aboutsummaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorbnewbold <bnewbold@robocracy.org>2022-06-22 18:41:36 -0700
committerbnewbold <bnewbold@robocracy.org>2022-06-22 18:41:36 -0700
commitdb539aade1b9daa4ba1b0347ed4cb0e39b0a2af4 (patch)
tree9584818df99934ffff6fe28ab236c929036e8c89 /roles
parent810d4269058feb550083f6032ffa63af185f9a8d (diff)
parentf6d3dac3b7b125f825c4a67d8f5dfeb22cd5dcc2 (diff)
downloadinfra-db539aade1b9daa4ba1b0347ed4cb0e39b0a2af4.tar.gz
infra-db539aade1b9daa4ba1b0347ed4cb0e39b0a2af4.zip
Merge branch 'master' of adze:infra
Diffstat (limited to 'roles')
-rw-r--r--roles/common/tasks/main.yml20
-rw-r--r--roles/debian_bullseye/defaults/main.yml2
-rw-r--r--roles/debian_bullseye/tasks/main.yml10
-rw-r--r--roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j24
-rw-r--r--roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j294
-rw-r--r--roles/debian_bullseye/templates/etc_apt_sources_list.j215
-rw-r--r--roles/mailserver/handlers/main.yml8
-rw-r--r--roles/mailserver/tasks/dovecot.yml39
-rw-r--r--roles/mailserver/tasks/main.yml6
-rw-r--r--roles/mailserver/tasks/postfix.yml18
-rw-r--r--roles/mailserver/tasks/rspamd.yml52
-rw-r--r--roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j226
-rw-r--r--roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j253
-rw-r--r--roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j248
-rw-r--r--roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j264
-rw-r--r--roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2138
-rw-r--r--roles/mailserver/templates/etc_postfix_main.cf.j2126
-rw-r--r--roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j25
-rw-r--r--roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j25
-rw-r--r--roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j25
-rw-r--r--roles/mailserver/templates/etc_postfix_pgsql-virtual-alias-maps.cf.j25
-rw-r--r--roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-domains.cf.j25
-rw-r--r--roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-maps.cf.j25
-rw-r--r--roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j247
-rw-r--r--roles/mailserver/templates/mailserver.sql.j257
-rw-r--r--roles/mailserver/templates/usr_share_z-push_config.php.j2306
-rw-r--r--roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j229
-rw-r--r--roles/nginx/HOWTO_letsencrypt.txt15
-rw-r--r--roles/nginx/HOWTO_new_site.txt22
29 files changed, 1223 insertions, 6 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index a4818b0..a1f4500 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -13,28 +13,35 @@
- name: Install necessities and nice-to-haves
apt: pkg={{ item }} state=installed
with_items:
+ # fail2ban in security
+ # rkhunter in security
- apt-transport-https
- apticron
- aptitude
+ - bash-completion
- bzip2
- ca-certificates
- curl
- debian-goodies
- dialog
- dnsutils
+ - dstat
- etckeeper
- # fail2ban in security
+ - fd-find
- file
- git
- htop
+ - httpie
- iftop
- ifupdown
- iotop
- iproute
- iputils-ping
- isc-dhcp-client
+ - jq
- less
- libui-dialog-perl
+ - lnav
- locales
- locales-all
- lsof
@@ -42,27 +49,32 @@
- man-db
- manpages-dev
- molly-guard
+ - moreutils
- mosh
- mtr-tiny
+ - net-tools
- netbase
- netcat
- - net-tools
- ngrep
- openssh-server
- openssl
+ - parallel
+ - pigz
- pv
- python
- python-software-properties
- # rkhunter in security
+ - ripgrep
- screen
+ - sqlite3
- sudo
- tcpdump
- tree
- - unzip
- unattended-upgrades
+ - unzip
- util-linux
- vim-nox
- wget
+ - zip
tags:
- dependencies
diff --git a/roles/debian_bullseye/defaults/main.yml b/roles/debian_bullseye/defaults/main.yml
new file mode 100644
index 0000000..3703452
--- /dev/null
+++ b/roles/debian_bullseye/defaults/main.yml
@@ -0,0 +1,2 @@
+
+admin_email: "root"
diff --git a/roles/debian_bullseye/tasks/main.yml b/roles/debian_bullseye/tasks/main.yml
new file mode 100644
index 0000000..6ca1691
--- /dev/null
+++ b/roles/debian_bullseye/tasks/main.yml
@@ -0,0 +1,10 @@
+
+- name: Configure sources.list for bullseye
+ template: src=etc_apt_sources_list.j2 dest=/etc/apt/sources.list
+
+- name: Enable automatic upgrades
+ template: src=etc_apt_apt_confd_20auto_upgrades.j2 dest=/etc/apt/apt.conf.d/20auto-upgrades
+
+- name: Configure unattended upgrades for bullseye
+ template: src=etc_apt_apt_confd_50unattended_upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades
+
diff --git a/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2 b/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2
new file mode 100644
index 0000000..c75a5d7
--- /dev/null
+++ b/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2 b/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2
new file mode 100644
index 0000000..967abb1
--- /dev/null
+++ b/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2
@@ -0,0 +1,94 @@
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// {{ ansible_managed }}
+//
+// Lines below have the format format is "keyword=value,...". A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line. (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted. The accepted keywords are:
+// a,archive,suite (eg, "stable")
+// c,component (eg, "main", "crontrib", "non-free")
+// l,label (eg, "Debian", "Debian-Security")
+// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
+// n,codename (eg, "bullseye", "bullseye-updates")
+// site (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+// ${distro_id} Installed origin.
+// ${distro_codename} Installed codename (eg, "bullseye")
+Unattended-Upgrade::Origins-Pattern {
+ // Codename based matching:
+ // This will follow the migration of a release through different
+ // archives (e.g. from testing to stable and later oldstable).
+ "o=Debian,n=bullseye";
+ "o=Debian,n=bullseye-updates";
+// "o=Debian,n=bullseye-proposed-updates";
+ "o=Debian,n=bullseye,l=Debian-Security";
+
+ // Archive or Suite based matching:
+ // Note that this will silently match a different release after
+ // migration to the specified archive (e.g. testing becomes the
+ // new stable).
