authorJesse Luehrs <doy@tozt.net>2018-12-05 06:32:38 -0500
committerJesse Luehrs <doy@tozt.net>2018-12-05 06:32:38 -0500
commit59715baf043453027d91172aedda60228101f4fc (patch)
tree189b8b2e5f1ed1608ad425e788e11109728d5aa3 /modules/mail
parentaceaedaa9361951848cb3b5e8a7207611a1be90e (diff)
start trying to migrate mail into the main puppet config
Diffstat (limited to 'modules/mail')
-rw-r--r--modules/mail/files/dhparam.pem13
-rw-r--r--modules/mail/files/dkim_signing.conf1
-rw-r--r--modules/mail/files/docker-compose.yml97
-rw-r--r--modules/mail/files/env26
-rw-r--r--modules/mail/files/service8
-rw-r--r--modules/mail/manifests/mailu.pp100
-rw-r--r--modules/mail/manifests/persistent.pp27
-rw-r--r--modules/mail/manifests/services.pp3
8 files changed, 275 insertions, 0 deletions
diff --git a/modules/mail/files/dhparam.pem b/modules/mail/files/dhparam.pem
new file mode 100644
index 0000000..bb54913
--- /dev/null
+++ b/modules/mail/files/dhparam.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----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=
+-----END DH PARAMETERS-----
diff --git a/modules/mail/files/dkim_signing.conf b/modules/mail/files/dkim_signing.conf
new file mode 100644
index 0000000..b1ddead
--- /dev/null
+++ b/modules/mail/files/dkim_signing.conf
@@ -0,0 +1 @@
+use_esld = false;
diff --git a/modules/mail/files/docker-compose.yml b/modules/mail/files/docker-compose.yml
new file mode 100644
index 0000000..747ba65
--- /dev/null
+++ b/modules/mail/files/docker-compose.yml
@@ -0,0 +1,97 @@
+version: '2'
+
+services:
+
+ front:
+ image: mailu/nginx:$VERSION
+ restart: always
+ env_file: .env
+ ports:
+ - "$BIND_ADDRESS4:80:80"
+ - "$BIND_ADDRESS4:443:443"
+ - "$BIND_ADDRESS4:110:110"
+ - "$BIND_ADDRESS4:143:143"
+ - "$BIND_ADDRESS4:993:993"
+ - "$BIND_ADDRESS4:995:995"
+ - "$BIND_ADDRESS4:25:25"
+ - "$BIND_ADDRESS4:465:465"
+ - "$BIND_ADDRESS4:587:587"
+ volumes:
+ - "$ROOT/certs:/certs"
+
+ redis:
+ image: redis:alpine
+ restart: always
+ volumes:
+ - "$ROOT/redis:/data"
+
+ imap:
+ image: mailu/dovecot:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/data:/data"
+ - "$ROOT/mail:/mail"
+ - "$ROOT/overrides:/overrides"
+ depends_on:
+ - front
+
+ smtp:
+ image: mailu/postfix:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/data:/data"
+ - "$ROOT/overrides:/overrides"
+ depends_on:
+ - front
+
+ antispam:
+ image: mailu/rspamd:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/filter:/var/lib/rspamd"
+ - "$ROOT/dkim:/dkim"
+ - "$ROOT/overrides/rspamd:/etc/rspamd/override.d"
+ depends_on:
+ - front
+
+ antivirus:
+ image: mailu/$ANTIVIRUS:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/filter:/data"
+
+ webdav:
+ image: mailu/$WEBDAV:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/dav:/data"
+
+ admin:
+ image: mailu/admin:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/data:/data"
+ - "$ROOT/dkim:/dkim"
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ depends_on:
+ - redis
+
+ webmail:
+ image: "mailu/$WEBMAIL:$VERSION"
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/webmail:/data"
+
+ fetchmail:
+ image: mailu/fetchmail:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/data:/data"
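Review bot: The `admin` service mounts `/var/run/docker.sock`, and the `:ro` suffix only makes the socket node read-only on the bind mount; it does not restrict the API calls the container can issue over it, so a compromise of the admin container is effectively a compromise of the host. If the Mailu admin image needs the socket (presumably to manage the other containers), record that above the line, e.g. `# docker.sock grants admin control of the daemon; :ro does not limit the API`, so the trust placed in that image is visible to the next reader; if it does not need it, drop the mount.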
diff --git a/modules/mail/files/env b/modules/mail/files/env
new file mode 100644
index 0000000..ab79b29
--- /dev/null
+++ b/modules/mail/files/env
@@ -0,0 +1,26 @@
+ROOT=/media/persistent
+VERSION=1.5
+DOMAIN=new.tozt.net
+HOSTNAMES=newsmtp.tozt.net
+POSTMASTER=admin
+TLS_FLAVOR=letsencrypt
+AUTH_RATELIMIT=10/minute;1000/hour
+DISABLE_STATISTICS=True
+ADMIN=true
+WEBMAIL=rainloop
+WEBDAV=radicale
+ANTIVIRUS=none
+MESSAGE_SIZE_LIMIT=50000000
+RELAYNETS=172.16.0.0/12
+RELAYHOST=
+FETCHMAIL_DELAY=600
+RECIPIENT_DELIMITER=+
+DMARC_RUA=admin
+DMARC_RUF=admin
+WELCOME=false
+WEB_ADMIN=/admin
+WEB_WEBMAIL=/webmail
+SITENAME=tozt.net
+WEBSITE=https://tozt.net/
+COMPOSE_PROJECT_NAME=mailu
+PASSWORD_SCHEME=SHA512-CRYPT
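Review bot: `RELAYNETS=172.16.0.0/12` allows unauthenticated relaying from the whole RFC 1918 172.16/12 range, not only from this compose project's network. On a host where only Docker uses that range this is the usual Mailu setting, but any other interface or peer that falls inside 172.16.0.0/12 could relay through this server; narrowing it to the actual Docker subnet, or adding a comment above the line recording why the full /12 is needed, would make the intent reviewable.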
diff --git a/modules/mail/files/service b/modules/mail/files/service
new file mode 100644
index 0000000..f1da3bb
--- /dev/null
+++ b/modules/mail/files/service
@@ -0,0 +1,8 @@
+[Unit]
+Description = runs mailu
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/docker-compose up
+Restart=on-failure
+WorkingDirectory=/media/persistent
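Review bot: The unit orders itself only `After=network.target`, yet `ExecStart` runs `/usr/local/bin/docker-compose up` against the Docker daemon with `WorkingDirectory=/media/persistent`, which is the fstab-mounted volume set up in `mail::persistent`; at boot it can start before either is ready, and `Restart=on-failure` will then just cycle it. Declaring the dependencies — `After=network.target docker.service`, `Requires=docker.service`, `RequiresMountsFor=/media/persistent` — lets systemd hold the service until the daemon and the data volume are up, and keeps it from bringing Mailu up on the bare mount point when the volume is missing.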
diff --git a/modules/mail/manifests/mailu.pp b/modules/mail/manifests/mailu.pp
new file mode 100644
index 0000000..9c61ecb
--- /dev/null
+++ b/modules/mail/manifests/mailu.pp
@@ -0,0 +1,100 @@
+class mail::mailu {
+ include mail::persistent
+ include docker
+ include haveged
+
+ package { "opendkim":
+ ensure => installed;
+ }
+
+ file {
+ "/media/persistent/docker-compose.yml":
+ source => "puppet:///modules/mail/docker-compose.yml",
+ require => Class["mail::persistent"];
+ "/media/persistent/.env.tmpl":
+ source => "puppet:///modules/mail/env",
+ require => Class["mail::persistent"];
+ "/media/persistent/certs":
+ ensure => directory,
+ require => Class["mail::persistent"];
+ "/media/persistent/dkim":
+ ensure => directory,
+ require => Class["mail::persistent"];
+ "/media/persistent/certs/dhparam.pem":
+ source => "puppet:///modules/mail/dhparam.pem",
+ require => File["/media/persistent/certs"];
+ "/media/persistent/overrides":
+ ensure => directory,
+ require => Class["mail::persistent"];
+ "/media/persistent/overrides/rspamd":
+ ensure => directory,
+ require => File["/media/persistent/overrides"];
+ "/media/persistent/overrides/rspamd/dkim_signing.conf":
+ source => "puppet:///modules/mail/dkim_signing.conf",
+ require => File["/media/persistent/overrides/rspamd"];
+ }
+
+ exec { "generate dkim keys":
+ provider => shell,
+ command => "
+ opendkim-genkey -s dkim -d new2.tozt.net
+ mv dkim.private /media/persistent/dkim/new2.tozt.net.dkim.key
+ mv dkim.txt /media/persistent/dkim/new2.tozt.net.dkim.pub
+ ",
+ cwd => "/media/persistent",
+ creates => "/media/persistent/dkim/new2.tozt.net.dkim.key",
+ require => [
+ Class["haveged"],
+ Package["opendkim"],
+ Class["mail::persistent"],
+ File["/media/persistent/dkim"],
+ ];
+ }
+
+ exec { "generate mailu secret key":
+ provider => shell,
+ command => "
+ echo SECRET_KEY=$(dd if=/dev/urandom bs=64 count=1 status=none | base64 -w 0 | cut -b -16) > /media/persistent/secret-key
+ ",
+ creates => "/media/persistent/secret-key",
+ require => [
+ Class["haveged"],
+ Class["mail::persistent"],
+ ]
+ }
+
+ exec { "find local ip address":
+ provider => shell,
+ command => "echo BIND_ADDRESS4=`curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address` > /run/mailu_bind_address",
+ creates => "/run/mailu_bind_address";
+ }
+
+ exec { "create env file":
+ provider => shell,
+ command => "cat /media/persistent/.env.tmpl /media/persistent/secret-key /run/mailu_bind_address > /media/persistent/.env",
+ unless => "
+ test -f /media/persistent/.env &&\
+ test -f /run/mailu_bind_address &&\
+ grep -F `cat /run/mailu_bind_address` /media/persistent/.env
+ ",
+ subscribe => [
+ Exec["generate mailu secret key"],
+ Exec["find local ip address"],
+ File["/media/persistent/.env.tmpl"],
+ ];
+ }
+
+ file { "/etc/systemd/system/mailu.service":
+ source => "puppet:///modules/mail/service";
+ }
+
+ service { "mailu":
+ ensure => running,
+ enable => true,
+ require => [
+ File["/media/persistent/docker-compose.yml"],
+ Exec["create env file"],
+ File["/etc/systemd/system/mailu.service"],
+ ]
+ }
+}
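Review bot: The `create env file` exec writes `/media/persistent/.env`, which carries the generated `SECRET_KEY`, with the process's default umask, so that file (and `/media/persistent/secret-key` from `generate mailu secret key`) is most likely world-readable on a volume that is also bind-mounted into the containers; prefixing both commands with `umask 077; `, e.g. `command => "umask 077; cat /media/persistent/.env.tmpl /media/persistent/secret-key /run/mailu_bind_address > /media/persistent/.env"`, keeps the secret to root. Separately, `find local ip address` runs `curl -s` without `-f`, so a failed metadata lookup still creates `/run/mailu_bind_address` containing an empty `BIND_ADDRESS4=`; `creates` then treats the step as done, the port lines in docker-compose.yml lose their bind address, and the `unless` of `create env file` no longer works as intended because the empty backtick expansion leaves `grep -F` with the .env path as its pattern — `curl -sf` plus `set -e` in that command would leave the file absent and let Puppet retry. Also the DKIM key is generated for `new2.tozt.net` while `files/env` sets `DOMAIN=new.tozt.net`; if that is deliberate, a comment on the exec naming the domain the key serves would save the next reader the same question.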
diff --git a/modules/mail/manifests/persistent.pp b/modules/mail/manifests/persistent.pp
new file mode 100644
index 0000000..630047e
--- /dev/null
+++ b/modules/mail/manifests/persistent.pp
@@ -0,0 +1,27 @@
+class mail::persistent {
+ file {
+ "/media":
+ ensure => directory;
+ "/media/persistent":
+ ensure => directory,
+ require => File["/media"];
+ }
+
+ $fstab_line = "/dev/disk/by-id/scsi-0DO_Volume_mail-persistent /media/persistent ext4 rw,relatime 0 2"
+ exec { "populate fstab":
+ provider => shell,
+ command => "echo '${fstab_line}' >> /etc/fstab",
+ unless => "/usr/bin/grep -qF '${fstab_line}' /etc/fstab",
+ require => File["/media/persistent"];
+ }
+
+ exec { "mount /media/persistent":
+ provider => shell,
+ command => "/usr/bin/mount /media/persistent",
+ unless => "grep ' /media/persistent ' /proc/mounts",
+ require => [
+ File["/media/persistent"],
+ Exec["populate fstab"],
+ ];
+ }
+}
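Review bot: The two `unless` checks are written inconsistently: `populate fstab` uses `/usr/bin/grep -qF`, while `mount /media/persistent` uses bare `grep` without `-q`, and the mount command itself is spelled `/usr/bin/mount`. Under `provider => shell` both forms work, but one convention, e.g. `unless => "grep -qF ' /media/persistent ' /proc/mounts"`, keeps the class uniform and `-q` avoids echoing the matched line.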
diff --git a/modules/mail/manifests/services.pp b/modules/mail/manifests/services.pp
new file mode 100644
index 0000000..ca9f88a
--- /dev/null
+++ b/modules/mail/manifests/services.pp
@@ -0,0 +1,3 @@
+class mail::services {
+ include fail2ban
+}