First try to install Stalwart as a mail software

flake-module.nix

@@ -15,7 +15,6 @@
   perSystem = {
     config,
     pkgs,
-    system,
     ...
   }: {
     devShells.default = config.pre-commit.devShell;
@@ -50,10 +49,6 @@
     # Per-system attributes can be defined here. The self' and inputs'
     # module parameters provide easy access to attributes of the same
     # system.
-    _module.args.pkgs = import inputs.nixpkgs {
-      inherit system;
-      config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];
-    };
   };
 
   # Equivalent to  inputs'.nixpkgs.legacyPackages.hello;

nixos/modules/borgbackup.nix

@@ -48,6 +48,13 @@ in {
           path = "/var/lib/backups/cthulhu";
           allowSubRepos = true;
         };
+        dagon = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaTBennwqT9eB43gVD1nM1os3dMPZ8RWwIKPEjqMK5V Dagon Backup"
+          ];
+          path = "/var/lib/backups/dagon";
+          allowSubRepos = true;
+        };
         eihort = {
           authorizedKeysAppendOnly = [
             "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLoDxtY4Tp6NKxLt9oHmWT6w4UpU6eA1TnPU2Ut83BN Eihort Backup"

nixos/modules/mailman.nix

@@ -29,6 +29,8 @@ in {
       postfix = {
         enable = true;
         relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
+        sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
+        sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
         config = {
           transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
           local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
@@ -46,17 +48,25 @@ in {
         # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
         settings.mta.verp_confirmations = "no";
       };
+      nginx.virtualHosts.${cfg.hostName} = {
+        enableACME = true; # Get certificates (primarily for postfix)
+        forceSSL = false; # Don't use HTTPS behind the proxy
+      };
     };
 
     environment.persistence.${config.impermanence.name} = {
       directories = [
+        "/var/lib/acme" # Persist TLS keys and account
         "/var/lib/mailman"
         "/var/lib/mailman-web"
       ];
       files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
     };
 
-    networking.firewall.allowedTCPPorts = [25 80];
+    security.acme.defaults.email = cfg.siteOwner;
+    security.acme.acceptTerms = true;
+
+    networking.firewall.allowedTCPPorts = [25 80 443];
 
     # Update HRZ allowlist
     # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/

nixos/roles/admins.nix

@@ -3,28 +3,21 @@ with lib; let
   admins = {
     nerf = {
       hashedPassword = "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7";
-      sshKeys = [
+      keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
       ];
-      nixKeys = [
-        "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
-      ];
     };
     gonne = {
       hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/";
-      sshKeys = [
+      keys = [
         "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAhwkSDISCWLN2GhHfxdZsVkK4J7JoEcPwtNbAesb+BZAAAABHNzaDo= Gonne"
       ];
-      nixKeys = [
-        "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
-      ];
     };
   };
 
   mkAdmin = name: {
     hashedPassword,
-    sshKeys,
-    ...
+    keys,
   }: {
     "${name}" = {
       isNormalUser = true;
@@ -32,12 +25,10 @@ with lib; let
       extraGroups = ["wheel"];
       group = "users";
       home = "/home/${name}";
-      openssh.authorizedKeys = {keys = sshKeys;};
+      openssh.authorizedKeys = {inherit keys;};
       inherit hashedPassword;
     };
   };
-  mkNixKeys = _: {nixKeys, ...}: nixKeys;
 in {
   users.users = mkMerge (mapAttrsToList mkAdmin admins);
-  nix.settings.trusted-public-keys = lists.concatLists (mapAttrsToList mkNixKeys admins);
 }

nixos/roles/default.nix

@@ -5,11 +5,18 @@
 }: {
   imports = [
     ./admins.nix
-    ./nix.nix
+    ./nix_keys.nix
     ./prometheusNodeExporter.nix
     ../modules/impermanence.nix
   ];
 
+  nix = {
+    extraOptions = ''
+      experimental-features = nix-command flakes
+      builders-use-substitutes = true
+    '';
+  };
+
   networking = {
     firewall = {
       # these shoud be default, but better make sure!

nixos/roles/nix.nix

@@ -1,22 +0,0 @@
-{
-  nix = {
-    settings = {
-      # trusted-public-keys belonging to specific persons are set in rolse/admins.nix
-      trusted-public-keys = [];
-      experimental-features = [
-        "flakes"
-        "nix-command"
-      ];
-      auto-optimise-store = true;
-      fallback = true;
-      builders-use-substitutes = true;
-    };
-    gc = {
-      automatic = true;
-      persistent = false;
-      dates = "weekly";
-      options = "-d";
-      randomizedDelaySec = "5h";
-    };
-  };
-}

nixos/roles/nix_keys.nix

@@ -0,0 +1,7 @@
+{
+  imports = [];
+  nix.settings.trusted-public-keys = [
+    "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
+    "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
+  ];
+}