+// "o=Debian,a=stable";
+// "o=Debian,a=stable-updates";
+// "o=Debian,a=proposed-updates";
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+ "vim";
+ "libc6";
+ "libc6-dev";
+ "libc6-i686";
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+// dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "{{ admin_email }}";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+// the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "false";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+// Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
diff --git a/roles/debian_bullseye/templates/etc_apt_sources_list.j2 b/roles/debian_bullseye/templates/etc_apt_sources_list.j2
new file mode 100644
index 0000000..b0644bb
--- /dev/null
+++ b/roles/debian_bullseye/templates/etc_apt_sources_list.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+deb http://http.debian.net/debian/ bullseye main
+deb-src http://http.debian.net/debian/ bullseye main
+
+deb http://security.debian.org/debian-security bullseye-security main
+deb-src http://security.debian.org/debian-security bullseye-security main
+
+# bullseye-updates, previously known as 'volatile'
+deb http://http.debian.net/debian/ bullseye-updates main
+deb-src http://http.debian.net/debian/ bullseye-updates main
+
+# bullseye-backports, previously on backports.debian.org
+deb http://http.debian.net/debian/ bullseye-backports main
+deb-src http://http.debian.net/debian/ bullseye-backports main
diff --git a/roles/mailserver/handlers/main.yml b/roles/mailserver/handlers/main.yml
new file mode 100644
index 0000000..5c5caea
--- /dev/null
+++ b/roles/mailserver/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: restart postfix
+ service: name=postfix state=restarted
+
+- name: restart dovecot
+ service: name=dovecot state=restarted
+
+- name: restart rspamd
+ service: name=rspamd state=restarted
diff --git a/roles/mailserver/tasks/dovecot.yml b/roles/mailserver/tasks/dovecot.yml
new file mode 100644
index 0000000..9d2c20e
--- /dev/null
+++ b/roles/mailserver/tasks/dovecot.yml
@@ -0,0 +1,39 @@
+- name: Install Dovecot and related packages
+ apt: pkg={{ item }} update_cache=yes state=installed
+ with_items:
+ - dovecot-core
+ - dovecot-imapd
+ - dovecot-lmtpd
+ - dovecot-antispam
+ tags:
+ - dependencies
+
+#- name: Copy dovecot.conf into place
+# copy: src=etc_dovecot_dovecot.conf dest=/etc/dovecot/dovecot.conf
+
+#- name: Create before.d sieve scripts directory
+# file: path=/etc/dovecot/sieve/before.d state=directory owner=vmail group=dovecot recurse=yes mode=0770
+# notify: restart dovecot
+
+#- name: Configure sieve script moving spam into Junk folder
+# copy: src=etc_dovecot_sieve_before.d_no-spam.sieve dest=/etc/dovecot/sieve/before.d/no-spam.sieve owner=vmail group=dovecot
+# notify: restart dovecot
+
+#- name: Copy additional Dovecot configuration files in place
+# copy: src=etc_dovecot_conf.d_{{ item }} dest=/etc/dovecot/conf.d/{{ item }}
+# with_items:
+# - 10-auth.conf
+# - 10-mail.conf
+# - 10-master.conf
+# - 90-antispam.conf
+# - 90-plugin.conf
+# - 90-sieve.conf
+# notify: restart dovecot
+
+#- name: Update post-certificate-renewal task
+# copy:
+# content: "#!/bin/bash\n\n/etc/init.d/dovecot restart\n"
+# dest: /etc/letsencrypt/postrenew/dovecot.sh
+# mode: 0755
+# owner: root
+# group: root
diff --git a/roles/mailserver/tasks/main.yml b/roles/mailserver/tasks/main.yml
new file mode 100644
index 0000000..7691288
--- /dev/null
+++ b/roles/mailserver/tasks/main.yml
@@ -0,0 +1,6 @@
+- include: postfix.yml
+ tags: postfix
+- include: dovecot.yml
+ tags: dovecot
+- include: rspamd.yml
+ tags: rspamd
diff --git a/roles/mailserver/tasks/postfix.yml b/roles/mailserver/tasks/postfix.yml
new file mode 100644
index 0000000..a36acd6
--- /dev/null
+++ b/roles/mailserver/tasks/postfix.yml
@@ -0,0 +1,18 @@
+- name: Install Postfix and related packages
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - libsasl2-modules
+ - postfix
+ - postfix-pcre
+ - sasl2-bin
+ tags:
+ - dependencies
+
+#- name: Copy main.cf
+# template: src=etc_postfix_main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root
+# notify: restart postfix
+
+#- name: Copy master.cf
+# copy: src=etc_postfix_master.cf dest=/etc/postfix/master.cf owner=root group=root
+# notify: restart postfix
+
diff --git a/roles/mailserver/tasks/rspamd.yml b/roles/mailserver/tasks/rspamd.yml
new file mode 100644
index 0000000..4d870a8
--- /dev/null
+++ b/roles/mailserver/tasks/rspamd.yml
@@ -0,0 +1,52 @@
+---
+# Installs and configures the Rspamd spam filtering system.
+
+- name: Ensure repository key for Rspamd is in place
+ apt_key: url=https://rspamd.com/apt-stable/gpg.key state=present
+ when: ansible_architecture != "armv7l"
+ tags:
+ - dependencies
+
+- name: Ensure yunohost repository key for Rspamd is in place for ARM
+ apt_key: url=http://repo.yunohost.org/debian/yunohost.asc state=present
+ when: ansible_architecture == "armv7l"
+ tags:
+ - dependencies
+
+- name: Add Rspamd repository
+ apt_repository: repo="deb https://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main"
+ when: ansible_architecture != "armv7l"
+ tags:
+ - dependencies
+
+- name: Add yunohost Rspamd repository for ARM
+ apt_repository: repo="deb http://repo.yunohost.org/debian {{ ansible_distribution_release }} stable"
+ when: ansible_architecture == "armv7l"
+ tags:
+ - dependencies
+
+- name: Install Rspamd and Redis
+ apt: pkg={{ item }} state=installed update_cache=yes
+ with_items:
+ - rspamd
+ tags:
+ - dependencies
+
+#- name: Copy DMARC configuration into place
+# template: src=etc_rspamd_local.d_dmarc.conf.j2 dest=/etc/rspamd/local.d/dmarc.conf owner=root group=root mode="0644"
+# notify: restart rspamd
+
+#- name: Copy DKIM configuration into place
+# copy: src=etc_rspamd_override.d_dkim_signing.conf dest=/etc/rspamd/override.d/dkim_signing.conf owner=root group=root mode="0644"
+# notify: restart rspamd
+
+#- name: Create dkim key directory
+# file: path=/var/lib/rspamd/dkim state=directory owner=_rspamd group=_rspamd
+
+#- name: Generate DKIM keys
+# shell: rspamadm dkim_keygen -s default -d {{ item.name }} -k {{ item.name }}.default.key > {{ item.name }}.default.txt
+# args:
+# creates: /var/lib/rspamd/dkim/{{ item.name }}.default.key
+# chdir: /var/lib/rspamd/dkim/
+# with_items: "{{ mail_virtual_domains }}"
+
diff --git a/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2 b/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
new file mode 100644
index 0000000..1c3a07c
--- /dev/null
+++ b/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
@@ -0,0 +1,26 @@
+# NOTE: We don't permanently redirect clients to the HTTPS address because some clients, like
+# Thunderbird, dont't follow redirections to the HTTPS URL.
