chore: update stalwart, add firezone tokens

2025-10-10 23:00:39 +02:00 · 2025-03-16 15:13:53 +01:00 · 2025-03-16 15:13:53 +01:00 · 3dabfb23e0
commit 3dabfb23e0
parent be7e4d158c
5 changed files with 30 additions and 6 deletions
--- a/hosts/envoy/stalwart-mail.nix
+++ b/hosts/envoy/stalwart-mail.nix
@ -351,11 +351,8 @@ in
          ];
        };

-        config.resource.spam-filter = builtins.trace "remove when stalwart 0.11" "file://${config.services.stalwart-mail.package}/etc/stalwart/spamfilter.toml";
-        config.resource.webadmin = builtins.trace "remove when stalwart 0.11" "file://${config.services.stalwart-mail.package.webadmin}/webadmin.zip";
-        # FIXME: 1.11+
-        # spam-filter.resource = "file://${config.services.stalwart-mail.package}/etc/stalwart/spamfilter.toml";
-        # webadmin.resource = "file://${config.services.stalwart-mail.package.webadmin}/webadmin.zip";
+        spam-filter.resource = "file://${config.services.stalwart-mail.package}/etc/stalwart/spamfilter.toml";
+        webadmin.resource = "file://${config.services.stalwart-mail.package.webadmin}/webadmin.zip";
        webadmin.path = "/var/cache/stalwart-mail";

        certificate.default = {
@ -364,8 +361,8 @@ in
          default = true;
        };

-        lookup.default.hostname = stalwartDomain;
        server = {
+          hostname = stalwartDomain;
          tls = {
            certificate = "default";
            ignore-client-order = true;
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@ -28,6 +28,11 @@ in
 {
  age.secrets.firezone-smtp-password.generator.script = "alnum";

+  # NOTE: state: this token is from a manually created service account
+  age.secrets.firezone-relay-token = {
+    rekeyFile = config.node.secretsDir + "/firezone-relay-token.age";
+  };
+
  # Mirror the original oauth2 secret
  age.secrets.firezone-oauth2-client-secret = {
    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-firezone) rekeyFile;
@ -137,6 +142,16 @@ in
    web.externalUrl = "https://${firezoneDomain}/";
  };

+  services.firezone.relay = {
+    enable = true;
+    name = "sentinel";
+    apiUrl = "wss://${firezoneDomain}/api/";
+    tokenFile = config.age.secrets.firezone-relay-token.path;
+    publicIpv4 = lib.net.cidr.ip config.repo.secrets.local.networking.interfaces.wan.hostCidrv4;
+    publicIpv6 = lib.net.cidr.ip config.repo.secrets.local.networking.interfaces.wan.hostCidrv6;
+    openFirewall = true;
+  };
+
  services.nginx = {
    upstreams.firezone = {
      servers."127.0.0.1:${toString config.services.firezone.server.web.port}" = { };
--- a/hosts/sentinel/secrets/firezone-relay-token.age
+++ b/hosts/sentinel/secrets/firezone-relay-token.age
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -58,6 +58,18 @@
    };
  };

+  # NOTE: state: this token is from a manually created service account
+  age.secrets.firezone-gateway-token = {
+    rekeyFile = config.node.secretsDir + "/firezone-gateway-token.age";
+  };
+
+  services.firezone.gateway = {
+    enable = true;
+    name = "ward";
+    apiUrl = "wss://${globals.services.firezone.domain}/api/";
+    tokenFile = config.age.secrets.firezone-gateway-token.path;
+  };
+
  guests =
    let
      mkGuest = guestName: {
--- a/hosts/ward/secrets/firezone-gateway-token.age
+++ b/hosts/ward/secrets/firezone-gateway-token.age