path: root/hosts/experimental-nixos/services/stalwart.nix
authorm4siri <git@m4siri.com>2025-11-23 10:36:43 +0545
committerm4siri <git@m4siri.com>2025-11-23 10:36:56 +0545
commit3424cfd40c046c038df0335212e8000ebd473602 (patch)
treefc800399450284e77be346311952968591a5534e /hosts/experimental-nixos/services/stalwart.nix
repo init
Diffstat (limited to 'hosts/experimental-nixos/services/stalwart.nix')
-rw-r--r--hosts/experimental-nixos/services/stalwart.nix150
1 files changed, 150 insertions, 0 deletions
diff --git a/hosts/experimental-nixos/services/stalwart.nix b/hosts/experimental-nixos/services/stalwart.nix
new file mode 100644
index 0000000..665fb6e
--- /dev/null
+++ b/hosts/experimental-nixos/services/stalwart.nix
@@ -0,0 +1,150 @@
+{
+ pkgs,
+ nixpkgs-unstable,
+ unstable,
+ config,
+ ...
+}: {
+ disabledModules = ["services/mail/stalwart-mail.nix"];
+ imports = [
+ "${nixpkgs-unstable}/nixos/modules/services/mail/stalwart-mail.nix"
+ ];
+
+ environment.etc."stalwart-mail/search-pw".source = config.secrets.ldap-search.path;
+
+ systemd.services.stalwart-mail.serviceConfig = {
+ EnvironmentFile = config.age.secrets.ldap-search.path;
+ };
+
+ users.users.stalwart-mail.extraGroups = ["acme"];
+
+ services.stalwart-mail = {
+ enable = true;
+ package = unstable.stalwart-mail;
+ openFirewall = true;
+ credentials = {
+ user_admin_password = config.secrets.ldap-root.path;
+ user_search_password = config.secrets.ldap-search.path;
+ };
+
+ settings = {
+ certificate.default = {
+ cert = "%{file:/var/lib/acme/mail.m4siri.com/fullchain.pem}%";
+ private-key = "%{file:/var/lib/acme/mail.m4siri.com/key.pem}%";
+ default = true;
+ };
+ http.url = "protocol + '://' + config_get('server.hostname')";
+ tracer.stdout = {
+ level = "trace";
+ };
+ auth.search = "%{file:/etc/stalwart-mail/search-pw}%";
+ server = {
+ hostname = "mail.m4siri.com";
+ tls = {
+ implicit = false;
+ };
+ auto-ban = {
+ auth.rate = "10/1d";
+ };
+ listener = {
+ smtp = {
+ protocol = "smtp";
+ bind = "[::]:25";
+ };
+ submissions = {
+ bind = "[::]:465";
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ submission = {
+ bind = "[::]:587";
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ pop3 = {
+ bind = "[::]:110";
+ protocol = "pop3";
+ };
+ pop3s = {
+ bind = "[::]:995";
+ protocol = "pop3";
+ tls.implicit = true;
+ };
+ imap = {
+ bind = "[::]:143";
+ protocol = "imap";
+ };
+ imaps = {
+ bind = "[::]:993";
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ http = {
+ bind = ["127.0.0.1:8080"];
+ protocol = "http";
+ };
+ https = {
+ bind = ["127.0.0.1:1443"];
+ protocol = "http";
+ tls.implicit = true;
+ };
+ jmap = {
+ bind = ["127.0.0.1:1443"];
+ protocol = "http";
+ tls.implicit = true;
+ };
+ sieve = {
+ bind = "[::]:4190";
+ protocol = "managesieve";
+ };
+ };
+ };
+
+ storage.blob = "rocksdb";
+ storage.data = "rocksdb";
+ storage.directory = "ldap";
+ storage.fts = "rocksdb";
+ store = {
+ "rocksdb" = {
+ compression = "lz4";
+ path = "/var/lib/stalwart-mail/data";
+ type = "rocksdb";
+ };
+ };
+
+ authentication.fallback-admin = {
+ user = "fallback-admin";
+ secret = "%{file:/run/credentials/stalwart-mail.service/user_admin_password}%";
+ };
+
+ directory.ldap = {
+ type = "ldap";
+ url = "ldap://localhost:389";
+ timeout = "30s";
+ base-dn = "dc=m4siri,dc=com";
+ tls.enable = false;
+
+ bind = {
+ dn = "cn=searchuser,ou=users,dc=m4siri,dc=com";
+ secret = "%{env:STALWART_SEARCH_PW}%";
+ auth = {
+ method = "template";
+ template = "uid={local},ou=users,dc=m4siri,dc=com";
+ search = true;
+ };
+ };
+ filter = {
+ name = "(&(objectClass=inetOrgPerson)(|(mail=?)(uid=?)))";
+ email = "(&(objectClass=inetLocalMailRecipient)(|(mail=?)(mailLocalAddress=?)))";
+ };
+
+ attributes = {
+ name = "uid";
+ secret = "userPassword";
+ email = "mail";
+ email-alias = "mailLocalAddress";
+ };
+ };
+ };
+ };
+}
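Review bot: The LDAP search-bind password is delivered three separate ways in this file — as the `user_search_password` systemd credential, via `EnvironmentFile` consumed through `%{env:STALWART_SEARCH_PW}%`, and as an `environment.etc."stalwart-mail/search-pw"` entry read by `auth.search` — yet only the environment-variable path is actually used by `directory.ldap.bind.secret`, and the `environment.etc` entry has no explicit `mode`, so who can read that path depends on the agenix file's owner/mode rather than on anything declared here. Consolidate on the credential the module already loads, mirroring what `authentication.fallback-admin` does: `secret = "%{file:/run/credentials/stalwart-mail.service/user_search_password}%";`, then drop the `environment.etc` entry, the `auth.search` key and the `EnvironmentFile` line (which also reads `config.age.secrets.…` where every other reference uses `config.secrets.…`, so it may not even point at the same file). `tracer.stdout.level = "trace"` is likely to write authentication exchanges and per-message detail into the journal and should be `info` or `warn` once this host is not being debugged. Two listener details also look wrong: `submission` on 587 sets `tls.implicit = true` although 587 is conventionally the STARTTLS port, so clients configured that way will fail to negotiate, and `https` and `jmap` both bind `127.0.0.1:1443`, which is a bind conflict unless Stalwart merges listeners on the same address (nothing in this file shows that it does).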