsjAej6Kba0uhjr7P+M+8=
------END AGE ENCRYPTED FILE-----
diff --git a/hosts/experimental-nixos/services/secrets/stalwart-env.age b/hosts/experimental-nixos/services/secrets/stalwart-env.age
new file mode 100644
index 0000000..97bc743
--- /dev/null
+++ b/hosts/experimental-nixos/services/secrets/stalwart-env.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEF5bFBtZyBZVmpj
+YnB4TFF1V014MFFQYmx5VUdBTEdWaFpacUpuSjI4bjdHR0hGc1RBClBINngzTHZm
+MVlvVHFGK1hiTGN4MjI4OG9qTW45L3l1aHhuNTloSzVyb00KLT4gc3NoLWVkMjU1
+MTkgbC94dFF3IHVldFQvUDN5bUJmRVdGb09nT3c5OElBK2h1K2taU3BscGtDU1RE
+RkxMRjAKMzFSK3N0RkJXdUxFeDdMWVFXblowMDhGQWZob1FYTFczMFNoRUdEYWpB
+ZwotPiAzQzAoM0Jrei1ncmVhc2UKZ3Z6TktRbEo3RE1WaE9mcGlQQktFZnltNThK
+QVEzZ3RJMG1zdmRjTUthT2JxK1hmZi9IczdRdDFTQXlvMHNJdAphd3BweXhBZFFm
+SG4wNWRJdUEKLS0tIHZUWk5Ibm5SSFNZOTlZTHNWL0t3MXZ0S3NPM2E2UGt5MXBj
+VkdiRFdnVmMKiAAplQ40OPheiB2L/46dZd8uVOKZuVk/efYCNrGQaKwHpUcRGqhW
+MsihC8atXegTBs45pry0bqQp0G4aRw6WvMErKlD5cmedfsgDY3nFTWBuSHuGLxd2
++jWaaB6OIsFVKPY7XVYT+8Yfe3omiyn9
+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/experimental-nixos/services/stalwart.nix b/hosts/experimental-nixos/services/stalwart.nix
index 665fb6e..4321234 100644
--- a/hosts/experimental-nixos/services/stalwart.nix
+++ b/hosts/experimental-nixos/services/stalwart.nix
@@ -10,10 +10,13 @@
 "${nixpkgs-unstable}/nixos/modules/services/mail/stalwart-mail.nix"
 ];
 
- environment.etc."stalwart-mail/search-pw".source = config.secrets.ldap-search.path;
+ secrets.stalwart-env = {
+ file = ./secrets/stalwart-env.age;
+ mode = "444";
+ };
 
 systemd.services.stalwart-mail.serviceConfig = {
- EnvironmentFile = config.age.secrets.ldap-search.path;
+ EnvironmentFile = config.age.secrets.stalwart-env.path;
 };
 
 users.users.stalwart-mail.extraGroups = ["acme"];
@@ -22,11 +25,6 @@
 enable = true;
 package = unstable.stalwart-mail;
 openFirewall = true;
- credentials = {
- user_admin_password = config.secrets.ldap-root.path;
- user_search_password = config.secrets.ldap-search.path;
- };
-
 settings = {
 certificate.default = {
 cert = "%{file:/var/lib/acme/mail.m4siri.com/fullchain.pem}%";
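Review bot: `mode = "444";` in the new `secrets.stalwart-env` block makes the decrypted environment file world-readable on the host, and this file is now the only visible source of `STALWART_ADMIN_PW`, which the last hunk of this commit uses as the fallback-admin secret. systemd reads `EnvironmentFile` as the service manager (root) before the service drops to its own user, so the file does not need to be readable by `stalwart-mail` or anyone else; `mode = "400";` is sufficient (or omit the line if the wrapping `secrets` module inherits agenix's root/0400 default — that module is not in this diff, so I can't confirm). The removed ldap-search secret used the same 444 mode, so this is inherited rather than new, but the contents are now more sensitive. The enclosing attribute set continues outside the hunk.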
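Review bot: Removing the `credentials` block also drops `user_search_password`, and the following hunk removes `auth.search`, while the commit title only mentions the admin password; nothing in these hunks shows where the LDAP search bind password is now sourced (the `directory.ldap` block that would consume it is outside the diff). If it moved into stalwart-env.age alongside the admin password, a one-line comment above `secrets.stalwart-env`, e.g. `# stalwart-env.age defines STALWART_ADMIN_PW and <search-pw variable — placeholder>`, would make that dependency reviewable, since the encrypted file itself cannot be read here. `settings = {` opens at the end of this hunk and continues outside it.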
@@ -37,14 +35,13 @@
 tracer.stdout = {
 level = "trace";
 };
- auth.search = "%{file:/etc/stalwart-mail/search-pw}%";
 server = {
 hostname = "mail.m4siri.com";
 tls = {
 implicit = false;
 };
 auto-ban = {
- auth.rate = "10/1d";
+ auth.rate = "100/1d";
 };
 listener = {
 smtp = {
@@ -114,7 +111,7 @@
 
 authentication.fallback-admin = {
 user = "fallback-admin";
- secret = "%{file:/run/credentials/stalwart-mail.service/user_admin_password}%";
+ secret = "%{env:STALWART_ADMIN_PW}%";
 };
 
 directory.ldap = {
--
cgit v1.2.3
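Review bot: `auth.rate = "100/1d";` raises the auto-ban threshold for failed authentication attempts tenfold, from 10 to 100 per day, and the commit message (`fix: mv admin pw to env`) does not mention it; weakening the brute-force lockout on a public mail listener should be its own commit or at least carry a comment such as `# raised from 10/1d: <reason — placeholder>`. If the limit was raised because the previous credential wiring produced spurious authentication failures, the env-file change in this same commit may already remove that cause, in which case the original `10/1d` could be restored. The `server` attribute set continues outside the hunk.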
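Review bot: `secret = "%{env:STALWART_ADMIN_PW}%";` moves the fallback-admin password from the per-service credentials directory into the process environment, which widens its exposure: environment variables of the daemon are readable by anything running as the service user and are inherited by every child process it spawns, whereas `/run/credentials/stalwart-mail.service/` is set up per unit and readable only by that unit. If the env form is required here (for example because the credential path is not usable from this settings block), a short comment above `authentication.fallback-admin` stating why would prevent the next reader from reverting it; otherwise keeping the module's `credentials` option (removed in the earlier hunk) with the `%{file:/run/credentials/...}%` reference is the tighter choice. `directory.ldap = {` opens at the end of the hunk and continues outside it.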