mailman wip

bundles/mailman/files/postfix.cf

@@ -0,0 +1,56 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
+# fresh installs.
+compatibility_level = 3.6
+
+
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+smtp_tls_session_cache_database = <%text>btree:${data_directory}/smtp_scache</%text>
+
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = ${hostname}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = $myhostname, localhost, localhost.localdomain, ${hostname}
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
+unknown_local_recipient_reject_code = 550
+owner_request_special = no
+
+transport_maps =
+    hash:/opt/mailman/mm/var/data/postfix_lmtp
+local_recipient_maps =
+    hash:/opt/mailman/mm/var/data/postfix_lmtp
+relay_domains =
+    hash:/opt/mailman/mm/var/data/postfix_domains

bundles/mailman/items.py

@@ -0,0 +1,34 @@
+files = {
+    '/etc/postfix/main.cf': {
+        'source': 'postfix.cf',
+        'content_type': 'mako',
+        'mode': '0644',
+        'context': {
+            'hostname': node.metadata.get('mailman/hostname'),
+        },
+        'needs': {
+            'pkg_apt:postfix',
+        },
+        'triggers': {
+            'svc_systemd:postfix.service:restart',
+        },
+    }
+}
+
+svc_systemd = {
+    'postfix.service': {
+        'needs': {
+            'pkg_apt:postfix',
+        },
+    },
+    'mailman3.service': {
+        'needs': {
+            'pkg_apt:mailman3-full',
+        },
+    },
+    'mailman3-web.service': {
+        'needs': {
+            'pkg_apt:mailman3-full',
+        },
+    },
+}

bundles/mailman/metadata.py

@@ -0,0 +1,29 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'mailman3-full': {},
+            'postfix': {},
+            'apache2': {
+                'installed': False,
+                'needs': {
+                    'pkg_apt:mailman3-full',
+                },
+            },
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'nginx/vhosts',
+)
+def nginx(metadata):
+    return {
+        'nginx': {
+            'vhosts': {
+                metadata.get('mailman/hostname'): {
+                    'content': 'mailman/vhost.conf',
+                },
+            },
+        },
+    }

data/mailman/vhost.conf

@@ -0,0 +1,31 @@
+upstream mailman3 {
+    server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name ${server_name};
+
+  ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+
+    server_tokens off;
+
+    location / {
+        uwsgi_pass mailman3;
+        include /etc/nginx/params/uwsgi;
+    }
+
+    location /mailman3/static {
+        alias /var/lib/mailman3/web/static;
+    }
+
+    location /mailman3/static/favicon.ico {
+        alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
+    }
+
+#    return 301 https://$server_name$request_uri;
+    access_log /var/log/nginx/mailman3/access.log combined;
+    error_log /var/log/nginx/mailman3/error.log;
+}

nodes/htz.mails.py

@@ -200,6 +200,11 @@
                         '10.0.228.0/24',
                     ],
                 },
+                'mseibert.mailman': {
+                    'allowed_ips': [
+                        '10.0.229.0/24',
+                    ],
+                },
             },
             'clients': {
                 'macbook': {

nodes/mseibert.mailman.py

@@ -0,0 +1,67 @@
+# https://teamvault.apps.seibert-media.net/secrets/mkqMRv/
+# https://console.hetzner.cloud/projects/889138/servers/46578341
+
+# mailman.ckn.li
+
+{
+    'hostname': '91.99.123.176',
+    'groups': [
+        #'backup',
+        'debian-12',
+        #'monitored',
+        'webserver',
+    ],
+    'bundles': [
+        'mailman',
+        #'wireguard',
+        #'zfs',
+    ],
+    'metadata': {
+        'id': '854cb39f-d964-4cc7-9051-ba6574708820',
+        'network': {
+            'internal': {
+                'interface': 'ens10',
+                'ipv4': '10.0.229.2/24',
+            },
+            'external': {
+                'interface': 'eth0',
+                'ipv4': '91.99.123.176/32',
+                'gateway4': '172.31.1.1',
+                'ipv6': '2a01:4f8:c013:2030::2/64',
+                'gateway6': 'fe80::1',
+            },
+        },
+        'mailman': {
+            'hostname': 'mailman.ckn.li',
+        },
+        'overwrite_nameservers': [
+            '8.8.8.8',
+        ],
+        'vm': {
+            'cores': 2,
+            'ram': 4096,
+        },
+        'wireguard': {
+            'my_ip': '172.30.0.240/32',
+            's2s': {
+                'htz.mails': {
+                    'allowed_ips': [
+                        '10.0.0.0/24',
+                        '10.0.2.0/24',
+                        '10.0.9.0/24',
+                        '10.0.10.0/24',
+                    ],
+                },
+            },
+        },
+        'zfs': {
+            'pools': {
+                'tank': {
+                    'devices': [
+                        '/var/lib/zfs_file',
+                    ],
+                },
+            },
+        },
+    },
+}