diff --git a/secrets/default.nix b/secrets/default.nix
index 1d2d578..12e4986 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -23,10 +23,10 @@ in {
 };
 cloudflare-acme.file = ./cloudflare-acme.age;
 mail-admin = {
- owner =
- if config.niksos.server
- then serviceUser "stalwart-mail"
- else "root";
+ # owner = #FIXME: revert when stopped using docker for stalwart.
+ # if config.niksos.server
+ # then serviceUser "stalwart-mail"
+ # else "root";
 file = ./mail-admin.age;
 };
 };
diff --git a/system/server/mail.nix b/system/server/mail.nix
index c3d8fdc..50531fa 100644
--- a/system/server/mail.nix
+++ b/system/server/mail.nix
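Review bot: Commenting out `owner` leaves the `mail-admin` secret decrypted on the host under the age module's default owner while nothing consumes it any more — the mail.nix side of this same commit also comments out `user_admin_password = config.age.secrets.mail-admin.path`, so the plaintext admin password now sits on disk with no reader. While the docker workaround is active, either drop `mail-admin` from the secrets set or state that it is deliberately unused, e.g. `# FIXME: unused while stalwart runs in docker (the container is not handed this file); restore the serviceUser owner once the nixpkgs issue is fixed.`. Putting `#FIXME` at the end of the commented-out `owner =` line also buries it inside dead code; a FIXME on its own line above the attribute is what grep and reviewers will find. How the containerised Stalwart's admin password is provisioned instead is not visible in this diff and should be documented wherever that happens.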
@@ -1,102 +1,101 @@ {config, ...}: { - nixpkgs.overlays = [ - (final: prev: let - version = "0.12.4"; - hash = "sha256-MUbWGBbb8+b5cp+M5w27A/cHHkMcoEtkN13++FyBvbM="; - cargoHash = "sha256-G1c7hh0nScc4Cx7A1UUXv6slA6pP0fC6h00zR71BJIo="; - in { - stalwart-mail = prev.stalwart-mail.overrideAttrs (new: old: rec { - inherit cargoHash version; - src = prev.fetchFromGitHub { - inherit version hash; - inherit (old.src) owner repo; - tag = "v${version}"; - }; - cargoDeps = prev.rustPlatform.fetchCargoVendor { - inherit src; - hash = cargoHash; - }; - }); - }) - ]; - - services.stalwart-mail = { - enable = true; - openFirewall = false; # Don't want to open port 8080, will leave that for caddy. - credentials = { - user_admin_password = config.age.secrets.mail-admin.path; - }; - settings = { - authentication.fallback-admin = { - secret = "%{file:/run/credentials/stalwart-mail.service/user_admin_password}%"; - user = "admin"; - }; - server = { - tracer."log" = { - ansi = false; - enable = true; - level = "info"; - path = "./stalwart/logs"; - prefix = "stalwart.log"; - rotate = "daily"; - type = "log"; - }; - listener = { - http = { - bind = "127.0.0.1:9003"; - protocol = "http"; - }; - imaptls = { - bind = "[::]:993"; - protocol = "imap"; - tls.implicit = true; - }; - smtp = { - bind = "[::]:25"; - protocol = "smtp"; - }; - submissions = { - bind = "[::]:465"; - protocol = "smtp"; - tls.implicit = true; - }; - }; - }; - - hostname = "mx1.jsw.tf"; - lookup.default.domain = "jsw.tf"; - acme."letsencrypt" = { - directory = "https://acme-v02.api.letsencrypt.org/directory"; - challenge = "tls-alpn-01"; - contact = ["jurnwubben@gmail.com"]; - domains = ["jsw.tf" "mx1.jsw.tf"]; - renew-before = "30d"; - }; - directory."imap".lookup.domains = ["jsw.tf"]; - # directory."in-memory" = { - # type = "memory"; - # principals = [ - # { - # class = "individual"; - # name = "User 1"; - # secret = "%{file:/etc/stalwart/mail-pw1}%"; - # email = [""]; - # } - # ]; - # }; - }; - }; - - # 
virtualisation.oci-containers.containers.stalwart = { - # image = "docker.io/stalwartlabs/mail-server:latest"; - # labels = { - # "io.containers.autoupdate" = "registry"; + # nixpkgs.overlays = [ + # (final: prev: let + # version = "0.12.4"; + # hash = "sha256-MUbWGBbb8+b5cp+M5w27A/cHHkMcoEtkN13++FyBvbM="; + # cargoHash = "sha256-G1c7hh0nScc4Cx7A1UUXv6slA6pP0fC6h00zR71BJIo="; + # in { + # stalwart-mail = prev.stalwart-mail.overrideAttrs (new: old: rec { + # inherit cargoHash version; + # src = prev.fetchFromGitHub { + # inherit version hash; + # inherit (old.src) owner repo; + # tag = "v${version}"; + # }; + # cargoDeps = prev.rustPlatform.fetchCargoVendor { + # inherit src; + # hash = cargoHash; + # }; + # }); + # }) + # ]; + # services.stalwart-mail = { + # enable = true; + # openFirewall = false; # Don't want to open port 8080, will leave that for caddy. + # credentials = { + # user_admin_password = config.age.secrets.mail-admin.path; # }; - # ports = ["25:25" "465:465" "993:993" "9003:8080"]; - # volumes = [ - # "/home/jsw/stalwart:/opt/stalwart-mail" - # ]; + # settings = { + # authentication.fallback-admin = { + # secret = "%{file:/run/credentials/stalwart-mail.service/user_admin_password}%"; + # user = "admin"; + # }; + # server = { + # tracer."log" = { + # ansi = false; + # enable = true; + # level = "info"; + # path = "./stalwart/logs"; + # prefix = "stalwart.log"; + # rotate = "daily"; + # type = "log"; + # }; + # listener = { + # bind = "127.0.0.1:9003"; + # protocol = "http"; + # }; + # imaptls = { + # bind = "[::]:993"; + # protocol = "imap"; + # tls.implicit = true; + # }; + # smtp = { + # bind = "[::]:25"; + # protocol = "smtp"; + # }; + # submissions = { + # bind = "[::]:465"; + # protocol = "smtp"; + # tls.implicit = true; + # }; + # }; + # }; + # + # hostname = "mx1.jsw.tf"; + # lookup.default.domain = "jsw.tf"; + # acme."letsencrypt" = { + # directory = "https://acme-v02.api.letsencrypt.org/directory"; + # challenge = "tls-alpn-01"; + # contact = 
["jurnwubben@gmail.com"]; + # domains = ["jsw.tf" "mx1.jsw.tf"]; + # renew-before = "30d"; + # }; + # directory."imap".lookup.domains = ["jsw.tf"]; + # # directory."in-memory" = { + # # type = "memory"; + # # principals = [ + # # { + # # class = "individual"; + # # name = "User 1"; + # # secret = "%{file:/etc/stalwart/mail-pw1}%"; + # # email = [""]; + # # } + # # ]; + # # }; # }; + + #FIXME: revert when stopped using docker for stalwart. https://github.com/NixOS/nixpkgs/issues/416091 + + virtualisation.oci-containers.containers.stalwart = { + image = "docker.io/stalwartlabs/stalwart:latest"; + labels = { + "io.containers.autoupdate" = "registry"; + }; + ports = ["25:25" "465:465" "993:993" "9003:8080"]; + volumes = [ + "/opt/stalwart:/opt/stalwart" + ]; + }; networking.firewall.allowedTCPPorts = [ 993 25 @@ -109,9 +108,9 @@ reverse_proxy http://127.0.0.1:9003 ''; serverAliases = [ - "mta-sts.jsw.tf" - "autoconfig.jsw.tf" - "autodiscover.jsw.tf" + # "mta-sts.jsw.tf" + # "autoconfig.jsw.tf" + # "autodiscover.jsw.tf" "mail.jsw.tf" ]; };
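Review bot: `ports = [... "9003:8080"]` publishes Stalwart's HTTP/admin listener on every host interface, whereas the configuration it replaces bound it to `127.0.0.1:9003` precisely so only Caddy could reach it (`openFirewall = false; # Don't want to open port 8080, will leave that for caddy.`); bind the host side to loopback, `ports = ["25:25" "465:465" "993:993" "127.0.0.1:9003:8080"];`. Whether `networking.firewall.allowedTCPPorts` below protects the published port depends on the OCI backend, which this diff does not show — with the docker backend published ports are typically reachable regardless of the NixOS firewall, so the host firewall should not be relied on here. The pinned `version`/`hash`/`cargoHash` overlay is replaced by `image = "docker.io/stalwartlabs/stalwart:latest"` plus `"io.containers.autoupdate" = "registry"`, so every pull takes whatever the registry currently serves and the host keeps no record of what actually ran; pin a version tag (ideally with an `@sha256:` digest) and bump it deliberately. The ACME/TLS settings (`tls-alpn-01`, `mx1.jsw.tf`, `renew-before`) are now commented out, so where the container obtains certificates for 465/993 is no longer visible in this file and deserves a comment next to the `volumes` entry. The module attrset opens at the top of the hunk but the `allowedTCPPorts` list continues past its end.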
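Review bot: Commenting out `"mta-sts.jsw.tf"` stops Caddy from serving the MTA-STS policy host while nothing in this diff retires the matching `_mta-sts` DNS record, so remote senders holding a cached policy keep enforcing it for its `max_age` while fresh fetches fail; whether that record exists is not visible here. If the policy is meant to stay in force, keep the alias in `serverAliases` so the proxied backend (presumably Stalwart in the container) can keep answering for it; if it is meant to be retired, publish a `mode: none` policy first and then remove the TXT record rather than just dropping the vhost. The `autoconfig`/`autodiscover` aliases only affect client auto-setup and carry no comparable weight. The `serverAliases` list sits inside a Caddy virtual host whose definition starts outside the hunk.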