lobon (Mailman-VM) #30
1 changed file with 1 addition and 11 deletions
@ -29,8 +29,6 @@ in {
postfix = {
enable = true;
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
config = {
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
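Review bot: dropping `sslCert` and `sslKey` leaves the postfix block with no TLS material, so this smtpd will only accept mail from the relay in cleartext; the discussion on this PR only says eihort "probably" delivers in plaintext "possibly with STARTTLS", so verify that eihort is not configured to require TLS toward this host before merging, and record the decision as a comment next to `enable = true;`, e.g. `# No TLS here: only eihort delivers to this VM, over the internal network`, so the removal is not read as an oversight later.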
@ -48,25 +46,17 @@ in {
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
settings.mta.verp_confirmations = "no";
};
nginx.virtualHosts.${cfg.hostName} = {
enableACME = true; # Get certificates (primarily for postfix)
forceSSL = false; # Don't use HTTPS behind the proxy
};
};
environment.persistence.${config.impermanence.name} = {
directories = [
"/var/lib/acme" # Persist TLS keys and account
"/var/lib/mailman"
"/var/lib/mailman-web"
];
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
Gonne commented:
TODO: Backups?

Gonne commented:
Done for mailman data. The certificates can be regenerated on hardware failure.
};
security.acme.defaults.email = cfg.siteOwner;
security.acme.acceptTerms = true;
networking.firewall.allowedTCPPorts = [25 80 443];
networking.firewall.allowedTCPPorts = [25 80];
# Update HRZ allowlist
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
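Review bot: `networking.firewall.allowedTCPPorts = [25 80];` still opens SMTP and HTTP to every source, while the discussion on this PR states the VM should only talk to cthulhu and eihort; with TLS now removed from both services, consider scoping those ports to the proxy hosts or the internal interface (NixOS offers `networking.firewall.interfaces.<name>.allowedTCPPorts` for the latter) so cleartext mail and web traffic cannot be reached from anywhere else. Since the removed `forceSSL = false; # Don't use HTTPS behind the proxy` was the only place recording that the proxy terminates TLS, keep a one-line comment to that effect near the mailman settings so nobody re-enables forceSSL on the vhost that `services.mailman.serve.enable` still creates.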
I'm not sure where I stand on this, and it is a purely idiomatic question (not a technical one).
If we want the certs mainly for non-nginx use, should we configure them separately and not in the nginx block?
Also, how does the web interface work? Are we proxied by cthulhu? If yes, who handles the TLS certs?
“Automatic cert validation and configuration for Apache and Nginx virtual hosts is included in NixOS, however if you would like to generate a wildcard cert or you are not using a web server you will have to configure DNS based validation.” – https://nixos.org/manual/nixos/stable/index.html#module-security-acme
I don't want to do DNS validation, so this is the way. The
services.mailman.serve.enable = true
enables nginx anyway. Web requests get proxied through cthulhu and reach this VM via HTTP. Mail gets proxied via eihort and also probably reaches this VM in plaintext (possibly with STARTTLS).
On the other hand, this VM is not supposed to be communicating with anything besides cthulhu and eihort, so we might as well try to disable all TLS stuff.