From fcd61fad16dd898d2a0ab289f8b7320dd0bc22f5 Mon Sep 17 00:00:00 2001 From: eyjhb Date: Sat, 31 May 2025 20:38:34 +0200 Subject: [PATCH 1/3] move back to nixos-unstable because of stalwart --- shared/sources/sources.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/shared/sources/sources.json b/shared/sources/sources.json index 64d5621..6949936 100644 --- a/shared/sources/sources.json +++ b/shared/sources/sources.json @@ -67,15 +67,15 @@ "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "nixos-25.05", + "branch": "nixos-unstable", "description": "Nix Packages collection", "homepage": null, "owner": "NixOS", "repo": "nixpkgs", - "rev": "7282cb574e0607e65224d33be8241eae7cfe0979", - "sha256": "0klkpy7ah033y3cwj51a0l96lwmkqqvwgfv3kid4z9x5g2rqr0l5", + "rev": "96ec055edbe5ee227f28cdbc3f1ddf1df5965102", + "sha256": "064q32jmj54iwgh4lcdg2aii75cr5lvb683ym5pmj2kkj340pnpd", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/7282cb574e0607e65224d33be8241eae7cfe0979.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/96ec055edbe5ee227f28cdbc3f1ddf1df5965102.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From c06d0844cd048ecf8ecc6e33f964729ca546eb7a Mon Sep 17 00:00:00 2001 From: eyjhb Date: Sat, 31 May 2025 20:38:46 +0200 Subject: [PATCH 2/3] stalwart: add patches --- shared/sources/default.nix | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/shared/sources/default.nix b/shared/sources/default.nix index 25c0e05..12d5f5f 100644 --- a/shared/sources/default.nix +++ b/shared/sources/default.nix @@ -8,19 +8,21 @@ in sources // { src = sources.nixpkgs; name = "nixpkgs-patched"; patches = [ - # # tmp - lldap: 0.5.1-unstable-2024-10-30 -> 0.6.1 - # (pkgs.fetchpatch { - # url = "https://github.com/NixOS/nixpkgs/pull/359835.patch"; - # sha256 = "sha256-2C9l4v9MaUJyiaB+kslTsSjsqTZ7RlcfMNlRzZblMik="; - # }) - # tmp - stalwart-mail.webadmin: pin wasm-bindgen-cli version - # (pkgs.fetchpatch { - # url = "https://github.com/NixOS/nixpkgs/pull/353360.patch"; - # sha256 = "sha256-WPNnvVmtySyEk58kVIYWVx3VN8MhX4v2ITLLnUGhpz4="; - # }) + # stalwart-mail: 0.11.8 -> 0.12.0 + (pkgs.fetchpatch { + url = "https://github.com/NixOS/nixpkgs/pull/409178.patch"; + sha256 = "sha256-06J8pTjqeWTL6MJqVq17r3eelL5p/AfvUsPye5icVUg="; + }) + # nixos/stalwart-mail: fix incorrect config for webadmin and spam-filter + (pkgs.fetchpatch { + url = "https://github.com/NixOS/nixpkgs/pull/412054.patch"; + sha256 = "sha256-OExslGsrGGPWSJJFPkZgYV8DaPKq9YDlmozPf/bV6dE="; + }) ]; }; + # nixpkgs = pkgs.lib.cleanSource /state/home/projects/nixos/nixpkgs; + drasl = pkgs.applyPatches { src = sources.drasl; name = "drasl-patched"; From d95717941d38dbb557e384ba27494125951a7758 Mon Sep 17 00:00:00 2001 From: eyjhb Date: Sat, 31 May 2025 20:43:12 +0200 Subject: [PATCH 3/3] stalwart: exposes the http management panel now for encryption Also added a LLDAP attribute --- machines/gerd/services/lldap/default.nix | 1 + machines/gerd/services/stalwart/default.nix | 8 +++++- machines/gerd/services/stalwart/stalwart.nix | 28 +++++++++++++++----- 3 files changed, 29 insertions(+), 8 deletions(-) diff --git a/machines/gerd/services/lldap/default.nix b/machines/gerd/services/lldap/default.nix index 12806c5..dd36177 100644 --- a/machines/gerd/services/lldap/default.nix +++ b/machines/gerd/services/lldap/default.nix @@ -204,6 +204,7 @@ in { in lib.concatStrings (cap parts); in { uid = "uid"; + creationdate = "creationdate"; firstname = "givenName"; lastname = "sn"; email = "mail"; diff --git a/machines/gerd/services/stalwart/default.nix b/machines/gerd/services/stalwart/default.nix