From 57454a768b0efd6d7547f2fb159d134de2fe9c8c Mon Sep 17 00:00:00 2001
From: Patrick
Date: Fri, 29 Nov 2024 21:20:08 +0100
Subject: [PATCH] feat: switch to stalwart
---
 config/services/idmail.nix | 4 +++-
 config/services/stalwart.nix | 6 ++++--
 hosts/maddy/default.nix | 2 +-
 hosts/mailnix/net.nix | 1 +
 hosts/mailnix/secrets/generated/buildSSHKey.age | Bin 1190 -> 0 bytes
 hosts/mailnix/secrets/generated/dhparams.pem.age | Bin 0 -> 1516 bytes
 6 files changed, 9 insertions(+), 4 deletions(-)
 delete mode 100644 hosts/mailnix/secrets/generated/buildSSHKey.age
 create mode 100644 hosts/mailnix/secrets/generated/dhparams.pem.age
diff --git a/config/services/idmail.nix b/config/services/idmail.nix
index b4674a2..3218705 100644
--- a/config/services/idmail.nix
+++ b/config/services/idmail.nix
@@ -73,6 +73,8 @@ in systemd.services.idmail.serviceConfig.RestartSec = "60"; # Retry every minute services.nginx = {
+ enable = true;
+ recommendedSetup = true;
 upstreams.idmail = { servers."127.0.0.1:3000" = { }; extraConfig = ''
@@ -82,7 +84,7 @@ in }; virtualHosts.${idmailDomain} = { forceSSL = true;
- useACMEWildcardHost = true;
+ useACMEHost = domain;
 locations."/" = { proxyPass = "http://idmail"; proxyWebsockets = true;
diff --git a/config/services/stalwart.nix b/config/services/stalwart.nix
index 17d96bc..df1f6a9 100644
--- a/config/services/stalwart.nix
+++ b/config/services/stalwart.nix
@@ -125,6 +125,8 @@ in } ]; services.nginx = {
+ enable = true;
+ recommendedSetup = true;
 upstreams.stalwart = { servers."127.0.0.1:8080" = { }; extraConfig = ''
@@ -136,7 +138,7 @@ in { ${domain} = { forceSSL = true;
- useACMEWildcardHost = true;
+ useACMEHost = domain;
 extraConfig = '' client_max_body_size 512M; '';
@@ -154,7 +156,7 @@ in ] (_: { forceSSL = true;
- useACMEWildcardHost = true;
+ useACMEHost = domain;
 locations."/".proxyPass = "http://stalwart"; }); };
diff --git a/hosts/maddy/default.nix b/hosts/maddy/default.nix
index 01e0014..e1cd3ce 100644
--- a/hosts/maddy/default.nix
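Review bot: In config/services/idmail.nix (hunk at -82,7) the virtual host `${idmailDomain}` now takes its certificate from `useACMEHost = domain;`, and nothing visible in this patch shows that the certificate for `domain` lists `idmailDomain` as a subject alternative name. The same switch is made in both config/services/stalwart.nix hunks (-136,7 and -154,7), where what appears to be a list of further host names is served from that one certificate. If the certificate is not a wildcard and has no matching `extraDomainNames`, clients will see a hostname mismatch on those vhosts, so this is worth confirming before deploy. A short comment next to the option, such as `# cert for ${domain} must cover every vhost name served here`, would record the dependency. The enclosing attribute sets start and end outside the hunks.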
+++ b/hosts/maddy/default.nix @@ -2,7 +2,7 @@ imports = [ ../../config/basic ../../config/support/initrd-ssh.nix - ../../config/services/maddy.nix + # ../../config/services/maddy.nix ../../config/support/zfs.nix ./net.nix diff --git a/hosts/mailnix/net.nix b/hosts/mailnix/net.nix index b4daf3f..8244117 100644 --- a/hosts/mailnix/net.nix +++ b/hosts/mailnix/net.nix @@ -52,6 +52,7 @@ }; }; networking.nftables.firewall.zones.untrusted.interfaces = [ "lan01" ]; + users.groups.acme.members = [ "nginx" ]; security.acme.certs = { "${config.secrets.secrets.global.domains.mail_public}" = { domain = config.secrets.secrets.global.domains.mail_public; diff --git a/hosts/mailnix/secrets/generated/buildSSHKey.age b/hosts/mailnix/secrets/generated/buildSSHKey.age deleted file mode 100644 index 7c8dcba46e759791b9cb08d7ea36bf334468413c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1190 zcmY+<`)?Bk0Kjo2#9$}eLi86RQd~en?RtIQ7Ioupy}qu`d-Sdq*{OV|gjHyVPHCjm8S>x+YRAin zSF5>9qLd+$gi0hm3=Gxi1RZe_s3pW(IJUb*u}eCZ^D2&zMzh%`f|9FP6^GknPW$*= zP&Y&Fh(eVyp(;>r4S-=nNW>(Dh2Ub$0YT*+isNF*o)jJ>B-vyaaBNPWZ za4zWffti}-E(nGy8ZK9njmMo?FYuH_6Nx+tnIStH!CaM6l}pBeB2=_+vP%F&S5c;_ zNP*Kx5-ioc8CO80G*bfU$SVvR3`A9#OUC)`fIz|dBE}G9$>t`a7R;NDVIDnGLY}hz z|El>tIcK)DhGcB+l*%cTDSz0xcj-7$#2TLjvSSVI%KARRedz zUb~1DxMb8XG4Y_5;QSP7%Z4>fe#&xJdg7&o87h=rP!Mi$(g3rb{fGuJSCBk3dEs zPlj!hA&40+SEMxE%eN9D1ULbc5Yv-H2(z)eEt1FvaKa;^9Wtr~(GXUNhV#ilA>uEB zAP7@EXu=gHG=vZSmt?h?i6X;Sq@-k^Nj{${qLdnq`m-rdp_IXk1sZdT6xcy$AW+~< za|Y6spQe~oXrK_{-w;`hfFH?;j)Kl}1cyw~$^>bF;Y*Qe{6 z{@A^2&G1k||IVXFCPp?6&Fz`EqSSZRtyq|NU+LU?=c~sjyXcK~2XfmYTfn}TZp~m9 zF7NqtQ~jKQGsErebN*bo?#}Tyzl;Xj4~5?l-ZJVgoE<(@zwcO$-8#kZQ+C4+q7mtFE6m_!sf_`yt^9eezH#+S0YZonVJiTDY@X{6YzqP%x)O#Z@o}Ha&yZ&?SP}`B2!J*{~R(_Oi zn!I%G2DJFdBJ#}0YYz`set54S^lrZ0a_d~zXnO2~c_*^?-NXI20J3TAhVA#REZDyM z*~Zr+(%Ds|ZBrLdpF0VBm|8VB-Mjjy`XBG#Y#DDH6?eBC_~iH$Wxe{$z|EQ*Fn8{6 uSbuMeb2D5Sl*(h1zxO$Vlilxpe^fU&4qh9(bc`QZ(fMfl?OgxN-~R%J%hMbH 
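Review bot: `users.groups.acme.members = [ "nginx" ];` in hosts/mailnix/net.nix gives the nginx user read access to every certificate key owned by group `acme` on this host, not only the one the web vhosts use. That is the usual way to make `useACMEHost` work, but on a mail host the reason should be stated, e.g. `# nginx reads the mail_public cert via useACMEHost; this exposes all acme-group keys to nginx`. If more certificates are added here later, setting `security.acme.certs.<name>.group` per certificate keeps the access narrower. The surrounding attribute set continues outside the hunk.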
diff --git a/hosts/mailnix/secrets/generated/dhparams.pem.age b/hosts/mailnix/secrets/generated/dhparams.pem.age new file mode 100644 index 0000000000000000000000000000000000000000..074e00dadc97fa93b1e118ebe81872db89d37cbf GIT binary patch literal 1516 zcmY+I1eHk*Tl1gfM0 zRmW0CoVK2*RjEhC5k;$2(H3tVZ`%=3Q4y~e#G@Q)$A>=n3%>bmn3L`#9KjeFcKeAL z{vgJPuqgCgs)^0zviMXD=wr$tj@ls82H`kg63NHiUbV2$DJLZsjhYuQ*tsztY{n%R z#Rc+_Fl6v};%1O#3`LY|ENa)sQJ5`sMA@8BK45UTRXSTFj=vX3cZ5!|xggad!`zA} zRY|jB8qT$HVxeJtP;#wchw5YZ_@Jh4&5Fq(Lbs8Zv?Wq#BWLtv>+WDpnXW%?o# zf})BKtp8u2AC?q(*=(s9P;#7dz>gIbs0f5m@Ex)e6bPX_r9`eW)0kop#cY<+OvQl! z2Pjdn#6i1KB&W@flROyF1vL>u&6Y=5Y7D~)?9vY`Zp4R#wNzn17onM=Ac44SC4Li! zDWkc=0k8U*NR+>h?9dTNwpWzsYQs!z}K>T;Cz1xY7hA-(>JrVV=@k5LaSg` z^YEXZw6Z5&zU@hYQg4rLc{yQ=J9kJo4dBqbmYt|ne!jfzM67A6`O}pkZq)!|FT8R- zR$X#Dx%Ye|g??gCx?=sQ#J`Df!_a`OZTr~qhx4q>wNoVl5V+8PvrPUX(RHM%^;vfP z0#<8dmt9b&`3O$av92{gn$jcIBuQso`}yFzk)Ireg3aNFZF?(P8ap-(+I_uhbbDsm zsll(8CB4lU|7wr5J`t_a{jy|S&aCsNE0R}dGu~N}&KF(Y{-&YQ?)~i0t4vG%$^9ED zj)C80s@l7HN~gFIC@uZonoT{gYX{rD&pe&WhFs>YZBJ|4(<-wHs)*#1r!Gu?2VZZP z-VC%4aE(9lew37Y-kpED+pHT5&!(Z}WjR+2BdaYGhQtY2-h59@h<=s~#_TB?+M|O1AabG5X zan=2IQ{1)-O&jrL=?|jZ4dYVpBLjPVV?3OpSMBSmE+nOT*!cl*{Ex_pWvc}XzMeM3 zmqUL&v^25t;=?sWP1)#4TgXs*Yu25`NNf4bIng;S4W~QIr^h9BPX4OBdPJJFJbkjR zc;k(%=Xr{b#Rt|ZHC$@J7DdLYA+sL#_3m49>iRnO&iKofNeZfG9wbtv6)U%;Bnj%%8@0!p_8b{l>1%bN#=55N zVWnrRWp~3n7k56`_v^*pvyP16x2L}{R2_wqngWw5b;AyK-+jz-n~BXW7iG_F8PixbsA5|s5+8VOiY9$pY5lU&6E~MW zi+5)4T(zn@)O2I*t+)04afWH*?%IOT(xn_ZX%)0Q0}j&rAFO1Rzo=Q*n4xy0r&{rS f{p&`_D|613T=eGCp3d$HoXel5?$3iJPI~Ykezj}$ literal 0 HcmV?d00001