ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
1114be6c93a0bad95758ebe2caf9443df2762af7
dezky/infrastructure/production/host/stalwart/stalwart-mail.service
T
Ronni Baslund 9d075343c5
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
Details
ci / test (push) Has been cancelled
Details
feat(infra): migrate Stalwart to the v0.16 config model (config.json) 
v0.16 dropped TOML config. The host service now boots from a tiny config.json
that describes only the datastore (RocksDB); all other settings live in the DB
(web UI / stalwart-cli / platform-api JMAP).

- add stalwart/config.json (RocksDb datastore at /opt/stalwart/data)
- install.sh: install config.json instead of config.toml
- stalwart-mail.service: --config points at config.json
- README: document the v0.16 model + remaining DB-side config + DNS/PTR

Verified: Stalwart 0.16.8 runs on node1 with default mail listeners + the :8080
management server. config.toml retained as a reference for the DB settings.
2026-06-08 21:02:17 +02:00

40 lines
1.2 KiB
Desktop File
Raw Blame History

# Dezky — Stalwart mail server (bare-metal host service).
#
# Secrets (admin password, webhook secret) come from the EnvironmentFile, which
# install.sh generates from config.env. The binary needs CAP_NET_BIND_SERVICE
# to bind the privileged mail ports (25/143/...) while running as a non-root user.
[Unit]
Description=Stalwart Mail Server (Dezky)
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=stalwart
Group=stalwart
EnvironmentFile=/opt/stalwart/etc/stalwart.env
ExecStart=/opt/stalwart/bin/stalwart --config /opt/stalwart/etc/config.json
# Stalwart reloads its TLS certs / config on SIGHUP — used by cert-sync.
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
# Bind privileged ports without full root
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Hardening — Stalwart only needs to write under /opt/stalwart
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/opt/stalwart/data /opt/stalwart/logs /opt/stalwart/etc/tls
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictSUIDSGID=true
[Install]
WantedBy=multi-user.target
Reference in New Issue View Git Blame Copy Permalink