about summary refs log tree commit diff stats
path: root/modules/by-name/st/stalwart-mail/settings.nix
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/by-name/st/stalwart-mail/settings.nix56
1 files changed, 38 insertions, 18 deletions
diff --git a/modules/by-name/st/stalwart-mail/settings.nix b/modules/by-name/st/stalwart-mail/settings.nix
index 7032ae0..907cea9 100644
--- a/modules/by-name/st/stalwart-mail/settings.nix
+++ b/modules/by-name/st/stalwart-mail/settings.nix
@@ -18,6 +18,11 @@
     if cfg.security != null
     then cfg.security.verificationMode
     else "disable";
+
+  directory =
+    if cfg.principals == null
+    then "internal"
+    else "in-memory";
 in {
   config.services.stalwart-mail.settings = lib.mkIf cfg.enable {
     # https://www.rfc-editor.org/rfc/rfc6376.html#section-3.3
@@ -219,7 +224,7 @@ in {
         require = true;
       };
       rcpt = {
-        directory = "'in-memory'";
+        directory = "'${directory}'";
         catch-all = true;
         subaddressing = true;
       };
@@ -236,7 +241,7 @@ in {
         };
         auth = {
           mechanisms = ["LOGIN" "PLAIN"];
-          directory = "'in-memory'";
+          directory = "'${directory}'";
           require = true;
           must-match-sender = true;
           errors = {
@@ -339,13 +344,13 @@ in {
       hostname = cfg.fqdn;
 
       listener = {
-        # TODO(@bpeetz): Add this <2025-02-08>
-        # # HTTP (used for jmap)
-        # "http" = {
-        #   bind = ["[::]:8080"];
-        #   protocol = "http";
-        #   tls.implicit = true;
-        # };
+        # HTTP (used for jmap)
+        "http" = {
+          bind = ["127.0.0.1:8112"];
+          protocol = "http";
+          # handled by ngnix
+          tls.implicit = false;
+        };
 
         # IMAP
         "imap" = {
@@ -401,11 +406,12 @@ in {
         certificate = "default";
       };
 
-      # TODO(@bpeetz): Configure that <2025-02-07>
-      # http = {
-      #   url = "";
-      #   allowed-endpoint = ["404"];
-      # };
+      http = {
+        url = "protocol + '://' + config_get('server.hostname') + ':' + local_port";
+
+        # We are behind a nginx proxy, and can thus trust this header.
+        use-x-forwarded = true;
+      };
 
       auto-ban = {
         # Ban if the same IP fails to login 10 times in a day
@@ -467,6 +473,14 @@ in {
         # Perform “maintenance” every day at 3 am local time.
         purge.frequency = "0 3 *";
       };
+      "rocksdb-directory" = lib.mkIf (cfg.principals == null) {
+        type = "rocksdb";
+        path = "${cfg.dataDirectory}/storage/directory";
+        compression = "lz4";
+
+        # Perform “maintenance” every day at 1 am local time.
+        purge.frequency = "0 1 *";
+      };
       "rocksdb-full-text-search" = {
         type = "rocksdb";
         path = "${cfg.dataDirectory}/storage/full-text-search";
@@ -505,7 +519,7 @@ in {
       full-text.default-language = "en";
       fts = "rocksdb-full-text-search";
 
-      directory = "in-memory";
+      directory = "${directory}";
 
       lookup = "redis";
 
@@ -516,9 +530,15 @@ in {
       encryption.enable = false;
     };
 
-    directory."in-memory" = {
-      type = "memory";
-      inherit (cfg) principals;
+    directory = {
+      "in-memory" = lib.mkIf (cfg.principals != null) {
+        type = "memory";
+        inherit (cfg) principals;
+      };
+      "internal" = lib.mkIf (cfg.principals == null) {
+        type = "internal";
+        store = "rocksdb-directory";
+      };
     };
 
     certificate = {