2eb8a0c225
Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
24 lines
1.1 KiB
Plaintext
24 lines
1.1 KiB
Plaintext
// tailwart — merge into your live Tailscale policy (admin console).
|
|
// Snippet, not a full policy. Kept here so an upstream pull of any other repo
|
|
// can't clobber it.
|
|
|
|
// 1) tagOwners — add (self-ownership required for auth-key node creation):
|
|
// "tag:stalwart": ["autogroup:admin", "tag:stalwart"],
|
|
|
|
// 2) grants — Stalwart reaches the three shared backends:
|
|
{ "src": ["tag:stalwart"], "dst": ["tag:db-postgres"], "ip": ["tcp:5432"] },
|
|
{ "src": ["tag:stalwart"], "dst": ["tag:db-redis"], "ip": ["tcp:6379"] },
|
|
{ "src": ["tag:stalwart"], "dst": ["tag:garage"], "ip": ["tcp:3900"] },
|
|
|
|
// 3) grants — the edge proxy (tag:reverse-proxy) reaches the mailbox ports.
|
|
// 8080 is the JMAP/admin HTTP tier (fronted by the main L7 Caddy).
|
|
{
|
|
"src": ["tag:reverse-proxy"],
|
|
"dst": ["tag:stalwart"],
|
|
"ip": ["tcp:25", "tcp:465", "tcp:587", "tcp:143", "tcp:993", "tcp:8080"],
|
|
},
|
|
|
|
// 4) admin console (not this file): assign tag:stalwart to the same OAuth
|
|
// client federatedSocial uses, on the Devices/Core + Keys/AuthKeys scopes.
|
|
// Missing → 403 "calling actor does not have enough permissions" at boot.
|