55 lines
1.5 KiB
Nix
55 lines
1.5 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
services.stalwart = {
|
|
enable = true;
|
|
# Let stalwart open its own ports if needed for the main services
|
|
openFirewall = true;
|
|
|
|
settings = {
|
|
server = {
|
|
hostname = "extremist.software";
|
|
tls = {
|
|
enable = true;
|
|
implicit = false; # StartTLS usually on 587
|
|
};
|
|
listener = {
|
|
smtp = {
|
|
protocol = "smtp";
|
|
bind = "[::]:25";
|
|
};
|
|
submissions = {
|
|
bind = "[::]:465";
|
|
protocol = "smtp";
|
|
tls.implicit = true;
|
|
};
|
|
imaps = {
|
|
bind = "[::]:993";
|
|
protocol = "imap";
|
|
tls.implicit = true;
|
|
};
|
|
management = {
|
|
bind = [ "127.0.0.1:8080" ];
|
|
protocol = "http";
|
|
};
|
|
};
|
|
};
|
|
|
|
# Use the certificate procured by security.acme for Caddy
|
|
certificate."default" = {
|
|
cert = "%{file:/var/lib/acme/extremist.software/fullchain.pem}%";
|
|
private-key = "%{file:/var/lib/acme/extremist.software/key.pem}%";
|
|
};
|
|
|
|
authentication.fallback-admin = {
|
|
user = "admin";
|
|
secret = "%{file:/run/agenix/stalwart-admin}%";
|
|
};
|
|
};
|
|
};
|
|
|
|
# Allow Stalwart to read the ACME certificate procured for Caddy and the agenix secret
|
|
systemd.services.stalwart.serviceConfig.SupplementaryGroups = [ "acme" ];
|
|
systemd.services.stalwart.serviceConfig.ReadOnlyPaths = [ "/run/agenix/stalwart-admin" ];
|
|
|
|
}
|