{ config, lib, pkgs, nixpkgs-unstable, ... }:

# Stalwart mail server for mail.vapor.systems, run from the nixpkgs-unstable
# module (the stable one is disabled below) with the enterprise build of the
# package. Everything here ends up in the world-readable Nix store, so only
# %{file:...}% references and a password hash appear inline, never secrets.
let
  # Public IPv6 address that every listener binds alongside the IPv4 wildcard.
  ipv6 = "2a01:4f8:1c1c:3ce7::1";
  bindAll = port: [ "0.0.0.0:${port}" "[${ipv6}]:${port}" ];

  # Certificate files provisioned by security.acme for this host; Stalwart
  # resolves %{file:...}% references itself at run time.
  acmeDir = "/var/lib/acme/mail.vapor.systems";
  fileRef = path: "%{file:${path}}%";

  # A listener that speaks `protocol` over implicit TLS on `port`.
  implicitTls = port: protocol: {
    bind = bindAll port;
    inherit protocol;
    tls = {
      enable = true;
      implicit = true;
    };
  };

  # An entry for the (presumably site-local) `secrets` option: the file is
  # installed at `dest` owned by the service user so the %{file:...}%
  # references in the settings can read it.
  ownedSecret = source: dest: {
    inherit source dest;
    owner = config.users.users.stalwart-mail.name;
  };
in
{
  # Swap the stable module for the one shipped in nixpkgs-unstable.
  disabledModules = [ "services/mail/stalwart-mail.nix" ];
  imports = [ "${nixpkgs-unstable}/nixos/modules/services/mail/stalwart-mail.nix" ];

  services.stalwart-mail = {
    enable = true;
    package = pkgs.unstable.stalwart-mail.override { stalwartEnterprise = true; };
    # Opens every port under server.listener, including the plaintext HTTP
    # listener on 80 (see management_plain below).
    openFirewall = true;

    settings = {
      # Keys that stay in the local config file instead of the settings store.
      # Entries prefixed with `!` are exclusions; the order is the author's.
      config.local-keys = [
        "store.*"
        "directory.*"
        "tracer.*"
        "!server.blocked-ip.*"
        "!server.allowed-ip.*"
        "server.*"
        "authentication.fallback-admin.*"
        "cluster.*"
        "config.local-keys.*"
        "storage.data"
        "storage.blob"
        "storage.lookup"
        "storage.fts"
        "storage.directory"
        "certificate.*"
        "webadmin.*"
        "metrics.prometheus.*"
        "resolver.*"
        "http.hsts"
      ];

      # ACME-managed certificate; the service user is added to the `acme`
      # group at the bottom of this file so it can read these paths.
      certificate."mail-vapor-systems" = {
        cert = fileRef "${acmeDir}/fullchain.pem";
        private-key = fileRef "${acmeDir}/key.pem";
      };

      # NOTE(review): the module's spam-filter settings are forced to an empty
      # set, i.e. no built-in spam filtering is configured here — confirm that
      # is intended and that filtering happens elsewhere if it is needed.
      spam-filter = lib.mkForce { };

      http.hsts = true;

      metrics.prometheus = {
        enable = true;
        auth = {
          username = "prometheus";
          secret = fileRef "/etc/secrets/prometheus";
        };
      };

      server = {
        hostname = "mail.vapor.systems";

        tls = {
          enable = true;
          # NOTE(review): `implicit = true` at server level — if listeners
          # inherit this, the smtp/submission/management_plain listeners below
          # (which carry no tls block of their own) would also expect implicit
          # TLS; the explicit overrides on 465/993/443 suggest those three were
          # meant to stay plaintext+STARTTLS. Confirm against the Stalwart
          # version in use.
          implicit = true;
          timeout = "1m";
          # TLS 1.3 only. The second disabled suite is a TLS 1.2 cipher, so it
          # is a no-op once TLSv1.2 is disabled.
          disable-protocols = [ "TLSv1.2" ];
          disable-ciphers = [
            "TLS13_AES_256_GCM_SHA384"
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
          ];
          ignore-client-order = true;
        };

        listener = {
          # Listeners without a tls block: plaintext with STARTTLS.
          smtp = {
            bind = bindAll "25";
            protocol = "smtp";
          };
          submission = {
            bind = bindAll "587";
            protocol = "smtp";
          };

          # Implicit-TLS listeners.
          submissions = implicitTls "465" "smtp";
          imap = implicitTls "993" "imap";

          # NOTE(review): HTTP without TLS on the public addresses. Presumably
          # kept for ACME HTTP-01 and relying on http.hsts for browsers, but
          # whatever the http protocol serves here (web admin, JMAP) is
          # reachable in the clear — confirm this is intended.
          management_plain = {
            bind = bindAll "80";
            protocol = "http";
          };
          management = implicitTls "443" "http";
        };
      };

      # NOTE(review): this selects a directory named "internal", not the
      # "ldap" directory defined below; unless `internal` is provided by the
      # module or the settings store, the LDAP directory may not be the one
      # authenticating users — confirm.
      storage.directory = "internal";

      directory.ldap = {
        type = "ldap";
        # NOTE(review): plain ldap:// with tls.enable = false — the bind
        # secret and, with the template auth method, user passwords cross the
        # network unencrypted; acceptable only if 10.10.0.1 is reached over a
        # trusted link (VPN, host-local bridge) — confirm.
        url = "ldap://10.10.0.1:389";
        timeout = "30s";
        tls.enable = false;
        base-dn = "dc=mail,dc=vapor,dc=systems";

        bind = {
          dn = "cn=mail,ou=users,dc=mail,dc=vapor,dc=systems";
          secret = fileRef "/etc/secrets/ldap";
          auth = {
            method = "template";
            template = "cn={local},ou=users,dc=mail,dc=vapor,dc=systems";
            search = true;
          };
        };

        # `?` is substituted by Stalwart with the login name / address.
        filter = {
          name = "(&(|(objectClass=person)(objectClass=group))(sAMAccountName=?))";
          email = "(&(|(objectClass=person)(objectClass=group))(|(mail=?)(mailAlias=?)))";
        };

        attributes = {
          name = "sAMAccountName";
          class = "objectClass";
          description = [ "displayName" ];
          secret = "userPassword";
          groups = [ "memberOf" ];
          email = "mail";
          email-alias = "mailAlias";
          quota = "diskQuota";
        };
      };

      # Break-glass administrator. The secret is a crypt(3) SHA-512 hash, not
      # a plaintext password; it is still readable by anyone with access to
      # the Nix store, like the rest of this file.
      authentication.fallback-admin = {
        user = "admin";
        secret = "$6$W2nCPyf1a./fdBxp$yLaBwQDxQqj00UnH9hR3XN8NIXGd.X/ts.dKVKjSWsd8DPJbn/YUnFGUAaoTX5jbeRi76qeFnCVLARdDJKLgA/";
      };
    };
  };

  # Secret files referenced by the %{file:...}% entries above.
  secrets = {
    ldap = ownedSecret ../../secrets/authentik/mail "/etc/secrets/ldap";
    prometheus = ownedSecret ../../secrets/prometheus "/etc/secrets/prometheus";
  };

  # Read access to the ACME-managed certificate directory referenced above.
  users.users.stalwart-mail.extraGroups = [ "acme" ];
  security.acme.certs."mail.vapor.systems" = { };
}