This commit is contained in:
bee
2026-05-24 19:38:38 +02:00
parent 8c66580dab
commit 366a8cc197
35 changed files with 998 additions and 372 deletions
Binary file not shown.
-42
@@ -1,42 +0,0 @@
- name: Nginx
hosts: pi
become: true
vars:
uplink_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
34333036613062353533333364656363343539376463343762663637353634313533353164376262
3931346362356333616234336635326330333836623932390a646264393563633234393863303730
32313462313063613866653939313431356434373962613738653835316461636633346139326166
3232616234353765370a303731346238313131666263613462656633363730383437626130653564
31656261666436376236333865643532353035316634313231653333646338373636
anope_oper_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
65386331633238633231643964613965633661633038386664326538333538356462653638633164
3032373430663534383563383865333438643263653362320a303833306237363163613235313836
35306131646163623636666234663137393564626262303933366139613262303766306534396565
6638656464616335310a363938646236313164316561303364393839663930663062386166613736
31326264663135313337393362396562663439616331386138633532343662626134
tasks:
- name: Copy services
ansible.builtin.template:
src: services.conf.j2
dest: /home/anope/services/conf
owner: anope
group: anope
mode: '0644'
- name: Copy nickserv
ansible.builtin.copy:
src: nickserv.conf
dest: /home/anope/services/conf
owner: anope
group: anope
mode: '0644'
- name: Copy modules
ansible.builtin.copy:
src: modules.conf
dest: /home/anope/services/conf
owner: anope
group: anope
mode: '0644'
-27
@@ -1,27 +0,0 @@
module { name = "help" }
module
{
name = "m_helpchan"
helpchannel = "#help"
}
module { name = "m_regex_pcre2" }
module { name = "m_regex_posix" }
module { name = "m_regex_tre" }
module { name = "m_rewrite" }
command
{
service = "ChanServ"; name = "CLEAR"; command = "rewrite"
rewrite = yes
rewrite_source = "CLEAR $ USERS"
rewrite_target = "KICK $1 *"
rewrite_description = "Clears all users from a channel"
}
module
{
name = "m_sasl"
agent = "NickServ"
}
-665
@@ -1,665 +0,0 @@
service
{
/*
* The name of the NickServ client.
* If you change this value, you probably want to change the client directive in the configuration for the nickserv module too.
*/
nick = "NickServ"
/*
* The username of the NickServ client.
*/
user = "services"
/*
* The hostname of the NickServ client.
*/
host = "services.host"
/*
* The realname of the NickServ client.
*/
gecos = "Nickname Registration Service"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core NickServ module.
*
* Provides essential functionality for NickServ.
*/
module
{
name = "nickserv"
/*
* The name of the client that should be NickServ.
*/
client = "NickServ"
/*
* Force users to give an e-mail address when they register a nick.
*
* This directive defaults to "yes" and is recommended to be enabled.
*/
forceemail = no
/*
* Require users who change their email address to confirm they
* own their new email.
*/
confirmemailchanges = no
/*
* A message sent to users on connect if they use an unregistered nick. %n will be replaced with the user's nickname.
*
* This directive is optional.
*/
#unregistered_notice = "Your nickname is not registered. To register it, use: /msg NickServ REGISTER password email"
/*
* The default options for newly registered nicks. Note that changing these options
* will have no effect on nicks which are already registered. The list must be separated
* by spaces.
*
* The options are:
* - killprotect: Kill nick if not identified within 60 seconds
* - kill_quick: Kill nick if not identified within 20 seconds, this one overrides the killprotect
* option and the killprotect option must be specified with this one
* - kill_immed: Kill nick immediately if not identified, this one overrides both the killprotect
* and kill_quick options and the killprotect option must be specified with this one
* - ns_secure: Enable nickname security, requiring the nick's password before any operations
* can be done on it
* - ns_private: Hide the nick from NickServ's LIST command
* - hide_email: Hide the nick's e-mail address from NickServ's INFO command
* - hide_mask: Hide the nick's last or current user@host from NickServ's INFO command
* - hide_status: Hide the nick's services operator access status from NickServ's INFO command
* - hide_quit: Hide the nick's last quit message from NickServ's INFO command
* - memo_signon: Notify user if they have a new memo when they sign into the nick
* - memo_receive: Notify user if they have a new memo as soon as it's received
* - memo_mail: Notify user if they have a new memo by mail
* - autoop: User will be automatically opped in channels they enter and have access to
* - msg: Services messages will be sent as PRIVMSGs instead of NOTICEs, requires
* options:useprivmsg to be enabled as well
* - ns_keep_modes: Enables keepmodes, which retains user modes across sessions
*
* This directive is optional, if left blank, the options will default to ns_secure, memo_signon, and
* memo_receive. If you really want no defaults, use "none" by itself as the option.
*/
defaults = "killprotect ns_secure ns_private hide_email hide_mask memo_signon memo_receive autoop"
/*
* The minimum length of time between consecutive uses of NickServ's REGISTER command. This
* directive is optional, but recommended. If not set, this restriction will be disabled.
*/
regdelay = 30s
/*
* The length of time before a nick's registration expires.
*
* This directive is optional, but recommended. If not set, the default is 21 days.
*/
expire = 21d
/*
* Prevents the use of the ACCESS and CERT (excluding their LIST subcommand), DROP, FORBID, SUSPEND,
* GETPASS and SET PASSWORD commands by services operators on other services operators.
*
* This directive is optional, but recommended.
*/
secureadmins = yes
/*
* If set, Services will set the channel modes a user has access to upon identifying, assuming
* they are not already set.
*
* This directive is optional.
*/
modeonid = yes
/*
* If set, Services will set these user modes on any user who identifies.
*
* This directive is optional.
*/
#modesonid = "+R"
/*
* If set, Services will not show netsplits in the last quit message field
* of NickServ's INFO command.
*/
hidenetsplitquit = no
/*
* If set, is the length of time NickServ's killquick and kill options wait before
* forcing users off of protected nicknames.
*/
killquick = 20s
kill = 60s
/*
* If set, forbids the registration of nicks that contain an existing
* nick with Services access. For example, if Tester is a Services Oper,
* you can't register NewTester or Tester123 unless you are an IRC
* Operator.
*
* NOTE: If you enable this, you will have to be logged in as an IRC
* operator in order to register a Services Root nick when setting up
* Anope for the first time.
*
* This directive is optional.
*/
#restrictopernicks = yes
/*
* The username, and possibly hostname, used for fake users created when Services needs to
* hold a nickname.
*/
enforceruser = "enforcer"
enforcerhost = "services.host"
/*
* The length of time Services hold nicknames.
*
* This directive is optional, but recommended. If not set it defaults to 1 minute.
*/
releasetimeout = 1m
/*
* When a user's nick is forcibly changed to enforce a "nick kill", their new nick will start
* with this value. The rest will be made up of 6 or 7 digits.
* Make sure this is a valid nick and Nicklen+7 is not longer than the allowed Nicklen on your ircd.
*
* This directive is optional. If not set it defaults to "Guest"
*/
guestnickprefix = "Guest"
/*
* If set, Services do not allow ownership of nick names, only ownership of accounts.
*/
nonicknameownership = no
/*
* The maximum length of passwords
*
* This directive is optional. If not set it defaults to 32.
*/
passlen = 32
}
/*
* Core NickServ commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Command group configuration for NickServ.
*
* Commands may optionally be placed into groups to make NickServ's HELP output easier to understand.
* Remove the following groups to use the old behavior of simply listing all NickServ commands from HELP.
*/
command_group
{
name = "nickserv/admin"
description = _("Services Operator commands")
}
/* Give it a help command. */
command { service = "NickServ"; name = "HELP"; command = "generic/help"; }
/*
* ns_access
*
* Provides the command nickserv/access.
*
* Used for configuring what hosts have access to your account.
*/
module
{
name = "ns_access"
/*
* The maximum number of entries allowed on a nickname's access list.
* If not set, the default is 32. This number cannot be set to 0.
*/
accessmax = 32
/*
* If set, Services will add the usermask of registering users to the access list of their
* newly created account. If not set, users will always have to identify to NickServ before
* being recognized, unless they manually add an address to the access list of their account.
* This directive is optional.
*/
addaccessonreg = no
}
command { service = "NickServ"; name = "ACCESS"; command = "nickserv/access"; }
/*
* ns_ajoin
*
* Provides the command nickserv/ajoin.
*
* Used for configuring channels to join once you identify.
*/
module
{
name = "ns_ajoin"
/*
* The maximum number of channels a user can have on NickServ's AJOIN command.
*/
ajoinmax = 10
}
command { service = "NickServ"; name = "AJOIN"; command = "nickserv/ajoin"; }
/*
* ns_alist
*
* Provides the command nickserv/alist.
*
* Used for viewing what channels you have access to.
*/
module { name = "ns_alist" }
command { service = "NickServ"; name = "ALIST"; command = "nickserv/alist"; }
/*
* ns_cert
*
* Provides the command nickserv/cert.
*
* Used for configuring your SSL certificate list, which can be used to automatically identify you.
*/
module
{
name = "ns_cert"
/*
* The maximum number of entries allowed on a nickname's certificate fingerprint list.
* The default is 5. This number cannot be set to 0.
*/
max = 5
}
command { service = "NickServ"; name = "CERT"; command = "nickserv/cert"; }
/*
* ns_drop
*
* Provides the command nickserv/drop.
*
* Used for unregistering names.
*/
module { name = "ns_drop" }
command { service = "NickServ"; name = "DROP"; command = "nickserv/drop"; }
/*
* ns_getemail
*
* Provides the command nickserv/getemail.
*
* Used for getting registered accounts by searching for emails.
*/
module { name = "ns_getemail" }
command { service = "NickServ"; name = "GETEMAIL"; command = "nickserv/getemail"; permission = "nickserv/getemail"; group = "nickserv/admin"; }
/*
* [DEPRECATED] ns_getpass
*
* Provides the command nickserv/getpass.
*
* Used for getting users passwords.
*
* Requires no encryption is being used.
*/
#module { name = "ns_getpass" }
#command { service = "NickServ"; name = "GETPASS"; command = "nickserv/getpass"; permission = "nickserv/getpass"; }
/*
* ns_group
*
* Provides the commands nickserv/group, nickserv/glist, and nickserv/ungroup.
*
* Used for controlling nick groups.
*/
module
{
name = "ns_group"
/*
* The maximum number of nicks allowed in a group.
*
* This directive is optional, but recommended. If not set or set to 0, no limits will be applied.
*/
maxaliases = 16
/*
* If set, the NickServ GROUP command won't allow any group changes. This is recommended to
* prevent users from accidentally dropping their nicks, as it forces users to explicitly
* drop their nicks before adding it to another group.
*
* This directive is optional, but recommended.
*/
nogroupchange = yes
}
command { service = "NickServ"; name = "GLIST"; command = "nickserv/glist"; }
command { service = "NickServ"; name = "GROUP"; command = "nickserv/group"; }
command { service = "NickServ"; name = "UNGROUP"; command = "nickserv/ungroup"; }
/*
* ns_identify
*
* Provides the command nickserv/identify.
*
* Used for identifying to accounts.
*/
module
{
name = "ns_identify"
/*
* If set, limits the number of concurrent users that can be logged in as a given account at once.
*/
maxlogins = 10
}
command { service = "NickServ"; name = "ID"; command = "nickserv/identify"; hide = yes; }
command { service = "NickServ"; name = "IDENTIFY"; command = "nickserv/identify"; }
/*
* ns_info
*
* Provides the commands:
* nickserv/info. - Used for gathering information about an account.
* nickserv/set/hide, nickserv/saset/hide - Used for configuring which options are publicly shown in nickserv/info.
*
*/
module { name = "ns_info" }
command { service = "NickServ"; name = "INFO"; command = "nickserv/info"; }
command { service = "NickServ"; name = "SET HIDE"; command = "nickserv/set/hide"; }
command { service = "NickServ"; name = "SASET HIDE"; command = "nickserv/saset/hide"; permission = "nickserv/saset/hide"; }
/*
* ns_list
*
* Provides the commands:
* nickserv/list - Used for retrieving and searching the registered account list.
* nickserv/set/private, nickserv/saset/private - Used for configuring whether or a users account shows up in nickserv/list.
*
*/
module
{
name = "ns_list"
/*
* The maximum number of nicks to be returned for a NickServ LIST command.
*/
listmax = 50
}
command { service = "NickServ"; name = "LIST"; command = "nickserv/list"; }
command { service = "NickServ"; name = "SET PRIVATE"; command = "nickserv/set/private"; }
command { service = "NickServ"; name = "SASET PRIVATE"; command = "nickserv/saset/private"; permission = "nickserv/saset/private"; }
/*
* ns_logout
*
* Provides the command nickserv/logout.
*
* Used for logging out of your account.
*/
module { name = "ns_logout" }
command { service = "NickServ"; name = "LOGOUT"; command = "nickserv/logout"; }
/*
* ns_recover
*
* Provides the command nickserv/recover.
*
* Used for recovering your nick from services or another user.
*/
module
{
name = "ns_recover"
/*
* If set, Services will svsnick and svsjoin users who use the recover
* command on an identified user to the nick and channels of the recovered user.
*
* This directive is optional.
*/
restoreonrecover = yes
}
command { service = "NickServ"; name = "RECOVER"; command = "nickserv/recover"; }
# Uncomment below to emulate 1.8's behavior of ghost and release.
#command { service = "NickServ"; name = "GHOST"; command = "nickserv/recover"; }
#command { service = "NickServ"; name = "RELEASE"; command = "nickserv/recover"; }
/*
* ns_register
*
* Provides the commands nickserv/confirm, nickserv/register, and nickserv/resend.
*
* Used for registering accounts.
*/
module
{
name = "ns_register"
/*
* Registration confirmation setting. Set to "none" for no registration confirmation,
* "mail" for email confirmation, and "admin" to have services operators manually confirm
* every registration. Set to "disable" to completely disable all registrations.
*/
registration = "none"
/*
* The minimum length of time between consecutive uses of NickServ's RESEND command.
*
* This directive is optional, but recommended. If not set, this restriction will be disabled.
*/
resenddelay = 90s
/*
* Prevents users from registering their nick if they are not connected
* for at least the given number of seconds.
*
* This directive is optional.
*/
#nickregdelay = 30s
/*
* The length of time a user using an unconfirmed account has
* before the account will be released for general use again.
*/
#unconfirmedexpire = 1d
}
command { service = "NickServ"; name = "CONFIRM"; command = "nickserv/confirm"; }
command { service = "NickServ"; name = "REGISTER"; command = "nickserv/register"; }
command { service = "NickServ"; name = "RESEND"; command = "nickserv/resend"; }
/*
* ns_resetpass
*
* Provides the command nickserv/resetpass.
*
* Used for resetting passwords by emailing users a temporary one.
*/
module { name = "ns_resetpass" }
command { service = "NickServ"; name = "RESETPASS"; command = "nickserv/resetpass"; }
/*
* ns_set
*
* Provides the commands:
* nickserv/set, nickserv/saset - Dummy help wrappers for the SET and SASET commands.
* nickserv/set/autoop, nickserv/saset/autoop - Determines whether or not modes are automatically set users when joining a channel.
* nickserv/set/display, nickserv/saset/display - Used for setting a users display name.
* nickserv/set/email, nickserv/saset/email - Used for setting a users email address.
* nickserv/set/keepmodes, nickserv/saset/keepmodes - Configure whether or not services should retain a user's modes across sessions.
* nickserv/set/kill, nickserv/saset/kill - Used for configuring nickname protection.
* nickserv/set/language, nickserv/saset/language - Used for configuring what language services use.
* nickserv/set/message, nickserv/saset/message - Used to configure how services send messages to you.
* nickserv/set/password, nickserv/saset/password - Used for changing a users password.
* nickserv/set/secure, nickserv/saset/secure - Used for configuring whether a user can identify by simply being recognized by nickserv/access.
* nickserv/saset/noexpire - Used for configuring noexpire, which prevents nicks from expiring.
*/
module
{
name = "ns_set"
/*
* Allow the use of the IMMED option in the NickServ SET KILL command.
*
* This directive is optional.
*/
#allowkillimmed = yes
}
command { service = "NickServ"; name = "SET"; command = "nickserv/set"; }
command { service = "NickServ"; name = "SASET"; command = "nickserv/saset"; permission = "nickserv/saset/"; group = "nickserv/admin"; }
command { service = "NickServ"; name = "SET AUTOOP"; command = "nickserv/set/autoop"; }
command { service = "NickServ"; name = "SASET AUTOOP"; command = "nickserv/saset/autoop"; permission = "nickserv/saset/autoop"; }
command { service = "NickServ"; name = "SET DISPLAY"; command = "nickserv/set/display"; }
command { service = "NickServ"; name = "SASET DISPLAY"; command = "nickserv/saset/display"; permission = "nickserv/saset/display"; }
command { service = "NickServ"; name = "SET EMAIL"; command = "nickserv/set/email"; }
command { service = "NickServ"; name = "SASET EMAIL"; command = "nickserv/saset/email"; permission = "nickserv/saset/email"; }
command { service = "NickServ"; name = "SET KEEPMODES"; command = "nickserv/set/keepmodes"; }
command { service = "NickServ"; name = "SASET KEEPMODES"; command = "nickserv/saset/keepmodes"; permission = "nickserv/saset/keepmodes"; }
command { service = "NickServ"; name = "SET KILL"; command = "nickserv/set/kill"; }
command { service = "NickServ"; name = "SASET KILL"; command = "nickserv/saset/kill"; permission = "nickserv/saset/kill"; }
command { service = "NickServ"; name = "SET LANGUAGE"; command = "nickserv/set/language"; }
command { service = "NickServ"; name = "SASET LANGUAGE"; command = "nickserv/saset/language"; permission = "nickserv/saset/language"; }
command { service = "NickServ"; name = "SET MESSAGE"; command = "nickserv/set/message"; }
command { service = "NickServ"; name = "SASET MESSAGE"; command = "nickserv/saset/message"; permission = "nickserv/saset/message"; }
command { service = "NickServ"; name = "SET PASSWORD"; command = "nickserv/set/password"; }
command { service = "NickServ"; name = "SASET PASSWORD"; command = "nickserv/saset/password"; permission = "nickserv/saset/password"; }
command { service = "NickServ"; name = "SET SECURE"; command = "nickserv/set/secure"; }
command { service = "NickServ"; name = "SASET SECURE"; command = "nickserv/saset/secure"; permission = "nickserv/saset/secure"; }
command { service = "NickServ"; name = "SASET NOEXPIRE"; command = "nickserv/saset/noexpire"; permission = "nickserv/saset/noexpire"; }
/*
* ns_set_misc
*
* Provides the command nickserv/set/misc.
*
* Allows you to create arbitrary commands to set data, and have that data show up in nickserv/info.
* A field named misc_description may be given for use with help output.
*/
module { name = "ns_set_misc" }
command { service = "NickServ"; name = "SET URL"; command = "nickserv/set/misc"; misc_description = _("Associate a URL with your account"); }
command { service = "NickServ"; name = "SASET URL"; command = "nickserv/saset/misc"; misc_description = _("Associate a URL with this account"); permission = "nickserv/saset/url"; group = "nickserv/admin"; }
#command { service = "NickServ"; name = "SET DISCORD"; command = "nickserv/set/misc"; misc_description = _("Associate a Discord account with your account"); }
#command { service = "NickServ"; name = "SASET DISCORD"; command = "nickserv/saset/misc"; misc_description = _("Associate a Discord account with this account"); permission = "nickserv/saset/discord"; group = "nickserv/admin"; }
#command { service = "NickServ"; name = "SET MASTODON"; command = "nickserv/set/misc"; misc_description = _("Associate a Mastodon account with your account"); }
#command { service = "NickServ"; name = "SASET MASTODON"; command = "nickserv/saset/misc"; misc_description = _("Associate a Mastodon account with this account"); permission = "nickserv/saset/mastodon"; group = "nickserv/admin"; }
#command { service = "NickServ"; name = "SET TIMEZONE"; command = "nickserv/set/misc"; misc_description = _("Associate a time zone with your account"); }
#command { service = "NickServ"; name = "SASET TIMEZONE"; command = "nickserv/saset/misc"; misc_description = _("Associate a time zone with this account"); permission = "nickserv/saset/timezone"; group = "nickserv/admin"; }
/*
* ns_status
*
* Provides the nickserv/status command.
*
* Used to determine if a user is recognized or identified by services.
*/
module { name = "ns_status" }
command { service = "NickServ"; name = "STATUS"; command = "nickserv/status"; }
/*
* ns_suspend
*
* Provides the commands nickserv/suspend and nickserv/unsuspend.
*
* Used to suspend and unsuspend nicknames. Suspended nicknames can not be used but their settings are preserved.
*/
module
{
name = "ns_suspend"
/*
* The length of time before a suspended nick becomes unsuspended.
*
* This directive is optional. If not set, the default is never.
*/
#suspendexpire = 90d
/*
* Settings to show to non-opers in NickServ's INFO output.
* Comment to completely disable showing any information about
* suspended nicknames to non-opers.
*/
show = "suspended, by, reason, on, expires"
}
command { service = "NickServ"; name = "SUSPEND"; command = "nickserv/suspend"; permission = "nickserv/suspend"; group = "nickserv/admin"; }
command { service = "NickServ"; name = "UNSUSPEND"; command = "nickserv/unsuspend"; permission = "nickserv/suspend"; group = "nickserv/admin"; }
/*
* ns_update
*
* Provides the command nickserv/update.
*
* Used to update your status on all channels, turn on your vHost, etc.
*/
module { name = "ns_update" }
command { service = "NickServ"; name = "UPDATE"; command = "nickserv/update"; }
/*
* Extra NickServ related modules.
*/
/*
* ns_maxemail
*
* Limits how many times the same email address may be used in Anope
* to register accounts.
*/
#module
{
name = "ns_maxemail"
/*
* The limit to how many registered nicks can use the same e-mail address. If set to 0 or left
* commented, there will be no limit enforced when registering new accounts or using
* /msg NickServ SET EMAIL.
*/
maxemails = 1
}
-202
@@ -1,202 +0,0 @@
define
{
name = "services.host"
value = "services.secretbee.buzz"
}
uplink
{
host = "127.0.0.1"
ipv6 = no
ssl = no
port = 7000
password = "{{ uplink_password }}"
}
serverinfo
{
name = "services.secretbee.buzz"
description = "Beeservices"
pid = "data/services.pid"
motd = "conf/services.motd"
}
module
{
name = "inspircd3"
use_server_side_mlock = yes
use_server_side_topiclock = yes
}
networkinfo
{
networkname = "LocalNet"
nicklen = 31
userlen = 10
hostlen = 64
chanlen = 32
modelistsize = 100
vhost_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-/"
allow_undotted_vhosts = no
disallow_start_or_end = ".-/"
}
options
{
user = "anope"
group = "anope"
casemap = "rfc1459"
seed = 1865235
strictpasswords = yes
badpasslimit = 5
badpasstimeout = 1h
updatetimeout = 5m
expiretimeout = 30m
readtimeout = 5s
timeoutcheck = 3s
#useprivmsg = yes
#usestrictprivmsg = yes
retrywait = 60s
hideprivilegedcommands = yes
hideregisteredcommands = yes
languages = "ca_ES.UTF-8 de_DE.UTF-8 el_GR.UTF-8 es_ES.UTF-8 fr_FR.UTF-8 hu_HU.UTF-8 it_IT.UTF-8 nl_NL.UTF-8 pl_PL.UTF-8 pt_PT.UTF-8 ru_RU.UTF-8 tr_TR.UTF-8"
}
include
{
type = "file"
name = "modules.conf"
}
include
{
type = "file"
name = "botserv.example.conf"
}
include
{
type = "file"
name = "chanserv.example.conf"
}
include
{
type = "file"
name = "global.example.conf"
}
include
{
type = "file"
name = "hostserv.example.conf"
}
include
{
type = "file"
name = "memoserv.example.conf"
}
include
{
type = "file"
name = "nickserv.conf"
}
include
{
type = "file"
name = "operserv.example.conf"
}
log
{
target = "services.log"
bot = "Global"
logage = 7
admin = "*"
override = "chanserv/* nickserv/* memoserv/set ~botserv/set botserv/*"
commands = "~operserv/* *"
servers = "*"
users = "connect disconnect nick"
other = "*"
rawio = no
debug = no
}
log
{
bot = "Global"
target = "globops"
admin = "global/* operserv/chankill operserv/mode operserv/kick operserv/akill operserv/s*line operserv/noop operserv/jupe operserv/oline operserv/set operserv/svsnick operserv/svsjoin operserv/svspart nickserv/getpass */drop"
servers = "squit"
users = "oper"
other = "expire/* bados akill/*"
}
opertype
{
/* The name of this opertype */
name = "Helper"
/* What commands (see above) this opertype has */
commands = "hostserv/*"
}
opertype
{
/* The name of this opertype */
name = "Services Operator"
/* What opertype(s) this inherits from. Separate with a comma. */
inherits = "Helper, Another Helper"
/* What commands (see above) this opertype may use */
commands = "chanserv/list chanserv/suspend chanserv/topic memoserv/staff nickserv/list nickserv/suspend operserv/mode operserv/chankill operserv/akill operserv/session operserv/modinfo operserv/sqline operserv/oper operserv/kick operserv/ignore operserv/snline"
/* What privs (see above) this opertype has */
privs = "chanserv/auspex chanserv/no-register-limit memoserv/* nickserv/auspex nickserv/confirm"
}
opertype
{
name = "Services Administrator"
inherits = "Services Operator"
commands = "botserv/* chanserv/access/list chanserv/drop chanserv/getkey chanserv/saset/noexpire memoserv/sendall nickserv/saset/* nickserv/getemail operserv/news operserv/jupe operserv/svs operserv/stats operserv/oline operserv/noop operserv/forbid global/*"
privs = "*"
}
opertype
{
name = "Services Root"
commands = "*"
privs = "*"
}
oper
{
name = "root"
type = "Services Root"
require_oper = yes
password = "{{ anope_oper_password }}"
}
module
{
name = "db_flatfile"
database = "anope.db"
keepbackups = 7
fork = no
}
module
{
name = "enc_sha256"
}
+4 -4
@@ -22,24 +22,24 @@
- name: Create gitea directory
ansible.builtin.file:
path: /opt/gitea
path: /opt/beeserver/gitea
state: directory
mode: '0755'
- name: Copy compose
ansible.builtin.template:
src: docker-compose.yml.j2
dest: /opt/gitea/docker-compose.yml
dest: /opt/beeserver/gitea/docker-compose.yml
mode: '0644'
- name: Compose down
changed_when: true
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/gitea
chdir: /opt/beeserver/gitea
- name: Compose up
changed_when: true
ansible.builtin.command:
cmd: podman-compose up -d
chdir: /opt/gitea
chdir: /opt/beeserver/gitea
+2 -2
@@ -38,14 +38,14 @@
- name: Add post hook script
ansible.builtin.copy:
src: irc-post-hook.sh
dest: /opt/irc-post-hook.sh
dest: /opt/beeserver/irc-post-hook.sh
owner: root
group: root
mode: '0755'
- name: Renew for post hook
changed_when: true
ansible.builtin.command: certbot renew --cert-name irc.secretbee.buzz --deploy-hook /opt/irc-post-hook.sh --force-renewal
ansible.builtin.command: certbot renew --cert-name irc.secretbee.buzz --deploy-hook /opt/beeserver/irc-post-hook.sh --force-renewal
- name: Change permission on live
ansible.builtin.file:
-27
@@ -1,27 +0,0 @@
service auth {
inet_listener auth-inet {
port = 12345
}
}
service lmtp {
inet_listener lmtp {
port = 2424
}
}
auth_mechanisms = plain login
passdb passwd-file {
passwd_file_path = /etc/dovecot/users
}
userdb passwd-file {
passwd_file_path = /etc/dovecot/users
}
mail_home = /var/vmail/%{user | domain}/%{user | username}
mail_path = ~/mail
ssl = required
auth_allow_cleartext = no
+19 -51
@@ -1,55 +1,23 @@
networks:
mail:
external: false
services:
dovecot:
image: docker.io/dovecot/dovecot:latest
container_name: dovecot
restart: always
networks:
- mail
volumes:
- /opt/mail/99-local.conf:/etc/dovecot/conf.d/99-local.conf:ro
- /opt/mail/users:/etc/dovecot/users:ro
- mail-data:/srv/vmail
ports:
- "31143:31143"
- "31993:31993"
- "31110:31110"
- "31995:31995"
- "31587:31587"
- "31024:31024"
- "34190:34190"
- "8080:8080"
- "127.0.0.1:2424:2424"
- "127.0.0.1:9110:9110"
postfix:
image: git.secretbee.buzz/bee/postfix:latest
container_name: postfix
restart: always
pull_policy: always
networks:
- mail
volumes:
- /etc/letsencrypt/live/mail.secretbee.buzz/fullchain.pem:/etc/postfix/fullchain.pem:ro
- /etc/letsencrypt/live/mail.secretbee.buzz/privkey.pem:/etc/postfix/privkey.pem:ro
- /opt/mail/main.cf:/etc/postfix/main.cf:ro
- /opt/mail/master.cf:/etc/postfix/master.cf:ro
services: # https://docker-mailserver.github.io/docker-mailserver/latest/
mailserver:
image: ghcr.io/docker-mailserver/docker-mailserver:latest
container_name: mailserver
hostname: mail.secretbee.buzz
env_file: mailserver.env
ports:
- "25:25"
- "143:143"
- "465:465"
- "587:587"
opendkim:
image: git.secretbee.buzz/bee/opendkim:latest
container_name: opendkim
restart: always
networks:
- mail
- "993:993"
volumes:
- /opt/mail/opendkim.conf:/etc/opendkim.conf:ro
- /opt/mail/mail.private:/etc/opendkim/keys/mail.private:ro
volumes:
mail-data:
- /opt/beeserver/mail/mail-data/:/var/mail/
- /opt/beeserver/mail/mail-state/:/var/mail-state/
- /opt/beeserver/mail/mail-logs/:/var/log/mail/
- /opt/beeserver/mail/config/:/tmp/docker-mailserver/
- /etc/localtime:/etc/localtime:ro
- /etc/letsencrypt:/etc/letsencrypt
restart: always
stop_grace_period: 1m
cap_add:
- NET_ADMIN
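Review bot: The new `/etc/letsencrypt:/etc/letsencrypt` bind at the end of the `mailserver` volumes list is mounted read-write, whereas the postfix service it replaces mounted `fullchain.pem` and `privkey.pem` with `:ro`; unless docker-mailserver actually has to write under that tree (as far as I can tell it only reads the lineage for `hostname` — confirm against its docs), make it `- /etc/letsencrypt:/etc/letsencrypt:ro` so a compromised container cannot tamper with or replace the ACME account data and private keys of every certificate on the host. Separately, `image: ghcr.io/docker-mailserver/docker-mailserver:latest` is an unpinned mutable tag on an internet-facing service with `restart: always`, so any restart or `compose up` silently pulls whatever upstream last published — pin a release tag (ideally with an `@sha256:` digest) and bump it deliberately. `cap_add: NET_ADMIN` is only needed by docker-mailserver for its Fail2Ban integration; if `mailserver.env` (not part of this diff) does not enable it, drop the capability, and if it does, note that in a comment next to the line so it is not removed later by accident.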
+15 -128
@@ -2,97 +2,14 @@
hosts: pi
become: true
vars:
dkim_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
36363638363937326662323932306438333134613966313739393938383337656262373736653065
3736633466613763373161666236336630306565323433630a643937313131616565313434356461
32643261666565383935396230306664366332313338613438323332343139303338373039303932
3539373239336637300a656264633864666261613962316563373663373735393864306334626664
33363734366265663234373131613864386236323632363534363166343134373065313938313033
66383935306133306233623738353561656261313330346333653865336463386163393637333733
37306237633638383830613262646237643531343362336637366663363864353865323565326137
35316134373436323461356630623661306564636135313533383533366265613934303834356431
61343464613830626339393238636439333265383439336136666231363933356566366466386135
64376162616562646235613332613931623861373036366530313966306235626338326238623233
34616536346533656436623232643236623838336232343132643561653030643538643137643861
65393964336531383638613436323831346131393865373830346637616330646133316430343536
65336233306537633761643261316230326237393037636236366638616139343936396533646136
34363763333263346439633366626166393631323838306565356464326431393130633432353866
64343639366232303930373564323038366639646365326537326634366336323835333364663264
38373237656264366437333564363164356663613539623466383931623834626236656131316362
39623431356536343563356561653465653638333539643132303463383332373831346535626438
62333230383134346264616432343461313332386230353433643534326161306462623130656534
63386661363436653830626334616431353464663236356435643435643732396364616539363663
31363730333036313163353939343066343130396166376638366561373134393965353838356666
64623961393761363835353865613762393766356532306131323437646261616362653630643133
34323263653763343562323063343234643064613537626334306261396537663030366330613766
64383533613736326562313362383066633437666438316535623131643431333636343030363363
66616433626536353135323937343862643930303963383066643032373931376636643831636139
61313530376566343635396430396230343836643632636335376362623962643638396434356264
38303233313461666135323632333637343363353534636334646532333763343433353931343936
37353530393561356636643865353866303637623433373737383535383565346532343738373862
38656366646433653636356432353963333531333538633364316261666334646639353165656130
62383637626537303433613836636431393637333234616632663739376464336134636261633164
34383939363136666263376634633733663366366432376134343333623639393131623234636537
63653838393530656131623536386166323963396434323736396234626239666333393765616633
38633535333836623861663161663565316631623862363561313237643735393933343238383262
36303531306566393961643836636438666539623835636234306536646335616231643134373032
31373364643738343131353066346464396565303630363230306435663136386138636266633436
61646630323066323833366262633735626438303436306161653033656232363761663762623932
63613733376434333164643036633961336534366238663566323538336665323131653735323265
36616361343732346531303030343565333638616261323137366361626465373231376162663830
61383664373238623536396336333264643235633162616665393463663561636461326565336334
30636430613232646265386133336437303339393338383332636262363165656432663764303263
66376436643865373632313162383433336536333862376665616535396437303762386265373631
39613865656235613465373864313462633838353039316161346166396632306638386533383865
30386365326161333066616432626236323263313163363238306161393265386332323733303763
62376430336630643161383130636230323538363464303838653733633837316663633565623863
62623364636262393065333636646433366365623662323238383336663764633864353863376337
35393737633639633035636534363865356631623035653839393338353366626561636430303066
39333563626561373365313232383633393364653463313866343235383734343234353637363432
38336237616530373134333334666132333636353235313565623265303435363537343731303339
64366464663061333661643337653262333663623764396138386533623239363739343232613436
63396666663931666138616566326462646362306530643334343230316334383837353065656232
33656431316164623164363130323735386136666238326361333431383732323933353238383266
66313430323362393931393132306234393031306534616565366261626336363430343664656530
32303661313662616232303964323337663736633238356462313131343430653638386137306531
66643562623534613739363138336265393232646162376665653165333533333965656263623439
65363665663030356530633863393864363831313637336133333163636564363965313265363263
36626134646238373530303132383734363166323937653030383639643637626332343863633961
36313065346537666232623232383333386561353139373133633033326235653738636439363139
30663365653935366266613933623838653133623435393633636537316163373461633863646133
30623463613231366438633431396330396363646664653534383531346163343037363764373436
62326166336639663434386261333261616334366465383132333231623034613364623661373865
65636435666235336339373335623934633861393764366535373365306336666131663330353031
32313762663363303739346365346263393733363864636637333666343561363332336132326264
32353166626266633564646362663862353433393535643938383131373737393366383038396430
36363738326630376432666637373562666366646536393363633365306637643564316234643430
61316234333165303532333963626635353538363832303833343532333934393264653864366339
63656431626132303761396361326464613563353632633633393261666366393536306133353765
37663337633363366139343237663565663232623266313530633630316238633566373336373065
35343133363234393137303631353932313561373466333438636263326566623336633235643965
32636536373231623565363939393764393964343265356235613134336263383131633330333838
63316361636234313836353264346334386639623861643239646163663462306630633064366261
39663639336439386439663039653462656338623237393033306539353435623039383333623163
39366563643731663835303763386365373232393435366664343264323035333631326331626437
36643130333138616631366465396635323666393339386438303161623364393433386431353665
32396239396333623061623563643933356130613166653933363636303937336665613763613265
39633635326339616539346664653065386531646661343438636565363939613633323266326462
65353339333233633931363830663835616661626663323961316562343739383063646164333939
34383163326664303130333434646633346563373630653532393264336132313264343134326132
30323934346531393931353365303430393461333065386636346139643731383866373636353234
30623665386331333639623639353766313633383539613864306336316562393533356237333331
32623838666535353462393762616236336663376537316163356461366238326637303164336666
31356234633832396436643663343961663763366266396464636661323064366338383634393731
30666135316430643038663936623832306435653161373435616138376162356232633636356238
64353433656366366266633932653264376232313633383163663066663132373733356662353932
62333239336163303632356231363164343039613431363664626662316265396338336162373239
31366539376566323032616335616263623162623934323034383364663436323366636139313838
64663839623266373338306439616337653237616365663463323739366431663839303839636663
61346534386435646632396566396535636136393337343039333364643433303165383761666437
36396232313965353334643664663464343537346430373334393461303965663230313836323966
65303930373664316234346364336430383838643164616338653034393836396166633866366131
65336237346635626362663439376339303439303263653238346563333738386266
relay_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
62623366656634653035626534353134343961313434373635393163623134393132336465383838
3635646434353935396136346135373238623433666563340a626463653537326331303233363734
65633237386135313266366533386465396662663561396265343731666337363062663263323537
3165616638653634310a666238656466306433346235396537386539366436333032373866333731
64323037613336613538613866343738613236323739333339313133386263323037313837636131
6533666231663438336566386130366536623565383837623164
tasks:
- name: Install podman
@@ -117,59 +34,29 @@
state: directory
mode: '0755'
loop:
- /opt/mail
- /opt/beeserver/mail
- name: Compose down
changed_when: true
failed_when: false
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/mail
chdir: /opt/beeserver/mail
- name: Copy compose
ansible.builtin.template:
src: docker-compose.yml.j2
dest: /opt/mail/docker-compose.yml
dest: /opt/beeserver/mail/docker-compose.yml
mode: '0644'
- name: Copy Dovecot config
- name: Copy mailserver.env
ansible.builtin.template:
src: 99-local.conf.j2
dest: /opt/mail/99-local.conf
mode: '0644'
- name: Copy main.cf
ansible.builtin.template:
src: main.cf.j2
dest: /opt/mail/main.cf
mode: '0644'
- name: Copy master.cf
ansible.builtin.template:
src: master.cf.j2
dest: /opt/mail/master.cf
mode: '0644'
- name: Copy Users
ansible.builtin.template:
src: users.j2
dest: /opt/mail/users
mode: '0644'
- name: Copy mail.private
ansible.builtin.copy:
src: mail.private
dest: /opt/mail/mail.private
mode: '0600'
- name: Copy opendkim.conf
ansible.builtin.template:
src: opendkim.conf.j2
dest: /opt/mail/opendkim.conf
src: mailserver.env.j2
dest: /opt/beeserver/mail/mailserver.env
mode: '0644'
- name: Compose up
changed_when: true
ansible.builtin.command:
cmd: podman-compose up -d
chdir: /opt/mail
chdir: /opt/beeserver/mail
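Review bot: The `Copy mailserver.env` task writes the rendered file with `mode: '0644'`, but the template it renders ends with `RELAY_PASSWORD={{ relay_password }}`, so the vaulted relay credential lands world-readable on the host. `mode: '0600'` (the setting the removed `mail.private` task used) restricts it to the owner, and an explicit `owner`/`group` on the task documents which account podman is expected to run as. Adding `no_log: true` to that task also keeps the rendered secret out of `--diff` and verbose run output. The second hunk of this section starts mid-task-list (`state: directory`), so the surrounding task is only partly visible here.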
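--- /dev/null
+++ b/mailserver.env.j2
@@ -0,0 +1,660 @@
+# -----------------------------------------------
+# --- Mailserver Environment Variables ----------
+# -----------------------------------------------
+# DOCUMENTATION FOR THESE VARIABLES IS FOUND UNDER
+# https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/
+# -----------------------------------------------
+# --- General Section ---------------------------
+# -----------------------------------------------
+# **empty** => Internally uses the `hostname --fqdn` command to get the canonical hostname assigned to the DMS container.
+# => Specify an FQDN (fully-qualified domain name) to serve mail for. The hostname is required for DMS to function correctly
+#
+# **WARNING**: Setting OVERRIDE_HOSTNAME can have difficult to predict side effects:
+# https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/#override_hostname
+OVERRIDE_HOSTNAME=
+# Set the log level for DMS.
+# This is mostly relevant for container startup scripts and change detection event feedback.
+#
+# Valid values (in order of increasing verbosity) are: `error`, `warn`, `info`, `debug` and `trace`.
+# The default log level is `info`.
+LOG_LEVEL=info
+# critical => Only show critical messages
+# error => Only show erroneous output
+# **warn** => Show warnings
+# info => Normal informational output
+# debug => Also show debug messages
+SUPERVISOR_LOGLEVEL=
+# Support for deployment where these defaults are not compatible (eg: some NAS appliances):
+# /var/mail vmail User ID (default: 5000)
+DMS_VMAIL_UID=
+# /var/mail vmail Group ID (default: 5000)
+DMS_VMAIL_GID=
+# **empty** => use FILE
+# LDAP => use LDAP authentication
+# OIDC => use OIDC authentication (not yet implemented)
+# FILE => use local files (this is used as the default)
+ACCOUNT_PROVISIONER=
+# empty => postmaster@domain.com
+# => Specify the postmaster address
+POSTMASTER_ADDRESS=
+# Check for updates on container start and then once a day
+# If an update is available, a mail is sent to POSTMASTER_ADDRESS
+# 0 => Update check disabled
+# 1 => Update check enabled
+ENABLE_UPDATE_CHECK=1
+# Customize the update check interval.
+# Number + Suffix. Suffix must be 's' for seconds, 'm' for minutes, 'h' for hours or 'd' for days.
+UPDATE_CHECK_INTERVAL=1d
+# Set different options for mynetworks option (can be overwrite in postfix-main.cf)
+# **WARNING**: Adding the docker network's gateway to the list of trusted hosts, e.g. using the `network` or
+# `connected-networks` option, can create an open relay
+# https://github.com/docker-mailserver/docker-mailserver/issues/1405#issuecomment-590106498
+# The same can happen for rootless podman. To prevent this, set the value to "none" or configure slirp4netns
+# https://github.com/docker-mailserver/docker-mailserver/issues/2377
+#
+# none => Explicitly force authentication
+# container => Container IP address only
+# host => Add docker container network (ipv4 only)
+# network => Add all docker container networks (ipv4 only)
+# connected-networks => Add all connected docker networks (ipv4 only)
+PERMIT_DOCKER=none
+# Set the timezone. If this variable is unset, the container runtime will try to detect the time using
+# `/etc/localtime`, which you can alternatively mount into the container. The value of this variable
+# must follow the pattern `AREA/ZONE`, i.e. of you want to use Germany's time zone, use `Europe/Berlin`.
+# You can lookup all available timezones here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+TZ=
+# In case you network interface differs from 'eth0', e.g. when you are using HostNetworking in Kubernetes,
+# you can set NETWORK_INTERFACE to whatever interface you want. This interface will then be used.
+# - **empty** => eth0
+NETWORK_INTERFACE=
+# empty => modern
+# modern => Limits the cipher suite to secure ciphers only.
+# intermediate => Relaxes security by adding additional ciphers for broader compatibility.
+# NOTE: The minimum TLS version supported is 1.2, if you need to lower that follow this workaround advice:
+# https://github.com/docker-mailserver/docker-mailserver/pull/2945#issuecomment-1949907964
+TLS_LEVEL=
+# Configures the handling of creating mails with forged sender addresses.
+#
+# **0** => (not recommended) Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address (see also https://en.wikipedia.org/wiki/Email_spoofing).
+# 1 => Mail spoofing denied. Each user may only send with their own or their alias addresses. Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
+SPOOF_PROTECTION=
+# Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/main/README.rst) for further explanation.
+# - **0** => Disabled
+# - 1 => Enabled
+ENABLE_SRS=0
+# Enables the OpenDKIM service.
+# **1** => Enabled
+# 0 => Disabled
+ENABLE_OPENDKIM=1
+# Enables the OpenDMARC service.
+# **1** => Enabled
+# 0 => Disabled
+ENABLE_OPENDMARC=1
+# Enabled `policyd-spf` in Postfix's configuration. You will likely want to set this
+# to `0` in case you're using Rspamd (`ENABLE_RSPAMD=1`).
+#
+# - 0 => Disabled
+# - **1** => Enabled
+ENABLE_POLICYD_SPF=1
+# Enables POP3 service
+# - **0** => Disabled
+# - 1 => Enabled
+ENABLE_POP3=
+# Enables IMAP service
+# - 0 => Disabled
+# - **1** => Enabled
+ENABLE_IMAP=1
+# Enables ClamAV, and anti-virus scanner.
+# 1 => Enabled
+# **0** => Disabled
+ENABLE_CLAMAV=0
+# Add the value of this ENV as a prefix to the mail subject when spam is detected.
+# NOTE: This subject prefix may be redundant (by default spam is delivered to a junk folder).
+# It provides value when your junk mail is stored alongside legitimate mail instead of a separate location (like with `SPAMASSASSIN_SPAM_TO_INBOX=1` or `MOVE_SPAM_TO_JUNK=0` or a POP3 only setup, without IMAP).
+# NOTE: When not using Docker Compose, other CRI may not support quote-wrapping the value here to preserve any trailing white-space.
+SPAM_SUBJECT=
+# Enables Rspamd
+# **0** => Disabled
+# 1 => Enabled
+ENABLE_RSPAMD=0
+# When `ENABLE_RSPAMD=1`, an internal Redis instance is enabled implicitly.
+# This setting provides an opt-out to allow using an external instance instead.
+# 0 => Disabled
+# 1 => Enabled
+ENABLE_RSPAMD_REDIS=
+# When enabled,
+#
+# 1. the "[autolearning][rspamd-autolearn]" feature is turned on;
+# 2. the Bayes classifier will be trained when moving mails from or to the Junk folder (with the help of Sieve scripts).
+#
+# **0** => disabled
+# 1 => enabled
+RSPAMD_LEARN=0
+# This settings controls whether checks should be performed on emails coming
+# from authenticated users (i.e. most likely outgoing emails). The default value
+# is `0` in order to align better with SpamAssassin. We recommend reading
+# through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
+# decide for yourself whether you need and want this feature.
+#
+# Note that DKIM signing of e-mails will still happen.
+RSPAMD_CHECK_AUTHENTICATED=0
+# Controls whether the Rspamd Greylisting module is enabled.
+# This module can further assist in avoiding spam emails by greylisting
+# e-mails with a certain spam score.
+#
+# **0** => disabled
+# 1 => enabled
+RSPAMD_GREYLISTING=0
+# Can be used to enable or disable the Hfilter group module.
+#
+# - 0 => Disabled
+# - **1** => Enabled
+RSPAMD_HFILTER=1
+# Can be used to control the score when the HFILTER_HOSTNAME_UNKNOWN symbol applies. A higher score is more punishing. Setting it to 15 is equivalent to rejecting the email when the check fails.
+#
+# Default: 6
+RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE=6
+# Can be used to enable or disable the (still experimental) neural module.
+#
+# - **0** => Disabled
+# - 1 => Enabled
+RSPAMD_NEURAL=0
+# Amavis content filter (used for ClamAV & SpamAssassin)
+# 0 => Disabled
+# 1 => Enabled
+ENABLE_AMAVIS=1
+# -1/-2/-3 => Only show errors
+# **0** => Show warnings
+# 1/2 => Show default informational output
+# 3/4/5 => log debug information (very verbose)
+AMAVIS_LOGLEVEL=0
+# This enables DNS block lists in Postscreen.
+# Note: Emails will be rejected, if they don't pass the block list checks!
+# **0** => DNS block lists are disabled
+# 1 => DNS block lists are enabled
+ENABLE_DNSBL=0
+# If you enable Fail2Ban, don't forget to add the following lines to your `compose.yaml`:
+# cap_add:
+# - NET_ADMIN
+# Otherwise, `nftables` won't be able to ban IPs.
+ENABLE_FAIL2BAN=1
+# Fail2Ban blocktype
+# drop => drop packet (send NO reply)
+# reject => reject packet (send ICMP unreachable)
+FAIL2BAN_BLOCKTYPE=drop
+# 1 => Enables Managesieve on port 4190
+# empty => disables Managesieve
+ENABLE_MANAGESIEVE=
+# **enforce** => Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
+# drop => Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
+# ignore => Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
+POSTSCREEN_ACTION=enforce
+# empty => all daemons start
+# 1 => only launch postfix smtp
+SMTP_ONLY=
+# Please read [the SSL page in the documentation](https://docker-mailserver.github.io/docker-mailserver/latest/config/security/ssl) for more information.
+#
+# empty => SSL disabled
+# letsencrypt => Enables Let's Encrypt certificates
+# custom => Enables custom certificates
+# manual => Let's you manually specify locations of your SSL certificates for non-standard cases
+# self-signed => Enables self-signed certificates
+SSL_TYPE=letsencrypt
+# These are only supported with `SSL_TYPE=manual`.
+# Provide the path to your cert and key files that you've mounted access to within the container.
+SSL_CERT_PATH=
+SSL_KEY_PATH=
+# Optional: A 2nd certificate can be supported as fallback (dual cert support), eg ECDSA with an RSA fallback.
+# Useful for additional compatibility with older MTA and MUA (eg pre-2015).
+SSL_ALT_CERT_PATH=
+SSL_ALT_KEY_PATH=
+# Set how many days a virusmail will stay on the server before being deleted
+# empty => 7 days
+VIRUSMAILS_DELETE_DELAY=
+# Configure Postfix `virtual_transport` to deliver mail to a different LMTP client (default is a dovecot socket).
+# Provide any valid URI. Examples:
+#
+# empty => `lmtp:unix:/var/run/dovecot/lmtp` (default, configured in Postfix main.cf)
+# `lmtp:unix:private/dovecot-lmtp` (use socket)
+# `lmtps:inet:<host>:<port>` (secure lmtp with starttls)
+# `lmtp:<kopano-host>:2003` (use kopano as mailstore)
+POSTFIX_DAGENT=
+# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default). Size is in bytes.
+#
+# empty => 0
+POSTFIX_MAILBOX_SIZE_LIMIT=
+# See https://docker-mailserver.github.io/docker-mailserver/latest/config/account-management/overview/#quotas
+# 0 => Dovecot quota is disabled
+# 1 => Dovecot quota is enabled
+ENABLE_QUOTAS=1
+# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!). Size is in bytes.
+#
+# empty => 10240000 (~10 MB)
+POSTFIX_MESSAGE_SIZE_LIMIT=
+# Mails larger than this limit won't be scanned.
+# ClamAV must be enabled (ENABLE_CLAMAV=1) for this.
+#
+# empty => 25M (25 MB)
+CLAMAV_MESSAGE_SIZE_LIMIT=
+# Enables regular pflogsumm mail reports.
+# This is a new option. The old REPORT options are still supported for backwards compatibility. If this is not set and reports are enabled with the old options, logrotate will be used.
+#
+# not set => No report
+# daily_cron => Daily report for the previous day
+# logrotate => Full report based on the mail log when it is rotated
+PFLOGSUMM_TRIGGER=
+# Recipient address for pflogsumm reports.
+#
+# not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
+# => Specify the recipient address(es)
+PFLOGSUMM_RECIPIENT=
+# Sender address (`FROM`) for pflogsumm reports if pflogsumm reports are enabled.
+#
+# not set => Use REPORT_SENDER
+# => Specify the sender address
+PFLOGSUMM_SENDER=
+# Interval for logwatch report.
+#
+# none => No report is generated
+# daily => Send a daily report
+# weekly => Send a report every week
+LOGWATCH_INTERVAL=
+# Recipient address for logwatch reports if they are enabled.
+#
+# not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
+# => Specify the recipient address(es)
+LOGWATCH_RECIPIENT=
+# Sender address (`FROM`) for logwatch reports if logwatch reports are enabled.
+#
+# not set => Use REPORT_SENDER
+# => Specify the sender address
+LOGWATCH_SENDER=
+# Defines who receives reports if they are enabled.
+# **empty** => ${POSTMASTER_ADDRESS}
+# => Specify the recipient address
+REPORT_RECIPIENT=
+# Defines who sends reports if they are enabled.
+# **empty** => mailserver-report@${DOMAINNAME}
+# => Specify the sender address
+REPORT_SENDER=
+# Changes the interval in which log files are rotated
+# **weekly** => Rotate log files weekly
+# daily => Rotate log files daily
+# monthly => Rotate log files monthly
+#
+# Note: This Variable actually controls logrotate inside the container
+# and rotates the log files depending on this setting. The main log output is
+# still available in its entirety via `docker logs mail` (Or your
+# respective container name). If you want to control logrotation for
+# the Docker-generated logfile see:
+# https://docs.docker.com/config/containers/logging/configure/
+#
+# Note: This variable can also determine the interval for Postfix's log summary reports, see [`PFLOGSUMM_TRIGGER`](#pflogsumm_trigger).
+LOGROTATE_INTERVAL=weekly
+# Defines how many log files are kept by logrorate
+LOGROTATE_COUNT=4
+# If enabled, employs `reject_unknown_client_hostname` to sender restrictions in Postfix's configuration.
+#
+# - **0** => Disabled
+# - 1 => Enabled
+POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
+# Choose TCP/IP protocols for postfix to use
+# **all** => All possible protocols.
+# ipv4 => Use only IPv4 traffic. Most likely you want this behind Docker.
+# ipv6 => Use only IPv6 traffic.
+#
+# Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
+POSTFIX_INET_PROTOCOLS=all
+# Enables MTA-STS support for outbound mail.
+# More details: https://docker-mailserver.github.io/docker-mailserver/v13.3/config/best-practices/mta-sts/
+# - **0** ==> MTA-STS disabled
+# - 1 => MTA-STS enabled
+ENABLE_MTA_STS=0
+# Choose TCP/IP protocols for dovecot to use
+# **all** => Listen on all interfaces
+# ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
+# ipv6 => Listen only on IPv6 interfaces.
+#
+# Note: More information at https://dovecot.org/doc/dovecot-example.conf
+DOVECOT_INET_PROTOCOLS=all
+# -----------------------------------------------
+# --- SpamAssassin Section ----------------------
+# -----------------------------------------------
+ENABLE_SPAMASSASSIN=0
+# KAM is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation.
+# If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
+# - **0** => KAM disabled
+# - 1 => KAM enabled
+#
+# Note: only has an effect if `ENABLE_SPAMASSASSIN=1`
+ENABLE_SPAMASSASSIN_KAM=0
+# deliver spam messages to the inbox (tagged using SPAM_SUBJECT)
+SPAMASSASSIN_SPAM_TO_INBOX=1
+# spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required)
+MOVE_SPAM_TO_JUNK=1
+# spam messages will be marked as read
+MARK_SPAM_AS_READ=0
+# add 'spam info' headers at, or above this level
+SA_TAG=2.0
+# add 'spam detected' headers at, or above this level
+SA_TAG2=6.31
+# triggers spam evasive actions
+SA_KILL=10.0
+# -----------------------------------------------
+# --- Fetchmail Section -------------------------
+# -----------------------------------------------
+ENABLE_FETCHMAIL=0
+# The interval to fetch mail in seconds
+FETCHMAIL_POLL=300
+# Use multiple fetchmail instances (1 per poll entry in fetchmail.cf)
+# Supports multiple IMAP IDLE connections when a server is used across multiple poll entries
+# https://otremba.net/wiki/Fetchmail_(Debian)#Immediate_Download_via_IMAP_IDLE
+FETCHMAIL_PARALLEL=0
+# Enable or disable `getmail`.
+#
+# - **0** => Disabled
+# - 1 => Enabled
+ENABLE_GETMAIL=0
+# The number of minutes for the interval. Min: 1; Default: 5.
+GETMAIL_POLL=5
+# -----------------------------------------------
+# --- OAUTH2 Section ----------------------------
+# -----------------------------------------------
+# empty => OAUTH2 authentication is disabled
+# 1 => OAUTH2 authentication is enabled
+ENABLE_OAUTH2=
+# Specify the user info endpoint URL of the oauth2 provider
+# Example: https://oauth2.example.com/userinfo/
+OAUTH2_INTROSPECTION_URL=
+# -----------------------------------------------
+# --- LDAP Section ------------------------------
+# -----------------------------------------------
+# A second container for the ldap service is necessary (i.e. https://hub.docker.com/r/bitnami/openldap/)
+# empty => no
+# yes => LDAP over TLS enabled for Postfix
+LDAP_START_TLS=
+# empty => mail.example.com
+# Specify the `<dns-name>` / `<ip-address>` where the LDAP server is reachable via a URI like: `ldaps://mail.example.com`.
+# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
+LDAP_SERVER_HOST=
+# empty => ou=people,dc=domain,dc=com
+# => e.g. LDAP_SEARCH_BASE=dc=mydomain,dc=local
+LDAP_SEARCH_BASE=
+# empty => cn=admin,dc=domain,dc=com
+# => take a look at examples of SASL_LDAP_BIND_DN
+LDAP_BIND_DN=
+# empty** => admin
+# => Specify the password to bind against ldap
+LDAP_BIND_PW=
+# e.g. `"(&(mail=%s)(mailEnabled=TRUE))"`
+# => Specify how ldap should be asked for users
+LDAP_QUERY_FILTER_USER=
+# e.g. `"(&(mailGroupMember=%s)(mailEnabled=TRUE))"`
+# => Specify how ldap should be asked for groups
+LDAP_QUERY_FILTER_GROUP=
+# e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"`
+# => Specify how ldap should be asked for aliases
+LDAP_QUERY_FILTER_ALIAS=
+# e.g. `"(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))"`
+# => Specify how ldap should be asked for domains
+LDAP_QUERY_FILTER_DOMAIN=
+# -----------------------------------------------
+# --- Dovecot Section ---------------------------
+# -----------------------------------------------
+# empty => no
+# yes => LDAP over TLS enabled for Dovecot
+DOVECOT_TLS=
+# e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
+DOVECOT_USER_FILTER=
+# e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
+DOVECOT_PASS_FILTER=
+# Define the mailbox format to be used
+# default is maildir, supported values are: sdbox, mdbox, maildir
+DOVECOT_MAILBOX_FORMAT=maildir
+# empty => no
+# yes => Allow bind authentication for LDAP
+# https://doc.dovecot.org/2.4.0/core/config/auth/databases/ldap.html#authentication-bind
+DOVECOT_AUTH_BIND=
+# -----------------------------------------------
+# --- Postgrey Section --------------------------
+# -----------------------------------------------
+ENABLE_POSTGREY=0
+# greylist for N seconds
+POSTGREY_DELAY=300
+# delete entries older than N days since the last time that they have been seen
+POSTGREY_MAX_AGE=35
+# response when a mail is greylisted
+POSTGREY_TEXT="Delayed by Postgrey"
+# whitelist host after N successful deliveries (N=0 to disable whitelisting)
+POSTGREY_AUTO_WHITELIST_CLIENTS=5
+# -----------------------------------------------
+# --- SASL Section ------------------------------
+# -----------------------------------------------
+ENABLE_SASLAUTHD=0
+# empty => ldap
+# `ldap` => authenticate against ldap server
+# `rimap` => authenticate against imap server
+SASLAUTHD_MECHANISMS=
+# empty => None
+# e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
+SASLAUTHD_MECH_OPTIONS=
+# empty => Use value of LDAP_SERVER_HOST
+# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
+SASLAUTHD_LDAP_SERVER=
+# empty => Use value of LDAP_BIND_DN
+# specify an object with privileges to search the directory tree
+# e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
+# e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
+SASLAUTHD_LDAP_BIND_DN=
+# empty => Use value of LDAP_BIND_PW
+SASLAUTHD_LDAP_PASSWORD=
+# empty => Use value of LDAP_SEARCH_BASE
+# specify the search base
+SASLAUTHD_LDAP_SEARCH_BASE=
+# empty => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
+# e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
+# e.g. for openldap: `(&(uid=%U)(objectClass=person))`
+SASLAUTHD_LDAP_FILTER=
+# empty => no
+# yes => LDAP over TLS enabled for SASL
+# If set to yes, the protocol in SASLAUTHD_LDAP_SERVER must be ldap:// or missing.
+SASLAUTHD_LDAP_START_TLS=
+# empty => no
+# yes => Require and verify server certificate
+# If yes you must/could specify SASLAUTHD_LDAP_TLS_CACERT_FILE or SASLAUTHD_LDAP_TLS_CACERT_DIR.
+SASLAUTHD_LDAP_TLS_CHECK_PEER=
+# File containing CA (Certificate Authority) certificate(s).
+# empty => Nothing is added to the configuration
+# Any value => Fills the `ldap_tls_cacert_file` option
+SASLAUTHD_LDAP_TLS_CACERT_FILE=
+# Path to directory with CA (Certificate Authority) certificates.
+# empty => Nothing is added to the configuration
+# Any value => Fills the `ldap_tls_cacert_dir` option
+SASLAUTHD_LDAP_TLS_CACERT_DIR=
+# Specify what password attribute to use for password verification.
+# empty => Nothing is added to the configuration but the documentation says it is `userPassword` by default.
+# Any value => Fills the `ldap_password_attr` option
+SASLAUTHD_LDAP_PASSWORD_ATTR=
+# empty => `bind` will be used as a default value
+# `fastbind` => The fastbind method is used
+# `custom` => The custom method uses userPassword attribute to verify the password
+SASLAUTHD_LDAP_AUTH_METHOD=
+# Specify the authentication mechanism for SASL bind
+# empty => Nothing is added to the configuration
+# Any value => Fills the `ldap_mech` option
+SASLAUTHD_LDAP_MECH=
+# -----------------------------------------------
+# --- SRS Section -------------------------------
+# -----------------------------------------------
+# envelope_sender => Rewrite only envelope sender address (default)
+# header_sender => Rewrite only header sender (not recommended)
+# envelope_sender,header_sender => Rewrite both senders
+# An email has an "envelope" sender (indicating the sending server) and a
+# "header" sender (indicating who sent it). More strict SPF policies may require
+# you to replace both instead of just the envelope sender.
+SRS_SENDER_CLASSES=envelope_sender
+# empty => Envelope sender will be rewritten for all domains
+# provide comma separated list of domains to exclude from rewriting
+SRS_EXCLUDE_DOMAINS=
+# empty => generated when the image is built
+# provide a secret to use in base64
+# you may specify multiple keys, comma separated. the first one is used for
+# signing and the remaining will be used for verification. this is how you
+# rotate and expire keys
+SRS_SECRET=
+# -----------------------------------------------
+# --- Default Relay Host Section ----------------
+# -----------------------------------------------
+# Setup relaying all mail through a default relay host
+#
+# Set a default host to relay all mail through (optionally include a port)
+# Example: [mail.example.com]:587
+DEFAULT_RELAY_HOST=[email-smtp.eu-north-1.amazonaws.com]:587
+# -----------------------------------------------
+# --- Multi-Domain Relay Section ----------------
+# -----------------------------------------------
+# Setup relaying for multiple domains based on the domain name of the sender
+# optionally uses usernames and passwords in postfix-sasl-password.cf and relay host mappings in postfix-relaymap.cf
+#
+# Set a default host to relay mail through
+# Example: mail.example.com
+RELAY_HOST=email-smtp.eu-north-1.amazonaws.com
+# empty => 25
+# default port to relay mail
+RELAY_PORT=587
+# -----------------------------------------------
+# --- Relay Host Credentials Section ------------
+# -----------------------------------------------
+# Configure a relay user and password to use with RELAY_HOST / DEFAULT_RELAY_HOST
+# empty => no default
+RELAY_USER=AKIAWBJK5JQUGAW3SR4N
+# empty => no default
+RELAY_PASSWORD={{ relay_password }}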
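Review bot: `RELAY_USER=AKIAWBJK5JQUGAW3SR4N` commits an AWS access key ID in cleartext while its secret key on the next line is vaulted; the key ID names the IAM principal and is exactly what secret scanners match on, so it belongs in the vault as well, e.g. `RELAY_USER={{ relay_user }}` with a vaulted `relay_user` variable next to `relay_password` (variable name is a suggestion). If this repository is or ever was reachable by others, the key pair should be treated as disclosed and rotated in IAM after the change. Separately, `SPOOF_PROTECTION=` leaves the default of `0`, which the file's own comment marks as not recommended because any authenticated account may send with a forged sender address; `SPOOF_PROTECTION=1` is the safer value when all accounts belong to one operator. `DEFAULT_RELAY_HOST` and `RELAY_HOST`/`RELAY_PORT` both point at the same SES endpoint, which looks redundant; keeping only the one you intend (the `[host]:port` form maps directly to Postfix `relayhost`) avoids the two drifting apart later.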
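--- a/main.cf.j2
+++ /dev/null
@@ -1,60 +0,0 @@
-# Postfix main configuration
-# https://www.postfix.org/postconf.5.html
-# --- Identity ---
-myhostname = mail.secretbee.buzz
-mydomain = secretbee.buzz
-myorigin = $mydomain
-# --- Network ---
-inet_interfaces = all
-inet_protocols = ipv4
-# --- Local delivery ---
-mydestination = $myhostname, localhost.$mydomain, localhost
-# --- Relay ---
-mynetworks = 127.0.0.0/8
-relayhost =
-# --- Virtual mailboxes ---
-virtual_mailbox_domains = $mydomain
-virtual_transport = lmtp:inet:dovecot:2424
-# --- TLS ---
-smtp_tls_security_level = enforce
-smtp_tls_loglevel = 1
-smtpd_tls_chain_files =
-/etc/postfix/fullchain.pem
-/etc/postfix/privkey.pem
-smtpd_tls_loglevel = 1
-# --- SASL (auth delegated to Dovecot) ---
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = inet:dovecot:12345
-smtpd_sasl_auth_enable = yes
-smtpd_sasl_security_options = noanonymous
-smtpd_recipient_restrictions =
-permit_sasl_authenticated,
-permit_mynetworks,
-reject_unauth_destination
-# --- Limits ---
-message_size_limit = 52428800
-disable_vrfy_command = yes
-smtpd_helo_required = yes
-smtpd_banner = $myhostname ESMTP
-smtpd_helo_restrictions =
-permit_mynetworks,
-reject_invalid_helo_hostname,
-reject_non_fqdn_helo_hostname
-smtpd_sender_restrictions =
-permit_mynetworks,
-reject_non_fqdn_sender,
-reject_unknown_sender_domain
-milter_protocol = 6
-milter_default_action = accept
-smtpd_milters = inet:opendkim:8891
-non_smtpd_milters = inet:opendkim:8891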
-41
@@ -1,41 +0,0 @@
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
# Port 25: inbound MX delivery — TLS optional, no auth required
smtp inet n - n - - smtpd
# Port 587: authenticated submission — TLS + SASL required
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
-6
@@ -1,6 +0,0 @@
Syslog yes
Domain secretbee.buzz
Selector mail
KeyFile /etc/opendkim/keys/mail.private
Socket inet:8891@0.0.0.0
OversignHeaders From
-1
@@ -1 +0,0 @@
bee@secretbee.buzz:{SHA512-CRYPT}$6$GRG/tBZAy62JjDXM$8DyA2Ii0aS2VPJlDs8ML.UjblfI1PYbG5VRmbSjeJB3nii8h9a3F5S7NDxieqBUOeVsa4LIfyp/6tC/dnDnpW.::::::
+7 -7
@@ -7,19 +7,19 @@ services:
- 127.0.0.1:8008:8008
volumes:
- db:/var/lib/continuwuity
- /opt/matrix/resolv.conf:/etc/resolv.conf
- /opt/beeserver/matrix/resolv.conf:/etc/resolv.conf
#- ./continuwuity.toml:/etc/continuwuity.toml
environment:
CONTINUWUITY_SERVER_NAME: matrix.secretbee.buzz
CONTINUWUITY_SERVER_NAME: secretbee.buzz
CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
CONTINUWUITY_ADDRESS: 0.0.0.0
CONTINUWUITY_PORT: 8008
#CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
CONTINUWUITY_WELL_KNOWN: |
{
client=https://secretbee.buzz,
server=secretbee.buzz:443
}
#CONTINUWUITY_WELL_KNOWN: |
# {
# client=https://secretbee.buzz,
# server=secretbee.buzz:443
# }
volumes:
db:
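Review bot: `CONTINUWUITY_SERVER_NAME` changes from `matrix.secretbee.buzz` to `secretbee.buzz` while the `db` volume holding the existing database is kept; a Matrix server_name is baked into every signed event, user ID and room ID the homeserver has ever produced, so this is effectively a new homeserver, and Conduit-lineage servers may refuse to start against a database created under a different name — the diff does not show whether the volume was reset. Either start from a fresh volume deliberately or document the migration next to the variable, e.g. `# server_name is immutable once the database exists; changing it means a new homeserver and a new DB`. Commenting out `CONTINUWUITY_WELL_KNOWN` is only safe because nginx now serves `/.well-known/matrix/*` for secretbee.buzz, so a note pointing at that config would stop someone re-enabling it with a conflicting value.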
+5 -5
@@ -19,29 +19,29 @@
state: directory
mode: '0755'
loop:
- /opt/matrix
- /opt/beeserver/matrix
- name: Compose down
changed_when: true
failed_when: false
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/matrix
chdir: /opt/beeserver/matrix
- name: Copy resolv.conf
ansible.builtin.template:
src: resolv.conf.j2
dest: /opt/matrix/resolv.conf
dest: /opt/beeserver/matrix/resolv.conf
mode: '0644'
- name: Copy compose
ansible.builtin.template:
src: docker-compose.yml.j2
dest: /opt/matrix/docker-compose.yml
dest: /opt/beeserver/matrix/docker-compose.yml
mode: '0644'
- name: Compose up
changed_when: true
ansible.builtin.command:
cmd: podman-compose up -d
chdir: /opt/matrix
chdir: /opt/beeserver/matrix
+4 -4
@@ -11,7 +11,7 @@ services:
- '127.0.0.1:9090:9090'
volumes:
- prometheus-data:/prometheus
- /opt/monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
- /opt/beeserver/monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
networks:
- monitoring
@@ -40,7 +40,7 @@ services:
- '127.0.0.1:9096:9096'
volumes:
- loki-data:/loki
- /opt/monitoring/local-config.yml:/etc/loki/local-config.yaml
- /opt/beeserver/monitoring/local-config.yml:/etc/loki/local-config.yaml
command: -config.file=/etc/loki/local-config.yaml
restart: always
networks:
@@ -52,8 +52,8 @@ services:
ports:
- '127.0.0.1:12345:12345'
volumes:
- /opt/monitoring/config.alloy:/etc/alloy/config.alloy
- /opt/monitoring/database:/opt/database
- /opt/beeserver/monitoring/config.alloy:/etc/alloy/config.alloy
- /opt/beeserver/monitoring/database:/opt/database
- /var/log:/var/log:ro
- /run/log/journal:/run/log/journal:ro
- /var/log/journal:/var/log/journal:ro
+12 -12
@@ -42,38 +42,38 @@
- name: Create monitoring config directory
ansible.builtin.file:
path: /opt/monitoring
path: /opt/beeserver/monitoring
state: directory
mode: '0755'
- name: Copy compose
ansible.builtin.template:
src: docker-compose.yml.j2
dest: /opt/monitoring/docker-compose.yml
dest: /opt/beeserver/monitoring/docker-compose.yml
mode: '0644'
- name: Compose down
changed_when: true
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/monitoring
chdir: /opt/beeserver/monitoring
- name: Copy prometheus config
ansible.builtin.copy:
src: prometheus_config.yml
dest: /opt/monitoring/prometheus.yml
dest: /opt/beeserver/monitoring/prometheus.yml
mode: '0644'
- name: Copy loki config
ansible.builtin.template:
src: local-config.yml.j2
dest: /opt/monitoring/local-config.yml
dest: /opt/beeserver/monitoring/local-config.yml
mode: '0644'
- name: Copy alloy config
ansible.builtin.template:
src: config.alloy.j2
dest: /opt/monitoring/config.alloy
dest: /opt/beeserver/monitoring/config.alloy
mode: '0644'
- name: Enable podman.socket
@@ -84,20 +84,20 @@
- name: Delete database directory
ansible.builtin.file:
path: /opt/monitoring/database
path: /opt/beeserver/monitoring/database
state: absent
mode: '0755'
- name: Create database directory
ansible.builtin.file:
path: /opt/monitoring/database
path: /opt/beeserver/monitoring/database
state: directory
mode: '0755'
- name: Download geoip database
ansible.builtin.get_url:
url: "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"
dest: /opt/monitoring
dest: /opt/beeserver/monitoring
username: "{{ geoip_username }}"
password: "{{ geoip_license }}"
mode: '0644'
@@ -107,7 +107,7 @@
- name: Get geoip tar file
ansible.builtin.find:
paths: /opt/monitoring
paths: /opt/beeserver/monitoring
file_type: file
patterns: '^GeoLite.*.tar.gz$'
use_regex: true
@@ -118,11 +118,11 @@
ansible.builtin.unarchive:
remote_src: true
src: "{{ found.files[0].path }}"
dest: /opt/monitoring/database
dest: /opt/beeserver/monitoring/database
extra_opts: ['--strip-components=1', '--show-stored-names']
- name: Compose up
changed_when: true
ansible.builtin.command:
cmd: podman-compose up -d
chdir: /opt/monitoring
chdir: /opt/beeserver/monitoring
+8
@@ -20,6 +20,14 @@
group: root
mode: '0644'
- name: Copy upstreamc.onf
ansible.builtin.copy:
src: upstream.conf
dest: /etc/nginx/conf.d/upstream.conf
owner: root
group: root
mode: '0644'
- name: Restart nginx
ansible.builtin.service:
name: nginx
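Review bot: The new copy task (name typo aside: `- name: Copy upstream.conf`) drops a fragment into /etc/nginx/conf.d and the play then hard-restarts nginx, so a syntax error in upstream.conf takes every site on the host down instead of leaving the running config in place. Add a check between the copy and the restart, `- name: Validate nginx configuration` / `ansible.builtin.command: nginx -t` / `changed_when: false`, and consider `state: reloaded` for the service task, which makes nginx reject a bad config without an outage. The restart task continues past the end of this hunk.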
@@ -1,33 +1,33 @@
server {
listen 80;
server_name matrix.secretbee.buzz;
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 8448 ssl http2;
listen [::]:8448 ssl http2;
server_name matrix.secretbee.buzz;
location / {
return 301 https://$host$request_uri;
}
}
ssl_certificate /etc/letsencrypt/live/matrix.secretbee.buzz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.secretbee.buzz/privkey.pem;
server {
listen 443 ssl;
server_name matrix.secretbee.buzz;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
limit_req zone=mylimit burst=20;
proxy_buffering off;
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
gzip on;
gzip_types application/json;
gzip_min_length 1000;
ssl_certificate /etc/letsencrypt/live/matrix.secretbee.buzz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.secretbee.buzz/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location /_matrix/ {
proxy_pass http://continuwuity_server;
location / {
client_max_body_size 512M;
proxy_pass http://localhost:8008;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
proxy_read_timeout 60s;
proxy_send_timeout 60s;
}
}
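Review bot: This hunk contains two Strict-Transport-Security lines and the one reading `add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;` is malformed: RFC 6797 separates directives with `;`, and the comma makes the `max-age` value unparseable so browsers discard the whole header. The rendered diff does not make the side of each line certain, but the comma form sits next to the surviving `limit_req`/`gzip` lines and so appears to be the new one; whichever survives must read `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. The hunk also appears to drop the port-80 `server` that returned 301 to https along with `X-Content-Type-Options` and `X-Frame-Options`; if that is intentional, confirm another config still redirects plain HTTP for matrix.secretbee.buzz, and note that listening on 8448 here is redundant with the `.well-known/matrix/server` delegation to port 443 added in the same commit.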
@@ -12,6 +12,7 @@ server {
server {
listen 443 ssl;
listen [::]:443 ssl http2;
server_name secretbee.buzz;
limit_req zone=mylimit burst=20;
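Review bot: `listen [::]:443 ssl http2;` is added with the `http2` flag while the existing `listen 443 ssl;` on the line above stays HTTP/1.1, so IPv4 and IPv6 clients of secretbee.buzz negotiate different protocols. Make the two consistent with `listen 443 ssl http2;`, or on nginx ≥ 1.25.1 drop the flag from both and add `http2 on;` in the server block. The enclosing server block continues past this hunk.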
@@ -25,6 +26,25 @@ server {
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location /.well-known/matrix/server {
default_type application/json;
add_header Access-Control-Allow-Origin "*";
return 200 '{"m.server": "matrix.secretbee.buzz:443"}';
}
location /.well-known/matrix/client {
default_type application/json;
add_header Access-Control-Allow-Origin "*";
return 200 '{"m.homeserver": {"base_url": "https://matrix.secretbee.buzz"}, "org.matrix.msc3575.proxy": {"url": "https://matrix.secretbee.buzz"}}';
}
# Matrix Support contact information (MSC1929)
location /.well-known/matrix/support {
default_type application/json;
add_header Access-Control-Allow-Origin "*";
return 200 '{"contacts": [{"matrix_id": "@admin:secretbee.buzz", "email_address": "admin@server.name", "role": "m.role.admin"}]}';
}
location / {
default_type "text/html";
try_files $uri $uri.html $uri/index.html index.html;
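Review bot: The new `/.well-known/matrix/support` response publishes the placeholder `"email_address": "admin@server.name"` verbatim; this URL is world-readable and clients surface it as the abuse/admin contact, so replace it with a monitored mailbox or drop the key, e.g. `return 200 '{"contacts": [{"matrix_id": "@admin:secretbee.buzz", "role": "m.role.admin"}]}';`. Also, `add_header` inside a `location` replaces every `add_header` inherited from the enclosing `server` block (which starts before this hunk), so if that block sets HSTS or other security headers, these three locations will emit only `Access-Control-Allow-Origin`; that is acceptable for static JSON but deserves a comment such as `# add_header here overrides server-level headers; CORS * is required by the Matrix spec for well-known`.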
+8
@@ -0,0 +1,8 @@
upstream continuwuity_server {
server 127.0.0.1:8008 max_fails=0;
keepalive 32;
keepalive_requests 1000;
keepalive_time 1h;
keepalive_timeout 600s;
}
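Review bot: `keepalive 32` only pools upstream connections when the proxying location speaks HTTP/1.1 and sends an empty `Connection` header; the matrix location in this commit forwards `$http_connection`, so any client that sends `Connection: close` (HTTP/1.0 tools, many scanners) closes the pooled connection after each request, and a client sending `Connection: keep-alive` is passed through as-is. The usual pattern is `proxy_set_header Connection $connection_upgrade;` backed by `map $http_upgrade $connection_upgrade { default upgrade; '' ''; }` in the http context, which yields an empty header for ordinary requests and `upgrade` for websockets. A header comment on this file naming that dependency would help, e.g. `# effective only with proxy_http_version 1.1 and an empty/upgrade Connection header in the proxying location`.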
-465
@@ -1,465 +0,0 @@
"use strict";
module.exports = {
// ## Server settings
// ### `public`
//
// When set to `true`, The Lounge starts in public mode. When set to `false`,
// it starts in private mode.
//
// - A **public server** does not require authentication. Anyone can connect
// to IRC networks in this mode. All IRC connections and channel
// scrollbacks are lost when a user leaves the client.
// - A **private server** requires users to log in. Their IRC connections are
// kept even when they are not using or logged in to the client. All joined
// channels and scrollbacks are available when they come back.
//
// This value is set to `false` by default.
public: false,
// ### `host`
//
// IP address or hostname for the web server to listen to. For example, set it
// to `"127.0.0.1"` to accept connections from localhost only.
//
// For UNIX domain sockets, use `"unix:/absolute/path/to/file.sock"`.
//
// This value is set to `undefined` by default to listen on all interfaces.
host: "127.0.0.1",
// ### `port`
//
// Set the port to listen to.
//
// This value is set to `9000` by default.
port: 9000,
// ### `bind`
//
// Set the local IP to bind to for outgoing connections.
//
// This value is set to `undefined` by default to let the operating system
// pick its preferred one.
bind: undefined,
// ### `reverseProxy`
//
// When set to `true`, The Lounge is marked as served behind a reverse proxy
// and will honor the `X-Forwarded-For` header.
//
// This value is set to `false` by default.
reverseProxy: true,
// ### `maxHistory`
//
// Defines the maximum number of history lines that will be kept in memory per
// channel/query, in order to reduce the memory usage of the server. Setting
// this to `-1` will keep unlimited amount.
//
// This value is set to `10000` by default.
maxHistory: 10000,
// ### `https`
//
// These settings are used to run The Lounge's web server using encrypted TLS.
//
// If you want more control over the webserver,
// [use a reverse proxy instead](https://thelounge.chat/docs/guides/reverse-proxies).
//
// The available keys for the `https` object are:
//
// - `enable`: when set to `false`, HTTPS support is disabled
// and all other values are ignored.
// - `key`: Path to the private key file.
// - `certificate`: Path to the certificate.
// - `ca`: Path to the CA bundle.
//
// The value of `enable` is set to `false` to disable HTTPS by default, in
// which case the other two string settings are ignored.
https: {
enable: false,
key: "",
certificate: "",
ca: "",
},
// ## Client settings
// ### `theme`
//
// Set the default theme to serve to new users. They will be able to select a
// different one in their client settings among those available.
//
// The Lounge ships with two themes (`default` and `morning`) and can be
// extended by installing more themes. Read more about how to manage them
// [here](https://thelounge.chat/docs/guides/theme-creation).
//
// This value needs to be the package name and not the display name. For
// example, the value for Morning would be `morning`, and the value for
// Solarized would be `thelounge-theme-solarized`.
//
// This value is set to `"default"` by default.
theme: "default",
// ### `prefetch`
//
// When set to `true`, The Lounge will load thumbnails and site descriptions
// from URLs posted in channels and private messages.
//
// This value is set to `false` by default.
prefetch: false,
// ### `disableMediaPreview`
//
// When set to `true`, The Lounge will not preview media (images, video and
// audio) hosted on third-party sites. This ensures the client does not
// make any requests to external sites. If `prefetchStorage` is enabled,
// images proxied via the The Lounge will be previewed.
//
// This has no effect if `prefetch` is set to `false`.
//
// This value is set to `false` by default.
disableMediaPreview: false,
// ### `prefetchStorage`
// When set to `true`, The Lounge will store and proxy prefetched images and
// thumbnails on the filesystem rather than directly display the content at
// the original URLs.
//
// This option primarily exists to resolve mixed content warnings by not
// loading images from http hosts. This option does not work for video
// or audio as The Lounge will only load these from https hosts.
//
// If storage is enabled, The Lounge will fetch and store images and thumbnails
// in the `${THELOUNGE_HOME}/storage` folder.
//
// Images are deleted when they are no longer referenced by any message
// (controlled by `maxHistory`), and the folder is cleaned up when The Lounge
// restarts.
//
// This value is set to `false` by default.
prefetchStorage: false,
// ### `prefetchMaxImageSize`
//
// When `prefetch` is enabled, images will only be displayed if their file
// size does not exceed this limit.
//
// This value is set to `2048` kilobytes by default.
prefetchMaxImageSize: 2048,
// ### prefetchMaxSearchSize
//
// This value sets the maximum response size allowed when finding the Open
// Graph tags for link previews. The entire response is temporarily stored
// in memory and for some sites like YouTube this can easily exceed 300
// kilobytes.
//
// This value is set to `50` kilobytes by default.
prefetchMaxSearchSize: 50,
// ### `prefetchTimeout`
//
// When `prefetch` is enabled, this value sets the number of milliseconds
// before The Lounge gives up attempting to fetch a link. This can be useful
// if you've increased the `prefetchMaxImageSize`.
//
// Take caution, however, that an inordinately large value may lead to
// performance issues or even a denial of service, since The Lounge will not
// be able to clean up outgoing connections as quickly. Usually the default
// value is appropriate, so only change it if necessary.
//
// This value is set to `5000` milliseconds by default.
prefetchTimeout: 5000,
// ### `fileUpload`
//
// Allow uploading files to the server hosting The Lounge.
//
// Files are stored in the `${THELOUNGE_HOME}/uploads` folder, do not expire,
// and are not removed by The Lounge. This may cause issues depending on your
// hardware, for example in terms of disk usage.
//
// The available keys for the `fileUpload` object are:
//
// - `enable`: When set to `true`, files can be uploaded on the client with a
// drag-and-drop or using the upload dialog.
// - `maxFileSize`: When file upload is enabled, users sending files above
// this limit will be prompted with an error message in their browser. A value of
// `-1` disables the file size limit and allows files of any size. **Use at
// your own risk.** This value is set to `10240` kilobytes by default.
// - `baseUrl`: If you want to change the URL where uploaded files are accessed,
// you can set this option to `"https://example.com/folder/"` and the final URL
// would look like `"https://example.com/folder/aabbccddeeff1234/name.png"`.
// If you use this option, you must have a reverse proxy configured,
// to correctly proxy the uploads URLs back to The Lounge.
// This value is set to `null` by default.
fileUpload: {
enable: false,
maxFileSize: 10240,
baseUrl: null,
},
// ### `transports`
//
// Set `socket.io` transports.
//
// This value is set to `["polling", "websocket"]` by default.
transports: ["polling", "websocket"],
// ### `leaveMessage`
//
// Set users' default `quit` and `part` messages if they are not providing
// one.
//
// This value is set to `"The Lounge - https://thelounge.chat"` by
// default.
leaveMessage: "Buzz...",
// ## Default network
// ### `defaults`
//
// Specifies default network information that will be used as placeholder
// values in the *Connect* window.
//
// The available keys for the `defaults` object are:
//
// - `name`: Name to display in the channel list of The Lounge. This value is
// not forwarded to the IRC network.
// - `host`: IP address or hostname of the IRC server.
// - `port`: Usually 6667 for unencrypted connections and 6697 for
// connections encrypted with TLS.
// - `password`: Connection password. If the server supports SASL capability,
// then this password will be used in SASL authentication.
// - `tls`: Enable TLS connections
// - `rejectUnauthorized`: Whether the server certificate should be verified
// against the list of supplied Certificate Authorities (CAs) by your
// Node.js installation.
// - `nick`: Nick name. Percent signs (`%`) will be replaced by random
// numbers from 0 to 9. For example, `Guest%%%` may become `Guest123`.
// - `username`: User name.
// - `realname`: Real name displayed by some clients. Defaults to the nick if set to ""
// - `leaveMessage`: Network specific leave message (overrides global leaveMessage)
// - `join`: Comma-separated list of channels to auto-join once connected.
//
// This value is set to connect to the official channel of The Lounge on
// Libera.Chat by default:
//
// ```js
// defaults: {
// name: "Libera.Chat",
// host: "irc.libera.chat",
// port: 6697,
// password: "",
// tls: true,
// rejectUnauthorized: true,
// nick: "thelounge%%",
// username: "thelounge",
// realname: "The Lounge User",
// join: "#thelounge"
// }
// ```
defaults: {
name: "secretbee",
host: "irc.secretbee.buzz",
port: 6697,
password: "",
tls: true,
rejectUnauthorized: true,
nick: "bee%%",
username: "bee",
realname: "",
join: "#thehive",
leaveMessage: "",
},
// ### `lockNetwork`
//
// When set to `true`, users will not be able to modify host, port and TLS
// settings and will be limited to the configured network.
// These fields will also be hidden from the UI.
//
// This value is set to `false` by default.
lockNetwork: true,
// ## User management
// ### `messageStorage`
// The Lounge can log user messages, for example to access them later or to
// reload messages on server restart.
// Set this array with one or multiple values to enable logging:
// - `text`: Messages per network and channel will be stored as text files.
// **Messages will not be reloaded on restart.**
// - `sqlite`: Messages are stored in SQLite database files, one per user.
//
// Logging can be disabled globally by setting this value to an empty array
// `[]`. Logging is also controlled per user individually in the `log` key of
// their JSON configuration file.
//
// This value is set to `["sqlite", "text"]` by default.
messageStorage: ["sqlite", "text"],
// ### `storagePolicy`
// When the sqlite storage is in use, control the maximum storage duration.
// A background task will periodically clean up messages older than the limit.
// The available keys for the `storagePolicy` object are:
//
// - `enabled`: If this is false, the cleaning task is not running.
// - `maxAgeDays`: Maximum age of an entry in days.
// - `deletionPolicy`: Controls what types of messages are being deleted.
// Valid options are:
// - `statusOnly`: Only delete message types which are status related (e.g. away, back, join, parts, mode, ctcp...)
// but keep actual messages from nicks. This keeps the DB size down while retaining "precious" messages.
// - `everything`: Delete everything, including messages from irc nicks
storagePolicy: {
enabled: false,
maxAgeDays: 7,
deletionPolicy: "statusOnly",
},
// ### `useHexIp`
//
// When set to `true`, users' IP addresses will be encoded as hex.
//
// This is done to share the real user IP address with the server for host
// masking purposes. This is encoded in the `username` field and only supports
// IPv4.
//
// This value is set to `false` by default.
useHexIp: true,
// ## WEBIRC support
//
// When enabled, The Lounge will pass the connecting user's host and IP to the
// IRC server. Note that this requires to obtain a password from the IRC
// network that The Lounge will be connecting to and generally involves a lot
// of trust from the network you are connecting to.
//
// There are 2 ways to configure the `webirc` setting:
//
// - **Basic**: an object where keys are IRC hosts and values are passwords.
// For example:
//
// ```json
// webirc: {
// "irc.example.net": "thisiswebircpassword1",
// "irc.example.org": "thisiswebircpassword2",
// },
// ```
//
// - **Advanced**: an object where keys are IRC hosts and values are functions
// that take two arguments (`webircObj`, `network`) and return an
// object to be directly passed to `irc-framework`. `webircObj` contains the
// generated object which you can modify. For example:
//
// ```js
// webirc: {
// "irc.example.com": (webircObj, network) => {
// webircObj.password = "thisiswebircpassword";
// webircObj.hostname = `webirc/${webircObj.hostname}`;
// return webircObj;
// },
// },
// ```
//
// This value is set to `null` to disable WEBIRC by default.
webirc: null,
// ## identd and oidentd support
// ### `identd`
//
// Run The Lounge with `identd` support.
//
// The available keys for the `identd` object are:
//
// - `enable`: When `true`, the identd daemon runs on server start.
// - `port`: Port to listen for ident requests.
//
// The value of `enable` is set to `false` to disable `identd` support by
// default, in which case the value of `port` is ignored. The default value of
// `port` is 113.
identd: {
enable: false,
port: 113,
},
// ### `oidentd`
//
// When this setting is a string, this enables `oidentd` support using the
// configuration file located at the given path.
//
// This is set to `null` by default to disable `oidentd` support.
oidentd: null,
// ## LDAP support
// These settings enable and configure LDAP authentication.
//
// They are only being used in private mode. To know more about private mode,
// see the `public` setting above.
//
// The authentication process works as follows:
//
// 1. The Lounge connects to the LDAP server with its system credentials.
// 2. It performs an LDAP search query to find the full DN associated to the
// user requesting to log in.
// 3. The Lounge tries to connect a second time, but this time using the
// user's DN and password. Authentication is validated if and only if this
// connection is successful.
//
// The search query takes a couple of parameters in `searchDN`:
//
// - a base DN `searchDN/base`. Only children nodes of this DN will likely
// be returned;
// - a search scope `searchDN/scope` (see LDAP documentation);
// - the query itself, built as `(&(<primaryKey>=<username>) <filter>)`
// where `<username>` is the user name provided in the log in request,
// `<primaryKey>` is provided by the config and `<filter>` is a filtering
// complement also given in the config, to filter for instance only for
// nodes of type `inetOrgPerson`, or whatever LDAP search allows.
//
// Alternatively, you can specify the `bindDN` parameter. This will make The
// Lounge ignore `searchDN` options and assume that the user DN is always
// `<bindDN>,<primaryKey>=<username>`, where `<username>` is the user name
// provided in the log in request, and `<bindDN>` and `<primaryKey>` are
// provided by the configuration.
//
// The available keys for the `ldap` object are:
ldap: {
// - `enable`: when set to `false`, LDAP support is disabled and all other
// values are ignored.
enable: false,
// - `url`: A url of the form `ldaps://<ip>:<port>`.
// For plain connections, use the `ldap` scheme.
url: "ldaps://example.com",
// - `tlsOptions`: LDAP connection TLS options (only used if scheme is
// `ldaps://`). It is an object whose values are Node.js' `tls.connect()`
// options. It is set to `{}` by default.
// For example, this option can be used in order to force the use of IPv6:
// ```js
// {
// host: 'my::ip::v6',
// servername: 'example.com'
// }
// ```
tlsOptions: {},
// - `primaryKey`: LDAP primary key. It is set to `"uid"` by default.
primaryKey: "uid",
// - `baseDN`: LDAP base DN, alternative to `searchDN`. For example, set it
// to `"ou=accounts,dc=example,dc=com"`.
// When unset, the LDAP auth logic with use `searchDN` instead to locate users.
// - `searchDN`: LDAP search DN settings. This defines the procedure by
// which The Lounge first looks for the user DN before authenticating them.
// It is ignored if `baseDN` is specified. It is an object with the
// following keys:
searchDN: {
// - `rootDN`: This bind DN is used to query the server for the DN of
// the user. This is supposed to be a system user that has access in
// read-only to the DNs of the people that are allowed to log in.
// It is set to `"cn=thelounge,ou=system-users,dc=example,dc=com"` by
// default.
rootDN: "cn=thelounge,ou=system-users,dc=example,dc=com",
// - `rootPassword`: Password of The Lounge LDAP system user.
rootPassword: "1234",
// - `filter`: it is set to `"(&(objectClass=person)(memberOf=ou=accounts,dc=example,dc=com))"`
// by default.
filter: "(&(objectClass=person)(memberOf=ou=accounts,dc=example,dc=com))",
// - `base`: LDAP search base (search only within this node). It is set
// to `"dc=example,dc=com"` by default.
base: "dc=example,dc=com",
// - `scope`: LDAP search scope. It is set to `"sub"` by default.
scope: "sub",
},
},
// ## Debugging settings
// The `debug` object contains several settings to enable debugging in The
// Lounge. Use them to learn more about an issue you are noticing but be aware
// this may produce more logging or may affect connection performance so it is
// not recommended to use them by default.
//
// All values in the `debug` object are set to `false`.
debug: {
// ### `debug.ircFramework`
//
// When set to true, this enables extra debugging output provided by
// [`irc-framework`](https://github.com/kiwiirc/irc-framework), the
// underlying IRC library for Node.js used by The Lounge.
ircFramework: false,
// ### `debug.raw`
//
// When set to `true`, this enables logging of raw IRC messages into each
// server window, displayed on the client.
raw: false,
},
};
-29
@@ -1,29 +0,0 @@
- name: Thelounge
hosts: pi
become: true
tasks:
- name: Install nodejs
ansible.builtin.apt:
name: nodejs
state: present
- name: Copy install
ansible.builtin.copy:
src: thelounge_4.4.3_all.deb
dest: /tmp/thelounge_4.4.3_all.deb
owner: root
group: root
mode: '0755'
- name: Copy config
ansible.builtin.copy:
src: config.js
dest: /etc/thelounge/config.js
owner: thelounge
group: thelounge
mode: '0660'
- name: Restart service
ansible.builtin.service:
name: thelounge
state: restarted
Binary file not shown.
+66
@@ -23,6 +23,20 @@
name: samba
route: true
- name: Allow Mail
community.general.ufw:
rule: allow
port: '{{ item }}'
proto: tcp
loop:
- "465"
- "25"
- "587"
- "110"
- "995"
- "143"
- "993"
- name: UFW - Allow HTTP connections
community.general.ufw:
rule: allow
@@ -44,6 +58,13 @@
proto: tcp
route: true
- name: UFW - Allow matrix federation
community.general.ufw:
rule: allow
port: "8448"
proto: tcp
route: true
- name: UFW - Allow podman forwarding
community.general.ufw:
rule: allow
@@ -51,6 +72,51 @@
interface_out: podman+
route: true
- name: UFW - Allow wireguard incoming
community.general.ufw:
rule: allow
interface_in: wg0
- name: UFW - Allow wireguard outgoing
community.general.ufw:
rule: allow
interface_out: wg0
- name: UFW - Allow wireguard forwarding
community.general.ufw:
rule: allow
interface_in: wg0
interface_out: wg0
route: true
- name: UFW - Allow wireguard to local network
community.general.ufw:
rule: allow
interface_in: wg0
interface_out: eth0
route: true
- name: UFW - Allow wireguard to podman
community.general.ufw:
rule: allow
interface_in: wg0
interface_out: podman+
route: true
- name: UFW - Allow podman to wireguard
community.general.ufw:
rule: allow
interface_in: podman+
interface_out: wg0
route: true
- name: UFW - Allow local network to wireguard
community.general.ufw:
rule: allow
interface_in: eth0
interface_out: wg0
route: true
- name: UFW - Allow podman forwarding 2
community.general.ufw:
rule: allow
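Review bot: `UFW - Allow wireguard incoming` allows every port on `interface_in: wg0`, and the `wg0 → eth0` / `wg0 → podman+` route rules extend that to the LAN and the containers, which makes the VPN peer — a public VPS that, per the DNAT rules in this commit, only needs to forward TCP 25, 587 and 993 to 10.10.1.2 — a fully trusted network, so a compromise of that VPS yields unrestricted access to the Pi, its containers and the LAN. Narrow the inbound rule to the forwarded ports (below) and drop the `wg0 → eth0` route unless something on the LAN genuinely must be reachable through the tunnel. `Allow Mail` opens 25/465/587/110/995/143/993 on every interface; if the Pi is only reached via the VPS, scope these to `interface_in: wg0` as well and leave plaintext POP3/IMAP (110/143) closed unless the mail server enforces STARTTLS on them, and if the mail server runs in podman they may additionally need `route: true` like the samba rule above. `UFW - Allow matrix federation` uses `route: true`, which only touches the FORWARD chain, while the matrix.conf in this commit has nginx bind 8448 on the host itself, so an INPUT rule without `route` is needed unless one exists outside this hunk.

```yaml
- name: UFW - Allow forwarded mail ports from wireguard peer
  community.general.ufw:
    rule: allow
    interface_in: wg0
    port: "{{ item }}"
    proto: tcp
  loop:
    - "25"
    - "587"
    - "993"
# … unchanged: wireguard outgoing / forwarding rules …
```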
+9
@@ -0,0 +1,9 @@
[Interface]
PrivateKey = {{ wireguard_private_key }}
Address = 10.10.1.2/24
[Peer]
PublicKey = r0XaxIE3AVud9Z42UPZF3mwoh2R0B0M1EUDY9cvuyDA=
Endpoint = 192.3.44.243:41194
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25
+18
@@ -0,0 +1,18 @@
[Interface]
PrivateKey = {{ wireguard_server_private_key }}
Address = 10.10.1.1/24
ListenPort = 41194
PostUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 10.10.1.2:25
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 10.10.1.2:25
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination 10.10.1.2:993
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination 10.10.1.2:993
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to-destination 10.10.1.2:587
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to-destination 10.10.1.2:587
PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
[Peer]
PublicKey = oI69uWkbkwtpuIYxDNGmzg4nRjY1BIZFVFjZwguIvwE=
AllowedIPs = 10.10.1.2/32
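Review bot: `PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE` rewrites the source of every DNAT'd SMTP/IMAP connection to 10.10.1.1 before it reaches the Pi, so the mail server never sees the real client address: per-client rate limits, fail2ban, reverse-DNS/HELO/SPF checks and the mail logs all collapse onto one internal IP, and if the mail server's trusted-network list (postfix `mynetworks`, or `PERMIT_DOCKER` if this is docker-mailserver) ever covers 10.10.1.0/24, every Internet client becomes trusted and the relay is open. The masquerade exists only so replies return through the tunnel; the cleaner alternatives are a policy route on the Pi for traffic sourced from 10.10.1.2 via wg0 (a heavier change involving the peer's AllowedIPs and `Table = off`), after which the MASQUERADE can be dropped, or a TCP proxy on the VPS speaking PROXY protocol to the mail server so the client IP is carried in-band. At minimum record the trade-off next to the rule: `# MASQUERADE hides real client IPs from the Pi; never add 10.10.1.0/24 to the mail server's trusted networks`. Also, `net.ipv4.ip_forward=1` is enabled but no FORWARD-chain accept is added for the eth0→wg0 path, so the DNAT only works if the VPS's FORWARD policy is ACCEPT, which is worth stating or replacing with an explicit rule for the three ports.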
+37
@@ -0,0 +1,37 @@
- name: Wireguard
hosts: pi
become: true
vars:
wireguard_private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
64663235376666616263333732653733633362393634663130356638353431633635373437323961
3030636636626339316366326161623236303937623338380a656639636338643937323037366139
64633263646664303962323830663435343531393231393939663633343165383163626466633231
3138326563386233390a386237633630656436663062633264366562616632633035343733323331
64366538386364623938663836336661313632376131336338643432646338303738616438623361
6237653737666662336665326237623331383132653431343466
wireguard_server_private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
38633732343939346261653834393536313335376166616661373266616266353938633363373464
3233646466303834656633656237643632666462323264360a333066313361323038366265316330
32626534313239353833653638353364313136333932386331373132356333663935366466653435
3636323037366333350a313761643565633165643938303330386431623237356262323332306533
34623734623661333266393930306439336533343566306635633638326334303364353036383036
3461343263306434386135356638623636393030646236346531
tasks:
- name: Install wireguard
ansible.builtin.apt:
name: wireguard
state: present
- name: Copy wg0.conf
ansible.builtin.template:
src: wg0.conf.j2
dest: /etc/wireguard/wg0.conf
mode: '0600'
- name: Start service
ansible.builtin.service:
name: wg-quick@wg0
state: restarted
enabled: true
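Review bot: The `Copy wg0.conf` task renders `{{ wireguard_private_key }}` without `no_log: true`, so a run with `--diff`, or a template failure, prints the decrypted private key into the Ansible output and any log that captures it; add `no_log: true` to that task (the vault-encrypted vars themselves are fine as they are). The play also decrypts `wireguard_server_private_key` on every run even though only one `wg0.conf.j2` is deployed to `pi`; if that key belongs to the VPS end of the tunnel, keep it in that host's vars rather than in a play targeting the Pi, so one host's controller output cannot expose both ends. Finally, `Start service` uses `state: restarted` unconditionally, dropping the tunnel (and the DNAT'd mail traffic behind it) on every run even when nothing changed; restart via a handler notified by the template task, or apply changes with `wg syncconf wg0 <(wg-quick strip wg0)`.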