Diffstat (limited to 'hosts/experimental-nixos/services/stalwart.nix')
| -rw-r--r-- | hosts/experimental-nixos/services/stalwart.nix | 150 |
1 files changed, 150 insertions, 0 deletions
diff --git a/hosts/experimental-nixos/services/stalwart.nix b/hosts/experimental-nixos/services/stalwart.nix
new file mode 100644
index 0000000..665fb6e
--- /dev/null
+++ b/hosts/experimental-nixos/services/stalwart.nix
@@ -0,0 +1,150 @@
+{
+ pkgs,
+ nixpkgs-unstable,
+ unstable,
+ config,
+ ...
+}: {
+ disabledModules = ["services/mail/stalwart-mail.nix"];
+ imports = [
+ "${nixpkgs-unstable}/nixos/modules/services/mail/stalwart-mail.nix"
+ ];
+
+ environment.etc."stalwart-mail/search-pw".source = config.secrets.ldap-search.path;
+
+ systemd.services.stalwart-mail.serviceConfig = {
+ EnvironmentFile = config.age.secrets.ldap-search.path;
+ };
+
+ users.users.stalwart-mail.extraGroups = ["acme"];
+
+ services.stalwart-mail = {
+ enable = true;
+ package = unstable.stalwart-mail;
+ openFirewall = true;
+ credentials = {
+ user_admin_password = config.secrets.ldap-root.path;
+ user_search_password = config.secrets.ldap-search.path;
+ };
+
+ settings = {
+ certificate.default = {
+ cert = "%{file:/var/lib/acme/mail.m4siri.com/fullchain.pem}%";
+ private-key = "%{file:/var/lib/acme/mail.m4siri.com/key.pem}%";
+ default = true;
+ };
+ http.url = "protocol + '://' + config_get('server.hostname')";
+ tracer.stdout = {
+ level = "trace";
+ };
+ auth.search = "%{file:/etc/stalwart-mail/search-pw}%";
+ server = {
+ hostname = "mail.m4siri.com";
+ tls = {
+ implicit = false;
+ };
+ auto-ban = {
+ auth.rate = "10/1d";
+ };
+ listener = {
+ smtp = {
+ protocol = "smtp";
+ bind = "[::]:25";
+ };
+ submissions = {
+ bind = "[::]:465";
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ submission = {
+ bind = "[::]:587";
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ pop3 = {
+ bind = "[::]:110";
+ protocol = "pop3";
+ };
+ pop3s = {
+ bind = "[::]:995";
+ protocol = "pop3";
+ tls.implicit = true;
+ };
+ imap = {
+ bind = "[::]:143";
+ protocol = "imap";
+ };
+ imaps = {
+ bind = "[::]:993";
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ http = {
+ bind = ["127.0.0.1:8080"];
+ protocol = "http";
+ };
+ https = {
+ bind = ["127.0.0.1:1443"];
+ protocol = "http";
+ tls.implicit = true;
+ };
+ jmap = {
+ bind = ["127.0.0.1:1443"];
+ protocol = "http";
+ tls.implicit = true;
+ };
+ sieve = {
+ bind = "[::]:4190";
+ protocol = "managesieve";
+ };
+ };
+ };
+
+ storage.blob = "rocksdb";
+ storage.data = "rocksdb";
+ storage.directory = "ldap";
+ storage.fts = "rocksdb";
+ store = {
+ "rocksdb" = {
+ compression = "lz4";
+ path = "/var/lib/stalwart-mail/data";
+ type = "rocksdb";
+ };
+ };
+
+ authentication.fallback-admin = {
+ user = "fallback-admin";
+ secret = "%{file:/run/credentials/stalwart-mail.service/user_admin_password}%";
+ };
+
+ directory.ldap = {
+ type = "ldap";
+ url = "ldap://localhost:389";
+ timeout = "30s";
+ base-dn = "dc=m4siri,dc=com";
+ tls.enable = false;
+
+ bind = {
+ dn = "cn=searchuser,ou=users,dc=m4siri,dc=com";
+ secret = "%{env:STALWART_SEARCH_PW}%";
+ auth = {
+ method = "template";
+ template = "uid={local},ou=users,dc=m4siri,dc=com";
+ search = true;
+ };
+ };
+ filter = {
+ name = "(&(objectClass=inetOrgPerson)(|(mail=?)(uid=?)))";
+ email = "(&(objectClass=inetLocalMailRecipient)(|(mail=?)(mailLocalAddress=?)))";
+ };
+
+ attributes = {
+ name = "uid";
+ secret = "userPassword";
+ email = "mail";
+ email-alias = "mailLocalAddress";
+ };
+ };
+ };
+ };
+}
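Review bot: In the `listener` block the `https` and `jmap` entries both bind `["127.0.0.1:1443"]`, so the second one to start will contend for the same socket; since `https` already carries `protocol = "http"` with implicit TLS, drop the `jmap` block or give it a port of its own. The LDAP search password is also delivered three ways — symlinked into `/etc/stalwart-mail/search-pw` via `environment.etc`, loaded through `EnvironmentFile`, and passed as the `user_search_password` systemd credential — while `directory.ldap.bind.secret` only consumes the `%{env:STALWART_SEARCH_PW}%` form and the `auth.search` key is not referenced anywhere else in the file; the `/etc` symlink inherits whatever permissions the secret file has and presumably must be readable by the `stalwart-mail` user, so I would keep the credential path only and read it the same way `fallback-admin` does, `secret = "%{file:/run/credentials/stalwart-mail.service/user_search_password}%";`, with a comment `# LDAP bind password comes from the systemd credential; do not also expose it under /etc`. `tracer.stdout.level = "trace"` will write protocol-level detail, likely including authentication exchanges, to the journal and should be lowered to `"info"` before this serves real mailboxes. With `openFirewall = true` the plaintext `smtp`, `pop3` and `imap` listeners are reachable from outside and `server.tls.implicit = false` only sets the default; nothing here states whether AUTH is refused until STARTTLS completes on those listeners, so confirm the package default or set it explicitly.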
