From 9729b2868152bbc809d66912d58e9c791fb75ef2 Mon Sep 17 00:00:00 2001 From: bee Date: Mon, 25 May 2026 11:09:11 +0200 Subject: [PATCH] mail done --- playbooks/backup/backup.yml | 0 playbooks/fail2ban/jail.local.j2 | 6 +- playbooks/mail/docker-compose.yml.j2 | 7 +-- playbooks/mail/mail.yml | 25 ++++++++- playbooks/mail/mailserver.env.j2 | 25 +++++---- playbooks/nginx/html/index.html | 8 ++- playbooks/ufw/ufw.yml | 84 +++++++++++++++------------- playbooks/wireguard/wg0.conf.j2 | 15 ++++- playbooks/wireguard/wg0.conf.server | 6 +- playbooks/wireguard/wireguard.yml | 18 ++++-- 10 files changed, 123 insertions(+), 71 deletions(-) create mode 100644 playbooks/backup/backup.yml diff --git a/playbooks/backup/backup.yml b/playbooks/backup/backup.yml new file mode 100644 index 0000000..e69de29 diff --git a/playbooks/fail2ban/jail.local.j2 b/playbooks/fail2ban/jail.local.j2 index 53cf771..e7db6d4 100644 --- a/playbooks/fail2ban/jail.local.j2 +++ b/playbooks/fail2ban/jail.local.j2 @@ -3,6 +3,8 @@ bantime = 24h findtime = 10m maxretry = 5 banaction = ufw +bantime.increment = true +bantime.multipliers = 1 5 30 60 300 720 1440 2880 [sshd] enabled = true @@ -17,9 +19,9 @@ enabled = true [postfix] enabled = true port = smtp,submission -logpath = /var/log/mail.log +logpath = /opt/beeserver/mail/mail-logs/mail.log [dovecot] enabled = true port = imaps,pop3s -logpath = /var/log/mail.log \ No newline at end of file +logpath = /opt/beeserver/mail/mail-logs/mail.log \ No newline at end of file diff --git a/playbooks/mail/docker-compose.yml.j2 b/playbooks/mail/docker-compose.yml.j2 index f492c69..da156e4 100644 --- a/playbooks/mail/docker-compose.yml.j2 +++ b/playbooks/mail/docker-compose.yml.j2 
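Review bot: The `logpath` change in the second hunk points both mail jails at the container's bind-mounted log, but `banaction = ufw` a few lines above inserts an input-chain deny, while the mail ports reach the container as forwarded traffic (ufw.yml in this commit allows 25/465/587/993 with `route: true`); a ban may therefore never match the offending client, which is worth verifying with a test ban before relying on it. If that is confirmed, the ban has to cover ufw's routed rules as well, and the reason deserves a comment next to `banaction`, e.g. `# mail is DNAT'ed over wg0 and forwarded to podman: the ban must apply to FORWARD, not only INPUT`. The hard-coded `/opt/beeserver/mail/mail-logs/mail.log` duplicates the directory path used in mail.yml's loop; since this is a Jinja template, one shared variable would keep the two in sync. The file still ends without a trailing newline after the last `logpath` line.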
@@ -1,12 +1,11 @@ services: # https://docker-mailserver.github.io/docker-mailserver/latest/ mailserver: - image: ghcr.io/docker-mailserver/docker-mailserver:latest + image: ghcr.io/docker-mailserver/docker-mailserver:15.1.0 container_name: mailserver hostname: mail.secretbee.buzz env_file: mailserver.env ports: - "25:25" - - "143:143" - "465:465" - "587:587" - "993:993" @@ -16,8 +15,6 @@ services: # https://docker-mailserver.github.io/docker-mailserver/latest/ - /opt/beeserver/mail/mail-logs/:/var/log/mail/ - /opt/beeserver/mail/config/:/tmp/docker-mailserver/ - /etc/localtime:/etc/localtime:ro - - /etc/letsencrypt:/etc/letsencrypt + - /etc/letsencrypt:/etc/letsencrypt:ro restart: always stop_grace_period: 1m - cap_add: - - NET_ADMIN diff --git a/playbooks/mail/mail.yml b/playbooks/mail/mail.yml index 2871f64..29d8faf 100644 --- a/playbooks/mail/mail.yml +++ b/playbooks/mail/mail.yml 
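Review bot: `image: ghcr.io/docker-mailserver/docker-mailserver:15.1.0` replaces the floating `latest`, but a tag is still mutable on the registry side; pinning the digest too, `image: ghcr.io/docker-mailserver/docker-mailserver:15.1.0@sha256:<digest from the registry>`, makes the deployment reproducible and lets an unexpected image change surface as a diff. Dropping `143:143` so that only the TLS ports are published is consistent with the ufw and DNAT changes elsewhere in this commit. The `cap_add: NET_ADMIN` removal in the second hunk matches `ENABLE_FAIL2BAN=0` in mailserver.env.j2; a one-line comment there, `# fail2ban runs on the host (playbooks/fail2ban), not in the container`, would stop the next reader from re-adding the capability.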
@@ -10,6 +10,27 @@ 3165616638653634310a666238656466306433346235396537386539366436333032373866333731 64323037613336613538613866343738613236323739333339313133386263323037313837636131 6533666231663438336566386130366536623565383837623164 + relay_user: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66636637636636363133366335653835343130616134356330386531653537346138326432336662 + 3231636236393635646465626538643736326432633866620a633166346632613132323530373631 + 38333935373565616633363530616533656536313461363935623966336265613264373439613461 + 3133383935656337370a653461363636616537343836383935356432303532363861383863363639 + 31316537333565623530333332353435353437313466353935636139653762643930 + relay_password_smtp2go: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30353034303936383336616430373037316663333039326337633838336532326462643039323930 + 3865396234396464363032346335663961323462643232310a363163353231303763323032646637 + 61346265343333303735623635633638393265336530656539623063346338646636643661333962 + 3961643332623365660a336130313864326463623365333435383533623837623831326234323466 + 39303363393736616230343331623734636364313039356137643864383833616664 + relay_user_smtp2go: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 33313138356235346465333737303766626463636438316366353262356430316636636462613066 + 3166353663663163306536363536366462633365616161650a613061306630356533343033366333 + 31643364646665653330326435666366313763633135323063373736666337316130316233396235 + 3834313832393237650a636138363436376631323338303232356137353063616561313039313130 + 3236 tasks: - name: Install podman @@ -32,7 +53,7 @@ ansible.builtin.file: path: "{{ item }}" state: directory - mode: '0755' + mode: '0750' loop: - /opt/beeserver/mail @@ -53,7 +74,7 @@ ansible.builtin.template: src: mailserver.env.j2 dest: /opt/beeserver/mail/mailserver.env - mode: '0644' + mode: '0600' - name: Compose up changed_when: true 
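Review bot: `relay_user` is added next to `relay_user_smtp2go`, but the mailserver.env.j2 hunks in this commit reference only `relay_user_smtp2go` and `relay_password_smtp2go`; unless another template consumes it, that vault blob is dead configuration and should be removed, and the pre-existing `relay_password` looks unused after this change for the same reason. Each vault value is opaque to a reader, so a comment naming its purpose, e.g. `# SMTP2GO relay credentials, rendered into mailserver.env.j2`, would help. The tightened `'0750'` and `'0600'` modes in the later hunks set no `owner`/`group`, which is fine only if compose is run by the same user that applies the playbook — worth confirming on the host.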
diff --git a/playbooks/mail/mailserver.env.j2 b/playbooks/mail/mailserver.env.j2 index b33d92d..f4bff1d 100644 --- a/playbooks/mail/mailserver.env.j2 +++ b/playbooks/mail/mailserver.env.j2 @@ -44,7 +44,7 @@ ACCOUNT_PROVISIONER= # empty => postmaster@domain.com # => Specify the postmaster address -POSTMASTER_ADDRESS= +POSTMASTER_ADDRESS=postmaster@secretbee.buzz # Check for updates on container start and then once a day # If an update is available, a mail is sent to POSTMASTER_ADDRESS @@ -92,7 +92,7 @@ TLS_LEVEL= # # **0** => (not recommended) Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address (see also https://en.wikipedia.org/wiki/Email_spoofing). # 1 => Mail spoofing denied. Each user may only send with their own or their alias addresses. Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages. -SPOOF_PROTECTION= +SPOOF_PROTECTION=1 # Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/main/README.rst) for further explanation. # - **0** => Disabled @@ -195,7 +195,7 @@ RSPAMD_NEURAL=0 # Amavis content filter (used for ClamAV & SpamAssassin) # 0 => Disabled # 1 => Enabled -ENABLE_AMAVIS=1 +ENABLE_AMAVIS=0 # -1/-2/-3 => Only show errors # **0** => Show warnings @@ -207,13 +207,13 @@ AMAVIS_LOGLEVEL=0 # Note: Emails will be rejected, if they don't pass the block list checks! # **0** => DNS block lists are disabled # 1 => DNS block lists are enabled -ENABLE_DNSBL=0 +ENABLE_DNSBL=1 # If you enable Fail2Ban, don't forget to add the following lines to your `compose.yaml`: # cap_add: # - NET_ADMIN # Otherwise, `nftables` won't be able to ban IPs. -ENABLE_FAIL2BAN=1 +ENABLE_FAIL2BAN=0 # Fail2Ban blocktype # drop => drop packet (send NO reply) 
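Review bot: `ENABLE_AMAVIS=0` in the `@@ -195` hunk switches off the component the surrounding comment names as the carrier for ClamAV and SpamAssassin, and nothing in this diff shows a replacement filter being enabled; confirm that `ENABLE_RSPAMD` (the `RSPAMD_NEURAL=0` context suggests rspamd is in use) and any virus scanning are set elsewhere in the file, and record it on the line, e.g. `# Amavis off: filtering is handled by rspamd`. `ENABLE_DNSBL=1` in the `@@ -207` hunk only does what its comment promises if Postfix sees the real client address; that appears to hold here only because the WireGuard server's MASQUERADE was commented out in wg0.conf.server, and a comment stating that dependency would keep someone from re-enabling it. `ENABLE_FAIL2BAN=0` is consistent with the host-side jails in jail.local.j2 and the `NET_ADMIN` removal in the compose file.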
@@ -267,7 +267,7 @@ POSTFIX_DAGENT= # Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default). Size is in bytes. # # empty => 0 -POSTFIX_MAILBOX_SIZE_LIMIT= +POSTFIX_MAILBOX_SIZE_LIMIT=10737418240 # See https://docker-mailserver.github.io/docker-mailserver/latest/config/account-management/overview/#quotas # 0 => Dovecot quota is disabled @@ -630,7 +630,8 @@ SRS_SECRET= # # Set a default host to relay all mail through (optionally include a port) # Example: [mail.example.com]:587 -DEFAULT_RELAY_HOST=[email-smtp.eu-north-1.amazonaws.com]:587 +#DEFAULT_RELAY_HOST=[email-smtp.eu-north-1.amazonaws.com]:587 +DEFAULT_RELAY_HOST=[mail-eu.smtp2go.com]:2525 # ----------------------------------------------- # --- Multi-Domain Relay Section ---------------- @@ -641,11 +642,13 @@ DEFAULT_RELAY_HOST=[email-smtp.eu-north-1.amazonaws.com]:587 # # Set a default host to relay mail through # Example: mail.example.com -RELAY_HOST=email-smtp.eu-north-1.amazonaws.com +#RELAY_HOST=email-smtp.eu-north-1.amazonaws.com +RELAY_HOST= # empty => 25 # default port to relay mail -RELAY_PORT=587 +#RELAY_PORT=587 +RELAY_PORT= # ----------------------------------------------- # --- Relay Host Credentials Section ------------ @@ -654,7 +657,7 @@ RELAY_PORT=587 # Configure a relay user and password to use with RELAY_HOST / DEFAULT_RELAY_HOST # empty => no default -RELAY_USER=AKIAWBJK5JQUGAW3SR4N +RELAY_USER={{ relay_user_smtp2go }} # empty => no default -RELAY_PASSWORD={{ relay_password }} +RELAY_PASSWORD={{ relay_password_smtp2go }} diff --git a/playbooks/nginx/html/index.html b/playbooks/nginx/html/index.html index 351bb37..15e6799 100644 --- a/playbooks/nginx/html/index.html +++ b/playbooks/nginx/html/index.html @@ -9,8 +9,10 @@
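Review bot: The removed `RELAY_USER=AKIAWBJK5JQUGAW3SR4N` line in the `@@ -654` hunk is the key-ID half of an AWS credential committed in clear; templating it now does not remove it from history, so the old SES credential should be treated as exposed and rotated. The `@@ -630` and `@@ -641` hunks leave the AWS settings behind as commented-out lines (`#DEFAULT_RELAY_HOST=...`, `#RELAY_HOST=...`, `#RELAY_PORT=...`); deleting them keeps the env file from documenting a provider that is no longer used. `DEFAULT_RELAY_HOST=[mail-eu.smtp2go.com]:2525` is not an implicit-TLS port, so the SMTP2GO credentials on the `RELAY_USER`/`RELAY_PASSWORD` lines travel in clear unless STARTTLS is enforced for the relay; verify the relay TLS setting docker-mailserver applies to this host and note it next to the line, e.g. `# relay on 2525: outbound TLS to the relay is enforced by <setting name>`.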

Welcome to the hive.

Available services:

 

-

irc

-

Grab yourself an irc client (for example mirc) and connect to irc.secretbee.buzz and port 6697.

-

All traffic is encrypted and secured.

+

matrix

+

You can reach me at @happybee:secretbee.buzz. If you want access to my matrix homeserver, send me a mail.

+

mail

+

Send whatever nonsense comes to your mind to bee at secretbee dot buzz

+

 

\ No newline at end of file diff --git a/playbooks/ufw/ufw.yml b/playbooks/ufw/ufw.yml index 173c3fb..eb73c6f 100644 --- a/playbooks/ufw/ufw.yml +++ b/playbooks/ufw/ufw.yml @@ -9,61 +9,67 @@ - name: Logging community.general.ufw: - logging: "low" + logging: "medium" - - name: Allow SSH + - name: UFW - Allow SSH community.general.ufw: rule: allow - name: OpenSSH - route: true + port: "22" + proto: tcp - - name: Allow samba - community.general.ufw: - rule: allow - name: samba - route: true - - - name: Allow Mail + - name: UFW - Allow TCP in community.general.ufw: rule: allow port: '{{ item }}' proto: tcp loop: - - "465" - - "25" - - "587" - - "110" - - "995" - - "143" - - "993" + - "80" + - "139" # samba + - "443" + - "445" # samba + - "8448" # matrix federation - - name: UFW - Allow HTTP connections + - name: UFW - Allow TCP forward community.general.ufw: rule: allow - port: "80" + port: '{{ item }}' proto: tcp route: true + loop: + - "25" # mail + - "465" # mail + - "587" # mail + - "993" # mail + - "2222" # gitbee ssh + - "8448" # matrix federation - - name: UFW - Allow HTTPS connections + - name: UFW - Allow SMTP return community.general.ufw: rule: allow - port: "443" - proto: tcp route: true + interface_in: wg0 + proto: tcp + to_port: "25" - - name: UFW - Allow gitbee ssh + - name: UFW - Allow UDP in community.general.ufw: rule: allow - port: "2222" - proto: tcp - route: true + port: '{{ item }}' + proto: udp + loop: + - "137" # samba + - "138" # samba - - name: UFW - Allow matrix federation + - name: UFW - Limiting community.general.ufw: - rule: allow - port: "8448" + rule: limit + port: '{{ item }}' proto: tcp route: true + loop: + - "465" # mail + - "587" # mail + - "993" # mail - name: UFW - Allow podman forwarding community.general.ufw: 
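Review bot: The `UFW - Allow TCP in` and `UFW - Allow UDP in` tasks open the samba ports (`139`, `445`, `137`, `138`) with a plain `rule: allow` and no interface or source restriction, so they are reachable from every interface the host has, including wg0 and whatever eth0 faces. The podman tasks in the `@@ -117,27 +130,20 @@` hunk treat eth0 as the local network, so the intent looks like LAN-only file sharing; moving those four ports into their own loop with `interface_in: eth0` (and/or `from_ip: <LAN CIDR>`) would match that intent. `8448` appears both in the inbound loop and in the `route: true` loop; if only one path is used, drop the other and say so in the `# matrix federation` comment. The `UFW - Limiting` task adds `rule: limit` for forwarded 465/587/993 after `UFW - Allow TCP forward` has already accepted the same ports, and ufw evaluates rules in order, so the limit rule likely never matches; confirm the generated rule order, and if so either drop the allow for those three ports or insert the limit rule first.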
@@ -72,6 +78,13 @@ interface_out: podman+ route: true + - name: UFW - Enable DNS from podman + community.general.ufw: + rule: allow + interface_in: podman+ + proto: "udp" + to_port: 53 + - name: UFW - Allow wireguard incoming community.general.ufw: rule: allow @@ -117,27 +130,20 @@ interface_out: wg0 route: true - - name: UFW - Allow podman forwarding 2 + - name: UFW - Allow local network to podman community.general.ufw: rule: allow interface_in: eth0 interface_out: podman+ route: true - - name: UFW - Allow podman forwarding 3 + - name: UFW - Allow podman to local network community.general.ufw: rule: allow interface_in: podman+ interface_out: eth0 route: true - - name: UFW - Enable DNS - community.general.ufw: - rule: allow - interface_in: podman+ - proto: "udp" - to_port: 53 - - name: UFW - Allow node exporter scraping community.general.ufw: rule: allow diff --git a/playbooks/wireguard/wg0.conf.j2 b/playbooks/wireguard/wg0.conf.j2 index 3c65728..ec01ecd 100644 --- a/playbooks/wireguard/wg0.conf.j2 +++ b/playbooks/wireguard/wg0.conf.j2 @@ -1,9 +1,20 @@ [Interface] PrivateKey = {{ wireguard_private_key }} Address = 10.10.1.2/24 - + +Table = 123 +PreUp = ip rule add fwmark 1 table 123 priority 455 +PreUp = ip rule add from 10.10.1.2 table 123 priority 456 +PostUp = iptables -t mangle -A PREROUTING -i %i -m conntrack --ctstate NEW -j CONNMARK --set-mark 1 +PostUp = iptables -t mangle -A PREROUTING -m conntrack --ctdir REPLY -j CONNMARK --restore-mark + +PreDown = iptables -t mangle -D PREROUTING -i %i -m conntrack --ctstate NEW -j CONNMARK --set-mark 1 +PreDown = iptables -t mangle -D PREROUTING -m conntrack --ctdir REPLY -j CONNMARK --restore-mark +PostDown = ip rule del fwmark 1 table 123 priority 455 +PostDown = ip rule del from 10.10.1.2 table 123 priority 456 + [Peer] PublicKey = r0XaxIE3AVud9Z42UPZF3mwoh2R0B0M1EUDY9cvuyDA= Endpoint = 192.3.44.243:41194 -AllowedIPs = 10.10.1.0/24 +AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 25 \ No newline at end of file 
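Review bot: The `ip rule` lines hard-code `10.10.1.2`, duplicating the `Address` line above them; rendering both from one Jinja variable, e.g. `Address = {{ wireguard_address }}/24` and `PreUp = ip rule add from {{ wireguard_address }} table 123 priority 456`, keeps them from drifting. The `PreUp`/`PostUp` hooks have no cleanup if `wg-quick up` fails part-way or the interface is torn down without `wg-quick down`, so stale `ip rule` and mangle entries can accumulate across runs; guarding each add with a matching `ip rule del ... 2>/dev/null || true` (or checking for the rule first) would make re-runs safe, though how much this matters depends on how the tunnel is restarted in practice. The combination of `Table = 123`, the fwmark rules and `AllowedIPs = 0.0.0.0/0` is policy routing so that replies to DNAT'ed mail connections go back over wg0 without a MASQUERADE on the server; that is non-obvious and deserves a short comment block at the top of `[Interface]` naming that purpose and the matching change in wg0.conf.server.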
diff --git a/playbooks/wireguard/wg0.conf.server b/playbooks/wireguard/wg0.conf.server index 9b3680e..694976a 100644 --- a/playbooks/wireguard/wg0.conf.server +++ b/playbooks/wireguard/wg0.conf.server @@ -7,11 +7,13 @@ PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-des PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 10.10.1.2:25 PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination 10.10.1.2:993 PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination 10.10.1.2:993 +PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination 10.10.1.2:465 +PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination 10.10.1.2:465 PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to-destination 10.10.1.2:587 PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to-destination 10.10.1.2:587 -PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE -PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE +#PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE +#PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE [Peer] PublicKey = oI69uWkbkwtpuIYxDNGmzg4nRjY1BIZFVFjZwguIvwE= diff --git a/playbooks/wireguard/wireguard.yml b/playbooks/wireguard/wireguard.yml index 46af56b..f208767 100644 --- a/playbooks/wireguard/wireguard.yml +++ b/playbooks/wireguard/wireguard.yml 
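Review bot: Commenting out the `MASQUERADE` lines changes how return traffic for the DNAT'ed ports (25, 465, 587, 993) gets back to the client: the source address is now preserved, so the peer at 10.10.1.2 must route replies through the tunnel itself, which is what the `Table = 123`/fwmark rules added to wg0.conf.j2 in this commit do. That coupling is invisible from this file; replace the two commented lines with an explanatory comment such as `# no MASQUERADE: client source IPs are preserved so DNSBL/fail2ban on 10.10.1.2 see the real sender; replies are policy-routed back via wg0 (see wg0.conf.j2)`. Preserving the source address also means the DNAT'ed packets must be accepted by this server's FORWARD chain for arbitrary sources, which this hunk does not show.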
@@ -24,14 +24,22 @@ name: wireguard state: present + - name: Down wg0 + changed_when: true + ansible.builtin.command: wg-quick down wg0 + - name: Copy wg0.conf ansible.builtin.template: src: wg0.conf.j2 dest: /etc/wireguard/wg0.conf mode: '0600' - - name: Start service - ansible.builtin.service: - name: wg-quick@wg0 - state: restarted - enabled: true + - name: Up wg0 + changed_when: true + ansible.builtin.command: wg-quick up wg0 + + # - name: Start service + # ansible.builtin.service: + # name: wg-quick@wg0 + # state: restarted + # enabled: true
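Review bot: `wg-quick down wg0` runs unconditionally with `changed_when: true` but no `failed_when`/`ignore_errors`, so on a host where the interface is not up (first run, or after a reboot) the command exits non-zero and the play stops before the template is even copied; guard it with `failed_when: false`, or gate it on a preceding `stat` of `/sys/class/net/wg0`. Replacing the `wg-quick@wg0` service task (which had `enabled: true`) with a bare `wg-quick up wg0` also drops boot persistence: with the service block commented out nothing brings the tunnel up after a reboot, and the mail DNAT path depends on it. Keeping the service enabled and restarting it after the template is copied would restore that; if the service was dropped because it conflicts with the new `PreUp`/`PostUp` hooks, record why in a comment instead of leaving the dead block. `changed_when: true` on both command tasks also makes every run report a change, hiding real drift.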