stalwart-lite 0.15.6

Stalwart Mail and Collaboration Server
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193

# syntax=docker/dockerfile:1
# check=skip=FromPlatformFlagConstDisallowed,RedundantTargetPlatform

# *****************
# Base image for planner & builder
# *****************
FROM --platform=$BUILDPLATFORM rust:slim-trixie AS base

ENV DEBIAN_FRONTEND="noninteractive" \
    BINSTALL_DISABLE_TELEMETRY=true \
    CARGO_TERM_COLOR=always \
    LANG=C.UTF-8 \
    TZ=UTC \
    TERM=xterm-256color \
    AWS_LC_SYS_PREBUILT_NASM=1
# With zig, we only need libclang and make. ca-certificates is required for curl
# to verify HTTPS downloads (zig tarballs, FoundationDB debs, crates.io, etc).
RUN \
    --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    rm -f /etc/apt/apt.conf.d/docker-clean && \
    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' >/etc/apt/apt.conf.d/keep-cache && \
    apt-get update && \
    apt-get install -yq --no-install-recommends ca-certificates curl jq xz-utils make libclang-19-dev
# Zig is pinned to 0.13.0. Zig 0.14+ changed how its default target ABI is
# resolved for `x86_64-linux-gnu`-style triples, and on Stalwart's dep tree
# (rocksdb, jemalloc, aws-lc-sys, libfdb_c.so, rust-std 1.87+) this surfaces
# as ld.lld undefined references to pthread_*/stat/pow@GLIBC_2.33+. An
# explicit glibc suffix (`.2.17`) is NOT a workaround — C deps compiled via
# zig cc against Zig 0.16 headers still emit @2.33+ symbols even when the
# linker target is 2.17. Zig 0.13 produces binaries with a max glibc ref of
# ~2.28 which stays compatible with Debian 11 / RHEL 8. Revisit this pin if
# Zig upstream stabilizes a backwards-compatible default or if Stalwart drops
# its hard C deps.
RUN \
    ZIG_VERSION=0.13.0 && \
    curl --retry 5 -fsSL "https://ziglang.org/download/${ZIG_VERSION}/zig-linux-$(uname -m)-${ZIG_VERSION}.tar.xz" | tar -J -x -C /usr/local && \
    ln -s "/usr/local/zig-linux-$(uname -m)-${ZIG_VERSION}/zig" /usr/local/bin/zig && \
    zig version
# Install cargo-binstall
RUN curl --retry 5 -fL --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
# Install cargo-chef & sccache & cargo-zigbuild
RUN cargo binstall --no-confirm cargo-chef sccache cargo-zigbuild

# *****************
# Planner
# *****************
FROM base AS planner
WORKDIR /app
COPY . .
# Generate recipe file
RUN cargo chef prepare --recipe-path recipe.json

# *****************
# Builder
# *****************
FROM base AS builder
WORKDIR /app
COPY --from=planner /app/recipe.json recipe.json
ARG TARGET
ARG BUILD_ENV
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# Install toolchain and specify some env variables
RUN \
    rustup set profile minimal && \
    rustup target add ${TARGET} && \
    mkdir -p artifact && \
    touch /env-cargo && \
    if [ ! -z "${BUILD_ENV}" ]; then \
        echo "export ${BUILD_ENV}" >> /env-cargo; \
        echo "Setting up ${BUILD_ENV}"; \
    fi && \
    if [[ "${TARGET}" == *gnu ]]; then \
        base_arch="${TARGET%%-*}"; \
        case "$base_arch" in \
            x86_64) \
                echo "export FDB_ARCH=amd64" >> /env-cargo; \
                ;; \
            aarch64) \
                echo "export FDB_ARCH=aarch64" >> /env-cargo; \
                ;; \
            *) \
                exit 1; \
                ;; \
        esac; \
    fi
# Install FoundationDB (pinned to latest 7.4.x; Apple publishes 7.4 as
# prereleases on GitHub, so the release list is fetched without the
# prerelease filter and narrowed by tag name).
ARG FDB_VERSION_RANGE="7.4"
RUN \
    source /env-cargo && \
    if [ ! -z "${FDB_ARCH}" ]; then \
        curl --retry 5 -fLso fdb-client.deb "$(curl --retry 5 -fLs 'https://api.github.com/repos/apple/foundationdb/releases?per_page=100' | jq --arg FDB_ARCH "$FDB_ARCH" --arg RANGE "${FDB_VERSION_RANGE}" -r '[.[] | select(.tag_name | startswith($RANGE + "."))] | sort_by(.tag_name | split(".") | map(tonumber)) | reverse | .[0].assets[] | select(.name | test("foundationdb-clients.*" + $FDB_ARCH + ".deb$")) | .browser_download_url')" && \
        mkdir -p /fdb && \
        dpkg -x fdb-client.deb /fdb && \
        mv /fdb/usr/include/foundationdb /usr/include && \
        mv /fdb/usr/lib/libfdb_c.so /usr/lib && \
        rm -rf fdb-client.deb /fdb; \
    fi
# Cargo-chef Cache layer
RUN \
    --mount=type=secret,id=ACTIONS_RESULTS_URL,env=ACTIONS_RESULTS_URL \
    --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN,env=ACTIONS_RUNTIME_TOKEN \
    --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/usr/local/cargo/git \
    source /env-cargo && \
    if [ ! -z "${FDB_ARCH}" ]; then \
        RUSTFLAGS="-L /usr/lib" cargo chef cook --recipe-path recipe.json --zigbuild --release --target ${TARGET} -p stalwart-lite --no-default-features --features "foundationdb s3 redis nats enterprise"; \
    fi
RUN \
    --mount=type=secret,id=ACTIONS_RESULTS_URL,env=ACTIONS_RESULTS_URL \
    --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN,env=ACTIONS_RUNTIME_TOKEN \
    --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/usr/local/cargo/git \
    source /env-cargo && \
    cargo chef cook --recipe-path recipe.json --zigbuild --release --target ${TARGET} -p stalwart-lite --no-default-features --features "sqlite postgres mysql rocks s3 redis azure nats enterprise"
# Copy the source code
COPY . .
ENV RUSTC_WRAPPER="sccache" \
    SCCACHE_GHA_ENABLED=true
# Build FoundationDB version
RUN \
    --mount=type=secret,id=ACTIONS_RESULTS_URL,env=ACTIONS_RESULTS_URL \
    --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN,env=ACTIONS_RUNTIME_TOKEN \
    --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/usr/local/cargo/git \
    source /env-cargo && \
    if [ ! -z "${FDB_ARCH}" ]; then \
        RUSTFLAGS="-L /usr/lib" cargo zigbuild --release --target ${TARGET} -p stalwart-lite --no-default-features --features "foundationdb s3 redis nats enterprise" && \
        mv /app/target/${TARGET}/release/stalwart /app/artifact/stalwart-foundationdb; \
    fi
# Build generic version
RUN \
    --mount=type=secret,id=ACTIONS_RESULTS_URL,env=ACTIONS_RESULTS_URL \
    --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN,env=ACTIONS_RUNTIME_TOKEN \
    --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/usr/local/cargo/git \
    source /env-cargo && \
    cargo zigbuild --release --target ${TARGET} -p stalwart-lite --no-default-features --features "sqlite postgres mysql rocks s3 redis azure nats enterprise" && \
    mv /app/target/${TARGET}/release/stalwart /app/artifact/stalwart

