pyrox.dev / nix
My Nix Configuration
fork atom

[prefect.stalwart] update secrets handling

pyrox.dev 5b37b423 1e366d4e

verified
options
unified split
Changed files
+23 -11
systems
x86_64-linux
prefect
secrets
stalwart-fallback-admin-pw.age
services
mailserver
stalwart
acme.nix
default.nix
signature.nix
systems/x86_64-linux/prefect/secrets/stalwart-fallback-admin-pw.age

This is a binary file and will not be displayed.

+6 -2
systems/x86_64-linux/prefect/services/mailserver/stalwart/acme.nix 
···

       
1

       
-

       
{ cfg }:


     

       

       

       
     

       

       

       
     

       
2

       
 

       
{


     

       
3

       
 

       
  letsencrypt = {


     

       
4

       
 

       
    directory = "https://acme-staging-v02.api.letsencrypt.org/directory";


     

       
5

       
-

       
    challenge = "http-01";


     

       
6

       
 

       
    contact = [ "pyrox@pyrox.dev" ];


     

       
7

       
 

       
    domains = [


     

       
8

       
 

       
      "mail.pyrox.dev"


     
···

       
13

       
 

       
    cache = "${cfg.dataDir}/acme/certs";


     

       
14

       
 

       
    renew-before = "30d";


     

       
15

       
 

       
    default = true;


     

       

       

       
     

       

       

       
     

       
16

       
 

       
  };


     

       
17

       
 

       
}


     
···

       
1

       
+

       
# ACME for certs, using TLS-ALPN-01 Challenges(one fewer ports open)


     

       
2

       
+

       
# https://stalw.art/docs/server/tls/acme/configuration


     

       
3

       
+

       
{ cfg, sec }:


     

       
4

       
 

       
{


     

       
5

       
 

       
  letsencrypt = {


     

       
6

       
 

       
    directory = "https://acme-staging-v02.api.letsencrypt.org/directory";


     

       
7

       
+

       
    challenge = "dns-01";


     

       
8

       
 

       
    contact = [ "pyrox@pyrox.dev" ];


     

       
9

       
 

       
    domains = [


     

       
10

       
 

       
      "mail.pyrox.dev"


     
···

       
15

       
 

       
    cache = "${cfg.dataDir}/acme/certs";


     

       
16

       
 

       
    renew-before = "30d";


     

       
17

       
 

       
    default = true;


     

       
18

       
+

       
    provider = "desec";


     

       
19

       
+

       
    secret = "%{file:${sec.stalwart-desec-token.path}}";


     

       
20

       
 

       
  };


     

       
21

       
 

       
}
+14 -7
systems/x86_64-linux/prefect/services/mailserver/stalwart/default.nix 
···

       
28

       
 

       
  services.stalwart-mail = {


     

       
29

       
 

       
    enable = true;


     

       
30

       
 

       
    dataDir = "/var/lib/stalwart";


     

       
31

       
-

       
    credentials = {


     

       
32

       
-

       
      rsa_private_key = sec.stalwart-secret-rsa.path;


     

       
33

       
-

       
      ed25519_private_key = sec.stalwart-secret-ed25519.path;


     

       
34

       
-

       
    };


     

       
35

       
 

       
    settings = {


     

       
36

       
 

       
      tracer.stdout.level = "debug";


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
37

       
 

       
      config = {


     

       
38

       
 

       
        local-keys = [


     

       
39

       
 

       
          "acme.*"


     
···

       
56

       
 

       
          "resolver.*"


     

       
57

       
 

       
          "server.*"


     

       
58

       
 

       
          "session.*"


     

       

       

       
     

       
59

       
 

       
          "storage.*"


     

       
60

       
 

       
          "store.*"


     

       
61

       
 

       
          "tracer.*"


     
···

       
66

       
 

       
        ];


     

       
67

       
 

       
      };


     

       
68

       
 

       
      server = import ./server.nix { inherit d; };


     

       
69

       
-

       
      # ACME for certs, using TLS-ALPN-01 Challenges(one fewer ports open)


     

       
70

       
-

       
      # https://stalw.art/docs/server/tls/acme/configuration


     

       
71

       
-

       
      acme = import ./acme.nix { inherit cfg; };


     

       
72

       
 

       
      # HTTP Configuration


     

       
73

       
 

       
      # https://stalw.art/docs/http/overview


     

       
74

       
 

       
      http = {


     
···

       
78

       
 

       
      # Disable HTTP Forms submission


     

       
79

       
 

       
      # https://stalw.art/docs/http/form-submission


     

       
80

       
 

       
      form.enable = false;


     

       

       

       
     

       

       

       
     

       
81

       
 

       
      # Storage Settings


     

       
82

       
 

       
      # https://stalw.art/docs/storage/overview


     

       
83

       
 

       
      store = {


     
···

       
176

       
 

       
    };


     

       
177

       
 

       
    stalwart-secret-ed25519 = smSecret // {


     

       
178

       
 

       
      file = ../../../secrets/stalwart-secret-ed25519.age;


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
179

       
 

       
    };


     

       
180

       
 

