8 changed files with 156 additions and 0 deletions
@ -0,0 +1,5 @@
|
||||
- hosts: maddy |
||||
roles: |
||||
- caddy |
||||
- maddy |
||||
tags: maddy |
@ -0,0 +1,40 @@
|
||||
[Unit] |
||||
Description=Maddy email server |
||||
Documentation=https://github.com/emersion/maddy |
||||
After=network-online.target |
||||
Wants=network-online.target systemd-networkd-wait-online.service |
||||
|
||||
[Service] |
||||
Restart=on-failure |
||||
|
||||
; User and group the process will run as. |
||||
User=maddy |
||||
Group=maddy |
||||
|
||||
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile. |
||||
ExecStart=/usr/local/bin/maddy |
||||
ExecReload=/bin/kill -USR1 $MAINPID |
||||
|
||||
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings. |
||||
LimitNOFILE=1048576 |
||||
; Unmodified maddy is not expected to use more than that. |
||||
LimitNPROC=64 |
||||
|
||||
; Use private /tmp and /var/tmp, which are discarded after maddy stops. |
||||
PrivateTmp=true |
||||
; Use a minimal /dev |
||||
PrivateDevices=true |
||||
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys. |
||||
ProtectHome=true |
||||
; Make /usr, /boot, /etc and possibly some more folders read-only. |
||||
ProtectSystem=full |
||||
; ... except /var/lib/maddy, because we want Letsencrypt-certificates there. |
||||
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host! |
||||
ReadWriteDirectories=/var/lib/maddy |
||||
|
||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE |
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE |
||||
NoNewPrivileges=true |
||||
|
||||
[Install] |
||||
WantedBy=multi-user.target |
@ -0,0 +1,54 @@
|
||||
--- |
||||
|
||||
- name: Install maddy binary |
||||
copy: |
||||
dest: /usr/local/bin/maddy |
||||
src: "{{ inventory_dir }}/vendor/maddy" |
||||
owner: root |
||||
group: root |
||||
mode: 0755 |
||||
|
||||
- name: Create maddy group |
||||
group: |
||||
name: maddy |
||||
system: True |
||||
|
||||
- name: Create maddy user |
||||
user: |
||||
name: maddy |
||||
system: True |
||||
group: maddy |
||||
home: /var/lib/maddy |
||||
shell: /bin/bash |
||||
|
||||
- name: Create /etc/maddy |
||||
file: |
||||
path: /etc/maddy |
||||
state: directory |
||||
owner: maddy |
||||
group: maddy |
||||
mode: 0755 |
||||
|
||||
- name: Install maddy config |
||||
template: |
||||
dest: /etc/maddy/maddy.conf |
||||
src: etc/maddy/maddy.conf.tmpl |
||||
owner: maddy |
||||
group: maddy |
||||
mode: 0644 |
||||
|
||||
- name: Add Maddy systemd unit |
||||
copy: |
||||
dest: /etc/systemd/system/maddy.service |
||||
src: "{{ role_path }}/files/maddy.service" |
||||
owner: root |
||||
group: root |
||||
mode: 0755 |
||||
notify: reload systemd |
||||
|
||||
- name: Enable and start maddy |
||||
service: |
||||
name: maddy |
||||
enabled: yes |
||||
state: started |
||||
|
@ -0,0 +1,45 @@
|
||||
# Location of TLS certificate and private key. Global directive is used for all |
||||
# endpoints. |
||||
tls /etc/maddy/maddy.crt.pem /etc/maddy/maddy.key.pem |
||||
|
||||
# hostname is used in several places, mainly in greeting for IMAP and SMTP. |
||||
hostname {{ domain }} |
||||
|
||||
log stderr |
||||
|
||||
# Create and initialize sql module, it provides simple authentication and |
||||
# storage backend using one database for everything. |
||||
sql { |
||||
driver postgres |
||||
dsn "user=maddy dbname=maddy_prod host=/run/postgresql" |
||||
} |
||||
|
||||
smtp smtp://[::]:25 { |
||||
auth sql |
||||
|
||||
# Verify that hostname in EHLO/HELO resolves to the source IP. Fail if it is not. |
||||
filter check_source_hostname |
||||
|
||||
# Deliver all mail into sql module storage |
||||
destination {{ domain }} { |
||||
deliver sql |
||||
} |
||||
} |
||||
|
||||
submission smtps://[::]:465 smtp://[::]:587 { |
||||
# Use sql module for authentication. |
||||
auth sql |
||||
|
||||
# Deliver all mail for @example.org into sql module storage. |
||||
destination {{ domain }} { |
||||
deliver sql |
||||
} |
||||
|
||||
# No remote delivery is implemented now, just deliver it to /dev/null for now. |
||||
deliver out-queue |
||||
} |
||||
|
||||
imap imaps://[::]:993 imap://[::]:143 { |
||||
auth sql |
||||
storage sql |
||||
} |
Loading…
Reference in new issue