

2 commits

8 changed files with 33 additions and 114 deletions


@ -138,6 +138,7 @@ volumes:
etebase_datadir: /mnt/etebasedata etebase_datadir: /mnt/etebasedata
hedgedoc_uploadsdir: /mnt/hedgedocuploads hedgedoc_uploadsdir: /mnt/hedgedocuploads
lldap_datadir: /mnt/lldapdata lldap_datadir: /mnt/lldapdata
mailserver_datadir: /mnt/mailserver
mailserver_tls_certificate_file: "/etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem" mailserver_tls_certificate_file: "/etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem"
mailserver_tls_certificate_key_file: "/etc/letsencrypt/live/mail.{{ domain }}/privkey.pem" mailserver_tls_certificate_key_file: "/etc/letsencrypt/live/mail.{{ domain }}/privkey.pem"
postgres_datadir: /mnt/postgresdata postgres_datadir: /mnt/postgresdata
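Review bot: `mailserver_datadir: /mnt/mailserver` departs from the `/mnt/<service>data` naming of the neighbouring entries (`etebasedata`, `lldapdata`, `postgresdata`), so `mailserver_datadir: /mnt/mailserverdata` would keep the convention. Because this directory is later created with mode `'700'` and, per the other hunks, becomes the whole `/opt/stalwart-mail` tree including `etc/config.toml`, a short comment such as `# whole /opt/stalwart-mail tree, incl. etc/config.toml (holds credentials)` would tell a reader why it is handled more strictly than the certificate paths that follow.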


@ -7,7 +7,6 @@ services:
env_file: .env env_file: .env
networks: networks:
- authelia - authelia
- mailserver
ports: ports:
- {{ ports['lldap'] }}:17170 - {{ ports['lldap'] }}:17170
volumes: volumes:
@ -16,5 +15,3 @@ services:
networks: networks:
authelia: authelia:
name: authelia name: authelia
mailserver:
name: mailserver
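Review bot: Dropping the shared `mailserver` network here (and in the mailserver compose file further down, where `networks:` is removed from both the service and the top level) leaves the two compose projects on separate default networks, so the `ldap://lldap:3890` URL that the deleted config template used will no longer resolve from the mailserver container. If the config now kept in the data directory points at a host-published LDAP port instead, bear in mind the deleted template had `directory.ldap.tls.enable = false`, so the bind credentials would then cross the host network unencrypted; if service-name resolution is still expected, the network needs to stay. A one-line comment on the lldap service stating how the mail server is meant to reach it, e.g. `# mailserver reaches lldap via <network or host port> — see mailserver role`, would settle this.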


@ -1,10 +1,11 @@
- name: "Backup PostgreSQL stalwart database" - name: "Backup PostgreSQL stalwart database & {{ volumes['mailserver_datadir'] }}/etc/config.toml"
shell: > shell: >
docker exec postgres docker exec postgres
pg_dump -c {{ role_name }} | pg_dump -c {{ role_name }} |
borg create borg create
--compression lzma --compression lzma
"{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
"{{ volumes['mailserver_datadir'] }}/etc/config.toml"
- -
--stdin-name dump_{{ role_name }}.sql --stdin-name dump_{{ role_name }}.sql
environment: environment:
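Review bot: The new `"{{ volumes['mailserver_datadir'] }}/etc/config.toml"` argument on the borg line reads from a directory that the mailserver role creates with mode `'700'` and owner `users['mailserver'] + uid_shift`, so unless this task runs with `become` (the `environment:` block and anything after it lie outside the hunk) borg will most likely hit a permission error on that path instead of silently skipping it. Per the deleted template, that file carries the fallback-admin secret, the LDAP bind password and the PostgreSQL password, so the archive now contains live credentials; a comment above the task, e.g. `# config.toml holds admin/LDAP/PostgreSQL credentials — relies on the borg repo's encryption mode`, and a check that the repository was initialised with an encryption mode would document that dependency.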


@ -6,16 +6,24 @@
- absent - absent
- directory - directory
- name: Template docker-compose.yaml & config.toml to project directory - name: Template docker-compose.yaml to project directory
template: template:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ project_dir }}/{{ item }}" dest: "{{ project_dir }}/{{ item }}"
owner: "{{ host_uid }}" owner: "{{ host_uid }}"
group: "{{ users['mailserver'] + uid_shift }}" group: "{{ host_uid }}"
mode: '660' mode: '660'
loop: loop:
- docker-compose.yaml - docker-compose.yaml
- config.toml become: true
- name: "Create (if not exists) directory {{ volumes['mailserver_datadir'] }} & set permissions"
file:
path: "{{ volumes['mailserver_datadir'] }}"
state: directory
owner: "{{ users['mailserver'] + uid_shift }}"
group: "{{ users['mailserver'] + uid_shift }}"
mode: '700'
become: true become: true
- name: Set limited permissions on certificate directories - name: Set limited permissions on certificate directories
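Review bot: With `config.toml` dropped from the template loop, nothing in this play provisions the configuration the container now reads from `{{ volumes['mailserver_datadir'] }}/etc/config.toml`, and the admin and LDAP secrets it needs (per the deleted template, and removed from the vault template below) are no longer managed through Ansible Vault. A comment on the new directory task stating where that file comes from and how its secrets are handled, e.g. `# config.toml is not templated by this role; provisioned via <PLACEHOLDER: source> and holds the admin/LDAP/PostgreSQL credentials`, would keep a fresh deploy from starting stalwart without a config. The `'700'` mode on a directory owned by `users['mailserver'] + uid_shift`, while compose runs the container as the unshifted `users['mailserver']`, only works if the Docker daemon's user-namespace remapping maps one onto the other; naming that assumption in the same comment would help. The task that starts on the last line of the hunk continues outside it.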


@ -1,92 +0,0 @@
authentication.fallback-admin.secret = "{{ mailserver_secrets['admin_secret'] }}"
authentication.fallback-admin.user = "{{ mailserver_secrets['admin_user'] }}"
cluster.node-id = 1
lookup.default.hostname = "mail.{{ domain }}"
lookup.default.domain = "{{ domain }}"
# Server settings
server.http.permissive-cors = false
server.http.url = "protocol + '://' + key_get('default', 'hostname') + ':' + local_port"
server.http.use-x-forwarded = true
server.max-connections = 8192
server.socket.backlog = 1024
server.socket.nodelay = true
server.socket.reuse-addr = true
server.socket.reuse-port = true
# Listeners
server.listener.https.bind = "[::]:443"
server.listener.https.protocol = "http"
server.listener.https.tls.implicit = true
server.listener.imaptls.bind = "[::]:993"
server.listener.imaptls.protocol = "imap"
server.listener.imaptls.tls.implicit = true
server.listener.smtp.bind = "[::]:25"
server.listener.smtp.protocol = "smtp"
server.listener.smtp.tls.implicit = false
server.listener.submissions.bind = "[::]:465"
server.listener.submissions.protocol = "smtp"
server.listener.submissions.tls.implicit = true
# Certificate settings
certificate."default".cert = "%{file:///etc/fullchain.pem}%"
certificate."default".default = true
certificate."default".private-key = "%{file:///etc/privkey.pem}%"
# Storage settings
storage.blob = "postgresql"
storage.data = "postgresql"
storage.directory = "ldap"
storage.fts = "postgresql"
storage.lookup = "postgresql"
# Directory settings
# Note: 'directory.ldap.attributes.secret' must not be defined
# to correctly disable OAuth, if the LDAP server doesn't expose passwords hashes.
directory.ldap.attributes.class = "objectClass"
directory.ldap.attributes.description = "distinguishedName"
directory.ldap.attributes.email = "mail"
directory.ldap.attributes.email-alias = "mailAlias"
directory.ldap.attributes.groups = "memberOf"
directory.ldap.attributes.name = "uid"
directory.ldap.attributes.quota = "diskQuota"
directory.ldap.base-dn = "{{ ldap_base_dn }}"
directory.ldap.bind.auth.dn = "uid=?,ou=people,{{ ldap_base_dn }}"
directory.ldap.bind.auth.enable = true
directory.ldap.bind.dn = "{{ mailserver_secrets['ldap_user'] }}"
directory.ldap.bind.secret = "{{ mailserver_secrets['ldap_password'] }}"
directory.ldap.cache.entries = 500
directory.ldap.filter.domains = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(|(mail=*@?)(mailAlias=*@?)))"
directory.ldap.filter.email = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(|(mail=?)(mailAlias=?)(mailList=?))(mail=*@{{ domain }}))"
directory.ldap.filter.expand = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(mailList=?))"
directory.ldap.filter.name = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(uid=?))"
directory.ldap.filter.verify = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(|(mail=*?*)(mailAlias=*?*)))"
directory.ldap.tls.allow-invalid-certs = false
directory.ldap.tls.enable = false
directory.ldap.type = "ldap"
directory.ldap.url = "ldap://lldap:3890"
# Store settings
store.postgresql.compression = "lz4"
store.postgresql.database = "stalwart"
store.postgresql.host = "postgres.{{ domain }}"
store.postgresql.password = "{{ mailserver_secrets['postgres_password'] }}"
store.postgresql.port = "5432"
store.postgresql.purge.frequency = "0 3 *"
store.postgresql.tls.allow-invalid-certs = true
store.postgresql.tls.enable = true
store.postgresql.type = "postgresql"
store.postgresql.user = "{{ mailserver_secrets['postgres_user'] }}"
# Logs settings
tracer.stdout.ansi = true
tracer.stdout.enable = true
tracer.stdout.level = "info"
tracer.stdout.type = "stdout"


@ -1,21 +1,15 @@
services: services:
mailserver: mailserver:
image: docker.io/stalwartlabs/mail-server:v0.8.3
container_name: mailserver container_name: mailserver
image: docker.io/stalwartlabs/mail-server:v0.8.3
restart: always restart: always
user: "{{ users['mailserver'] }}:{{ users['mailserver'] }}" user: "{{ users['mailserver'] }}:{{ users['mailserver'] }}"
networks:
- mailserver
ports: ports:
- "{{ ports['mailserver_smtp'] }}:25" - "{{ ports['mailserver_smtp'] }}:25"
- {{ ports['mailserver_smtps'] }}:465 - {{ ports['mailserver_smtps'] }}:465
- {{ ports['mailserver_imaps'] }}:993 - {{ ports['mailserver_imaps'] }}:993
- {{ ports['mailserver_https'] }}:443 - {{ ports['mailserver_https'] }}:443
volumes: volumes:
- {{ volumes['mailserver_tls_certificate_file'] }}:/etc/fullchain.pem - {{ volumes['mailserver_tls_certificate_file'] }}:/etc/fullchain.pem:ro
- {{ volumes['mailserver_tls_certificate_key_file'] }}:/etc/privkey.pem - {{ volumes['mailserver_tls_certificate_key_file'] }}:/etc/privkey.pem:ro
- ./config.toml:/opt/stalwart-mail/etc/config.toml - {{ volumes['mailserver_datadir'] }}:/opt/stalwart-mail
networks:
mailserver:
name: mailserver


@ -11,3 +11,18 @@ server {
include /etc/nginx/snippets/proxy.conf; include /etc/nginx/snippets/proxy.conf;
} }
} }
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name mta-sts.{{ domain }};
location / {
return 404;
}
location = /.well-known/mta-sts.txt {
proxy_pass https://127.0.0.1:{{ ports['mailserver_https'] }};
}
}
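Review bot: The new `server` block listens with `ssl` but the hunk shows no `ssl_certificate`/`ssl_certificate_key` for `mta-sts.{{ domain }}`; unless those are inherited from the `http` context or an included snippet outside this hunk, nginx refuses to load the configuration, and MTA-STS clients require a valid certificate for exactly that hostname in any case. The `/.well-known/mta-sts.txt` location also omits the `include /etc/nginx/snippets/proxy.conf;` that the preceding server block uses, so whatever that snippet forwards (the Host header in particular, if the upstream selects the policy by host) is not passed to stalwart; adding the include inside the location would match the existing block. The `proxy_pass https://127.0.0.1:...` hop runs with nginx's default of no upstream certificate verification, which is defensible on loopback, but a comment such as `# loopback hop to stalwart's HTTPS listener; upstream cert not verified` would make that deliberate.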


@ -52,11 +52,6 @@ lldap_secrets:
postgres_password: postgres_password:
mailserver_secrets: mailserver_secrets:
admin_user:
# Hash obtained with openssl passwd -6
admin_secret:
ldap_user:
ldap_password:
postgres_user: postgres_user:
postgres_password: postgres_password: