From 10d4078fd2089729ba4bfebd9a0919e1ab6b6958 Mon Sep 17 00:00:00 2001
From: GaspardCulis
Date: Tue, 5 Nov 2024 14:39:49 +0100
Subject: [PATCH] feat(services): Created new `stalwart-mail` service
---
 secrets/OVHCloud.yaml | 6 +-
 services/default.nix | 1 +
 services/stalwart-mail/default.nix | 117 +++++++++++++++++++++++++++++
 3 files changed, 122 insertions(+), 2 deletions(-)
 create mode 100644 services/stalwart-mail/default.nix
diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml
index 2694e1d..0cb7209 100644
--- a/secrets/OVHCloud.yaml
+++ b/secrets/OVHCloud.yaml
@@ -45,6 +45,8 @@ penpot:
 STORAGE_ASSETS_S3_REGION: ENC[AES256_GCM,data:oV4ucbPe,iv:zNsUsftybGcQdryAB+mN9Xb/rVWOLFlVixqRLLz8WIY=,tag:FiiSjLyuK89HK1GEE3BSUA==,type:str]
 STORAGE_ASSETS_S3_ENDPOINT: ENC[AES256_GCM,data:mZjvBvNZC28jUYrK8e6HHixC4GU=,iv:mppmZn7nV/gckB3+GonwQQT5U14qg1FyEnQ92pGDSZI=,tag:rAePtPdd6o+EDC0MrAToKw==,type:str]
 STORAGE_ASSETS_S3_BUCKET: ENC[AES256_GCM,data:nfcjtCQVWhdT1UUYPw==,iv:mF2Esw1GvWAjkabvDde63bAq4V5pXNhbhqsK1dkg5sg=,tag:uE6qKxKSJzYtHWxPMiK3Lw==,type:str]
+stalwart-mail:
+ ADMIN_SECRET: ENC[AES256_GCM,data:4ytiKxJ55Wm9p6M=,iv:dl1BCtxOu4o+2qC6ZlUw8cluoqDjp16/SN9bhGneRHs=,tag:qEgWrYHQJHDjR2PwK9y8UA==,type:str]
 shadowsocks:
 password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str]
 webdav:
@@ -76,8 +78,8 @@ sops:
 MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
 y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-04T20:13:03Z"
- mac: ENC[AES256_GCM,data:5vNhuKUNMXjBPdGU/ptNE68JqNpFdPxTMbAFZ7OW/tr4WPxSBNnOTuo5qXm36h0sMDbXOJCKe7ofdvbjECtTtcPbP4zRE7Sw+B0vwQ75ruLTD3fG01ONZ08GclomfSe5i2Uv1QEhrKfs3IWf657yRRE3mvIw+rhcpFEwFC+qOyE=,iv:SkwLNKK6K0F55eahv5U4IRjl1zCNRgMvbQWd1EIyeeI=,tag:6aU2GRc0T1YarztNQPoLtQ==,type:str]
+ lastmodified: "2024-11-04T21:15:49Z"
+ mac: ENC[AES256_GCM,data:/0c7+XlYMN+CYvhLhpo6ivwI33uLVUGpm8ypN4dJzxFWFCMlVRm4lDxb0u0/6Qudri7RQRqo1AtuK5jP0jBnZQBaKdvHWqV+uTBQNjtdh5PUNT+34eBBh1eT22OzED6CeXWRTlDiFZ6z3rQYpi6j3D7h13VMokvWGRNdpGgcKWw=,iv:LPrWXUgvxKum8hvp4hC01hOinyctafODE1/VJaPLRBc=,tag:rFjJkRIDipCUUhDV8C+dSA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1
diff --git a/services/default.nix b/services/default.nix
index a30d68d..b65b842 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -5,6 +5,7 @@
 ./outline
 ./penpot
 ./shadowsocks
+ ./stalwart-mail
 ./uptime-kuma
 ./webdav
 ./wireguard
diff --git a/services/stalwart-mail/default.nix b/services/stalwart-mail/default.nix
new file mode 100644
index 0000000..0dcca5c
--- /dev/null
+++ b/services/stalwart-mail/default.nix
@@ -0,0 +1,117 @@
+{config, ...}: let
+ domain = "mail.gasdev.fr";
+in {
+ sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail";
+
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:8080
+ '';
+
+ services.stalwart-mail = {
+ enable = true;
+ settings = {
+ lookup.default.hostname = "${domain}";
+ server = {
+ tls.certificate = "default";
+ http = {
+ url = "protocol + '://' + key_get('default', 'hostname') + ':' + local_port";
+ use-x-forwarded = true;
+ };
+ listener = {
+ smtp = {
+ bind = ["[::]:25"];
+ protocol = "smtp";
+ };
+ submissions = {
+ bind = ["[::]:465"];
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ imaptls = {
+ bind = ["[::]:993"];
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ management = {
+ bind = "[::]:8080";
+ protocol = "http";
+ };
+ };
+ };
+ certificate.default = {
+ default = true;
+ cert = "%{file:/var/lib/stalwart-mail/cert/${domain}.pem}%";
+ private-key = "%{file:/var/lib/stalwart-mail/cert/${domain}.priv.pem}%";
+ };
+ storage = {
+ data = "rocksdb";
+ fts = "rocksdb";
+ blob = "rocksdb";
+ lookup = "rocksdb";
+ directory = "internal";
+ };
+ store."rocksdb" = {
+ type = "rocksdb";
+ path = "%{env:STALWART_PATH}%/data";
+ compression = "lz4";
+ };
+ directory."internal" = {
+ type = "internal";
+ store = "rocksdb";
+ };
+ tracer."stdout" = {
+ type = "stdout";
+ level = "info";
+ ansi = false;
+ enable = true;
+ };
+ authentication."fallback-admin" = {
+ user = "admin";
+ secret = "%{file:${config.sops.secrets."stalwart-mail/ADMIN_SECRET".path}}%";
+ };
+ };
+ };
+
+ systemd.services.stalwart-mail = {
+ environment = {
+ STALWART_PATH = "/var/lib/stalwart-mail";
+ };
+ serviceConfig = {
+ StateDirectory = "stalwart-mail";
+ StateDirectoryMode = "0740";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [22 465 993];
+
+ systemd.timers."stalwart-mail-update-certs" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ Unit = "stalwart-mail-update-certs.service";
+ };
+ };
+
+ systemd.services."stalwart-mail-update-certs" = {
+ script = ''
+ set -eu
+
+ CADDY_CERT_DIR="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}"
+ STALWART_CERT_DIR="/var/lib/stalwart-mail/cert"
+
+ mkdir -p "''\${CADDY_CERT_DIR}"
+ mkdir -p "''\${STALWART_CERT_DIR}"
+
+ cat "''\${CADDY_CERT_DIR}/${domain}.crt" > "''\${STALWART_CERT_DIR}/${domain}.pem"
+ cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem"
+
+ chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}"
+ chmod -R 0600 "''\${STALWART_CERT_DIR}"
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ };
+}