authorVincent Ambo <mail@tazj.in>2022-12-25T12·28+0300
committertazjin <tazjin@tvl.su>2022-12-28T08·17+0000
commite665f5362156d4546184d79ef755a05ccd999824 (patch)
treee0e28ea9fe3def2ea7154820adfaabc3a8c4e2d1 /ops/modules
parent35b18b2fdb986aabc1ca22a48c203e2358b1b23e (diff)
feat(ops/modules): enable IMAP access for public-inbox r/5511
This sets up IMAP on inbox.tvl.su:993

I added a hack to work around problems with the NixOS ACME module.
Spent way too much of my life on problems with that module, so
I only use it with blunt force these days. Others are welcome to make
a cleaner solution.

Change-Id: Ice828766020856cf17d2f0a5b4491f4cec8ad9b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7633
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Diffstat (limited to 'ops/modules')
-rw-r--r--ops/modules/depot-inbox.nix28
1 files changed, 27 insertions, 1 deletions
diff --git a/ops/modules/depot-inbox.nix b/ops/modules/depot-inbox.nix
index 1f9acc3aaba1..3193f8d0cab5 100644
--- a/ops/modules/depot-inbox.nix
+++ b/ops/modules/depot-inbox.nix
@@ -41,14 +41,38 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    # Having nginx *and* other services use ACME certificates for the
+    # same hostname is unsupported in NixOS without resorting to doing
+    # all ACME configuration manually.
+    #
+    # To work around this, we duplicate the TLS certificate used by
+    # nginx to a location that is readable by public-inbox daemons.
+    systemd.services.inbox-cert-sync = {
+      startAt = "daily";
+
+      script = ''
+        ${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \
+          /var/lib/acme/inbox.tvl.su/fullchain.pem /var/lib/public-inbox/tls/fullchain.pem
+
+        ${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \
+          /var/lib/acme/inbox.tvl.su/key.pem /var/lib/public-inbox/tls/key.pem
+      '';
+    };
+
     services.public-inbox = {
       enable = true;
 
       http.enable = true;
       http.port = 8053;
-      # imap.enable = true;
       # nntp.enable = true;
 
+      imap = {
+        enable = true;
+        port = 993;
+        cert = "/var/lib/public-inbox/tls/fullchain.pem";
+        key = "/var/lib/public-inbox/tls/key.pem";
+      };
+
       inboxes.depot = rec {
         address = [
           "depot@tvl.su" # primary address
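Review bot: The inbox-cert-sync service added at the top of this hunk is only triggered by its daily timer (`startAt = "daily"`), so on first activation `/var/lib/public-inbox/tls/` stays empty until that timer first fires, and nothing restarts the IMAP daemon after a copy, so a renewed certificate would presumably keep being served stale until the next restart if public-inbox-imapd reads the files only at startup (worth confirming). Adding `wantedBy = [ "multi-user.target" ];` to the service would make the copy also run at boot/activation, and the script could finish by restarting the IMAP unit when the copied files changed. The ACME module's `security.acme.certs.<name>.postRun` hook would run the same two `install` commands right after each renewal instead of on a fixed schedule, which also closes the window where the ACME files have been rotated but the copies have not. The enclosing `config = lib.mkIf cfg.enable { … }` attribute set continues past the end of the hunk.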
@@ -72,6 +96,8 @@ in
       settings.publicinbox.wwwlisting = "all";
     };
 
+    networking.firewall.allowedTCPPorts = [ /* imap = */ 993 ];
+
     age.secrets.depot-inbox-imap = {
       file = depot.ops.secrets."depot-inbox-imap.age";
       mode = "0440";