add mail role!

This commit is contained in:
Elizabeth Hunt 2024-01-07 00:35:54 -05:00
parent fb0b391408
commit ae64628958
8 changed files with 121 additions and 10 deletions

4
deploy-mail.yml Normal file
View File

@ -0,0 +1,4 @@
- name: mail setup
hosts: mail
roles:
- mail

5
group_vars/mail.yml Normal file
View File

@ -0,0 +1,5 @@
---
domain: mail.simponic.xyz
certbot_email: elizabeth.hunt@simponic.xyz
postmaster_email: postmaster@simponic.xyz
lldap_admin_pass: "{{ lookup('env', 'LLDAP_USER_PASS') }}"

View File

@ -2,7 +2,7 @@
nijika ansible_user=root ansible_connection=ssh nijika ansible_user=root ansible_connection=ssh
ryo ansible_user=root ansible_connection=ssh ryo ansible_user=root ansible_connection=ssh
levi ansible_user=root ansible_connection=ssh levi ansible_user=root ansible_connection=ssh
#ash ansible_user=root ansible_connection=ssh mail.simponic.xyz ansible_user=root ansible_connection=ssh
[private] [private]
johan ansible_user=root ansible_connection=ssh johan ansible_user=root ansible_connection=ssh
@ -10,7 +10,6 @@ johan ansible_user=root ansible_connection=ssh
[webservers] [webservers]
levi ansible_user=root ansible_connection=ssh levi ansible_user=root ansible_connection=ssh
nijika ansible_user=root ansible_connection=ssh nijika ansible_user=root ansible_connection=ssh
#ash.internal.simponic.xyz ansible_user=root ansible_connection=ssh
[nameservers] [nameservers]
ryo ansible_user=root ansible_connection=ssh ryo ansible_user=root ansible_connection=ssh
@ -41,4 +40,4 @@ johan ansible_user=root ansible_connection=ssh
johan ansible_user=root ansible_connection=ssh johan ansible_user=root ansible_connection=ssh
[mail] [mail]
#ash ansible_user=root ansible_connection=ssh mail.simponic.xyz ansible_user=root ansible_connection=ssh

57
roles/mail/tasks/main.yml Normal file
View File

@ -0,0 +1,57 @@
---
- name: install letsencrypt
apt:
name: letsencrypt
state: latest
- name: allow 80/tcp ufw
ufw:
rule: allow
port: '80'
proto: 'tcp'
- name: allow 443/tcp ufw
ufw:
rule: allow
port: '443'
proto: 'tcp'
- name: restart ufw
service: name=ufw state=restarted enabled=yes
- name: request certificate
shell: >
letsencrypt certonly -n --standalone -d "{{ domain }}" \
-m "{{ certbot_email }}" --agree-tos
args:
creates: "/etc/letsencrypt/live/{{ domain }}"
- name: add monthly letsencrypt cronjob for cert renewal
cron:
name: "letsencrypt_renewal_mail"
day: "18"
hour: "2"
minute: "1"
job: "letsencrypt renew --cert-name {{ domain }} -n --standalone --agree-tos -m {{ certbot_email }}"
- name: ensure mail docker/compose exist
file:
path: /etc/docker/compose/mail
state: directory
owner: root
group: root
mode: 0700
- name: build mail docker-compose.yml.j2
template:
src: ../templates/docker-compose.yml.j2
dest: /etc/docker/compose/mail/docker-compose.yml
owner: root
group: root
mode: u=rw,g=r,o=r
- name: daemon-reload and enable mail
ansible.builtin.systemd_service:
state: restarted
enabled: true
name: docker-compose@mail

View File

@ -0,0 +1,46 @@
services:
mailserver:
image: ghcr.io/docker-mailserver/docker-mailserver:latest
container_name: mailserver
# Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
hostname: {{ domain }}
ports:
- "25:25"
- "465:465"
- "587:587"
- "993:993"
volumes:
- ./docker-data/dms/mail-data/:/var/mail/
- ./docker-data/dms/mail-state/:/var/mail-state/
- ./docker-data/dms/mail-logs/:/var/log/mail/
- ./docker-data/dms/config/:/tmp/docker-mailserver/
- /etc/letsencrypt:/etc/letsencrypt
- /etc/localtime:/etc/localtime:ro
environment:
- SSL_TYPE=letsencrypt
- ENABLE_CLAMAV=0
- ENABLE_AMAVIS=0
- ENABLE_FAIL2BAN=0
- SPOOF_PROTECTION=1
- ACCOUNT_PROVISIONER=LDAP
- LDAP_SERVER_HOST=ldap://lldap.internal.simponic.xyz:3890
- LDAP_SEARCH_BASE=dc=simponic,dc=xyz
- LDAP_BIND_DN=uid=admin,ou=people,dc=simponic,dc=xyz
- LDAP_BIND_PW={{ lldap_admin_pass }}
- LDAP_QUERY_FILTER_USER=(&(objectClass=mailAccount)(|(uid=%u)))
- LDAP_QUERY_FILTER_GROUP=(&(cn=mail)(uniquemember=uid=%u,ou=people,dc=simponic,dc=xyz))
- LDAP_QUERY_FILTER_ALIAS=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u)))
- LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)
- DOVECOT_AUTH_BIND=yes
- DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u)))
- DOVECOT_USER_ATTRS==uid=5000,=gid=5000,=home=/var/mail/%Ln,=mail=maildir:~/Maildir
- ENABLE_SASLAUTHD=1
- SASLAUTHD_MECHANISMS=rimap
- SASLAUTHD_MECH_OPTIONS=127.0.0.1
- POSTMASTER_ADDRESS={{ postmaster_email }}
dns:
- {{ johan_ip }}
restart: always

