feat: switch to stalwart

config/services/idmail.nix

@@ -73,6 +73,8 @@ in
   systemd.services.idmail.serviceConfig.RestartSec = "60"; # Retry every minute
 
   services.nginx = {
+    enable = true;
+    recommendedSetup = true;
     upstreams.idmail = {
       servers."127.0.0.1:3000" = { };
       extraConfig = ''
@@ -82,7 +84,7 @@ in
     };
     virtualHosts.${idmailDomain} = {
       forceSSL = true;
-      useACMEWildcardHost = true;
+      useACMEHost = domain;
       locations."/" = {
         proxyPass = "http://idmail";
         proxyWebsockets = true;

config/services/stalwart.nix

@@ -125,6 +125,8 @@ in
     }
   ];
   services.nginx = {
+    enable = true;
+    recommendedSetup = true;
     upstreams.stalwart = {
       servers."127.0.0.1:8080" = { };
       extraConfig = ''
@@ -136,7 +138,7 @@ in
       {
         ${domain} = {
           forceSSL = true;
-          useACMEWildcardHost = true;
+          useACMEHost = domain;
           extraConfig = ''
             client_max_body_size 512M;
           '';
@@ -154,7 +156,7 @@ in
         ]
         (_: {
           forceSSL = true;
-          useACMEWildcardHost = true;
+          useACMEHost = domain;
           locations."/".proxyPass = "http://stalwart";
         });
   };

hosts/maddy/default.nix

@@ -2,7 +2,7 @@
   imports = [
     ../../config/basic
     ../../config/support/initrd-ssh.nix
-    ../../config/services/maddy.nix
+    # ../../config/services/maddy.nix
     ../../config/support/zfs.nix
 
     ./net.nix

hosts/mailnix/net.nix

@@ -52,6 +52,7 @@
     };
   };
   networking.nftables.firewall.zones.untrusted.interfaces = [ "lan01" ];
+  users.groups.acme.members = [ "nginx" ];
   security.acme.certs = {
     "${config.secrets.secrets.global.domains.mail_public}" = {
       domain = config.secrets.secrets.global.domains.mail_public;