Compare commits
No commits in common. "cb564f311466b1147596021d4be545a716eeff58" and "6de9077144ec8b893508effdffe8d241358d5625" have entirely different histories.
cb564f3114
...
6de9077144
8 changed files with 114 additions and 33 deletions
1
env.yml
1
env.yml
|
@ -138,7 +138,6 @@ volumes:
|
||||||
etebase_datadir: /mnt/etebasedata
|
etebase_datadir: /mnt/etebasedata
|
||||||
hedgedoc_uploadsdir: /mnt/hedgedocuploads
|
hedgedoc_uploadsdir: /mnt/hedgedocuploads
|
||||||
lldap_datadir: /mnt/lldapdata
|
lldap_datadir: /mnt/lldapdata
|
||||||
mailserver_datadir: /mnt/mailserver
|
|
||||||
mailserver_tls_certificate_file: "/etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem"
|
mailserver_tls_certificate_file: "/etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem"
|
||||||
mailserver_tls_certificate_key_file: "/etc/letsencrypt/live/mail.{{ domain }}/privkey.pem"
|
mailserver_tls_certificate_key_file: "/etc/letsencrypt/live/mail.{{ domain }}/privkey.pem"
|
||||||
postgres_datadir: /mnt/postgresdata
|
postgres_datadir: /mnt/postgresdata
|
||||||
|
|
|
@ -7,6 +7,7 @@ services:
|
||||||
env_file: .env
|
env_file: .env
|
||||||
networks:
|
networks:
|
||||||
- authelia
|
- authelia
|
||||||
|
- mailserver
|
||||||
ports:
|
ports:
|
||||||
- {{ ports['lldap'] }}:17170
|
- {{ ports['lldap'] }}:17170
|
||||||
volumes:
|
volumes:
|
||||||
|
@ -15,3 +16,5 @@ services:
|
||||||
networks:
|
networks:
|
||||||
authelia:
|
authelia:
|
||||||
name: authelia
|
name: authelia
|
||||||
|
mailserver:
|
||||||
|
name: mailserver
|
||||||
|
|
|
@ -1,11 +1,10 @@
|
||||||
- name: "Backup PostgreSQL stalwart database & {{ volumes['mailserver_datadir'] }}/etc/config.toml"
|
- name: "Backup PostgreSQL stalwart database"
|
||||||
shell: >
|
shell: >
|
||||||
docker exec postgres
|
docker exec postgres
|
||||||
pg_dump -c {{ role_name }} |
|
pg_dump -c {{ role_name }} |
|
||||||
borg create
|
borg create
|
||||||
--compression lzma
|
--compression lzma
|
||||||
"{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
|
"{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
|
||||||
"{{ volumes['mailserver_datadir'] }}/etc/config.toml"
|
|
||||||
-
|
-
|
||||||
--stdin-name dump_{{ role_name }}.sql
|
--stdin-name dump_{{ role_name }}.sql
|
||||||
environment:
|
environment:
|
||||||
|
|
|
@ -6,24 +6,16 @@
|
||||||
- absent
|
- absent
|
||||||
- directory
|
- directory
|
||||||
|
|
||||||
- name: Template docker-compose.yaml to project directory
|
- name: Template docker-compose.yaml & config.toml to project directory
|
||||||
template:
|
template:
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
dest: "{{ project_dir }}/{{ item }}"
|
dest: "{{ project_dir }}/{{ item }}"
|
||||||
owner: "{{ host_uid }}"
|
owner: "{{ host_uid }}"
|
||||||
group: "{{ host_uid }}"
|
group: "{{ users['mailserver'] + uid_shift }}"
|
||||||
mode: '660'
|
mode: '660'
|
||||||
loop:
|
loop:
|
||||||
- docker-compose.yaml
|
- docker-compose.yaml
|
||||||
become: true
|
- config.toml
|
||||||
|
|
||||||
- name: "Create (if not exists) directory {{ volumes['mailserver_datadir'] }} & set permissions"
|
|
||||||
file:
|
|
||||||
path: "{{ volumes['mailserver_datadir'] }}"
|
|
||||||
state: directory
|
|
||||||
owner: "{{ users['mailserver'] + uid_shift }}"
|
|
||||||
group: "{{ users['mailserver'] + uid_shift }}"
|
|
||||||
mode: '700'
|
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
- name: Set limited permissions on certificate directories
|
- name: Set limited permissions on certificate directories
|
||||||
|
|
92
roles/mailserver/templates/config.toml
