From ad84cfae7e507b823557a1c03600e0e0dfeba4fe Mon Sep 17 00:00:00 2001
From: Kaare Hoff Skovgaard
Date: Wed, 30 Jul 2025 11:11:14 +0200
Subject: [PATCH] Revert "Final attempt at getting stalwart working before revert"

This reverts commit fbcd590bfe6327748aff33ba0e0b20ef58f561a3.
---
 .../nixos/infrastructure/mailserver/acme.nix | 1 -
 .../infrastructure/mailserver/default.nix | 35 ++-------
 .../nixos/infrastructure/mailserver/dkim.nix | 4 -
 .../nixos/infrastructure/mailserver/ldap.nix | 3 -
 .../mailserver/openid-connect.nix | 74 +++++++++----------
 .../mailserver/package/nixos-module.nix | 15 +---
 .../infrastructure/mailserver/prometheus.nix | 7 +-
 .../mx.kaareskovgaard.net/default.nix | 2 -
 8 files changed, 46 insertions(+), 95 deletions(-)

diff --git a/nix/modules/nixos/infrastructure/mailserver/acme.nix b/nix/modules/nixos/infrastructure/mailserver/acme.nix
index ba54139..c13d0ca 100644
--- a/nix/modules/nixos/infrastructure/mailserver/acme.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/acme.nix
@@ -19,7 +19,6 @@ in
 services.stalwart-mail.settings = {
 certificate.default = {
 cert = "%{file:${acmeDir}/fullchain.pem}%";
- default = true;
 private-key = "%{file:${config.security.acme.certs.${fqdn}.directory}/key.pem}%";
 };
 };
diff --git a/nix/modules/nixos/infrastructure/mailserver/default.nix b/nix/modules/nixos/infrastructure/mailserver/default.nix
index 9e5bc73..a4b7289 100644
--- a/nix/modules/nixos/infrastructure/mailserver/default.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/default.nix
@@ -36,34 +36,8 @@ in
 enable = true;
 package = pkgs.callPackage ./package/package.nix { };
 settings = {
- config = {
- local-keys =
- # defaults
- [
- "store.*"
- "directory.*"
- "tracer.*"
- "!server.blocked-ip.*"
- "!server.allowed-ip.*"
- "server.*"
- "authentication.fallback-admin.*"
- "cluster.*"
- "config.local-keys.*"
- "storage.data"
- "storage.blob"
- "storage.lookup"
- "storage.fts"
- "storage.directory"
- "certificate.*"
- ]
- # KHS addded
- ++ [
- "http.*"
- "lookup.default.*"
- ];
- };
 http = {
- url = "'https://${fqdn}'";
+ url = "https://${fqdn}";
 use-x-forwarded = true;
 };
 server = {
@@ -89,9 +63,13 @@ in
 protocol = "imap";
 tls.implicit = true;
 };
- management = {
+ jmap = {
 bind = "[::]:8080";
 url = "https://${fqdn}";
+ protocol = "jmap";
+ };
+ management = {
+ bind = "[::]:8080";
 protocol = "http";
 };
 };
@@ -100,6 +78,7 @@ in
 hostname = fqdn;
 domain = "kaareskovgaard.net";
 };
+ spam-filter.resource = "${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml";
 };
 };
 # TODO: Include a similiar rule for openstack
diff --git a/nix/modules/nixos/infrastructure/mailserver/dkim.nix b/nix/modules/nixos/infrastructure/mailserver/dkim.nix
index 68ddd50..894c6e5 100644
--- a/nix/modules/nixos/infrastructure/mailserver/dkim.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/dkim.nix
@@ -213,10 +213,6 @@ in
 ]) cfg.domains
 );
 services.stalwart-mail.settings = {
- config.local-keys = [
- "auth.*"
- "signature.*"
- ];
 auth.dkim = {
 sign = authDkim ++ [
 (otherwise false)
diff --git a/nix/modules/nixos/infrastructure/mailserver/ldap.nix b/nix/modules/nixos/infrastructure/mailserver/ldap.nix
index ed1c0ed..c009b5a 100644
--- a/nix/modules/nixos/infrastructure/mailserver/ldap.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/ldap.nix
@@ -17,9 +17,6 @@ in
 config = lib.mkIf cfg.enable {
 services.stalwart-mail.settings = {
- config.local-keys = [
- "storage.ldap.*"
- ];
 storage = {
 directory = "ldap";
 };
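Review bot: Both the `jmap` and `management` listeners on the new side of the `@@ -89,9 +63,13 @@` hunk bind `[::]:8080`, so either Stalwart rejects the second bind at startup or the two definitions merge and one `protocol` wins; the intent is not recoverable from the config, whereas the removed side had a single `management` listener on that port. Give `management` its own port (e.g. `bind = "[::]:8081";`) or, if Stalwart is known to serve several protocols on one socket, say so next to the second bind: `# shares the 8080 socket with jmap; stalwart multiplexes http/jmap here`. Independently, `[::]` binds every interface while `http.use-x-forwarded = true` in the previous hunk makes Stalwart trust forwarded client addresses, so confirm that 8080 is only reachable through the local reverse proxy (a firewall rule, or `bind = "[::1]:8080";`). The enclosing listener attrset starts outside the hunk.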
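Review bot: The `spam-filter.resource` value added in the `@@ -100,6 +78,7 @@` hunk is a bare store path, while the definition this revert removes from `package/nixos-module.nix` spelled the same setting as `file://${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml`; both forms cannot be what Stalwart expects, so confirm the accepted one and record it: `# plain store path, no file:// scheme — verified against stalwart's resource loader`. Because the file is a Nix store path, losing the matching `ReadOnlyPaths` entry in `package/nixos-module.nix` is unlikely to weaken the unit's sandbox, but that holds only if the store is mounted read-only on this host. The enclosing `settings` attrset starts outside the hunk.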
diff --git a/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix b/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix
index 2fe2075..43c383f 100644
--- a/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix
@@ -5,43 +5,41 @@ let
 in
 {
 config = lib.mkIf cfg.enable {
- services.stalwart-mail.settings = {
- tracer.stdout.level = "trace";
- directory.oidc = {
- type = "oidc";
- url = "ldaps://login.kaareskovgaard.net";
- timeout = "1s";
- endpoint.url = "https://login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo";
- endpoint.method = "userinfo";
- auth.method = "user-token";
- auth.username = "dovecot";
- auth.secret = "%{file:${oauthConfigFile}}%";
- fields.email = "email";
- fields.username = "preferred_username";
- fields.full-name = "name";
- };
- };
- khscodes.services.vault-agent.templates = [
- {
- contents = ''
- {{- with secret "kanidm/data/apps/dovecot" -}}
- {{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect
- {{- end -}}
- '';
- destination = oauthConfigFile;
- perms = "0600";
- owner = "stalwart-mail";
- group = "stalwart-mail";
- restartUnits = [ "stalwart-mail.service" ];
- }
- ];
- systemd.services.stalwart-mail = {
- serviceConfig.ReadOnlyPaths = [
- oauthConfigFile
- ];
- unitConfig.ConditionPathExists = [
- oauthConfigFile
- ];
- };
+ # khscodes.services.vault-agent.templates = [
+ # {
+ # contents = ''
+ # {{- with secret "kanidm/data/apps/dovecot" -}}
+ # scope = email openid profile
+ # username_attribute = username
+ # debug = yes
+ # introspection_url = https://dovecot:{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect
+ # introspection_mode = post
+ # {{- end -}}
+ # '';
+ # destination = oauthConfigFile;
+ # perms = "0600";
+ # owner = "root";
+ # group = "root";
+ # restartUnits = [ "dovecot2.service" ];
+ # }
+ # ];
+ # services.dovecot2.extraConfig = ''
+ # auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
+ # passdb {
+ # driver = oauth2
+ # mechanisms = xoauth2 oauthbearer
+ # args = ${oauthConfigFile}
+ # }
+ # '';
+ # systemd.services.dovecot2 = {
+ # serviceConfig.ReadOnlyPaths = [
+ # oauthConfigFile
+ # ];
+ # unitConfig.ConditionPathExists = [
+ # oauthConfigFile
+ # ];
+ # };
 };
 }
diff --git a/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix b/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix
index 9aa349f..5d4160c 100644
--- a/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix
@@ -1,5 +1,4 @@
-# This file contains patches for Nixos 25.05 to be compatible with new stalwart mail.
-# Also some minor patches to avoid having warnings on startup
+# This file contains patches for Nixos 25.05 to be compatible with new stalwart mail
 {
 lib,
 config,
@@ -11,17 +10,6 @@ let
 configFile = configFormat.generate "stalwart-mail.toml" config.services.stalwart-mail.settings;
 in
 {
- services.stalwart-mail.settings = {
- config.local-keys = [
- "spam-filter.resource"
- ]
- ++ [
- # I think these maybe should be added to nixpkgs?
- "resolver.*"
- "webadmin.*"
- ];
- spam-filter.resource = "file://${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml";
- };
 systemd.services.stalwart-mail = lib.mkIf config.services.stalwart-mail.enable {
 serviceConfig = {
 User = "stalwart-mail";
@@ -30,7 +18,6 @@ in
 ""
 "${lib.getExe config.services.stalwart-mail.package} --config=${configFile}"
 ];
- ReadOnlyPaths = [ "${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml" ];
 };
 };
 }
diff --git a/nix/modules/nixos/infrastructure/mailserver/prometheus.nix b/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
index 51d9dcf..9c1e7f5 100644
--- a/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
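Review bot: After this hunk `config = lib.mkIf cfg.enable { … }` holds only commented-out Dovecot configuration, so setting the OIDC `enable` option now yields an empty attrset and silently does nothing, and `oauthConfigFile` from the `let` block is no longer referenced by live code. The commented block also carries the introspection secret in URL userinfo form, `https://dovecot:{{ .Data.data.basic_secret }}@…`, alongside `debug = yes`; the stalwart definition being removed read the secret via `%{file:${oauthConfigFile}}%`, which keeps it out of URLs and logs, so that is the shape to return to if this is revived. Prefer dropping the commented block entirely (the reverted commit preserves it in history) and leaving a marker such as `# TODO: stalwart OIDC directory not yet working; cfg.enable currently has no effect` so the inert option is visible to the next reader. The `let` binding this hunk sits under starts outside the hunk.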
@@ -5,11 +5,8 @@ let
 in
 {
 config = lib.mkIf cfg.enable {
- services.stalwart-mail.settings = {
- config.local-keys = [ "metrics.prometheus.*" ];
- metrics.prometheus = {
- enable = true;
+ services.stalwart-mail.settings.metrics.prometheus = {
+ enable = true;
 };
 # Don't expose the endpoint
 khscodes.services.nginx.virtualHosts."${fqdn}".locations."=/metrics/prometheus" = {
diff --git a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
index 0d92018..737fa57 100644
--- a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
+++ b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
@@ -74,8 +74,6 @@
 $config['oauth_identity_uri'] = 'https://login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo';
 $config['oauth_identity_fields'] = ['preferred_username'];
 $config['oauth_scope'] = 'email openid profile';
- # Don't show login dialog, just redirect to oauth login page
- # $config['oauth_login_redirect'] = true;
 '';
 };
 khscodes.services.nginx = {