View File

@ -19,7 +19,6 @@ johan.simponic.xyz. 1 IN A 23.95.20.192
osaka.simponic.xyz. 1 IN A 129.123.76.14 osaka.simponic.xyz. 1 IN A 129.123.76.14
mail.simponic.xyz. 1 IN A 192.3.248.205 mail.simponic.xyz. 1 IN A 192.3.248.205
ash.simponic.xyz. 1 IN A 192.3.248.205
levi.simponic.xyz. 1 IN A 23.95.214.176 levi.simponic.xyz. 1 IN A 23.95.214.176
simponic.xyz. 1 IN A 23.95.214.176 simponic.xyz. 1 IN A 23.95.214.176
@ -36,5 +35,8 @@ authelia.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
simponic.xyz. 1 IN MX 10 mail.simponic.xyz. simponic.xyz. 1 IN MX 10 mail.simponic.xyz.
;; TXT Records ;; TXT Records
dkim._domainkey.simponic.xyz. 1 IN TXT "v=DKIM1; p= MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoNWLcbrcGq0z8f0fSmxLbfK/Q/ZwmnPyJEfljS2VuDIm7DUXahHIFtB8hfZ/WAocoirb8kUHTvTAgmUOXPpNxTDve3tV9S+CBBYHH2c9XBsuaZn/Vi0TR5vbBDuISmlXT6k+2cdq0LO+PYRwJI65t/JWTR5fQlCmVgxbI5gwDYFRZC0Nl5gEwuKw7pdEJg4Pymyox" "i" "zcikaGk/plXj6BDvv9pK1q8Wa+QPIkuBPFvsEh3KSApMP1p5thzHFaeNyCn5PuYEvbgkal0722px6GvYfR2W/APNRztbmWVewXH6kEWCgOYMkmWiYYLgEwz62rq2SzszP1rrl3WjVi26916wIDAQAB" mail._domainkey.simponic.xyz. 1 IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ktysbZaewsAo1Uk+FfLvVeL9ii6ejTDxxYE1RoGTxFDulFYXdpvO+MErDq62IvaQ6E4TYTc0RULoqp3BjuVVG6IG85SmhWME9XYSrxLm1pq7yRN1s1b6pBqNC6+yiyxwSjThS7RzH3sxwBL7R8AHRuEV+2UKsvT2wOCyRXAth+lrB7t9S9niWNOB3lvDqe0/oPf9JDrKjpuO6"
"lKZ3nglGzPfdJEpfLyXBP4l5UlxqWYUIrCzqHY9bNmyPepb1CJT97AD5jGGngCrnMCmllAdyOKa1ds5uoPjjGaLO8bOoBWXQuacn++hDsdyQ78Y673T2935CN/uGgrLBs9UiA0BQIDAQAB" ) ; ----- DKIM key mail for simponic.xyz
_dmarc.simponic.xyz. IN TXT "v=DMARC1; p=none; sp=none; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@simponic.xyz; ruf=mailto:dmarc.report@simponic.xyz"
simponic.xyz. 1 IN TXT "v=spf1 mx ip4:192.3.248.205 ~all" simponic.xyz. 1 IN TXT "v=spf1 mx ip4:192.3.248.205 ~all"

View File

@ -84,12 +84,10 @@
- name: reload nginx to activate sites - name: reload nginx to activate sites
service: name=nginx state=restarted service: name=nginx state=restarted
- name: add monthly letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits - name: add daily letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits
cron: cron:
name: "letsencrypt_renewal_{{ item.stdout }}" name: "letsencrypt_renewal_{{ item.stdout }}"
day: "{{ '%02d' | format(1 + (item.stdout | hash('md5') | int(0, 16) % 27)) }}" special_time: "daily"
hour: "{{ (item.stdout | hash('md5') | int(0, 16) % 24 ) }}"
minute: "{{ (item.stdout | hash('md5') | int(0, 16) % 60 ) }}"
job: "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt letsencrypt renew --server https://{{ step_bootstrap_ca_url }}:{{ step_ca_port }}/acme/ACME/directory --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt --agree-tos --email {{ step_acme_cert_contact }} && service nginx reload" job: "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt letsencrypt renew --server https://{{ step_bootstrap_ca_url }}:{{ step_ca_port }}/acme/ACME/directory --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt --agree-tos --email {{ step_acme_cert_contact }} && service nginx reload"
loop: "{{ extracted_domains.results }}" loop: "{{ extracted_domains.results }}"
when: item.stdout != "" when: item.stdout != ""

View File

@ -236,7 +236,7 @@ unix_socket_permission: "0770"
# OpenID Connect # OpenID Connect
oidc: oidc:
# Block further startup until the OIDC provider is healthy and available # Block further startup until the OIDC provider is healthy and available
only_start_if_oidc_is_available: true only_start_if_oidc_is_available: false
# Specified by your OIDC provider # Specified by your OIDC provider
issuer: "https://authelia.simponic.xyz" issuer: "https://authelia.simponic.xyz"
# Specified/generated by your OIDC provider # Specified/generated by your OIDC provider