forked from Fachschaft/nixConfig
Disable TLS behind proxies and relays
This commit is contained in:
parent
ace96d5f7c
commit
e7154785dd
1 changed files with 1 additions and 11 deletions
|
@ -29,8 +29,6 @@ in {
|
||||||
postfix = {
|
postfix = {
|
||||||
enable = true;
|
enable = true;
|
||||||
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
|
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
|
||||||
sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
|
|
||||||
sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
|
|
||||||
config = {
|
config = {
|
||||||
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
||||||
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
||||||
|
@ -48,25 +46,17 @@ in {
|
||||||
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
|
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
|
||||||
settings.mta.verp_confirmations = "no";
|
settings.mta.verp_confirmations = "no";
|
||||||
};
|
};
|
||||||
nginx.virtualHosts.${cfg.hostName} = {
|
|
||||||
enableACME = true; # Get certificates (primarily for postfix)
|
|
||||||
forceSSL = false; # Don't use HTTPS behind the proxy
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.persistence.${config.impermanence.name} = {
|
environment.persistence.${config.impermanence.name} = {
|
||||||
directories = [
|
directories = [
|
||||||
"/var/lib/acme" # Persist TLS keys and account
|
|
||||||
"/var/lib/mailman"
|
"/var/lib/mailman"
|
||||||
"/var/lib/mailman-web"
|
"/var/lib/mailman-web"
|
||||||
];
|
];
|
||||||
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
|
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
|
||||||
};
|
};
|
||||||
|
|
||||||
security.acme.defaults.email = cfg.siteOwner;
|
networking.firewall.allowedTCPPorts = [25 80];
|
||||||
security.acme.acceptTerms = true;
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [25 80 443];
|
|
||||||
|
|
||||||
# Update HRZ allowlist
|
# Update HRZ allowlist
|
||||||
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
|
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
|
||||||
|
|
Loading…
Reference in a new issue