Normal file
92
roles/mailserver/templates/config.toml
Normal file
|
@ -0,0 +1,92 @@
|
||||||
|
authentication.fallback-admin.secret = "{{ mailserver_secrets['admin_secret'] }}"
|
||||||
|
authentication.fallback-admin.user = "{{ mailserver_secrets['admin_user'] }}"
|
||||||
|
cluster.node-id = 1
|
||||||
|
lookup.default.hostname = "mail.{{ domain }}"
|
||||||
|
lookup.default.domain = "{{ domain }}"
|
||||||
|
|
||||||
|
|
||||||
|
# Server settings
|
||||||
|
server.http.permissive-cors = false
|
||||||
|
server.http.url = "protocol + '://' + key_get('default', 'hostname') + ':' + local_port"
|
||||||
|
server.http.use-x-forwarded = true
|
||||||
|
server.max-connections = 8192
|
||||||
|
server.socket.backlog = 1024
|
||||||
|
server.socket.nodelay = true
|
||||||
|
server.socket.reuse-addr = true
|
||||||
|
server.socket.reuse-port = true
|
||||||
|
|
||||||
|
|
||||||
|
# Listeners
|
||||||
|
server.listener.https.bind = "[::]:443"
|
||||||
|
server.listener.https.protocol = "http"
|
||||||
|
server.listener.https.tls.implicit = true
|
||||||
|
server.listener.imaptls.bind = "[::]:993"
|
||||||
|
server.listener.imaptls.protocol = "imap"
|
||||||
|
server.listener.imaptls.tls.implicit = true
|
||||||
|
server.listener.smtp.bind = "[::]:25"
|
||||||
|
server.listener.smtp.protocol = "smtp"
|
||||||
|
server.listener.smtp.tls.implicit = false
|
||||||
|
server.listener.submissions.bind = "[::]:465"
|
||||||
|
server.listener.submissions.protocol = "smtp"
|
||||||
|
server.listener.submissions.tls.implicit = true
|
||||||
|
|
||||||
|
|
||||||
|
# Certificate settings
|
||||||
|
certificate."default".cert = "%{file:///etc/fullchain.pem}%"
|
||||||
|
certificate."default".default = true
|
||||||
|
certificate."default".private-key = "%{file:///etc/privkey.pem}%"
|
||||||
|
|
||||||
|
|
||||||
|
# Storage settings
|
||||||
|
storage.blob = "postgresql"
|
||||||
|
storage.data = "postgresql"
|
||||||
|
storage.directory = "ldap"
|
||||||
|
storage.fts = "postgresql"
|
||||||
|
storage.lookup = "postgresql"
|
||||||
|
|
||||||
|
|
||||||
|
# Directory settings
|
||||||
|
# Note: 'directory.ldap.attributes.secret' must not be defined
|
||||||
|
# to correctly disable OAuth, if the LDAP server doesn't expose passwords hashes.
|
||||||
|
directory.ldap.attributes.class = "objectClass"
|
||||||
|
directory.ldap.attributes.description = "distinguishedName"
|
||||||
|
directory.ldap.attributes.email = "mail"
|
||||||
|
directory.ldap.attributes.email-alias = "mailAlias"
|
||||||
|
directory.ldap.attributes.groups = "memberOf"
|
||||||
|
directory.ldap.attributes.name = "uid"
|
||||||
|
directory.ldap.attributes.quota = "diskQuota"
|
||||||
|
directory.ldap.base-dn = "{{ ldap_base_dn }}"
|
||||||
|
directory.ldap.bind.auth.dn = "uid=?,ou=people,{{ ldap_base_dn }}"
|
||||||
|
directory.ldap.bind.auth.enable = true
|
||||||
|
directory.ldap.bind.dn = "{{ mailserver_secrets['ldap_user'] }}"
|
||||||
|
directory.ldap.bind.secret = "{{ mailserver_secrets['ldap_password'] }}"
|
||||||
|
directory.ldap.cache.entries = 500
|
||||||
|
directory.ldap.filter.domains = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(|(mail=*@?)(mailAlias=*@?)))"
|
||||||
|
directory.ldap.filter.email = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(|(mail=?)(mailAlias=?)(mailList=?))(mail=*@{{ domain }}))"
|
||||||
|
directory.ldap.filter.expand = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(mailList=?))"
|
||||||
|
directory.ldap.filter.name = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(uid=?))"
