diff --git a/nix/modules/nixos/infrastructure/mailserver/acme.nix b/nix/modules/nixos/infrastructure/mailserver/acme.nix
index c13d0ca..ba54139 100644
--- a/nix/modules/nixos/infrastructure/mailserver/acme.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/acme.nix
@@ -19,6 +19,7 @@ in
 services.stalwart-mail.settings = {
 certificate.default = {
 cert = "%{file:${acmeDir}/fullchain.pem}%";
+ default = true;
 private-key = "%{file:${config.security.acme.certs.${fqdn}.directory}/key.pem}%";
 };
 };
diff --git a/nix/modules/nixos/infrastructure/mailserver/default.nix b/nix/modules/nixos/infrastructure/mailserver/default.nix
index a4b7289..9e5bc73 100644
--- a/nix/modules/nixos/infrastructure/mailserver/default.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/default.nix
@@ -36,8 +36,34 @@ in
 enable = true;
 package = pkgs.callPackage ./package/package.nix { };
 settings = {
+ config = {
+ local-keys =
+ # defaults
+ [
+ "store.*"
+ "directory.*"
+ "tracer.*"
+ "!server.blocked-ip.*"
+ "!server.allowed-ip.*"
+ "server.*"
+ "authentication.fallback-admin.*"
+ "cluster.*"
+ "config.local-keys.*"
+ "storage.data"
+ "storage.blob"
+ "storage.lookup"
+ "storage.fts"
+ "storage.directory"
+ "certificate.*"
+ ]
+ # KHS addded
+ ++ [
+ "http.*"
+ "lookup.default.*"
+ ];
+ };
 http = {
- url = "https://${fqdn}";
+ url = "'https://${fqdn}'";
 use-x-forwarded = true;
 };
 server = {
@@ -63,13 +89,9 @@ in
 protocol = "imap";
 tls.implicit = true;
 };
- jmap = {
- bind = "[::]:8080";
- url = "https://${fqdn}";
- protocol = "jmap";
- };
 management = {
 bind = "[::]:8080";
+ url = "https://${fqdn}";
 protocol = "http";
 };
 };
@@ -78,7 +100,6 @@ in
 hostname = fqdn;
 domain = "kaareskovgaard.net";
 };
- spam-filter.resource = "${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml";
 };
 };
 # TODO: Include a similiar rule for openstack
diff --git a/nix/modules/nixos/infrastructure/mailserver/dkim.nix b/nix/modules/nixos/infrastructure/mailserver/dkim.nix
index 894c6e5..68ddd50 100644
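Review bot: The certificate and key of `certificate.default` are resolved from two different sources in this hunk — `cert` from `${acmeDir}/fullchain.pem`, `private-key` from `config.security.acme.certs.${fqdn}.directory` — so if `acmeDir` ever differs from the ACME directory for `fqdn`, a chain is paired with the wrong key and that only surfaces at handshake time. Unless `acmeDir` is defined as exactly that directory in the `let` block (outside this hunk), derive both from one binding, e.g. `private-key = "%{file:${acmeDir}/key.pem}%";`. A one-line comment on the new `default = true;` saying which listeners fall back to this certificate would also help the next reader.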
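Review bot: `http.url` is changed to `"'https://${fqdn}'"` (single quotes inside the Nix string) with no comment, while `management.url` in the next hunk of this file keeps the bare `"https://${fqdn}"` form, so a reader cannot tell whether the inner quotes are required because `http.url` is evaluated as an expression or whether one of the two is a mistake. Add a comment on that line, e.g. `# http.url is an expression; the inner quotes make it a string literal` if that is the reason. The `# defaults` list deserves a provenance comment such as `# copied from <stalwart version>'s built-in local-keys; re-check on upgrade`, because `config.local-keys` appears to decide which settings are read from this file instead of the database, and a stale list silently moves keys out of declarative control; `# KHS addded` also has a typo.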
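Review bot: The `management` listener keeps `bind = "[::]:8080"` (all interfaces) and now also carries the public `url`, while `http.use-x-forwarded = true` is set earlier in this file; any client that can reach port 8080 directly instead of through the reverse proxy can then supply its own `X-Forwarded-For` and sidestep IP-based blocking and rate limiting. If the proxy is local, bind to loopback (`bind = "[::1]:8080";`) or make sure a firewall rule limits 8080 to the proxy, and record which of the two applies in a comment on the listener. Removing the `jmap` listener suggests JMAP is now served through this listener as well; nothing in the hunk says so, so a comment would help.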
--- a/nix/modules/nixos/infrastructure/mailserver/dkim.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/dkim.nix
@@ -213,6 +213,10 @@ in
 ]) cfg.domains
 );
 services.stalwart-mail.settings = {
+ config.local-keys = [
+ "auth.*"
+ "signature.*"
+ ];
 auth.dkim = {
 sign = authDkim ++ [
 (otherwise false)
diff --git a/nix/modules/nixos/infrastructure/mailserver/ldap.nix b/nix/modules/nixos/infrastructure/mailserver/ldap.nix
index c009b5a..ed1c0ed 100644
--- a/nix/modules/nixos/infrastructure/mailserver/ldap.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/ldap.nix
@@ -17,6 +17,9 @@ in
 config = lib.mkIf cfg.enable {
 services.stalwart-mail.settings = {
+ config.local-keys = [
+ "storage.ldap.*"
+ ];
 storage = {
 directory = "ldap";
 };
diff --git a/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix b/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix
index 43c383f..2fe2075 100644
--- a/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix
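Review bot: `config.local-keys` here adds `signature.*`, and the `ldap.nix` hunk adds `storage.ldap.*` the same way; those namespaces are where DKIM signing keys and the LDAP bind credentials are normally configured, so whatever they contain ends up in the generated `stalwart-mail.toml`, which lives in the world-readable Nix store. The values themselves are outside these hunks, so this is a check rather than a finding: confirm they use the `%{file:...}%` indirection already used in `acme.nix` rather than inline secrets. A comment on each list, e.g. `# read from this file rather than the database; secrets must go through %{file:...}%`, would make the constraint explicit for the next module that extends it.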
@@ -5,41 +5,43 @@ let
 in
 {
 config = lib.mkIf cfg.enable {
- # khscodes.services.vault-agent.templates = [
- # {
- # contents = ''
- # {{- with secret "kanidm/data/apps/dovecot" -}}
- # scope = email openid profile
- # username_attribute = username
- # debug = yes
- # introspection_url = https://dovecot:{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect
- # introspection_mode = post
- # {{- end -}}
- # '';
- # destination = oauthConfigFile;
- # perms = "0600";
- # owner = "root";
- # group = "root";
- # restartUnits = [ "dovecot2.service" ];
- # }
- # ];
- # services.dovecot2.extraConfig = ''
- # auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
-
- # passdb {
- # driver = oauth2
- # mechanisms = xoauth2 oauthbearer
- # args = ${oauthConfigFile}
- # }
- # '';
- # systemd.services.dovecot2 = {
- # serviceConfig.ReadOnlyPaths = [
- # oauthConfigFile
- # ];
- # unitConfig.ConditionPathExists = [
- # oauthConfigFile
- # ];
- # };
-
+ services.stalwart-mail.settings = {
+ tracer.stdout.level = "trace";
+ directory.oidc = {
+ type = "oidc";
+ url = "ldaps://login.kaareskovgaard.net";
+ timeout = "1s";
+ endpoint.url = "https://login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo";
+ endpoint.method = "userinfo";
+ auth.method = "user-token";
+ auth.username = "dovecot";
+ auth.secret = "%{file:${oauthConfigFile}}%";
+ fields.email = "email";
+ fields.username = "preferred_username";
+ fields.full-name = "name";
+ };
+ };
+ khscodes.services.vault-agent.templates = [
+ {
+ contents = ''
+ {{- with secret "kanidm/data/apps/dovecot" -}}
+ {{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect
+ {{- end -}}
+ '';
+ destination = oauthConfigFile;
+ perms = "0600";
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ restartUnits = [ "stalwart-mail.service" ];
+ }
+ ];
+ systemd.services.stalwart-mail = {
+ serviceConfig.ReadOnlyPaths = [
+ oauthConfigFile
+ ];
+ unitConfig.ConditionPathExists = [
+ oauthConfigFile
+ ];
+ };
 };
}
diff --git a/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix b/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix
index 5d4160c..9aa349f 100644
--- a/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix
@@ -1,4 +1,5 @@
-# This file contains patches for Nixos 25.05 to be compatible with new stalwart mail
+# This file contains patches for Nixos 25.05 to be compatible with new stalwart mail.
+# Also some minor patches to avoid having warnings on startup
 {
 lib,
 config,
@@ -10,6 +11,17 @@ let
 configFile = configFormat.generate "stalwart-mail.toml" config.services.stalwart-mail.settings;
 in
 {
+ services.stalwart-mail.settings = {
+ config.local-keys = [
+ "spam-filter.resource"
+ ]
+ ++ [
+ # I think these maybe should be added to nixpkgs?
+ "resolver.*"
+ "webadmin.*"
+ ];
+ spam-filter.resource = "file://${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml";
+ };
 systemd.services.stalwart-mail = lib.mkIf config.services.stalwart-mail.enable {
 serviceConfig = {
 User = "stalwart-mail";
@@ -18,6 +30,7 @@ in
 ""
 "${lib.getExe config.services.stalwart-mail.package} --config=${configFile}"
 ];
+ ReadOnlyPaths = [ "${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml" ];
 };
 };
}
diff --git a/nix/modules/nixos/infrastructure/mailserver/prometheus.nix b/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
index 9c1e7f5..51d9dcf 100644
--- a/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
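Review bot: `tracer.stdout.level = "trace";` in the new settings block looks like a debugging leftover: trace-level output from the OIDC directory is likely to include the userinfo exchanges, so bearer tokens and account details would land in the journal on every login; drop the line or gate it behind a debug option before this ships. The secret file also does not hold what `auth.secret = "%{file:${oauthConfigFile}}%"` expects: the vault template writes `{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect`, so the whole `@login.../introspect` suffix becomes part of the credential presented to the userinfo endpoint — the template body should be just `{{ .Data.data.basic_secret }}`. `url = "ldaps://login.kaareskovgaard.net";` on a `type = "oidc"` directory also looks copied from an LDAP definition; if the provider only needs `endpoint.url`, remove it or comment why it stays. The `stalwart-mail` owner/group with `perms = "0600"` and the `ReadOnlyPaths` entry are the right shape for the secret file.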
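Review bot: `[ "spam-filter.resource" ] ++ [ "resolver.*" "webadmin.*" ]` in the new `config.local-keys` is two literals concatenated for no structural reason; a single list with the comment inside reads better, and `# I think these maybe should be added to nixpkgs?` would be more useful as a statement of what breaks without them, e.g. `# not in the nixpkgs 25.05 local-keys default; without them stalwart warns at startup that these keys are ignored` if that is the warning the file header refers to. The `file://` prefix now on `spam-filter.resource` is the substantive change here (the bare store path was removed from `default.nix` in this commit, presumably because it was rejected) and deserves its own one-line comment.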
@@ -5,8 +5,11 @@ let
 in
 {
 config = lib.mkIf cfg.enable {
- services.stalwart-mail.settings.metrics.prometheus = {
- enable = true;
+ services.stalwart-mail.settings = {
+ config.local-keys = [ "metrics.prometheus.*" ];
+ metrics.prometheus = {
+ enable = true;
+ };
 };
 # Don't expose the endpoint
 khscodes.services.nginx.virtualHosts."${fqdn}".locations."=/metrics/prometheus" = {
diff --git a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
index 737fa57..0d92018 100644
--- a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
+++ b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
@@ -74,6 +74,8 @@
 $config['oauth_identity_uri'] = 'https://login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo';
 $config['oauth_identity_fields'] = ['preferred_username'];
 $config['oauth_scope'] = 'email openid profile';
+ # Don't show login dialog, just redirect to oauth login page
+ # $config['oauth_login_redirect'] = true;
 '';
 };
 khscodes.services.nginx = {
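Review bot: The added `# $config['oauth_login_redirect'] = true;` is commented-out configuration inside the PHP config string with no note on why it is disabled, and the comment above it describes what the option would do rather than why it is off. Either enable it or replace both lines with a comment stating the reason it is kept off, e.g. `# oauth_login_redirect left off: <reason>`, so the next reader does not have to guess whether it was tried and rejected.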