setup stalwart
xanderio committed Jun 4, 2024
1 parent c49ae8f commit 7f97add
Showing 4 changed files with 141 additions and 0 deletions.
6 changes: 6 additions & 0 deletions .sops.yaml
Expand Up @@ -84,3 +84,9 @@ creation_rules:
- age:
- *xanderio
- *carrot

- path_regex: secrets/services/stalwart.yaml
key_groups:
- age:
- *xanderio
- *carrot
1 change: 1 addition & 0 deletions hosts/carrot/default.nix
Expand Up @@ -10,6 +10,7 @@
./postgresql.nix
./matrix.nix
./outline.nix
./mail.nix

./disko-config.nix
];
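--- a/hosts/carrot/mail.nix
+++ b/hosts/carrot/mail.nix
@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+let
+domain = "mail.xanderio.de";
+credPath = "/run/credentials/stalwart-mail.service";
+configFormat = pkgs.formats.toml { };
+configFile = configFormat.generate "stalwart-mail.toml" config.services.stalwart-mail.settings;
+in
+{
+config = {
+x.sops.secrets."services/stalwart/adminPwd" = { };
+
+security.acme.certs."${domain}" = { };
+
+systemd.services.stalwart-mail = {
+wants = [ "acme-${domain}.service" ];
+after = [ "acme-${domain}.service" ];
+preStart = lib.mkForce ''
+'';
+serviceConfig = {
+LoadCredential = [
+"cert.pem:${config.security.acme.certs.${domain}.directory}/cert.pem"
+"key.pem:${config.security.acme.certs.${domain}.directory}/key.pem"
+"adminPwd:${config.sops.secrets."services/stalwart/adminPwd".path}"
+];
+};
+};
+
+networking.firewall.allowedTCPPorts = [
+25 # smtp
+465 # smtp tls
+993 # imap tls
+4190 # manage sieve
+];
+
+services.nginx.virtualHosts."${domain}" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:8119";
+proxyWebsockets = true;
+};
+};
+
+
+services.stalwart-mail = {
+enable = true;
+package = pkgs.stalwart-mail;
+settings = {
+certificate.default = {
+cert = "%{file:${credPath}/cert.pem}%";
+private-key = "%{file:${credPath}/key.pem}%";
+default = true;
+};
+
+lookup.default.hostname = config.networking.fqdn;
+server = {
+listener = {
+smtp = {
+bind = [ "[::]:25" ];
+protocol = "smtp";
+};
+submissions = {
+bind = [ "[::]:465" ];
+protocol = "smtp";
+tls.implicit = true;
+};
+imaptls = {
+bind = [ "[::]:993" ];
+protocol = "imap";
+tls.implicit = true;
+};
+management = {
+bind = [ "127.0.0.1:8119" ];
+protocol = "http";
+};
+};
+};
+
+store = {
+db = {
+type = "rocksdb";
+path = "%{env:STATE_DIRECTORY}%/db";
+compression = "lz4";
+};
+};
+
+storage = {
+directory = "internal";
+data = "db";
+blob = "db";
+fts = "db";
+lookup = "db";
+};
+
+authentication.fallback-admin = {
+user = "admin";
+secret = "%{file:${credPath}/adminPwd}%";
+};
+};
+};
+};
+}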
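Review bot: The firewall opens TCP 4190 (`4190 # manage sieve`) but `server.listener` defines no ManageSieve listener, so this is either an exposed port with nothing behind it or a forgotten listener; either drop that line or add a `sieve` listener on `[::]:4190` with `protocol = "managesieve"` and `tls.implicit = true` so the intent is explicit. `preStart = lib.mkForce ''''` discards whatever the NixOS module's preStart does (presumably state-directory setup), and the `configFile` binding from the `let` block is never used, so it is not obvious from this file which config the service actually starts with; a comment such as `# module preStart forced empty because ...` stating the reason would help the next maintainer. LoadCredential copies cert.pem/key.pem into /run/credentials once at service start, so renewed ACME certificates are not picked up until stalwart-mail is restarted, even though `wants`/`after` only order the first start; consider `security.acme.certs."${domain}".reloadServices = [ "stalwart-mail.service" ];` and verify that this results in a restart rather than a reload, since a reload does not refresh loaded credentials.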
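--- a/secrets/services/stalwart.yaml
+++ b/secrets/services/stalwart.yaml
@@ -0,0 +1,32 @@
+services:
+stalwart:
+adminPwd: ENC[AES256_GCM,data:daOXUrUtD3m6bDEMJxneSXXWOw==,iv:32fu4YDXIrL9WTpeiH3/slWruABX+BoEDkBNFyzjLD4=,tag:bAn3cMCG558xa/bIJwrIsg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1ftsxs8qj86g6v28f69qalwg2a85rd0vxh8zm304k3p4uv63x5yesd44w56
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNk1UeUZPeVNaeVNWYTE0
+UEJqaDV4bGZIcWR6REhlMU1NUjE1Wm9LcWtzClBkWkNRcXcwa0lENFNEN0x6ZDRF
+U2tFYjhzcUNQUmp4TkJIcjlKZHpoNjgKLS0tIDV6TzQ5ZW4wbUZPSDJjdHA5VTg2
+cE51RzlNTk9Wc3V2WGt1MFJxYU9POTQKOclzfjOZVE343nxRWKYVSqabWcBHBh4M
+RGJfzIyChiAb9nRPvNxinlV1PPMcvpDHBbfRYHvbD/dSQnV5tXGlaA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1vnu25nrzx8535t2x9exp8uger5x25tj4ak309rdjfw6mhetqeekqu6c0cc
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZU9kK1pzTmIraXB0UDRp
+aGtaTyswRmR3Sko3emtxTHc5UTBSaVVCWFNjCnZIcGxVS1pMTXZnUHBWQlZnS0NX
+Q0hWeUlzSEFNU2ZaTGYyQUxvNFRIWWMKLS0tIHdpa2t4bmhHVG1iWEdFd0tqU0tB
+VStvNVljWGI4ejV2ZlBSWHllZXF5Q2MKomjqialmLcKDf9yoJzGaP1LKA6wt43uZ
+NiES7Q5P0hYa+jdtnHPC+F3PwnLSQbv8udGCMf1oCSopntROukFDhA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-06-02T17:19:39Z"
+mac: ENC[AES256_GCM,data:ZjdbjqOuXDp7Tr2+CV8zlRmog1R1HmG11YyfynjTQRx3n2Dz5IoHUwTBwkKEMcrF1pk6OXMsrzfKsU0nzW8tWiFK9xAIQArbmf775qBBXS84CbpgHBdeoD8Yi9x2nXXFtmEqYjNwNPklAq/RvoV6cv/7ETygWJXCvqVPt4gNsH8=,iv:x10ABuFwp8Qxy6sjEzSKzag7kegoJF0VxYUMcP786h8=,tag:JNSKCMw821dn38W/PLKscg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1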
