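# NixOS module: runs the Stalwart mail server and publishes its HTTP
# management listener through an nginx virtual host.
# Everything here is active only when config.conf.email.enable is set.
{
  config,
  lib,
  ...
}: let
  inherit (lib) mkIf;
  inherit (lib.lists) forEach;
  cfg = config.conf.email;
in
  mkIf cfg.enable {
    services.nginx = {
      virtualHosts.${cfg.domain} = {
        serverName = cfg.domain;
        # NOTE(review): the certificate selected by useACMEHost must also list
        # these four names, otherwise clients get a hostname mismatch. The
        # certificate definition is not in this file; verify it there.
        serverAliases = forEach ["mail" "webadmin" "autoconfig" "autodiscover"] (sub: "${sub}.${cfg.domain}");
        forceSSL = true;
        useACMEHost = cfg.domain;
        locations = {
          "/" = {
            # Literal IPv4 loopback, matching the management listener's bind
            # below. "localhost" can also resolve to ::1, where nothing listens.
            # NOTE(review): every path is forwarded to the management listener
            # with no allow-list in this file; access control rests entirely on
            # Stalwart's own authentication. Confirm that is intended.
            proxyPass = "http://127.0.0.1:${toString cfg.ports.local}";
          };
        };
      };
    };

    # Presumably grants the service user read access to the ACME files
    # referenced under certificate.default (verify the certificate's group).
    # It also grants access to anything else readable by the nginx group.
    users.users."stalwart-mail".extraGroups = ["nginx"];

    services.stalwart-mail = {
      enable = true;
      # NOTE(review): this should open the firewall for the listener ports
      # declared below. Check that each one is meant to be internet-reachable.
      openFirewall = true;
      settings = {
        server = {
          hostname = cfg.domain;
          tls = {
            enable = true;
          };
          listener = {
            smtp = {
              protocol = "smtp";
              bind = ["[::]:25"];
            };
            # NOTE(review): LMTP is bound on all interfaces. It is normally a
            # local or trusted-network delivery protocol; confirm that external
            # reachability is required, otherwise bind it to loopback.
            lmtp = {
              protocol = "lmtp";
              bind = ["[::]:24"];
            };
            # HTTP (JMAP) listener with implicit TLS, bound on all interfaces.
            jmap = {
              protocol = "http";
              bind = ["[::]:8080"];
              tls.implicit = true;
            };
            # No implicit TLS on 143 or 587, so these presumably rely on
            # STARTTLS. Confirm that authentication over an unencrypted session
            # is refused.
            imap = {
              protocol = "imap";
              bind = ["[::]:143"];
            };
            imaps = {
              protocol = "imap";
              bind = ["[::]:993"];
              tls.implicit = true;
            };
            submission = {
              protocol = "smtp";
              bind = ["[::]:587"];
            };
            submissions = {
              protocol = "smtp";
              bind = ["[::]:465"];
              tls.implicit = true;
            };
            # Plain-HTTP management listener, loopback only; nginx above
            # terminates TLS in front of it.
            management = {
              protocol = "http";
              bind = "127.0.0.1:${toString cfg.ports.local}";
            };
          };
        };

        lookup.default = {
          hostname = cfg.domain;
          domain = cfg.domain;
        };

        certificate.default = {
          default = true;
          # fullchain.pem (leaf plus intermediates) rather than cert.pem (leaf
          # only): serving only the leaf makes chain validation fail for
          # clients that do not already hold the intermediate.
          # The %{file:...}% macro is passed through as a literal string, so
          # the key material is not copied into the Nix store.
          # NOTE(review): nothing here reloads Stalwart after an ACME renewal;
          # confirm the certificate definition handles that.
          cert = "%{file:/var/lib/acme/${cfg.domain}/fullchain.pem}%";
          private-key = "%{file:/var/lib/acme/${cfg.domain}/key.pem}%";
        };

        # All storage roles point at a store named "db", which is not defined
        # in this file. Presumably it comes from the NixOS module defaults;
        # verify.
        storage = {
          data = "db";
          fts = "db";
          block = "db";
          lookup = "db";
          directory = "internal";
        };

        directory."internal" = {
          type = "internal";
          store = "db";
        };

        tracer."stdout" = {
          type = "stdout";
          level = "info";
          ansi = false;
          enable = true;
        };

        # The inner single quotes are part of the value written to the
        # Stalwart configuration.
        session.rcpt = {
          directory = "'internal'";
        };

        spam-filter = {
          score.spam = "10.0";
        };
      };
    };
  }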