nichts/modules/services/stalwart/module.nix

{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib.modules) mkIf;
  inherit (lib.options) mkEnableOption;

  domain = "charlieroot.dev";

  cfg = config.modules.system.services.stalwart;
in {
  options.modules.system.services.stalwart.enable = mkEnableOption "stalwart";
  config = mkIf cfg.enable {
    # create the stallwart user
    users.users.stalwart = {
      home = "/var/lib/stalwart-mail";
      useDefaultShell = true;
      group = "stalwart";
      isSystemUser = true;
    };
    users.groups.stalwart = {};

    services.stalwart-mail = {
      enable = true;
      package = pkgs.stalwart-mail;
      openFirewall = true;
      settings = {
        email = {
          # All incoming messages via SMTP or LMTP are automatically encrypted before they are written to disk,
          # provided the user has uploaded their S/MIME certificate or OpenPGP public key.

          encryption.enable = true;
        };
        server = {
          # The default server hostname is utilized in SMTP EHLO commands,
          # as well as included in message headers and reports.
          hostname = domain;
          tls = {
            # Specifies whether the TLS encryption is available for the listener.
            enable = true;

            # Specifies whether the listener should use implicit or explicit TLS encryption.
            # If set to false (the default), the listener will use explicit TLS encryption,
            # which requires clients to initiate a STARTTLS command before upgrading the connection
            # to an encrypted one. If set to true, the listener will use implicit TLS encryption,
            # which requires the connection to be encrypted from the start.
            implicit = true;
          };

          # Listeners are responsible for receiving incoming TCP connections.
          listener = {
            # Unencrypted SMTP connections are received on port 25 by default.
            # This is the standard port for SMTP, and is used by mail servers to send email to each other.
            smtp = {
              protocol = "smtp";
              bind = ["[::]:25"];
              tls.implicit = true;
            };
            # SMTP submissions with implicit TLS are received on port 465 by default.
            # This is the standard port for SMTP submissions with native implicit TLS,
            # and is used by mail clients to send email to mail servers.

            submissions = {
              bind = ["[::]:465"];
              protocol = "smtp";
              tls.implicit = true;
            };
            imaps = {
              bind = ["[::]:993"];
              protocol = "imap";
              tls.implicit = true;
            };
            management = {
              bind = ["127.0.0.1:8080"];
              protocol = "http";
              tls.implicit = true;
            };
          };
          lookup.default = {
            hostname = "mail.${domain}";
            inherit domain;
          };
        };
        # storage = {
        #   data = "postgresql";
        #   blob = "postgresql";
        #   fts = "postgresql";
        #   lookup = "postgresql";
        #   full-text = {
        #     default-language = "en";
        #   };
        # };
      #   store = {
      #     postgresql = {
      #       # Specifies the database type, set to "postgresql" for PostgreSQL.
      #       type = "postgresql";

      #       # The hostname or IP address of the PostgreSQL server.
      #       host = "localhost";

      #       # Port PostgreSQL runs on. Defaults to 5432.
      #       port = "5432";

      #       # Name of the database to connect to.
      #       # TODO: add this to PostgreSQL.
      #       database = "stalwart";

      #       # The username used for authentication with the PostgreSQL server.
      #       # TODO: add this to PostgreSQL.
      #       user = "stalwart";

      #       password = "";

      #       # Enable TLS
      #       tls.enable = true;
      #     };
      #   };
      };
    };
    services.nginx = {
      enable = true;
      virtualHosts."mail.${domain}" = {
        addSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString 8080}";
        };
      };
    };
  };
}
stalwart: init 2025-05-22 09:44:38 +02:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}: let`
			`inherit (lib.modules) mkIf;`
			`inherit (lib.options) mkEnableOption;`

stalwart: progress 2025-05-22 22:06:58 +02:00			`domain = "charlieroot.dev";`
stalwart: fix domain issues 2025-05-22 18:08:22 +02:00
stalwart: init 2025-05-22 09:44:38 +02:00			`cfg = config.modules.system.services.stalwart;`
			`in {`
			`options.modules.system.services.stalwart.enable = mkEnableOption "stalwart";`
			`config = mkIf cfg.enable {`
stalwart: add stalwart user 2025-05-22 22:43:04 +02:00			`# create the stallwart user`
			`users.users.stalwart = {`
			`home = "/var/lib/stalwart-mail";`
			`useDefaultShell = true;`
			`group = "stalwart";`
			`isSystemUser = true;`
			`};`
			`users.groups.stalwart = {};`

stalwart: init 2025-05-22 09:44:38 +02:00			`services.stalwart-mail = {`
			`enable = true;`
			`package = pkgs.stalwart-mail;`
			`openFirewall = true;`
			`settings = {`
			`email = {`
			`# All incoming messages via SMTP or LMTP are automatically encrypted before they are written to disk,`
			`# provided the user has uploaded their S/MIME certificate or OpenPGP public key.`