index 8b0edd3..16cca83 100644 --- a/machines/gerd/services/stalwart/default.nix +++ b/machines/gerd/services/stalwart/default.nix @@ -7,7 +7,13 @@ mine.shared.meta.stalwart = { name = "Stalwart Mail"; - description = "We host our own mailserver, which can be reached on ${config.mine.shared.settings.mail.domain} with your LDAP username and password."; + description = '' + We host our own mailserver, which can be reached on ${config.mine.shared.settings.mail.domain} with your LDAP username and password. + From here encryption-at-rest can be setup with either OpenPGP or S/MIME. Keep in mind, Change Password, Two-factor Auth and App Passwords + do not work, as we are using LDAP for authentication instead. + ''; + + url = "https://${config.mine.shared.settings.mail.domain}"; package = let pkg = config.services.stalwart-mail.package; diff --git a/machines/gerd/services/stalwart/stalwart.nix b/machines/gerd/services/stalwart/stalwart.nix index 1ab1106..c50dfcb 100644 --- a/machines/gerd/services/stalwart/stalwart.nix +++ b/machines/gerd/services/stalwart/stalwart.nix @@ -1,7 +1,10 @@ { config, lib, pkgs, ... }: let - svc_domain = "mail.${config.mine.shared.settings.domain}"; + svc_domain = "stalwart.${config.mine.shared.settings.domain}"; + svc_domain_mail = "mail.${config.mine.shared.settings.domain}"; + # TODO(eyJhb): in theory these domains are not used, they're just + # nice to have.. maybe. svc_domain_smtp = "smtp.${config.mine.shared.settings.domain}"; svc_domain_imap = "imap.${config.mine.shared.settings.domain}"; @@ -27,7 +30,7 @@ in { openFirewall = true; settings = { - lookup.default.hostname = svc_domain; + lookup.default.hostname = svc_domain_mail; store.db.path = "${stateDir}/db"; @@ -72,11 +75,15 @@ in { quota = lconfig.attr.membermaildiskquota; class = "objectClass"; groups = "memberOf"; - # we dont have access to this in lldap + # we dont have access to this in lldap, and + # therefore we use secret-changed instead # secret = lconfig.attr.stalwart_secret; + # TODO(eyJhb): remove once LLDAP gets + # plugin support, so we can make a plugin + # that updates a attribute on password updates + # https://github.com/lldap/lldap/pull/1119 + secret-changed = lconfig.attr.creationdate; }); - - }; storage.directory = "ldap"; @@ -87,7 +94,7 @@ in { submissions = { bind = [ "[::]:${builtins.toString ports.submissions}"]; protocol = "smtp"; tls.implicit = true; }; imaptls = { bind = [ "[::]:${builtins.toString ports.imaptls}"]; protocol = "imap"; tls.implicit = true; }; - management = { bind = [ "127.0.0.1:${builtins.toString ports.http_management}" ]; protocol = "http"; }; + management = { bind = [ "[::]:${builtins.toString ports.http_management}" ]; protocol = "http"; }; }; certificate.domain = { @@ -139,13 +146,19 @@ in { ]; # setup certs - services.nginx.virtualHosts."${svc_domain}" = { + services.nginx.virtualHosts."${svc_domain_mail}" = { forceSSL = true; enableACME = true; serverAliases = [ svc_domain_smtp svc_domain_imap ]; root = pkgs.writeTextDir "index.html" "Nothing."; }; + services.nginx.virtualHosts."${svc_domain}" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://localhost:${builtins.toString ports.http_management}"; + }; + # need to change group to stalwart-mail for cert + add nginx to stalwart-mail group to do HTTP ACME users.users.nginx.extraGroups = [ stalwart_group ]; security.acme.certs."${svc_domain}" = { @@ -160,6 +173,7 @@ in { mine.shared.settings.mail = { domain = svc_domain; + domain_mail = svc_domain_mail; domain_smtp = svc_domain_smtp; domain_imap = svc_domain_imap;