2024-11-05 14:39:49 +01:00
|
|
|
{config, ...}: let
|
2024-11-05 18:35:52 +01:00
|
|
|
domain = "gasdev.fr";
|
2024-11-05 14:39:49 +01:00
|
|
|
in {
|
|
|
|
sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail";
|
|
|
|
|
|
|
|
services.caddy.virtualHosts."${domain}".extraConfig = ''
|
2024-11-05 18:35:52 +01:00
|
|
|
redir https://www.gasdev.fr
|
|
|
|
'';
|
|
|
|
|
|
|
|
services.caddy.virtualHosts."mail.${domain}".extraConfig = ''
|
2024-11-05 14:39:49 +01:00
|
|
|
reverse_proxy 127.0.0.1:8080
|
|
|
|
'';
|
|
|
|
|
|
|
|
services.stalwart-mail = {
|
|
|
|
enable = true;
|
|
|
|
settings = {
|
2024-11-05 18:35:52 +01:00
|
|
|
lookup.default.hostname = "mail.${domain}";
|
2024-11-05 14:39:49 +01:00
|
|
|
server = {
|
|
|
|
tls.certificate = "default";
|
|
|
|
http = {
|
|
|
|
url = "protocol + '://' + key_get('default', 'hostname') + ':' + local_port";
|
|
|
|
use-x-forwarded = true;
|
|
|
|
};
|
|
|
|
listener = {
|
|
|
|
smtp = {
|
|
|
|
bind = ["[::]:25"];
|
|
|
|
protocol = "smtp";
|
|
|
|
};
|
|
|
|
submissions = {
|
|
|
|
bind = ["[::]:465"];
|
|
|
|
protocol = "smtp";
|
|
|
|
tls.implicit = true;
|
|
|
|
};
|
|
|
|
imaptls = {
|
|
|
|
bind = ["[::]:993"];
|
|
|
|
protocol = "imap";
|
|
|
|
tls.implicit = true;
|
|
|
|
};
|
|
|
|
management = {
|
|
|
|
bind = "[::]:8080";
|
|
|
|
protocol = "http";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
certificate.default = {
|
|
|
|
default = true;
|
|
|
|
cert = "%{file:/var/lib/stalwart-mail/cert/${domain}.pem}%";
|
|
|
|
private-key = "%{file:/var/lib/stalwart-mail/cert/${domain}.priv.pem}%";
|
|
|
|
};
|
|
|
|
storage = {
|
|
|
|
data = "rocksdb";
|
|
|
|
fts = "rocksdb";
|
|
|
|
blob = "rocksdb";
|
|
|
|
lookup = "rocksdb";
|
|
|
|
directory = "internal";
|
|
|
|
};
|
|
|
|
store."rocksdb" = {
|
|
|
|
type = "rocksdb";
|
|
|
|
path = "%{env:STALWART_PATH}%/data";
|
|
|
|
compression = "lz4";
|
|
|
|
};
|
|
|
|
directory."internal" = {
|
|
|
|
type = "internal";
|
|
|
|
store = "rocksdb";
|
|
|
|
};
|
|
|
|
tracer."stdout" = {
|
|
|
|
type = "stdout";
|
|
|
|
level = "info";
|
|
|
|
ansi = false;
|
|
|
|
enable = true;
|
|
|
|
};
|
|
|
|
authentication."fallback-admin" = {
|
|
|
|
user = "admin";
|
|
|
|
secret = "%{file:${config.sops.secrets."stalwart-mail/ADMIN_SECRET".path}}%";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd.services.stalwart-mail = {
|
|
|
|
environment = {
|
|
|
|
STALWART_PATH = "/var/lib/stalwart-mail";
|
|
|
|
};
|
|
|
|
serviceConfig = {
|
|
|
|
StateDirectory = "stalwart-mail";
|
|
|
|
StateDirectoryMode = "0740";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-11-05 14:52:43 +01:00
|
|
|
networking.firewall.allowedTCPPorts = [25 465 993];
|
2024-11-05 14:39:49 +01:00
|
|
|
|
|
|
|
systemd.timers."stalwart-mail-update-certs" = {
|
|
|
|
wantedBy = ["timers.target"];
|
|
|
|
timerConfig = {
|
|
|
|
OnCalendar = "daily";
|
|
|
|
Persistent = true;
|
|
|
|
Unit = "stalwart-mail-update-certs.service";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd.services."stalwart-mail-update-certs" = {
|
|
|
|
script = ''
|
|
|
|
set -eu
|
|
|
|
|
|
|
|
CADDY_CERT_DIR="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}"
|
|
|
|
STALWART_CERT_DIR="/var/lib/stalwart-mail/cert"
|
|
|
|
|
|
|
|
mkdir -p "''\${CADDY_CERT_DIR}"
|
|
|
|
mkdir -p "''\${STALWART_CERT_DIR}"
|
|
|
|
|
|
|
|
cat "''\${CADDY_CERT_DIR}/${domain}.crt" > "''\${STALWART_CERT_DIR}/${domain}.pem"
|
|
|
|
cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem"
|
|
|
|
|
|
|
|
chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}"
|
2024-11-05 18:35:52 +01:00
|
|
|
chmod -R 0700 "''\${STALWART_CERT_DIR}"
|
2024-11-05 14:39:49 +01:00
|
|
|
'';
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
User = "root";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|