Add mail server configuration with Stalwart Mail, secrets management, and Traefik integration

2026-02-15 15:47:54 +01:00 · 2026-02-15 15:47:54 +01:00 · fe289e0600
commit fe289e0600
parent a91e60eb70
8 changed files with 288 additions and 1 deletions
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@ -265,6 +265,20 @@ in {
          teamspeak-data = {
            address = "[::]:30033/tcp";
          };
+
+          # Mail entrypoints: plain SMTP, implicit SMTPS (465) and IMAPS (993)
+          #smtp = {
+          #  # plain SMTP (port 25) - TCP passthrough to backend
+          #  address = "[::]:25";
+          # };
+          smtps = {
+            # implicit TLS SMTP (port 465) - passthrough to backend
+            address = "[::]:465";
+          };
+          imaps = {
+            # implicit TLS IMAP (port 993) - passthrough to backend
+            address = "[::]:993";
+          };
        };
        log = {
          level = "INFO";
@ -350,6 +364,14 @@ in {
            tls = {};
            middlewares = ["anubisForwardAuth"];
          };
+
+          # Mail HTTP (JMAP / web) - terminate TLS at Traefik and forward to Stalwart JMAP HTTP listener
+          mail = {
+            rule = "Host(`mail.prg-radio.org`)";
+            service = "mail-jmap";
+            entryPoints = ["websecure"];
+            tls = {certresolver = "acme";};
+          };
        };

        http.services = {
@ -387,6 +409,11 @@ in {
              {url = "http://10.1.1.10:3000";}
            ];
          };
+
+          # Mail JMAP HTTP backend
+          mail-jmap.loadBalancer = {
+            servers = [{url = "http://10.1.1.15:8080";}];
+          };
        };

        # TCP routing for TeamSpeak
@ -424,6 +451,30 @@ in {
              passthrough = true;
            };
          };
+
+          # Mail TCP routers: SMTP (25), SMTPS (465 implicit TLS), IMAPS (993 implicit TLS)
+          #mail-smtp = {
+          #  # catch-all TCP router for port 25
+          #   rule = "HostSNI(`*`)";
+          #  service = "mail-smtp";
+          #  entryPoints = ["smtp"];
+          # };
+
+          mail-smtps = {
+            # SMTPS implicit TLS - passthrough to backend
+            rule = "HostSNI(`*`)";
+            service = "mail-smtps";
+            entryPoints = ["smtps"];
+            tls = {passthrough = true;};
+          };
+
+          mail-imaps = {
+            # IMAPS implicit TLS - passthrough to backend
+            rule = "HostSNI(`*`)";
+            service = "mail-imaps";
+            entryPoints = ["imaps"];
+            tls = {passthrough = true;};
+          };
        };

        tcp.services = {
@ -442,6 +493,19 @@ in {
              {address = "10.1.1.248:12244";}
            ];
          };
+
+          # Mail TCP services
+          #  mail-smtp.loadBalancer = {
+          #     servers = [ { address = "10.1.1.15:25"; } ];
+          #   };
+
+          mail-smtps.loadBalancer = {
+            servers = [{address = "10.1.1.15:465";}];
+          };
+
+          mail-imaps.loadBalancer = {
+            servers = [{address = "10.1.1.15:993";}];
+          };
        };

        # UDP routing for TeamSpeak voice