Initial commit

ansible/templates/acme-client.conf

@@ -0,0 +1,12 @@
+authority letsencrypt {
+    api url "https://acme-v02.api.letsencrypt.org/directory"
+    account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+{% for domain in mx1_domains %}
+domain "{{ domain }}" {
+    domain key "/etc/ssl/private/{{ domain }}.key"
+    domain full chain certificate "/etc/ssl/{{ domain }}.fullchain.pem"
+    sign with letsencrypt
+}
+{% endfor %}

ansible/templates/dovecot.conf

@@ -0,0 +1,127 @@
+# Enable ssl
+ssl = required
+ssl_cert = < /etc/ssl/{{ mx1_mail_domain }}.fullchain.pem
+ssl_key = < /etc/ssl/private/{{ mx1_mail_domain }}.key
+
+ssl_min_protocol = TLSv1.2
+ssl_prefer_server_ciphers = yes
+
+disable_plaintext_auth = yes
+
+# Define used protocols
+protocols = lmtp imap sieve
+
+service lmtp {
+    unix_listener lmtp {
+        user  = vmail
+        group = vmail
+    }
+}
+
+service imap-login {
+    inet_listener imap {
+        port = 143
+    }
+    inet_listener imaps {
+        port = 993
+    }
+}
+
+# Setup users
+passdb {
+    driver = passwd-file
+    args = scheme=ARGON2ID-CRYPT username_format=%u /etc/dovecot/users
+}
+
+userdb {
+    driver = passwd-file
+    args = username_format=%u /etc/dovecot/users
+    override_fields = uid=vmail gid=vmail home=/var/mail/vmail/%d/%n
+}
+
+# Setup mail location
+mail_location = maildir:~/Maildir
+
+# setup auth listener
+service auth {
+ unix_listener auth-userdb {
+  mode = 0660
+  user = vmail
+  group = vmail
+ }
+}
+
+# change the authworker to run as non-root
+service auth-worker {
+ user = $default_internal_user
+}
+
+# setup local delivery options
+quota_full_tempfail = yes
+protocol lda {
+ mail_plugins = $mail_plugins sieve
+}
+# setup some common mailboxes that are used by different clients to consistent destinations
+namespace inbox {
+ inbox = yes
+ mailbox Spam {
+  special_use = \Junk
+ }
+ mailbox "Deleted Items" {
+  special_use = \Trash
+ }
+}
+
+# setup local delivery protocol
+protocol lmtp {
+ mail_plugins = $mail_plugins sieve
+}
+
+# disable verify quota befor replying rcpt to
+lmtp_rcpt_check_quota = no
+
+# setup stats service
+service stats {
+ unix_listener stats-writer {
+  user =
+  group = $default_internal_group
+  mode = 0660
+ }
+}
+
+# enable mail plugins
+mail_plugins = $mail_plugins notify
+
+# setup metrics
+metric auth_success {
+ filter = event=auth_request_finished AND success=yes
+}
+metric auth_failures {
+ filter = event=auth_request_finished AND NOT success=yes
+}
+metric imap_command {
+ filter = event=imap_command_finished
+ group_by = cmd_name tagged_reply_state
+}
+metric smtp_command {
+ filter = event=smtp_server_command_finished
+ group_by = cmd_name status_code duration:exponential:1:5:10
+}
+metric mail_delivery {
+ filter = event=mail_delivery_finsihed
+ group_by = duration:exponential:1:5:10
+}
+
+# enable IMAP protocol
+protocol imap {
+ mail_plugins = $mail_plugins imap_sieve
+}
+
+# setup sieve plugin options
+# enable if there needs to be default sieve processing
+#plugin {
+#  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
+#  sieve_before = /etc/dovecot/sieve/default.sieve
+#  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
+#  sieve_plugins = sieve_imapsieve sieve_extprograms
+#}

ansible/templates/httpd.conf

@@ -0,0 +1,27 @@
+server "{{ inventory_hostname }}" {
+    listen on * port 80
+    location "/.well-known/acme-challenge/*" {
+        root "/acme"
+        request strip 2
+    }
+    location * {
+        block return 302 "https://$HTTP_HOST$REQUEST_URI"
+    }
+}
+
+{% for vhost in mx1_domains %}
+server "{{ vhost }}" {
+    listen on * tls port 443
+    tls {
+        certificate "/etc/ssl/{{ vhost }}.fullchain.pem"
+        key "/etc/ssl/private/{{ vhost }}.key"
+    }
+    location "/.well-known/acme-challenge/*" {
+        root "/acme"
+        request strip 2
+    }
+    location * {
+        root "/vhosts/{{ vhost }}"
+    }
+}
+{% endfor %}

ansible/templates/smtpd.conf

@@ -0,0 +1,23 @@
+pki {{ mx1_mail_domain }} cert "/etc/ssl/{{ mx1_mail_domain }}.fullchain.pem"
+pki {{ mx1_mail_domain }} key "/etc/ssl/private/{{ mx1_mail_domain }}.key"
+
+table aliases file:/etc/mail/aliases
+table users passwd:/etc/mail/accounts
+table virtuals file:/etc/mail/virtuals
+
+filter dkimsign_rsa proc-exec "filter-dkimsign -d {{ mx1_mail_domain }} -s selector1 \
+    -k /etc/mail/dkim/{{ mx1_mail_domain }}.key" user _dkimsign group _dkimsign
+
+listen on socket filter dkimsign_rsa
+listen on all tls pki {{ mx1_mail_domain }}
+listen on all port submission tls-require pki {{ mx1_mail_domain }} auth <users> filter dkimsign_rsa
+listen on all port smtps tls-require pki {{ mx1_mail_domain }} auth <users> filter dkimsign_rsa
+
+action "local_mail" lmtp "/var/dovecot/lmtp" rcpt-to virtual <virtuals>
+action "outbound" relay
+
+{% for domain in mail_domains %}
+match from any for domain {{ domain }} action "local_mail"
+{% endfor %}
+match from local for local action "local_mail"
+match from local for any action "outbound"

ansible/templates/virtuals.conf

@@ -0,0 +1,8 @@
+{% for user in mail_users %}
+{{ user.user }}: vmail
+{% if (user.virtuals is defined) and user.virtuals %}
+{% for virtual in user.virtuals %}
+{{ virtual }}: {{ user.user }}
+{% endfor %}
+{% endif %}
+{% endfor %}