stalwart: exposes the http management panel now for encryption

Also added a LLDAP attribute

machines/gerd/services/lldap/default.nix

@@ -204,6 +204,7 @@ in {
       in lib.concatStrings (cap parts);
     in {
       uid = "uid";
+      creationdate = "creationdate";
       firstname = "givenName";
       lastname = "sn";
       email = "mail";

machines/gerd/services/stalwart/default.nix

@@ -7,7 +7,13 @@
 
   mine.shared.meta.stalwart = {
     name = "Stalwart Mail";
-    description = "We host our own mailserver, which can be reached on ${config.mine.shared.settings.mail.domain} with your LDAP username and password.";
+    description = ''
+        We host our own mailserver, which can be reached on ${config.mine.shared.settings.mail.domain} with your LDAP username and password.
+        From here encryption-at-rest can be setup with either OpenPGP or S/MIME. Keep in mind, Change Password, Two-factor Auth and App Passwords
+        do not work, as we are using LDAP for authentication instead.
+    '';
+
+    url = "https://${config.mine.shared.settings.mail.domain}";
 
     package = let
       pkg = config.services.stalwart-mail.package;

machines/gerd/services/stalwart/stalwart.nix

@@ -1,7 +1,10 @@
 { config, lib, pkgs, ... }:
 
 let
-  svc_domain = "mail.${config.mine.shared.settings.domain}";
+  svc_domain = "stalwart.${config.mine.shared.settings.domain}";
+  svc_domain_mail = "mail.${config.mine.shared.settings.domain}";
+  # TODO(eyJhb): in theory these domains are not used, they're just
+  # nice to have.. maybe.
   svc_domain_smtp = "smtp.${config.mine.shared.settings.domain}";
   svc_domain_imap = "imap.${config.mine.shared.settings.domain}";
 
@@ -27,7 +30,7 @@ in {
     openFirewall = true;
 
     settings = {
-      lookup.default.hostname = svc_domain;
+      lookup.default.hostname = svc_domain_mail;
 
       store.db.path = "${stateDir}/db";
 
@@ -72,11 +75,15 @@ in {
           quota = lconfig.attr.membermaildiskquota;
           class = "objectClass";
           groups = "memberOf";
-          # we dont have access to this in lldap
+          # we dont have access to this in lldap, and
+          # therefore we use secret-changed instead
           # secret = lconfig.attr.stalwart_secret;
+          # TODO(eyJhb): remove once LLDAP gets
+          # plugin support, so we can make a plugin
+          # that updates a attribute on password updates
+          # https://github.com/lldap/lldap/pull/1119
+          secret-changed = lconfig.attr.creationdate;
         });
-
-        
       };
 
       storage.directory = "ldap";
@@ -87,7 +94,7 @@ in {
         submissions = { bind = [ "[::]:${builtins.toString ports.submissions}"]; protocol = "smtp"; tls.implicit = true; };
         imaptls = { bind = [ "[::]:${builtins.toString ports.imaptls}"]; protocol = "imap"; tls.implicit = true; };
 
-        management = { bind = [ "127.0.0.1:${builtins.toString ports.http_management}" ]; protocol = "http"; };
+        management = { bind = [ "[::]:${builtins.toString ports.http_management}" ]; protocol = "http"; };
       };
 
       certificate.domain = {
@@ -139,13 +146,19 @@ in {
   ];
 
   # setup certs
-  services.nginx.virtualHosts."${svc_domain}" = {
+  services.nginx.virtualHosts."${svc_domain_mail}" = {
     forceSSL = true;
     enableACME = true;
     serverAliases = [ svc_domain_smtp svc_domain_imap ];
     root = pkgs.writeTextDir "index.html" "Nothing.";
   };
 
+  services.nginx.virtualHosts."${svc_domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://localhost:${builtins.toString ports.http_management}";
+  };
+
   # need to change group to stalwart-mail for cert + add nginx to stalwart-mail group to do HTTP ACME
   users.users.nginx.extraGroups = [ stalwart_group ];
   security.acme.certs."${svc_domain}" = {
@@ -160,6 +173,7 @@ in {
 
   mine.shared.settings.mail = {
     domain = svc_domain;
+    domain_mail = svc_domain_mail;
     domain_smtp = svc_domain_smtp;
     domain_imap = svc_domain_imap;