Commit 67cec5f1 authored by Chris Croome's avatar Chris Croome

Lots of old, unneeded code removed

parent e18d35fd
......@@ -20,6 +20,7 @@ using keys by adding your keys to `/root/.ssh/authorized_keys`, edit
```bash
export SERVERNAME="webarch.email"
ansible-galaxy install -r requirements.yml --force -p roles
ansible-playbook mailcow.yml -u root -i ${SERVERNAME}, -e "hostname=${SERVERNAME}"
```
......@@ -6,14 +6,12 @@
distro: stretch
nameserver_1: 81.95.52.30
nameserver_2: 81.95.52.27
docker_compose_version: 1.22.0
# If this isn't defined or isn't set to True then a Munin node won't be configured
munin_node_install: True
vars_prompt:
- name: "docker_compose_version"
prompt: "The Docker Compose version from https://github.com/docker/compose/releases"
private: no
default: "1.14.0"
- name: "passwd_reminder"
prompt: "If this is a first run you MUST complete the following password fields:"
private: no
......@@ -31,16 +29,8 @@
roles:
- docker
- docker-compose
- mailcow
# - letsencrypt mailcow now provisions let's encrypt certs
- dovecot
- rspamd
# Syslog was throwing errors and there is now a web interface to view some
# logs
# - syslog
- postfix
- theme
- resolv
- munin-node
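Review bot: `munin_node_install: True` in the first hunk (the `-6,14 +6,12` one) uses a YAML 1.1-style capitalised boolean that yamllint's `truthy` rule and YAML 1.2 parsers reject; Ansible tolerates it, but `munin_node_install: true` is the portable spelling, and the comment above it should say `true` rather than `True` to match. The same hunk replaces the interactive `vars_prompt` for `docker_compose_version` with the pinned value `1.22.0`, which is a good change, but the role that consumes it now appears to be pulled in via `requirements.yml` rather than living in this repository, so it is worth confirming that role verifies the downloaded binary with a checksum rather than trusting the GitHub release URL alone. Quoting the pin as `docker_compose_version: "1.22.0"` would also guard against a future value such as `1.3` being read as a float.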
---
# https://docs.docker.com/compose/install/
- name: Get the kernel name
command: uname -s
register: kernel_name
- debug:
msg: "Kernel name: {{ kernel_name.stdout }}"
- name: Get the machine hardware
command: uname -m
register: machine_hardware
- debug:
msg: "Machine hardware: {{ machine_hardware.stdout }}"
- debug:
msg: "About to fetch https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-{{ kernel_name.stdout }}-{{ machine_hardware.stdout }}"
- name: Docker Compose version {{ docker_compose_version }} installed
get_url:
url: "https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-{{ kernel_name.stdout }}-{{ machine_hardware.stdout }}"
dest: /usr/local/bin/docker-compose
force: yes
backup: yes
mode: 0755
- name: Docker Compose Bash completion in place
get_url:
url: "https://raw.githubusercontent.com/docker/compose/{{ docker_compose_version }}/contrib/completion/bash/docker-compose"
dest: /etc/bash_completion.d/docker-compose
force: yes
backup: yes
mode: 0644
---
- name: Update apt package list
apt:
update_cache: yes
- name: Check if the Webarchitects logchange script is installed
command: which logchange
register: logchange
- block:
- name: Get a list of the updates
shell: "apt-show-versions -b -u | xargs"
register: apt_updates
- name: Record the updates in the /root/Changelog
command: 'logchange "{{ apt_updates.stdout }} : updated"'
when: apt_updates.stdout != ""
when: logchange.stdout != ""
- name: Update all packages
apt:
upgrade: dist
autoclean: yes
- name: Check if the Munin apt state file exists
stat:
path: "/var/lib/munin-node/plugin-state/nobody/plugin-apt.state"
register: munin_apt_state
- block:
- name: Delete the Munin apt state file
file:
dest: "/var/lib/munin-node/plugin-state/nobody/plugin-apt.state"
state: absent
- name: Update the Munin apt state file
command: munin-run apt_all
when: munin_apt_state.stat.exists == True
---
# https://docs.docker.com/engine/installation/linux/debian/
- name: Git and APT HTTPS packages installed
apt:
pkg: "{{ item }}"
state: latest
update_cache: yes
with_items:
- apt-transport-https
- ca-certificates
- curl
- git
- software-properties-common
- name: Docker GPG key present
apt_key:
id: 0EBFCD88
url: https://download.docker.com/linux/debian/gpg
state: present
- block:
- name: Docker APT repo available
apt_repository:
filename: docker
repo: "deb https://download.docker.com/linux/debian {{ distro }} stable"
state: present
when: ( distro == 'jessie' ) or ( distro == 'stretch' )
- name: Docker CE installed
apt:
name: docker-ce
state: present
update_cache: yes
- name: Docker DNS servers configured
template:
src: templates/daemon.json.j2
dest: /etc/docker/daemon.json
- name: Docker started
service:
name: docker
state: started
default_vsz_limit = 8192 M
default_client_limit = 20000
default_process_limit = 20000
auth_mechanisms = plain login
#mail_debug = yes
log_path = syslog
disable_plaintext_auth = yes
# Uncomment on NFS share
#mmap_disable = yes
#mail_fsync = always
#mail_nfs_index = yes
#mail_nfs_storage = yes
login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/
mail_plugins = quota acl zlib #mail_crypt
ssl_protocols = !SSLv3
ssl_prefer_server_ciphers = yes
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
ssl_options = no_compression
# Automatically regenerates every week
ssl_dh_parameters_length = 2048
log_timestamp = "%Y-%m-%d %H:%M:%S "
recipient_delimiter = +
auth_master_user_separator = *
mail_prefetch_count = 30
passdb {
driver = passwd-file
args = /usr/local/etc/dovecot/dovecot-master.passwd
master = yes
pass = yes
}
passdb {
args = /usr/local/etc/dovecot/sql/dovecot-mysql.conf
driver = sql
}
namespace inbox {
inbox = yes
location =
separator = /
mailbox "Trash" {
auto = subscribe
special_use = \Trash
}
mailbox "Deleted Messages" {
special_use = \Trash
}
mailbox "Deleted Items" {
special_use = \Trash
}
mailbox "Gelöschte Objekte" {
special_use = \Trash
}
mailbox "Papierkorb" {
special_use = \Trash
}
mailbox "Itens Excluidos" {
special_use = \Trash
}
mailbox "Itens Excluídos" {
special_use = \Trash
}
mailbox "Lixeira" {
special_use = \Trash
}
mailbox "Prullenbak" {
special_use = \Trash
}
mailbox "Verwijderde items" {
special_use = \Trash
}
mailbox "Archive" {
auto = subscribe
special_use = \Archive
}
mailbox "Archiv" {
special_use = \Archive
}
mailbox "Archives" {
special_use = \Archive
}
mailbox "Arquivo" {
special_use = \Archive
}
mailbox "Arquivos" {
special_use = \Archive
}
mailbox "Archief" {
special_use = \Archive
}
mailbox "Sent" {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox "Sent Items" {
special_use = \Sent
}
mailbox "Gesendet" {
special_use = \Sent
}
mailbox "Gesendete Objekte" {
special_use = \Sent
}
mailbox "Itens Enviados" {
special_use = \Sent
}
mailbox "Enviados" {
special_use = \Sent
}
mailbox "Verzonden items" {
special_use = \Sent
}
mailbox "Verzonden" {
special_use = \Sent
}
mailbox "Drafts" {
auto = subscribe
special_use = \Drafts
}
mailbox "Entwürfe" {
special_use = \Drafts
}
mailbox "Rascunhos" {
special_use = \Drafts
}
mailbox "Concepten" {
special_use = \Drafts
}
mailbox "Junk" {
auto = subscribe
special_use = \Junk
}
mailbox "Junk-E-mail" {
special_use = \Junk
}
mailbox "Junk E-mail" {
special_use = \Junk
}
mailbox "Spam" {
special_use = \Junk
}
mailbox "Lixo Eletrônico" {
special_use = \Junk
}
mailbox "Ongewenste e-mail" {
special_use = \Junk
}
prefix =
}
namespace {
type = shared
separator = /
prefix = Shared/%%u/
location = maildir:%%h/:INDEXPVT=~/Shared/%%u
subscriptions = no
list = yes
}
protocols = imap sieve lmtp pop3
service dict {
unix_listener dict {
mode = 0660
user = vmail
group = vmail
}
}
service auth {
client_limit = 30000
inet_listener auth-inet {
port = 10001
}
unix_listener auth-master {
mode = 0600
user = vmail
}
unix_listener auth-userdb {
mode = 0600
user = vmail
}
user = root
}
service anvil {
client_limit = 30000
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
service_count = 1
process_min_avail = 10
vsz_limit = 2048M
}
service imap {
executable = imap imap-postlogin
}
service managesieve {
process_limit = 25600
}
service lmtp {
inet_listener lmtp-inet {
port = 24
}
user = vmail
}
listen = *,[::]
ssl_cert = </etc/ssl/mail/cert.pem
ssl_key = </etc/ssl/mail/key.pem
userdb {
args = /usr/local/etc/dovecot/sql/dovecot-mysql.conf
driver = sql
}
protocol imap {
mail_plugins = quota imap_quota imap_acl acl zlib imap_zlib imap_sieve #mail_crypt
}
protocol lmtp {
mail_plugins = quota sieve acl zlib #mail_crypt
auth_socket_path = /usr/local/var/run/dovecot/auth-master
}
protocol sieve {
managesieve_logout_format = bytes=%i/%o
}
plugin {
acl_anyone = allow
acl_shared_dict = file:/var/vmail/shared-mailboxes.db
acl = vfile
quota = dict:Userquota::proxy::sqlquota
quota_rule2 = Trash:storage=+100%%
sieve = /var/vmail/sieve/%u.sieve
sieve_plugins = sieve_imapsieve sieve_extprograms
# From elsewhere to Spam folder
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
# END
# From Spam folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
# END
sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
sieve_after = /var/vmail/sieve/global.sieve
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 0
#mail_crypt_global_private_key = </mail_crypt/ecprivkey.pem
#mail_crypt_global_public_key = </mail_crypt/ecpubkey.pem
#mail_crypt_save_version = 2
}
dict {
sqlquota = mysql:/usr/local/etc/dovecot/sql/dovecot-dict-sql.conf
}
remote 127.0.0.1 {
disable_plaintext_auth = no
}
submission_host = postfix:588
mail_max_userip_connections = 10000
service imap-postlogin {
executable = script-login /usr/local/bin/postlogin.sh
unix_listener imap-postlogin {
}
}
# https://wiki2.dovecot.org/LoginProcess
service imap-login {
service_count = 1
#process_min_avail = 0
process_min_avail = 10
#process_limit = $default_process_limit
process_limit = 30000
#vsz_limit = 64M
vsz_limit = 2048M
}
---
# check the settings with, cd /var/mailcow
# docker-compose exec dovecot-mailcow doveconf -a | vim -
# and for nicer formatting:
# docker-compose exec dovecot-mailcow doveconf -n | vim -
- name: Custom dovecot.conf configuration in place
copy:
src: files/dovecot.conf
dest: /var/mailcow/data/conf/dovecot/dovecot.conf
owner: mailcow
group: mailcow
mode: 0644
- name: Restart the Dovecot container
command: docker-compose restart dovecot-mailcow
args:
chdir: /var/mailcow
become: yes
become_user: mailcow
#!/bin/bash
cd /var/mailcow
sudo -u mailcow docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
---
- name: Acme.sh git repo cloned / updated
git:
repo: https://github.com/Neilpang/acme.sh.git
dest: /root/acme.sh
update: yes
- name: Acme.sh installed / updated
shell: /root/acme.sh/acme.sh --install
args:
chdir: /root/acme.sh
executable: /bin/bash
- name: Nginx set to redirect to HTTPS
blockinfile:
dest: /var/mailcow/data/conf/nginx/site.conf
block: |
server {
listen 80;
server_name autoconfig.*;
root /web;
location /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
}
location / {
return 301 https://autoconfig.{{ hostname }}$request_uri;
}
}
server {
listen 80;
server_name autodiscover.*;
root /web;
location /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
}
location / {
return 301 https://autodiscover.{{ hostname }}$request_uri;
}
}
server {
listen 80 default_server;
server_name {{ hostname }} www.{{ hostname }} autodiscover.{{ hostname }} autoconfig.{{ hostname }};
root /web;
location /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
}
location /.well-known/autoconfig/mail/ {
allow all;
default_type "text/xml";
}
location / {
return 301 https://{{ hostname }}$request_uri;
}
}
insertbefore: BOF
become: yes
become_user: mailcow
- name: HTTP/2 Enabled
lineinfile:
line: "listen ${HTTPS_PORT} http2;"
state: present
regexp: "^listen"
dest: /var/mailcow/data/conf/nginx/templates/listen_ssl.template
- name: Docker Nginx restarted
command: docker-compose restart nginx-mailcow
args:
chdir: /var/mailcow
become: yes
become_user: mailcow
- name: Reload services after cert change script in place
copy:
src: files/le-reload.sh
dest: /usr/local/bin/le-reload
mode: 0755
- name: Stat /root/.acme.sh/{{ hostname }}/{{ hostname }}.cer
stat:
path: "/root/.acme.sh/{{ hostname }}/{{ hostname }}.cer"
register: le_cert_exists
- name: Stat /var/mailcow/data/assets/ssl/cert.pem
stat:
path: /var/mailcow/data/assets/ssl/cert.pem
register: le_cert_installed
- name: Check the server IP address
command: hostname -i
register: hostname_ip
- debug:
msg: "The results of `hostname -i`: {{ hostname_ip.stdout }}"
- name: Check the IP address of {{ hostname }}
command: dig @8.8.8.8 {{ hostname }} +short
register: hostname_dig_ip
- debug:
msg: "The results of `dig @8.8.8.8 {{ hostname }} +short`: {{ hostname_dig_ip.stdout }}"
- name: Fail if {{ hostname }} doesn't resolve to {{ hostname_ip.stdout }}
fail:
msg: "The hostname, {{ hostname }} needs to resolve to the server ip address, {{ hostname_ip.stdout }}"
when: hostname_dig_ip.stdout != hostname_ip.stdout
- name: Check the IP address of www.{{ hostname }}
command: dig @8.8.8.8 www.{{ hostname }} +short
register: www_hostname_dig_ip
- debug:
msg: "The results of `dig @8.8.8.8 www.{{ hostname }} +short`: {{ www_hostname_dig_ip.stdout }}"
- name: Fail if www.{{ hostname }} doesn't resolve to {{ hostname_ip.stdout }}
fail:
msg: "The hostname, www.{{ hostname }} needs to resolve to the server ip address, {{ hostname_ip.stdout }}"
when: www_hostname_dig_ip.stdout != hostname_ip.stdout
- name: Check the IP address of autodiscover.{{ hostname }}
command: dig @8.8.8.8 autodiscover.{{ hostname }} +short
register: autodiscover_hostname_dig_ip
- debug:
msg: "The results of `dig @8.8.8.8 autodiscover.{{ hostname }} +short`: {{ autodiscover_hostname_dig_ip.stdout }}"
- name: Fail if autodiscover.{{ hostname }} doesn't resolve to {{ hostname_ip.stdout }}
fail:
msg: "The hostname, autodiscover.{{ hostname }} needs to resolve to the server ip address, {{ hostname_ip.stdout }}"
when: autodiscover_hostname_dig_ip.stdout != hostname_ip.stdout
- name: Check the IP address of autoconfig.{{ hostname }}
command: dig @8.8.8.8 autoconfig.{{ hostname }} +short
register: autoconfig_hostname_dig_ip
- debug:
msg: "The results of `dig @8.8.8.8 autoconfig.{{ hostname }} +short`: {{ autoconfig_hostname_dig_ip.stdout }}"
- name: Fail if autoconfig.{{ hostname }} doesn't resolve to {{ hostname_ip.stdout }}
fail:
msg: "The hostname, autodiscover.{{ hostname }} needs to resolve to the server ip address, {{ hostname_ip.stdout }}"
when: autoconfig_hostname_dig_ip.stdout != hostname_ip.stdout
- block: