First attempt to make maddy run

main
Nick Thomas 2019-05-11 21:58:16 +01:00
parent 410a4446f5
commit fabd4b08fb
Signed by: lupine
GPG Key ID: 1F1A7ECCCFE0B92F
8 changed files with 156 additions and 0 deletions


@ -4,11 +4,15 @@ endgame.ur.gs backup_role=client
[database]
ur.gs
maddy.email
[dns]
outpost.ur.gs dns_role=slave
endgame.ur.gs dns_role=master
[maddy]
maddy.email domain=maddy.email
[ur_gs]
ur.gs domain=ur.gs

playbooks/maddy.yaml Normal file

@ -0,0 +1,5 @@
- hosts: maddy
roles:
- caddy
- maddy
tags: maddy


@ -0,0 +1,40 @@
[Unit]
Description=Maddy email server
Documentation=https://github.com/emersion/maddy
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Restart=on-failure
; User and group the process will run as.
User=maddy
Group=maddy
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/maddy
ExecReload=/bin/kill -USR1 $MAINPID
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified maddy is not expected to use more than that.
LimitNPROC=64
; Use private /tmp and /var/tmp, which are discarded after maddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; ... except /var/lib/maddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/var/lib/maddy
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
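Review bot: The comment above ExecStart, `; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.`, describes a Caddy flag that this ExecStart does not pass, and the ReadWriteDirectories comment says Letsencrypt certificates live in /var/lib/maddy while the maddy.conf template in this same commit reads its certificate and key from /etc/maddy; both read as carried over from a Caddy unit and now misdescribe this service. Replace the first with `; maddy reads its configuration from /etc/maddy, which is read-only under ProtectSystem=full.` and the second with `; ... except /var/lib/maddy, the maddy account's home directory, which stays writable for runtime state.` The ExecReload line looks inherited as well; whether maddy reloads on SIGUSR1 is not shown anywhere in this commit, so confirm it before relying on it or drop the line. The rest of the hardening (CAP_NET_BIND_SERVICE only, NoNewPrivileges, PrivateTmp, PrivateDevices, ProtectHome) is a sound baseline for a daemon binding ports 25/465/587/143/993.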


@ -0,0 +1,54 @@
---
- name: Install maddy binary
copy:
dest: /usr/local/bin/maddy
src: "{{ inventory_dir }}/vendor/maddy"
owner: root
group: root
mode: 0755
- name: Create maddy group
group:
name: maddy
system: True
- name: Create maddy user
user:
name: maddy
system: True
group: maddy
home: /var/lib/maddy
shell: /bin/bash
- name: Create /etc/maddy
file:
path: /etc/maddy
state: directory
owner: maddy
group: maddy
mode: 0755
- name: Install maddy config
template:
dest: /etc/maddy/maddy.conf
src: etc/maddy/maddy.conf.tmpl
owner: maddy
group: maddy
mode: 0644
- name: Add Maddy systemd unit
copy:
dest: /etc/systemd/system/maddy.service
src: "{{ role_path }}/files/maddy.service"
owner: root
group: root
mode: 0755
notify: reload systemd
- name: Enable and start maddy
service:
name: maddy
enabled: yes
state: started
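Review bot: The "Create maddy user" task gives the service account `shell: /bin/bash` although the account exists only to run the daemon and own /etc/maddy and /var/lib/maddy; use `shell: /usr/sbin/nologin` so a compromise of the account or a leaked credential cannot become an interactive login. The "Add Maddy systemd unit" task installs the unit with `mode: 0755`, but a unit file is data and `mode: "0644"` is sufficient; the other `mode:` values should be quoted strings too, as Ansible documents, so YAML octal handling cannot change their meaning. `system: True` and `enabled: yes` should be the canonical `true`. The task also notifies `reload systemd`, and none of the eight files in this commit defines a handler of that name; unless another role in the play provides it, the play fails on the first changed run, so a handler in this role using the `systemd` module with `daemon_reload: true` would make the role self-contained.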


@ -0,0 +1,2 @@
---
- include: install.yaml


@ -0,0 +1,45 @@
# Location of TLS certificate and private key. Global directive is used for all
# endpoints.
tls /etc/maddy/maddy.crt.pem /etc/maddy/maddy.key.pem
# hostname is used in several places, mainly in greeting for IMAP and SMTP.
hostname {{ domain }}
log stderr
# Create and initialize sql module, it provides simple authentication and
# storage backend using one database for everything.
sql {
driver postgres
dsn "user=maddy dbname=maddy_prod host=/run/postgresql"
}
smtp smtp://[::]:25 {
auth sql
# Verify that hostname in EHLO/HELO resolves to the source IP. Fail if it is not.
filter check_source_hostname
# Deliver all mail into sql module storage
destination {{ domain }} {
deliver sql
}
}
submission smtps://[::]:465 smtp://[::]:587 {
# Use sql module for authentication.
auth sql
# Deliver all mail for @example.org into sql module storage.
destination {{ domain }} {
deliver sql
}
# No remote delivery is implemented now, just deliver it to /dev/null for now.
deliver out-queue
}
imap imaps://[::]:993 imap://[::]:143 {
auth sql
storage sql
}
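Review bot: In the submission block the comment `# No remote delivery is implemented now, just deliver it to /dev/null for now.` contradicts the directive below it, `deliver out-queue`, so a reader cannot tell whether mail from authenticated users is queued or discarded; if queuing is the intent, reword it to `# Outbound mail is handed to out-queue; remote delivery is not configured yet.` and verify what out-queue does with it, since that behaviour is not visible in this commit. The `# Deliver all mail for @example.org ...` comment above the submission destination is left over from the upstream example and should refer to `{{ domain }}`, as the smtp block's comment already does. The `tls` line expects /etc/maddy/maddy.crt.pem and /etc/maddy/maddy.key.pem, and nothing in this commit's files places those two files or restricts the key to the maddy user, so the service will presumably not start until a task (or at least a role comment) covers them. The `dsn` uses the local socket with no password, which keeps a secret out of this 0644 config file; if a TCP host is ever added, the credential should come from a vaulted variable rather than this template.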


@ -3,5 +3,6 @@
- include: playbooks/database.yaml
- include: playbooks/dns.yaml
- include: playbooks/maddy.yaml
- include: playbooks/ur_gs.yaml
- include: playbooks/vpn.yaml


@ -0,0 +1,5 @@
{{ domain }} {
root /var/lib/caddy/{{ domain }}/public
log stderr
}