Rewritten email config

This commit is contained in:
Jurn Wubben 2025-06-11 19:10:16 +02:00
parent 500ed29f42
commit fdd922b159
4 changed files with 66 additions and 38 deletions


@ -20,5 +20,12 @@
else "root";
};
cloudflare-acme.file = ./cloudflare-acme.age;
mail-admin = {
owner =
if config.niksos.server
then "stalwart-mail"
else "root";
file = ./mail-admin.age;
};
};
}

12
secrets/mail-admin.age Normal file

@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 WCPLrA wfP5+Ur2RKtojpj8WsbgaWXsr+Pt7YUiHseahvlP6lE
fkAWtR6xpgJjVi8VRYhRnjgN2NgeQidIJJ6FLFd5L8U
-> ssh-ed25519 7/ziYw 3yl4W+lcsQAy40Yud0qPnbZmh3J/pzDwBOXDiEbpiRc
Y8A7XnfzFkGH9qdM+N3wb6u8Imk/U/uwjdKfRpHe2Ng
-> ssh-ed25519 GQzYWA Gvd1t0M1CTYe+5k4sF5M/U/VHebmylPpLD4zHgCzt3U
UD1zOdb2UFqfN43S0HkU1BcmKjCu25q0Kgnq+tR2V4E
-> ssh-ed25519 MfR7VA dErummA05w7hEN4yLYyE6iuj/qHXLpBxEZ2Ha5oKNUY
KbltxK/l6ioaGWJMBt441FPlFRlGjvhJGumXtsK8N9I
--- GG7HnagqvHaWIJLwotO//9EtjZZNZ75e1rHSDkLlGlM
áa$‹ÔÑ^—)<02>àBkµ¤‡Æçìóº†
}‹ûÛ­*¡aÖh&Pí¶ ÝoÇŒÄÊÕϹßê?~0£Ò3žòØÈ€Ý¹*³)M•tï¸Jà‰»ÂÆöÉ<C389>Óáifæ~c$ŠSǪ6[%,ˆÇw@”YðeÝ<C39D>ÄsD1Š Ë—&Â÷


@ -12,4 +12,5 @@ in {
"dcbot.age".publicKeys = systems;
"matrix-registration.age".publicKeys = systems;
"cloudflare-acme.age".publicKeys = systems;
"mail-admin.age".publicKeys = systems;
}
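Review bot: `"mail-admin.age".publicKeys = systems;` lets every key in `systems` decrypt the fallback-admin password, although only the host that runs stalwart-mail (the `config.niksos.server` branch of the owner assignment elsewhere in this commit) needs it. If `systems` is the full host key list, as the name and the four `ssh-ed25519` recipients in the new age header suggest, a compromise of any other machine yields the mail admin credential. Consider scoping this entry to the mail host's key only, e.g. `"mail-admin.age".publicKeys = [ mailHost ];` with the key bound at the top of the file, which is outside this hunk.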


@ -1,57 +1,64 @@
{config, ...}: {
services.stalwart-mail = {
enable = true;
openFirewall = true;
openFirewall = false; # Don't want to open port 8080, will leave that for caddy.
settings = {
server = {
hostname = "mx1.jsw.tf";
tls = {
tracer."log" = {
ansi = false;
enable = true;
implicit = true;
level = "info";
path = "./stalwart/logs";
prefix = "stalwart.log";
rotate = "daily";
type = "log";
};
authentication = {
fallback-admin = {
secret = "%{file:${config.age.secrets.mail-admin.path}}%";
user = "admin";
};
};
listener = {
http = {
bind = "127.0.0.1:9003";
protocol = "http";
};
imaptls = {
bind = "[::]:993";
protocol = "imap";
tls.implicit = true;
};
smtp = {
protocol = "smtp";
bind = "[::]:25";
protocol = "smtp";
};
jmap = {
bind = "[::]:9003";
url = "https://mail.jsw.tf";
protocol = "jmap";
};
submissions = {
bind = "[::]:465";
protocol = "smtp";
};
imaps = {
bind = "[::]:993";
protocol = "imap";
};
jmap = {
bind = "[::]:8080";
url = "https://mail.jsw.tf";
protocol = "jmap";
};
management = {
bind = ["127.0.0.1:8080"];
protocol = "http";
tls.implicit = true;
};
};
};
hostname = "mx1.jsw.tf";
lookup.default = {
hostname = "mx1.jsw.tf";
domain = "jsw.tf";
};
acme."letsencrypt" = {
directory = "https://acme-v02.api.letsencrypt.org/directory";
challenge = "dns-01";
contact = "jswmail@proton.me";
challenge = "tls-alpn-01";
contact = ["jurnwubben@gmail.com"];
domains = ["jsw.tf" "mx1.jsw.tf"];
provider = "cloudflare";
secret = "%{file:${config.age.secrets.cloudflare-acme.path}}%";
cache = "%{BASE_PATH}%/etc/acme";
renew-before = "30d";
};
session.auth = {
mechanisms = "[plain]";
directory = "'in-memory'";
};
storage.directory = "in-memory";
session.rcpt.directory = "'in-memory'";
queue.outbound.next-hop = "'local'";
directory."imap".lookup.domains = ["jsw.tf"];
# directory."in-memory" = {
# type = "memory";
@ -64,23 +71,24 @@
# }
# ];
# };
authentication.fallback-admin = {
user = "admin";
secret = "%{file:${config.age.secrets.password.path}}%";
};
};
};
networking.firewall.allowedTCPPorts = [
993
25
465
];
services.caddy.virtualHosts = {
"webadmin.jsw.tf" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:8080
reverse_proxy http://127.0.0.1:9003
'';
serverAliases = [
"mta-sts.example.org"
"autoconfig.example.org"
"autodiscover.example.org"
"mail.example.org"
"mta-sts.jsw.tf"
"autoconfig.jsw.tf"
"autodiscover.jsw.tf"
"mail.jsw.tf"
];
};
};
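Review bot: The `acme."letsencrypt"` block now reads `challenge = "tls-alpn-01"` but still carries `provider = "cloudflare"` and `secret = "%{file:${config.age.secrets.cloudflare-acme.path}}%"`, which only a dns-01 challenge uses, and tls-alpn-01 requires the ACME server to reach port 443 on `jsw.tf`/`mx1.jsw.tf`, a port no listener in this config binds and which caddy presumably owns given the `services.caddy.virtualHosts` below. Either restore `challenge = "dns-01";` so the Cloudflare token is actually used, or remove the provider and secret lines so an unused API token is not loaded into the mail process. Separately, if the `jmap` listener on `[::]:9003` and the `http` listener on `127.0.0.1:9003` are both on the new side they contend for one port, and the wildcard bind exposes the unencrypted JMAP/admin endpoint to every interface with only the firewall in front of it; since caddy proxies to loopback, `bind = "127.0.0.1:9003";` is the safer form. The `services.stalwart-mail` attribute set spans both hunks of this section.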