Ronni Baslund
3831c85285
Host provisioning for the single-server production target: SSH + firewall hardening (nftables allowlist), k3s node registration, bare-metal Stalwart install with systemd units and TLS cert-sync from the cluster secret, and Restic encrypted backup/restore (primary + DR) with timer units. Host-specific secrets live in config.env (gitignored); config.env.example is the template. Also gitignores MemPalace per-project files.
40 lines
1.2 KiB
Desktop File
40 lines
1.2 KiB
Desktop File
# Dezky — Stalwart mail server (bare-metal host service).
|
|
#
|
|
# Secrets (admin password, webhook secret) come from the EnvironmentFile, which
|
|
# install.sh generates from config.env. The binary needs CAP_NET_BIND_SERVICE
|
|
# to bind the privileged mail ports (25/143/...) while running as a non-root user.
|
|
|
|
[Unit]
|
|
Description=Stalwart Mail Server (Dezky)
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=stalwart
|
|
Group=stalwart
|
|
EnvironmentFile=/opt/stalwart/etc/stalwart.env
|
|
ExecStart=/opt/stalwart/bin/stalwart --config /opt/stalwart/etc/config.toml
|
|
# Stalwart reloads its TLS certs / config on SIGHUP — used by cert-sync.
|
|
ExecReload=/bin/kill -HUP $MAINPID
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
LimitNOFILE=65536
|
|
|
|
# Bind privileged ports without full root
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
|
|
# Hardening — Stalwart only needs to write under /opt/stalwart
|
|
NoNewPrivileges=true
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
PrivateTmp=true
|
|
ReadWritePaths=/opt/stalwart/data /opt/stalwart/logs /opt/stalwart/etc/tls
|
|
ProtectKernelTunables=true
|
|
ProtectControlGroups=true
|
|
RestrictSUIDSGID=true
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|