# Dezky — Stalwart mail server (bare-metal host service).
#
# Secrets (admin password, webhook secret) come from the EnvironmentFile, which
# install.sh generates from config.env. The binary needs CAP_NET_BIND_SERVICE
# to bind the privileged mail ports (25/143/...) while running as a non-root user.

[Unit]
Description=Stalwart Mail Server (Dezky)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=stalwart
Group=stalwart
EnvironmentFile=/opt/stalwart/etc/stalwart.env
ExecStart=/opt/stalwart/bin/stalwart --config /opt/stalwart/etc/config.toml
# Stalwart reloads its TLS certs / config on SIGHUP — used by cert-sync.
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

# Bind privileged ports without full root
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Hardening — Stalwart only needs to write under /opt/stalwart
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/opt/stalwart/data /opt/stalwart/logs /opt/stalwart/etc/tls
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictSUIDSGID=true

[Install]
WantedBy=multi-user.target