From 56869ba276dd3d007ccf57a65a29f0e3457b7297 Mon Sep 17 00:00:00 2001
From: Julien Malka <julien@malka.sh>
Date: Sun, 25 Aug 2024 19:28:56 +0200
Subject: [PATCH] chore: redeploy stalwart with hidden creds

---
 machines/akhaten/stalwart.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/machines/akhaten/stalwart.nix b/machines/akhaten/stalwart.nix
index e5c749d..8058368 100644
--- a/machines/akhaten/stalwart.nix
+++ b/machines/akhaten/stalwart.nix
@@ -3,10 +3,9 @@
   services.stalwart-mail = {
     enable = true;
     settings = {
-      global.tracing.level = "trace";
       authentication.fallback-admin = {
         user = "admin";
-        secret = "$6$R469iElYzZ7v7TlV$PtJpqLO0Szw.B/r8V.puCC26i5.nfQLJQotTWrNoBsTrFo6/J1pC43OIMKc.2Oli/Of0pjPcgbBNmhfFImuuu0";
+        secret = "%{file:/var/lib/stalwart-mail/admin-hash}%";
       };
       lookup.default.hostname = "mail.luj.fr";
       server = {
@@ -57,6 +56,13 @@
     };
   };
 
+  age.secrets.stalwart-admin-hash = {
+    file = ../../secrets/stalwart-admin.age;
+    path = "/var/lib/stalwart-mail/admin-hash";
+    owner = "stalwart-mail";
+    group = "stalwart-mail";
+  };
+
   machine.meta.zones."luj.fr".subdomains."mail" = {
     A = [ config.machine.meta.ips.public.ipv4 ];
     AAAA = [ config.machine.meta.ips.public.ipv6 ];