First attempt to make maddy run

inventory

@@ -4,11 +4,15 @@ endgame.ur.gs backup_role=client
 
 [database]
 ur.gs
+maddy.email
 
 [dns]
 outpost.ur.gs dns_role=slave
 endgame.ur.gs dns_role=master
 
+[maddy]
+maddy.email domain=maddy.email
+
 [ur_gs]
 ur.gs domain=ur.gs
 

playbooks/maddy.yaml

@@ -0,0 +1,5 @@
+- hosts: maddy
+  roles:
+    - caddy
+    - maddy
+  tags: maddy

roles/maddy/files/maddy.service

@@ -0,0 +1,40 @@
+[Unit]
+Description=Maddy email server
+Documentation=https://github.com/emersion/maddy
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Restart=on-failure
+
+; User and group the process will run as.
+User=maddy
+Group=maddy
+
+; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart=/usr/local/bin/maddy
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified maddy is not expected to use more than that.
+LimitNPROC=64
+
+; Use private /tmp and /var/tmp, which are discarded after maddy stops.
+PrivateTmp=true
+; Use a minimal /dev
+PrivateDevices=true
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; ... except /var/lib/maddy, because we want Letsencrypt-certificates there.
+;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/var/lib/maddy
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target

roles/maddy/tasks/install.yaml

@@ -0,0 +1,54 @@
+---
+
+- name: Install maddy binary
+  copy:
+    dest: /usr/local/bin/maddy
+    src: "{{ inventory_dir }}/vendor/maddy"
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Create maddy group
+  group:
+    name: maddy
+    system: True
+
+- name: Create maddy user
+  user:
+    name: maddy
+    system: True
+    group: maddy
+    home: /var/lib/maddy
+    shell: /bin/bash
+
+- name: Create /etc/maddy
+  file:
+    path: /etc/maddy
+    state: directory
+    owner: maddy
+    group: maddy
+    mode: 0755
+
+- name: Install maddy config
+  template:
+    dest: /etc/maddy/maddy.conf
+    src: etc/maddy/maddy.conf.tmpl
+    owner: maddy
+    group: maddy
+    mode: 0644
+
+- name: Add Maddy systemd unit
+  copy:
+    dest: /etc/systemd/system/maddy.service
+    src: "{{ role_path }}/files/maddy.service"
+    owner: root
+    group: root
+    mode: 0755
+  notify: reload systemd
+
+- name: Enable and start maddy
+  service:
+    name: maddy
+    enabled: yes
+    state: started
+

roles/maddy/tasks/main.yaml

@@ -0,0 +1,2 @@
+---
+- include: install.yaml

roles/maddy/templates/etc/maddy/maddy.conf.tmpl

@@ -0,0 +1,45 @@
+# Location of TLS certificate and private key. Global directive is used for all
+# endpoints.
+tls /etc/maddy/maddy.crt.pem /etc/maddy/maddy.key.pem
+
+# hostname is used in several places, mainly in greeting for IMAP and SMTP.
+hostname {{ domain }}
+
+log stderr
+
+# Create and initialize sql module, it provides simple authentication and
+# storage backend using one database for everything.
+sql {
+    driver postgres
+    dsn "user=maddy dbname=maddy_prod host=/run/postgresql"
+}
+
+smtp smtp://[::]:25 {
+    auth sql
+
+    # Verify that hostname in EHLO/HELO resolves to the source IP. Fail if it is not.
+    filter check_source_hostname
+
+    # Deliver all mail into sql module storage
+    destination {{ domain }} {
+        deliver sql
+    }
+}
+
+submission smtps://[::]:465 smtp://[::]:587 {
+    # Use sql module for authentication.
+    auth sql
+
+    # Deliver all mail for @example.org into sql module storage.
+    destination {{ domain }} {
+        deliver sql
+    }
+
+    # No remote delivery is implemented now, just deliver it to /dev/null for now.
+    deliver out-queue
+}
+
+imap imaps://[::]:993 imap://[::]:143 {
+    auth sql
+    storage sql
+}

site.yaml

@@ -3,5 +3,6 @@
 
 - include: playbooks/database.yaml
 - include: playbooks/dns.yaml
+- include: playbooks/maddy.yaml
 - include: playbooks/ur_gs.yaml
 - include: playbooks/vpn.yaml

templates/caddy/maddy.email.Caddyfile.tmpl

@@ -0,0 +1,5 @@
+{{ domain }} {
+  root /var/lib/caddy/{{ domain }}/public
+  log stderr
+
+}