|
||||||
|
directory.ldap.filter.verify = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(|(mail=*?*)(mailAlias=*?*)))"
|
||||||
|
directory.ldap.tls.allow-invalid-certs = false
|
||||||
|
directory.ldap.tls.enable = false
|
||||||
|
directory.ldap.type = "ldap"
|
||||||
|
directory.ldap.url = "ldap://lldap:3890"
|
||||||
|
|
||||||
|
|
||||||
|
# Store settings
|
||||||
|
store.postgresql.compression = "lz4"
|
||||||
|
store.postgresql.database = "stalwart"
|
||||||
|
store.postgresql.host = "postgres.{{ domain }}"
|
||||||
|
store.postgresql.password = "{{ mailserver_secrets['postgres_password'] }}"
|
||||||
|
store.postgresql.port = "5432"
|
||||||
|
store.postgresql.purge.frequency = "0 3 *"
|
||||||
|
store.postgresql.tls.allow-invalid-certs = true
|
||||||
|
store.postgresql.tls.enable = true
|
||||||
|
store.postgresql.type = "postgresql"
|
||||||
|
store.postgresql.user = "{{ mailserver_secrets['postgres_user'] }}"
|
||||||
|
|
||||||
|
|
||||||
|
# Logs settings
|
||||||
|
tracer.stdout.ansi = true
|
||||||
|
tracer.stdout.enable = true
|
||||||
|
tracer.stdout.level = "info"
|
||||||
|
tracer.stdout.type = "stdout"
|
|
@ -1,15 +1,21 @@
|
||||||
services:
|
services:
|
||||||
mailserver:
|
mailserver:
|
||||||
container_name: mailserver
|
|
||||||
image: docker.io/stalwartlabs/mail-server:v0.8.3
|
image: docker.io/stalwartlabs/mail-server:v0.8.3
|
||||||
|
container_name: mailserver
|
||||||
restart: always
|
restart: always
|
||||||
user: "{{ users['mailserver'] }}:{{ users['mailserver'] }}"
|
user: "{{ users['mailserver'] }}:{{ users['mailserver'] }}"
|
||||||
|
networks:
|
||||||
|
- mailserver
|
||||||
ports:
|
ports:
|
||||||
- "{{ ports['mailserver_smtp'] }}:25"
|
- "{{ ports['mailserver_smtp'] }}:25"
|
||||||
- {{ ports['mailserver_smtps'] }}:465
|
- {{ ports['mailserver_smtps'] }}:465
|
||||||
- {{ ports['mailserver_imaps'] }}:993
|
- {{ ports['mailserver_imaps'] }}:993
|
||||||
- {{ ports['mailserver_https'] }}:443
|
- {{ ports['mailserver_https'] }}:443
|
||||||
volumes:
|
volumes:
|
||||||
- {{ volumes['mailserver_tls_certificate_file'] }}:/etc/fullchain.pem:ro
|
- {{ volumes['mailserver_tls_certificate_file'] }}:/etc/fullchain.pem
|
||||||
- {{ volumes['mailserver_tls_certificate_key_file'] }}:/etc/privkey.pem:ro
|
- {{ volumes['mailserver_tls_certificate_key_file'] }}:/etc/privkey.pem
|
||||||
- {{ volumes['mailserver_datadir'] }}:/opt/stalwart-mail
|
- ./config.toml:/opt/stalwart-mail/etc/config.toml
|
||||||
|
|
||||||
|
networks:
|
||||||
|
mailserver:
|
||||||
|
name: mailserver
|
||||||
|
|
|
@ -11,18 +11,3 @@ server {
|
||||||
include /etc/nginx/snippets/proxy.conf;
|
include /etc/nginx/snippets/proxy.conf;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
server_name mta-sts.{{ domain }};
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location = /.well-known/mta-sts.txt {
|
|
||||||
proxy_pass https://127.0.0.1:{{ ports['mailserver_https'] }};
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
@ -52,6 +52,11 @@ lldap_secrets:
|
||||||
postgres_password:
|
postgres_password:
|
||||||
|
|
||||||
mailserver_secrets:
|
mailserver_secrets:
|
||||||
|
admin_user:
|
||||||
|
# Hash obtained with openssl passwd -6
|
||||||
|
admin_secret:
|
||||||
|
ldap_user:
|
||||||
|
ldap_password:
|
||||||
postgres_user:
|
postgres_user:
|
||||||
postgres_password:
|
postgres_password:
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue