···

       
908
       
908
       
 
       
        "type": "github"

     

       
909
       
909
       
 
       
      }

     

       
910
       
910
       
 
       
    },

     

       
911
       
911
       
+
       
    "nixpkgs-stalwart-fix": {

     

       
912
       
912
       
+
       
      "locked": {

     

       
913
       
913
       
+
       
        "lastModified": 1755293787,

     

       
914
       
914
       
+
       
        "narHash": "sha256-L+msFwg9jXAj4JmDFQF9BIg2kQhgUzexVmDYePfKMW8=",

     

       
915
       
915
       
+
       
        "owner": "pyrox0",

     

       
916
       
916
       
+
       
        "repo": "nixpkgs",

     

       
917
       
917
       
+
       
        "rev": "52f6d43ca3db097cde5d0bfb30db0af5bdf41103",

     

       
918
       
918
       
+
       
        "type": "github"

     

       
919
       
919
       
+
       
      },

     

       
920
       
920
       
+
       
      "original": {

     

       
921
       
921
       
+
       
        "owner": "pyrox0",

     

       
922
       
922
       
+
       
        "ref": "fix/stalwart-module",

     

       
923
       
923
       
+
       
        "repo": "nixpkgs",

     

       
924
       
924
       
+
       
        "type": "github"

     

       
925
       
925
       
+
       
      }

     

       
926
       
926
       
+
       
    },

     

       
911
       
927
       
 
       
    "nixpkgs_2": {

     

       
912
       
928
       
 
       
      "locked": {

     

       
913
       
929
       
 
       
        "lastModified": 1747179050,

     
···

       
988
       
1004
       
 
       
        "nix-search": "nix-search",

     

       
989
       
1005
       
 
       
        "nixpkgs": "nixpkgs_4",

     

       
990
       
1006
       
 
       
        "nixpkgs-lib": "nixpkgs-lib",

     

       
1007
       
1007
       
+
       
        "nixpkgs-stalwart-fix": "nixpkgs-stalwart-fix",

     

       
991
       
1008
       
 
       
        "snowfall-lib": "snowfall-lib",

     

       
992
       
1009
       
 
       
        "stable": "stable",

     

       
993
       
1010
       
 
       
        "systems": "systems_2",

     

···

       
25
       
25
       
 
       
      inputs.flake-compat.follows = "flake-compat";

     

       
26
       
26
       
 
       
    };

     

       
27
       
27
       
 
       
    nixpkgs.url = "https://nixpkgs.dev/channel/nixpkgs-unstable";

     

       
28
       
28
       
+
       
    nixpkgs-stalwart-fix.url = "github:pyrox0/nixpkgs/fix/stalwart-module";

     

       
28
       
29
       
 
       
    stable.url = "github:nixos/nixpkgs/nixos-24.05";

     

       
29
       
30
       
 
       
    # Overrides

     

       
30
       
31
       
 
       
    flake-compat.url = "github:edolstra/flake-compat";

     

···

       
1
       
1
       
-
       
{ pkgs, system, ... }:

     

       
1
       
1
       
+
       
{

     

       
2
       
2
       
+
       
  pkgs,

     

       
3
       
3
       
+
       
  system,

     

       
4
       
4
       
+
       
  inputs,

     

       
5
       
5
       
+
       
  ...

     

       
6
       
6
       
+
       
}:

     

       
2
       
7
       
 
       
{

     

       
8
       
8
       
+
       
  disabledModules = [

     

       
9
       
9
       
+
       
    "services/mail/stalwart-mail.nix"

     

       
10
       
10
       
+
       
  ];

     

       
3
       
11
       
 
       
  imports = [

     

       
12
       
12
       
+
       
    "${inputs.nixpkgs-stalwart-fix}/nixos/modules/services/mail/stalwart-mail.nix"

     

       
4
       
13
       
 
       
    # Machine-specific configurations.

     

       
5
       
14
       
 
       
    ./bootloader.nix

     

       
6
       
15
       
 
       
    ./firewall.nix

     

···

       
1
       
1
       
 
       
age-encryption.org/v1

     

       
2
       
2
       
-
       
-> ssh-ed25519 LcWOqQ i/qdqW02ufOTMiy8czjhOa/AJRZTuAFQ5MNrQjNjgXI

     

       
3
       
3
       
-
       
ZcYytLIizQ25y/kwXmYy9q6e4fyvJju1HIYja2ucEcY

     

       
2
       
2
       
+
       
-> ssh-ed25519 LcWOqQ W9y79zRYtD++Eh6rHy123fXPpbjF/VKym6yKbiJdeko

     

       
3
       
3
       
+
       
RblRsoHs16Zi2sG3wqdcW60hRUWG2QQQS/Rvro5fPlk

     

       
4
       
4
       
 
       
-> ssh-rsa fFaiTA

     

       
5
       
5
       
-
       
od7jPtXTEEZ6xYCXScOFmNs1EFThNKoFlw1MRXBmlRW8+PlLyuQ6m3d3DsPpXXdk

     

       
6
       
6
       
-
       
VN/HUF5vSv8pHVXBuoBSCOG5c4uYfN1unsuHkj1R/rnlP7MP8R4KSnzgLWRgRGfg

     

       
7
       
7
       
-
       
xOGXvK+nUDqjEY7SousJ5n4E03FeuiQVrYV/YNZWhTgpuciX3BCcYQkgzZxsUAt/

     

       
8
       
8
       
-
       
tyMpEwGirr2PbAOPzeDN394yNfWQgU5PderJJuyiEywFn8kZJDlZZmex+PBuAzxQ

     

       
9
       
9
       
-
       
XJ+jmi0D7M/FsSzfv/G8xfaWCns/6FIvClK+vIhnInxVHz6aQnGSFHMsNTHaQTzI

     

       
10
       
10
       
-
       
+ps6A6cKrCpuhd0nuaibd9WE/EkU54q5lFiUQPVpr+8qBbYD+Jcqk763Z3dGYE6P

     

       
11
       
11
       
-
       
aNL8Xun0HjcifqEs67fsMLmUEnDaI5+xadPW90oCJcDtc/FYtUalUS/sf9LTlbzP

     

       
12
       
12
       
-
       
XOyj2xhRCRl+wxSLhZw28c/3L0eqsDzN3tZzLPHfXn3qR5D4ohfS/Cw5OZHENyrM

     

       
13
       
13
       
-
       
5EpjSPUr0OF7ySL7L2DGAG1zY0FhqcMJgl2ccVhyBzinzPWIEfnc29yrEvwG1ALq

     

       
14
       
14
       
-
       
bOAwDzMrJPhFgnLe4AdAeiOKcdUwa+/5wMepxCuzKyjCvTJxuet367ledF53fLMn

     

       
15
       
15
       
-
       
uXeltHwG5M4kCw7YoFGGoo0y8SrDLJEP78U8gfQEMwU

     

       
16
       
16
       
-
       
-> ssh-ed25519 wpmdHA oU+tow9XZ1O9mtSRV9U8tJGSoKALwBVncVbKQZd37Dc

     

       
17
       
17
       
-
       
ycDQoOW0EjZFTJjA6meC2E5naJrNy7Lg9VS4HlKZStI

     

       
18
       
18
       
-
       
--- nLQZlSx//ps1f1UOReCuNOYtGIP+XJlloVIbkiDNRsU

     

       
19
       
19
       
-
       
Ie�f�_�I���\Ќl,j3�u���E�������k�IZO�G�u���
��y��?���̟�ƨk�

     

       
20
       
20
       
-
       
ޱ?�;��
     

       
5
       
5
       
+
       
gfo7VZ2QjUSHTSuY5fL9clW/RwnMLbFEBcM6tGwXdaJBtnGJiK3TE/haiX078y9l

     

