author | Jesse Luehrs <doy@tozt.net> | 2018-12-05 06:32:38 -0500 |
---|---|---|
committer | Jesse Luehrs <doy@tozt.net> | 2018-12-05 06:32:38 -0500 |
commit | 59715baf043453027d91172aedda60228101f4fc (patch) | |
tree | 189b8b2e5f1ed1608ad425e788e11109728d5aa3 /modules/mail | |
parent | aceaedaa9361951848cb3b5e8a7207611a1be90e (diff) | |
start trying to migrate mail into the main puppet config
Diffstat (limited to 'modules/mail')
-rw-r--r-- | modules/mail/files/dhparam.pem | 13 | ||||
-rw-r--r-- | modules/mail/files/dkim_signing.conf | 1 | ||||
-rw-r--r-- | modules/mail/files/docker-compose.yml | 97 | ||||
-rw-r--r-- | modules/mail/files/env | 26 | ||||
-rw-r--r-- | modules/mail/files/service | 8 | ||||
-rw-r--r-- | modules/mail/manifests/mailu.pp | 100 | ||||
-rw-r--r-- | modules/mail/manifests/persistent.pp | 27 | ||||
-rw-r--r-- | modules/mail/manifests/services.pp | 3 |
8 files changed, 275 insertions, 0 deletions
diff --git a/modules/mail/files/dhparam.pem b/modules/mail/files/dhparam.pem
new file mode 100644
index 0000000..bb54913
--- /dev/null
+++ b/modules/mail/files/dhparam.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA7AdtK45QmalmavuKKleQB98HE03rd9I0RarkQLnVyQ9CKTQY6sqr
+1TmWf6nzEU6ALnToanaTX30R30p28mz9pNbSK942wR8Gkiz22BTRNl3sykbAwvHA
+e5ZM51w7OY3LOPTa1YT2P2grnu4H39oujN4SrzdQxzKGgOQVacYAsavRwh4v7VgI
+grqbe1IjNHdsNhM7h+5DlXGMhNtMdH9dGkW/LiQvHGencbfK+2VmoJHoa2J3UgVE
+bizm9UHFXcWd2duVAFVQZx9PgOL6xIPtBTN6If45B+4nsrYFr/GsXk/DCtSTI9rP
+VEYEpGFgOz5gLFQJO+QySpRgkeQlge+WiC7XbRd1owrY7GuM3jSSVKFTGrhKa1wG
+DbGSD97OeI1aCgOKWFk3CBe5ezq0JvkeRbrE3Y4Y3/y4pY+mKf0Xd65acRf7E0th
+OiI9gNOBdQQ5FlZSHvxxJg5gpNLmytjMEHMLRbSLON6nxNyRF/m0rIKrdSnmhYiI
+nBQbq4u2wKtN4I4yvuSUD9NqQVZXYk9RH2agW7SovGWHlteYVmKdBWq7iZjcuWT2
+15S5kdv3rnUs3F955PTbDfDkf2nlNcghEqYvLXggzptH27HcO/RWFuDd1lxkeKv1
+H+b4OBHlywZEon13wf0ktj7Xg4GqN0tfbr3koIHaTvYC9CGmFaAhEAsCAQI=
+-----END DH PARAMETERS-----
diff --git a/modules/mail/files/dkim_signing.conf b/modules/mail/files/dkim_signing.conf
new file mode 100644
index 0000000..b1ddead
--- /dev/null
+++ b/modules/mail/files/dkim_signing.conf
@@ -0,0 +1 @@
+use_esld = false;
diff --git a/modules/mail/files/docker-compose.yml b/modules/mail/files/docker-compose.yml
new file mode 100644
index 0000000..747ba65
--- /dev/null
+++ b/modules/mail/files/docker-compose.yml
@@ -0,0 +1,97 @@
+version: '2'
+
+services:
+
+ front:
+ image: mailu/nginx:$VERSION
+ restart: always
+ env_file: .env
+ ports:
+ - "$BIND_ADDRESS4:80:80"
+ - "$BIND_ADDRESS4:443:443"
+ - "$BIND_ADDRESS4:110:110"
+ - "$BIND_ADDRESS4:143:143"
+ - "$BIND_ADDRESS4:993:993"
+ - "$BIND_ADDRESS4:995:995"
+ - "$BIND_ADDRESS4:25:25"
+ - "$BIND_ADDRESS4:465:465"
+ - "$BIND_ADDRESS4:587:587"
+ volumes:
+ - "$ROOT/certs:/certs"
+
+ redis:
+ image: redis:alpine
+ restart: always
+ volumes:
+ - "$ROOT/redis:/data"
+
+ imap:
+ image: mailu/dovecot:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/data:/data"
+ - "$ROOT/mail:/mail"
+ - "$ROOT/overrides:/overrides"
+ depends_on:
+ - front
+
+ smtp:
+ image: mailu/postfix:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/data:/data"
+ - "$ROOT/overrides:/overrides"
+ depends_on:
+ - front
+
+ antispam:
+ image: mailu/rspamd:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/filter:/var/lib/rspamd"
+ - "$ROOT/dkim:/dkim"
+ - "$ROOT/overrides/rspamd:/etc/rspamd/override.d"
+ depends_on:
+ - front
+
+ antivirus:
+ image: mailu/$ANTIVIRUS:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/filter:/data"
+
+ webdav:
+ image: mailu/$WEBDAV:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/dav:/data"
+
+ admin:
+ image: mailu/admin:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/data:/data"
+ - "$ROOT/dkim:/dkim"
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ depends_on:
+ - redis
+
+ webmail:
+ image: "mailu/$WEBMAIL:$VERSION"
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/webmail:/data"
+
+ fetchmail:
+ image: mailu/fetchmail:$VERSION
+ restart: always
+ env_file: .env
+ volumes:
+ - "$ROOT/data:/data"
diff --git a/modules/mail/files/env b/modules/mail/files/env
new file mode 100644
index 0000000..ab79b29
--- /dev/null
+++ b/modules/mail/files/env
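Review bot: The `admin` service bind-mounts `/var/run/docker.sock` into the container, which hands that container control of the host Docker daemon and therefore effective root on the host; the `:ro` suffix only makes the bind mount itself read-only and does nothing to restrict API calls made over the socket. Mailu's admin image presumably needs the socket for something in this version (the reason is not visible here), so if it has to stay, treat the admin container as exactly as trusted as the host and consider putting a filtering socket proxy in front of it that exposes only the endpoints admin actually calls. Separately, `redis:alpine` is the one image not pinned through `$VERSION`, so a `docker-compose pull` silently picks up whatever that tag points at on that day; either pin it or add a line such as `# redis deliberately tracks the floating alpine tag` so the next reader knows it is intentional.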
@@ -0,0 +1,26 @@
+ROOT=/media/persistent
+VERSION=1.5
+DOMAIN=new.tozt.net
+HOSTNAMES=newsmtp.tozt.net
+POSTMASTER=admin
+TLS_FLAVOR=letsencrypt
+AUTH_RATELIMIT=10/minute;1000/hour
+DISABLE_STATISTICS=True
+ADMIN=true
+WEBMAIL=rainloop
+WEBDAV=radicale
+ANTIVIRUS=none
+MESSAGE_SIZE_LIMIT=50000000
+RELAYNETS=172.16.0.0/12
+RELAYHOST=
+FETCHMAIL_DELAY=600
+RECIPIENT_DELIMITER=+
+DMARC_RUA=admin
+DMARC_RUF=admin
+WELCOME=false
+WEB_ADMIN=/admin
+WEB_WEBMAIL=/webmail
+SITENAME=tozt.net
+WEBSITE=https://tozt.net/
+COMPOSE_PROJECT_NAME=mailu
+PASSWORD_SCHEME=SHA512-CRYPT
diff --git a/modules/mail/files/service b/modules/mail/files/service
new file mode 100644
index 0000000..f1da3bb
--- /dev/null
+++ b/modules/mail/files/service
@@ -0,0 +1,8 @@
+[Unit]
+Description = runs mailu
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/docker-compose up
+Restart=on-failure
+WorkingDirectory=/media/persistent
diff --git a/modules/mail/manifests/mailu.pp b/modules/mail/manifests/mailu.pp
new file mode 100644
index 0000000..9c61ecb
--- /dev/null
+++ b/modules/mail/manifests/mailu.pp
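Review bot: `RELAYNETS=172.16.0.0/12` allows unauthenticated relaying from the entire 172.16/12 block, which is almost certainly far wider than the single default network compose creates for this project; if the intent is only to let the webmail and admin containers hand mail to `smtp`, narrow it to that network's subnet (or at most the default `172.17.0.0/16` docker bridge) so that any other container or routed private network that happens to land in 172.16/12 cannot use this host as an open relay. The file is only a template — `mail::mailu` appends `SECRET_KEY` and `BIND_ADDRESS4` before it becomes `.env` — which is the right split for the secret, but nothing in the file says so; a first-line comment such as `# template: rendered to /media/persistent/.env by mail::mailu, which appends SECRET_KEY and BIND_ADDRESS4` would stop the next reader from hunting for the missing keys.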
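Review bot: The unit has no `[Install]` section, so nothing wants it at boot and `systemctl enable mailu` reports that the unit has no installation config; depending on the Puppet and systemd versions the `enable => true` on the `mailu` service resource in mail::mailu either errors or silently does nothing, and in both cases the stack does not come back after a reboot. Add `[Install]` / `WantedBy=multi-user.target`. The ordering is also weaker than the unit needs: `docker-compose up` requires the Docker daemon and the `/media/persistent` mount that `WorkingDirectory` points at, so `After=network.target` should become something like `Requires=docker.service`, `After=docker.service network-online.target` plus `RequiresMountsFor=/media/persistent`, otherwise the unit can race the volume mount and fail on first boot. Note that `Restart=on-failure` does not restart a clean exit of `docker-compose up`, which may or may not be what is wanted.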
@@ -0,0 +1,100 @@
+class mail::mailu {
+ include mail::persistent
+ include docker
+ include haveged
+
+ package { "opendkim":
+ ensure => installed;
+ }
+
+ file {
+ "/media/persistent/docker-compose.yml":
+ source => "puppet:///modules/mail/docker-compose.yml",
+ require => Class["mail::persistent"];
+ "/media/persistent/.env.tmpl":
+ source => "puppet:///modules/mail/env",
+ require => Class["mail::persistent"];
+ "/media/persistent/certs":
+ ensure => directory,
+ require => Class["mail::persistent"];
+ "/media/persistent/dkim":
+ ensure => directory,
+ require => Class["mail::persistent"];
+ "/media/persistent/certs/dhparam.pem":
+ source => "puppet:///modules/mail/dhparam.pem",
+ require => File["/media/persistent/certs"];
+ "/media/persistent/overrides":
+ ensure => directory,
+ require => Class["mail::persistent"];
+ "/media/persistent/overrides/rspamd":
+ ensure => directory,
+ require => File["/media/persistent/overrides"];
+ "/media/persistent/overrides/rspamd/dkim_signing.conf":
+ source => "puppet:///modules/mail/dkim_signing.conf",
+ require => File["/media/persistent/overrides/rspamd"];
+ }
+
+ exec { "generate dkim keys":
+ provider => shell,
+ command => "
+ opendkim-genkey -s dkim -d new2.tozt.net
+ mv dkim.private /media/persistent/dkim/new2.tozt.net.dkim.key
+ mv dkim.txt /media/persistent/dkim/new2.tozt.net.dkim.pub
+ ",
+ cwd => "/media/persistent",
+ creates => "/media/persistent/dkim/new2.tozt.net.dkim.key",
+ require => [
+ Class["haveged"],
+ Package["opendkim"],
+ Class["mail::persistent"],
+ File["/media/persistent/dkim"],
+ ];
+ }
+
+ exec { "generate mailu secret key":
+ provider => shell,
+ command => "
+ echo SECRET_KEY=$(dd if=/dev/urandom bs=64 count=1 status=none | base64 -w 0 | cut -b -16) > /media/persistent/secret-key
+ ",
+ creates => "/media/persistent/secret-key",
+ require => [
+ Class["haveged"],
+ Class["mail::persistent"],
+ ]
+ }
+
+ exec { "find local ip address":
+ provider => shell,
+ command => "echo BIND_ADDRESS4=`curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address` > /run/mailu_bind_address",
+ creates => "/run/mailu_bind_address";
+ }
+
+ exec { "create env file":
+ provider => shell,
+ command => "cat /media/persistent/.env.tmpl /media/persistent/secret-key /run/mailu_bind_address > /media/persistent/.env",
+ unless => "
+ test -f /media/persistent/.env &&\
+ test -f /run/mailu_bind_address &&\
+ grep -F `cat /run/mailu_bind_address` /media/persistent/.env
+ ",
+ subscribe => [
+ Exec["generate mailu secret key"],
+ Exec["find local ip address"],
+ File["/media/persistent/.env.tmpl"],
+ ];
+ }
+
+ file { "/etc/systemd/system/mailu.service":
+ source => "puppet:///modules/mail/service";
+ }
+
+ service { "mailu":
+ ensure => running,
+ enable => true,
+ require => [
+ File["/media/persistent/docker-compose.yml"],
+ Exec["create env file"],
+ File["/etc/systemd/system/mailu.service"],
+ ]
+ }
+}
diff --git a/modules/mail/manifests/persistent.pp b/modules/mail/manifests/persistent.pp
new file mode 100644
index 0000000..630047e
--- /dev/null
+++ b/modules/mail/manifests/persistent.pp
@@ -0,0 +1,27 @@
+class mail::persistent {
+ file {
+ "/media":
+ ensure => directory;
+ "/media/persistent":
+ ensure => directory,
+ require => File["/media"];
+ }
+
+ $fstab_line = "/dev/disk/by-id/scsi-0DO_Volume_mail-persistent /media/persistent ext4 rw,relatime 0 2"
+ exec { "populate fstab":
+ provider => shell,
+ command => "echo '${fstab_line}' >> /etc/fstab",
+ unless => "/usr/bin/grep -qF '${fstab_line}' /etc/fstab",
+ require => File["/media/persistent"];
+ }
+
+ exec { "mount /media/persistent":
+ provider => shell,
+ command => "/usr/bin/mount /media/persistent",
+ unless => "grep ' /media/persistent ' /proc/mounts",
+ require => [
+ File["/media/persistent"],
+ Exec["populate fstab"],
+ ];
+ }
+}
diff --git a/modules/mail/manifests/services.pp b/modules/mail/manifests/services.pp
new file mode 100644
index 0000000..ca9f88a
--- /dev/null
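Review bot: `secret-key` and `.env` are written with plain shell redirection, so they inherit the default umask and end up world-readable on the host even though `.env` carries `SECRET_KEY`; prefix both commands with `umask 077;` (e.g. `command => "umask 077; cat /media/persistent/.env.tmpl /media/persistent/secret-key /run/mailu_bind_address > /media/persistent/.env",`) or put a `file { "/media/persistent/.env": mode => "0600" }` resource behind the exec. The "find local ip address" exec runs `curl -s` without `-f` and never inspects the result, so a transient metadata-service failure writes a bare `BIND_ADDRESS4=` into `/run/mailu_bind_address`, `creates` then pins that value until the next reboot, and the `$BIND_ADDRESS4:80:80` style port mappings in the compose file degrade to `:80:80`; `ip=$(curl -sf ...) && test -n "$ip" && echo BIND_ADDRESS4=$ip > /run/mailu_bind_address` fails loudly instead. The DKIM key is generated for `new2.tozt.net` while the env template sets `DOMAIN=new.tozt.net`; if rspamd looks the key up by the signing domain (which `use_esld = false` in the override suggests), the two names need to agree, and `opendkim-genkey` should be given `-b 2048` explicitly rather than relying on its version-dependent default size.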
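Review bot: The fstab entry has no `nofail`, so if the volume is ever detached or renamed the host drops into emergency mode at boot instead of coming up without the mail stack; `rw,relatime,nofail` (optionally with `nosuid,nodev`, since this disk only holds data that is bind-mounted into containers) is the usual choice for a secondary data volume. The `unless` on "populate fstab" matches the exact line, so any later hand edit to the options makes Puppet append a second, conflicting entry for the same mount point; checking for the mount point instead, `unless => "/usr/bin/grep -qF ' /media/persistent ' /etc/fstab",`, is the safer idempotency test. The `DO_Volume` prefix looks like a DigitalOcean block-storage device name; a comment above `$fstab_line` such as `# by-id name is derived from the block-storage volume name "mail-persistent"` would record where it comes from.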
+++ b/modules/mail/manifests/services.pp
@@ -0,0 +1,3 @@
+class mail::services {
+ include fail2ban
+}
|