Revert "Final attempt at getting stalwart working before revert"

This reverts commit fbcd590bfe.
2025-07-30 11:11:14 +02:00 · 2025-07-30 11:11:14 +02:00 · ad84cfae7e
commit ad84cfae7e
parent fbcd590bfe
8 changed files with 46 additions and 95 deletions
--- a/nix/modules/nixos/infrastructure/mailserver/acme.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/acme.nix
@ -19,7 +19,6 @@ in
    services.stalwart-mail.settings = {
      certificate.default = {
        cert = "%{file:${acmeDir}/fullchain.pem}%";
-        default = true;
        private-key = "%{file:${config.security.acme.certs.${fqdn}.directory}/key.pem}%";
      };
    };
--- a/nix/modules/nixos/infrastructure/mailserver/default.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/default.nix
@ -36,34 +36,8 @@ in
      enable = true;
      package = pkgs.callPackage ./package/package.nix { };
      settings = {
-        config = {
-          local-keys =
-            # defaults
-            [
-              "store.*"
-              "directory.*"
-              "tracer.*"
-              "!server.blocked-ip.*"
-              "!server.allowed-ip.*"
-              "server.*"
-              "authentication.fallback-admin.*"
-              "cluster.*"
-              "config.local-keys.*"
-              "storage.data"
-              "storage.blob"
-              "storage.lookup"
-              "storage.fts"
-              "storage.directory"
-              "certificate.*"
-            ]
-            # KHS addded
-            ++ [
-              "http.*"
-              "lookup.default.*"
-            ];
-        };
        http = {
-          url = "'https://${fqdn}'";
+          url = "https://${fqdn}";
          use-x-forwarded = true;
        };
        server = {
@ -89,9 +63,13 @@ in
              protocol = "imap";
              tls.implicit = true;
            };
-            management = {
+            jmap = {
              bind = "[::]:8080";
              url = "https://${fqdn}";
+              protocol = "jmap";
+            };
+            management = {
+              bind = "[::]:8080";
              protocol = "http";
            };
          };
@ -100,6 +78,7 @@ in
          hostname = fqdn;
          domain = "kaareskovgaard.net";
        };
+        spam-filter.resource = "${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml";
      };
    };
    # TODO: Include a similiar rule for openstack
--- a/nix/modules/nixos/infrastructure/mailserver/dkim.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/dkim.nix
@ -213,10 +213,6 @@ in
      ]) cfg.domains
    );
    services.stalwart-mail.settings = {
-      config.local-keys = [
-        "auth.*"
-        "signature.*"
-      ];
      auth.dkim = {
        sign = authDkim ++ [
          (otherwise false)
--- a/nix/modules/nixos/infrastructure/mailserver/ldap.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/ldap.nix
@ -17,9 +17,6 @@ in

  config = lib.mkIf cfg.enable {
    services.stalwart-mail.settings = {
-      config.local-keys = [
-        "storage.ldap.*"
-      ];
      storage = {
        directory = "ldap";
      };
--- a/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix
@ -5,43 +5,41 @@ let
 in
 {
  config = lib.mkIf cfg.enable {
-    services.stalwart-mail.settings = {
-      tracer.stdout.level = "trace";
-      directory.oidc = {
-        type = "oidc";
-        url = "ldaps://login.kaareskovgaard.net";
-        timeout = "1s";
-        endpoint.url = "https://login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo";
-        endpoint.method = "userinfo";
-        auth.method = "user-token";
-        auth.username = "dovecot";
-        auth.secret = "%{file:${oauthConfigFile}}%";
-        fields.email = "email";
-        fields.username = "preferred_username";
-        fields.full-name = "name";
-      };
-    };
-    khscodes.services.vault-agent.templates = [
-      {
-        contents = ''
-          {{- with secret "kanidm/data/apps/dovecot" -}}
-          {{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect
-          {{- end -}}
-        '';
-        destination = oauthConfigFile;
-        perms = "0600";
-        owner = "stalwart-mail";
-        group = "stalwart-mail";
-        restartUnits = [ "stalwart-mail.service" ];
-      }
-    ];
-    systemd.services.stalwart-mail = {
-      serviceConfig.ReadOnlyPaths = [
-        oauthConfigFile
-      ];
-      unitConfig.ConditionPathExists = [
-        oauthConfigFile
-      ];
-    };
+    # khscodes.services.vault-agent.templates = [
+    #   {
+    #     contents = ''
+    #       {{- with secret "kanidm/data/apps/dovecot" -}}
+    #       scope = email openid profile
+    #       username_attribute = username
+    #       debug = yes
+    #       introspection_url = https://dovecot:{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect
+    #       introspection_mode = post
+    #       {{- end -}}
+    #     '';
+    #     destination = oauthConfigFile;
+    #     perms = "0600";
+    #     owner = "root";
+    #     group = "root";
+    #     restartUnits = [ "dovecot2.service" ];
+    #   }
+    # ];
+    # services.dovecot2.extraConfig = ''
+    #   auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
+
+    #   passdb {
+    #     driver = oauth2
+    #     mechanisms = xoauth2 oauthbearer
+    #     args = ${oauthConfigFile}
+    #   }
+    # '';
+    # systemd.services.dovecot2 = {
+    #   serviceConfig.ReadOnlyPaths = [
+    #     oauthConfigFile
+    #   ];
+    #   unitConfig.ConditionPathExists = [
+    #     oauthConfigFile
+    #   ];
+    # };
+
  };
 }
--- a/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix
@ -1,5 +1,4 @@
-# This file contains patches for Nixos 25.05 to be compatible with new stalwart mail.
-# Also some minor patches to avoid having warnings on startup
+# This file contains patches for Nixos 25.05 to be compatible with new stalwart mail
 {
  lib,
  config,
@ -11,17 +10,6 @@ let
  configFile = configFormat.generate "stalwart-mail.toml" config.services.stalwart-mail.settings;
 in
 {
-  services.stalwart-mail.settings = {
-    config.local-keys = [
-      "spam-filter.resource"
-    ]
-    ++ [
-      # I think these maybe should be added to nixpkgs?
-      "resolver.*"
-      "webadmin.*"
-    ];
-    spam-filter.resource = "file://${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml";
-  };
  systemd.services.stalwart-mail = lib.mkIf config.services.stalwart-mail.enable {
    serviceConfig = {
      User = "stalwart-mail";
@ -30,7 +18,6 @@ in
        ""
        "${lib.getExe config.services.stalwart-mail.package} --config=${configFile}"
      ];
-      ReadOnlyPaths = [ "${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml" ];
    };
  };
 }
--- a/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
@ -5,12 +5,9 @@ let
 in
 {
  config = lib.mkIf cfg.enable {
-    services.stalwart-mail.settings = {
-      config.local-keys = [ "metrics.prometheus.*" ];
-      metrics.prometheus = {
+    services.stalwart-mail.settings.metrics.prometheus = {
      enable = true;
    };
-    };
    # Don't expose the endpoint
    khscodes.services.nginx.virtualHosts."${fqdn}".locations."=/metrics/prometheus" = {
      return = 404;
--- a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
+++ b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
@ -74,8 +74,6 @@
      $config['oauth_identity_uri'] = 'https://login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo';
      $config['oauth_identity_fields'] = ['preferred_username'];
      $config['oauth_scope'] = 'email openid profile';
-      # Don't show login dialog, just redirect to oauth login page
-      # $config['oauth_login_redirect'] = true;
    '';
  };
  khscodes.services.nginx = {