+#
+# Additionally, documentation doesn't say whether the XML file should be served over either HTTP,
+# HTTPS or both, even though only the former is mentioned. Still, we allow clients to choose
+# between HTTP and HTTPS transports.
+
+<VirtualHost *:80>
+
+ ServerName {{ mail_server_autoconfig_hostname }}
+
+ DocumentRoot "/var/www/autoconfig"
+ Options -Indexes
+
+ HostnameLookups Off
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName {{ mail_server_autoconfig_hostname }}
+ SSLEngine On
+
+ DocumentRoot "/var/www/autoconfig"
+ Options -Indexes
+
+ HostnameLookups Off
+</VirtualHost>
diff --git a/roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2 b/roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2
new file mode 100644
index 0000000..8ba6ae5
--- /dev/null
+++ b/roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2
@@ -0,0 +1,53 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = required
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </etc/letsencrypt/live/{{ domain }}/fullchain.pem
+ssl_key = </etc/letsencrypt/live/{{ domain }}/privkey.pem
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+#ssl_ca = /etc/ssl/ca.pem
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# How often to regenerate the SSL parameters file. Generation is quite CPU
+# intensive operation. The value is in hours, 0 disables regeneration
+# entirely.
+#ssl_parameters_regenerate = 168
+
+# SSL protocols to use
+ssl_protocols = !SSLv2 !SSLv3
+
+# SSL ciphers to use
+#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =
+
+# DH parameters length to use.
+ssl_dh_parameters_length = 2048
diff --git a/roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2 b/roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2
new file mode 100644
index 0000000..b464365
--- /dev/null
+++ b/roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2
@@ -0,0 +1,48 @@
+##
+## LDA specific settings (also used by LMTP)
+##
+
+# Address to use when sending rejection mails.
+# Default is postmaster@<your domain>.
+postmaster_address = postmaster@{{domain}}
+
+# Hostname to use in various parts of sent mails, eg. in Message-Id.
+# Default is the system's real hostname.
+hostname = {{ mail_server_hostname }}
+
+# If user is over quota, return with temporary failure instead of
+# bouncing the mail.
+#quota_full_tempfail = no
+
+# Binary to use for sending mails.
+#sendmail_path = /usr/sbin/sendmail
+
+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
+#submission_host =
+
+# Subject: header to use for rejection mails. You can use the same variables
+# as for rejection_reason below.
+#rejection_subject = Rejected: %s
+
+# Human readable error message for rejection mails. You can use variables:
+# %n = CRLF, %r = reason, %s = original subject, %t = recipient
+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
+
+# Delimiter character between local-part and detail in email address.
+#recipient_delimiter = +
+
+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
+# A commonly used header for this is X-Original-To.
+#lda_original_recipient_header =
+
+# Should saving a mail to a nonexistent mailbox automatically create it?
+#lda_mailbox_autocreate = no
+
+# Should automatically created mailboxes be also automatically subscribed?
+#lda_mailbox_autosubscribe = no
+
+protocol lda {
+ # Space separated list of plugins to load (default is global mail_plugins).
+ mail_plugins = $mail_plugins sieve
+}
diff --git a/roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j2 b/roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j2
new file mode 100644
index 0000000..fcd59a5
--- /dev/null
+++ b/roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j2
@@ -0,0 +1,64 @@
+##
+## IMAP specific settings
+##
+
+protocol imap {
+ # Maximum IMAP command line length. Some clients generate very long command
+ # lines with huge mailboxes, so you may need to raise this if you get
+ # "Too long argument" or "IMAP command line too large" errors often.
+ #imap_max_line_length = 64k
+
+ # Maximum number of IMAP connections allowed for a user from each IP address.
+ # NOTE: The username is compared case-sensitively.
+ #mail_max_userip_connections = 10
+
+ # Space separated list of plugins to load (default is global mail_plugins).
+ mail_plugins = $mail_plugins antispam fts fts_solr
+
+ # IMAP logout format string:
+ # %i - total number of bytes read from client
+ # %o - total number of bytes sent to client
+ #imap_logout_format = bytes=%i/%o
+
+ # Override the IMAP CAPABILITY response. If the value begins with '+',
+ # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+ #imap_capability =
+
+ # How long to wait between "OK Still here" notifications when client is
+ # IDLEing.
+ #imap_idle_notify_interval = 2 mins
+
+ # ID field names and values to send to clients. Using * as the value makes
+ # Dovecot use the default value. The following fields have default values
+ # currently: name, version, os, os-version, support-url, support-email.
+ #imap_id_send =
+
+ # ID fields sent by client to log. * means everything.
+ #imap_id_log =
+
+ # Workarounds for various client bugs:
+ # delay-newmail:
+ # Send EXISTS/RECENT new mail notifications only when replying to NOOP
+ # and CHECK commands. Some clients ignore them otherwise, for example OSX
+ # Mail (<v2.1). Outlook Express breaks more badly though, without this it
+ # may show user "Message no longer in server" errors. Note that OE6 still
+ # breaks even with this workaround if synchronization is set to
+ # "Headers Only".
