From 0bb374be15630fb354dfadbb8f9de06ddfa34076 Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Wed, 11 Jun 2025 19:10:16 +0200 Subject: [PATCH] Rewritten email config --- secrets/default.nix | 7 ++++ secrets/mail-admin.age | 12 ++++++ secrets/secrets.nix | 1 + system/server/mail.nix | 84 +++++++++++++++++++++++------------------- 4 files changed, 66 insertions(+), 38 deletions(-) create mode 100644 secrets/mail-admin.age diff --git a/secrets/default.nix b/secrets/default.nix index b5d7956..20be83e 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -20,5 +20,12 @@ else "root"; }; cloudflare-acme.file = ./cloudflare-acme.age; + mail-admin = { + owner = + if config.niksos.server + then "stalwart-mail" + else "root"; + file = ./mail-admin.age; + }; }; } diff --git a/secrets/mail-admin.age b/secrets/mail-admin.age new file mode 100644 index 0000000..a1e8bda --- /dev/null +++ b/secrets/mail-admin.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 WCPLrA wfP5+Ur2RKtojpj8WsbgaWXsr+Pt7YUiHseahvlP6lE +fkAWtR6xpgJjVi8VRYhRnjgN2NgeQidIJJ6FLFd5L8U +-> ssh-ed25519 7/ziYw 3yl4W+lcsQAy40Yud0qPnbZmh3J/pzDwBOXDiEbpiRc +Y8A7XnfzFkGH9qdM+N3wb6u8Imk/U/uwjdKfRpHe2Ng +-> ssh-ed25519 GQzYWA Gvd1t0M1CTYe+5k4sF5M/U/VHebmylPpLD4zHgCzt3U +UD1zOdb2UFqfN43S0HkU1BcmKjCu25q0Kgnq+tR2V4E +-> ssh-ed25519 MfR7VA dErummA05w7hEN4yLYyE6iuj/qHXLpBxEZ2Ha5oKNUY +KbltxK/l6ioaGWJMBt441FPlFRlGjvhJGumXtsK8N9I +--- GG7HnagqvHaWIJLwotO//9EtjZZNZ75e1rHSDkLlGlM +a$^)Bk󋺆 +}ۭ*ah&P onj,Ϲ?~03Ȁݹ*)MtJɛif~c$SǪ6[%,w@YesD1 ˗& 5 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index df0f3e1..b375c6c 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -12,4 +12,5 @@ in { "dcbot.age".publicKeys = systems; "matrix-registration.age".publicKeys = systems; "cloudflare-acme.age".publicKeys = systems; + "mail-admin.age".publicKeys = systems; } diff --git a/system/server/mail.nix b/system/server/mail.nix index 5ae099b..5e582fb 100644 --- a/system/server/mail.nix 
+++ b/system/server/mail.nix
@@ -1,57 +1,64 @@
 {config, ...}: {
 services.stalwart-mail = {
 enable = true;
- openFirewall = true;
+ openFirewall = false; # Don't want to open port 8080, will leave that for caddy.
 settings = {
 server = {
- hostname = "mx1.jsw.tf";
- tls = {
+ tracer."log" = {
+ ansi = false;
 enable = true;
- implicit = true;
+ level = "info";
+ path = "./stalwart/logs";
+ prefix = "stalwart.log";
+ rotate = "daily";
+ type = "log";
+ };
+ authentication = {
+ fallback-admin = {
+ secret = "%{file:${config.age.secrets.mail-admin.path}}%";
+ user = "admin";
+ };
+ };
 listener = {
+ http = {
+ bind = "127.0.0.1:9003";
+ protocol = "http";
+ };
+ imaptls = {
+ bind = "[::]:993";
+ protocol = "imap";
+ tls.implicit = true;
+ };
 smtp = {
- protocol = "smtp";
 bind = "[::]:25";
+ protocol = "smtp";
+ };
+ jmap = {
+ bind = "[::]:9003";
+ url = "https://mail.jsw.tf";
+ protocol = "jmap";
 };
 submissions = {
 bind = "[::]:465";
 protocol = "smtp";
- };
- imaps = {
- bind = "[::]:993";
- protocol = "imap";
- };
- jmap = {
- bind = "[::]:8080";
- url = "https://mail.jsw.tf";
- protocol = "jmap";
- };
- management = {
- bind = ["127.0.0.1:8080"];
- protocol = "http";
+ tls.implicit = true;
 };
 };
 };
+
+ hostname = "mx1.jsw.tf";
 lookup.default = {
 hostname = "mx1.jsw.tf";
 domain = "jsw.tf";
 };
 acme."letsencrypt" = {
 directory = "https://acme-v02.api.letsencrypt.org/directory";
- challenge = "dns-01";
- contact = "jswmail@proton.me";
+ challenge = "tls-alpn-01";
+ contact = ["jurnwubben@gmail.com"];
 domains = ["jsw.tf" "mx1.jsw.tf"];
- provider = "cloudflare";
- secret = "%{file:${config.age.secrets.cloudflare-acme.path}}%";
+ cache = "%{BASE_PATH}%/etc/acme";
+ renew-before = "30d";
 };
- session.auth = {
- mechanisms = "[plain]";
- directory = "'in-memory'";
- };
- storage.directory = "in-memory";
- session.rcpt.directory = "'in-memory'";
- queue.outbound.next-hop = "'local'";
 directory."imap".lookup.domains = ["jsw.tf"];
 # directory."in-memory" = {
 # type = "memory";
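Review bot: `challenge = "tls-alpn-01"` in the `acme."letsencrypt"` block requires Stalwart itself to answer the challenge on TCP 443, but no listener in this hunk binds 443 and the Caddy virtual hosts further down in this file will normally own that port, so unless something not shown here hands the `acme-tls/1` ALPN handshake to Stalwart, issuance for `jsw.tf`/`mx1.jsw.tf` fails and 993/465 come up on whatever fallback certificate Stalwart generates, which mail clients will refuse. The `cloudflare-acme` secret is still declared in `secrets/default.nix`, so the least disruptive fix is to restore `challenge = "dns-01"; provider = "cloudflare"; secret = "%{file:${config.age.secrets.cloudflare-acme.path}}%";` (or point Stalwart at the certificate Caddy already obtains). Separately, the new `http` listener on `127.0.0.1:9003` and the `jmap` listener on `[::]:9003` bind the same port, so on Linux the second bind will fail with EADDRINUSE, and the `jmap` one is plain HTTP on every interface while Caddy only needs the loopback one — drop `jmap` or give it its own loopback-only port. I also cannot confirm from here that Stalwart reads a top-level `settings.hostname` (the removed key was `server.hostname`), so that move is worth checking against the version in use. The module's attribute set continues past the end of this hunk.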
@@ -64,23 +71,24 @@
 # }
 # ];
 # };
- authentication.fallback-admin = {
- user = "admin";
- secret = "%{file:${config.age.secrets.password.path}}%";
- };
 };
 };
+ networking.firewall.allowedTCPPorts = [
+ 993
+ 25
+ 465
+ ];
 services.caddy.virtualHosts = {
 "webadmin.jsw.tf" = {
 extraConfig = ''
- reverse_proxy http://127.0.0.1:8080
+ reverse_proxy http://127.0.0.1:9003
 '';
 serverAliases = [
- "mta-sts.example.org"
- "autoconfig.example.org"
- "autodiscover.example.org"
- "mail.example.org"
+ "mta-sts.jsw.tf"
+ "autoconfig.jsw.tf"
+ "autodiscover.jsw.tf"
+ "mail.jsw.tf"
 ];
 };
 };
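Review bot: `webadmin.jsw.tf` now proxies the Stalwart admin UI from the public internet to `127.0.0.1:9003` with nothing in front of it but the `fallback-admin` password, and because every proxied request reaches Stalwart from 127.0.0.1, its per-client authentication rate limiting and blocking presumably cannot tell attackers apart from legitimate users (a lockout would hit everyone behind Caddy, including the autoconfig and JMAP traffic on the same listener). Tell Stalwart to trust the proxy, roughly `server.http.use-x-forwarded = true;` together with `server.proxy.trusted-networks = ["127.0.0.1" "::1"];` (confirm the exact keys for the Stalwart version in use), and consider gating the admin host in Caddy with a `remote_ip` matcher or `basic_auth` so the admin login is not reachable from arbitrary addresses. The new `networking.firewall.allowedTCPPorts` list correctly leaves 9003 closed, which is currently the only thing keeping the `[::]:9003` listener added earlier in this diff off the network. The closing brace of the module's attribute set lies outside this hunk.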