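{ config, pkgs, ... }:

let
  # Single source of truth for the secret paths: the same path has to be
  # referenced both by the Stalwart `%{file:...}%` macro and by the systemd
  # sandbox settings at the bottom, so keep them from drifting apart.
  #
  # NOTE(review): /run/agenix/stalwart-admin is agenix's default path for a
  # secret named `stalwart-admin`; that secret is declared outside this file.
  # Its owner/group must allow the stalwart service user to read it —
  # ReadOnlyPaths only forbids writes, it does not grant read access.
  adminSecretPath = "/run/agenix/stalwart-admin";
  webhookSecretPath = config.age.secrets.webhook-secret.path;

  # Certificate issued by security.acme (shared with Caddy); read access is
  # granted through the `acme` supplementary group below.
  acmeCertDir = "/var/lib/acme/extremist.software";
in
{
  services.stalwart = {
    enable = true;

    stateVersion = config.system.stateVersion;

    # Let the module open the listener ports declared below in the NixOS
    # firewall. The management listener is bound to loopback only, so even if
    # its port ends up in the allow-list it is not reachable from outside.
    openFirewall = true;

    settings = {
      server = {
        hostname = "extremist.software";

        tls = {
          enable = true;
          # Global default for listeners that do not set `tls.implicit`
          # themselves: negotiate TLS via STARTTLS. Here that only applies to
          # the port-25 SMTP listener; 465 and 993 override it with implicit
          # TLS, and no STARTTLS submission listener (587) is configured.
          implicit = false;
        };

        listener = {
          # Inbound MX traffic. STARTTLS is offered opportunistically, as is
          # normal for server-to-server SMTP.
          smtp = {
            protocol = "smtp";
            bind = "[::]:25";
          };

          # Client submission over implicit TLS (SMTPS).
          submissions = {
            bind = "[::]:465";
            protocol = "smtp";
            tls.implicit = true;
          };

          # IMAP over implicit TLS.
          imaps = {
            bind = "[::]:993";
            protocol = "imap";
            tls.implicit = true;
          };

          # Admin / management API. This is plain HTTP, so it must stay bound
          # to loopback; put a TLS-terminating reverse proxy in front of it if
          # it ever needs to be reachable remotely.
          management = {
            bind = [ "127.0.0.1:8080" ];
            protocol = "http";
          };
        };
      };

      # Use the certificate procured by security.acme for Caddy.
      certificate."default" = {
        cert = "%{file:${acmeCertDir}/fullchain.pem}%";
        private-key = "%{file:${acmeCertDir}/key.pem}%";
      };

      # Fallback administrator account. The secret is read from the agenix
      # file at runtime rather than being embedded in the Nix store.
      authentication.fallback-admin = {
        user = "admin";
        secret = "%{file:${adminSecretPath}}%";
      };

      # MTA hook: messages addressed to qa@jetpham.com are handed to a local
      # service at the DATA stage.
      session.hook."qa-webhook" = {
        enable = "contains(recipients, 'qa@jetpham.com')";
        # Plain HTTP is acceptable only because the target is loopback; do not
        # point this at a remote host without switching to https.
        url = "http://127.0.0.1:3003/api/webhook";
        stages = [ "data" ];
        auth = {
          username = "qa-webhook";
          secret = "%{file:${webhookSecretPath}}%";
        };
        options = {
          # Fail closed: if the hook is unreachable or errors, the message is
          # presumably temp-failed (sender retries) instead of being accepted
          # without the hook having run.
          "tempfail-on-error" = true;
          # Bounds what is read back from the hook's response
          # (presumably bytes; 1048576 = 1 MiB).
          "max-response-size" = 1048576;
        };
      };
    };
  };

  # Allow Stalwart to read the ACME certificate procured for Caddy and the
  # agenix secrets. Same paths as referenced in the settings above.
  systemd.services.stalwart.serviceConfig = {
    SupplementaryGroups = [ "acme" ];
    ReadOnlyPaths = [
      adminSecretPath
      webhookSecretPath
    ];
  };
}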