+ # tb-extra-mailbox-sep:
+ # Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
+ # adds extra '/' suffixes to mailbox names. This option causes Dovecot to
+ # ignore the extra '/' instead of treating it as invalid mailbox name.
+ # tb-lsub-flags:
+ # Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
+ # This makes Thunderbird realize they aren't selectable and show them
+ # greyed out, instead of only later giving "not selectable" popup error.
+ #
+ # The list is space-separated.
+ #imap_client_workarounds =
+}
+
+protocol lmtp {
+ # Space separated list of plugins to load (default is global mail_plugins).
+ mail_plugins = $mail_plugins sieve
+ postmaster_address = postmaster@{{ domain }}
+}
diff --git a/roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2 b/roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2
new file mode 100644
index 0000000..743b83b
--- /dev/null
+++ b/roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2
@@ -0,0 +1,138 @@
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# http://wiki2.dovecot.org/AuthDatabase/SQL
+#
+# For the sql passdb module, you'll need a database with a table that
+# contains fields for at least the username and password. If you want to
+# use the user@domain syntax, you might want to have a separate domain
+# field as well.
+#
+# If your users all have the same uig/gid, and have predictable home
+# directories, you can use the static userdb module to generate the home
+# dir based on the username and domain. In this case, you won't need fields
+# for home, uid, or gid in the database.
+#
+# If you prefer to use the sql userdb module, you'll want to add fields
+# for home, uid, and gid. Here is an example table:
+#
+# CREATE TABLE users (
+# username VARCHAR(128) NOT NULL,
+# domain VARCHAR(128) NOT NULL,
+# password VARCHAR(64) NOT NULL,
+# home VARCHAR(255) NOT NULL,
+# uid INTEGER NOT NULL,
+# gid INTEGER NOT NULL,
+# active CHAR(1) DEFAULT 'Y' NOT NULL
+# );
+
+# Database driver: mysql, pgsql, sqlite
+driver = pgsql
+
+# Database connection string. This is driver-specific setting.
+#
+# HA / round-robin load-balancing is supported by giving multiple host
+# settings, like: host=sql1.host.org host=sql2.host.org
+#
+# pgsql:
+# For available options, see the PostgreSQL documention for the
+# PQconnectdb function of libpq.
+# Use maxconns=n (default 5) to change how many connections Dovecot can
+# create to pgsql.
+#
+# mysql:
+# Basic options emulate PostgreSQL option names:
+# host, port, user, password, dbname
+#
+# But also adds some new settings:
+# client_flags - See MySQL manual
+# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
+# ssl_cert, ssl_key - For sending client-side certificates to server
+# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
+# option_file - Read options from the given file instead of
+# the default my.cnf location
+# option_group - Read options from the given group (default: client)
+#
+# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
+# Note that currently you can't use spaces in parameters.
+#
+# sqlite:
+# The path to the database file.
+#
+# Examples:
+# connect = host=192.168.1.1 dbname=users
+# connect = host=sql.example.com dbname=virtual user=virtual password=blarg
+# connect = /etc/dovecot/authdb.sqlite
+#
+connect = "host=127.0.0.1 dbname={{ mail_db_database }} user={{ mail_db_username }} password='{{ mail_db_password }}'"
+
+# Default password scheme.
+#
+# List of supported schemes is in
+# http://wiki2.dovecot.org/Authentication/PasswordSchemes
+#
+default_pass_scheme = SHA512-CRYPT
+
+# passdb query to retrieve the password. It can return fields:
+# password - The user's password. This field must be returned.
+# user - user@domain from the database. Needed with case-insensitive lookups.
+# username and domain - An alternative way to represent the "user" field.
+#
+# The "user" field is often necessary with case-insensitive lookups to avoid
+# e.g. "name" and "nAme" logins creating two different mail directories. If
+# your user and domain names are in separate fields, you can return "username"
+# and "domain" fields instead of "user".
+#
+# The query can also return other fields which have a special meaning, see
+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
+#
+# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
+# for full list):
+# %u = entire user@domain
+# %n = user part of user@domain
+# %d = domain part of user@domain
+#
+# Note that these can be used only as input to SQL query. If the query outputs
+# any of these substitutions, they're not touched. Otherwise it would be
+# difficult to have eg. usernames containing '%' characters.
+#
+# Example:
+# password_query = SELECT userid AS user, pw AS password \
+# FROM users WHERE userid = '%u' AND active = 'Y'
+#
+#password_query = \
+# SELECT username, domain, password \
+# FROM users WHERE username = '%n' AND domain = '%d'
+
+password_query = SELECT email AS user, password FROM virtual_users WHERE email = '%u';
+
+# userdb query to retrieve the user information. It can return fields:
+# uid - System UID (overrides mail_uid setting)
+# gid - System GID (overrides mail_gid setting)
+# home - Home directory
+# mail - Mail location (overrides mail_location setting)
+#
+# None of these are strictly required. If you use a single UID and GID, and
+# home or mail directory fits to a template string, you could use userdb static
+# instead. For a list of all fields that can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+#
+# Examples:
+# user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
+# user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
+# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
+#
+#user_query = \
+# SELECT home, uid, gid \
+# FROM users WHERE username = '%n' AND domain = '%d'
+
+# If you wish to avoid two SQL lookups (passdb + userdb), you can use
+# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
+# also have to return userdb fields in password_query prefixed with "userdb_"
+# string. For example:
+#password_query = \
+# SELECT userid AS user, password, \
+# home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
+# FROM users WHERE userid = '%u'
+
+# Query to get a list of all usernames.
