2 files changed, 90 insertions, 50 deletions
diff --git a/modules/by-name/st/stalwart-mail/module.nix b/modules/by-name/st/stalwart-mail/module.nix
index 1e39e81..396116d 100644
--- a/modules/by-name/st/stalwart-mail/module.nix
+++ b/modules/by-name/st/stalwart-mail/module.nix
@@ -10,6 +10,33 @@
 
   configFormat = pkgs.formats.toml {};
   configFile = configFormat.generate "stalwart-mail.toml" topCfg.settings;
+
+  hashedPassword = let
+    prefix = pre: lib.types.strMatching "^${lib.strings.escapeRegex pre}.*";
+  in
+    lib.types.oneOf [
+      (prefix "$argon2")
+      (prefix "$pbkdf2")
+      (prefix "$scrypt")
+      (prefix "$2") # bcrypt
+      (prefix "$6$") # sha-512
+      (prefix "$5$") # sha-256
+      (prefix "$sha1")
+      (prefix "$1") # md5
+      (prefix "_") # BSDi crypt
+      (prefix "{SHA}") # base64 sha
+      (prefix "{SSHA}") # base64 salted sha
+
+      # unix crypt
+      (prefix "{CRYPT}")
+      (prefix "{crypt}")
+
+      # Plain text
+      (prefix "{PLAIN}")
+      (prefix "{plain}")
+      (prefix "{CLEAR}")
+      (prefix "{clear}")
+    ];
 in {
   imports = [
     ./settings.nix
@@ -24,14 +51,20 @@ in {
       description = ''
         Email address to advertise as administrator. This is the address, where dkim, spv
         etc. refusal reports are sent to.
-
-        The format should be: `mailto:<name>@<domain>`
       '';
       type = lib.types.str;
-      example = "mailto:dmarc+rua@example.com";
+      example = "dmarc+rua@example.com";
       default = "";
     };
 
+    initialAdminPassword = lib.mkOption {
+      type = hashedPassword;
+      description = ''
+        The hash of the password for the admin account, used to bootstrap account
+        creation.
+      '';
+    };
+
     fqdn = lib.mkOption {
       type = lib.types.str;
       example = "mail.foss-syndicate.org";
@@ -61,7 +94,7 @@ in {
           };
 
           secret = lib.mkOption {
-            type = lib.types.str;
+            type = hashedPassword;
             description = ''
               Sets the password for the user account.
               Passwords can be stored hashed or in plain text (not recommended).
@@ -160,25 +193,16 @@ in {
         # However, this decision could obviously be reversed in the future. <2025-02-08>
         enable = false;
         inherit (cfg) package;
-        # dataDir = cfg.dataDirectory;
       };
 
-      # FIXME(@bpeetz): This is currently needed for a successful acme http-01 challenge.
-      # We could also use the DNS challenge. <2025-03-01>
       nginx.virtualHosts."${cfg.fqdn}" = {
-        enableACME = false;
-        extraConfig =
-          # This is copied directly from the nixos nginx module.
-          # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
-          # We use ^~ here, so that we don't check any regexes (which could
-          # otherwise easily override this intended match accidentally).
-          ''
-            location ^~ /.well-known/acme-challenge/ {
-              root ${config.security.acme.certs.${cfg.fqdn}.webroot};
-              auth_basic off;
-              auth_request off;
-            }
-          '';
+        locations."/" = {
+          proxyPass = "http://${builtins.elemAt config.services.stalwart-mail.settings.server.listener.http.bind 0}";
+          recommendedProxySettings = true;
+        };
+
+        useACMEHost = "${cfg.fqdn}";
+        forceSSL = true;
       };
 
       redis = {
@@ -209,7 +233,7 @@ in {
     security.acme.certs = {
       "${cfg.fqdn}" = {
         domain = cfg.fqdn;
-        group = "stalwart-mail";
+        group = "stalwart-mail-certificates";
       };
     };
 
