From 1199820574ac1735a2939875e8ee001bcf57fa2c Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 8 Feb 2023 20:29:53 +0100
Subject: [PATCH] postfix: use caddy's certs for STARTTLS on port 25

---
 hosts/flora-6/mailman.nix | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/hosts/flora-6/mailman.nix b/hosts/flora-6/mailman.nix
index a007c971..2ac2dbc7 100644
--- a/hosts/flora-6/mailman.nix
+++ b/hosts/flora-6/mailman.nix
@@ -14,9 +14,12 @@ in {
   services.postfix = {
     enable = true;
     relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
-    # FIXME: get TLS certs for list.pub.solar from caddy
-    #sslCert = config.security.acme.certs."lists.example.org".directory + "/full.pem";
-    #sslKey = config.security.acme.certs."lists.example.org".directory + "/key.pem";
+    # get TLS certs for list.pub.solar from caddy
+    # TODO: when caddy renews certs, postfix doesn't know about it
+    # implement custom built caddy with events exec handler or systemd-reload
+    # hook so postfix reloads, too
+    sslCert = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.crt";
+    sslKey = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.key";
     config = {
       transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
       local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
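Review bot: The new `sslCert`/`sslKey` values hard-code Caddy's internal storage layout, including the issuer directory `acme-v02.api.letsencrypt.org-directory`, so if Caddy ever obtains this certificate from another issuer (its fallback issuer, or a staging endpoint while debugging) the paths silently stop pointing at the live key and cert, and Postfix will fail to start its TLS context rather than fall back to the old files. Nothing in this configuration ties Postfix to Caddy's service either, so the key file being absent on first boot (before Caddy has completed issuance) is not ordered or guarded against. The renewal TODO is probably overstated: as far as I recall smtpd children are respawned by master(8) regularly, so renewed files are picked up without a custom Caddy build, but the path-coupling problem remains. Since the removed lines already referenced `config.security.acme.certs`, the cleaner route is to let NixOS's ACME module own this certificate and have both Caddy and Postfix consume it, which gives a reload hook for free: `sslCert = config.security.acme.certs."list.pub.solar".directory + "/fullchain.pem";` and `security.acme.certs."list.pub.solar".reloadServices = [ "postfix.service" ];`. Whichever route is kept, the comment should also note that the key is owned by the Caddy user with restrictive permissions and that Postfix reads it as root before dropping privileges — worth confirming on this host rather than assuming.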