bee
2026-05-23 17:48:04 +02:00
parent 3273885e11
commit 8c66580dab
21 changed files with 518 additions and 45 deletions
+3 -1
@@ -1,4 +1,6 @@
registry/
.ansible/
.vscode/settings.json
.vault-password
.vault-password
*.private
*.secret
+30
@@ -70,6 +70,26 @@
"panel": "dedicated"
}
},
{
"label": "Deploy: mail",
"type": "shell",
"command": "make deploy-mail",
"group": "build",
"presentation": {
"reveal": "always",
"panel": "dedicated"
}
},
{
"label": "Deploy: matrix",
"type": "shell",
"command": "make deploy-matrix",
"group": "build",
"presentation": {
"reveal": "always",
"panel": "dedicated"
}
},
{
"label": "Build & Push: postfix",
"type": "shell",
@@ -79,6 +99,16 @@
"reveal": "always",
"panel": "dedicated"
}
},
{
"label": "Build & Push: opendkim",
"type": "shell",
"command": "make push-opendkim",
"group": "build",
"presentation": {
"reveal": "always",
"panel": "dedicated"
}
}
],
"inputs": [
+5
@@ -0,0 +1,5 @@
FROM debian:bookworm-slim
RUN apt-get update \
&& apt-get install -y --no-install-recommends opendkim \
&& rm -rf /var/lib/apt/lists/*
CMD ["opendkim", "-f"]
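Review bot: `CMD ["opendkim", "-f"]` runs the milter as root: the image sets no `USER`, and the opendkim.conf that the mail compose section mounts over /etc/opendkim.conf carries no `UserID` directive, so nothing drops privilege once the daemon starts. Add `UserID opendkim:opendkim` to that config (the Debian package presumably creates that account — confirm in the built image) and make the mounted key readable by it, since it is copied with mode 0600 and owned by root. `FROM debian:bookworm-slim` is an unpinned moving tag; pinning a digest keeps the milter image reproducible across the `pull_policy`-style redeploys this repo uses.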
-2
@@ -6,8 +6,6 @@ RUN apt-get update \
libsasl2-modules \
&& rm -rf /var/lib/apt/lists/*
COPY main.cf /etc/postfix/main.cf
EXPOSE 25 587
CMD ["postfix", "start-fg"]
-31
@@ -1,31 +0,0 @@
# Postfix main configuration
# https://www.postfix.org/postconf.5.html
# --- Identity ---
myhostname = mail.secretbee.buzz
mydomain = secretbee.buzz
myorigin = $mydomain
# --- Network ---
inet_interfaces = all
inet_protocols = ipv4
# --- Local delivery ---
mydestination = $myhostname, localhost.$mydomain, localhost
# --- Relay ---
mynetworks = 127.0.0.0/8
relayhost =
# --- TLS (outbound) ---
smtp_tls_security_level = enforce
smtp_tls_loglevel = 1
smtpd_tls_chain_files =
/etc/postfix/fullchain.pem
/etc/postfix/privkey.pem
# --- Mailbox ---
home_mailbox = Maildir/
# --- Limits ---
message_size_limit = 52428800
+13
@@ -0,0 +1,13 @@
- name: Inspircd
hosts: pi
become: true
vars:
njalla_api_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
65666463616462633533663835383164353566326437333336616266333864333465613732346633
6534633837373937393563633966343738316562653930610a346461613236653266303237306663
66663234313832373939346539386633316465373861663862646537303662313564363038303164
3865666132613130380a623737663837343438333837626338346565653735613435313164373663
33316231366334623461303263386136656234613133373361353262346366636133396134663838
3733353465643235653337306434396366623935303862633737
tasks:
+10
@@ -13,3 +13,13 @@ enabled = true
[nginx-limit-req]
enabled = true
[postfix]
enabled = true
port = smtp,submission
logpath = /var/log/mail.log
[dovecot]
enabled = true
port = imaps,pop3s
logpath = /var/log/mail.log
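Review bot: The new `[postfix]` and `[dovecot]` jails both read `logpath = /var/log/mail.log`, but in this commit both services run inside podman containers (see the mail compose section) whose output goes to the container runtime, and the host's own MTA (exim4) is stopped by the playbook; unless something ships the container logs into that file, fail2ban will either refuse to start these jails because the file is missing or never see an authentication failure. `port = imaps,pop3s` also does not match the Dovecot ports the compose file publishes (31993, 31995 and friends), so any ban would apply to ports nothing listens on. Consider `backend = systemd` with a `journalmatch` for the container's log identifier, or leave the jails out until the logs are on the host. Whether a ban on the host firewall even covers podman-forwarded ports is worth verifying separately.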
+4
@@ -31,6 +31,10 @@
changed_when: true
ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains mail.secretbee.buzz
- name: Request matrix certificates
changed_when: true
ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains matrix.secretbee.buzz
- name: Add post hook script
ansible.builtin.copy:
src: irc-post-hook.sh
+27
@@ -0,0 +1,27 @@
service auth {
inet_listener auth-inet {
port = 12345
}
}
service lmtp {
inet_listener lmtp {
port = 2424
}
}
auth_mechanisms = plain login
passdb passwd-file {
passwd_file_path = /etc/dovecot/users
}
userdb passwd-file {
passwd_file_path = /etc/dovecot/users
}
mail_home = /var/vmail/%{user | domain}/%{user | username}
mail_path = ~/mail
ssl = required
auth_allow_cleartext = no
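Review bot: `mail_home = /var/vmail/%{user | domain}/%{user | username}` puts mailboxes under /var/vmail, but the mail compose section mounts the persistent volume at `mail-data:/srv/vmail`, so mail would be written to the container's writable layer and lost whenever the container is recreated — which the playbook does on every run with `podman-compose down`. Change it to `mail_home = /srv/vmail/%{user | domain}/%{user | username}` or mount the volume at /var/vmail; whichever path is chosen, the same fix applies in the compose file. Separately, `ssl = required` is set but neither this file nor the compose mounts hand Dovecot a certificate or key, so unless the upstream image's default config ships one the TLS listeners will not start — confirm against the image defaults.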
+25 -7
@@ -6,32 +6,50 @@ services:
dovecot:
image: docker.io/dovecot/dovecot:latest
container_name: dovecot
restart: unless-stopped
restart: always
networks:
- mail
volumes:
- mail_data:/srv/vmail
- /opt/mail/99-local.conf:/etc/dovecot/conf.d/99-local.conf:ro
- /opt/mail/users:/etc/dovecot/users:ro
- mail-data:/srv/vmail
ports:
- "31143:31143"
- "31993:31993"
- "31110:31110"
- "31995:31995"
- "1465:1465"
- "31587:31587"
- "31024:31024"
- "34190:34190"
- "8080:8080"
- "127.0.01:9110:9110"
- "127.0.0.1:2424:2424"
- "127.0.0.1:9110:9110"
postfix:
image: git.secretbee.buzz/bee/postfix:latest
container_name: postfix
restart: unless-stopped
restart: always
pull_policy: always
networks:
- mail
volumes:
- /etc/letsencrypt/live/mail.secretbee.buzz/fullchain.pem:/etc/postfix/fullchain.pem
- /etc/letsencrypt/live/mail.secretbee.buzz/privkey.pem:/etc/postfix/privkey.pem
- /etc/letsencrypt/live/mail.secretbee.buzz/fullchain.pem:/etc/postfix/fullchain.pem:ro
- /etc/letsencrypt/live/mail.secretbee.buzz/privkey.pem:/etc/postfix/privkey.pem:ro
- /opt/mail/main.cf:/etc/postfix/main.cf:ro
- /opt/mail/master.cf:/etc/postfix/master.cf:ro
ports:
- "25:25"
- "587:587"
opendkim:
image: git.secretbee.buzz/bee/opendkim:latest
container_name: opendkim
restart: always
networks:
- mail
volumes:
- /opt/mail/opendkim.conf:/etc/opendkim.conf:ro
- /opt/mail/mail.private:/etc/opendkim/keys/mail.private:ro
volumes:
mail-data:
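Review bot: The Dovecot `ports:` list publishes every listener on all host interfaces, including ones that look internal-only — `31024:31024` (presumably LMTP) and `8080:8080` (presumably the doveadm HTTP API of the upstream image) — while only 2424 and 9110 are bound to 127.0.0.1. Ports published by podman are forwarded by its network stack and may not be covered by the host's ufw rules, so bind internal ones the same way, e.g. `- "127.0.0.1:8080:8080"`, or drop them entirely; verify against the upstream image which ports it actually opens. `image: docker.io/dovecot/dovecot:latest` and the Postfix `pull_policy: always` mean every playbook run deploys whatever was pushed last, so pin a tag or digest for both. The `mail-data:/srv/vmail` mount also does not match the `mail_home` path in the Dovecot config, which sits under /var/vmail.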
+175
@@ -0,0 +1,175 @@
- name: Mail
hosts: pi
become: true
vars:
dkim_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
36363638363937326662323932306438333134613966313739393938383337656262373736653065
3736633466613763373161666236336630306565323433630a643937313131616565313434356461
32643261666565383935396230306664366332313338613438323332343139303338373039303932
3539373239336637300a656264633864666261613962316563373663373735393864306334626664
33363734366265663234373131613864386236323632363534363166343134373065313938313033
66383935306133306233623738353561656261313330346333653865336463386163393637333733
37306237633638383830613262646237643531343362336637366663363864353865323565326137
35316134373436323461356630623661306564636135313533383533366265613934303834356431
61343464613830626339393238636439333265383439336136666231363933356566366466386135
64376162616562646235613332613931623861373036366530313966306235626338326238623233
34616536346533656436623232643236623838336232343132643561653030643538643137643861
65393964336531383638613436323831346131393865373830346637616330646133316430343536
65336233306537633761643261316230326237393037636236366638616139343936396533646136
34363763333263346439633366626166393631323838306565356464326431393130633432353866
64343639366232303930373564323038366639646365326537326634366336323835333364663264
38373237656264366437333564363164356663613539623466383931623834626236656131316362
39623431356536343563356561653465653638333539643132303463383332373831346535626438
62333230383134346264616432343461313332386230353433643534326161306462623130656534
63386661363436653830626334616431353464663236356435643435643732396364616539363663
31363730333036313163353939343066343130396166376638366561373134393965353838356666
64623961393761363835353865613762393766356532306131323437646261616362653630643133
34323263653763343562323063343234643064613537626334306261396537663030366330613766
64383533613736326562313362383066633437666438316535623131643431333636343030363363
66616433626536353135323937343862643930303963383066643032373931376636643831636139
61313530376566343635396430396230343836643632636335376362623962643638396434356264
38303233313461666135323632333637343363353534636334646532333763343433353931343936
37353530393561356636643865353866303637623433373737383535383565346532343738373862
38656366646433653636356432353963333531333538633364316261666334646639353165656130
62383637626537303433613836636431393637333234616632663739376464336134636261633164
34383939363136666263376634633733663366366432376134343333623639393131623234636537
63653838393530656131623536386166323963396434323736396234626239666333393765616633
38633535333836623861663161663565316631623862363561313237643735393933343238383262
36303531306566393961643836636438666539623835636234306536646335616231643134373032
31373364643738343131353066346464396565303630363230306435663136386138636266633436
61646630323066323833366262633735626438303436306161653033656232363761663762623932
63613733376434333164643036633961336534366238663566323538336665323131653735323265
36616361343732346531303030343565333638616261323137366361626465373231376162663830
61383664373238623536396336333264643235633162616665393463663561636461326565336334
30636430613232646265386133336437303339393338383332636262363165656432663764303263
66376436643865373632313162383433336536333862376665616535396437303762386265373631
39613865656235613465373864313462633838353039316161346166396632306638386533383865
30386365326161333066616432626236323263313163363238306161393265386332323733303763
62376430336630643161383130636230323538363464303838653733633837316663633565623863
62623364636262393065333636646433366365623662323238383336663764633864353863376337
35393737633639633035636534363865356631623035653839393338353366626561636430303066
39333563626561373365313232383633393364653463313866343235383734343234353637363432
38336237616530373134333334666132333636353235313565623265303435363537343731303339
64366464663061333661643337653262333663623764396138386533623239363739343232613436
63396666663931666138616566326462646362306530643334343230316334383837353065656232
33656431316164623164363130323735386136666238326361333431383732323933353238383266
66313430323362393931393132306234393031306534616565366261626336363430343664656530
32303661313662616232303964323337663736633238356462313131343430653638386137306531
66643562623534613739363138336265393232646162376665653165333533333965656263623439
65363665663030356530633863393864363831313637336133333163636564363965313265363263
36626134646238373530303132383734363166323937653030383639643637626332343863633961
36313065346537666232623232383333386561353139373133633033326235653738636439363139
30663365653935366266613933623838653133623435393633636537316163373461633863646133
30623463613231366438633431396330396363646664653534383531346163343037363764373436
62326166336639663434386261333261616334366465383132333231623034613364623661373865
65636435666235336339373335623934633861393764366535373365306336666131663330353031
32313762663363303739346365346263393733363864636637333666343561363332336132326264
32353166626266633564646362663862353433393535643938383131373737393366383038396430
36363738326630376432666637373562666366646536393363633365306637643564316234643430
61316234333165303532333963626635353538363832303833343532333934393264653864366339
63656431626132303761396361326464613563353632633633393261666366393536306133353765
37663337633363366139343237663565663232623266313530633630316238633566373336373065
35343133363234393137303631353932313561373466333438636263326566623336633235643965
32636536373231623565363939393764393964343265356235613134336263383131633330333838
63316361636234313836353264346334386639623861643239646163663462306630633064366261
39663639336439386439663039653462656338623237393033306539353435623039383333623163
39366563643731663835303763386365373232393435366664343264323035333631326331626437
36643130333138616631366465396635323666393339386438303161623364393433386431353665
32396239396333623061623563643933356130613166653933363636303937336665613763613265
39633635326339616539346664653065386531646661343438636565363939613633323266326462
65353339333233633931363830663835616661626663323961316562343739383063646164333939
34383163326664303130333434646633346563373630653532393264336132313264343134326132
30323934346531393931353365303430393461333065386636346139643731383866373636353234
30623665386331333639623639353766313633383539613864306336316562393533356237333331
32623838666535353462393762616236336663376537316163356461366238326637303164336666
31356234633832396436643663343961663763366266396464636661323064366338383634393731
30666135316430643038663936623832306435653161373435616138376162356232633636356238
64353433656366366266633932653264376232313633383163663066663132373733356662353932
62333239336163303632356231363164343039613431363664626662316265396338336162373239
31366539376566323032616335616263623162623934323034383364663436323366636139313838
64663839623266373338306439616337653237616365663463323739366431663839303839636663
61346534386435646632396566396535636136393337343039333364643433303165383761666437
36396232313965353334643664663464343537346430373334393461303965663230313836323966
65303930373664316234346364336430383838643164616338653034393836396166633866366131
65336237346635626362663439376339303439303263653238346563333738386266
tasks:
- name: Install podman
ansible.builtin.apt:
name: podman
state: present
- name: Install podman-compose
ansible.builtin.apt:
name: podman-compose
state: present
- name: Stop exim4
ansible.builtin.service:
name: exim4
state: stopped
enabled: false
- name: Create mail directories
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0755'
loop:
- /opt/mail
- name: Compose down
changed_when: true
failed_when: false
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/mail
- name: Copy compose
ansible.builtin.template:
src: docker-compose.yml.j2
dest: /opt/mail/docker-compose.yml
mode: '0644'
- name: Copy Dovecot config
ansible.builtin.template:
src: 99-local.conf.j2
dest: /opt/mail/99-local.conf
mode: '0644'
- name: Copy main.cf
ansible.builtin.template:
src: main.cf.j2
dest: /opt/mail/main.cf
mode: '0644'
- name: Copy master.cf
ansible.builtin.template:
src: master.cf.j2
dest: /opt/mail/master.cf
mode: '0644'
- name: Copy Users
ansible.builtin.template:
src: users.j2
dest: /opt/mail/users
mode: '0644'
- name: Copy mail.private
ansible.builtin.copy:
src: mail.private
dest: /opt/mail/mail.private
mode: '0600'
- name: Copy opendkim.conf
ansible.builtin.template:
src: opendkim.conf.j2
dest: /opt/mail/opendkim.conf
mode: '0644'
- name: Compose up
changed_when: true
ansible.builtin.command:
cmd: podman-compose up -d
chdir: /opt/mail
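Review bot: `dkim_key` is declared as a vaulted variable at the top of the play but no task references it; the DKIM private key is instead copied from a plain file with `src: mail.private`, which the new `.gitignore` entry `*.private` keeps out of the repository and therefore out of the vault that this commit otherwise uses for secrets. Deploy it from the vault instead: in "Copy mail.private" replace `src: mail.private` with `content: "{{ dkim_key }}"` and add `no_log: true` to the task. The Dovecot users file holds password hashes but is written with `mode: '0644'`; `mode: '0600'`, matching mail.private, keeps it from being world-readable on the host. The "Compose down" step's `failed_when: false` hides any teardown error; the matrix playbook repeats the same pattern.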
+60
@@ -0,0 +1,60 @@
# Postfix main configuration
# https://www.postfix.org/postconf.5.html
# --- Identity ---
myhostname = mail.secretbee.buzz
mydomain = secretbee.buzz
myorigin = $mydomain
# --- Network ---
inet_interfaces = all
inet_protocols = ipv4
# --- Local delivery ---
mydestination = $myhostname, localhost.$mydomain, localhost
# --- Relay ---
mynetworks = 127.0.0.0/8
relayhost =
# --- Virtual mailboxes ---
virtual_mailbox_domains = $mydomain
virtual_transport = lmtp:inet:dovecot:2424
# --- TLS ---
smtp_tls_security_level = enforce
smtp_tls_loglevel = 1
smtpd_tls_chain_files =
/etc/postfix/fullchain.pem
/etc/postfix/privkey.pem
smtpd_tls_loglevel = 1
# --- SASL (auth delegated to Dovecot) ---
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:dovecot:12345
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
# --- Limits ---
message_size_limit = 52428800
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_banner = $myhostname ESMTP
smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain
milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:opendkim:8891
non_smtpd_milters = inet:opendkim:8891
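Review bot: `smtpd_sasl_auth_enable = yes` is set globally but `smtpd_tls_security_level` is never set, so the port-25 smtpd — which the new master.cf comment describes as "TLS optional" — offers no STARTTLS at all and advertises AUTH over cleartext; only submission on 587 is protected, by its own `-o smtpd_tls_security_level=encrypt` override. Add `smtpd_tls_security_level = may` and `smtpd_tls_auth_only = yes` next to `smtpd_tls_chain_files`, or move `smtpd_sasl_auth_enable = yes` out of main.cf so that only the submission entry in master.cf enables it. `smtp_tls_security_level = enforce` is a policy choice to be aware of: outbound mail to any MX that does not offer TLS will be deferred rather than delivered, where `may` is the usual opportunistic setting. The hunk adds 60 lines but fewer are shown, so blank lines were apparently dropped in rendering and the continuation indentation of the multi-line parameters cannot be checked here.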
+41
@@ -0,0 +1,41 @@
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
# Port 25: inbound MX delivery — TLS optional, no auth required
smtp inet n - n - - smtpd
# Port 587: authenticated submission — TLS + SASL required
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
+6
@@ -0,0 +1,6 @@
Syslog yes
Domain secretbee.buzz
Selector mail
KeyFile /etc/opendkim/keys/mail.private
Socket inet:8891@0.0.0.0
OversignHeaders From
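Review bot: No `InternalHosts` is configured, and OpenDKIM's default for it is 127.0.0.1 only; because Postfix reaches the milter over the compose network (`Socket inet:8891@0.0.0.0` here, `smtpd_milters = inet:opendkim:8891` in main.cf), mail from the postfix container arrives from a non-local address and will be verified rather than signed. Add an `InternalHosts` dataset covering the compose network, e.g. `InternalHosts csl:<mail-network-cidr>` with the range taken from the host (placeholder shown), and confirm with a test message that a DKIM-Signature header is added. Note that `milter_default_action = accept` in main.cf lets mail through unsigned when the milter is unreachable, so a signing failure only surfaces as DMARC failures at the recipient. `Socket inet:8891@0.0.0.0` is reachable from any container on the `mail` network, which is acceptable as long as the port is never published to the host.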
+1
@@ -0,0 +1 @@
bee@secretbee.buzz:{SHA512-CRYPT}$6$GRG/tBZAy62JjDXM$8DyA2Ii0aS2VPJlDs8ML.UjblfI1PYbG5VRmbSjeJB3nii8h9a3F5S7NDxieqBUOeVsa4LIfyp/6tC/dnDnpW.::::::
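Review bot: The `{SHA512-CRYPT}` hash for bee@secretbee.buzz is committed in a tracked template, so anyone with read access to the repository can attack the credential offline, whereas this same commit keeps `dkim_key` in the vault. Move the hash (or the whole passwd-file line) into a vaulted variable and render it here as `{{ mail_users }}`, and have the "Copy Users" task write the file with mode 0600 rather than 0644. Rotating the password after the move is prudent since the hash is already in history.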
+25
@@ -0,0 +1,25 @@
services:
homeserver:
image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
restart: always
command: /sbin/conduwuit
ports:
- 127.0.0.1:8008:8008
volumes:
- db:/var/lib/continuwuity
- /opt/matrix/resolv.conf:/etc/resolv.conf
#- ./continuwuity.toml:/etc/continuwuity.toml
environment:
CONTINUWUITY_SERVER_NAME: matrix.secretbee.buzz
CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
CONTINUWUITY_ADDRESS: 0.0.0.0
CONTINUWUITY_PORT: 8008
#CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
CONTINUWUITY_WELL_KNOWN: |
{
client=https://secretbee.buzz,
server=secretbee.buzz:443
}
volumes:
db:
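Review bot: `CONTINUWUITY_SERVER_NAME: matrix.secretbee.buzz` combined with a well-known block that delegates `server=secretbee.buzz:443` looks inverted: delegation normally points from the apex server name to the host that terminates federation, and the nginx vhost added in this commit only serves matrix.secretbee.buzz, so federation lookups for this server name would be sent to the apex, which nothing here answers — verify which name is meant to be the Matrix server name before the first federated room is joined, since it cannot be changed afterwards. `image: "forgejo.ellis.link/continuwuation/continuwuity:latest"` is an unpinned image from a third-party forge; pin a tag or digest. The `/opt/matrix/resolv.conf:/etc/resolv.conf` mount should be `:ro` like the other config mounts, and the port mapping reads more safely quoted as `"127.0.0.1:8008:8008"` per compose convention.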
+47
@@ -0,0 +1,47 @@
- name: Matrix
hosts: pi
become: true
tasks:
- name: Install podman
ansible.builtin.apt:
name: podman
state: present
- name: Install podman-compose
ansible.builtin.apt:
name: podman-compose
state: present
- name: Create matrix directories
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0755'
loop:
- /opt/matrix
- name: Compose down
changed_when: true
failed_when: false
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/matrix
- name: Copy resolv.conf
ansible.builtin.template:
src: resolv.conf.j2
dest: /opt/matrix/resolv.conf
mode: '0644'
- name: Copy compose
ansible.builtin.template:
src: docker-compose.yml.j2
dest: /opt/matrix/docker-compose.yml
mode: '0644'
- name: Compose up
changed_when: true
ansible.builtin.command:
cmd: podman-compose up -d
chdir: /opt/matrix
+2
@@ -0,0 +1,2 @@
nameserver 1.0.0.1
nameserver 1.1.1.1
+5 -4
@@ -6,7 +6,7 @@ services:
prometheus:
image: docker.io/prom/prometheus
container_name: prometheus
restart: unless-stopped
restart: always
ports:
- '127.0.0.1:9090:9090'
volumes:
@@ -18,7 +18,7 @@ services:
grafana:
image: docker.io/grafana/grafana
container_name: grafana
restart: unless-stopped
restart: always
ports:
- '4000:4000'
volumes:
@@ -42,7 +42,7 @@ services:
- loki-data:/loki
- /opt/monitoring/local-config.yml:/etc/loki/local-config.yaml
command: -config.file=/etc/loki/local-config.yaml
restart: unless-stopped
restart: always
networks:
- monitoring
@@ -67,11 +67,12 @@ services:
- --stability.level=experimental
networks:
- monitoring
restart: always
podman-exporter:
image: quay.io/navidys/prometheus-podman-exporter
container_name: podman-exporter
restart: unless-stopped
restart: always
privileged: true
user: root
ports:
@@ -0,0 +1,33 @@
server {
listen 80;
server_name matrix.secretbee.buzz;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name matrix.secretbee.buzz;
limit_req zone=mylimit burst=20;
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
ssl_certificate /etc/letsencrypt/live/matrix.secretbee.buzz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.secretbee.buzz/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
client_max_body_size 512M;
proxy_pass http://localhost:8008;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
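Review bot: The HSTS header on the 443 server separates its directives with a comma, `add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;`, but RFC 6797 separates directives with semicolons, so browsers are likely to reject the header and HSTS is not actually in effect; it should read `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. `proxy_pass http://localhost:8008;` depends on how nginx resolves localhost, and the compose section binds the homeserver only to `127.0.0.1:8008`, so `proxy_pass http://127.0.0.1:8008;` avoids a failed ::1 attempt. The `Upgrade`/`Connection` headers are forwarded without `proxy_http_version 1.1;`, which websocket upgrades need. No file header is shown for this section, so which file it belongs to is inferred from the server_name.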
+6
@@ -17,6 +17,12 @@
name: OpenSSH
route: true
- name: Allow samba
community.general.ufw:
rule: allow
name: samba
route: true
- name: UFW - Allow HTTP connections
community.general.ufw:
rule: allow
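Review bot: The new "Allow samba" task copies `route: true` from the OpenSSH entry above it, which makes it a routed (FORWARD-chain) rule rather than an input rule; unless SMB is reached through traffic this host forwards, the host's own samba ports stay closed. For a service on the host itself, drop `route: true`, and since SMB should not be reachable from arbitrary sources, restrict it with `src:` to the LAN range (placeholder: `src: <lan-cidr>`). The task list continues outside the hunk.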