			`encryption.enable = true;`
			`};`
			`server = {`
			`# The default server hostname is utilized in SMTP EHLO commands,`
			`# as well as included in message headers and reports.`
stalwart: fix domain issues 2025-05-22 18:08:22 +02:00			`hostname = domain;`
stalwart: init 2025-05-22 09:44:38 +02:00			`tls = {`
			`# Specifies whether the TLS encryption is available for the listener.`
			`enable = true;`

			`# Specifies whether the listener should use implicit or explicit TLS encryption.`
			`# If set to false (the default), the listener will use explicit TLS encryption,`
			`# which requires clients to initiate a STARTTLS command before upgrading the connection`
			`# to an encrypted one. If set to true, the listener will use implicit TLS encryption,`
			`# which requires the connection to be encrypted from the start.`
			`implicit = true;`
			`};`

			`# Listeners are responsible for receiving incoming TCP connections.`
			`listener = {`
			`# Unencrypted SMTP connections are received on port 25 by default.`
			`# This is the standard port for SMTP, and is used by mail servers to send email to each other.`
			`smtp = {`
			`protocol = "smtp";`
progress dump 2025-05-26 12:23:30 +02:00			`bind = ["[::]:25"];`
stalwart: init 2025-05-22 09:44:38 +02:00			`tls.implicit = true;`
			`};`
			`# SMTP submissions with implicit TLS are received on port 465 by default.`
			`# This is the standard port for SMTP submissions with native implicit TLS,`
			`# and is used by mail clients to send email to mail servers.`

			`submissions = {`
progress dump 2025-05-26 12:23:30 +02:00			`bind = ["[::]:465"];`
stalwart: init 2025-05-22 09:44:38 +02:00			`protocol = "smtp";`
			`tls.implicit = true;`
			`};`
			`imaps = {`
progress dump 2025-05-26 12:23:30 +02:00			`bind = ["[::]:993"];`
stalwart: init 2025-05-22 09:44:38 +02:00			`protocol = "imap";`
			`tls.implicit = true;`
			`};`
			`management = {`
progress dump 2025-05-26 12:23:30 +02:00			`bind = ["127.0.0.1:8080"];`
stalwart: init 2025-05-22 09:44:38 +02:00			`protocol = "http";`
			`tls.implicit = true;`
			`};`
			`};`
			`lookup.default = {`
stalwart: progress 2025-05-22 22:06:58 +02:00			`hostname = "mail.${domain}";`
stalwart: init 2025-05-22 09:44:38 +02:00			`inherit domain;`
			`};`
			`};`
progress dump 2025-05-26 12:23:30 +02:00			`# storage = {`
			`# data = "postgresql";`
			`# blob = "postgresql";`
			`# fts = "postgresql";`
			`# lookup = "postgresql";`
			`# full-text = {`
			`# default-language = "en";`
			`# };`
			`# };`
			`# store = {`
			`# postgresql = {`
			`# # Specifies the database type, set to "postgresql" for PostgreSQL.`
			`# type = "postgresql";`
stalwart: init 2025-05-22 09:44:38 +02:00
progress dump 2025-05-26 12:23:30 +02:00			`# # The hostname or IP address of the PostgreSQL server.`
			`# host = "localhost";`
stalwart: init 2025-05-22 09:44:38 +02:00
progress dump 2025-05-26 12:23:30 +02:00			`# # Port PostgreSQL runs on. Defaults to 5432.`
			`# port = "5432";`
stalwart: init 2025-05-22 09:44:38 +02:00
progress dump 2025-05-26 12:23:30 +02:00			`# # Name of the database to connect to.`
			`# # TODO: add this to PostgreSQL.`
			`# database = "stalwart";`
stalwart: init 2025-05-22 09:44:38 +02:00
progress dump 2025-05-26 12:23:30 +02:00			`# # The username used for authentication with the PostgreSQL server.`
			`# # TODO: add this to PostgreSQL.`
			`# user = "stalwart";`
stalwart: init 2025-05-22 09:44:38 +02:00
progress dump 2025-05-26 12:23:30 +02:00			`# password = "";`
stalwart: add stalwart user 2025-05-22 22:43:04 +02:00
progress dump 2025-05-26 12:23:30 +02:00			`# # Enable TLS`
			`# tls.enable = true;`
			`# };`
			`# };`
stalwart: init 2025-05-22 09:44:38 +02:00			`};`
			`};`
			`services.nginx = {`
			`enable = true;`
stalwart: progress 2025-05-22 22:06:58 +02:00			`virtualHosts."mail.${domain}" = {`
stalwart: init 2025-05-22 09:44:38 +02:00			`addSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://localhost:${toString 8080}";`
			`};`
			`};`
			`};`
			`};`
			`}`