tailwart/caddy/docker-compose.yml

# tailwart edge — the layer-4 mail proxy. Deploy this on ANY host with a public
# IP that is joined to the tailnet and tagged tag:reverse-proxy. It does not
# have to be the same machine as the Stalwart mailbox — that's the fun part.
#
#   docker compose up -d --build
#
# network_mode: host is deliberate: the proxy needs to bind the public mail
# ports AND resolve/reach ${STALWART_MAGIC_NAME}.${TS_TAILNET} via the host's
# tailscaled (MagicDNS). The mailbox container, by contrast, binds nothing on
# the host — opposite ends of the same wire.

name: tailwart-edge

services:
  caddy-l4:
    build: .
    image: tailwart-caddy:latest
    network_mode: host
    command: ["caddy", "run", "--config", "/etc/caddy/caddy.json"]
    volumes:
      - ./caddy.json:/etc/caddy/caddy.json:ro
      - caddy-data:/data
    restart: unless-stopped

volumes:
  caddy-data:
Scaffold tailwart: Stalwart mailbox as a Tailscale sidecar Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:25:38 -04:00			`# tailwart edge — the layer-4 mail proxy. Deploy this on ANY host with a public`
			`# IP that is joined to the tailnet and tagged tag:reverse-proxy. It does not`
			`# have to be the same machine as the Stalwart mailbox — that's the fun part.`
			`#`
			`# docker compose up -d --build`
			`#`
			`# network_mode: host is deliberate: the proxy needs to bind the public mail`
			`# ports AND resolve/reach ${STALWART_MAGIC_NAME}.${TS_TAILNET} via the host's`
			`# tailscaled (MagicDNS). The mailbox container, by contrast, binds nothing on`
			`# the host — opposite ends of the same wire.`

			`name: tailwart-edge`

			`services:`
			`caddy-l4:`
			`build: .`
			`image: tailwart-caddy:latest`
			`network_mode: host`
			`command: ["caddy", "run", "--config", "/etc/caddy/caddy.json"]`
			`volumes:`
			`- ./caddy.json:/etc/caddy/caddy.json:ro`
			`- caddy-data:/data`
			`restart: unless-stopped`

			`volumes:`
			`caddy-data:`