wayne/tailwart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
34422ba2b1
tailwart/caddy/caddy.json

77 lines
2.7 KiB
JSON
Raw Normal View History

Scaffold tailwart: Stalwart mailbox as a Tailscale sidecar Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 22:25:38 -04:00
{
"//": "Layer-4 mail edge for tailwart. Pipes raw TCP mail ports to the",
"//2": "Stalwart sidecar over the tailnet, preserving client IP via PROXY",
"//3": "protocol v2. One server per port (upstream port differs per listener).",
"//4": "Stalwart terminates TLS itself — this is pure pass-through.",
"apps": {
"layer4": {
"servers": {
"smtp": {
"listen": [":25"],
"routes": [{ "handle": [{
"handler": "proxy",
"proxy_protocol": "v2",
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:25"] }]
}]}]
},
"submissions": {
"listen": [":465"],
"routes": [{ "handle": [{
"handler": "proxy",
"proxy_protocol": "v2",
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:465"] }]
}]}]
},
"submission": {
"listen": [":587"],
"routes": [{ "handle": [{
"handler": "proxy",
"proxy_protocol": "v2",
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:587"] }]
}]}]
},
"imap": {
"listen": [":143"],
"routes": [{ "handle": [{
"handler": "proxy",
"proxy_protocol": "v2",
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:143"] }]
}]}]
},
"imaptls": {
"listen": [":993"],
"routes": [{ "handle": [{
"handler": "proxy",
"proxy_protocol": "v2",
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:993"] }]
}]}]
Harden mail edge: PG-race healthcheck gate, :443 SNI fan-out, docs Fixes the root cause that was silently dropping Stalwart's cert/setting writes, completes the public HTTPS endpoints, and captures the debugging knowledge. - docker-compose.yml: gate the ts-stalwart healthcheck on Postgres reachability (nc -z the-record-prod:5432) in addition to tailscaled health. Stalwart's depends_on: service_healthy can no longer release it into the window where the tailnet route to Postgres isn't up yet — which was failing table init and losing in-flight cert writes (-> rcgen). - caddy/caddy.json + README: add the :443 SNI fan-out. mta-sts / autoconfig / autodiscover pass through to stalwart:443 (Stalwart terminates TLS with its wildcard cert; no proxy_protocol on :443). All other SNIs go to the box's web Caddy on :8443 (https_port 8443). L7 reverse_proxy is impossible here: CAA pins issuance to Stalwart's ACME account, so Caddy can't obtain its own cert for these names. - acl-snippet.hujson: grant tcp:443 on reverse-proxy -> stalwart for the SNI pass-through. - config/config.json: track the v0.16 bootstrap (commit-safe; the DB secret is an EnvironmentVariable reference, not inline). - LESSONS.md: symptom -> cause -> fix notes (PG race, DNS-01/Spaceship dead key, auto-ban vs PROXY protocol, wildcard-requires-DNS-01, SNI pass-through, ephemeral sidecar IP, LE rate-limit checks). - .gitignore: exclude _backup/ and _validate/ (DB dumps + an inline-secret config) and editor swap files. NEVER commit those. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 00:03:52 -04:00
},
"web": {
"//": "SNI fan-out on the public :443. Stalwart's HTTPS web endpoints",
"//2": "(MTA-STS policy, autoconfig, autodiscover) pass through to Stalwart,",
"//3": "which terminates TLS with its wildcard cert — NO proxy_protocol here,",
"//4": "unlike the mail ports above. Every other SNI falls to the box's own",
"//5": "web Caddy on :8443 (set `https_port 8443` there). A mail-only standalone",
"//6": "edge omits this server. See README — 'The HTTP side'.",
"listen": [":443"],
"routes": [
{
"match": [{ "tls": { "sni": ["mta-sts.infinidim.net", "autoconfig.infinidim.net", "autodiscover.infinidim.net"] } }],
"handle": [{
"handler": "proxy",
"upstreams": [{ "dial": ["stalwart.tail7b1641.ts.net:443"] }]
}]
},
{
"handle": [{
"handler": "proxy",
"upstreams": [{ "dial": ["127.0.0.1:8443"] }]
}]
}
]
Scaffold tailwart: Stalwart mailbox as a Tailscale sidecar Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 22:25:38 -04:00
}
}
}
}
}
Reference in New Issue Copy Permalink