1 files changed, 64 insertions, 38 deletions

diff --git a/modules/by-name/st/stalwart-mail/module.nix b/modules/by-name/st/stalwart-mail/module.nix
index 1ad76c7..4565bf4 100644
--- a/modules/by-name/st/stalwart-mail/module.nix
+++ b/modules/by-name/st/stalwart-mail/module.nix
@@ -18,7 +18,7 @@ in {
   options.vhack.stalwart-mail = {
     enable = lib.mkEnableOption "starwart-mail";
 
-    package = lib.mkPackageOption vhackPackages "stalwart-mail-free" {};
+    package = lib.mkPackageOption vhackPackages "stalwart-mail-patched" {};
 
     admin = lib.mkOption {
       description = ''
@@ -41,8 +41,8 @@ in {
     };
 
     principals = lib.mkOption {
-      default = [];
-      type = lib.types.listOf (lib.types.submodule {
+      default = null;
+      type = lib.types.nullOr (lib.types.listOf (lib.types.submodule {
         options = {
           name = lib.mkOption {
             type = lib.types.str;
@@ -61,7 +61,32 @@ in {
           };
 
           secret = lib.mkOption {
-            type = lib.types.str;
+            type = let
+              prefix = pre: lib.types.strMatching "^${lib.strings.escapeRegex pre}.*";
+            in
+              lib.types.oneOf [
+                (prefix "$argon2")
+                (prefix "$pbkdf2")
+                (prefix "$scrypt")
+                (prefix "$2") # bcrypt
+                (prefix "$6$") # sha-512
+                (prefix "$5$") # sha-256
+                (prefix "$sha1")
+                (prefix "$1") # md5
+                (prefix "_") # BSDi crypt
+                (prefix "{SHA}") # base64 sha
+                (prefix "{SSHA}") # base64 salted sha
+
+                # unix crypt
+                (prefix "{CRYPT}")
+                (prefix "{crypt}")
+
+                # Plain text
+                (prefix "{PLAIN}")
+                (prefix "{plain}")
+                (prefix "{CLEAR}")
+                (prefix "{clear}")
+              ];
             description = ''
               Sets the password for the user account.
               Passwords can be stored hashed or in plain text (not recommended).
@@ -77,7 +102,7 @@ in {
             '';
           };
         };
-      });
+      }));
     };
 
     dataDirectory = lib.mkOption {
@@ -160,25 +185,16 @@ in {
         # However, this decision could obviously be reversed in the future. <2025-02-08>
         enable = false;
         inherit (cfg) package;
-        # dataDir = cfg.dataDirectory;
       };
 
-      # FIXME(@bpeetz): This is currently needed for a successful acme http-01 challenge.
-      # We could also use the DNS challenge. <2025-03-01>
       nginx.virtualHosts."${cfg.fqdn}" = {
-        enableACME = false;
-        extraConfig =
-          # This is copied directly from the nixos nginx module.
-          # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
-          # We use ^~ here, so that we don't check any regexes (which could
-          # otherwise easily override this intended match accidentally).
-          ''
-            location ^~ /.well-known/acme-challenge/ {
-              root ${config.security.acme.certs.${cfg.fqdn}.webroot};
-              auth_basic off;
-              auth_request off;
-            }
-          '';
+        locations."/" = {
+          proxyPass = "http://${builtins.elemAt config.services.stalwart-mail.settings.server.listener.http.bind 0}";
+          recommendedProxySettings = true;
+        };
+
+        useACMEHost = "${cfg.fqdn}";
+        forceSSL = true;
       };
 
       redis = {
@@ -209,7 +225,7 @@ in {
     security.acme.certs = {
       "${cfg.fqdn}" = {
         domain = cfg.fqdn;
-        group = "stalwart-mail";
+        group = "stalwart-mail-certificates";
       };
     };
 
@@ -239,7 +255,7 @@ in {
       {
         directory = "${config.services.redis.servers."stalwart-mail".settings.dir}";
         user = "stalwart-mail";
-        group = "redis";
+        group = "redis-stalwart-mail";
         mode = "0770";
       }
     ];
@@ -249,20 +265,31 @@ in {
     # service is restarted on a potentially large number of files.
     # That would cause unnecessary and unwanted delays.
     users = {
-      groups.stalwart-mail = {
-        gid = config.vhack.constants.ids.gids.stalwart-mail;
-      };
-      users.stalwart-mail = {
-        isSystemUser = true;
-        group = "stalwart-mail";
-        uid = config.vhack.constants.ids.uids.stalwart-mail;
-      };
-      groups.redis-stalwart-mail = {
-        gid = config.vhack.constants.ids.gids.redis-stalwart-mail;
+      groups = {
+        stalwart-mail = {
+          gid = config.vhack.constants.ids.gids.stalwart-mail;
+        };
+        stalwart-mail-certificates = {
+          gid = config.vhack.constants.ids.gids.stalwart-mail-certificates;
+        };
+        redis-stalwart-mail = {
+          gid = config.vhack.constants.ids.gids.redis-stalwart-mail;
+        };
       };
-      users.redis-stalwart-mail = {
-        group = "redis-stalwart-mail";
-        uid = config.vhack.constants.ids.uids.redis-stalwart-mail;
+      users = {
+        nginx = {
+          extraGroups = ["stalwart-mail-certificates"];
+        };
+        stalwart-mail = {
+          isSystemUser = true;
+          group = "stalwart-mail";
+          uid = config.vhack.constants.ids.uids.stalwart-mail;
+          extraGroups = ["stalwart-mail-certificates"];
+        };
+        redis-stalwart-mail = {
+          group = "redis-stalwart-mail";
+          uid = config.vhack.constants.ids.uids.redis-stalwart-mail;
+        };
       };
     };
 
@@ -321,8 +348,7 @@ in {
             ${lib.getExe cfg.package} --config="$CACHE_DIRECTORY/mutable_config_file.toml"
           '';
 
-          Restart = "on-failure";
-          RestartSec = 5;
+          Restart = "no";
 
           KillMode = "process";
           KillSignal = "SIGINT";