diff options
-rw-r--r-- | ops/modules/depot-inbox.nix | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/ops/modules/depot-inbox.nix b/ops/modules/depot-inbox.nix index 1f9acc3aaba1..3193f8d0cab5 100644 --- a/ops/modules/depot-inbox.nix +++ b/ops/modules/depot-inbox.nix @@ -41,14 +41,38 @@ in }; config = lib.mkIf cfg.enable { + # Having nginx *and* other services use ACME certificates for the + # same hostname is unsupported in NixOS without resorting to doing + # all ACME configuration manually. + # + # To work around this, we duplicate the TLS certificate used by + # nginx to a location that is readable by public-inbox daemons. + systemd.services.inbox-cert-sync = { + startAt = "daily"; + + script = '' + ${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \ + /var/lib/acme/inbox.tvl.su/fullchain.pem /var/lib/public-inbox/tls/fullchain.pem + + ${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \ + /var/lib/acme/inbox.tvl.su/key.pem /var/lib/public-inbox/tls/key.pem + ''; + }; + services.public-inbox = { enable = true; http.enable = true; http.port = 8053; - # imap.enable = true; # nntp.enable = true; + imap = { + enable = true; + port = 993; + cert = "/var/lib/public-inbox/tls/fullchain.pem"; + key = "/var/lib/public-inbox/tls/key.pem"; + }; + inboxes.depot = rec { address = [ "depot@tvl.su" # primary address @@ -72,6 +96,8 @@ in settings.publicinbox.wwwlisting = "all"; }; + networking.firewall.allowedTCPPorts = [ /* imap = */ 993 ]; + age.secrets.depot-inbox-imap = { file = depot.ops.secrets."depot-inbox-imap.age"; mode = "0440"; |