logging stack and firewall

playbooks/mail/Containerfile

@@ -0,0 +1,13 @@
+FROM debian:bookworm-slim
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        postfix \
+        libsasl2-modules \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY main.cf /etc/postfix/main.cf
+
+EXPOSE 25 587
+
+CMD ["postfix", "start-fg"]

playbooks/mail/docker-compose.yml.j2

@@ -0,0 +1,47 @@
+networks:
+  mail:
+    external: false
+
+services:
+  dovecot:
+    image: docker.gitea.com/gitea:1.26.0
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=db:5432
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD={{ gitea_db_password }}
+      - GITEA__server__SSH_LISTEN_PORT=2222
+      - GITEA__server__SSH_PORT=2222
+      - SSH_LISTEN_PORT=2222
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "31110:31110"
+      - "31995:31995"
+      - "31143:31143"
+      - "31993:31993"
+      - "31587:31587"
+      - "31024:31024"
+    depends_on:
+      - db
+
+  db:
+    image: docker.io/library/postgres:14
+    restart: always
+    environment:
+      - POSTGRES_USER=gitea
+      - POSTGRES_PASSWORD={{ gitea_db_password }}
+      - POSTGRES_DB=gitea
+    networks:
+      - gitea
+    volumes:
+      - ./postgres:/var/lib/postgresql/data

playbooks/mail/main.cf

@@ -0,0 +1,29 @@
+# Postfix main configuration
+# https://www.postfix.org/postconf.5.html
+
+# --- Identity ---
+myhostname = mail.secretbee.buzz
+mydomain = secretbee.buzz
+myorigin = $mydomain
+
+# --- Network ---
+inet_interfaces = all
+inet_protocols = ipv4
+
+# --- Local delivery ---
+mydestination = $myhostname, localhost.$mydomain, localhost
+
+# --- Relay ---
+mynetworks = 127.0.0.0/8
+relayhost =
+
+# --- TLS (outbound) ---
+smtp_tls_security_level = enforce
+smtp_tls_loglevel = 1
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+
+# --- Mailbox ---
+home_mailbox = Maildir/
+
+# --- Limits ---
+message_size_limit = 52428800