mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00
Code Activity

feat: enable stalwart

Browse source
This commit is contained in:
oddlama 2024-07-21 01:59:07 +02:00
parent 6a50fc769c
commit 611a64fb49
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 116 additions and 98 deletions
Download patch file Download diff file Expand all files Collapse all files

2
config/nix.nix
View file

@ -48,6 +48,6 @@
extraSystemBuilderCmds = '' extraSystemBuilderCmds = ''
ln -sv ${inputs.nixpkgs} $out/nixpkgs ln -sv ${inputs.nixpkgs} $out/nixpkgs
''; '';
stateVersion = "23.11"; stateVersion = "24.11";
}; };
} }

4
hosts/envoy/default.nix
View file

@ -12,8 +12,8 @@
./acme.nix ./acme.nix
./fs.nix ./fs.nix
./net.nix ./net.nix
./maddy.nix #./maddy.nix
#./stalwart-mail.nix ./stalwart-mail.nix
]; ];
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";

206
hosts/envoy/stalwart-mail.nix
View file

@ -1,27 +1,24 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: let }: let
mailDomains = config.repo.secrets.global.domains.mail; mailDomains = config.repo.secrets.global.domains.mail;
primaryDomain = mailDomains.primary; primaryDomain = mailDomains.primary;
stalwartDomain = "mail.${primaryDomain}";
dataDir = "/var/lib/stalwart-mail";
in { in {
environment.persistence."/persist".directories = [ environment.persistence."/persist".directories = [
{ {
directory = "/var/lib/stalwart-mail"; directory = dataDir;
owner = "stalwart-mail"; user = "stalwart-mail";
group = "stalwart-mail"; group = "stalwart-mail";
mode = "0700"; mode = "0700";
} }
]; ];
users.groups.acme.members = ["stalwart-mail"]; users.groups.acme.members = ["stalwart-mail"];
users.groups.stalwart-mail = {};
users.users.stalwart-mail = {
isSystemUser = true;
home = "/var/lib/stalwart-mail";
group = "stalwart-mail";
};
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
25 # smtp 25 # smtp
@ -29,45 +26,66 @@ in {
# 587 # submission starttls # 587 # submission starttls
993 # imap tls 993 # imap tls
# 143 # imap starttls # 143 # imap starttls
8080 # stalwart-mail http
4190 # manage sieve 4190 # manage sieve
]; ];
systemd.services.stalwart-mail = { globals.services.stalwart.domain = stalwartDomain;
serviceConfig = { globals.monitoring.http.stalwart = {
DynamicUser = lib.mkForce false; url = "https://${stalwartDomain}";
StandardOutput = lib.mkForce "journal"; expectedBodyRegex = "Stalwart Management";
StandardError = lib.mkForce "journal"; network = "internet";
SupplementaryGroups = ["acme"];
};
}; };
services.stalwart-mail = { services.stalwart-mail = {
enable = true; enable = true;
settings = { settings = lib.mkForce {
#include.files = [secrets."stalwart.toml".path]; authentication.fallback-admin = {
#config.local-keys = [ user = "admin";
# "store.*" secret = "$6$tOo2HQnlyAcgyfx5$aMI3uELtqsjkN.gHn8f2W2yxl2ovo.6PU9XxT9jvjJ2CNXpwpumlBq.ZaERPQcTzl4.o1vklB.sdBevXBrLPp0";
# "directory.*" };
# "tracer.*"
# "server.*"
# "!server.blocked-ip.*"
# "authentication.fallback-admin.*"
# "cluster.node-id"
# "storage.data"
# "storage.blob"
# "storage.lookup"
# "storage.fts"
# "storage.directory"
# "lookup.default.hostname"
# "certificate.*"
#];
global.tracing.level = "trace"; tracer.stdout = {
resolver.public-suffix = [ # Do not use the built-in journal tracer, as it shows much less auxiliary
"https://publicsuffix.org/list/public_suffix_list.dat" # information for the same loglevel