@@ -249,20 +273,31 @@ in {
     # service is restarted on a potentially large number of files.
     # That would cause unnecessary and unwanted delays.
     users = {
-      groups.stalwart-mail = {
-        gid = config.vhack.constants.ids.gids.stalwart-mail;
-      };
-      users.stalwart-mail = {
-        isSystemUser = true;
-        group = "stalwart-mail";
-        uid = config.vhack.constants.ids.uids.stalwart-mail;
-      };
-      groups.redis-stalwart-mail = {
-        gid = config.vhack.constants.ids.gids.redis-stalwart-mail;
+      groups = {
+        stalwart-mail = {
+          gid = config.vhack.constants.ids.gids.stalwart-mail;
+        };
+        stalwart-mail-certificates = {
+          gid = config.vhack.constants.ids.gids.stalwart-mail-certificates;
+        };
+        redis-stalwart-mail = {
+          gid = config.vhack.constants.ids.gids.redis-stalwart-mail;
+        };
       };
-      users.redis-stalwart-mail = {
-        group = "redis-stalwart-mail";
-        uid = config.vhack.constants.ids.uids.redis-stalwart-mail;
+      users = {
+        nginx = {
+          extraGroups = ["stalwart-mail-certificates"];
+        };
+        stalwart-mail = {
+          isSystemUser = true;
+          group = "stalwart-mail";
+          uid = config.vhack.constants.ids.uids.stalwart-mail;
+          extraGroups = ["stalwart-mail-certificates"];
+        };
+        redis-stalwart-mail = {
+          group = "redis-stalwart-mail";
+          uid = config.vhack.constants.ids.uids.redis-stalwart-mail;
+        };
       };
     };
 
@@ -321,8 +356,7 @@ in {
             ${lib.getExe cfg.package} --config="$CACHE_DIRECTORY/mutable_config_file.toml"
           '';
 
-          Restart = "on-failure";
-          RestartSec = 5;
+          Restart = "no";
 
           KillMode = "process";
           KillSignal = "SIGINT";
diff --git a/modules/by-name/st/stalwart-mail/settings.nix b/modules/by-name/st/stalwart-mail/settings.nix
index 17f045d..765d8db 100644
--- a/modules/by-name/st/stalwart-mail/settings.nix
+++ b/modules/by-name/st/stalwart-mail/settings.nix
@@ -100,7 +100,7 @@ in {
         from-name = "'TLS Report'";
         from-address = "'noreply-tls@${cfg.fqdn}'";
         org-name = "'Foss Syndicate Mail Handling'";
-        contact-info = "'${cfg.admin}'";
+        contact-info = "'mailto:${cfg.admin}'";
         send = "daily";
         max-size = 26214400; # 25 MiB
         sign = lib.mkIf (cfg.security != null) "'${cfg.fqdn}'";
@@ -110,7 +110,7 @@ in {
           from-name = "'DMARC Report'";
           from-address = "'noreply-dmarc@${cfg.fqdn}'";
           org-name = "'Foss Syndicate Mail Handling'";
-          contact-info = "'${cfg.admin}'";
+          contact-info = "'mailto:${cfg.admin}'";
           send = "weekly";
           max-size = 26214400; # 25MiB
           sign = lib.mkIf (cfg.security != null) "'${cfg.fqdn}'";
@@ -344,13 +344,13 @@ in {
       hostname = cfg.fqdn;
 
       listener = {
-        # TODO(@bpeetz): Add this <2025-02-08>
-        # # HTTP (used for jmap)
-        # "http" = {
-        #   bind = ["[::]:8080"];
-        #   protocol = "http";
-        #   tls.implicit = true;
-        # };
+        # HTTP (used for jmap)
+        "http" = {
+          bind = ["127.0.0.1:8112"];
+          protocol = "http";
+          # handled by ngnix
+          tls.implicit = false;
+        };
 
         # IMAP
         "imap" = {
@@ -406,11 +406,12 @@ in {
         certificate = "default";
       };
 
-      # TODO(@bpeetz): Configure that <2025-02-07>
-      # http = {
-      #   url = "";
-      #   allowed-endpoint = ["404"];
-      # };
+      http = {
+        url = "protocol + '://' + config_get('server.hostname') + ':' + local_port";
+
+        # We are behind a nginx proxy, and can thus trust this header.
+        use-x-forwarded = true;
+      };
 
       auto-ban = {
         # Ban if the same IP fails to login 10 times in a day
@@ -540,6 +541,11 @@ in {
       };
     };
 
+    authentication.fallback-admin = {
+      user = cfg.admin;
+      secret = cfg.initialAdminPassword;
+    };
+
     certificate = {
       "default" = {
         cert = "%{file:${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem}%";