       
6
       
6
       
+
       
Yw8qA04rQ0d4PSN2aUvLhbj1la8WfkutwZM1E4otuiI0waPLVBK7lyImSucMJVRW

     

       
7
       
7
       
+
       
ZyYJuRUNAbyGZcj6qrbTPOK2qv4NORbVNJrXA5utUOn7+SimpifUcN60mSY1LTXG

     

       
8
       
8
       
+
       
AmWa+qo7iWTkSngEG+ZaqnCqKRBGn9j3b9h925ah13PKaP9Y1g3L2EtSj/Z0BMPS

     

       
9
       
9
       
+
       
PGTuObBgc1a+mQswcDY1tLq2gdohPAoRV/6djRdL7cnkVK3gcrPq+qca6Vy4xV1N

     

       
10
       
10
       
+
       
w1IPPb4TTEPuTdqJRHQ/56b3QK9+ahpDUQMfUGcJ7nQeVqYksu8fbEhkCNTW2nK7

     

       
11
       
11
       
+
       
Z+XC9BbksI/xlIC0t7HjMf99c2rLxbBY3lkh8EiH3vlCEURAqbAw4yRjSeUU24SP

     

       
12
       
12
       
+
       
ieEI3fFp1ShFxVKQ15mcICGD6bCK55S7lk6RFYMsPFn+gaNWpy1k6KPPom6Bw0pf

     

       
13
       
13
       
+
       
uHQ2Mc8eTPe6pmeLkV133TIvf5fWZTpOaw9fV9DLyggd04yTYsfbn2g7TBEC/PaK

     

       
14
       
14
       
+
       
9UjuxtlyZOLWzvoa6leKhqJDhJnQcYKSXGczjMtWzwwdhDlK7gM84uSw/NHjc/uP

     

       
15
       
15
       
+
       
mswdQXpTIZ3AawGtgJy1hx0gxOBNNTJTu3T0kR2TP9E

     

       
16
       
16
       
+
       
-> ssh-ed25519 wpmdHA QHgeXP4+KHH7z+oNDoJiQx2W5rywdt8ufTFqMKJSAg4

     

       
17
       
17
       
+
       
8Ws80AAf/4LYBu+BIxFaCf5+X6STrurg2Oel8wQ4LVI

     

       
18
       
18
       
+
       
--- gtLhAHFMWYrIqO7DB2HyBXvh3rFaTY9T99R/1Nn8Jq0

     

       
19
       
19
       
+
       
(�h�=gx��:�d9�y��^c�m���2b��$�� K�M3:�f*�VH�8�h���9��!�i�U����k?��
     

···

       
2
       
2
       
 
       
{

     

       
3
       
3
       
 
       
  security.acme = {

     

       
4
       
4
       
 
       
    acceptTerms = true;

     

       
5
       
5
       
-
       
    certs."mail.pyrox.dev" = {

     

       
5
       
5
       
+
       
    certs."pyroxdev-mail" = {

     

       
6
       
6
       
+
       
      domain = "mail.pyrox.dev";

     

       
6
       
7
       
 
       
      extraDomainNames = [

     

       
7
       
8
       
 
       
        "mail2.pyrox.dev"

     

       
8
       
9
       
 
       
        "mta-sts.pyrox.dev"

     

       
9
       
10
       
 
       
        "autoconfig.pyrox.dev"

     

       
10
       
11
       
 
       
        "autodiscover.pyrox.dev"

     

       
11
       
12
       
 
       
      ];

     

       
12
       
12
       
-
       
      reloadServices = [ "stalwart-mail.service" ];

     

       
13
       
13
       
+
       
      reloadServices = [ "stalwart-mail" ];

     

       
13
       
14
       
 
       
    };

     

       
14
       
15
       
 
       
    defaults = {

     

       
15
       
16
       
 
       
