author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-04-12 16:08:30 +0200 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-04-23 12:10:28 +0200 |
commit | e48c609796a9f819e75eb05b7f4833f2d442cee7 (patch) | |
tree | 025f44cb5d4d073e170d62d61e86a9c33e180bb2 /modules | |
parent | modules/stalwart-mail: Explicitly list out valid password hashes (diff) | |
download | nixos-server-e48c609796a9f819e75eb05b7f4833f2d442cee7.zip |
modules/stalwart-mail: Allow both nginx and stalwart-mail access to the cert
This is needed for the http challenge (and for the potential to use nginx as a proxy in the future.)
Diffstat (limited to '')
-rw-r--r-- | modules/by-name/co/constants/module.nix | 1 | ||||
-rw-r--r-- | modules/by-name/st/stalwart-mail/module.nix | 56 |
2 files changed, 28 insertions, 29 deletions
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix
index 946776b..743ac65 100644
--- a/modules/by-name/co/constants/module.nix
+++ b/modules/by-name/co/constants/module.nix
@@ -85,6 +85,7 @@
       # Keep this sorted with `!sort --numeric-sort --key=2 --field-separator="="`
       systemd-coredump = 151; # matches systemd-coredump user
       resolvconf = 333; # This group is not matched to an user?
+      stalwart-mail-certificates = 338; # This group is used to connect nginx and stalwart-mail
       # The gid should match the uid. Thus should not be >= 400;
     };
diff --git a/modules/by-name/st/stalwart-mail/module.nix b/modules/by-name/st/stalwart-mail/module.nix
index ec10188..ed1821a 100644
--- a/modules/by-name/st/stalwart-mail/module.nix
+++ b/modules/by-name/st/stalwart-mail/module.nix
@@ -188,22 +188,9 @@ in {
       # dataDir = cfg.dataDirectory;
     };
 
-    # FIXME(@bpeetz): This is currently needed for a successful acme http-01 challenge.
-    # We could also use the DNS challenge. <2025-03-01>
     nginx.virtualHosts."${cfg.fqdn}" = {
-      enableACME = false;
-      extraConfig =
-        # This is copied directly from the nixos nginx module.
-        # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
-        # We use ^~ here, so that we don't check any regexes (which could
-        # otherwise easily override this intended match accidentally).
-        ''
-          location ^~ /.well-known/acme-challenge/ {
-            root ${config.security.acme.certs.${cfg.fqdn}.webroot};
-            auth_basic off;
-            auth_request off;
-          }
-        '';
+      useACMEHost = "${cfg.fqdn}";
+      forceSSL = true;
     };
 
     redis = {
@@ -234,7 +221,7 @@ in {
     security.acme.certs = {
       "${cfg.fqdn}" = {
         domain = cfg.fqdn;
-        group = "stalwart-mail";
+        group = "stalwart-mail-certificates";
       };
     };
 
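Review bot: Switching the vhost to `useACMEHost` drops the hand-written `/.well-known/acme-challenge/` location (old lines at -188), so answering the http-01 challenge now depends on the nginx module emitting that location with its own `acmeRoot`, while the cert entry at `security.acme.certs."${cfg.fqdn}"` (hunk at -234) sets no `webroot` that is visible in this diff; if those two paths are not the same directory, renewal fails and the "needed for the http challenge" claim in the commit message is unverified — worth checking on a staging renewal. The removed FIXME was the only text explaining why an nginx vhost exists for a mail host at all, and the new two-line body gives no hint; a comment such as `# This vhost only exists so nginx can answer the ACME http-01 challenge for the mail cert; the resulting key is shared with stalwart-mail via the stalwart-mail-certificates group.` would keep that rationale. The enclosing `services` attribute set of both hunks starts and ends outside the diff.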
@@ -274,20 +261,31 @@ in {
       # service is restarted on a potentially large number of files.
       # That would cause unnecessary and unwanted delays.
     users = {
-      groups.stalwart-mail = {
-        gid = config.vhack.constants.ids.gids.stalwart-mail;
-      };
-      users.stalwart-mail = {
-        isSystemUser = true;
-        group = "stalwart-mail";
-        uid = config.vhack.constants.ids.uids.stalwart-mail;
-      };
-      groups.redis-stalwart-mail = {
-        gid = config.vhack.constants.ids.gids.redis-stalwart-mail;
+      groups = {
+        stalwart-mail = {
+          gid = config.vhack.constants.ids.gids.stalwart-mail;
+        };
+        stalwart-mail-certificates = {
+          gid = config.vhack.constants.ids.gids.stalwart-mail-certificates;
+        };
+        redis-stalwart-mail = {
+          gid = config.vhack.constants.ids.gids.redis-stalwart-mail;
+        };
       };
-      users.redis-stalwart-mail = {
-        group = "redis-stalwart-mail";
-        uid = config.vhack.constants.ids.uids.redis-stalwart-mail;
+      users = {
+        nginx = {
+          extraGroups = ["stalwart-mail-certificates"];
+        };
+        stalwart-mail = {
+          isSystemUser = true;
+          group = "stalwart-mail";
+          uid = config.vhack.constants.ids.uids.stalwart-mail;
+          extraGroups = ["stalwart-mail-certificates"];
+        };
+        redis-stalwart-mail = {
+          group = "redis-stalwart-mail";
+          uid = config.vhack.constants.ids.uids.redis-stalwart-mail;
+        };
       };
     };
 
|
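Review bot: Putting `nginx` into `stalwart-mail-certificates` (the added `users.nginx.extraGroups` line) makes the mail host's private key readable by every nginx worker; that is the accepted cost of letting nginx terminate TLS for this name, but nothing in the new code says so, and the group name reads like a generic share that later modules might join as well. A short comment on the group definition, e.g. `# Members can read the private key of ${cfg.fqdn}; keep this to nginx and stalwart-mail only.`, records the boundary. Supplementary group membership is only picked up when a process is started fresh, so after this change both nginx and stalwart-mail need a full restart, not a reload, before the new permissions are effective — the comment above `users = {` about avoiding restarts suggests that deserves an explicit note here. The module attribute set that contains `users` begins and ends outside this hunk.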