+#iterate_query = SELECT username AS user FROM users
diff --git a/roles/mailserver/templates/etc_postfix_main.cf.j2 b/roles/mailserver/templates/etc_postfix_main.cf.j2
new file mode 100644
index 0000000..2416789
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_main.cf.j2
@@ -0,0 +1,126 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Modified as per http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
+
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# Accept messages up to 50MB
+message_size_limit = 51200000
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# antispam
+smtpd_helo_required = yes
+smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
+smtpd_sender_restrictions = reject_unknown_address
+disable_vrfy_command = yes
+strict_rfc821_envelopes = yes
+invalid_hostname_reject_code = 554
+multi_recipient_bounce_reject_code = 554
+non_fqdn_reject_code = 554
+relay_domains_reject_code = 554
+unknown_address_reject_code = 554
+unknown_client_reject_code = 554
+unknown_hostname_reject_code = 554
+unknown_local_recipient_reject_code = 554
+unknown_relay_recipient_reject_code = 554
+unknown_virtual_alias_reject_code = 554
+unknown_virtual_mailbox_reject_code = 554
+unverified_recipient_reject_code = 554
+unverified_sender_reject_code = 554
+
+# TLS parameters
+smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
+smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
+smtp_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_cert_file=/etc/letsencrypt/live/{{ domain }}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/{{ domain }}/privkey.pem
+smtpd_use_tls=yes
+smtpd_tls_auth_only = yes
+smtp_tls_security_level = may
+smtp_tls_loglevel = 2
+smtpd_tls_received_header = yes
+smtp_tls_note_starttls_offer = yes
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+# http://www.postfix.org/FORWARD_SECRECY_README.html
+smtp_tls_ciphers = medium
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparam2048.pem
+
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+smtpd_sasl_security_options = noanonymous
+
+# set to empty value for backwards compatibility
+# as per http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
+smtpd_relay_restrictions =
+
+smtpd_recipient_restrictions =
+ permit_sasl_authenticated,
+ permit_mynetworks,
+ reject_unauth_pipelining,
+ reject_unauth_destination,
+ reject_invalid_hostname,
+ reject_non_fqdn_hostname,
+ reject_non_fqdn_recipient,
+ reject_unknown_recipient_domain,
+ permit
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+myhostname = {{ mail_server_hostname }}
+myorigin = $mydomain
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ ' '.join(friendly_networks) }}
+#mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+# dovecot db
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+mailbox_transport = lmtp:unix:private/dovecot-lmtp
+
+dovecot_destination_recipient_limit = 1
+virtual_mailbox_domains = pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
+virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
+virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
+local_recipient_maps = $virtual_mailbox_maps
+
+# Milters: Rspamd
+smtpd_milters = inet:127.0.0.1:11332
+non_smtpd_milters = $smtpd_milters
+milter_protocol = 6
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
+milter_default_action = accept
+
+smtpd_client_restrictions = permit_sasl_authenticated
+
+# Postscreen
+postscreen_access_list = permit_mynetworks
+postscreen_dnsbl_sites =
+ sbl-xbl.spamhaus.org*2
+ cbl.abuseat.org*2
+ bl.spamcop.net*2
+ dnsbl.sorbs.net*1
+ spam.spamrats.com*2
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_action = enforce
+postscreen_greet_action = enforce
+
+{% if mail_header_privacy == 1 %}
+# Remove local client IP from headers
+smtp_header_checks = pcre:/etc/postfix/maps/smtp_header_checks.pcre
+{% endif %}
diff --git a/roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j2 b/roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j2
new file mode 100644
index 0000000..daa0d00
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT destination FROM virtual_aliases WHERE source='%s'
diff --git a/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j2 b/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j2
new file mode 100644
index 0000000..d9d35a9
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT 1 FROM virtual_domains WHERE name='%s'
diff --git a/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j2 b/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j2
new file mode 100644
index 0000000..b2f7165
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT 1 FROM virtual_users WHERE email='%s'
diff --git a/roles/mailserver/templates/etc_postfix_pgsql-virtual-alias-maps.cf.j2 b/roles/mailserver/templates/etc_postfix_pgsql-virtual-alias-maps.cf.j2
new file mode 100644
index 0000000..daa0d00
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_pgsql-virtual-alias-maps.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT destination FROM virtual_aliases WHERE source='%s'
diff --git a/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-domains.cf.j2 b/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-domains.cf.j2
new file mode 100644
index 0000000..d9d35a9
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-domains.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT 1 FROM virtual_domains WHERE name='%s'
diff --git a/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-maps.cf.j2 b/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-maps.cf.j2
new file mode 100644
index 0000000..b2f7165
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-maps.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT 1 FROM virtual_users WHERE email='%s'
diff --git a/roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2 b/roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2
new file mode 100644
index 0000000..a850af9
--- /dev/null
+++ b/roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2
@@ -0,0 +1,47 @@
+# Enables storing reporting information to redis
+reporting = true;
+
+# Actions to enforce based on DMARC disposition
+actions = {
+ quarantine = "add_header";
+ reject = "reject";
+}
+
+# From Rspamd 1.6 experimental support for generation of DMARC reports is provided.
+# send_reports MUST be true
+send_reports = true;
+
+# report_settings MUST be present
+report_settings {
+ # The following elements MUST be present
+ # organisation name to use for reports
+ org_name = "{{ organization }}";
+
+ # organisation domain
+ domain = "{{ domain }}";
+
+ # sender address to use for reports
+ email = "postmaster@{{ domain }}";
+
+ # The following elements MAY be present
+ # SMTP host to send reports to ("127.0.0.1" if unset)
+ # smtp = "127.0.0.1";
+
+ # TCP port to use for SMTP (25 if unset)
+ # smtp_port = 25;
+
+ # HELO to use for SMTP ("rspamd" if unset)
