1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00

feat: add other mail domains, autogenerate argon hashes

This commit is contained in:
oddlama 2024-07-31 19:54:49 +02:00
parent a128dd5f40
commit 76163bad98
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
51 changed files with 284 additions and 51 deletions

View file

@ -4,26 +4,47 @@
lib,
...
}: let
mailDomains = globals.domains.mail;
primaryDomain = mailDomains.primary;
primaryDomain = globals.mail.primary;
idmailDomain = "alias.${primaryDomain}";
in {
# Not needed, we store stuff in stalwart's directory
#environment.persistence."/persist".directories = [
# {
# directory = "/var/lib/idmail";
# user = "idmail";
# group = "idmail";
# mode = "0700";
# }
#];
age.secrets.idmail-admin-hash = {
rekeyFile = ./secrets/idmail-admin-hash.age;
mkRandomSecret = {
generator.script = "alnum";
mode = "000";
};
mkArgon2id = secret: {
generator.dependencies = [config.age.secrets.${secret}];
generator.script = "argon2id";
mode = "440";
group = "stalwart-mail";
};
shortHash = x: lib.substring 0 16 (builtins.hashString "sha256" "${globals.salt}:${x}");
in {
environment.persistence."/persist".directories = [
{
directory = "/var/lib/idmail";
user = "idmail";
group = "idmail";
mode = "0700";
}
];
age.secrets = lib.mergeAttrsList (
[
{
idmail-user-pw_admin = mkRandomSecret;
idmail-user-hash_admin = mkArgon2id "idmail-user-pw_admin";
}
]
++ lib.forEach (lib.attrNames globals.mail.domains) (
domain: {
"idmail-mailbox-pw_catch-all@${shortHash domain}" = mkRandomSecret;
"idmail-mailbox-hash_catch-all@${shortHash domain}" = mkArgon2id "idmail-mailbox-pw_catch-all@${shortHash domain}";
}
)
);
globals.services.idmail.domain = idmailDomain;
globals.monitoring.http.idmail = {
url = "https://${idmailDomain}";
@ -31,6 +52,11 @@ in {
network = "internet";
};
#systemd.tmpfiles.settings."50-idmail"."${dataDir}".d = {
# user = "idmail";
# mode = "0750";
#};
services.idmail = {
enable = true;
user = "stalwart-mail";
@ -39,12 +65,20 @@ in {
enable = true;
users.admin = {
admin = true;
password_hash = "%{file:${config.age.secrets.idmail-admin-hash.path}}%";
password_hash = "%{file:${config.age.secrets.idmail-user-hash_admin.path}}%";
};
domains = lib.genAttrs mailDomains.all (_: {
domains = lib.flip lib.mapAttrs globals.mail.domains (domain: domainCfg: {
owner = "admin";
public = true;
catch_all = "catch-all@${domain}";
inherit (domainCfg) public;
});
mailboxes = lib.flip lib.mapAttrs' globals.mail.domains (
domain: _domainCfg:
lib.nameValuePair "catch-all@${domain}" {
password_hash = "%{file:${config.age.secrets."idmail-mailbox-hash_catch-all@${shortHash domain}".path}}%";
owner = "admin";
}
);
};
};
systemd.services.idmail.serviceConfig.RestartSec = "60"; # Retry every minute