feat(ops/modules): enable IMAP access for public-inbox

This sets up IMAP on inbox.tvl.su:993

I added a hack to work around problems with the NixOS ACME module.
Spent way too much of my life on problems with that module, so
I only use it with blunt force these days. Others are welcome to make
a cleaner solution.

Change-Id: Ice828766020856cf17d2f0a5b4491f4cec8ad9b4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7633
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Vincent Ambo 2022-12-25 15:28:45 +03:00 committed by tazjin
parent 35b18b2fdb
commit e665f53621


@ -41,14 +41,38 @@ in
};
config = lib.mkIf cfg.enable {
# Having nginx *and* other services use ACME certificates for the
# same hostname is unsupported in NixOS without resorting to doing
# all ACME configuration manually.
#
# To work around this, we duplicate the TLS certificate used by
# nginx to a location that is readable by public-inbox daemons.
systemd.services.inbox-cert-sync = {
startAt = "daily";
script = ''
${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \
/var/lib/acme/inbox.tvl.su/fullchain.pem /var/lib/public-inbox/tls/fullchain.pem
${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \
/var/lib/acme/inbox.tvl.su/key.pem /var/lib/public-inbox/tls/key.pem
'';
};
services.public-inbox = {
enable = true;
http.enable = true;
http.port = 8053;
# imap.enable = true;
# nntp.enable = true;
imap = {
enable = true;
port = 993;
cert = "/var/lib/public-inbox/tls/fullchain.pem";
key = "/var/lib/public-inbox/tls/key.pem";
};
inboxes.depot = rec {
address = [
"depot@tvl.su" # primary address
@ -72,6 +96,8 @@ in
settings.publicinbox.wwwlisting = "all";
};
networking.firewall.allowedTCPPorts = [ /* imap = */ 993 ];
age.secrets.depot-inbox-imap = {
file = depot.ops.secrets."depot-inbox-imap.age";
mode = "0440";