authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-04-23 20:58:41 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-04-23 21:14:09 +0200
commit4dae327cc211e18efa71442599d99c67d03e1f14 (patch)
tree778ac2536939611c46d72ad0f78fa9979d3467f9
parentmodules/taskchampion: Make its data directory owned by taskchampion user (diff)
modules/stalwart-mail: Add admin account passwordstalwart
This is required to start creating accounts via the web interface.
-rw-r--r--hosts/by-name/server3/configuration.nix1
-rw-r--r--modules/by-name/st/stalwart-mail/module.nix66
-rw-r--r--modules/by-name/st/stalwart-mail/settings.nix9
3 files changed, 45 insertions, 31 deletions
diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix
index 6966e58..17085e8 100644
--- a/hosts/by-name/server3/configuration.nix
+++ b/hosts/by-name/server3/configuration.nix
@@ -71,6 +71,7 @@
enable = true;
fqdn = "mail.vhack.eu";
admin = "admin@vhack.eu";
+ initialAdminPassword = "$6$k/JGlODSgRyb6dG2$KV78QYipkS423WQQoQIcEWNFZdq4uuS5uIpJUNL1WLmXsD3b6KuLtt18TNU24Hnpup5TbMM5vtui/I.vGAybS/";
security = {
dkimKeys = let
loadKey = name: {
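Review bot: The added `initialAdminPassword` line commits the administrator's sha512crypt hash to a tracked file in a repository that is published through this web view, so anyone who fetches it can run offline guessing against the mail server's admin credential, and the value stays in history even if the line is later removed. Prefer keeping it out of the tree: let the module take a path to a runtime secret and emit the `%{file:…}%` form that settings.nix already uses for the certificate, assuming Stalwart expands that macro for this key as well. If a hash must stay in the tree, pick a memory-hard scheme the type already admits (`$argon2`) rather than `$6$`. Treat the value committed here as exposed and rotate it.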
diff --git a/modules/by-name/st/stalwart-mail/module.nix b/modules/by-name/st/stalwart-mail/module.nix
index 7bd985f..396116d 100644
--- a/modules/by-name/st/stalwart-mail/module.nix
+++ b/modules/by-name/st/stalwart-mail/module.nix
@@ -10,6 +10,33 @@
configFormat = pkgs.formats.toml {};
configFile = configFormat.generate "stalwart-mail.toml" topCfg.settings;
+
+ hashedPassword = let
+ prefix = pre: lib.types.strMatching "^${lib.strings.escapeRegex pre}.*";
+ in
+ lib.types.oneOf [
+ (prefix "$argon2")
+ (prefix "$pbkdf2")
+ (prefix "$scrypt")
+ (prefix "$2") # bcrypt
+ (prefix "$6$") # sha-512
+ (prefix "$5$") # sha-256
+ (prefix "$sha1")
+ (prefix "$1") # md5
+ (prefix "_") # BSDi crypt
+ (prefix "{SHA}") # base64 sha
+ (prefix "{SSHA}") # base64 salted sha
+
+ # unix crypt
+ (prefix "{CRYPT}")
+ (prefix "{crypt}")
+
+ # Plain text
+ (prefix "{PLAIN}")
+ (prefix "{plain}")
+ (prefix "{CLEAR}")
+ (prefix "{clear}")
+ ];
in {
imports = [
./settings.nix
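Review bot: The hoisted `hashedPassword` type is misnamed for what it accepts: it also admits cleartext (`{PLAIN}`, `{CLEAR}`) and fast or unsalted digests (`$1`, `$sha1`, `{SHA}`), and this commit starts using it for the admin account. Consider a stricter type for `initialAdminPassword` that keeps only the KDF prefixes, e.g. `lib.types.oneOf [ (prefix "$argon2") (prefix "$scrypt") (prefix "$pbkdf2") (prefix "$2") ]`, and a more honest name for the permissive one. Note also that `prefix "$2"` and `prefix "$1"` match any string beginning with those two characters, so the check validates the scheme tag only, not the shape of the hash. The `let` block this binding belongs to opens above the hunk.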
@@ -24,14 +51,20 @@ in {
description = ''
Email address to advertise as administrator. This is the address, where dkim, spv
etc. refusal reports are sent to.
-
- The format should be: `mailto:<name>@<domain>`
'';
type = lib.types.str;
- example = "mailto:dmarc+rua@example.com";
+ example = "dmarc+rua@example.com";
default = "";
};
+ initialAdminPassword = lib.mkOption {
+ type = hashedPassword;
+ description = ''
+ The hash of the password for the admin account, used to bootstrap account
+ creation.
+ '';
+ };
+
fqdn = lib.mkOption {
type = lib.types.str;
example = "mail.foss-syndicate.org";
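Review bot: The description of `initialAdminPassword` does not say which hash formats are accepted or how to produce one, and the option has no `example`, so a reader has to find the `hashedPassword` list to learn that a prefixed crypt-style string is expected. I would add a sentence such as `Must be a prefixed hash such as "$argon2id$…"; the login name is the value of the admin option.` plus a placeholder `example`. The `admin` description above still covers only the report address, although this commit also uses the value as the fallback admin user name in settings.nix, so it needs the same mention. The option set continues outside the hunk.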
@@ -61,32 +94,7 @@ in {
};
secret = lib.mkOption {
- type = let
- prefix = pre: lib.types.strMatching "^${lib.strings.escapeRegex pre}.*";
- in
- lib.types.oneOf [
- (prefix "$argon2")
- (prefix "$pbkdf2")
- (prefix "$scrypt")
- (prefix "$2") # bcrypt
- (prefix "$6$") # sha-512
- (prefix "$5$") # sha-256
- (prefix "$sha1")
- (prefix "$1") # md5
- (prefix "_") # BSDi crypt
- (prefix "{SHA}") # base64 sha
- (prefix "{SSHA}") # base64 salted sha
-
- # unix crypt
- (prefix "{CRYPT}")
- (prefix "{crypt}")
-
- # Plain text
- (prefix "{PLAIN}")
- (prefix "{plain}")
- (prefix "{CLEAR}")
- (prefix "{clear}")
- ];
+ type = hashedPassword;
description = ''
Sets the password for the user account.
Passwords can be stored hashed or in plain text (not recommended).
diff --git a/modules/by-name/st/stalwart-mail/settings.nix b/modules/by-name/st/stalwart-mail/settings.nix
index 907cea9..765d8db 100644
--- a/modules/by-name/st/stalwart-mail/settings.nix
+++ b/modules/by-name/st/stalwart-mail/settings.nix
@@ -100,7 +100,7 @@ in {
from-name = "'TLS Report'";
from-address = "'noreply-tls@${cfg.fqdn}'";
org-name = "'Foss Syndicate Mail Handling'";
- contact-info = "'${cfg.admin}'";
+ contact-info = "'mailto:${cfg.admin}'";
send = "daily";
max-size = 26214400; # 25 MiB
sign = lib.mkIf (cfg.security != null) "'${cfg.fqdn}'";
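Review bot: `admin` still defaults to `""`, so with the default both `contact-info` values become the bare string `'mailto:'` (here and in the DMARC report hunk that follows), and the new `authentication.fallback-admin.user` in the last hunk becomes empty. Dropping the default and tightening the type, e.g. `type = lib.types.strMatching ".+@.+";`, would make an unset or malformed address fail at evaluation time. Configurations that followed the old documentation and set `admin = "mailto:…"` will now render `mailto:mailto:…`; an assertion that rejects a `mailto:` prefix would catch that during the migration.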
@@ -110,7 +110,7 @@ in {
from-name = "'DMARC Report'";
from-address = "'noreply-dmarc@${cfg.fqdn}'";
org-name = "'Foss Syndicate Mail Handling'";
- contact-info = "'${cfg.admin}'";
+ contact-info = "'mailto:${cfg.admin}'";
send = "weekly";
max-size = 26214400; # 25MiB
sign = lib.mkIf (cfg.security != null) "'${cfg.fqdn}'";
@@ -541,6 +541,11 @@ in {
};
};
+ authentication.fallback-admin = {
+ user = cfg.admin;
+ secret = cfg.initialAdminPassword;
+ };
+
certificate = {
"default" = {
cert = "%{file:${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem}%";
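Review bot: `authentication.fallback-admin` is set unconditionally, so the account described as bootstrap-only stays usable for as long as the module is enabled. Its `secret` is also interpolated as a literal into the settings that module.nix renders with `configFormat.generate`, which presumably places the hash in the world-readable Nix store. If the account is only needed until the first real administrator exists, make the option `lib.types.nullOr hashedPassword` with `default = null` and wrap this attribute set in `lib.mkIf (cfg.initialAdminPassword != null)`, so it can be switched off afterwards. If it is meant to remain as a recovery login, say so in the option description and keep its password out of the store. The enclosing attribute set starts above the hunk.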