This commit is contained in:
bee
2026-05-24 19:38:38 +02:00
parent 8c66580dab
commit 366a8cc197
35 changed files with 998 additions and 372 deletions
+1
@@ -4,3 +4,4 @@ registry/
.vault-password
*.private
*.secret
mail.txt
+10
@@ -80,6 +80,16 @@
"panel": "dedicated"
}
},
{
"label": "Deploy: wireguard",
"type": "shell",
"command": "make deploy-wireguard",
"group": "build",
"presentation": {
"reveal": "always",
"panel": "dedicated"
}
},
{
"label": "Deploy: matrix",
"type": "shell",
+4 -4
@@ -22,24 +22,24 @@
- name: Create gitea directory
ansible.builtin.file:
path: /opt/gitea
path: /opt/beeserver/gitea
state: directory
mode: '0755'
- name: Copy compose
ansible.builtin.template:
src: docker-compose.yml.j2
dest: /opt/gitea/docker-compose.yml
dest: /opt/beeserver/gitea/docker-compose.yml
mode: '0644'
- name: Compose down
changed_when: true
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/gitea
chdir: /opt/beeserver/gitea
- name: Compose up
changed_when: true
ansible.builtin.command:
cmd: podman-compose up -d
chdir: /opt/gitea
chdir: /opt/beeserver/gitea
+2 -2
@@ -38,14 +38,14 @@
- name: Add post hook script
ansible.builtin.copy:
src: irc-post-hook.sh
dest: /opt/irc-post-hook.sh
dest: /opt/beeserver/irc-post-hook.sh
owner: root
group: root
mode: '0755'
- name: Renew for post hook
changed_when: true
ansible.builtin.command: certbot renew --cert-name irc.secretbee.buzz --deploy-hook /opt/irc-post-hook.sh --force-renewal
ansible.builtin.command: certbot renew --cert-name irc.secretbee.buzz --deploy-hook /opt/beeserver/irc-post-hook.sh --force-renewal
- name: Change permission on live
ansible.builtin.file:
-27
@@ -1,27 +0,0 @@
service auth {
inet_listener auth-inet {
port = 12345
}
}
service lmtp {
inet_listener lmtp {
port = 2424
}
}
auth_mechanisms = plain login
passdb passwd-file {
passwd_file_path = /etc/dovecot/users
}
userdb passwd-file {
passwd_file_path = /etc/dovecot/users
}
mail_home = /var/vmail/%{user | domain}/%{user | username}
mail_path = ~/mail
ssl = required
auth_allow_cleartext = no
+19 -51
@@ -1,55 +1,23 @@
networks:
mail:
external: false
services:
dovecot:
image: docker.io/dovecot/dovecot:latest
container_name: dovecot
restart: always
networks:
- mail
volumes:
- /opt/mail/99-local.conf:/etc/dovecot/conf.d/99-local.conf:ro
- /opt/mail/users:/etc/dovecot/users:ro
- mail-data:/srv/vmail
ports:
- "31143:31143"
- "31993:31993"
- "31110:31110"
- "31995:31995"
- "31587:31587"
- "31024:31024"
- "34190:34190"
- "8080:8080"
- "127.0.0.1:2424:2424"
- "127.0.0.1:9110:9110"
postfix:
image: git.secretbee.buzz/bee/postfix:latest
container_name: postfix
restart: always
pull_policy: always
networks:
- mail
volumes:
- /etc/letsencrypt/live/mail.secretbee.buzz/fullchain.pem:/etc/postfix/fullchain.pem:ro
- /etc/letsencrypt/live/mail.secretbee.buzz/privkey.pem:/etc/postfix/privkey.pem:ro
- /opt/mail/main.cf:/etc/postfix/main.cf:ro
- /opt/mail/master.cf:/etc/postfix/master.cf:ro
services: # https://docker-mailserver.github.io/docker-mailserver/latest/
mailserver:
image: ghcr.io/docker-mailserver/docker-mailserver:latest
container_name: mailserver
hostname: mail.secretbee.buzz
env_file: mailserver.env
ports:
- "25:25"
- "143:143"
- "465:465"
- "587:587"
opendkim:
image: git.secretbee.buzz/bee/opendkim:latest
container_name: opendkim
- "993:993"
volumes:
- /opt/beeserver/mail/mail-data/:/var/mail/
- /opt/beeserver/mail/mail-state/:/var/mail-state/
- /opt/beeserver/mail/mail-logs/:/var/log/mail/
- /opt/beeserver/mail/config/:/tmp/docker-mailserver/
- /etc/localtime:/etc/localtime:ro
- /etc/letsencrypt:/etc/letsencrypt
restart: always
networks:
- mail
volumes:
- /opt/mail/opendkim.conf:/etc/opendkim.conf:ro
- /opt/mail/mail.private:/etc/opendkim/keys/mail.private:ro
volumes:
mail-data:
stop_grace_period: 1m
cap_add:
- NET_ADMIN
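Review bot: The `/etc/letsencrypt:/etc/letsencrypt` bind mount on the new mailserver service is read-write, while the other host file it consumes (`/etc/localtime`) and the certificate mounts in the removed postfix service were all `:ro`; the container only needs to read the certificate and key, so `- /etc/letsencrypt:/etc/letsencrypt:ro` keeps a compromised container from altering the host's ACME state. The image is pulled as `:latest` under `restart: always`, so a plain restart can silently move to a new major release whose env file layout may differ; pinning a version tag, `image: ghcr.io/docker-mailserver/docker-mailserver:<pinned-version>`, makes upgrades a reviewed change. `cap_add: NET_ADMIN` is presumably there for Fail2Ban's nftables bans; a comment naming that dependency, `# required by ENABLE_FAIL2BAN=1 in mailserver.env`, tells the next reader when it can be dropped.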
+14 -127
@@ -2,97 +2,14 @@
hosts: pi
become: true
vars:
dkim_key: !vault |
relay_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
36363638363937326662323932306438333134613966313739393938383337656262373736653065
3736633466613763373161666236336630306565323433630a643937313131616565313434356461
32643261666565383935396230306664366332313338613438323332343139303338373039303932
3539373239336637300a656264633864666261613962316563373663373735393864306334626664
33363734366265663234373131613864386236323632363534363166343134373065313938313033
66383935306133306233623738353561656261313330346333653865336463386163393637333733
37306237633638383830613262646237643531343362336637366663363864353865323565326137
35316134373436323461356630623661306564636135313533383533366265613934303834356431
61343464613830626339393238636439333265383439336136666231363933356566366466386135
64376162616562646235613332613931623861373036366530313966306235626338326238623233
34616536346533656436623232643236623838336232343132643561653030643538643137643861
65393964336531383638613436323831346131393865373830346637616330646133316430343536
65336233306537633761643261316230326237393037636236366638616139343936396533646136
34363763333263346439633366626166393631323838306565356464326431393130633432353866
64343639366232303930373564323038366639646365326537326634366336323835333364663264
38373237656264366437333564363164356663613539623466383931623834626236656131316362
39623431356536343563356561653465653638333539643132303463383332373831346535626438
62333230383134346264616432343461313332386230353433643534326161306462623130656534
63386661363436653830626334616431353464663236356435643435643732396364616539363663
31363730333036313163353939343066343130396166376638366561373134393965353838356666
64623961393761363835353865613762393766356532306131323437646261616362653630643133
34323263653763343562323063343234643064613537626334306261396537663030366330613766
64383533613736326562313362383066633437666438316535623131643431333636343030363363
66616433626536353135323937343862643930303963383066643032373931376636643831636139
61313530376566343635396430396230343836643632636335376362623962643638396434356264
38303233313461666135323632333637343363353534636334646532333763343433353931343936
37353530393561356636643865353866303637623433373737383535383565346532343738373862
38656366646433653636356432353963333531333538633364316261666334646639353165656130
62383637626537303433613836636431393637333234616632663739376464336134636261633164
34383939363136666263376634633733663366366432376134343333623639393131623234636537
63653838393530656131623536386166323963396434323736396234626239666333393765616633
38633535333836623861663161663565316631623862363561313237643735393933343238383262
36303531306566393961643836636438666539623835636234306536646335616231643134373032
31373364643738343131353066346464396565303630363230306435663136386138636266633436
61646630323066323833366262633735626438303436306161653033656232363761663762623932
63613733376434333164643036633961336534366238663566323538336665323131653735323265
36616361343732346531303030343565333638616261323137366361626465373231376162663830
61383664373238623536396336333264643235633162616665393463663561636461326565336334
30636430613232646265386133336437303339393338383332636262363165656432663764303263
66376436643865373632313162383433336536333862376665616535396437303762386265373631
39613865656235613465373864313462633838353039316161346166396632306638386533383865
30386365326161333066616432626236323263313163363238306161393265386332323733303763
62376430336630643161383130636230323538363464303838653733633837316663633565623863
62623364636262393065333636646433366365623662323238383336663764633864353863376337
35393737633639633035636534363865356631623035653839393338353366626561636430303066
39333563626561373365313232383633393364653463313866343235383734343234353637363432
38336237616530373134333334666132333636353235313565623265303435363537343731303339
64366464663061333661643337653262333663623764396138386533623239363739343232613436
63396666663931666138616566326462646362306530643334343230316334383837353065656232
33656431316164623164363130323735386136666238326361333431383732323933353238383266
66313430323362393931393132306234393031306534616565366261626336363430343664656530
32303661313662616232303964323337663736633238356462313131343430653638386137306531
66643562623534613739363138336265393232646162376665653165333533333965656263623439
65363665663030356530633863393864363831313637336133333163636564363965313265363263
36626134646238373530303132383734363166323937653030383639643637626332343863633961
36313065346537666232623232383333386561353139373133633033326235653738636439363139
30663365653935366266613933623838653133623435393633636537316163373461633863646133
30623463613231366438633431396330396363646664653534383531346163343037363764373436
62326166336639663434386261333261616334366465383132333231623034613364623661373865
65636435666235336339373335623934633861393764366535373365306336666131663330353031
32313762663363303739346365346263393733363864636637333666343561363332336132326264
32353166626266633564646362663862353433393535643938383131373737393366383038396430
36363738326630376432666637373562666366646536393363633365306637643564316234643430
61316234333165303532333963626635353538363832303833343532333934393264653864366339
63656431626132303761396361326464613563353632633633393261666366393536306133353765
37663337633363366139343237663565663232623266313530633630316238633566373336373065
35343133363234393137303631353932313561373466333438636263326566623336633235643965
32636536373231623565363939393764393964343265356235613134336263383131633330333838
63316361636234313836353264346334386639623861643239646163663462306630633064366261
39663639336439386439663039653462656338623237393033306539353435623039383333623163
39366563643731663835303763386365373232393435366664343264323035333631326331626437
36643130333138616631366465396635323666393339386438303161623364393433386431353665
32396239396333623061623563643933356130613166653933363636303937336665613763613265
39633635326339616539346664653065386531646661343438636565363939613633323266326462
65353339333233633931363830663835616661626663323961316562343739383063646164333939
34383163326664303130333434646633346563373630653532393264336132313264343134326132
30323934346531393931353365303430393461333065386636346139643731383866373636353234
30623665386331333639623639353766313633383539613864306336316562393533356237333331
32623838666535353462393762616236336663376537316163356461366238326637303164336666
31356234633832396436643663343961663763366266396464636661323064366338383634393731
30666135316430643038663936623832306435653161373435616138376162356232633636356238
64353433656366366266633932653264376232313633383163663066663132373733356662353932
62333239336163303632356231363164343039613431363664626662316265396338336162373239
31366539376566323032616335616263623162623934323034383364663436323366636139313838
64663839623266373338306439616337653237616365663463323739366431663839303839636663
61346534386435646632396566396535636136393337343039333364643433303165383761666437
36396232313965353334643664663464343537346430373334393461303965663230313836323966
65303930373664316234346364336430383838643164616338653034393836396166633866366131
65336237346635626362663439376339303439303263653238346563333738386266
62623366656634653035626534353134343961313434373635393163623134393132336465383838
3635646434353935396136346135373238623433666563340a626463653537326331303233363734
65633237386135313266366533386465396662663561396265343731666337363062663263323537
3165616638653634310a666238656466306433346235396537386539366436333032373866333731
64323037613336613538613866343738613236323739333339313133386263323037313837636131
6533666231663438336566386130366536623565383837623164
tasks:
- name: Install podman
@@ -117,59 +34,29 @@
state: directory
mode: '0755'
loop:
- /opt/mail
- /opt/beeserver/mail
- name: Compose down
changed_when: true
failed_when: false
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/mail
chdir: /opt/beeserver/mail
- name: Copy compose
ansible.builtin.template:
src: docker-compose.yml.j2
dest: /opt/mail/docker-compose.yml
dest: /opt/beeserver/mail/docker-compose.yml
mode: '0644'
- name: Copy Dovecot config
- name: Copy mailserver.env
ansible.builtin.template:
src: 99-local.conf.j2
dest: /opt/mail/99-local.conf
mode: '0644'
- name: Copy main.cf
ansible.builtin.template:
src: main.cf.j2
dest: /opt/mail/main.cf
mode: '0644'
- name: Copy master.cf
ansible.builtin.template:
src: master.cf.j2
dest: /opt/mail/master.cf
mode: '0644'
- name: Copy Users
ansible.builtin.template:
src: users.j2
dest: /opt/mail/users
mode: '0644'
- name: Copy mail.private
ansible.builtin.copy:
src: mail.private
dest: /opt/mail/mail.private
mode: '0600'
- name: Copy opendkim.conf
ansible.builtin.template:
src: opendkim.conf.j2
dest: /opt/mail/opendkim.conf
src: mailserver.env.j2
dest: /opt/beeserver/mail/mailserver.env
mode: '0644'
- name: Compose up
changed_when: true
ansible.builtin.command:
cmd: podman-compose up -d
chdir: /opt/mail
chdir: /opt/beeserver/mail
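Review bot: The new `Copy mailserver.env` task renders the env file with `mode: '0644'`, world-readable on the host, although the playbook's `vars` now carry a vaulted `relay_password` that is presumably substituted into `mailserver.env.j2` (the template is outside this hunk, so confirm); a rendered file holding credentials should get `mode: '0600'`, the permission the removed `Copy mail.private` task used. With the `Copy mail.private` and `Copy Users` tasks gone, Ansible no longer provisions a DKIM key or account data, so those now have to exist in the `/opt/beeserver/mail/config/` bind mount out of band; a comment near the directory loop such as `# DKIM keys and accounts live in /opt/beeserver/mail/config, managed outside this playbook` would record that expectation. The `tasks:` list continues outside the hunk, so tasks before and after it were not checked.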
+660
@@ -0,0 +1,660 @@
# -----------------------------------------------
# --- Mailserver Environment Variables ----------
# -----------------------------------------------
# DOCUMENTATION FOR THESE VARIABLES IS FOUND UNDER
# https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/
# -----------------------------------------------
# --- General Section ---------------------------
# -----------------------------------------------
# **empty** => Internally uses the `hostname --fqdn` command to get the canonical hostname assigned to the DMS container.
# => Specify an FQDN (fully-qualified domain name) to serve mail for. The hostname is required for DMS to function correctly
#
# **WARNING**: Setting OVERRIDE_HOSTNAME can have difficult to predict side effects:
# https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/#override_hostname
OVERRIDE_HOSTNAME=
# Set the log level for DMS.
# This is mostly relevant for container startup scripts and change detection event feedback.
#
# Valid values (in order of increasing verbosity) are: `error`, `warn`, `info`, `debug` and `trace`.
# The default log level is `info`.
LOG_LEVEL=info
# critical => Only show critical messages
# error => Only show erroneous output
# **warn** => Show warnings
# info => Normal informational output
# debug => Also show debug messages
SUPERVISOR_LOGLEVEL=
# Support for deployment where these defaults are not compatible (eg: some NAS appliances):
# /var/mail vmail User ID (default: 5000)
DMS_VMAIL_UID=
# /var/mail vmail Group ID (default: 5000)
DMS_VMAIL_GID=
# **empty** => use FILE
# LDAP => use LDAP authentication
# OIDC => use OIDC authentication (not yet implemented)
# FILE => use local files (this is used as the default)
ACCOUNT_PROVISIONER=
# empty => postmaster@domain.com
# => Specify the postmaster address
POSTMASTER_ADDRESS=
# Check for updates on container start and then once a day
# If an update is available, a mail is sent to POSTMASTER_ADDRESS
# 0 => Update check disabled
# 1 => Update check enabled
ENABLE_UPDATE_CHECK=1
# Customize the update check interval.
# Number + Suffix. Suffix must be 's' for seconds, 'm' for minutes, 'h' for hours or 'd' for days.
UPDATE_CHECK_INTERVAL=1d
# Set different options for mynetworks option (can be overwrite in postfix-main.cf)
# **WARNING**: Adding the docker network's gateway to the list of trusted hosts, e.g. using the `network` or
# `connected-networks` option, can create an open relay
# https://github.com/docker-mailserver/docker-mailserver/issues/1405#issuecomment-590106498
# The same can happen for rootless podman. To prevent this, set the value to "none" or configure slirp4netns
# https://github.com/docker-mailserver/docker-mailserver/issues/2377
#
# none => Explicitly force authentication
# container => Container IP address only
# host => Add docker container network (ipv4 only)
# network => Add all docker container networks (ipv4 only)
# connected-networks => Add all connected docker networks (ipv4 only)
PERMIT_DOCKER=none
# Set the timezone. If this variable is unset, the container runtime will try to detect the time using
# `/etc/localtime`, which you can alternatively mount into the container. The value of this variable
# must follow the pattern `AREA/ZONE`, i.e. of you want to use Germany's time zone, use `Europe/Berlin`.
# You can lookup all available timezones here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
TZ=
# In case you network interface differs from 'eth0', e.g. when you are using HostNetworking in Kubernetes,
# you can set NETWORK_INTERFACE to whatever interface you want. This interface will then be used.
# - **empty** => eth0
NETWORK_INTERFACE=
# empty => modern
# modern => Limits the cipher suite to secure ciphers only.
# intermediate => Relaxes security by adding additional ciphers for broader compatibility.
# NOTE: The minimum TLS version supported is 1.2, if you need to lower that follow this workaround advice:
# https://github.com/docker-mailserver/docker-mailserver/pull/2945#issuecomment-1949907964
TLS_LEVEL=
# Configures the handling of creating mails with forged sender addresses.
#
# **0** => (not recommended) Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address (see also https://en.wikipedia.org/wiki/Email_spoofing).
# 1 => Mail spoofing denied. Each user may only send with their own or their alias addresses. Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
SPOOF_PROTECTION=
# Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/main/README.rst) for further explanation.
# - **0** => Disabled
# - 1 => Enabled
ENABLE_SRS=0
# Enables the OpenDKIM service.
# **1** => Enabled
# 0 => Disabled
ENABLE_OPENDKIM=1
# Enables the OpenDMARC service.
# **1** => Enabled
# 0 => Disabled
ENABLE_OPENDMARC=1
# Enabled `policyd-spf` in Postfix's configuration. You will likely want to set this
# to `0` in case you're using Rspamd (`ENABLE_RSPAMD=1`).
#
# - 0 => Disabled
# - **1** => Enabled
ENABLE_POLICYD_SPF=1
# Enables POP3 service
# - **0** => Disabled
# - 1 => Enabled
ENABLE_POP3=
# Enables IMAP service
# - 0 => Disabled
# - **1** => Enabled
ENABLE_IMAP=1
# Enables ClamAV, and anti-virus scanner.
# 1 => Enabled
# **0** => Disabled
ENABLE_CLAMAV=0
# Add the value of this ENV as a prefix to the mail subject when spam is detected.
# NOTE: This subject prefix may be redundant (by default spam is delivered to a junk folder).
# It provides value when your junk mail is stored alongside legitimate mail instead of a separate location (like with `SPAMASSASSIN_SPAM_TO_INBOX=1` or `MOVE_SPAM_TO_JUNK=0` or a POP3 only setup, without IMAP).
# NOTE: When not using Docker Compose, other CRI may not support quote-wrapping the value here to preserve any trailing white-space.
SPAM_SUBJECT=
# Enables Rspamd
# **0** => Disabled
# 1 => Enabled
ENABLE_RSPAMD=0
# When `ENABLE_RSPAMD=1`, an internal Redis instance is enabled implicitly.
# This setting provides an opt-out to allow using an external instance instead.
# 0 => Disabled
# 1 => Enabled
ENABLE_RSPAMD_REDIS=
# When enabled,
#
# 1. the "[autolearning][rspamd-autolearn]" feature is turned on;
# 2. the Bayes classifier will be trained when moving mails from or to the Junk folder (with the help of Sieve scripts).
#
# **0** => disabled
# 1 => enabled
RSPAMD_LEARN=0
# This settings controls whether checks should be performed on emails coming
# from authenticated users (i.e. most likely outgoing emails). The default value
# is `0` in order to align better with SpamAssassin. We recommend reading
# through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
# decide for yourself whether you need and want this feature.
#
# Note that DKIM signing of e-mails will still happen.
RSPAMD_CHECK_AUTHENTICATED=0
# Controls whether the Rspamd Greylisting module is enabled.
# This module can further assist in avoiding spam emails by greylisting
# e-mails with a certain spam score.
#
# **0** => disabled
# 1 => enabled
RSPAMD_GREYLISTING=0
# Can be used to enable or disable the Hfilter group module.
#
# - 0 => Disabled
# - **1** => Enabled
RSPAMD_HFILTER=1
# Can be used to control the score when the HFILTER_HOSTNAME_UNKNOWN symbol applies. A higher score is more punishing. Setting it to 15 is equivalent to rejecting the email when the check fails.
#
# Default: 6
RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE=6
# Can be used to enable or disable the (still experimental) neural module.
#
# - **0** => Disabled
# - 1 => Enabled
RSPAMD_NEURAL=0
# Amavis content filter (used for ClamAV & SpamAssassin)
# 0 => Disabled
# 1 => Enabled
ENABLE_AMAVIS=1
# -1/-2/-3 => Only show errors
# **0** => Show warnings
# 1/2 => Show default informational output
# 3/4/5 => log debug information (very verbose)
AMAVIS_LOGLEVEL=0
# This enables DNS block lists in Postscreen.
# Note: Emails will be rejected, if they don't pass the block list checks!
# **0** => DNS block lists are disabled
# 1 => DNS block lists are enabled
ENABLE_DNSBL=0
# If you enable Fail2Ban, don't forget to add the following lines to your `compose.yaml`:
# cap_add:
# - NET_ADMIN
# Otherwise, `nftables` won't be able to ban IPs.
ENABLE_FAIL2BAN=1
# Fail2Ban blocktype
# drop => drop packet (send NO reply)
# reject => reject packet (send ICMP unreachable)
FAIL2BAN_BLOCKTYPE=drop
# 1 => Enables Managesieve on port 4190
# empty => disables Managesieve
ENABLE_MANAGESIEVE=
# **enforce** => Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
# drop => Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
# ignore => Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
POSTSCREEN_ACTION=enforce
# empty => all daemons start
# 1 => only launch postfix smtp
SMTP_ONLY=
# Please read [the SSL page in the documentation](https://docker-mailserver.github.io/docker-mailserver/latest/config/security/ssl) for more information.
#
# empty => SSL disabled
# letsencrypt => Enables Let's Encrypt certificates
# custom => Enables custom certificates
# manual => Let's you manually specify locations of your SSL certificates for non-standard cases
# self-signed => Enables self-signed certificates
SSL_TYPE=letsencrypt
# These are only supported with `SSL_TYPE=manual`.
# Provide the path to your cert and key files that you've mounted access to within the container.
SSL_CERT_PATH=
SSL_KEY_PATH=
# Optional: A 2nd certificate can be supported as fallback (dual cert support), eg ECDSA with an RSA fallback.
# Useful for additional compatibility with older MTA and MUA (eg pre-2015).
SSL_ALT_CERT_PATH=
SSL_ALT_KEY_PATH=
# Set how many days a virusmail will stay on the server before being deleted
# empty => 7 days
VIRUSMAILS_DELETE_DELAY=
# Configure Postfix `virtual_transport` to deliver mail to a different LMTP client (default is a dovecot socket).
# Provide any valid URI. Examples:
#
# empty => `lmtp:unix:/var/run/dovecot/lmtp` (default, configured in Postfix main.cf)
# `lmtp:unix:private/dovecot-lmtp` (use socket)
# `lmtps:inet:<host>:<port>` (secure lmtp with starttls)
# `lmtp:<kopano-host>:2003` (use kopano as mailstore)
POSTFIX_DAGENT=
# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default). Size is in bytes.
#
# empty => 0
POSTFIX_MAILBOX_SIZE_LIMIT=
# See https://docker-mailserver.github.io/docker-mailserver/latest/config/account-management/overview/#quotas
# 0 => Dovecot quota is disabled
# 1 => Dovecot quota is enabled
ENABLE_QUOTAS=1
# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!). Size is in bytes.
#
# empty => 10240000 (~10 MB)
POSTFIX_MESSAGE_SIZE_LIMIT=
# Mails larger than this limit won't be scanned.
# ClamAV must be enabled (ENABLE_CLAMAV=1) for this.
#
# empty => 25M (25 MB)
CLAMAV_MESSAGE_SIZE_LIMIT=
# Enables regular pflogsumm mail reports.
# This is a new option. The old REPORT options are still supported for backwards compatibility. If this is not set and reports are enabled with the old options, logrotate will be used.
#
# not set => No report
# daily_cron => Daily report for the previous day
# logrotate => Full report based on the mail log when it is rotated
PFLOGSUMM_TRIGGER=
# Recipient address for pflogsumm reports.
#
# not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
# => Specify the recipient address(es)
PFLOGSUMM_RECIPIENT=
# Sender address (`FROM`) for pflogsumm reports if pflogsumm reports are enabled.
#
# not set => Use REPORT_SENDER
# => Specify the sender address
PFLOGSUMM_SENDER=
# Interval for logwatch report.
#
# none => No report is generated
# daily => Send a daily report
# weekly => Send a report every week
LOGWATCH_INTERVAL=
# Recipient address for logwatch reports if they are enabled.
#
# not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
# => Specify the recipient address(es)
LOGWATCH_RECIPIENT=
# Sender address (`FROM`) for logwatch reports if logwatch reports are enabled.
#
# not set => Use REPORT_SENDER
# => Specify the sender address
LOGWATCH_SENDER=
# Defines who receives reports if they are enabled.
# **empty** => ${POSTMASTER_ADDRESS}
# => Specify the recipient address
REPORT_RECIPIENT=
# Defines who sends reports if they are enabled.
# **empty** => mailserver-report@${DOMAINNAME}
# => Specify the sender address
REPORT_SENDER=
# Changes the interval in which log files are rotated
# **weekly** => Rotate log files weekly
# daily => Rotate log files daily
# monthly => Rotate log files monthly
#
# Note: This Variable actually controls logrotate inside the container
# and rotates the log files depending on this setting. The main log output is
# still available in its entirety via `docker logs mail` (Or your
# respective container name). If you want to control logrotation for
# the Docker-generated logfile see:
# https://docs.docker.com/config/containers/logging/configure/
#
# Note: This variable can also determine the interval for Postfix's log summary reports, see [`PFLOGSUMM_TRIGGER`](#pflogsumm_trigger).
LOGROTATE_INTERVAL=weekly
# Defines how many log files are kept by logrorate
LOGROTATE_COUNT=4
# If enabled, employs `reject_unknown_client_hostname` to sender restrictions in Postfix's configuration.
#
# - **0** => Disabled
# - 1 => Enabled
POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
# Choose TCP/IP protocols for postfix to use
# **all** => All possible protocols.
# ipv4 => Use only IPv4 traffic. Most likely you want this behind Docker.
# ipv6 => Use only IPv6 traffic.
#
# Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
POSTFIX_INET_PROTOCOLS=all
# Enables MTA-STS support for outbound mail.
# More details: https://docker-mailserver.github.io/docker-mailserver/v13.3/config/best-practices/mta-sts/
# - **0** ==> MTA-STS disabled
# - 1 => MTA-STS enabled
ENABLE_MTA_STS=0
# Choose TCP/IP protocols for dovecot to use
# **all** => Listen on all interfaces
# ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
# ipv6 => Listen only on IPv6 interfaces.
#
# Note: More information at https://dovecot.org/doc/dovecot-example.conf
DOVECOT_INET_PROTOCOLS=all
# -----------------------------------------------
# --- SpamAssassin Section ----------------------
# -----------------------------------------------
ENABLE_SPAMASSASSIN=0
# KAM is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation.
# If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
# - **0** => KAM disabled
# - 1 => KAM enabled
#
# Note: only has an effect if `ENABLE_SPAMASSASSIN=1`
ENABLE_SPAMASSASSIN_KAM=0
# deliver spam messages to the inbox (tagged using SPAM_SUBJECT)
SPAMASSASSIN_SPAM_TO_INBOX=1
# spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required)
MOVE_SPAM_TO_JUNK=1
# spam messages will be marked as read
MARK_SPAM_AS_READ=0
# add 'spam info' headers at, or above this level
SA_TAG=2.0
# add 'spam detected' headers at, or above this level
SA_TAG2=6.31
# triggers spam evasive actions
SA_KILL=10.0
# -----------------------------------------------
# --- Fetchmail Section -------------------------
# -----------------------------------------------
ENABLE_FETCHMAIL=0
# The interval to fetch mail in seconds
FETCHMAIL_POLL=300
# Use multiple fetchmail instances (1 per poll entry in fetchmail.cf)
# Supports multiple IMAP IDLE connections when a server is used across multiple poll entries
# https://otremba.net/wiki/Fetchmail_(Debian)#Immediate_Download_via_IMAP_IDLE
FETCHMAIL_PARALLEL=0
# Enable or disable `getmail`.
#
# - **0** => Disabled
# - 1 => Enabled
ENABLE_GETMAIL=0
# The number of minutes for the interval. Min: 1; Default: 5.
GETMAIL_POLL=5
# -----------------------------------------------
# --- OAUTH2 Section ----------------------------
# -----------------------------------------------
# empty => OAUTH2 authentication is disabled
# 1 => OAUTH2 authentication is enabled
ENABLE_OAUTH2=
# Specify the user info endpoint URL of the oauth2 provider
# Example: https://oauth2.example.com/userinfo/
OAUTH2_INTROSPECTION_URL=
# -----------------------------------------------
# --- LDAP Section ------------------------------
# -----------------------------------------------
# A second container for the ldap service is necessary (i.e. https://hub.docker.com/r/bitnami/openldap/)
# empty => no
# yes => LDAP over TLS enabled for Postfix
LDAP_START_TLS=
# empty => mail.example.com
# Specify the `<dns-name>` / `<ip-address>` where the LDAP server is reachable via a URI like: `ldaps://mail.example.com`.
# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
LDAP_SERVER_HOST=
# empty => ou=people,dc=domain,dc=com
# => e.g. LDAP_SEARCH_BASE=dc=mydomain,dc=local
LDAP_SEARCH_BASE=
# empty => cn=admin,dc=domain,dc=com
# => take a look at examples of SASL_LDAP_BIND_DN
LDAP_BIND_DN=
# empty** => admin
# => Specify the password to bind against ldap
LDAP_BIND_PW=
# e.g. `"(&(mail=%s)(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for users
LDAP_QUERY_FILTER_USER=
# e.g. `"(&(mailGroupMember=%s)(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for groups
LDAP_QUERY_FILTER_GROUP=
# e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for aliases
LDAP_QUERY_FILTER_ALIAS=
# e.g. `"(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for domains
LDAP_QUERY_FILTER_DOMAIN=
# -----------------------------------------------
# --- Dovecot Section ---------------------------
# -----------------------------------------------
# empty => no
# yes => LDAP over TLS enabled for Dovecot
DOVECOT_TLS=
# e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
DOVECOT_USER_FILTER=
# e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
DOVECOT_PASS_FILTER=
# Define the mailbox format to be used
# default is maildir, supported values are: sdbox, mdbox, maildir
DOVECOT_MAILBOX_FORMAT=maildir
# empty => no
# yes => Allow bind authentication for LDAP
# https://doc.dovecot.org/2.4.0/core/config/auth/databases/ldap.html#authentication-bind
DOVECOT_AUTH_BIND=
# -----------------------------------------------
# --- Postgrey Section --------------------------
# -----------------------------------------------
ENABLE_POSTGREY=0
# greylist for N seconds
POSTGREY_DELAY=300
# delete entries older than N days since the last time that they have been seen
POSTGREY_MAX_AGE=35
# response when a mail is greylisted
POSTGREY_TEXT="Delayed by Postgrey"
# whitelist host after N successful deliveries (N=0 to disable whitelisting)
POSTGREY_AUTO_WHITELIST_CLIENTS=5
# -----------------------------------------------
# --- SASL Section ------------------------------
# -----------------------------------------------
ENABLE_SASLAUTHD=0
# empty => ldap
# `ldap` => authenticate against ldap server
# `rimap` => authenticate against imap server
SASLAUTHD_MECHANISMS=
# empty => None
# e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
SASLAUTHD_MECH_OPTIONS=
# empty => Use value of LDAP_SERVER_HOST
# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
SASLAUTHD_LDAP_SERVER=
# empty => Use value of LDAP_BIND_DN
# specify an object with privileges to search the directory tree
# e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
# e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
SASLAUTHD_LDAP_BIND_DN=
# empty => Use value of LDAP_BIND_PW
SASLAUTHD_LDAP_PASSWORD=
# empty => Use value of LDAP_SEARCH_BASE
# specify the search base
SASLAUTHD_LDAP_SEARCH_BASE=
# empty => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
# e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
# e.g. for openldap: `(&(uid=%U)(objectClass=person))`
SASLAUTHD_LDAP_FILTER=
# empty => no
# yes => LDAP over TLS enabled for SASL
# If set to yes, the protocol in SASLAUTHD_LDAP_SERVER must be ldap:// or missing.
SASLAUTHD_LDAP_START_TLS=
# empty => no
# yes => Require and verify server certificate
# If yes you must/could specify SASLAUTHD_LDAP_TLS_CACERT_FILE or SASLAUTHD_LDAP_TLS_CACERT_DIR.
SASLAUTHD_LDAP_TLS_CHECK_PEER=
# File containing CA (Certificate Authority) certificate(s).
# empty => Nothing is added to the configuration
# Any value => Fills the `ldap_tls_cacert_file` option
SASLAUTHD_LDAP_TLS_CACERT_FILE=
# Path to directory with CA (Certificate Authority) certificates.
# empty => Nothing is added to the configuration
# Any value => Fills the `ldap_tls_cacert_dir` option
SASLAUTHD_LDAP_TLS_CACERT_DIR=
# Specify what password attribute to use for password verification.
# empty => Nothing is added to the configuration but the documentation says it is `userPassword` by default.
# Any value => Fills the `ldap_password_attr` option
SASLAUTHD_LDAP_PASSWORD_ATTR=
# empty => `bind` will be used as a default value
# `fastbind` => The fastbind method is used
# `custom` => The custom method uses userPassword attribute to verify the password
SASLAUTHD_LDAP_AUTH_METHOD=
# Specify the authentication mechanism for SASL bind
# empty => Nothing is added to the configuration
# Any value => Fills the `ldap_mech` option
SASLAUTHD_LDAP_MECH=
# -----------------------------------------------
# --- SRS Section -------------------------------
# -----------------------------------------------
# envelope_sender => Rewrite only envelope sender address (default)
# header_sender => Rewrite only header sender (not recommended)
# envelope_sender,header_sender => Rewrite both senders
# An email has an "envelope" sender (indicating the sending server) and a
# "header" sender (indicating who sent it). More strict SPF policies may require
# you to replace both instead of just the envelope sender.
SRS_SENDER_CLASSES=envelope_sender
# empty => Envelope sender will be rewritten for all domains
# provide comma separated list of domains to exclude from rewriting
SRS_EXCLUDE_DOMAINS=
# empty => generated when the image is built
# provide a secret to use in base64
# you may specify multiple keys, comma separated. the first one is used for
# signing and the remaining will be used for verification. this is how you
# rotate and expire keys
SRS_SECRET=
# -----------------------------------------------
# --- Default Relay Host Section ----------------
# -----------------------------------------------
# Setup relaying all mail through a default relay host
#
# Set a default host to relay all mail through (optionally include a port)
# Example: [mail.example.com]:587
DEFAULT_RELAY_HOST=[email-smtp.eu-north-1.amazonaws.com]:587
# -----------------------------------------------
# --- Multi-Domain Relay Section ----------------
# -----------------------------------------------
# Setup relaying for multiple domains based on the domain name of the sender
# optionally uses usernames and passwords in postfix-sasl-password.cf and relay host mappings in postfix-relaymap.cf
#
# Set a default host to relay mail through
# Example: mail.example.com
RELAY_HOST=email-smtp.eu-north-1.amazonaws.com
# empty => 25
# default port to relay mail
RELAY_PORT=587
# -----------------------------------------------
# --- Relay Host Credentials Section ------------
# -----------------------------------------------
# Configure a relay user and password to use with RELAY_HOST / DEFAULT_RELAY_HOST
# empty => no default
RELAY_USER=AKIAWBJK5JQUGAW3SR4N
# empty => no default
RELAY_PASSWORD={{ relay_password }}
-60
@@ -1,60 +0,0 @@
# Postfix main configuration
# https://www.postfix.org/postconf.5.html
# --- Identity ---
myhostname = mail.secretbee.buzz
mydomain = secretbee.buzz
myorigin = $mydomain
# --- Network ---
inet_interfaces = all
inet_protocols = ipv4
# --- Local delivery ---
mydestination = $myhostname, localhost.$mydomain, localhost
# --- Relay ---
mynetworks = 127.0.0.0/8
relayhost =
# --- Virtual mailboxes ---
virtual_mailbox_domains = $mydomain
virtual_transport = lmtp:inet:dovecot:2424
# --- TLS ---
smtp_tls_security_level = enforce
smtp_tls_loglevel = 1
smtpd_tls_chain_files =
/etc/postfix/fullchain.pem
/etc/postfix/privkey.pem
smtpd_tls_loglevel = 1
# --- SASL (auth delegated to Dovecot) ---
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:dovecot:12345
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
# --- Limits ---
message_size_limit = 52428800
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_banner = $myhostname ESMTP
smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain
milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:opendkim:8891
non_smtpd_milters = inet:opendkim:8891
-41
@@ -1,41 +0,0 @@
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
# Port 25: inbound MX delivery — TLS optional, no auth required
smtp inet n - n - - smtpd
# Port 587: authenticated submission — TLS + SASL required
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
-6
@@ -1,6 +0,0 @@
Syslog yes
Domain secretbee.buzz
Selector mail
KeyFile /etc/opendkim/keys/mail.private
Socket inet:8891@0.0.0.0
OversignHeaders From
-1
@@ -1 +0,0 @@
bee@secretbee.buzz:{SHA512-CRYPT}$6$GRG/tBZAy62JjDXM$8DyA2Ii0aS2VPJlDs8ML.UjblfI1PYbG5VRmbSjeJB3nii8h9a3F5S7NDxieqBUOeVsa4LIfyp/6tC/dnDnpW.::::::
+7 -7
@@ -7,19 +7,19 @@ services:
- 127.0.0.1:8008:8008
volumes:
- db:/var/lib/continuwuity
- /opt/matrix/resolv.conf:/etc/resolv.conf
- /opt/beeserver/matrix/resolv.conf:/etc/resolv.conf
#- ./continuwuity.toml:/etc/continuwuity.toml
environment:
CONTINUWUITY_SERVER_NAME: matrix.secretbee.buzz
CONTINUWUITY_SERVER_NAME: secretbee.buzz
CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
CONTINUWUITY_ADDRESS: 0.0.0.0
CONTINUWUITY_PORT: 8008
#CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
CONTINUWUITY_WELL_KNOWN: |
{
client=https://secretbee.buzz,
server=secretbee.buzz:443
}
#CONTINUWUITY_WELL_KNOWN: |
# {
# client=https://secretbee.buzz,
# server=secretbee.buzz:443
# }
volumes:
db:
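Review bot: Changing `CONTINUWUITY_SERVER_NAME` from `matrix.secretbee.buzz` to `secretbee.buzz` is a homeserver identity change, and if the `db` volume already holds a database created under the old name I would expect the server to refuse to start or to mint user IDs that no longer match existing ones; the hunk does not show whether this deployment is fresh, so confirm before rolling it out. The commented-out `CONTINUWUITY_WELL_KNOWN` block is now dead configuration since the `.well-known/matrix/*` responses are served by nginx; either drop it or put a one-line comment above it such as `# well-known is served by nginx (secretbee.buzz site config)` so the next reader knows where delegation lives.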
+5 -5
@@ -19,29 +19,29 @@
state: directory
mode: '0755'
loop:
- /opt/matrix
- /opt/beeserver/matrix
- name: Compose down
changed_when: true
failed_when: false
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/matrix
chdir: /opt/beeserver/matrix
- name: Copy resolv.conf
ansible.builtin.template:
src: resolv.conf.j2
dest: /opt/matrix/resolv.conf
dest: /opt/beeserver/matrix/resolv.conf
mode: '0644'
- name: Copy compose
ansible.builtin.template:
src: docker-compose.yml.j2
dest: /opt/matrix/docker-compose.yml
dest: /opt/beeserver/matrix/docker-compose.yml
mode: '0644'
- name: Compose up
changed_when: true
ansible.builtin.command:
cmd: podman-compose up -d
chdir: /opt/matrix
chdir: /opt/beeserver/matrix
+4 -4
@@ -11,7 +11,7 @@ services:
- '127.0.0.1:9090:9090'
volumes:
- prometheus-data:/prometheus
- /opt/monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
- /opt/beeserver/monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
networks:
- monitoring
@@ -40,7 +40,7 @@ services:
- '127.0.0.1:9096:9096'
volumes:
- loki-data:/loki
- /opt/monitoring/local-config.yml:/etc/loki/local-config.yaml
- /opt/beeserver/monitoring/local-config.yml:/etc/loki/local-config.yaml
command: -config.file=/etc/loki/local-config.yaml
restart: always
networks:
@@ -52,8 +52,8 @@ services:
ports:
- '127.0.0.1:12345:12345'
volumes:
- /opt/monitoring/config.alloy:/etc/alloy/config.alloy
- /opt/monitoring/database:/opt/database
- /opt/beeserver/monitoring/config.alloy:/etc/alloy/config.alloy
- /opt/beeserver/monitoring/database:/opt/database
- /var/log:/var/log:ro
- /run/log/journal:/run/log/journal:ro
- /var/log/journal:/var/log/journal:ro
+12 -12
@@ -42,38 +42,38 @@
- name: Create monitoring config directory
ansible.builtin.file:
path: /opt/monitoring
path: /opt/beeserver/monitoring
state: directory
mode: '0755'
- name: Copy compose
ansible.builtin.template:
src: docker-compose.yml.j2
dest: /opt/monitoring/docker-compose.yml
dest: /opt/beeserver/monitoring/docker-compose.yml
mode: '0644'
- name: Compose down
changed_when: true
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/monitoring
chdir: /opt/beeserver/monitoring
- name: Copy prometheus config
ansible.builtin.copy:
src: prometheus_config.yml
dest: /opt/monitoring/prometheus.yml
dest: /opt/beeserver/monitoring/prometheus.yml
mode: '0644'
- name: Copy loki config
ansible.builtin.template:
src: local-config.yml.j2
dest: /opt/monitoring/local-config.yml
dest: /opt/beeserver/monitoring/local-config.yml
mode: '0644'
- name: Copy alloy config
ansible.builtin.template:
src: config.alloy.j2
dest: /opt/monitoring/config.alloy
dest: /opt/beeserver/monitoring/config.alloy
mode: '0644'
- name: Enable podman.socket
@@ -84,20 +84,20 @@
- name: Delete database directory
ansible.builtin.file:
path: /opt/monitoring/database
path: /opt/beeserver/monitoring/database
state: absent
mode: '0755'
- name: Create database directory
ansible.builtin.file:
path: /opt/monitoring/database
path: /opt/beeserver/monitoring/database
state: directory
mode: '0755'
- name: Download geoip database
ansible.builtin.get_url:
url: "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"
dest: /opt/monitoring
dest: /opt/beeserver/monitoring
username: "{{ geoip_username }}"
password: "{{ geoip_license }}"
mode: '0644'
@@ -107,7 +107,7 @@
- name: Get geoip tar file
ansible.builtin.find:
paths: /opt/monitoring
paths: /opt/beeserver/monitoring
file_type: file
patterns: '^GeoLite.*.tar.gz$'
use_regex: true
@@ -118,11 +118,11 @@
ansible.builtin.unarchive:
remote_src: true
src: "{{ found.files[0].path }}"
dest: /opt/monitoring/database
dest: /opt/beeserver/monitoring/database
extra_opts: ['--strip-components=1', '--show-stored-names']
- name: Compose up
changed_when: true
ansible.builtin.command:
cmd: podman-compose up -d
chdir: /opt/monitoring
chdir: /opt/beeserver/monitoring
+8
@@ -20,6 +20,14 @@
group: root
mode: '0644'
- name: Copy upstreamc.onf
ansible.builtin.copy:
src: upstream.conf
dest: /etc/nginx/conf.d/upstream.conf
owner: root
group: root
mode: '0644'
- name: Restart nginx
ansible.builtin.service:
name: nginx
@@ -1,33 +1,33 @@
server {
listen 80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 8448 ssl http2;
listen [::]:8448 ssl http2;
server_name matrix.secretbee.buzz;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name matrix.secretbee.buzz;
limit_req zone=mylimit burst=20;
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
ssl_certificate /etc/letsencrypt/live/matrix.secretbee.buzz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.secretbee.buzz/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
client_max_body_size 512M;
proxy_pass http://localhost:8008;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
proxy_buffering off;
gzip on;
gzip_types application/json;
gzip_min_length 1000;
location /_matrix/ {
proxy_pass http://continuwuity_server;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
}
}
@@ -12,6 +12,7 @@ server {
server {
listen 443 ssl;
listen [::]:443 ssl http2;
server_name secretbee.buzz;
limit_req zone=mylimit burst=20;
@@ -25,6 +26,25 @@ server {
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location /.well-known/matrix/server {
default_type application/json;
add_header Access-Control-Allow-Origin "*";
return 200 '{"m.server": "matrix.secretbee.buzz:443"}';
}
location /.well-known/matrix/client {
default_type application/json;
add_header Access-Control-Allow-Origin "*";
return 200 '{"m.homeserver": {"base_url": "https://matrix.secretbee.buzz"}, "org.matrix.msc3575.proxy": {"url": "https://matrix.secretbee.buzz"}}';
}
# Matrix Support contact information (MSC1929)
location /.well-known/matrix/support {
default_type application/json;
add_header Access-Control-Allow-Origin "*";
return 200 '{"contacts": [{"matrix_id": "@admin:secretbee.buzz", "email_address": "admin@server.name", "role": "m.role.admin"}]}';
}
location / {
default_type "text/html";
try_files $uri $uri.html $uri/index.html index.html;
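Review bot: The new `/.well-known/matrix/support` location still publishes the placeholder `"email_address": "admin@server.name"`, which every client querying MSC1929 support info will receive verbatim; replace it with a real mailbox or drop the `email_address` field. Note also that nginx `add_header` is not additive across levels: the `add_header Access-Control-Allow-Origin "*"` inside each well-known location (required by the Matrix spec) suppresses any `add_header` such as Strict-Transport-Security inherited from the enclosing `server` block for those responses, so repeat the server-level headers in these locations if they are meant to apply. The added `listen [::]:443 ssl http2;` enables HTTP/2 only on the IPv6 socket while the existing `listen 443 ssl;` does not, which is inconsistent unless a server-level `http2 on;` outside the hunk covers both. This section also carries hunks from the nginx playbook and the matrix site config; in the playbook hunk the task name `Copy upstreamc.onf` should read `Copy upstream.conf`.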
+8
@@ -0,0 +1,8 @@
upstream continuwuity_server {
server 127.0.0.1:8008 max_fails=0;
keepalive 32;
keepalive_requests 1000;
keepalive_time 1h;
keepalive_timeout 600s;
}
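Review bot: The `keepalive 32` pool is only used when the proxying location speaks HTTP/1.1 with an empty `Connection` header toward the upstream; the `/_matrix/` location in the matrix site hunk above sets `proxy_http_version 1.1` but, because it defines its own `proxy_set_header` directives, it does not inherit the parent's `Connection` setting and nginx falls back to its default `Connection: close`, so upstream connections are not reused. Add `proxy_set_header Connection "";` in that location (keep the `$http_connection` form only where WebSocket upgrades are proxied). `max_fails=0` disables passive health marking for the single backend, which is defensible here but deserves a comment such as `# single backend: never mark it down, surface errors to the client` so it is not read as an oversight.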
+66
@@ -23,6 +23,20 @@
name: samba
route: true
- name: Allow Mail
community.general.ufw:
rule: allow
port: '{{ item }}'
proto: tcp
loop:
- "465"
- "25"
- "587"
- "110"
- "995"
- "143"
- "993"
- name: UFW - Allow HTTP connections
community.general.ufw:
rule: allow
@@ -44,6 +58,13 @@
proto: tcp
route: true
- name: UFW - Allow matrix federation
community.general.ufw:
rule: allow
port: "8448"
proto: tcp
route: true
- name: UFW - Allow podman forwarding
community.general.ufw:
rule: allow
@@ -51,6 +72,51 @@
interface_out: podman+
route: true
- name: UFW - Allow wireguard incoming
community.general.ufw:
rule: allow
interface_in: wg0
- name: UFW - Allow wireguard outgoing
community.general.ufw:
rule: allow
interface_out: wg0
- name: UFW - Allow wireguard forwarding
community.general.ufw:
rule: allow
interface_in: wg0
interface_out: wg0
route: true
- name: UFW - Allow wireguard to local network
community.general.ufw:
rule: allow
interface_in: wg0
interface_out: eth0
route: true
- name: UFW - Allow wireguard to podman
community.general.ufw:
rule: allow
interface_in: wg0
interface_out: podman+
route: true
- name: UFW - Allow podman to wireguard
community.general.ufw:
rule: allow
interface_in: podman+
interface_out: wg0
route: true
- name: UFW - Allow local network to wireguard
community.general.ufw:
rule: allow
interface_in: eth0
interface_out: wg0
route: true
- name: UFW - Allow podman forwarding 2
community.general.ufw:
rule: allow
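Review bot: The new `Allow Mail` task opens 110 and 143 alongside their TLS counterparts, so POP3 and IMAP become reachable on cleartext ports; unless the mail server enforces STARTTLS on them, or serves them at all given that the WireGuard server template only forwards 25, 587 and 993, drop them from the loop. The routed `wg0` → `eth0` and `eth0` → `wg0` allow rules let any tunnel peer reach the whole local network on any port; if only the mail ports are meant to cross the tunnel, add `port` and `proto` to those two tasks. Minor style: the task is named `Allow Mail` while every neighbour uses the `UFW - ...` prefix, and the ports list mixes `'{{ item }}'` single quotes with `"465"` double quotes.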
+9
@@ -0,0 +1,9 @@
[Interface]
PrivateKey = {{ wireguard_private_key }}
Address = 10.10.1.2/24
[Peer]
PublicKey = r0XaxIE3AVud9Z42UPZF3mwoh2R0B0M1EUDY9cvuyDA=
Endpoint = 192.3.44.243:41194
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25
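Review bot: The peer endpoint `192.3.44.243:41194` and the peer public key are hard-coded in the template while the private key comes from a variable; moving them to play vars, e.g. `Endpoint = {{ wireguard_server_endpoint }}`, keeps the template reusable and makes a server move a one-line change. Consider adding a `PresharedKey = {{ wireguard_psk }}` line on both peers; WireGuard's optional pre-shared key adds a symmetric layer on top of the Curve25519 handshake at no operational cost. The playbook renders this file with mode `0600`, which is the right choice for a file holding a private key.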
+18
@@ -0,0 +1,18 @@
[Interface]
PrivateKey = {{ wireguard_server_private_key }}
Address = 10.10.1.1/24
ListenPort = 41194
PostUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 10.10.1.2:25
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 10.10.1.2:25
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination 10.10.1.2:993
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination 10.10.1.2:993
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to-destination 10.10.1.2:587
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to-destination 10.10.1.2:587
PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
[Peer]
PublicKey = oI69uWkbkwtpuIYxDNGmzg4nRjY1BIZFVFjZwguIvwE=
AllowedIPs = 10.10.1.2/32
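Review bot: The `MASQUERADE` rule on `wg0` rewrites the source of every DNAT'd mail connection to the tunnel address, so the mail host behind the tunnel sees `10.10.1.1` for all inbound SMTP/IMAP clients; IP-based controls there (Postfix `mynetworks`, RBL and greylisting lookups, fail2ban or rate limits) then act on the VPN address instead of the real client and lose most of their value. If the client IP matters, drop the `MASQUERADE` and route the mail host's return traffic for these connections back through `wg0` with policy routing on the 10.10.1.2 side. The `PreUp`/`PostDown` pairs also accumulate duplicate rules when `wg-quick up` is re-run after an unclean `down`, since `-A` appends unconditionally and `-D` removes one exact match; putting them in a dedicated chain flushed on `PostDown`, or guarding with `iptables -C ... || iptables -A ...`, makes this idempotent. Whether the server's `FORWARD` chain accepts eth0→wg0 traffic is not visible here; the DNAT alone is not enough if the forward policy is DROP.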
+37
@@ -0,0 +1,37 @@
- name: Wireguard
hosts: pi
become: true
vars:
wireguard_private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
64663235376666616263333732653733633362393634663130356638353431633635373437323961
3030636636626339316366326161623236303937623338380a656639636338643937323037366139
64633263646664303962323830663435343531393231393939663633343165383163626466633231
3138326563386233390a386237633630656436663062633264366562616632633035343733323331
64366538386364623938663836336661313632376131336338643432646338303738616438623361
6237653737666662336665326237623331383132653431343466
wireguard_server_private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
38633732343939346261653834393536313335376166616661373266616266353938633363373464
3233646466303834656633656237643632666462323264360a333066313361323038366265316330
32626534313239353833653638353364313136333932386331373132356333663935366466653435
3636323037366333350a313761643565633165643938303330386431623237356262323332306533
34623734623661333266393930306439336533343566306635633638326334303364353036383036
3461343263306434386135356638623636393030646236346531
tasks:
- name: Install wireguard
ansible.builtin.apt:
name: wireguard
state: present
- name: Copy wg0.conf
ansible.builtin.template:
src: wg0.conf.j2
dest: /etc/wireguard/wg0.conf
mode: '0600'
- name: Start service
ansible.builtin.service:
name: wg-quick@wg0
state: restarted
enabled: true
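Review bot: `state: restarted` on `wg-quick@wg0` runs on every play, so each run tears the tunnel down, and with it the DNAT'd mail path, even when `wg0.conf` did not change; use `state: started` here and restart from a handler notified by the template task, e.g. `notify: Restart wireguard` on `Copy wg0.conf`. The play also defines `wireguard_server_private_key` for `hosts: pi` although no visible task on this host consumes it; if it is only needed on the server side, keep it in that play or in host_vars so the server's private key is not decrypted into a run that never uses it. A short comment on the template task, such as `# wg0.conf holds the private key; 0600 keeps it readable by root only`, would document the mode choice.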
Executable
+69
@@ -0,0 +1,69 @@
#!/usr/bin/env python3
import hmac
import hashlib
import base64
import argparse
SMTP_REGIONS = [
"us-east-2", # US East (Ohio)
"us-east-1", # US East (N. Virginia)
"us-west-2", # US West (Oregon)
"ap-south-1", # Asia Pacific (Mumbai)
"ap-northeast-2", # Asia Pacific (Seoul)
"ap-southeast-1", # Asia Pacific (Singapore)
"ap-southeast-2", # Asia Pacific (Sydney)
"ap-northeast-1", # Asia Pacific (Tokyo)
"ca-central-1", # Canada (Central)
"eu-central-1", # Europe (Frankfurt)
"eu-west-1", # Europe (Ireland)
"eu-west-2", # Europe (London)
"eu-south-1", # Europe (Milan)
"eu-north-1", # Europe (Stockholm)
"sa-east-1", # South America (Sao Paulo)
"us-gov-west-1", # AWS GovCloud (US)
"us-gov-east-1", # AWS GovCloud (US)
]
# These values are required to calculate the signature. Do not change them.
DATE = "11111111"
SERVICE = "ses"
MESSAGE = "SendRawEmail"
TERMINAL = "aws4_request"
VERSION = 0x04
def sign(key, msg):
return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
def calculate_key(secret_access_key, region):
if region not in SMTP_REGIONS:
raise ValueError(f"The {region} Region doesn't have an SMTP endpoint.")
signature = sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
signature = sign(signature, region)
signature = sign(signature, SERVICE)
signature = sign(signature, TERMINAL)
signature = sign(signature, MESSAGE)
signature_and_version = bytes([VERSION]) + signature
smtp_password = base64.b64encode(signature_and_version)
return smtp_password.decode("utf-8")
def main():
parser = argparse.ArgumentParser(
description="Convert a Secret Access Key to an SMTP password."
)
parser.add_argument("secret", help="The Secret Access Key to convert.")
parser.add_argument(
"region",
help="The AWS Region where the SMTP password will be used.",
choices=SMTP_REGIONS,
)
args = parser.parse_args()
print(calculate_key(args.secret, args.region))
if __name__ == "__main__":
main()
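Review bot: `main` takes the AWS Secret Access Key as a positional argument, so it lands in shell history and is visible to every local user in `ps` for the lifetime of the process; make it optional and fall back to a prompt: `parser.add_argument("secret", nargs="?", help="The Secret Access Key to convert (prompted if omitted).")`, `secret = args.secret or getpass.getpass("Secret Access Key: ")`, then `print(calculate_key(secret, args.region))`, with `import getpass` added to the imports. `choices=SMTP_REGIONS` on the region argument already rejects unknown regions, so the `ValueError` in `calculate_key` is only reachable from other callers; a docstring on `calculate_key` stating that it derives the SES SMTP password by chaining HMAC-SHA256 over the fixed date, region, service, terminal and message strings, prepending the version byte `0x04` and base64-encoding, would help the next reader. The `# Do not change them.` comment on the constants is good; it could add that `DATE` is a fixed literal, not the current date.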