# *****************
# Binary stage
# *****************
FROM scratch AS binaries
COPY --from=builder /app/artifact /

# *****************
# Runtime image for GNU targets
# *****************
FROM --platform=$TARGETPLATFORM docker.io/library/debian:trixie-slim AS gnu
RUN export DEBIAN_FRONTEND=noninteractive && \
    apt-get update && \
    apt-get install -yq --no-install-recommends ca-certificates curl tzdata libcap2-bin && \
    rm -rf /var/lib/apt/lists/* && \
    groupadd -r -g 2000 stalwart && \
    useradd -r -u 2000 -g 2000 -s /usr/sbin/nologin -M stalwart && \
    mkdir -p /etc/stalwart /var/lib/stalwart && \
    chown stalwart:stalwart /etc/stalwart /var/lib/stalwart
COPY --from=builder --chmod=0755 /app/artifact/stalwart /usr/local/bin/stalwart
RUN setcap 'cap_net_bind_service=+ep' /usr/local/bin/stalwart
USER stalwart
WORKDIR /var/lib/stalwart
VOLUME ["/etc/stalwart", "/var/lib/stalwart"]
EXPOSE	443 25 110 587 465 143 993 995 4190 8080
ENV STALWART_HEALTHCHECK_URL=https://127.0.0.1:443/healthz/live
HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
    CMD curl -fsSk "$STALWART_HEALTHCHECK_URL" || curl -fsS http://127.0.0.1:8080/healthz/live || exit 1
ENTRYPOINT ["/usr/local/bin/stalwart"]
CMD ["--config", "/etc/stalwart/config.json"]

# *****************
# Runtime image for musl targets
# *****************
FROM --platform=$TARGETPLATFORM alpine AS musl
RUN apk add --update --no-cache ca-certificates curl tzdata libcap && \
    rm -rf /var/cache/apk/* && \
    addgroup -S -g 2000 stalwart && \
    adduser -S -D -H -u 2000 -G stalwart -s /sbin/nologin stalwart && \
    mkdir -p /etc/stalwart /var/lib/stalwart && \
    chown stalwart:stalwart /etc/stalwart /var/lib/stalwart
COPY --from=builder --chmod=0755 /app/artifact/stalwart /usr/local/bin/stalwart
RUN setcap 'cap_net_bind_service=+ep' /usr/local/bin/stalwart
USER stalwart
WORKDIR /var/lib/stalwart
VOLUME ["/etc/stalwart", "/var/lib/stalwart"]
EXPOSE	443 25 110 587 465 143 993 995 4190 8080
ENV STALWART_HEALTHCHECK_URL=https://127.0.0.1:443/healthz/live
HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
    CMD curl -fsSk "$STALWART_HEALTHCHECK_URL" || curl -fsS http://127.0.0.1:8080/healthz/live || exit 1
ENTRYPOINT ["/usr/local/bin/stalwart"]
CMD ["--config", "/etc/stalwart/config.json"]