author | Vincent Ambo <mail@tazj.in> | 2022-12-25T12·28+0300 |
---|---|---|
committer | tazjin <tazjin@tvl.su> | 2022-12-28T08·17+0000 |
commit | e665f5362156d4546184d79ef755a05ccd999824 (patch) | |
tree | e0e28ea9fe3def2ea7154820adfaabc3a8c4e2d1 | |
parent | 35b18b2fdb986aabc1ca22a48c203e2358b1b23e (diff) |
feat(ops/modules): enable IMAP access for public-inbox r/5511
This sets up IMAP on inbox.tvl.su:993. I added a hack to work around problems with the NixOS ACME module. Spent way too much time of my life on problems with that module, so I only use it with blunt force these days. Others are welcome to make a cleaner solution. Change-Id: Ice828766020856cf17d2f0a5b4491f4cec8ad9b4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7633 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
-rw-r--r-- | ops/modules/depot-inbox.nix | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/ops/modules/depot-inbox.nix b/ops/modules/depot-inbox.nix
index 1f9acc3aaba1..3193f8d0cab5 100644
--- a/ops/modules/depot-inbox.nix
+++ b/ops/modules/depot-inbox.nix
@@ -41,14 +41,38 @@ in
 };
 config = lib.mkIf cfg.enable {
+ # Having nginx *and* other services use ACME certificates for the
+ # same hostname is unsupported in NixOS without resorting to doing
+ # all ACME configuration manually.
+ #
+ # To work around this, we duplicate the TLS certificate used by
+ # nginx to a location that is readable by public-inbox daemons.
+ systemd.services.inbox-cert-sync = {
+ startAt = "daily";
+
+ script = ''
+ ${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \
+ /var/lib/acme/inbox.tvl.su/fullchain.pem /var/lib/public-inbox/tls/fullchain.pem
+
+ ${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \
+ /var/lib/acme/inbox.tvl.su/key.pem /var/lib/public-inbox/tls/key.pem
+ '';
+ };
+
 services.public-inbox = {
 enable = true;
 http.enable = true;
 http.port = 8053;
- # imap.enable = true;
 # nntp.enable = true;
+ imap = {
+ enable = true;
+ port = 993;
+ cert = "/var/lib/public-inbox/tls/fullchain.pem";
+ key = "/var/lib/public-inbox/tls/key.pem";
+ };
+
 inboxes.depot = rec {
 address = [
 "depot@tvl.su" # primary address
@@ -72,6 +96,8 @@ in
 settings.publicinbox.wwwlisting = "all";
 };
+ networking.firewall.allowedTCPPorts = [ /* imap = */ 993 ];
+
 age.secrets.depot-inbox-imap = {
 file = depot.ops.secrets."depot-inbox-imap.age";
 mode = "0440"; |
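Review bot: The `inbox-cert-sync` unit only runs from its daily timer, so nothing orders the key copy before the IMAP daemon on first deploy, and after an ACME renewal the IMAP listener keeps serving the stale certificate (and eventually the old key) for up to a day with no reload of the daemon. Hooking the copy into the renewal instead of a timer, `security.acme.certs."inbox.tvl.su".postRun = "systemctl start inbox-cert-sync.service";`, together with `wantedBy = [ "multi-user.target" ]; before = [ "public-inbox-imapd.service" ];` on the unit (the imapd unit name is the one the NixOS public-inbox module defines, as far as I recall — confirm) would close both gaps; the daily timer can stay as a safety net. The script should also document its ownership assumptions, e.g. `# install runs as root, so the copies are root:public-inbox 0440; the private key now lives in two places and /var/lib/public-inbox/tls must be treated as secret material`. The `config = lib.mkIf cfg.enable {` attrset opened in this hunk closes outside it.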