Martin Weinelt
33ba1ff52b
Drop most of the existing certificate handling, because we're effectively duplicating functionality that NixOS offers for free with better design, testing and maintainance than what we could provide downstream. The remaining two options are to reference an existing `security.acme.certs` configuration through `mailserver.x509.useACMEHost` or to provide existing key material via `mailserver.x509.certificateFile` and `mailserver.x509.privateKeyFile`. Support for automatic creation of self-signed certificates has been removed, because it is undesirable in public mail setups. The updated setup guide now displays the recommended configuration that relies on the NixOS ACME module, but requires further customization to select a suitable challenge. Co-Authored-By: Emily <git@emilylange.de>
40 lines
1.0 KiB
Nix
40 lines
1.0 KiB
Nix
{
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
{
|
|
# Testing eval failures that result from stateVersion assertion is out of scope
|
|
mailserver.stateVersion = 999;
|
|
|
|
# Keep testing submission with explicit TLS
|
|
mailserver.enableSubmission = true;
|
|
|
|
# Certificate created for testing purposes from RFC9500 private key
|
|
# https://datatracker.ietf.org/doc/rfc9500/
|
|
# openssl req -x509 -new -key key.pem \
|
|
# -subj "/CN=test.localdomain" \
|
|
# -sha256 -days 3650 \
|
|
# -out cert.pem
|
|
mailserver.x509 = {
|
|
certificateFile = "${./cert.pem}";
|
|
privateKeyFile = "${./key.pem}";
|
|
};
|
|
|
|
# Enable second CPU core
|
|
virtualisation.cores = lib.mkDefault 2;
|
|
|
|
services.rspamd = {
|
|
# Don't make tests block on DNS requests that will never succeed
|
|
locals."options.inc".text = ''
|
|
dns {
|
|
nameservers = ["127.0.0.1"];
|
|
timeout = 0.0s;
|
|
retransmits = 0;
|
|
}
|
|
'';
|
|
# Relax `local_addrs` definition to default for tests, so mail doesn't get flagged as spam
|
|
overrides."options.inc".enable = false;
|
|
};
|
|
}
|