First attempt to make maddy run
parent
410a4446f5
commit
fabd4b08fb
|
@ -4,11 +4,15 @@ endgame.ur.gs backup_role=client
|
|||
|
||||
[database]
|
||||
ur.gs
|
||||
maddy.email
|
||||
|
||||
[dns]
|
||||
outpost.ur.gs dns_role=slave
|
||||
endgame.ur.gs dns_role=master
|
||||
|
||||
[maddy]
|
||||
maddy.email domain=maddy.email
|
||||
|
||||
[ur_gs]
|
||||
ur.gs domain=ur.gs
|
||||
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
- hosts: maddy
|
||||
roles:
|
||||
- caddy
|
||||
- maddy
|
||||
tags: maddy
|
|
@ -0,0 +1,40 @@
|
|||
[Unit]
|
||||
Description=Maddy email server
|
||||
Documentation=https://github.com/emersion/maddy
|
||||
After=network-online.target
|
||||
Wants=network-online.target systemd-networkd-wait-online.service
|
||||
|
||||
[Service]
|
||||
Restart=on-failure
|
||||
|
||||
; User and group the process will run as.
|
||||
User=maddy
|
||||
Group=maddy
|
||||
|
||||
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
|
||||
ExecStart=/usr/local/bin/maddy
|
||||
ExecReload=/bin/kill -USR1 $MAINPID
|
||||
|
||||
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
|
||||
LimitNOFILE=1048576
|
||||
; Unmodified maddy is not expected to use more than that.
|
||||
LimitNPROC=64
|
||||
|
||||
; Use private /tmp and /var/tmp, which are discarded after maddy stops.
|
||||
PrivateTmp=true
|
||||
; Use a minimal /dev
|
||||
PrivateDevices=true
|
||||
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
|
||||
ProtectHome=true
|
||||
; Make /usr, /boot, /etc and possibly some more folders read-only.
|
||||
ProtectSystem=full
|
||||
; ... except /var/lib/maddy, because we want Letsencrypt-certificates there.
|
||||
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
|
||||
ReadWriteDirectories=/var/lib/maddy
|
||||
|
||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
NoNewPrivileges=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
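Review bot: The comment above `ExecStart` (`Always set "-root" to something safe in case it gets forgotten in the Caddyfile`) and the Letsencrypt remark on `ReadWriteDirectories` look carried over from a Caddy unit: this `ExecStart` passes no `-root`, and the config template in this commit points `tls` at `/etc/maddy/*.pem`, not `/var/lib/maddy`; replace them with `; Runs without arguments; configuration is read from /etc/maddy/maddy.conf` and `; /var/lib/maddy is the maddy user's home/state directory; must exist and be writable on the host.` so the next reader is not misled. `ExecReload=/bin/kill -USR1 $MAINPID` is also the Caddy reload convention; nothing here establishes that maddy handles SIGUSR1, and an unhandled SIGUSR1 terminates the process, so either confirm it or drop the line rather than have `systemctl reload` kill the daemon. `ReadWriteDirectories=` is the older spelling of `ReadWritePaths=`; if the target hosts run a current systemd, `ProtectSystem=strict` plus `ReadWritePaths=/var/lib/maddy` would also make /var and /run read-only with the same carve-out, which fits the rest of this fairly tight sandbox.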
@ -0,0 +1,54 @@
|
|||
---
|
||||
|
||||
- name: Install maddy binary
|
||||
copy:
|
||||
dest: /usr/local/bin/maddy
|
||||
src: "{{ inventory_dir }}/vendor/maddy"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: Create maddy group
|
||||
group:
|
||||
name: maddy
|
||||
system: True
|
||||
|
||||
- name: Create maddy user
|
||||
user:
|
||||
name: maddy
|
||||
system: True
|
||||
group: maddy
|
||||
home: /var/lib/maddy
|
||||
shell: /bin/bash
|
||||
|
||||
- name: Create /etc/maddy
|
||||
file:
|
||||
path: /etc/maddy
|
||||
state: directory
|
||||
owner: maddy
|
||||
group: maddy
|
||||
mode: 0755
|
||||
|
||||
- name: Install maddy config
|
||||
template:
|
||||
dest: /etc/maddy/maddy.conf
|
||||
src: etc/maddy/maddy.conf.tmpl
|
||||
owner: maddy
|
||||
group: maddy
|
||||
mode: 0644
|
||||
|
||||
- name: Add Maddy systemd unit
|
||||
copy:
|
||||
dest: /etc/systemd/system/maddy.service
|
||||
src: "{{ role_path }}/files/maddy.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
notify: reload systemd
|
||||
|
||||
- name: Enable and start maddy
|
||||
service:
|
||||
name: maddy
|
||||
enabled: yes
|
||||
state: started
|
||||
|
|
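Review bot: The `maddy` service account is created with `shell: /bin/bash` although nothing in the role needs an interactive login for it; a user that exists only to run a daemon should get `shell: /usr/sbin/nologin` (or `/sbin/nologin`, whichever the target distribution ships) so a leaked credential or a stray sudo rule for that account cannot open a shell. The unit file is installed with `mode: 0755`, but systemd units are plain data and `mode: 0644` is the conventional permission. The config template installed by `Install maddy config` references `/etc/maddy/maddy.crt.pem` and `/etc/maddy/maddy.key.pem`, yet no task here provisions them, so `Enable and start maddy` will presumably fail on a fresh host until they arrive out-of-band — a task, or at least a comment stating where the key comes from and that it must be readable only by `maddy`, belongs here. The binary is copied straight from `vendor/maddy` with nothing pinning it; if the Ansible version in use supports it, a `checksum:` on that `copy` task would record which artifact is actually being deployed.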
@ -0,0 +1,2 @@
|
|||
---
|
||||
- include: install.yaml
|
|
@ -0,0 +1,45 @@
|
|||
# Location of TLS certificate and private key. Global directive is used for all
|
||||
# endpoints.
|
||||
tls /etc/maddy/maddy.crt.pem /etc/maddy/maddy.key.pem
|
||||
|
||||
# hostname is used in several places, mainly in greeting for IMAP and SMTP.
|
||||
hostname {{ domain }}
|
||||
|
||||
log stderr
|
||||
|
||||
# Create and initialize sql module, it provides simple authentication and
|
||||
# storage backend using one database for everything.
|
||||
sql {
|
||||
driver postgres
|
||||
dsn "user=maddy dbname=maddy_prod host=/run/postgresql"
|
||||
}
|
||||
|
||||
smtp smtp://[::]:25 {
|
||||
auth sql
|
||||
|
||||
# Verify that hostname in EHLO/HELO resolves to the source IP. Fail if it is not.
|
||||
filter check_source_hostname
|
||||
|
||||
# Deliver all mail into sql module storage
|
||||
destination {{ domain }} {
|
||||
deliver sql
|
||||
}
|
||||
}
|
||||
|
||||
submission smtps://[::]:465 smtp://[::]:587 {
|
||||
# Use sql module for authentication.
|
||||
auth sql
|
||||
|
||||
# Deliver all mail for @example.org into sql module storage.
|
||||
destination {{ domain }} {
|
||||
deliver sql
|
||||
}
|
||||
|
||||
# No remote delivery is implemented now, just deliver it to /dev/null for now.
|
||||
deliver out-queue
|
||||
}
|
||||
|
||||
imap imaps://[::]:993 imap://[::]:143 {
|
||||
auth sql
|
||||
storage sql
|
||||
}
|
|
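Review bot: The comment `just deliver it to /dev/null for now` above `deliver out-queue` contradicts the directive it annotates — an out-queue is an outbound delivery queue, not a sink — and the `Deliver all mail for @example.org` comment on the submission block is left over from the upstream example; change them to `# Mail for other domains goes to the outbound queue.` and `# Deliver all mail for {{ domain }} into sql module storage.`, or delete the `out-queue` line if no outbound delivery is intended yet. The `smtp://[::]:587` and `imap://[::]:143` endpoints are plaintext listeners next to the implicit-TLS ones; the global `tls` directive gives them a certificate, but nothing visible here shows that `auth sql` is refused until STARTTLS has completed, so confirm that against maddy's defaults or drop the plaintext ports. `auth sql` on the port-25 MX listener is likewise worth a second look, since inbound MTAs never authenticate and offering AUTH there only exposes user credentials to guessing on the public port.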
@ -3,5 +3,6 @@
|
|||
|
||||
- include: playbooks/database.yaml
|
||||
- include: playbooks/dns.yaml
|
||||
- include: playbooks/maddy.yaml
|
||||
- include: playbooks/ur_gs.yaml
|
||||
- include: playbooks/vpn.yaml
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
{{ domain }} {
|
||||
root /var/lib/caddy/{{ domain }}/public
|
||||
log stderr
|
||||
|
||||
}
|