+ # helo = "rspamd";
+
+ # Number of retries on temporary errors (2 if unset)
+ # retries = 2;
+
+ # Send DMARC reports here instead of domain owners
+ # override_address = "postmaster@example.net";
+
+ # Send DMARC reports here in addition to domain owners
+ additional_address = "postmaster@{{ domain }}";
+
+ # Number of records to request with HSCAN
+ # hscan_count = 200
+}
diff --git a/roles/mailserver/templates/mailserver.sql.j2 b/roles/mailserver/templates/mailserver.sql.j2
new file mode 100644
index 0000000..203c3d8
--- /dev/null
+++ b/roles/mailserver/templates/mailserver.sql.j2
@@ -0,0 +1,57 @@
+-- If tables are not dropped, have to truncate before insert or use "insert or replace" (not postgres compatible)
+
+DROP TABLE IF EXISTS "virtual_users";
+DROP TABLE IF EXISTS "virtual_aliases";
+DROP TABLE IF EXISTS "virtual_domains";
+
+CREATE TABLE IF NOT EXISTS "virtual_domains" (
+ "id" SERIAL,
+ "name" TEXT NOT NULL,
+ PRIMARY KEY ("id")
+);
+
+CREATE UNIQUE INDEX name_idx ON virtual_domains (name);
+
+CREATE TABLE IF NOT EXISTS "virtual_users" (
+ "id" SERIAL,
+ "domain_id" int NOT NULL,
+ "password" TEXT NOT NULL,
+ "email" TEXT NOT NULL UNIQUE,
+ PRIMARY KEY ("id"),
+ FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+);
+
+
+CREATE UNIQUE INDEX email_idx ON virtual_users (email);
+
+CREATE TABLE IF NOT EXISTS "virtual_aliases" (
+ "id" SERIAL,
+ "domain_id" int NOT NULL,
+ "source" TEXT NOT NULL,
+ "destination" TEXT NOT NULL,
+ PRIMARY KEY ("id"),
+ FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+);
+
+CREATE INDEX source_idx ON virtual_aliases (source);
+
+{% for virtual_domain in mail_virtual_domains %}
+INSERT INTO "virtual_domains" ("id", "name")
+ VALUES ('{{ virtual_domain.pk_id }}', '{{ virtual_domain.name }}');
+{% endfor %}
+
+{% for virtual_user in mail_virtual_users %}
+INSERT INTO "virtual_users" ("domain_id", "password" , "email")
+ VALUES (
+ '{{ virtual_user.domain_pk_id }}',
+ '{{ virtual_user.password | doveadm_pw_hash }}',
+ '{{ virtual_user.account }}@{{ virtual_user.domain }}'
+ );
+{% endfor %}
+
+{% if mail_virtual_aliases is defined %}
+{% for virtual_alias in mail_virtual_aliases %}
+INSERT INTO "virtual_aliases" ("domain_id", "source", "destination")
+ VALUES ('{{ virtual_alias.domain_pk_id }}', '{{ virtual_alias.source }}', '{{virtual_alias.destination }}');
+{% endfor %}
+{% endif %}
diff --git a/roles/mailserver/templates/usr_share_z-push_config.php.j2 b/roles/mailserver/templates/usr_share_z-push_config.php.j2
new file mode 100644
index 0000000..a351df1
--- /dev/null
+++ b/roles/mailserver/templates/usr_share_z-push_config.php.j2
@@ -0,0 +1,306 @@
+<?php
+/***********************************************
+* File : config.php
+* Project : Z-Push
+* Descr : Main configuration file
+*
+* Created : 01.10.2007
+*
+* Copyright 2007 - 2013 Zarafa Deutschland GmbH
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License, version 3,
+* as published by the Free Software Foundation with the following additional
+* term according to sec. 7:
+*
+* According to sec. 7 of the GNU Affero General Public License, version 3,
+* the terms of the AGPL are supplemented with the following terms:
+*
+* "Zarafa" is a registered trademark of Zarafa B.V.
+* "Z-Push" is a registered trademark of Zarafa Deutschland GmbH
+* The licensing of the Program under the AGPL does not imply a trademark license.
+* Therefore any rights, title and interest in our trademarks remain entirely with us.
+*
+* However, if you propagate an unmodified version of the Program you are
+* allowed to use the term "Z-Push" to indicate that you distribute the Program.
+* Furthermore you may use our trademarks where it is necessary to indicate
+* the intended purpose of a product or service provided you use it in accordance
+* with honest practices in industrial or commercial matters.
+* If you want to propagate modified versions of the Program under the name "Z-Push",
+* you may only do so if you have a written permission by Zarafa Deutschland GmbH
+* (to acquire a permission please contact Zarafa at trademark@zarafa.com).
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see <http://www.gnu.org/licenses/>.
+*
+* Consult LICENSE file for details
+************************************************/
+
+/**********************************************************************************
+ * Default settings
+ */
+ // Defines the default time zone, change e.g. to "Europe/London" if necessary
+ define('TIMEZONE', '{{ zpush_timezone }}');
+
+ // Defines the base path on the server
+ define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
+
+ // Try to set unlimited timeout
+ define('SCRIPT_TIMEOUT', 0);
+
+ // When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP
+ define('USE_X_FORWARDED_FOR_HEADER', false);
+
+ // When using client certificates, we can check if the login sent matches the owner of the certificate.
+ // This setting specifies the owner parameter in the certificate to look at.
+ define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
+
+/**********************************************************************************
+ * Default FileStateMachine settings
+ */
+ define('STATE_DIR', '/decrypted/zpush-state/');
+
+
+/**********************************************************************************
+ * Logging settings
+ * Possible LOGLEVEL and LOGUSERLEVEL values are:
+ * LOGLEVEL_OFF - no logging
+ * LOGLEVEL_FATAL - log only critical errors
+ * LOGLEVEL_ERROR - logs events which might require corrective actions
+ * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
+ * LOGLEVEL_INFO - usually completed actions
+ * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
+ * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
+ * LOGLEVEL_DEVICEID - also prints the device id for every log entry
+ * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
+ *
+ * The verbosity increases from top to bottom. More verbose levels include less verbose
+ * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
+ * LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
+ */
+ define('LOGFILEDIR', '/var/log/z-push/');
+ define('LOGFILE', LOGFILEDIR . 'z-push.log');
+ define('LOGERRORFILE', LOGFILEDIR . 'z-push-error.log');
+ define('LOGLEVEL', LOGLEVEL_INFO);
+ define('LOGAUTHFAIL', false);
+
+
+ // To save e.g. WBXML data only for selected users, add the usernames to the array
+ // The data will be saved into a dedicated file per user in the LOGFILEDIR
+ // Users have to be encapusulated in quotes, several users are comma separated, like:
+ // $specialLogUsers = array('info@domain.com', 'myusername');
+ define('LOGUSERLEVEL', LOGLEVEL_DEVICEID);
+ $specialLogUsers = array();
+
+ // Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem'
+ // Uncomment and modify the following line if the validation of the certificates fails.
+ // define('CAINFO', '/etc/ssl/certs/EmailCA.pem');
+
+/**********************************************************************************
+ * Mobile settings
+ */
+ // Device Provisioning
+ define('PROVISIONING', true);
+
+ // This option allows the 'loose enforcement' of the provisioning policies for older
+ // devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution
+ // false (default) - Enforce provisioning for all devices
+ // true - allow older devices, but enforce policies on devices which support it
+ define('LOOSE_PROVISIONING', false);
+
+ // Default conflict preference
+ // Some devices allow to set if the server or PIM (mobile)
+ // should win in case of a synchronization conflict
+ // SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins
+ // SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default)
+ define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM);
+
+ // Global limitation of items to be synchronized
+ // The mobile can define a sync back period for calendar and email items
+ // For large stores with many items the time period could be limited to a max value
+ // If the mobile transmits a wider time period, the defined max value is used
+ // Applicable values:
+ // SYNC_FILTERTYPE_ALL (default, no limitation)
+ // SYNC_FILTERTYPE_1DAY, SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS,
+ // SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS
+ define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_3MONTHS);
+
+ // Interval in seconds before checking if there are changes on the server when in Ping.
+ // It means the highest time span before a change is pushed to a mobile. Set it to
+ // a higher value if you have a high load on the server.
+ define('PING_INTERVAL', 30);
+
+ // Interval in seconds to force a re-check of potentially missed notifications when
+ // using a changes sink. Default are 300 seconds (every 5 min).
+ // This can also be disabled by setting it to false
+ define('SINK_FORCERECHECK', 300);
+
+ // Set the fileas (save as) order for contacts in the webaccess/webapp/outlook.
+ // It will only affect new/modified contacts on the mobile which then are synced to the server.
+ // Possible values are:
+ // SYNC_FILEAS_FIRSTLAST - fileas will be "Firstname Middlename Lastname"
+ // SYNC_FILEAS_LASTFIRST - fileas will be "Lastname, Firstname Middlename"
+ // SYNC_FILEAS_COMPANYONLY - fileas will be "Company"
+ // SYNC_FILEAS_COMPANYLAST - fileas will be "Company (Lastname, Firstname Middlename)"
+ // SYNC_FILEAS_COMPANYFIRST - fileas will be "Company (Firstname Middlename Lastname)"
+ // SYNC_FILEAS_LASTCOMPANY - fileas will be "Lastname, Firstname Middlename (Company)"
+ // SYNC_FILEAS_FIRSTCOMPANY - fileas will be "Firstname Middlename Lastname (Company)"
+ // The company-fileas will only be set if a contact has a company set. If one of
+ // company-fileas is selected and a contact doesn't have a company set, it will default
+ // to SYNC_FILEAS_FIRSTLAST or SYNC_FILEAS_LASTFIRST (depending on if last or first
+ // option is selected for company).
+ // If SYNC_FILEAS_COMPANYONLY is selected and company of the contact is not set
+ // SYNC_FILEAS_LASTFIRST will be used
+ define('FILEAS_ORDER', SYNC_FILEAS_LASTFIRST);
+
+ // Amount of items to be synchronized per request
+ // Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100.
+ // Exporting too much items can cause mobile timeout on busy systems.
+ // Z-Push will use the lowest value, either set here or by the mobile.
+ // default: 100 - value used if mobile does not limit amount of items
+ define('SYNC_MAX_ITEMS', 100);
+
+ // The devices usually send a list of supported properties for calendar and contact
+ // items. If a device does not includes such a supported property in Sync request,
+ // it means the property's value will be deleted on the server.
+ // However some devices do not send a list of supported properties. It is then impossible
+ // to tell if a property was deleted or it was not set at all if it does not appear in Sync.
+ // This parameter defines Z-Push behaviour during Sync if a device does not issue a list with
+ // supported properties.
+ // See also https://jira.zarafa.com/browse/ZP-302.
+ // Possible values:
+ // false - do not unset properties which are not sent during Sync (default)
+ // true - unset properties which are not sent during Sync
+ define('UNSET_UNDEFINED_PROPERTIES', false);
+
+ // ActiveSync specifies that a contact photo may not exceed 48 KB. This value is checked
+ // in the semantic sanity checks and contacts with larger photos are not synchronized.
+ // This limitation is not being followed by the ActiveSync clients which set much bigger
+ // contact photos. You can override the default value of the max photo size.
+ // default: 49152 - 48 KB default max photo size in bytes
+ define('SYNC_CONTACTS_MAXPICTURESIZE', 49152);
+
+/**********************************************************************************
+ * Backend settings
+ */
+ // the backend data provider
+ define('BACKEND_PROVIDER', 'BackendIMAP');
+
+
+ // ************************
+ // BackendZarafa settings
+ // ************************
+ // Defines the server to which we want to connect
+ define('MAPI_SERVER', 'file:///var/run/zarafa');
+
+
+ // ************************
+ // BackendIMAP settings
+ // ************************
+ // Defines the server to which we want to connect
+ define('IMAP_SERVER', 'localhost');
+ // connecting to default port (143)
+ define('IMAP_PORT', 993);
+ // best cross-platform compatibility (see http://php.net/imap_open for options)
+ define('IMAP_OPTIONS', '/ssl/novalidate-cert');
+ // overwrite the "from" header if it isn't set when sending emails
+ // options: 'username' - the username will be set (usefull if your login is equal to your emailaddress)
+ // 'domain' - the value of the "domain" field is used
+ // '@mydomain.com' - the username is used and the given string will be appended
+ define('IMAP_DEFAULTFROM', '');
+ // copy outgoing mail to this folder. If not set d-push will try the default folders
+ define('IMAP_SENTFOLDER', 'Sent');
+ // forward messages inline (default false - as attachment)
+ define('IMAP_INLINE_FORWARD', false);
+ // don't use imap_mail() to send emails.
+ // true (default, uses imap_mail, which is broken - false uses mail(),
+ // which handles cc and from in a more sane way)
+ define('IMAP_USE_IMAPMAIL', false);
+
+
+ // ************************
+ // BackendMaildir settings
+ // ************************
+ define('MAILDIR_BASE', '/tmp');
+ define('MAILDIR_SUBDIR', 'Maildir');
+
+ // **********************
+ // BackendVCardDir settings
+ // **********************
+ define('VCARDDIR_DIR', '/home/%u/.kde/share/apps/kabc/stdvcf');
+
+
+/**********************************************************************************
+ * Search provider settings
+ *
+ * Alternative backend to perform SEARCH requests (GAL search)
+ * By default the main Backend defines the preferred search functionality.
+ * If set, the Search Provider will always be preferred.
+ * Use 'BackendSearchLDAP' to search in a LDAP directory (see backend/searchldap/config.php)
+ */
+ define('SEARCH_PROVIDER', '');
+ // Time in seconds for the server search. Setting it too high might result in timeout.
