From 3dabfb23e0ceb8a0f77f7d3840c3f609de81926e Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 16 Mar 2025 15:13:53 +0100
Subject: [PATCH] chore: update stalwart, add firezone tokens

---
 hosts/envoy/stalwart-mail.nix | 9 +++------
 hosts/sentinel/firezone.nix | 15 +++++++++++++++
 hosts/sentinel/secrets/firezone-relay-token.age | Bin 0 -> 670 bytes
 hosts/ward/default.nix | 12 ++++++++++++
 hosts/ward/secrets/firezone-gateway-token.age | Bin 0 -> 633 bytes
 5 files changed, 30 insertions(+), 6 deletions(-)
 create mode 100644 hosts/sentinel/secrets/firezone-relay-token.age
 create mode 100644 hosts/ward/secrets/firezone-gateway-token.age

diff --git a/hosts/envoy/stalwart-mail.nix b/hosts/envoy/stalwart-mail.nix
index 2bef84f..e81acc0 100644
--- a/hosts/envoy/stalwart-mail.nix
+++ b/hosts/envoy/stalwart-mail.nix
@@ -351,11 +351,8 @@ in
 ];
 };
 
- config.resource.spam-filter = builtins.trace "remove when stalwart 0.11" "file://${config.services.stalwart-mail.package}/etc/stalwart/spamfilter.toml";
- config.resource.webadmin = builtins.trace "remove when stalwart 0.11" "file://${config.services.stalwart-mail.package.webadmin}/webadmin.zip";
- # FIXME: 1.11+
- # spam-filter.resource = "file://${config.services.stalwart-mail.package}/etc/stalwart/spamfilter.toml";
- # webadmin.resource = "file://${config.services.stalwart-mail.package.webadmin}/webadmin.zip";
+ spam-filter.resource = "file://${config.services.stalwart-mail.package}/etc/stalwart/spamfilter.toml";
+ webadmin.resource = "file://${config.services.stalwart-mail.package.webadmin}/webadmin.zip";
 webadmin.path = "/var/cache/stalwart-mail";
 
 certificate.default = {
@@ -364,8 +361,8 @@ in
 default = true;
 };
 
- lookup.default.hostname = stalwartDomain;
 server = {
+ hostname = stalwartDomain;
 tls = {
 certificate = "default";
 ignore-client-order = true;
diff --git a/hosts/sentinel/firezone.nix b/hosts/sentinel/firezone.nix
index 3ffe7cf..249ee6c 100644
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
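Review bot: The new keys `spam-filter.resource`, `webadmin.resource` and (second hunk) `server.hostname` only have meaning on a Stalwart release with the new settings layout, yet nothing in the hunk pins or asserts that version; on an older package the new keys would presumably be ignored while the old `config.resource.*` / `lookup.default.hostname` values are now gone, leaving spam filter, web admin and server hostname unset without any evaluation error. The removed `builtins.trace "remove when stalwart 0.11"` reminders were the only record of that requirement. Consider keeping it as an assertion beside these settings, e.g. `assertions = [{ assertion = lib.versionAtLeast config.services.stalwart-mail.package.version "0.11"; message = "stalwart-mail settings use the >= 0.11 key layout"; }];`, or at minimum a comment stating the minimum version. The attribute set these lines belong to starts before the hunk.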
@@ -28,6 +28,11 @@ in {
 
 age.secrets.firezone-smtp-password.generator.script = "alnum";
 
+ # NOTE: state: this token is from a manually created service account
+ age.secrets.firezone-relay-token = {
+ rekeyFile = config.node.secretsDir + "/firezone-relay-token.age";
+ };
+
 # Mirror the original oauth2 secret
 age.secrets.firezone-oauth2-client-secret = {
 inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-firezone) rekeyFile;
@@ -137,6 +142,16 @@ in
 web.externalUrl = "https://${firezoneDomain}/";
 };
 
+ services.firezone.relay = {
+ enable = true;
+ name = "sentinel";
+ apiUrl = "wss://${firezoneDomain}/api/";
+ tokenFile = config.age.secrets.firezone-relay-token.path;
+ publicIpv4 = lib.net.cidr.ip config.repo.secrets.local.networking.interfaces.wan.hostCidrv4;
+ publicIpv6 = lib.net.cidr.ip config.repo.secrets.local.networking.interfaces.wan.hostCidrv6;
+ openFirewall = true;
+ };
+
 services.nginx = {
 upstreams.firezone = {
 servers."127.0.0.1:${toString config.services.firezone.server.web.port}" = { };
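Review bot: The new `age.secrets.firezone-relay-token` declaration (and the matching `firezone-gateway-token` in hosts/ward/default.nix) records only that the token comes from a manually created service account; it says nothing about how the token is revoked or rotated, nor who may read the decrypted file. A leaked relay or gateway token lets its holder enrol a relay or gateway against the control plane, so the rotation path belongs next to the secret, e.g. extend the comment to `# NOTE: state: this token is from a manually created service account; revoke/rotate it in the Firezone admin UI and replace this encrypted file`. If the relay or gateway service does not run as root and the nixpkgs module does not pass `tokenFile` through a systemd credential, the default root-only permissions of the decrypted secret will also need an `owner`/`group` on the secret — worth confirming against the module before deploying.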
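Review bot: `openFirewall = true` on the relay opens its listening ports on every interface of sentinel, and `publicIpv4`/`publicIpv6` advertise the WAN addresses, so this block configures a deliberately Internet-facing service without saying so. A one-line comment above it, e.g. `# Relay is reachable from the Internet on purpose; its ports are opened by openFirewall`, keeps that exposure visible to a reader who only sees this file. If the intent is to expose the relay on the WAN interface only, `openFirewall` would need to be replaced by an explicit per-interface `networking.firewall.interfaces.<wan>.allowedUDPPorts` entry; which ports the relay uses is not visible here, so check the module before doing that.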
diff --git a/hosts/sentinel/secrets/firezone-relay-token.age b/hosts/sentinel/secrets/firezone-relay-token.age new file mode 100644 index 0000000000000000000000000000000000000000..f8b69431009575776d6c66f18f6ff2a9233a4aa2 GIT binary patch literal 670 zcmV;P0%84OXJsvAZewzJaCB*JZZ2j4a!F`!SyoR|XEJk9dQ}QWd16#}S42^6bvH0IQb}wvGigmY zYEL&fXIW1-F-3JTQ*SR}YBf(#NJ$DUJ|J*ub}eu+H8vo4aZ_bDQ6ND#RZVs?Ic+Of zPdQ{lc2_w`PBm|0GgL`cRc|?HPGopQS7~}{RYfyuI7kY4W^-#$XHI5nMr?OhM`|`= zLsDsOaZz(OWOaIKY*cqPdU9DxV=!@NI7tdEJ|H74XL4m>b7de_EnY8rEowg?ep**j zF<~kSNmpw`VMa+bbt^S&MsqPXcy%&od2l&(ZEbZma(FZ^GBHmvOJr*=RZ4P5R&8^0 zYDzh9Ffc)Eb~##fXF&=rEiE8#FllylP-10CK}KP5Qg&=lMm1SVOE)%eIb}6(N^n_8 zPeE^LRWVg7V`B*gt&uaN2!{C%QBTGfa@y>!Cr`k3oQW6FpllK(4h&p zXFOkl!Js^PeBMW@YbLi|sY<|Y6K-(EO6#}QbfxH?^*fa3b;I{psiAS(&P3K^zBJoo zj9<>Tv9*n-Z=E~m%pyh(IH%hi25?squ^eQ;!a2i7c}6< z+w%;|9=qZ$_=g86P>(V0$?iQ>7r9vi(^g1AB9xC94yk~A%=@s)5$p`z=y7vE79 zD@b%lsFb{*dO^!WVI6TM;HtY*|e@DokFTA{)A+LEpbaC{b@me(vgv6t2w8x4aF EKEVwUbN~PV literal 0 HcmV?d00001 diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index 30f147f..f5ed3ec 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -58,6 +58,18 @@ }; }; + # NOTE: state: this token is from a manually created service account + age.secrets.firezone-gateway-token = { + rekeyFile = config.node.secretsDir + "/firezone-gateway-token.age"; + }; + + services.firezone.gateway = { + enable = true; + name = "ward"; + apiUrl = "wss://${globals.services.firezone.domain}/api/"; + tokenFile = config.age.secrets.firezone-gateway-token.path; + }; + guests = let mkGuest = guestName: { 
diff --git a/hosts/ward/secrets/firezone-gateway-token.age b/hosts/ward/secrets/firezone-gateway-token.age new file mode 100644 index 0000000000000000000000000000000000000000..cff2ce46e2b3c33a8936846138b1504a9b02c93e GIT binary patch literal 633 zcmV-<0*3uzXJsvAZewzJaCB*JZZ2AbTl?jN>gxBVPZlzHET9YR&xqzc}!_cH#2K)a56_(Z8bGAQEqcj zL}D*XHAgozVpwuBGI&@{c1U9@OE?NGJ|J*ub}eu+H8vo4aZ_bDQ6NDtL2YtuZZ>mP zZB=VlYGhSwc4uW&OiE8iNI7mwQAu!UFJ(+;YD-K(N^uHGG(}@;XktTlOmuTcYhq(; zD{E+RW^PbwVm4Awb3-#lW_EEfR7huLZ7>QgJ|I6nF?CIIEoX9NVRL05N;P(1X*^s~ zAaGetASN;*Y_xHhJNC3P`` z{3rHrMNu}Ig1A=z=VoC|-KF5J+uypfT%KG?9Z69o2E!Y-wLw&k(6z^GIs6DfcB6CSS)1(XW4jcz@*+!HogA{qf2o1n>Vyc@gf!a$wxV zeNzE!H6`6a1eBn0j_Ea5^ahRcEz10fGmc%at!xzPG&L!y_Z=M2#ur-D{4HvwQCpH0 TbP`yOth>9#9IL>|7o0xIW10dZ literal 0 HcmV?d00001