diff --git a/hosts/envoy/default.nix b/hosts/envoy/default.nix
index 0f929b2..756d34f 100644
--- a/hosts/envoy/default.nix
+++ b/hosts/envoy/default.nix
@@ -10,6 +10,7 @@
 ./fs.nix
 ./net.nix
 ./maddy.nix
+ #./stalwart-mail.nix
 ];
 boot.mode = "bios";
diff --git a/hosts/envoy/net.nix b/hosts/envoy/net.nix
index e09dd5d..37d4248 100644
--- a/hosts/envoy/net.nix
+++ b/hosts/envoy/net.nix
@@ -1,6 +1,7 @@
 {config, ...}: {
 networking.hostId = config.repo.secrets.local.networking.hostId;
- networking.domain = config.repo.secrets.global.domains.me;
+ networking.domain = config.repo.secrets.global.domains.mail.primary;
+ networking.hosts."127.0.0.1" = ["mx1.${config.repo.secrets.global.domains.mail.primary}"];
 boot.initrd.systemd.network = {
 enable = true;
diff --git a/hosts/envoy/stalwart-mail.nix b/hosts/envoy/stalwart-mail.nix
new file mode 100644
index 0000000..4df6622
--- /dev/null
+++ b/hosts/envoy/stalwart-mail.nix
@@ -0,0 +1,151 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ mailDomains = config.repo.secrets.global.domains.mail;
+ primaryDomain = mailDomains.primary;
+in {
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/stalwart-mail";
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0700";
+ }
+ ];
+
+ users.groups.acme.members = ["stalwart-mail"];
+ users.groups.stalwart-mail = {};
+ users.users.stalwart-mail = {
+ isSystemUser = true;
+ home = "/var/lib/stalwart-mail";
+ group = "stalwart-mail";
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 25 # smtp
+ 465 # submission tls
+ # 587 # submission starttls
+ 993 # imap tls
+ # 143 # imap starttls
+ 8080 # stalwart-mail http
+ 4190 # manage sieve
+ ];
+
+ systemd.services.stalwart-mail = {
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ StandardOutput = lib.mkForce "journal";
+ StandardError = lib.mkForce "journal";
+ SupplementaryGroups = ["acme"];
+ };
+ };
+
+ services.stalwart-mail = {
+ enable = true;
+
+ settings = {
+ #include.files = [secrets."stalwart.toml".path];
+ #config.local-keys = [
+ # "store.*"
+ # "directory.*"
+ # "tracer.*"
+ # "server.*"
+ # "!server.blocked-ip.*"
+ # "authentication.fallback-admin.*"
+ # "cluster.node-id"
+ # "storage.data"
+ # "storage.blob"
+ # "storage.lookup"
+ # "storage.fts"
+ # "storage.directory"
+ # "lookup.default.hostname"
+ # "certificate.*"
+ #];
+
+ global.tracing.level = "trace";
+ resolver.public-suffix = [
+ "https://publicsuffix.org/list/public_suffix_list.dat"
+ ];
+
+ server = {
+ hostname = "mx1.${primaryDomain}";
+ tls = {
+ certificate = "default";
+ ignore-client-order = true;
+ };
+ socket = {
+ nodelay = true;
+ reuse-addr = true;
+ };
+ listener = {
+ jmap = {
+ protocol = "jmap";
+ bind = " [::]:18080";
+ url = "https://mail.${primaryDomain}/jmap";
+ };
+ imaps = {
+ protocol = "imap";
+ bind = "[::]:1993";
+ tls.enable = true;
+ tls.implicit = true;
+ };
+ };
+ };
+
+ session = {
+ rcpt = {
+ directory = "default";
+ relay = [
+ {
+ "if" = "authenticated-as";
+ ne = "";
+ "then" = true;
+ }
+ {"else" = false;}
+ ];
+ };
+ };
+
+ queue = {
+ outbound = {
+ next-hop = [
+ {
+ "if" = "rcpt-domain";
+ in-list = "default/domains";
+ "then" = "local";
+ }
+ {"else" = "relay";}
+ ];
+ tls = {
+ mta-sts = "disable";
+ dane = "disable";
+ };
+ };
+ };
+
+ remote.relay = {
+ protocol = "smtp";
+ address = "127.0.0.1";
+ port = 25;
+ };
+
+ jmap = {
+ directory = "default";
+ http.headers = [
+ "Access-Control-Allow-Origin: *"
+ "Access-Control-Allow-Methods: POST, GET, HEAD, OPTIONS"
+ "Access-Control-Allow-Headers: *"
+ ];
+ };
+
+ management.directory = "default";
+
+ certificate.default = {
+ cert = "file://${cfg.certFile}";
+ private-key = "file://${cfg.keyFile}";
+ };
+ };
+ };
+}
diff --git a/modules/config/users.nix b/modules/config/users.nix
index f3a78c7..3882b0c 100644
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@@ -32,5 +32,6 @@
 podman = uidGid 977;
 maddy = uidGid 976;
 minecraft = uidGid 975;
+ stalwart-mail = uidGid 974;
 };
 }
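Review bot: `certificate.default` near the end of the new file interpolates `cfg.certFile` and `cfg.keyFile`, but `cfg` is never bound — the `let` block only defines `mailDomains` and `primaryDomain` — so evaluation fails with an undefined variable the moment the `#./stalwart-mail.nix` import in default.nix is uncommented; the intended source is presumably an ACME certificate directory (e.g. `config.security.acme.certs.<name>.directory`, which would also explain the `acme` supplementary group), and binding that in the `let` is the fix. The jmap listener's `bind = " [::]:18080";` carries a leading space inside the string and should read `bind = "[::]:18080";`; note also that the listeners bind 18080 and 1993 while the firewall opens 8080 and 993, which only works if a proxy or port redirect outside this hunk bridges them. `global.tracing.level = "trace";` together with `StandardOutput = lib.mkForce "journal"` will write protocol-level detail, which can include authentication exchanges and message content, into the persistent journal, so lower it to `"info"` (or at most `"debug"`) before the module is enabled. The `jmap.http.headers` entries grant `Access-Control-Allow-Origin: *` alongside `Access-Control-Allow-Headers: *`; if the JMAP endpoint is meant for a single web client at `mail.${primaryDomain}`, pin the allowed origin to that host rather than a wildcard.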