NiksOS/system/server/mail.nix
2025-06-12 01:35:53 +02:00


{config, ...}: {
# Overlay that pins stalwart-mail to one upstream release instead of the
# version carried by the nixpkgs channel.
#
# Both hashes are fixed-output hashes: the build fails if the fetched source
# tree or the vendored crate set differs from what was recorded here.
# Because the version is overridden, channel updates no longer move this
# package; a security release needs all three values below bumped together.
nixpkgs.overlays = [
  (final: prev: let
    pinnedVersion = "0.12.4";
    # Hash of the GitHub source tree at tag v${pinnedVersion}.
    sourceHash = "sha256-MUbWGBbb8+b5cp+M5w27A/cHHkMcoEtkN13++FyBvbM=";
    # Hash of the vendored Cargo dependencies built from that source.
    vendorHash = "sha256-G1c7hh0nScc4Cx7A1UUXv6slA6pP0fC6h00zR71BJIo=";
  in {
    stalwart-mail = prev.stalwart-mail.overrideAttrs (finalAttrs: prevAttrs: let
      # owner/repo are taken from the nixpkgs package definition, so the
      # fetch target follows whatever nixpkgs names as upstream.
      pinnedSrc = prev.fetchFromGitHub {
        inherit (prevAttrs.src) owner repo;
        version = pinnedVersion;
        hash = sourceHash;
        tag = "v${pinnedVersion}";
      };
    in {
      version = pinnedVersion;
      cargoHash = vendorHash;
      src = pinnedSrc;
      # Re-vendor the crates from the pinned source; the inherited cargoDeps
      # would otherwise still describe the nixpkgs version.
      cargoDeps = prev.rustPlatform.fetchCargoVendor {
        src = pinnedSrc;
        hash = vendorHash;
      };
    });
  })
];
# Stalwart mail server: public SMTP (25), implicit-TLS submission (465) and
# implicit-TLS IMAP (993); the HTTP listener stays on loopback and is
# published through Caddy.
services.stalwart-mail = {
  enable = true;
  # Keep the module from opening ports itself (port 8080 is left to Caddy);
  # the mail ports are opened explicitly via networking.firewall.
  openFirewall = false;

  # The admin password is handed to the unit as a credential read from the
  # agenix-managed secret path, rather than written into this file.
  credentials.user_admin_password = config.age.secrets.mail-admin.path;

  settings = {
    # Fallback administrator; the secret is resolved at runtime from the
    # unit's credentials directory.
    # NOTE(review): this login is reachable through the public Caddy vhost
    # that proxies the HTTP listener - confirm the secret is long and random.
    authentication.fallback-admin = {
      user = "admin";
      secret = "%{file:/run/credentials/stalwart-mail.service/user_admin_password}%";
    };

    server = {
      # Daily-rotated plain-text log at "info" level.
      # NOTE(review): the path is relative, so the log location depends on
      # the service's working directory - confirm where these files land and
      # who can read them.
      tracer.log = {
        type = "log";
        enable = true;
        level = "info";
        ansi = false;
        path = "./stalwart/logs";
        prefix = "stalwart.log";
        rotate = "daily";
      };

      listener = {
        # Plain HTTP on loopback only; not reachable from the network
        # without the reverse proxy.
        http = {
          protocol = "http";
          bind = "127.0.0.1:9003";
        };
        # IMAP with TLS from the first byte; no plaintext IMAP listener is
        # defined in this block.
        imaptls = {
          protocol = "imap";
          bind = "[::]:993";
          tls = {implicit = true;};
        };
        # Server-to-server SMTP; no implicit TLS is set on this listener.
        smtp = {
          protocol = "smtp";
          bind = "[::]:25";
        };
        # Client submission with implicit TLS.
        submissions = {
          protocol = "smtp";
          bind = "[::]:465";
          tls = {implicit = true;};
        };
      };
    };

    # NOTE(review): by brace nesting this is settings.hostname, a sibling of
    # `server`, not server.hostname - confirm which key the pinned Stalwart
    # version reads.
    hostname = "mx1.jsw.tf";
    lookup.default.domain = "jsw.tf";

    # Certificates from Let's Encrypt's production directory.
    # NOTE(review): tls-alpn-01 is validated over TCP 443, and no listener
    # in this block binds 443 - confirm how the challenge reaches Stalwart,
    # otherwise issuance and renewal for 465/993 will fail.
    acme.letsencrypt = {
      directory = "https://acme-v02.api.letsencrypt.org/directory";
      challenge = "tls-alpn-01";
      contact = ["jurnwubben@gmail.com"];
      domains = ["jsw.tf" "mx1.jsw.tf"];
      renew-before = "30d";
    };

    directory.imap.lookup.domains = ["jsw.tf"];
    # Disabled in-memory directory, kept for reference:
    # directory."in-memory" = {
    #   type = "memory";
    #   principals = [
    #     {
    #       class = "individual";
    #       name = "User 1";
    #       secret = "%{file:/etc/stalwart/mail-pw1}%";
    #       email = [""];
    #     }
    #   ];
    # };
  };
};
# virtualisation.oci-containers.containers.stalwart = {
# image = "docker.io/stalwartlabs/mail-server:latest";
# labels = {
# "io.containers.autoupdate" = "registry";
# };
# ports = ["25:25" "465:465" "993:993" "9003:8080"];
# volumes = [
# "/home/jsw/stalwart:/opt/stalwart-mail"
# ];
# };
# Inbound TCP ports opened for the mail listeners. The HTTP listener is
# loopback-only and is deliberately absent from this list.
networking.firewall = {
  allowedTCPPorts = [
    993 # IMAP, implicit TLS
    25 # SMTP, server-to-server
    465 # SMTP submission, implicit TLS
  ];
};
# Caddy publishes Stalwart's loopback HTTP listener under one site with four
# aliases. Every hostname forwards every path to the same backend, so the
# web admin UI and whatever else that listener serves are reachable under
# all five names from wherever Caddy accepts connections.
# NOTE(review): only the fallback-admin password stands between the network
# and the admin interface - consider limiting the admin paths or the
# webadmin hostname to trusted source addresses, while leaving the
# mta-sts/autoconfig/autodiscover names public.
# NOTE(review): behind the proxy, Stalwart sees connections from 127.0.0.1;
# confirm it is configured to take the client address from the forwarded
# header so that logs and any rate limiting apply per client.
services.caddy.virtualHosts."webadmin.jsw.tf" = {
  serverAliases = [
    "mta-sts.jsw.tf"
    "autoconfig.jsw.tf"
    "autodiscover.jsw.tf"
    "mail.jsw.tf"
  ];
  extraConfig = ''
    reverse_proxy http://127.0.0.1:9003
  '';
};
}