stalwart: exposes the http management panel now for encryption

Also added a LLDAP attribute

machines/gerd/services/lldap/default.nix

@@ -204,6 +204,7 @@ in {
       in lib.concatStrings (cap parts);
     in {
       uid = "uid";
+      creationdate = "creationdate";
       firstname = "givenName";
       lastname = "sn";
       email = "mail";

machines/gerd/services/stalwart/default.nix

@@ -7,7 +7,13 @@
 
   mine.shared.meta.stalwart = {
     name = "Stalwart Mail";
-    description = "We host our own mailserver, which can be reached on ${config.mine.shared.settings.mail.domain} with your LDAP username and password.";
+    description = ''
+        We host our own mailserver, which can be reached on ${config.mine.shared.settings.mail.domain} with your LDAP username and password.
+        From here encryption-at-rest can be setup with either OpenPGP or S/MIME. Keep in mind, Change Password, Two-factor Auth and App Passwords
+        do not work, as we are using LDAP for authentication instead.
+    '';
+
+    url = "https://${config.mine.shared.settings.mail.domain}";
 
     package = let
       pkg = config.services.stalwart-mail.package;

machines/gerd/services/stalwart/stalwart.nix

@@ -1,7 +1,10 @@
 { config, lib, pkgs, ... }:
 
 let
-  svc_domain = "mail.${config.mine.shared.settings.domain}";
+  svc_domain = "stalwart.${config.mine.shared.settings.domain}";
+  svc_domain_mail = "mail.${config.mine.shared.settings.domain}";
+  # TODO(eyJhb): in theory these domains are not used, they're just
+  # nice to have.. maybe.
   svc_domain_smtp = "smtp.${config.mine.shared.settings.domain}";
   svc_domain_imap = "imap.${config.mine.shared.settings.domain}";
 
@@ -27,7 +30,7 @@ in {
     openFirewall = true;
 
     settings = {
-      lookup.default.hostname = svc_domain;
+      lookup.default.hostname = svc_domain_mail;
 
       store.db.path = "${stateDir}/db";
 
@@ -72,11 +75,15 @@ in {
           quota = lconfig.attr.membermaildiskquota;
           class = "objectClass";
           groups = "memberOf";
-          # we dont have access to this in lldap
+          # we dont have access to this in lldap, and
+          # therefore we use secret-changed instead
           # secret = lconfig.attr.stalwart_secret;
+          # TODO(eyJhb): remove once LLDAP gets
+          # plugin support, so we can make a plugin
+          # that updates a attribute on password updates
+          # https://github.com/lldap/lldap/pull/1119
+          secret-changed = lconfig.attr.creationdate;
         });
-
-        
       };
 
       storage.directory = "ldap";
@@ -87,7 +94,7 @@ in {
         submissions = { bind = [ "[::]:${builtins.toString ports.submissions}"]; protocol = "smtp"; tls.implicit = true; };
         imaptls = { bind = [ "[::]:${builtins.toString ports.imaptls}"]; protocol = "imap"; tls.implicit = true; };
 
-        management = { bind = [ "127.0.0.1:${builtins.toString ports.http_management}" ]; protocol = "http"; };
+        management = { bind = [ "[::]:${builtins.toString ports.http_management}" ]; protocol = "http"; };
       };
 
       certificate.domain = {
@@ -139,13 +146,19 @@ in {
   ];
 
   # setup certs
-  services.nginx.virtualHosts."${svc_domain}" = {
+  services.nginx.virtualHosts."${svc_domain_mail}" = {
     forceSSL = true;
     enableACME = true;
     serverAliases = [ svc_domain_smtp svc_domain_imap ];
     root = pkgs.writeTextDir "index.html" "Nothing.";
   };
 
+  services.nginx.virtualHosts."${svc_domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://localhost:${builtins.toString ports.http_management}";
+  };
+
   # need to change group to stalwart-mail for cert + add nginx to stalwart-mail group to do HTTP ACME
   users.users.nginx.extraGroups = [ stalwart_group ];
   security.acme.certs."${svc_domain}" = {
@@ -160,6 +173,7 @@ in {
 
   mine.shared.settings.mail = {
     domain = svc_domain;
+    domain_mail = svc_domain_mail;
     domain_smtp = svc_domain_smtp;
     domain_imap = svc_domain_imap;
 

shared/sources/default.nix

@@ -8,19 +8,21 @@ in sources // {
     src = sources.nixpkgs;
     name = "nixpkgs-patched";
     patches = [
-      # # tmp - lldap: 0.5.1-unstable-2024-10-30 -> 0.6.1
-      # (pkgs.fetchpatch {
-      #   url = "https://github.com/NixOS/nixpkgs/pull/359835.patch";
-      #   sha256 = "sha256-2C9l4v9MaUJyiaB+kslTsSjsqTZ7RlcfMNlRzZblMik=";
-      # })
-      # tmp - stalwart-mail.webadmin: pin wasm-bindgen-cli version
-      # (pkgs.fetchpatch {
-      #   url = "https://github.com/NixOS/nixpkgs/pull/353360.patch";
-      #   sha256 = "sha256-WPNnvVmtySyEk58kVIYWVx3VN8MhX4v2ITLLnUGhpz4=";
-      # })
+      # stalwart-mail: 0.11.8 -> 0.12.0 
+      (pkgs.fetchpatch {
+        url = "https://github.com/NixOS/nixpkgs/pull/409178.patch";
+        sha256 = "sha256-06J8pTjqeWTL6MJqVq17r3eelL5p/AfvUsPye5icVUg=";
+      })
+      # nixos/stalwart-mail: fix incorrect config for webadmin and spam-filter
+      (pkgs.fetchpatch {
+        url = "https://github.com/NixOS/nixpkgs/pull/412054.patch";
+        sha256 = "sha256-OExslGsrGGPWSJJFPkZgYV8DaPKq9YDlmozPf/bV6dE=";
+      })
     ];
   };
 
+  # nixpkgs = pkgs.lib.cleanSource /state/home/projects/nixos/nixpkgs;
+
   drasl = pkgs.applyPatches {
     src = sources.drasl;
     name = "drasl-patched";

shared/sources/sources.json

@@ -67,15 +67,15 @@
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs": {
-        "branch": "nixos-25.05",
+        "branch": "nixos-unstable",
         "description": "Nix Packages collection",
         "homepage": null,
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7282cb574e0607e65224d33be8241eae7cfe0979",
-        "sha256": "0klkpy7ah033y3cwj51a0l96lwmkqqvwgfv3kid4z9x5g2rqr0l5",
+        "rev": "96ec055edbe5ee227f28cdbc3f1ddf1df5965102",
+        "sha256": "064q32jmj54iwgh4lcdg2aii75cr5lvb683ym5pmj2kkj340pnpd",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/7282cb574e0607e65224d33be8241eae7cfe0979.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/96ec055edbe5ee227f28cdbc3f1ddf1df5965102.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }