authorJesse Luehrs <doy@tozt.net>2019-02-19 00:39:14 -0500
committerJesse Luehrs <doy@tozt.net>2019-02-19 00:39:14 -0500
commit2f46554d12ec7ac24b2bef053b90186834baabff (patch)
tree54532eb7ae2ccdc47b11c1c268d83995702ce15f
parent318445114d9126ef0290e5ffea2777687a3ee316 (diff)
start over a bit with mailu
-rwxr-xr-xmodules/mail/facts.d/bind_address5
-rw-r--r--modules/mail/files/dhparam.pem13
-rw-r--r--modules/mail/files/dkim_signing.conf1
-rw-r--r--modules/mail/files/docker-compose.yml97
-rw-r--r--modules/mail/files/env26
-rw-r--r--modules/mail/files/mailu.env159
-rw-r--r--modules/mail/files/mailu.service (renamed from modules/mail/files/service)0
-rw-r--r--modules/mail/manifests/mailu.pp62
-rw-r--r--modules/mail/templates/docker-compose.yml.erb118
9 files changed, 288 insertions, 193 deletions
diff --git a/modules/mail/facts.d/bind_address b/modules/mail/facts.d/bind_address
new file mode 100755
index 0000000..2ba364f
--- /dev/null
+++ b/modules/mail/facts.d/bind_address
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -eu
+set -o pipefail
+
+curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address
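Review bot: `set -o pipefail` on line 32 is not POSIX, and when `#!/bin/sh` is dash it is a fatal `set: Illegal option`, so the fact script exits before the curl and emits nothing; either drop it (there is no pipeline here) or change the shebang to `#!/bin/bash`. Facter's executable external facts are, as far as I know, expected to print `key=value` lines, and this script prints the bare address, so `@bind_address` in the template would most likely stay undefined — `printf 'bind_address=%s\n' "$(curl -sf --max-time 5 http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address)"` addresses both. Without `-f` an HTTP error body becomes the fact value, and without a timeout an unreachable metadata service stalls the whole Puppet run.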
diff --git a/modules/mail/files/dhparam.pem b/modules/mail/files/dhparam.pem
deleted file mode 100644
index bb54913..0000000
--- a/modules/mail/files/dhparam.pem
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIICCAKCAgEA7AdtK45QmalmavuKKleQB98HE03rd9I0RarkQLnVyQ9CKTQY6sqr
-1TmWf6nzEU6ALnToanaTX30R30p28mz9pNbSK942wR8Gkiz22BTRNl3sykbAwvHA
-e5ZM51w7OY3LOPTa1YT2P2grnu4H39oujN4SrzdQxzKGgOQVacYAsavRwh4v7VgI
-grqbe1IjNHdsNhM7h+5DlXGMhNtMdH9dGkW/LiQvHGencbfK+2VmoJHoa2J3UgVE
-bizm9UHFXcWd2duVAFVQZx9PgOL6xIPtBTN6If45B+4nsrYFr/GsXk/DCtSTI9rP
-VEYEpGFgOz5gLFQJO+QySpRgkeQlge+WiC7XbRd1owrY7GuM3jSSVKFTGrhKa1wG
-DbGSD97OeI1aCgOKWFk3CBe5ezq0JvkeRbrE3Y4Y3/y4pY+mKf0Xd65acRf7E0th
-OiI9gNOBdQQ5FlZSHvxxJg5gpNLmytjMEHMLRbSLON6nxNyRF/m0rIKrdSnmhYiI
-nBQbq4u2wKtN4I4yvuSUD9NqQVZXYk9RH2agW7SovGWHlteYVmKdBWq7iZjcuWT2
-15S5kdv3rnUs3F955PTbDfDkf2nlNcghEqYvLXggzptH27HcO/RWFuDd1lxkeKv1
-H+b4OBHlywZEon13wf0ktj7Xg4GqN0tfbr3koIHaTvYC9CGmFaAhEAsCAQI=
------END DH PARAMETERS-----
diff --git a/modules/mail/files/dkim_signing.conf b/modules/mail/files/dkim_signing.conf
deleted file mode 100644
index b1ddead..0000000
--- a/modules/mail/files/dkim_signing.conf
+++ /dev/null
@@ -1 +0,0 @@
-use_esld = false;
diff --git a/modules/mail/files/docker-compose.yml b/modules/mail/files/docker-compose.yml
deleted file mode 100644
index 747ba65..0000000
--- a/modules/mail/files/docker-compose.yml
+++ /dev/null
@@ -1,97 +0,0 @@
-version: '2'
-
-services:
-
- front:
- image: mailu/nginx:$VERSION
- restart: always
- env_file: .env
- ports:
- - "$BIND_ADDRESS4:80:80"
- - "$BIND_ADDRESS4:443:443"
- - "$BIND_ADDRESS4:110:110"
- - "$BIND_ADDRESS4:143:143"
- - "$BIND_ADDRESS4:993:993"
- - "$BIND_ADDRESS4:995:995"
- - "$BIND_ADDRESS4:25:25"
- - "$BIND_ADDRESS4:465:465"
- - "$BIND_ADDRESS4:587:587"
- volumes:
- - "$ROOT/certs:/certs"
-
- redis:
- image: redis:alpine
- restart: always
- volumes:
- - "$ROOT/redis:/data"
-
- imap:
- image: mailu/dovecot:$VERSION
- restart: always
- env_file: .env
- volumes:
- - "$ROOT/data:/data"
- - "$ROOT/mail:/mail"
- - "$ROOT/overrides:/overrides"
- depends_on:
- - front
-
- smtp:
- image: mailu/postfix:$VERSION
- restart: always
- env_file: .env
- volumes:
- - "$ROOT/data:/data"
- - "$ROOT/overrides:/overrides"
- depends_on:
- - front
-
- antispam:
- image: mailu/rspamd:$VERSION
- restart: always
- env_file: .env
- volumes:
- - "$ROOT/filter:/var/lib/rspamd"
- - "$ROOT/dkim:/dkim"
- - "$ROOT/overrides/rspamd:/etc/rspamd/override.d"
- depends_on:
- - front
-
- antivirus:
- image: mailu/$ANTIVIRUS:$VERSION
- restart: always
- env_file: .env
- volumes:
- - "$ROOT/filter:/data"
-
- webdav:
- image: mailu/$WEBDAV:$VERSION
- restart: always
- env_file: .env
- volumes:
- - "$ROOT/dav:/data"
-
- admin:
- image: mailu/admin:$VERSION
- restart: always
- env_file: .env
- volumes:
- - "$ROOT/data:/data"
- - "$ROOT/dkim:/dkim"
- - /var/run/docker.sock:/var/run/docker.sock:ro
- depends_on:
- - redis
-
- webmail:
- image: "mailu/$WEBMAIL:$VERSION"
- restart: always
- env_file: .env
- volumes:
- - "$ROOT/webmail:/data"
-
- fetchmail:
- image: mailu/fetchmail:$VERSION
- restart: always
- env_file: .env
- volumes:
- - "$ROOT/data:/data"
diff --git a/modules/mail/files/env b/modules/mail/files/env
deleted file mode 100644
index ab79b29..0000000
--- a/modules/mail/files/env
+++ /dev/null
@@ -1,26 +0,0 @@
-ROOT=/media/persistent
-VERSION=1.5
-DOMAIN=new.tozt.net
-HOSTNAMES=newsmtp.tozt.net
-POSTMASTER=admin
-TLS_FLAVOR=letsencrypt
-AUTH_RATELIMIT=10/minute;1000/hour
-DISABLE_STATISTICS=True
-ADMIN=true
-WEBMAIL=rainloop
-WEBDAV=radicale
-ANTIVIRUS=none
-MESSAGE_SIZE_LIMIT=50000000
-RELAYNETS=172.16.0.0/12
-RELAYHOST=
-FETCHMAIL_DELAY=600
-RECIPIENT_DELIMITER=+
-DMARC_RUA=admin
-DMARC_RUF=admin
-WELCOME=false
-WEB_ADMIN=/admin
-WEB_WEBMAIL=/webmail
-SITENAME=tozt.net
-WEBSITE=https://tozt.net/
-COMPOSE_PROJECT_NAME=mailu
-PASSWORD_SCHEME=SHA512-CRYPT
diff --git a/modules/mail/files/mailu.env b/modules/mail/files/mailu.env
new file mode 100644
index 0000000..2b58dae
--- /dev/null
+++ b/modules/mail/files/mailu.env
@@ -0,0 +1,159 @@
+# Mailu main configuration file
+#
+# Generated for compose flavor
+#
+# This file is autogenerated by the configuration management wizard.
+# For a detailed list of configuration variables, see the documentation at
+# https://mailu.io
+
+###################################
+# Common configuration variables
+###################################
+
+# Set this to the path where Mailu data and configuration is stored
+# This variable is now set directly in `docker-compose.yml by the setup utility
+# ROOT=/media/persistent
+
+# Mailu version to run (1.0, 1.1, etc. or master)
+#VERSION=1.6
+
+# Set to a randomly generated 16 bytes string
+SECRET_KEY=KBLWPEM0GW3950ET
+
+# Address where listening ports should bind
+# This variables are now set directly in `docker-compose.yml by the setup utility
+# PUBLIC_IPV4= 127.0.0.1 (default: 127.0.0.1)
+# PUBLIC_IPV6= ::1 (default: ::1)
+
+# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
+SUBNET=192.168.203.0/24
+
+# Main mail domain
+DOMAIN=new.tozt.net
+
+# Hostnames for this server, separated with comas
+HOSTNAMES=newsmtp.tozt.net
+
+# Postmaster local part (will append the main mail domain)
+POSTMASTER=admin
+
+# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
+TLS_FLAVOR=letsencrypt
+
+# Authentication rate limit (per source IP address)
+AUTH_RATELIMIT=10/minute;1000/hour
+
+# Opt-out of statistics, replace with "True" to opt out
+DISABLE_STATISTICS=True
+
+###################################
+# Optional features
+###################################
+
+# Expose the admin interface (value: true, false)
+ADMIN=true
+
+# Choose which webmail to run if any (values: roundcube, rainloop, none)
+WEBMAIL=rainloop
+
+# Dav server implementation (value: radicale, none)
+WEBDAV=radicale
+
+# Antivirus solution (value: clamav, none)
+#ANTIVIRUS=none
+
+#Antispam solution
+ANTISPAM=none
+
+###################################
+# Mail settings
+###################################
+
+# Message size limit in bytes
+# Default: accept messages up to 50MB
+# Max attachment size will be 33% smaller
+MESSAGE_SIZE_LIMIT=50000000
+
+# Networks granted relay permissions
+# Use this with care, all hosts in this networks will be able to send mail without authentication!
+RELAYNETS=
+
+# Will relay all outgoing mails if configured
+RELAYHOST=
+
+# Fetchmail delay
+FETCHMAIL_DELAY=600
+
+# Recipient delimiter, character used to delimiter localpart from custom address part
+RECIPIENT_DELIMITER=+
+
+# DMARC rua and ruf email
+DMARC_RUA=admin
+DMARC_RUF=admin
+
+# Welcome email, enable and set a topic and body if you wish to send welcome
+# emails to all users.
+WELCOME=false
+WELCOME_SUBJECT=Welcome to your new email account
+WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!
+
+# Maildir Compression
+# choose compression-method, default: none (value: bz2, gz)
+COMPRESSION=
+# change compression-level, default: 6 (value: 1-9)
+COMPRESSION_LEVEL=
+
+###################################
+# Web settings
+###################################
+
+# Path to redirect / to
+WEBROOT_REDIRECT=/webmail
+
+# Path to the admin interface if enabled
+WEB_ADMIN=/admin
+
+# Path to the webmail if enabled
+WEB_WEBMAIL=/webmail
+
+# Website name
+SITENAME=tozt.net
+
+# Linked Website URL
+WEBSITE=https://tozt.net
+
+
+
+###################################
+# Advanced settings
+###################################
+
+# Log driver for front service. Possible values:
+# json-file (default)
+# journald (On systemd platforms, useful for Fail2Ban integration)
+# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
+# LOG_DRIVER=json-file
+
+# Docker-compose project name, this will prepended to containers names.
+COMPOSE_PROJECT_NAME=mailu
+
+# Default password scheme used for newly created accounts and changed passwords
+# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
+PASSWORD_SCHEME=BLF-CRYPT
+
+# Header to take the real ip from
+REAL_IP_HEADER=
+
+# IPs for nginx set_real_ip_from (CIDR list separated by commas)
+REAL_IP_FROM=
+
+# choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
+REJECT_UNLISTED_RECIPIENT=
+
+# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
+LOG_LEVEL=WARNING
+
+###################################
+# Database settings
+###################################
+DB_FLAVOR=sqlite
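Review bot: `SECRET_KEY=KBLWPEM0GW3950ET` on line 222 checks a live-looking secret into the module, while `mailu.pp` already appends the machine-generated `/media/persistent/secret-key` to the same file, so the variable ends up defined twice and which value Mailu uses depends on how the env file is parsed (presumably last wins, which is not something to rely on). Leave the key out of the checked-in file, e.g. replace line 222 with `# SECRET_KEY is appended from /media/persistent/secret-key by Exec["create env file"]`, and treat the committed value as exposed since it now lives in repository history. The empty `RELAYNETS=` on line 280 is the safe default given the warning above it; the previous `172.16.0.0/12` value was dropped deliberately, I assume.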
diff --git a/modules/mail/files/service b/modules/mail/files/mailu.service
index 2c3712e..2c3712e 100644
--- a/modules/mail/files/service
+++ b/modules/mail/files/mailu.service
diff --git a/modules/mail/manifests/mailu.pp b/modules/mail/manifests/mailu.pp
index dd53440..3aead66 100644
--- a/modules/mail/manifests/mailu.pp
+++ b/modules/mail/manifests/mailu.pp
@@ -3,52 +3,13 @@ class mail::mailu {
include docker
include haveged
- package { "opendkim":
- ensure => installed;
- }
-
file {
"/media/persistent/docker-compose.yml":
- source => "puppet:///modules/mail/docker-compose.yml",
- require => Class["mail::persistent"];
- "/media/persistent/.env.tmpl":
- source => "puppet:///modules/mail/env",
- require => Class["mail::persistent"];
- "/media/persistent/certs":
- ensure => directory,
- require => Class["mail::persistent"];
- "/media/persistent/dkim":
- ensure => directory,
+ content => template("mail/docker-compose.yml.erb"),
require => Class["mail::persistent"];
- "/media/persistent/certs/dhparam.pem":
- source => "puppet:///modules/mail/dhparam.pem",
- require => File["/media/persistent/certs"];
- "/media/persistent/overrides":
- ensure => directory,
+ "/media/persistent/.env.common":
+ content => "puppet:///modules/mail/mailu.env",
require => Class["mail::persistent"];
- "/media/persistent/overrides/rspamd":
- ensure => directory,
- require => File["/media/persistent/overrides"];
- "/media/persistent/overrides/rspamd/dkim_signing.conf":
- source => "puppet:///modules/mail/dkim_signing.conf",
- require => File["/media/persistent/overrides/rspamd"];
- }
-
- exec { "generate dkim keys":
- provider => shell,
- command => "
- opendkim-genkey -s dkim -d new.tozt.net
- mv dkim.private /media/persistent/dkim/new.tozt.net.dkim.key
- mv dkim.txt /media/persistent/dkim/new.tozt.net.dkim.pub
- ",
- cwd => "/media/persistent",
- creates => "/media/persistent/dkim/new.tozt.net.dkim.key",
- require => [
- Class["haveged"],
- Package["opendkim"],
- Class["mail::persistent"],
- File["/media/persistent/dkim"],
- ];
}
exec { "generate mailu secret key":
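Review bot: `content => "puppet:///modules/mail/mailu.env"` on line 396 writes that literal URL string as the body of `/media/persistent/.env.common` instead of the module file; `content` takes the file contents, `source` takes the puppet:// URL, so it should read `source => "puppet:///modules/mail/mailu.env",`. The `docker-compose.yml` resource just above correctly uses `content => template(...)`, which is probably where the mix-up came from. The class `mail::mailu` begins before this hunk and continues after it.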
@@ -63,29 +24,18 @@ class mail::mailu {
]
}
- exec { "find local ip address":
- provider => shell,
- command => "echo BIND_ADDRESS4=`curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address` > /run/mailu_bind_address",
- creates => "/run/mailu_bind_address";
- }
-
exec { "create env file":
provider => shell,
- command => "cat /media/persistent/.env.tmpl /media/persistent/secret-key /run/mailu_bind_address > /media/persistent/.env",
- unless => "
- test -f /media/persistent/.env &&\
- test -f /run/mailu_bind_address &&\
- grep -F `cat /run/mailu_bind_address` /media/persistent/.env
- ",
+ command => "cat /media/persistent/.env.common /media/persistent/secret-key > /media/persistent/mailu.env",
+ creates => "/media/persistent/mailu.env",
subscribe => [
Exec["generate mailu secret key"],
- Exec["find local ip address"],
File["/media/persistent/.env.tmpl"],
];
}
file { "/etc/systemd/system/mailu.service":
- source => "puppet:///modules/mail/service",
+ source => "puppet:///modules/mail/mailu.service",
notify => Exec["/usr/bin/systemctl daemon-reload"];
}
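Review bot: `File["/media/persistent/.env.tmpl"]` on line 445 still subscribes to the resource this commit removes, so the catalog will fail to compile with an unresolved reference; it should be `File["/media/persistent/.env.common"],`. Separately, swapping the old `unless` grep for `creates => "/media/persistent/mailu.env"` means, as far as I know, that a refresh triggered by a new `.env.common` or regenerated secret key is still gated by the `creates` check and will not rebuild `mailu.env` once it exists — consider `refreshonly => true` with the subscribe instead of `creates`, or an `unless` that compares the inputs to the output. The `generate mailu secret key` exec that feeds this one starts above the hunk.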
diff --git a/modules/mail/templates/docker-compose.yml.erb b/modules/mail/templates/docker-compose.yml.erb
new file mode 100644
index 0000000..75f4836
--- /dev/null
+++ b/modules/mail/templates/docker-compose.yml.erb
@@ -0,0 +1,118 @@
+# This file is auto-generated by the Mailu configuration wizard.
+# Please read the documentation before attempting any change.
+# Generated for compose flavor
+
+version: '3.6'
+
+services:
+
+ # External dependencies
+ redis:
+ image: redis:alpine
+ restart: always
+ volumes:
+ - "/media/persistent/redis:/data"
+
+ # Core services
+ front:
+ image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}nginx:${MAILU_VERSION:-1.6}
+ restart: always
+ env_file: mailu.env
+ logging:
+ driver: json-file
+ ports:
+ - "<%= @bind_address %>:80:80"
+ - "<%= @bind_address %>:443:443"
+ - "<%= @bind_address %>:25:25"
+ - "<%= @bind_address %>:465:465"
+ - "<%= @bind_address %>:587:587"
+ - "<%= @bind_address %>:110:110"
+ - "<%= @bind_address %>:995:995"
+ - "<%= @bind_address %>:143:143"
+ - "<%= @bind_address %>:993:993"
+ volumes:
+ - "/media/persistent/certs:/certs"
+ - "/media/persistent/overrides/nginx:/overrides"
+
+ resolver:
+ image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-1.6}
+ env_file: mailu.env
+ restart: always
+ networks:
+ default:
+ ipv4_address: 192.168.203.254
+
+ admin:
+ image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-1.6}
+ restart: always
+ env_file: mailu.env
+ volumes:
+ - "/media/persistent/data:/data"
+ - "/media/persistent/dkim:/dkim"
+ depends_on:
+ - redis
+
+ imap:
+ image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-1.6}
+ restart: always
+ env_file: mailu.env
+ volumes:
+ - "/media/persistent/mail:/mail"
+ - "/media/persistent/overrides:/overrides"
+ depends_on:
+ - front
+
+ smtp:
+ image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-1.6}
+ restart: always
+ env_file: mailu.env
+ volumes:
+ - "/media/persistent/overrides:/overrides"
+ depends_on:
+ - front
+ - resolver
+ dns:
+ - 192.168.203.254
+
+ antispam:
+ image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-1.6}
+ restart: always
+ env_file: mailu.env
+ volumes:
+ - "/media/persistent/filter:/var/lib/rspamd"
+ - "/media/persistent/dkim:/dkim"
+ - "/media/persistent/overrides/rspamd:/etc/rspamd/override.d"
+ depends_on:
+ - front
+ - resolver
+ dns:
+ - 192.168.203.254
+
+ # Optional services
+
+ webdav:
+ image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}radicale:${MAILU_VERSION:-1.6}
+ restart: always
+ env_file: mailu.env
+ volumes:
+ - "/media/persistent/dav:/data"
+
+
+ # Webmail
+ webmail:
+ image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rainloop:${MAILU_VERSION:-1.6}
+ restart: always
+ env_file: mailu.env
+ volumes:
+ - "/media/persistent/webmail:/data"
+ depends_on:
+ - imap
+
+
+networks:
+ default:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 192.168.203.0/24
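Review bot: every `front` port on lines 482-490 is prefixed with `<%= @bind_address %>` and nothing guards the case where the `bind_address` fact is absent or empty, in which case the template renders `":80:80"` — presumably a malformed mapping compose rejects, and at best one that no longer pins the listeners to the public address the fact was meant to supply. Fail the catalog rather than render a broken file: `<% raise "bind_address fact is not set" if @bind_address.to_s.empty? %>` at the top of the template. The resolver address `192.168.203.254` and the `subnet` on line 576 must also stay in step with `SUBNET=192.168.203.0/24` in mailu.env; a comment `# must match SUBNET in mailu.env` above the `networks:` block would make that coupling visible.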