       
  };


     

       
181

       
 

       
}


     
···

       
28

       
 

       
  services.stalwart-mail = {


     

       
29

       
 

       
    enable = true;


     

       
30

       
 

       
    dataDir = "/var/lib/stalwart";


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
31

       
 

       
    settings = {


     

       
32

       
 

       
      tracer.stdout.level = "debug";


     

       
33

       
+

       
      authentication.fallback-admin = {


     

       
34

       
+

       
        user = "fallback";


     

       
35

       
+

       
        secret = "%{file:${sec.stalwart-fallback-admin-pw.path}}";


     

       
36

       
+

       
      };


     

       
37

       
 

       
      config = {


     

       
38

       
 

       
        local-keys = [


     

       
39

       
 

       
          "acme.*"


     
···

       
56

       
 

       
          "resolver.*"


     

       
57

       
 

       
          "server.*"


     

       
58

       
 

       
          "session.*"


     

       
59

       
+

       
          "signature.*"


     

       
60

       
 

       
          "storage.*"


     

       
61

       
 

       
          "store.*"


     

       
62

       
 

       
          "tracer.*"


     
···

       
67

       
 

       
        ];


     

       
68

       
 

       
      };


     

       
69

       
 

       
      server = import ./server.nix { inherit d; };


     

       
70

       
+

       
      acme = import ./acme.nix { inherit cfg sec; };


     

       

       

       
     

       

       

       
     

       
71

       
 

       
      # HTTP Configuration


     

       
72

       
 

       
      # https://stalw.art/docs/http/overview


     

       
73

       
 

       
      http = {


     
···

       
77

       
 

       
      # Disable HTTP Forms submission


     

       
78

       
 

       
      # https://stalw.art/docs/http/form-submission


     

       
79

       
 

       
      form.enable = false;


     

       
80

       
+

       
      # DKIM Signatures


     

       
81

       
+

       
      signature = import ./signature.nix { inherit sec; };


     

       
82

       
 

       
      # Storage Settings


     

       
83

       
 

       
      # https://stalw.art/docs/storage/overview


     

       
84

       
 

       
      store = {


     
···

       
177

       
 

       
    };


     

       
178

       
 

       
    stalwart-secret-ed25519 = smSecret // {


     

       
179

       
 

       
      file = ../../../secrets/stalwart-secret-ed25519.age;


     

       
180

       
+

       
    };


     

       
181

       
+

       
    stalwart-desec-token = smSecret // {


     

       
182

       
+

       
      file = ../../../secrets/stalwart-desec-token.age;


     

       
183

       
+

       
    };


     

       
184

       
+

       
    stalwart-fallback-admin-pw = smSecret // {


     

       
185

       
+

       
      file = ../../../secrets/stalwart-fallback-admin-pw.age;


     

       
186

       
 

       
    };


     

       
187

       
 

       
  };


     

       
188

       
 

       
}
+3 -2
systems/x86_64-linux/prefect/services/mailserver/stalwart/signature.nix 
···

       

       

       
     

       
1

       
 

       
let


     

       
2

       
 

       
  headers = [


     

       
3

       
 

       
    "From"


     
···

       
20

       
 

       
{


     

       
21

       
 

       
  rsa = {


     

       
22

       
 

       
    inherit headers;


     

       
23

       
-

       
    private-key = "%{file:/run/credentials/stalwart-mail.service/rsa_private_key}";


     

       
24

       
 

       
    domain = "pyrox.dev";


     

       
25

       
 

       
    selector = "rsa-default";


     

       
26

       
 

       
    algorithm = "rsa-sha256";


     
···

       
30

       
 

       
  };


     

       
31

       
 

       
  ed25519 = {


     

       
32

       
 

       
    inherit headers;


     

       
33

       
-

       
    private-key = "%{file:/run/credentials/stalwart-mail.service/ed25519_private_key}";


     

       
34

       
 

       
    domain = "pyrox.dev";


     

       
35

       
 

       
    selector = "default";


     

       
36

       
 

       
    algorithm = "ed25519-sha256";


     
···

       
1

       
+

       
{ sec }:


     

       
2

       
 

       
let


     

       
3

       
 

       
  headers = [


     

       
4

       
 

       
    "From"


     
···

       
21

       
 

       
{


     

       
22

       
 

       
  rsa = {


     

       
23

       
 

       
    inherit headers;


     

       
24

       
+

       
    private-key = "%{file:${sec.stalwart-secret-rsa.path}}";


     

       
25

       
 

       
    domain = "pyrox.dev";


     

       
26

       
 

       
    selector = "rsa-default";


     

       
27

       
 

       
    algorithm = "rsa-sha256";


     
···

       
31

       
 

       
  };


     

       
32

       
 

       
  ed25519 = {


     

       
33

       
 

       
    inherit headers;


     

       
34

       
+

       
    private-key = "%{file:${sec.stalwart-secret-ed25519.path}}";


     

       
35

       
 

       
    domain = "pyrox.dev";


     

       
36

       
 

       
    selector = "default";


     

       
37

       
 

       
    algorithm = "ed25519-sha256";