From 0435d5679d4a8912295da60f3b582071283bb38d Mon Sep 17 00:00:00 2001
From: Pascal Bleser
Date: Wed, 16 Apr 2025 15:45:48 +0200
Subject: [PATCH] Add Stalwart container to the opencloud_full deployment,
using the OpenLDAP container as a directory for user authentication
---
devtools/deployments/opencloud_full/.env | 6 +-
.../config/stalwart/config.toml | 79 +++++++++++++++++++
.../deployments/opencloud_full/stalwart.yml | 36 +++++++++
3 files changed, 120 insertions(+), 1 deletion(-)
create mode 100644 devtools/deployments/opencloud_full/config/stalwart/config.toml
create mode 100644 devtools/deployments/opencloud_full/stalwart.yml
diff --git a/devtools/deployments/opencloud_full/.env b/devtools/deployments/opencloud_full/.env
index 75d6d33f55..c06402da62 100644
--- a/devtools/deployments/opencloud_full/.env
+++ b/devtools/deployments/opencloud_full/.env
@@ -305,8 +305,12 @@ KEYCLOAK_ADMIN_PASSWORD=
# Leaving it default stores data in docker internal volumes.
#RADICALE_DATA_DIR=/your/local/radicale/data
+### Stalwart Settings ###
+# Note: the leading colon is required to enable the service.
+#STALWART=:stalwart.yml
+
## IMPORTANT ##
# This MUST be the last line as it assembles the supplemental compose files to be used.
# ALL supplemental configs must be added here, whether commented or not.
# Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}
\ No newline at end of file
+COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}${STALWART:-}
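Review bot: `STALWART_DOMAIN` is read by the new stalwart.yml (the traefik network alias and the `Host()` router rule both default it to `stalwart.opencloud.test`), but the new `### Stalwart Settings ###` block only documents `STALWART`, so unless the variable is declared earlier in `.env` readers have no hint that the hostname is overridable; add `#STALWART_DOMAIN=stalwart.opencloud.test` under the heading, matching how the neighbouring sections document their per-service variables. It would also help to note there that the same hostname is hard-coded in `config/stalwart/config.toml` (`server.hostname` and `server.http.url`), so overriding the variable alone does not fully relocate the service.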
diff --git a/devtools/deployments/opencloud_full/config/stalwart/config.toml b/devtools/deployments/opencloud_full/config/stalwart/config.toml
new file mode 100644
index 0000000000..efeb2e4427
--- /dev/null
+++ b/devtools/deployments/opencloud_full/config/stalwart/config.toml
@@ -0,0 +1,79 @@
+authentication.fallback-admin.secret = "$6$4qPYDVhaUHkKcY7s$bB6qhcukb9oFNYRIvaDZgbwxrMa2RvF5dumCjkBFdX19lSNqrgKltf3aPrFMuQQKkZpK2YNuQ83hB1B3NiWzj."
+authentication.fallback-admin.user = "admin"
+authentication.master.secret = "$6$4qPYDVhaUHkKcY7s$bB6qhcukb9oFNYRIvaDZgbwxrMa2RvF5dumCjkBFdX19lSNqrgKltf3aPrFMuQQKkZpK2YNuQ83hB1B3NiWzj."
+authentication.master.user = "master"
+directory.ldap.attributes.class = "objectClass"
+directory.ldap.attributes.description = "description"
+directory.ldap.attributes.email = "mail"
+directory.ldap.attributes.email-alias = "mailAlias"
+directory.ldap.attributes.groups = "memberOf"
+directory.ldap.attributes.name = "uid"
+directory.ldap.attributes.secret = "userPassword"
+directory.ldap.base-dn = "dc=opencloud,dc=eu"
+directory.ldap.bind.auth.dn = "uid=?,ou=users,dc=opencloud,dc=eu"
+directory.ldap.bind.auth.enable = true
+directory.ldap.bind.auth.search = true
+directory.ldap.bind.dn = "cn=admin,dc=opencloud,dc=eu"
+directory.ldap.bind.secret = "admin"
+directory.ldap.cache.ttl.negative = "10m"
+directory.ldap.cache.ttl.positive = "1h"
+directory.ldap.filter.email = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(|(mail=?)(mailAlias=?)(mailList=?)))"
+directory.ldap.filter.name = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(uid=?))"
+directory.ldap.timeout = "3s"
+directory.ldap.tls.allow-invalid-certs = false
+directory.ldap.tls.enable = false
+directory.ldap.type = "ldap"
+directory.ldap.url = "ldap://ldap-server:1389"
+server.hostname = "stalwart.opencloud.test"
+server.http.allowed-endpoint = 200
+server.http.hsts = false
+server.http.permissive-cors = false
+server.http.url = "protocol + '://stalwart.opencloud.test:' + local_port"
+server.http.use-x-forwarded = false
+server.listener.http.bind = "[::]:8080"
+server.listener.http.protocol = "http"
+server.listener.https.bind = "[::]:443"
+server.listener.https.protocol = "http"
+server.listener.https.tls.implicit = true
+server.listener.imap.bind = "[::]:143"
+server.listener.imap.protocol = "imap"
+server.listener.imaptls.bind = "[::]:993"
+server.listener.imaptls.protocol = "imap"
+server.listener.imaptls.tls.implicit = true
+server.listener.pop3.bind = "[::]:110"
+server.listener.pop3.protocol = "pop3"
+server.listener.pop3s.bind = "[::]:995"
+server.listener.pop3s.protocol = "pop3"
+server.listener.pop3s.tls.implicit = true
+server.listener.sieve.bind = "[::]:4190"
+server.listener.sieve.protocol = "managesieve"
+server.listener.smtp.bind = "[::]:25"
+server.listener.smtp.protocol = "smtp"
+server.listener.submission.bind = "[::]:587"
+server.listener.submission.protocol = "smtp"
+server.listener.submissions.bind = "[::]:465"
+server.listener.submissions.protocol = "smtp"
+server.listener.submissions.tls.implicit = true
+server.max-connections = 8192
+server.socket.backlog = 1024
+server.socket.nodelay = true
+server.socket.reuse-addr = true
+server.socket.reuse-port = true
+storage.blob = "rocksdb"
+storage.data = "rocksdb"
+storage.directory = "ldap"
+storage.fts = "rocksdb"
+storage.lookup = "rocksdb"
+store.rocksdb.compression = "lz4"
+store.rocksdb.path = "/opt/stalwart-mail/data"
+store.rocksdb.type = "rocksdb"
+tracer.log.ansi = true
+tracer.log.buffered = true
+tracer.log.enable = true
+tracer.log.level = "trace"
+tracer.log.lossy = false
+tracer.log.multiline = false
+tracer.log.type = "stdout"
+metrics.prometheus.enable = true
+metrics.prometheus.auth.username = "metrics"
+metrics.prometheus.auth.secret = "secret"
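Review bot: Every secret in this file is committed in clear or as a shared hash: `directory.ldap.bind.secret = "admin"`, `metrics.prometheus.auth.secret = "secret"`, and one identical password hash for both `authentication.fallback-admin.secret` and `authentication.master.secret`; since the directory is bind-mounted into the container unchanged, every deployment built from this repository shares the same admin, directory-bind and metrics credentials. Stalwart expands `%{env:NAME}%` macros in configuration values, so these can be sourced from the deployment's `.env` instead, e.g. `directory.ldap.bind.secret = "%{env:STALWART_LDAP_BIND_SECRET}%"`, with the admin hash generated per deployment rather than copied. `tracer.log.level = "trace"` is also very verbose for a service that handles LDAP bind credentials and mail content; `"info"` is the safer default outside a one-off debugging session. If this is deliberately a development fixture, a header comment such as `# Development defaults: every secret in this file is public, do not reuse outside opencloud_full` would make that explicit to whoever copies it next.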
diff --git a/devtools/deployments/opencloud_full/stalwart.yml b/devtools/deployments/opencloud_full/stalwart.yml
new file mode 100644
index 0000000000..35ed532ec5
--- /dev/null
+++ b/devtools/deployments/opencloud_full/stalwart.yml
@@ -0,0 +1,36 @@
+---
+services:
+ traefik:
+ networks:
+ opencloud-net:
+ aliases:
+ - ${STALWART_DOMAIN:-stalwart.opencloud.test}
+
+ stalwart:
+ image: stalwartlabs/mail-server:latest
+ networks:
+ - opencloud-net
+ ports:
+ - "127.0.0.1:143:143"
+ - "127.0.0.1:993:993"
+ volumes:
+ - ./config/stalwart:/opt/stalwart-mail/etc
+ - stalwart-data:/opt/stalwart-mail/data
+ - stalwart-logs:/opt/stalwart-mail/logs
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.stalwart.entrypoints=https"
+ - "traefik.http.routers.stalwart.rule=Host(`${STALWART_DOMAIN:-stalwart.opencloud.test}`)"
+ - "traefik.http.routers.stalwart.tls.certresolver=http"
+ - "traefik.http.routers.stalwart.service=stalwart"
+ - "traefik.http.services.stalwart.loadbalancer.server.port=8080"
+ logging:
+ driver: ${LOG_DRIVER:-local}
+ restart: always
+
+volumes:
+ stalwart-data:
+ stalwart-logs:
+
+networks:
+ opencloud-net:
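Review bot: `image: stalwartlabs/mail-server:latest` is unpinned, so any `docker compose pull` can silently move to a new server release whose configuration schema may no longer match the hand-written keys in `config/stalwart/config.toml`; pin a tag (and ideally a digest), e.g. `image: stalwartlabs/mail-server:<pinned-version>`. The config points the directory at `ldap://ldap-server:1389`, yet the service declares no `depends_on`, so on a cold start Stalwart may come up before the directory and reject logins until the LDAP cache TTLs expire; if `ldap-server` is defined in the sibling LDAP compose file, `depends_on: [ldap-server]` still resolves once both files are merged through `COMPOSE_FILE`. The one-space indentation shown here may be a mail artefact; if it is real, it should be two spaces to match the other compose files and yamllint's default.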