Ronni Baslund
7bec940e7f
Push-based ingest for mail-server events. Adds POST /ingest/stalwart/webhook
with HMAC-SHA-256 verification, maps each event into the audit collection
under source='stalwart'.
services/platform-api/src/ingest/stalwart-webhook.controller.ts:
- Public endpoint (no JwtAuthGuard — Stalwart can't carry a JWT). Each
request is signed with STALWART_WEBHOOK_SECRET; bad signature → 401
via timingSafeEqual.
- Body: { events: [{ id, type, createdAt, data }, ... ] }. Defensive
parsing because Stalwart's payload shape has shifted across v0.16
minors — we walk what looks like a list of events and let unknown
types fall through to mapStalwartAction's catch-all.
- Per-event recordOne: action via mapStalwartAction(), actor from
data.email/account/username, IP from data.ip or X-Forwarded-For,
targetName from data.account/email/address/to, full payload kept
in metadata. externalId = evt.id so the (source, externalId)
unique index dedups re-deliveries.
action-map.ts: 14 known Stalwart event types →
stalwart.{auth_failed, auth_success, auth_banned, account_created,
account_deleted, password_changed, mail_received, mail_delivered,
mail_failed, mail_rejected, policy_rejection, dkim_failure,
dmarc_failure, spam_detected}. Snake/kebab forms normalized.
infrastructure/docker-compose:
- .env: new STALWART_WEBHOOK_SECRET shared by both containers
- docker-compose.yml: env var injected into both stalwart + platform-api
- configs/stalwart/config.toml: [webhook."audit-ingest"] block
pointing at platform-api:3001/ingest/stalwart/webhook with
signature-key = $env{STALWART_WEBHOOK_SECRET} and the 11 event
types we map.
Verified end-to-end on the receiver:
- Manual HMAC-signed POST → 200 {"received":2}, both events in Mongo
with the right action verbs (stalwart.auth_failed, stalwart.account_created),
actor/IP/externalId populated.
- Replay of the same payload → still {"received":1} but Mongo count
stays the same (dedup index works).
- X-Signature: deadbeef → 401, no row written.
Known unknown: I couldn't fully confirm Stalwart v0.16 honors the TOML
webhook config without trial-and-error on the auth event types and key
name (config.toml uses signature-key; some Stalwart builds want plain
'key'). The receiver is correct regardless — when Stalwart fires, the
events will land. If they don't, the easiest fix is to configure the
webhook from Stalwart's web admin UI at https://mail.dezky.local
instead of via TOML.
Dezky
Sovereign workspace platform for European businesses. Mail, files, calendar, video meetings — all EU-hosted, all open source.
Quick start (local development)
# 1. Clone and enter
git clone <repo-url> dezky
cd dezky
# 2. Run bootstrap (handles everything)
./scripts/bootstrap.sh
# 3. Open the portal
open https://app.dezky.local
The bootstrap script:
- Checks prerequisites (Docker, mkcert, openssl)
- Generates wildcard TLS certificate via mkcert
- Adds /etc/hosts entries (with your permission)
- Generates secure random secrets in
.env - Pulls Docker images
- Starts all services in correct order
- Prints next-step instructions
Service URLs (local development)
| Service | URL | Purpose |
|---|---|---|
| Portal | https://app.dezky.local | Customer-facing landing & launcher |
| Authentik | https://auth.dezky.local | Identity provider (OIDC/SAML) |
| Files (OCIS) | https://files.dezky.local | File storage & sharing |
| Mail (Stalwart) | https://mail.dezky.local | Mail server admin UI |
| Office | https://office.dezky.local | Collabora Online editor |
| Traefik | https://traefik.dezky.local | Reverse proxy dashboard |
What's in this repo
dezky/
├── apps/portal/ Nuxt 3 customer portal
├── services/platform-api/ NestJS service · tenants, partners, users, provisioning orchestration
├── packages/ Shared TypeScript libraries
├── infrastructure/
│ └── docker-compose/ Local development stack
├── scripts/ Setup, reset, helpers
└── docs/ Service references & guides
Prerequisites
- macOS or Linux (Windows users: use WSL2)
- Docker Desktop 24+ or OrbStack
- mkcert (
brew install mkcert) - pnpm 9+ (
brew install pnpm) - Node.js 20+
- 16 GB RAM recommended
Common commands
# Start everything
docker compose -f infrastructure/docker-compose/docker-compose.yml up -d
# View logs
docker compose -f infrastructure/docker-compose/docker-compose.yml logs -f [service]
# Stop everything (keeps data)
docker compose -f infrastructure/docker-compose/docker-compose.yml down
# Nuke and restart (DESTROYS DATA)
./scripts/reset.sh
Architecture
This is a multi-tenant SaaS platform. Each tenant gets:
- Isolated Authentik OIDC tenant
- Custom subdomain (e.g.
customer-name.dezky.local) - Mail domain in Stalwart with auto-generated DKIM
- Dedicated OCIS space hierarchy
- Branded launcher in the portal
All components are Apache 2.0 / MIT licensed — no per-seat fees, full whitelabel rights.
Production
The production target is a single Hetzner AX41-NVMe server (€39/mo) with:
- Stalwart on bare-metal
- k3s for all other services
- Hetzner Object Storage (€5/mo) as OCIS S3 backend
- Storage Box BX11 (€3.20/mo) for Restic backups
- Storage Box BX11 in Helsinki (€3.20/mo) for DR
See docs/PRODUCTION-DEPLOYMENT.md (TBD) for migration plan.
Stack rationale
These choices are deliberate after extensive license/architecture research. See CLAUDE.md for the full reasoning.
| Component | License | Why this one |
|---|---|---|
| Stalwart Mail | Apache 2.0 | Modern Rust, ActiveSync built-in, JMAP support |
| OCIS | Apache 2.0 | Cleaner license than Nextcloud (AGPL+trademark) |
| Zulip | Apache 2.0 | Only truly open-core-free chat option |
| Authentik | MIT | Better multi-tenancy than Keycloak |
| Hetzner | N/A | 100% EU sovereignty — core to business |
License
Application code: MIT (own code) Third-party services: see individual service licenses in stack.