Rewritten email config

2025-06-11 19:10:16 +02:00 · 2025-06-11 19:10:16 +02:00 · 0bb374be15
commit 0bb374be15
parent 58aad1f55b
4 changed files with 66 additions and 38 deletions
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -20,5 +20,12 @@
        else "root";
    };
    cloudflare-acme.file = ./cloudflare-acme.age;
    mail-admin = {
      owner =
        if config.niksos.server
        then "stalwart-mail"
        else "root";
      file = ./mail-admin.age;
    };
  };
 }
--- a/secrets/mail-admin.age
+++ b/secrets/mail-admin.age
@ -0,0 +1,12 @@
 age-encryption.org/v1
 -> ssh-ed25519 WCPLrA wfP5+Ur2RKtojpj8WsbgaWXsr+Pt7YUiHseahvlP6lE
 fkAWtR6xpgJjVi8VRYhRnjgN2NgeQidIJJ6FLFd5L8U
 -> ssh-ed25519 7/ziYw 3yl4W+lcsQAy40Yud0qPnbZmh3J/pzDwBOXDiEbpiRc
 Y8A7XnfzFkGH9qdM+N3wb6u8Imk/U/uwjdKfRpHe2Ng
 -> ssh-ed25519 GQzYWA Gvd1t0M1CTYe+5k4sF5M/U/VHebmylPpLD4zHgCzt3U
 UD1zOdb2UFqfN43S0HkU1BcmKjCu25q0Kgnq+tR2V4E
 -> ssh-ed25519 MfR7VA dErummA05w7hEN4yLYyE6iuj/qHXLpBxEZ2Ha5oKNUY
 KbltxK/l6ioaGWJMBt441FPlFRlGjvhJGumXtsK8N9I
 --- GG7HnagqvHaWIJLwotO//9EtjZZNZ75e1rHSDkLlGlM
 áa$‹ÔÑ^—)<02>àBkµ¤‡Æçìó‹º†
 }‹ûÛ*¡aÖh&Pí¶	ÝoÇŒÄÊÕ,ÞÏ¹ßê?~0£Ò3žòØÈ€Ý¹*³)M•tï¸Jà‰»ÂÆöÉ›<C389>Óáifæ~c$ŠSÇª6‹[%,ˆÇw@”YðeÝ<C39D>ÄsD1ŠË—&Â÷5ö
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -12,4 +12,5 @@ in {
  "dcbot.age".publicKeys = systems;
  "matrix-registration.age".publicKeys = systems;
  "cloudflare-acme.age".publicKeys = systems;
  "mail-admin.age".publicKeys = systems;
 }
--- a/system/server/mail.nix
+++ b/system/server/mail.nix
@ -1,57 +1,64 @@
 {config, ...}: {
  services.stalwart-mail = {
    enable = true;
-    openFirewall = true;
+    openFirewall = false; # Don't want to open port 8080, will leave that for caddy.
    settings = {
      server = {
-        hostname = "mx1.jsw.tf";
+        tracer."log" = {
-        tls = {
+          ansi = false;
          enable = true;
-          implicit = true;
+          level = "info";
          path = "./stalwart/logs";
          prefix = "stalwart.log";
          rotate = "daily";
          type = "log";
        };
        authentication = {
          fallback-admin = {
            secret = "%{file:${config.age.secrets.mail-admin.path}}%";
            user = "admin";
          };
        };
        listener = {
          http = {
            bind = "127.0.0.1:9003";
            protocol = "http";
          };
          imaptls = {
            bind = "[::]:993";
            protocol = "imap";
            tls.implicit = true;
          };
          smtp = {
            protocol = "smtp";
            bind = "[::]:25";
            protocol = "smtp";
          };
          jmap = {
            bind = "[::]:9003";
            url = "https://mail.jsw.tf";
            protocol = "jmap";
          };
          submissions = {
            bind = "[::]:465";
            protocol = "smtp";
-          };
+            tls.implicit = true;
          imaps = {
            bind = "[::]:993";
            protocol = "imap";
          };
          jmap = {
            bind = "[::]:8080";
            url = "https://mail.jsw.tf";
            protocol = "jmap";
          };
          management = {
            bind = ["127.0.0.1:8080"];
            protocol = "http";
          };
        };
      };
      hostname = "mx1.jsw.tf";
      lookup.default = {
        hostname = "mx1.jsw.tf";
        domain = "jsw.tf";
      };
      acme."letsencrypt" = {
        directory = "https://acme-v02.api.letsencrypt.org/directory";
-        challenge = "dns-01";
+        challenge = "tls-alpn-01";
-        contact = "jswmail@proton.me";
+        contact = ["jurnwubben@gmail.com"];
        domains = ["jsw.tf" "mx1.jsw.tf"];
-        provider = "cloudflare";
+        cache = "%{BASE_PATH}%/etc/acme";
-        secret = "%{file:${config.age.secrets.cloudflare-acme.path}}%";
+        renew-before = "30d";
      };
      session.auth = {
        mechanisms = "[plain]";
        directory = "'in-memory'";
      };
      storage.directory = "in-memory";
      session.rcpt.directory = "'in-memory'";
      queue.outbound.next-hop = "'local'";
      directory."imap".lookup.domains = ["jsw.tf"];
      # directory."in-memory" = {
      #   type = "memory";
@ -64,23 +71,24 @@
      #     }
      #   ];
      # };
      authentication.fallback-admin = {
        user = "admin";
        secret = "%{file:${config.age.secrets.password.path}}%";
      };
    };
  };
  networking.firewall.allowedTCPPorts = [
    993
    25
    465
  ];
  services.caddy.virtualHosts = {
    "webadmin.jsw.tf" = {
      extraConfig = ''
-        reverse_proxy http://127.0.0.1:8080
+        reverse_proxy http://127.0.0.1:9003
      '';
      serverAliases = [
-        "mta-sts.example.org"
+        "mta-sts.jsw.tf"
-        "autoconfig.example.org"
+        "autoconfig.jsw.tf"
-        "autodiscover.example.org"
+        "autodiscover.jsw.tf"
-        "mail.example.org"
+        "mail.jsw.tf"
      ];
    };
  };