]; type = "stdout";
level = "info";
ansi = false; # no colour markers to journald
enable = true;
};
store.db = {
type = "sqlite";
path = "${dataDir}/database.sqlite3";
};
storage = {
data = "db";
fts = "db";
lookup = "db";
blob = "db";
directory = "internal";
};
directory.internal = {
type = "internal";
store = "db";
};
resolver = {
type = "system";
public-suffix = [
"file://${pkgs.publicsuffix-list}/share/publicsuffix/public_suffix_list.dat"
];
};
config.resource.spam-filter = "file://${config.services.stalwart-mail.package}/etc/stalwart/spamfilter.toml";
certificate.default = {
cert = "%{file:${config.security.acme.certs.${primaryDomain}.directory}/fullchain.pem}%";
private-key = "%{file:${config.security.acme.certs.${primaryDomain}.directory}/key.pem}%";
default = true;
};
server = { server = {
hostname = "mx1.${primaryDomain}"; hostname = "mx1.${primaryDomain}";
@ -80,72 +98,72 @@ in {
reuse-addr = true; reuse-addr = true;
}; };
listener = { listener = {
jmap = { smtp = {
protocol = "jmap"; protocol = "smtp";
bind = " [::]:8080"; bind = "[::]:25";
url = "https://mail.${primaryDomain}/jmap"; };
submissions = {
protocol = "smtp";
bind = "[::]:465";
tls.implicit = true;
}; };
imaps = { imaps = {
protocol = "imap"; protocol = "imap";
bind = "[::]:993"; bind = "[::]:993";
tls.enable = true; tls.implicit = true;
};
http = {
# jmap, web interface
protocol = "http";
bind = "[::]:8080";
url = "https://${stalwartDomain}/jmap";
};
sieve = {
protocol = "managesieve";
bind = "[::]:4190";
tls.implicit = true; tls.implicit = true;
}; };
}; };
}; };
};
};
session = { services.nginx = {
rcpt = { upstreams.stalwart = {
directory = "default"; servers."localhost:8080" = {};
relay = [ extraConfig = ''
{ zone stalwart 64k;
"if" = "authenticated-as"; keepalive 2;
ne = ""; '';
"then" = true; };
} virtualHosts.${stalwartDomain} = {
{"else" = false;} forceSSL = true;
]; useACMEWildcardHost = true;
}; extraConfig = ''
}; client_max_body_size 512M;
'';
queue = { locations."/" = {
outbound = { proxyPass = "http://stalwart";
next-hop = [ proxyWebsockets = true;
{
"if" = "rcpt-domain";
in-list = "default/domains";
"then" = "local";
}
{"else" = "relay";}
];
tls = {
mta-sts = "disable";
dane = "disable";
};
};
};
remote.relay = {
protocol = "smtp";
address = "127.0.0.1";
port = 25;
};
jmap = {
directory = "default";
http.headers = [
"Access-Control-Allow-Origin: *"
"Access-Control-Allow-Methods: POST, GET, HEAD, OPTIONS"
"Access-Control-Allow-Headers: *"
];
};
management.directory = "default";
certificate.default = {
cert = "file://${cfg.certFile}";
private-key = "file://${cfg.keyFile}";
}; };
}; };
}; };
systemd.services.stalwart-mail = let
cfg = config.services.stalwart-mail;
configFormat = pkgs.formats.toml {};
configFile = configFormat.generate "stalwart-mail.toml" cfg.settings;
in {
preStart = lib.mkAfter ''
cat ${configFile} > /run/stalwart-mail/config.toml
'';
serviceConfig = {
RuntimeDirectory = "stalwart-mail";
ExecStart = lib.mkForce [
""
"${cfg.package}/bin/stalwart-mail --config=/run/stalwart-mail/config.toml"
];
RestartSec = "60"; # Retry every minute
};
};
} }

2
nix/installer-configuration.nix
View file

@ -1,5 +1,5 @@
{pkgs, ...}: { {pkgs, ...}: {
system.stateVersion = "23.11"; system.stateVersion = "24.11";
nix.extraOptions = '' nix.extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
''; '';