      # LE Production Server

     
···

       
19
       
20
       
 
       
      dnsProvider = "desec";

     

       
20
       
21
       
 
       
      # Enable DNS Propagation checks(ensure DNS records exist before requesting certs)

     

       
21
       
22
       
 
       
      dnsPropagationCheck = true;

     

       
23
       
23
       
+
       
      dnsResolver = "9.9.9.9:53";

     

       
22
       
24
       
 
       
      # Agenix-encrypted credentials for ACME

     

       
23
       
25
       
 
       
      credentialsFile = config.age.secrets.acme-creds.path;

     

       
24
       
24
       
-
       
      dnsResolver = "9.9.9.9:53";

     

       
25
       
26
       
 
       
    };

     

       
26
       
27
       
 
       
  };

     

       
27
       
28
       
 
       
  age.secrets.acme-creds = {

     

···

       
9
       
9
       
 
       
  sec = config.age.secrets;

     

       
10
       
10
       
 
       
  creds = config.services.stalwart-mail.credentials;

     

       
11
       
11
       
 
       
  credsDir = "/run/credentials/stalwart-mail.service";

     

       
12
       
12
       
-
       
  certDir = config.security.acme.certs."mail.pyrox.dev".directory;

     

       
12
       
12
       
+
       
  certDir = config.security.acme.certs."pyroxdev-mail".directory;

     

       
13
       
13
       
 
       
  isAuthenticated = d: {

     

       
14
       
14
       
 
       
    "if" = "!is_empty(authenticated_as)";

     

       
15
       
15
       
 
       
    "then" = d;

     
···

       
35
       
35
       
 
       
    enable = true;

     

       
36
       
36
       
 
       
    dataDir = "/var/lib/stalwart";

     

       
37
       
37
       
 
       
    settings = {

     

       
38
       
38
       
-
       
      tracer.stdout.level = "debug";

     

       
38
       
38
       
+
       
      tracer.stdout.level = "info";

     

       
39
       
39
       
 
       
      authentication.fallback-admin = {

     

       
40
       
40
       
 
       
        user = "fallback";

     

       
41
       
41
       
 
       
        secret = "%{file:${sec.stalwart-fallback-admin-pw.path}}%";

     
···

       
191
       
191
       
 
       
        card-is-ham = true;

     

       
192
       
192
       
 
       
      };

     

       
193
       
193
       
 
       
    };

     

       
194
       
194
       
+
       
  };

     

       
195
       
195
       
+
       
  systemd.services.stalwart-mail.serviceConfig = {

     

       
196
       
196
       
+
       
    Restart = lib.mkForce "always";

     

       
197
       
197
       
+
       
    RestartSec = lib.mkForce 1;

     

       
194
       
198
       
 
       
  };

     

       
195
       
199
       
 
       
  age.secrets = {

     

       
196
       
200
       
 
       
    stalwart-secret-rsa = smSecret // {

     

···

       
64
       
64
       
 
       
  proxy.trusted-networks = [

     

       
65
       
65
       
 
       
    "fd7a:115c:a1e0::/48"

     

       
66
       
66
       
 
       
    "100.64.0.0/10"

     

       
67
       
67
       
+
       
    "127.0.0.1/8"

     

       
67
       
68
       
 
       
  ];

     

       
68
       
69
       
 
       
}

     

···

       
21
       
21
       
 
       
  # systemd.tmpfiles.rules = ["L+ /lib64 - - - - /run/current-system/sw/lib64"];

     

       
22
       
22
       
 
       


     

       
23
       
23
       
 
       
  virtualisation.virtualbox = {

     

       
24
       
24
       
-
       
    host.enable = true;

     

       
24
       
24
       
+
       
    host.enable = false;

     

       
25
       
25
       
 
       
    host.enableExtensionPack = false;

     

       
26
       
26
       
 
       
    guest = {

     

       
27
       
27
       
 
       
      enable = false;