{ config, pkgs, ... }:

{
  services.stalwart = {
    enable = true;
    settings = {
      server = {
        hostname = "mail.extremist.software";
        tls = {
          enable = true;
          implicit = false; # StartTLS usually on 587
        };
      };
      
      authentication.fallback-admin = {
        user = "admin";
        secret = config.mySecrets.stalwartAdmin;
      };

      # Stalwart configuration is quite extensive. 
      # By default it listens on standard ports (25, 465, 587, 993, 4190)
      # and provides a web admin UI on 8080.
    };
  };

  # Open Firewalls for Mail
  networking.firewall.allowedTCPPorts = [ 
    25 465 587 # SMTP
    993        # IMAP (Secure)
    4190       # Sieve
    8080       # Admin UI (Reverse proxied, but good to double check loopback)
  ];
}