refactor(mail): Rewrite config
Following this guide: https://wiki.nixos.org/wiki/Stalwart
This commit is contained in:
parent
ed4e4b1f2c
commit
cc13ba61f4
2 changed files with 48 additions and 58 deletions
|
@ -55,6 +55,7 @@ penpot:
|
|||
STORAGE_ASSETS_S3_ENDPOINT: ENC[AES256_GCM,data:mZjvBvNZC28jUYrK8e6HHixC4GU=,iv:mppmZn7nV/gckB3+GonwQQT5U14qg1FyEnQ92pGDSZI=,tag:rAePtPdd6o+EDC0MrAToKw==,type:str]
|
||||
STORAGE_ASSETS_S3_BUCKET: ENC[AES256_GCM,data:nfcjtCQVWhdT1UUYPw==,iv:mF2Esw1GvWAjkabvDde63bAq4V5pXNhbhqsK1dkg5sg=,tag:uE6qKxKSJzYtHWxPMiK3Lw==,type:str]
|
||||
stalwart-mail:
|
||||
ACME_SECRET: ENC[AES256_GCM,data:maC7iAMiwFCYXD15IEqaCVi9TqPAIJ15T/yJWSwo4dW3mdqXmItS4hoS2cI=,iv:fWDase9PM2riakQDUiuCTa+W9W4bf7I39k/WSbX4RjI=,tag:+OixerP8JWAjGeh8U+g32g==,type:str]
|
||||
ADMIN_SECRET: ENC[AES256_GCM,data:4ytiKxJ55Wm9p6M=,iv:dl1BCtxOu4o+2qC6ZlUw8cluoqDjp16/SN9bhGneRHs=,tag:qEgWrYHQJHDjR2PwK9y8UA==,type:str]
|
||||
shadowsocks:
|
||||
password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str]
|
||||
|
@ -91,8 +92,8 @@ sops:
|
|||
MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
|
||||
y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-07T22:25:47Z"
|
||||
mac: ENC[AES256_GCM,data:6LynPNzengBoVm5fPtxHuUxbvMy7Vaf6Qd/ikUcu8/Af3oPhxeBTwN0aOje+oqAVuYFsNLCsf1GGCkZ+U1mK+Fr777vSsl/+T5iG7hcjTht+Gtq2sK93qiGB6rdYrHzuJ6G3hHR1Xl/OGW7TsYj9+2PJvV/Hr18qElr3VDBDJD0=,iv:EQe5Q4FDn9Di4L76eIw/wU+44iCeTS7lrJlPfZvLOdM=,tag:sEYyV4+jN8yEKPfYgrSemg==,type:str]
|
||||
lastmodified: "2024-11-10T17:52:12Z"
|
||||
mac: ENC[AES256_GCM,data:uMHh5OQcsNiOsItwqhb5tovS2ZpCQLjlBmbH83Iu7oWOSaUwqmwWoO1u7LPVmmWbN0JhZldIT84ym9Wg9Tn70Nnd+/B2h+54C86/LLnNlGCUamckMvUSDGwiz2lBLlM9a6C0iprgbBNcYd+5I9Iw62FOs+lB9fmsLg9fqn8W4aU=,iv:7fSoWal+A/EFVKzVJZoKromcTd6McVPHQMmNbDid2m4=,tag:saljEoUMhNHpdGf1bUo3Eg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.1
|
||||
|
|
|
@ -2,51 +2,73 @@
|
|||
domain = "gasdev.fr";
|
||||
in {
|
||||
sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail";
|
||||
sops.secrets."stalwart-mail/ACME_SECRET".owner = "stalwart-mail";
|
||||
|
||||
services.caddy.virtualHosts."${domain}".extraConfig = ''
|
||||
redir https://www.gasdev.fr
|
||||
'';
|
||||
|
||||
services.caddy.virtualHosts."mail.${domain}".extraConfig = ''
|
||||
reverse_proxy 127.0.0.1:8080
|
||||
'';
|
||||
services.caddy.virtualHosts."mailadmin.${domain}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy http://127.0.01:8080
|
||||
'';
|
||||
serverAliases = [
|
||||
"mta-sts.${domain}"
|
||||
"autoconfig.${domain}"
|
||||
"autodiscover.${domain}"
|
||||
"mail.${domain}"
|
||||
];
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [25 465 587 993];
|
||||
|
||||
services.stalwart-mail = {
|
||||
enable = true;
|
||||
settings = {
|
||||
lookup.default.hostname = "mail.${domain}";
|
||||
server = {
|
||||
tls.certificate = "default";
|
||||
http = {
|
||||