+ // Setting it too low might not return all results. Default is 10.
+ define('SEARCH_WAIT', 10);
+ // The maximum number of results to send to the client. Setting it too high
+ // might result in timeout. Default is 10.
+ define('SEARCH_MAXRESULTS', 10);
+
+
+/**********************************************************************************
+ * Synchronize additional folders to all mobiles
+ *
+ * With this feature, special folders can be synchronized to all mobiles.
+ * This is useful for e.g. global company contacts.
+ *
+ * This feature is supported only by certain devices, like iPhones.
+ * Check the compatibility list for supported devices:
+ * http://z-push.sf.net/compatibility
+ *
+ * To synchronize a folder, add a section setting all parameters as below:
+ * store: the ressource where the folder is located.
+ * Zarafa users use 'SYSTEM' for the 'Public Folder'
+ * folderid: folder id of the folder to be synchronized
+ * name: name to be displayed on the mobile device
+ * type: supported types are:
+ * SYNC_FOLDER_TYPE_USER_CONTACT
+ * SYNC_FOLDER_TYPE_USER_APPOINTMENT
+ * SYNC_FOLDER_TYPE_USER_TASK
+ * SYNC_FOLDER_TYPE_USER_MAIL
+ *
+ * Additional notes:
+ * - on Zarafa systems use backend/zarafa/listfolders.php script to get a list
+ * of available folders
+ *
+ * - all Z-Push users must have full writing permissions (secretary rights) so
+ * the configured folders can be synchronized to the mobile
+ *
+ * - this feature is only partly suitable for multi-tenancy environments,
+ * as ALL users from ALL tenents need access to the configured store & folder.
+ * When configuring a public folder, this will cause problems, as each user has
+ * a different public folder in his tenant, so the folder are not available.
+
+ * - changing this configuration could cause HIGH LOAD on the system, as all
+ * connected devices will be updated and load the data contained in the
+ * added/modified folders.
+ */
+
+ $additionalFolders = array(
+ // demo entry for the synchronization of contacts from the public folder.
+ // uncomment (remove '/*' '*/') and fill in the folderid
+/*
+ array(
+ 'store' => "SYSTEM",
+ 'folderid' => "",
+ 'name' => "Public Contacts",
+ 'type' => SYNC_FOLDER_TYPE_USER_CONTACT,
+ ),
+*/
+ );
+
+?> \ No newline at end of file
diff --git a/roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2 b/roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2
new file mode 100644
index 0000000..8ca98ab
--- /dev/null
+++ b/roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<clientConfig version="1.1">
+ <emailProvider id="{{ domain }}">
+ <domain>{{ domain }}</domain>
+ <displayName>{{ domain }}</displayName>
+ <displayShortName>{{ domain }}</displayShortName>
+ <incomingServer type="imap">
+ <hostname>{{ mail_server_hostname }}</hostname>
+ <port>993</port>
+ <socketType>SSL</socketType>
+ <authentication>password-cleartext</authentication>
+ <username>%EMAILADDRESS%</username>
+ </incomingServer>
+ <incomingServer type="pop3">
+ <hostname>{{ mail_server_hostname }}</hostname>
+ <port>995</port>
+ <socketType>SSL</socketType>
+ <authentication>password-cleartext</authentication>
+ <username>%EMAILADDRESS%</username>
+ </incomingServer>
+ <outgoingServer type="smtp">
+ <hostname>{{ mail_server_hostname }}</hostname>
+ <port>587</port>
+ <socketType>STARTTLS</socketType>
+ <authentication>password-cleartext</authentication>
+ <username>%EMAILADDRESS%</username>
+ </outgoingServer>
+ </emailProvider>
+</clientConfig>
diff --git a/roles/nginx/HOWTO_letsencrypt.txt b/roles/nginx/HOWTO_letsencrypt.txt
index ada7075..bf9d0d7 100644
--- a/roles/nginx/HOWTO_letsencrypt.txt
+++ b/roles/nginx/HOWTO_letsencrypt.txt
@@ -39,6 +39,21 @@ cert), do something like this:
-d static.bnewbold.net \
-d git.bnewbold.net
+ sudo letsencrypt certonly \
+ --non-interactive \
+ --agree-tos \
+ --email bnewbold@the-nsa.org \
+ --webroot -w /var/www/letsencrypt \
+ -d bnewbold.the-nsa.org \
+ -d files.bnewbold.the-nsa.org \
+ -d hashbase.bnewbold.the-nsa.org \
+ -d modelthing.the-nsa.org \
+ -d obscurity.bnewbold.the-nsa.org \
+ -d repro.bnewbold.the-nsa.org \
+ -d perf.bnewbold.the-nsa.org --expand
+
+ # formerly: very-flat.com
+
The above will yield a cert at the following path (presumably path has the
first domain name):
diff --git a/roles/nginx/HOWTO_new_site.txt b/roles/nginx/HOWTO_new_site.txt
index 1834e93..777665b 100644
--- a/roles/nginx/HOWTO_new_site.txt
+++ b/roles/nginx/HOWTO_new_site.txt
@@ -21,6 +21,11 @@ For a reverse proxied website:
listen [::]:80;
server_name <example.com>;
+ location = /favicon.ico {
+ access_log off;
+ log_not_found off;
+ }
+
location /theme_static/ {
alias /some/static/files/dir/theme_static/;
}
@@ -35,19 +40,32 @@ For a reverse proxied website:
For SSL stuff, add this to the body:
- listen 443 ssl spdy;
- listen [::]:443 ssl spdy;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/<cert-name>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<cert-name>/privkey.pem;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'";
+ #add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
add_header X-Frame-Options "SAMEORIGIN"; # 'always' if nginx > 1.7.5
add_header X-Content-Type-Options "nosniff"; # 'always' if nginx > 1.7.5
add_header X-Xss-Protection "1";
# Enable STS with one year period (breaks http; optional)
#add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
+
+ if ($scheme = http) {
+ return 301 https://$server_name$request_uri;
+ }
+
+ # Let's Encrypt SSL Certs
+ location /.well-known/acme-challenge/ {
+ root /var/www/letsencrypt;
+ autoindex off;
+ }
+
+
If your site is going to have inline Javascript (pretty common), you might need
to swith the Content-Security-Policy line to: