feat: add other mail domains, autogenerate argon hashes

2025-10-10 23:00:39 +02:00 · 2024-07-31 19:54:49 +02:00 · 2024-07-31 19:54:49 +02:00 · 76163bad98
commit 76163bad98
parent a128dd5f40
51 changed files with 284 additions and 51 deletions
--- a/hosts/envoy/idmail.nix
+++ b/hosts/envoy/idmail.nix
@ -4,26 +4,47 @@
  lib,
  ...
 }: let
-  mailDomains = globals.domains.mail;
-  primaryDomain = mailDomains.primary;
+  primaryDomain = globals.mail.primary;
  idmailDomain = "alias.${primaryDomain}";
-in {
-  # Not needed, we store stuff in stalwart's directory
-  #environment.persistence."/persist".directories = [
-  #  {
-  #    directory = "/var/lib/idmail";
-  #    user = "idmail";
-  #    group = "idmail";
-  #    mode = "0700";
-  #  }
-  #];

-  age.secrets.idmail-admin-hash = {
-    rekeyFile = ./secrets/idmail-admin-hash.age;
+  mkRandomSecret = {
+    generator.script = "alnum";
+    mode = "000";
+  };
+
+  mkArgon2id = secret: {
+    generator.dependencies = [config.age.secrets.${secret}];
+    generator.script = "argon2id";
    mode = "440";
    group = "stalwart-mail";
  };

+  shortHash = x: lib.substring 0 16 (builtins.hashString "sha256" "${globals.salt}:${x}");
+in {
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/idmail";
+      user = "idmail";
+      group = "idmail";
+      mode = "0700";
+    }
+  ];
+
+  age.secrets = lib.mergeAttrsList (
+    [
+      {
+        idmail-user-pw_admin = mkRandomSecret;
+        idmail-user-hash_admin = mkArgon2id "idmail-user-pw_admin";
+      }
+    ]
+    ++ lib.forEach (lib.attrNames globals.mail.domains) (
+      domain: {
+        "idmail-mailbox-pw_catch-all@${shortHash domain}" = mkRandomSecret;
+        "idmail-mailbox-hash_catch-all@${shortHash domain}" = mkArgon2id "idmail-mailbox-pw_catch-all@${shortHash domain}";
+      }
+    )
+  );
+
  globals.services.idmail.domain = idmailDomain;
  globals.monitoring.http.idmail = {
    url = "https://${idmailDomain}";
@ -31,6 +52,11 @@ in {
    network = "internet";
  };

+  #systemd.tmpfiles.settings."50-idmail"."${dataDir}".d = {
+  #  user = "idmail";
+  #  mode = "0750";
+  #};
+
  services.idmail = {
    enable = true;
    user = "stalwart-mail";
@ -39,12 +65,20 @@ in {
      enable = true;
      users.admin = {
        admin = true;
-        password_hash = "%{file:${config.age.secrets.idmail-admin-hash.path}}%";
+        password_hash = "%{file:${config.age.secrets.idmail-user-hash_admin.path}}%";
      };
-      domains = lib.genAttrs mailDomains.all (_: {
+      domains = lib.flip lib.mapAttrs globals.mail.domains (domain: domainCfg: {
        owner = "admin";
-        public = true;
+        catch_all = "catch-all@${domain}";
+        inherit (domainCfg) public;
      });
+      mailboxes = lib.flip lib.mapAttrs' globals.mail.domains (
+        domain: _domainCfg:
+          lib.nameValuePair "catch-all@${domain}" {
+            password_hash = "%{file:${config.age.secrets."idmail-mailbox-hash_catch-all@${shortHash domain}".path}}%";
+            owner = "admin";
+          }
+      );
    };
  };
  systemd.services.idmail.serviceConfig.RestartSec = "60"; # Retry every minute
--- a/hosts/envoy/net.nix
+++ b/hosts/envoy/net.nix
@ -7,8 +7,8 @@
  icfg = config.repo.secrets.local.networking.interfaces.wan;
 in {
  networking.hostId = config.repo.secrets.local.networking.hostId;
-  networking.domain = globals.domains.mail.primary;
-  networking.hosts."127.0.0.1" = ["mail.${globals.domains.mail.primary}"];
+  networking.domain = globals.mail.primary;
+  networking.hosts."127.0.0.1" = ["mail.${globals.mail.primary}"];

  globals.monitoring.ping.envoy = {
    hostv4 = lib.net.cidr.ip icfg.hostCidrv4;
--- a/hosts/envoy/secrets/idmail-admin-hash.age
+++ b/hosts/envoy/secrets/idmail-admin-hash.age
--- a/hosts/envoy/secrets/stalwart-admin-hash.age
+++ b/hosts/envoy/secrets/stalwart-admin-hash.age
@ -1,11 +0,0 @@
-age-encryption.org/v1
-> X25519 t0FJIrbn5q7oX4+1tHvjDnWDCiD6NMkNw7Aq2MfSXw4
-W6aq9jnVOH9W+pjsrSCZG1BJXSNojhiUrTgzANFpM9w
-> piv-p256 xqSe8Q A3qjOwYgwBFDf0beUSyw3nHhkO9ZhsJzGHBh4BTw7+tS
-ffyaSOMoOHiIXfXvCJY/apYkEc7wZgkhOGTNT9O7oJ0
-> n[k#S-grease /{ w79 (TV$':-8 4E
-hxVz/9v74X2gEt9y0yvKMClVgId3mAl5PVisyL0r8WUn4extTHoh8qj2fSFl++54
-c0aRZZ5Y+Pdqu/7FyignIhV4WbUtverMWhWdRAhGsXqFm/8ejLqPfELQ54w
--- rTgyJNg/7gotGoTSMt5jDxSFE0tM8CP+azNlDTRjCow
-LiÀºÝ“kþÃñ.?�N@1�l·HÎ¢æÐ�m°@8N�^òU•u•	Ô
-¦Ïƒ/íò¬ØÇ³§FIHÍÂk+*è+;#3ÒvÖx×~¯3¢Ú‚VZß¯‡ïî¿oó£Ñ’ZC|ñßÂÕ›T*ˆÛ‡“^-ªÑ .71Ñé€cÐ÷+g¬±‘†»Å�
--- a/hosts/envoy/stalwart-mail.nix
+++ b/hosts/envoy/stalwart-mail.nix
@ -5,8 +5,7 @@
  pkgs,
  ...
 }: let
-  mailDomains = globals.domains.mail;
-  primaryDomain = mailDomains.primary;
+  primaryDomain = globals.mail.primary;
  stalwartDomain = "mail.${primaryDomain}";
  dataDir = "/var/lib/stalwart-mail";
 in {
@ -19,8 +18,14 @@ in {
    }
  ];

+  age.secrets.stalwart-admin-pw = {
+    generator.script = "alnum";
+    mode = "000";
+  };
+
  age.secrets.stalwart-admin-hash = {
-    rekeyFile = ./secrets/stalwart-admin-hash.age;
+    generator.dependencies = [config.age.secrets.stalwart-admin-pw];
+    generator.script = "argon2id";
    mode = "440";
    group = "stalwart-mail";
  };