diff --git a/machines/gerd/services/lldap/default.nix b/machines/gerd/services/lldap/default.nix
index 12806c5..dd36177 100644
--- a/machines/gerd/services/lldap/default.nix
+++ b/machines/gerd/services/lldap/default.nix
@@ -204,6 +204,7 @@ in {
 in lib.concatStrings (cap parts);
 in {
 uid = "uid";
+ creationdate = "creationdate";
 firstname = "givenName";
 lastname = "sn";
 email = "mail";
diff --git a/machines/gerd/services/stalwart/default.nix b/machines/gerd/services/stalwart/default.nix
index 8b0edd3..16cca83 100644
--- a/machines/gerd/services/stalwart/default.nix
+++ b/machines/gerd/services/stalwart/default.nix
@@ -7,7 +7,13 @@ mine.shared.meta.stalwart = {
 name = "Stalwart Mail";
- description = "We host our own mailserver, which can be reached on ${config.mine.shared.settings.mail.domain} with your LDAP username and password.";
+ description = ''
+ We host our own mailserver, which can be reached on ${config.mine.shared.settings.mail.domain} with your LDAP username and password.
+ From here encryption-at-rest can be setup with either OpenPGP or S/MIME. Keep in mind, Change Password, Two-factor Auth and App Passwords
+ do not work, as we are using LDAP for authentication instead.
+ '';
+
+ url = "https://${config.mine.shared.settings.mail.domain}";
 package = let pkg = config.services.stalwart-mail.package;
diff --git a/machines/gerd/services/stalwart/stalwart.nix b/machines/gerd/services/stalwart/stalwart.nix
index 1ab1106..c50dfcb 100644
--- a/machines/gerd/services/stalwart/stalwart.nix
+++ b/machines/gerd/services/stalwart/stalwart.nix
@@ -1,7 +1,10 @@
 { config, lib, pkgs, ... }: let
- svc_domain = "mail.${config.mine.shared.settings.domain}";
+ svc_domain = "stalwart.${config.mine.shared.settings.domain}";
+ svc_domain_mail = "mail.${config.mine.shared.settings.domain}";
+ # TODO(eyJhb): in theory these domains are not used, they're just
+ # nice to have.. maybe.
 svc_domain_smtp = "smtp.${config.mine.shared.settings.domain}";
 svc_domain_imap = "imap.${config.mine.shared.settings.domain}";
@@ -27,7 +30,7 @@ in {
 openFirewall = true;
 settings = {
- lookup.default.hostname = svc_domain;
+ lookup.default.hostname = svc_domain_mail;
 store.db.path = "${stateDir}/db";
@@ -72,11 +75,15 @@ in {
 quota = lconfig.attr.membermaildiskquota;
 class = "objectClass";
 groups = "memberOf";
- # we dont have access to this in lldap
+ # we dont have access to this in lldap, and
+ # therefore we use secret-changed instead
 # secret = lconfig.attr.stalwart_secret;
+ # TODO(eyJhb): remove once LLDAP gets
+ # plugin support, so we can make a plugin
+ # that updates a attribute on password updates
+ # https://github.com/lldap/lldap/pull/1119
+ secret-changed = lconfig.attr.creationdate;
 });
-
-
 };
 storage.directory = "ldap";
@@ -87,7 +94,7 @@ in {
 submissions = { bind = [ "[::]:${builtins.toString ports.submissions}"]; protocol = "smtp"; tls.implicit = true; };
 imaptls = { bind = [ "[::]:${builtins.toString ports.imaptls}"]; protocol = "imap"; tls.implicit = true; };
- management = { bind = [ "127.0.0.1:${builtins.toString ports.http_management}" ]; protocol = "http"; };
+ management = { bind = [ "[::]:${builtins.toString ports.http_management}" ]; protocol = "http"; };
 };
 certificate.domain = {
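Review bot: `secret-changed = lconfig.attr.creationdate;` in the -72 hunk feeds Stalwart's password-change marker from an LLDAP attribute that never changes after the account is created, so whatever Stalwart keys off that attribute (presumably invalidating cached credentials or tokens issued before a password reset) will not react to a password change made in LLDAP. The TODO records the planned fix but not the operational consequence, which is what an operator handling a credential reset needs to know; a comment such as `# NOTE: creationdate never changes, so a password reset in LLDAP does not invalidate sessions/tokens Stalwart issued before it — revoke those manually until the plugin exists` should sit next to the TODO. The attribute set being configured continues outside the hunk.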
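Review bot: Binding the `management` HTTP listener to `[::]` instead of `127.0.0.1` in the -87 hunk makes the plain-HTTP management endpoint reachable on every interface, and with `openFirewall = true` (visible in the -27 hunk of this file) the NixOS module may also open that port if it derives the firewall list from the listener binds, which would let clients bypass the TLS-terminating nginx proxy added later in this diff. If the change was only needed because nginx's `localhost` resolves to `::1`, a loopback bind gives the same result without exposing the listener: `management = { bind = [ "[::1]:${builtins.toString ports.http_management}" ]; protocol = "http"; };` together with `locations."/".proxyPass = "http://[::1]:${builtins.toString ports.http_management}";` in the new virtual host. The listener attribute set continues outside the hunk.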
@@ -139,13 +146,19 @@ in {
 ];
 # setup certs
- services.nginx.virtualHosts."${svc_domain}" = {
+ services.nginx.virtualHosts."${svc_domain_mail}" = {
 forceSSL = true;
 enableACME = true;
 serverAliases = [ svc_domain_smtp svc_domain_imap ];
 root = pkgs.writeTextDir "index.html" "Nothing.";
 };
+ services.nginx.virtualHosts."${svc_domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://localhost:${builtins.toString ports.http_management}";
+ };
+
 # need to change group to stalwart-mail for cert + add nginx to stalwart-mail group to do HTTP ACME
 users.users.nginx.extraGroups = [ stalwart_group ];
 security.acme.certs."${svc_domain}" = {
@@ -160,6 +173,7 @@ in {
 mine.shared.settings.mail = {
 domain = svc_domain;
+ domain_mail = svc_domain_mail;
 domain_smtp = svc_domain_smtp;
 domain_imap = svc_domain_imap;
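Review bot: After the rename, `security.acme.certs."${svc_domain}"` at the end of the -139 hunk refers to the certificate for the new `stalwart.` host, yet the comment directly above it says this is the certificate whose group is changed so that stalwart-mail can read it. If Stalwart's `certificate.domain` (context in the -87 hunk) still consumes this certificate for IMAP/SMTP, clients connecting to the `mail.`, `smtp.` and `imap.` names would be presented with a certificate that does not cover them; the group change and the reference should then presumably move to `security.acme.certs."${svc_domain_mail}"`, which is the virtual host that carries the `serverAliases` for those names. The acme block continues outside the hunk, so this needs confirming against the rest of the file. The new virtual host also proxies the management UI with no access restriction, so a one-line comment stating that it is intentionally reachable from the internet (or an allow/deny list in the location's `extraConfig` if it is meant for administrators only) would make that decision explicit.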