url = "protocol + '://' + key_get('default', 'hostname') + ':' + local_port";
|
||||
use-x-forwarded = true;
|
||||
hostname = "mx1.${domain}";
|
||||
tls = {
|
||||
enable = true;
|
||||
implicit = true;
|
||||
};
|
||||
listener = {
|
||||
smtp = {
|
||||
bind = ["[::]:25"];
|
||||
protocol = "smtp";
|
||||
bind = "[::]:25";
|
||||
};
|
||||
submissions = {
|
||||
bind = ["[::]:465"];
|
||||
bind = "[::]:465";
|
||||
protocol = "smtp";
|
||||
tls.implicit = true;
|
||||
};
|
||||
imaptls = {
|
||||
bind = ["[::]:993"];
|
||||
imaps = {
|
||||
bind = "[::]:993";
|
||||
protocol = "imap";
|
||||
tls.implicit = true;
|
||||
};
|
||||
jmap = {
|
||||
bind = "[::]:8080";
|
||||
url = "https://mail.${domain}";
|
||||
protocol = "jmap";
|
||||
};
|
||||
management = {
|
||||
bind = "[::]:8080";
|
||||
bind = ["127.0.0.1:8080"];
|
||||
protocol = "http";
|
||||
};
|
||||
};
|
||||
};
|
||||
certificate.default = {
|
||||
default = true;
|
||||
cert = "%{file:/var/lib/stalwart-mail/cert/${domain}.pem}%";
|
||||
private-key = "%{file:/var/lib/stalwart-mail/cert/${domain}.priv.pem}%";
|
||||
lookup.default = {
|
||||
hostname = "mx1.${domain}";
|
||||
domain = "${domain}";
|
||||
};
|
||||
acme."letsencrypt" = {
|
||||
directory = "https://acme-v02.api.letsencrypt.org/directory";
|
||||
challenge = "dns-01";
|
||||
contact = "postmaster@${domain}";
|
||||
domains = ["${domain}" "mx1.${domain}"];
|
||||
provider = "cloudflare";
|
||||
secret = "%{file:${config.sops.secrets."stalwart-mail/ACME_SECRET".path}}%";
|
||||
};
|
||||
session.auth = {
|
||||
mechanisms = "[plain]";
|
||||
directory = "'in-memory'";
|
||||
};
|
||||
session.rcpt.directory = "'in-memory'";
|
||||
queue.outbound.next-hop = "'local'";
|
||||
directory."imap".lookup.domains = ["${domain}"];
|
||||
storage = {
|
||||
data = "rocksdb";
|
||||
fts = "rocksdb";
|
||||
|
@ -85,37 +107,4 @@ in {
|
|||
StateDirectoryMode = "0740";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [25 465 993];
|
||||
|
||||
systemd.timers."stalwart-mail-update-certs" = {
|
||||
wantedBy = ["timers.target"];
|
||||
timerConfig = {
|
||||
OnCalendar = "daily";
|
||||
Persistent = true;
|
||||
Unit = "stalwart-mail-update-certs.service";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."stalwart-mail-update-certs" = {
|
||||
script = ''
|
||||
set -eu
|
||||
|
||||
CADDY_CERT_DIR="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}"
|
||||
STALWART_CERT_DIR="/var/lib/stalwart-mail/cert"
|
||||
|
||||
mkdir -p "''\${CADDY_CERT_DIR}"
|
||||
mkdir -p "''\${STALWART_CERT_DIR}"
|
||||
|
||||
cat "''\${CADDY_CERT_DIR}/${domain}.crt" > "''\${STALWART_CERT_DIR}/${domain}.pem"
|
||||
cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem"
|
||||
|
||||
chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}"
|
||||
chmod -R 0700 "''\${STALWART_CERT_DIR}"
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue