feat(infra): migrate Stalwart to the v0.16 config model (config.json)

v0.16 dropped TOML config. The host service now boots from a tiny config.json
that describes only the datastore (RocksDB); all other settings live in the DB
(web UI / stalwart-cli / platform-api JMAP).

- add stalwart/config.json (RocksDb datastore at /opt/stalwart/data)
- install.sh: install config.json instead of config.toml
- stalwart-mail.service: --config points at config.json
- README: document the v0.16 model + remaining DB-side config + DNS/PTR

Verified: Stalwart 0.16.8 runs on node1 with default mail listeners + the :8080
management server. config.toml retained as a reference for the DB settings.

infrastructure/production/host/README.md

@@ -225,3 +225,21 @@ cert-manager + `ClusterIssuer`, ingress, the data tier (Postgres/Mongo/Redis),
 Authentik, OCIS + Collabora, and portal + platform-api — plus the
 `mail/mail-tls` cert and the DB-dump CronJobs this layer's `cert-sync` and
 backups depend on.
+
+## Stalwart v0.16 — config model change (IMPORTANT)
+
+v0.16 **removed TOML configuration**. The host service now boots from
+`stalwart/config.json` — a tiny file describing ONLY the datastore (RocksDB at
+`/opt/stalwart/data`). Every other setting (listeners, authentication, TLS,
+domains, DKIM, spam, webhooks) is stored in the DB and managed via the web admin
+UI, `stalwart-cli`, or platform-api over JMAP. `stalwart/config.toml` is kept as
+a reference for the settings to recreate in the DB; it is NOT loaded by v0.16.
+
+**Status (node1):** Stalwart 0.16.8 installed + running with default listeners
+(25/465/587/143/993/4190 + management on `:8080`). Still to configure (DB-side):
+- Fallback admin password (so platform-api can authenticate) + the audit webhook.
+- TLS for `mail.dezky.eu` — Stalwart's own ACME, or rework `cert-sync.sh` to feed
+  the cert-manager cert into the v0.16 DB cert model.
+- Domains / DKIM — provisioned by platform-api over JMAP.
+
+Then publish DNS (MX, SPF, DKIM, DMARC) and set the **PTR/rDNS** → `mail.dezky.eu`.

infrastructure/production/host/stalwart/config.json

@@ -0,0 +1,4 @@
+{
+  "@type": "RocksDb",
+  "path": "/opt/stalwart/data"
+}

infrastructure/production/host/stalwart/install.sh

@@ -89,12 +89,17 @@ systemctl stop stalwart-mail 2>/dev/null || true
 install -o stalwart -g stalwart -m 0755 "$bin" "$PREFIX/bin/stalwart"
 ok "Installed $("$PREFIX/bin/stalwart" --version 2>/dev/null || echo 'stalwart binary')."
 
-# ── Step 3: config + secrets EnvironmentFile ───────────────────────────────
+# ── Step 3: config.json (v0.16 datastore) + secrets EnvironmentFile ────────
-info "Step 3: config.toml + secrets env..."
+# v0.16 dropped TOML: config.json describes ONLY the datastore; every other
-install -o stalwart -g stalwart -m 0640 "$SCRIPT_DIR/config.toml" "$PREFIX/etc/config.toml"
+# setting (listeners, auth, TLS, domains, DKIM, spam, webhooks) lives in the DB
+# and is managed via the web UI / stalwart-cli / platform-api (JMAP).
+info "Step 3: config.json (v0.16 datastore-only) + secrets env..."
+install -o stalwart -g stalwart -m 0640 "$SCRIPT_DIR/config.json" "$PREFIX/etc/config.json"
 umask 077
 cat > "$PREFIX/etc/stalwart.env" <<EOF
-# Generated by install.sh from config.env — DO NOT commit.
+# Generated by install.sh from config.env — DO NOT commit. Bootstrap secrets
+# platform-api uses to authenticate to Stalwart's management API (set the
+# fallback admin to this on first DB setup).
 STALWART_ADMIN_PASSWORD=${STALWART_ADMIN_PASSWORD}
 STALWART_WEBHOOK_SECRET=${STALWART_WEBHOOK_SECRET}
 EOF

infrastructure/production/host/stalwart/stalwart-mail.service

@@ -14,7 +14,7 @@ Type=simple
 User=stalwart
 Group=stalwart
 EnvironmentFile=/opt/stalwart/etc/stalwart.env
-ExecStart=/opt/stalwart/bin/stalwart --config /opt/stalwart/etc/config.toml
+ExecStart=/opt/stalwart/bin/stalwart --config /opt/stalwart/etc/config.json
 # Stalwart reloads its TLS certs / config on SIGHUP — used by cert-sync.
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure