Disable TLS behind proxies and relays

This commit is contained in:
Gonne 2024-10-12 13:56:34 +02:00 committed by Gonne
parent ace96d5f7c
commit e7154785dd

View file

@ -29,8 +29,6 @@ in {
postfix = {
enable = true;
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
config = {
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
@ -48,25 +46,17 @@ in {
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
settings.mta.verp_confirmations = "no";
};
nginx.virtualHosts.${cfg.hostName} = {
enableACME = true; # Get certificates (primarily for postfix)
forceSSL = false; # Don't use HTTPS behind the proxy
};
};
environment.persistence.${config.impermanence.name} = {
directories = [
"/var/lib/acme" # Persist TLS keys and account
"/var/lib/mailman"
"/var/lib/mailman-web"
];
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
};
security.acme.defaults.email = cfg.siteOwner;
security.acme.acceptTerms = true;
networking.firewall.allowedTCPPorts = [25 80 443];
networking.firewall.allowedTCPPorts = [25 80];
# Update HRZ allowlist
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/