diff --git a/bundles/mailman/files/postfix.cf b/bundles/mailman/files/postfix.cf
new file mode 100644
index 0000000..4060ed2
--- /dev/null
+++ b/bundles/mailman/files/postfix.cf
@@ -0,0 +1,56 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
+# fresh installs.
+compatibility_level = 3.6
+
+
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+smtp_tls_session_cache_database = <%text>btree:${data_directory}/smtp_scache
+
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = ${hostname}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = $myhostname, localhost, localhost.localdomain, ${hostname}
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
+unknown_local_recipient_reject_code = 550
+owner_request_special = no
+
+transport_maps =
+ hash:/opt/mailman/mm/var/data/postfix_lmtp
+local_recipient_maps =
+ hash:/opt/mailman/mm/var/data/postfix_lmtp
+relay_domains =
+ hash:/opt/mailman/mm/var/data/postfix_domains
diff --git a/bundles/mailman/items.py b/bundles/mailman/items.py
new file mode 100644
index 0000000..deae9a6
--- /dev/null
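Review bot: The `<%text>` opened on the `smtp_tls_session_cache_database` line is never closed, and items.py renders this file as Mako, so the template fails to parse (Mako reports an unclosed tag) instead of producing a main.cf; close it on the same line: `smtp_tls_session_cache_database = <%text>btree:${data_directory}/smtp_scache</%text>`. The three map files under `/opt/mailman/mm/var/data/` look like a from-source Mailman layout, whereas the rest of the commit targets the Debian `mailman3-full` package (the nginx vhost serves `/var/lib/mailman3/web/static`); if the maps are not at that path Postfix cannot open `local_recipient_maps` and defers every inbound recipient, so the location should be verified against where the packaged Mailman writes `postfix_lmtp` and `postfix_domains`. Separately, smtpd presents the self-signed snakeoil pair while the vhost in this commit already has a dehydrated certificate for the same hostname; pointing `smtpd_tls_cert_file`/`smtpd_tls_key_file` at that chain lets peers verify the server (the postfix process then needs read access to that key).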
+++ b/bundles/mailman/items.py
@@ -0,0 +1,34 @@
+files = {
+ '/etc/postfix/main.cf': {
+ 'source': 'postfix.cf',
+ 'content_type': 'mako',
+ 'mode': '0644',
+ 'context': {
+ 'hostname': node.metadata.get('mailman/hostname'),
+ },
+ 'needs': {
+ 'pkg_apt:postfix',
+ },
+ 'triggers': {
+ 'svc_systemd:postfix.service:restart',
+ },
+ }
+}
+
+svc_systemd = {
+ 'postfix.service': {
+ 'needs': {
+ 'pkg_apt:postfix',
+ },
+ },
+ 'mailman3.service': {
+ 'needs': {
+ 'pkg_apt:mailman3-full',
+ },
+ },
+ 'mailman3-web.service': {
+ 'needs': {
+ 'pkg_apt:mailman3-full',
+ },
+ },
+}
diff --git a/bundles/mailman/metadata.py b/bundles/mailman/metadata.py
new file mode 100644
index 0000000..cf223c4
--- /dev/null
+++ b/bundles/mailman/metadata.py
@@ -0,0 +1,29 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'mailman3-full': {},
+ 'postfix': {},
+ 'apache2': {
+ 'installed': False,
+ 'needs': {
+ 'pkg_apt:mailman3-full',
+ },
+ },
+ },
+ },
+}
+
+
+@metadata_reactor.provides(
+ 'nginx/vhosts',
+)
+def nginx(metadata):
+ return {
+ 'nginx': {
+ 'vhosts': {
+ metadata.get('mailman/hostname'): {
+ 'content': 'mailman/vhost.conf',
+ },
+ },
+ },
+ }
diff --git a/data/mailman/vhost.conf b/data/mailman/vhost.conf
new file mode 100644
index 0000000..6fc4af4
--- /dev/null
+++ b/data/mailman/vhost.conf
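Review bot: The `triggers` entry restarts postfix.service on every main.cf change, which aborts in-flight SMTP sessions, while Postfix re-reads main.cf on a reload; if the svc_systemd item in this BundleWrap version accepts it, `'svc_systemd:postfix.service:reload'` is the gentler trigger. Note also that `node.metadata.get('mailman/hostname')` has no default, so a node that enables this bundle without setting `mailman/hostname` fails at item-build time rather than with a clear message; a one-line comment naming that required key above the `files` dict would save the next user a stack trace.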
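Review bot: The `'apache2': {'installed': False, 'needs': {'pkg_apt:mailman3-full'}}` entry removes a package right after another one is installed, and nothing in the file says why; a comment such as `# mailman3-full presumably pulls in apache2 — remove it after install so nginx can own :443` records the intent and the ordering dependency (the "pulls in" part is my inference and should be confirmed against the package's dependencies). The `nginx` reactor could likewise carry a one-line docstring stating that it publishes one vhost per node under the `mailman/hostname` key, since `provides` lists only the output path.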
@@ -0,0 +1,31 @@
+upstream mailman3 {
+ server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ${server_name};
+
+ ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+
+ server_tokens off;
+
+ location / {
+ uwsgi_pass mailman3;
+ include /etc/nginx/params/uwsgi;
+ }
+
+ location /mailman3/static {
+ alias /var/lib/mailman3/web/static;
+ }
+
+ location /mailman3/static/favicon.ico {
+ alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
+ }
+
+# return 301 https://$server_name$request_uri;
+ access_log /var/log/nginx/mailman3/access.log combined;
+ error_log /var/log/nginx/mailman3/error.log;
+}
\ No newline at end of file
diff --git a/nodes/htz.mails.py b/nodes/htz.mails.py
index c033591..239c565 100644
--- a/nodes/htz.mails.py
+++ b/nodes/htz.mails.py
@@ -200,6 +200,11 @@
 '10.0.228.0/24',
 ],
 },
+ 'mseibert.mailman': {
+ 'allowed_ips': [
+ '10.0.229.0/24',
+ ],
+ },
 },
 'clients': {
 'macbook': {
diff --git a/nodes/mseibert.mailman.py b/nodes/mseibert.mailman.py
new file mode 100644
index 0000000..ef9cd1b
--- /dev/null
+++ b/nodes/mseibert.mailman.py
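Review bot: `location /mailman3/static { alias /var/lib/mailman3/web/static; }` is the prefix-location-plus-alias pattern without trailing slashes, so a request path that continues the prefix without a `/` is mapped to `/var/lib/mailman3/web/static` plus that suffix, which can resolve outside the static directory; both sides should end in `/`: `location /mailman3/static/ { alias /var/lib/mailman3/web/static/; }`. The favicon block below it is also a prefix match and is better declared exact, `location = /mailman3/static/favicon.ico { ... }`. Since this server block only listens on 443 and the redirect line is commented out, an `add_header Strict-Transport-Security "max-age=63072000" always;` in the server block would keep browsers on TLS, unless the `/etc/nginx/params/uwsgi` include (not in this commit) or a shared snippet already sets it.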
@@ -0,0 +1,67 @@
+# https://teamvault.apps.seibert-media.net/secrets/mkqMRv/
+# https://console.hetzner.cloud/projects/889138/servers/46578341
+
+# mailman.ckn.li
+
+{
+ 'hostname': '91.99.123.176',
+ 'groups': [
+ #'backup',
+ 'debian-12',
+ #'monitored',
+ 'webserver',
+ ],
+ 'bundles': [
+ 'mailman',
+ #'wireguard',
+ #'zfs',
+ ],
+ 'metadata': {
+ 'id': '854cb39f-d964-4cc7-9051-ba6574708820',
+ 'network': {
+ 'internal': {
+ 'interface': 'ens10',
+ 'ipv4': '10.0.229.2/24',
+ },
+ 'external': {
+ 'interface': 'eth0',
+ 'ipv4': '91.99.123.176/32',
+ 'gateway4': '172.31.1.1',
+ 'ipv6': '2a01:4f8:c013:2030::2/64',
+ 'gateway6': 'fe80::1',
+ },
+ },
+ 'mailman': {
+ 'hostname': 'mailman.ckn.li',
+ },
+ 'overwrite_nameservers': [
+ '8.8.8.8',
+ ],
+ 'vm': {
+ 'cores': 2,
+ 'ram': 4096,
+ },
+ 'wireguard': {
+ 'my_ip': '172.30.0.240/32',
+ 's2s': {
+ 'htz.mails': {
+ 'allowed_ips': [
+ '10.0.0.0/24',
+ '10.0.2.0/24',
+ '10.0.9.0/24',
+ '10.0.10.0/24',
+ ],
+ },
+ },
+ },
+ 'zfs': {
+ 'pools': {
+ 'tank': {
+ 'devices': [
+ '/var/lib/zfs_file',
+ ],
+ },
+ },
+ },
+ },
+}
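Review bot: The `'wireguard'` bundle is commented out in `bundles` while `metadata.wireguard.s2s['htz.mails']` is populated here and htz.mails.py gains the matching `'mseibert.mailman'` peer in the same commit; if the htz.mails side renders its peer list from this node's wireguard metadata (key, endpoint), it will get a peer with nothing to fill in or a failed lookup, so either enable the bundle here or hold both s2s entries until the tunnel is actually set up. `'backup'` and `'monitored'` are also disabled for a host that will hold list archives and subscriber data; if that is deliberate for bring-up, a short `# TODO: enable backup/monitored once <condition>` next to them keeps it from being forgotten. `overwrite_nameservers` lists a single resolver, so every outbound delivery depends on that one address being reachable; a second entry is cheap.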