60 lines
1.6 KiB
Nix
60 lines
1.6 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
services.stalwart = {
|
|
enable = true;
|
|
# Let stalwart open its own ports if needed for the main services
|
|
openFirewall = true;
|
|
|
|
settings = {
|
|
server = {
|
|
hostname = "extremist.software";
|
|
tls = {
|
|
enable = true;
|
|
implicit = false; # StartTLS usually on 587
|
|
};
|
|
listener = {
|
|
smtp = {
|
|
protocol = "smtp";
|
|
bind = "[::]:25";
|
|
};
|
|
submissions = {
|
|
bind = "[::]:465";
|
|
protocol = "smtp";
|
|
tls.implicit = true;
|
|
};
|
|
imaps = {
|
|
bind = "[::]:993";
|
|
protocol = "imap";
|
|
tls.implicit = true;
|
|
};
|
|
management = {
|
|
bind = [ "127.0.0.1:8080" ];
|
|
protocol = "http";
|
|
};
|
|
};
|
|
};
|
|
|
|
# Use the certificate procured by security.acme for Caddy
|
|
certificate."default" = {
|
|
cert = "%{file:/var/lib/acme/extremist.software/fullchain.pem}%";
|
|
private-key = "%{file:/var/lib/acme/extremist.software/key.pem}%";
|
|
};
|
|
|
|
authentication.fallback-admin = {
|
|
user = "admin";
|
|
secret = config.mySecrets.stalwartAdmin;
|
|
};
|
|
};
|
|
};
|
|
|
|
# Allow Stalwart to read the ACME certificate procured for Caddy
|
|
systemd.services.stalwart.serviceConfig.SupplementaryGroups = [ "acme" ];
|
|
|
|
# Open Firewalls for Mail
|
|
networking.firewall.allowedTCPPorts = [
|
|
993 # IMAP (Secure)
|
|
4190 # Sieve
|
|
8080 # Admin UI (Reverse proxied, but good to double check loopback)
|
|
];
|
|
}
|