Improve config to prepare for mail server

2024-10-20 18:03:34 +01:00 · 2024-10-20 18:03:34 +01:00 · 8f6420e2d0
commit 8f6420e2d0
parent 1f9584ca11
8 changed files with 57 additions and 8 deletions
--- a/servers/ansible/ansible.cfg
+++ b/servers/ansible/ansible.cfg
@ -1,3 +1,5 @@
 [privilege_escalation]
 become=True
 become_user=root
+[ssh_connection]
+pipelining=True
--- a/servers/ansible/playbook.yaml
+++ b/servers/ansible/playbook.yaml
@ -8,17 +8,17 @@
      ansible.builtin.debug:
        msg: Hello world
    # - name: Copy conduwuit backup
-    #   ansible.builtin.copy:
+    #   ansible.posix.synchronize:
    #     src: ./conduwuit-testing
    #     dest: /var/opt/
    - name: Copy containers
-      ansible.builtin.copy:
+      ansible.posix.synchronize:
        src: ../containers/
        dest: /etc/containers/systemd
    - name: Reload systemd generators
      ansible.builtin.command: sudo systemctl daemon-reload
    - name: Copy traefik config
-      ansible.builtin.copy:
+      ansible.posix.synchronize:
        src: ../traefik/
        dest: /etc/traefik
    - name: Creates traefik state directory
@ -26,7 +26,7 @@
        path: /var/srv/traefik
        state: directory
    - name: Copy kanidm config
-      ansible.builtin.copy:
+      ansible.posix.synchronize:
        src: ../kanidm/
        dest: /etc/kanidm
    - name: Creates kanidm data directory
@ -34,15 +34,15 @@
        path: /var/opt/kanidm_data
        state: directory
    - name: Copy Element Web config
-      ansible.builtin.copy:
+      ansible.posix.synchronize:
        src: ../element-web/
        dest: /etc/element-web
    - name: Copy homepage config
-      ansible.builtin.copy:
+      ansible.posix.synchronize:
        src: ../homepage/
        dest: /etc/homepage
    - name: Copy sentry relay config
-      ansible.builtin.copy:
+      ansible.posix.synchronize:
        src: ../sentry-relay/
        dest: /etc/sentry-relay
    # - name: install linux-system-roles
--- a/servers/containers/conduwuit-testing.container
+++ b/servers/containers/conduwuit-testing.container
@ -3,6 +3,7 @@
 [Unit]
 Description=Conduwuit testing (matrix)
 Wants=network-online.target
+Wants=traefik.service
 After=network-online.target
 Documentation=https://conduwuit.puppyirl.gay/

--- a/servers/containers/conduwuit.container
+++ b/servers/containers/conduwuit.container
@ -3,6 +3,7 @@
 [Unit]
 Description=Conduwuit (matrix)
 Wants=network-online.target
+Wants=traefik.service
 After=network-online.target
 Documentation=https://conduwuit.puppyirl.gay/

--- a/servers/containers/maubot.container
+++ b/servers/containers/maubot.container
@ -4,6 +4,7 @@
 Description=Maubot
 Wants=network-online.target
 After=network-online.target
+After=conduwuit.service
 Documentation=https://docs.mau.fi/maubot/index.html

 [Container]
--- a/servers/containers/traefik-cert-dumper.container
+++ b/servers/containers/traefik-cert-dumper.container
@ -0,0 +1,19 @@
+[Unit]
+Description=traefik cert dumper
+After=traefik.service
+
+
+[Container]
+ContainerName=traefik-cert-dumper
+NoNewPrivileges=true
+Image=ghcr.io/kereis/traefik-certs-dumper:latest
+Volume=/etc/localtime:/etc/localtime:ro
+Volume=/var/srv/traefik:/traefik:ro
+Volume=traefik-certs.volume:/output
+# AutoUpdate=registry
+
+[Service]
+Restart=unless-stopped
+
+[Install]
+WantedBy=default.target
--- a/servers/containers/traefik-certs.volume
+++ b/servers/containers/traefik-certs.volume
@ -0,0 +1 @@
+[Volume]
--- a/servers/containers/traefik.container
+++ b/servers/containers/traefik.container
@ -12,6 +12,12 @@ ContainerName=traefik
 PodmanArgs=--privileged
 NoNewPrivileges=true
 Image=docker.io/library/traefik:3.0
+
+# Static IPs assigned for proxy-protocol trust
+IP=10.89.0.21
+IP6=fd76:6f6d:f45e:ea1a::15
+
+# HTTP(S)
 PublishPort=0.0.0.0:80:80/tcp
 PublishPort=0.0.0.0:443:443/tcp
 PublishPort=0.0.0.0:443:443/udp
@ -26,9 +32,27 @@ PublishPort=0.0.0.0:8448:8448/udp
 PublishPort=[::]:8448:8448/tcp
 PublishPort=[::]:8448:8448/udp

-# PublishPort=8448:8448/tcp
+# SMTP
+PublishPort=0.0.0.0:25:25/tcp
+PublishPort=0.0.0.0:25:25/udp
+PublishPort=[::]:25:25/tcp
+PublishPort=[::]:25:25/udp
+
+# SMTPS
+PublishPort=0.0.0.0:465:465/tcp
+PublishPort=0.0.0.0:465:465/udp
+PublishPort=[::]:465:465/tcp
+PublishPort=[::]:465:465/udp
+
+# IMAPS
+PublishPort=0.0.0.0:465:465/tcp
+PublishPort=0.0.0.0:465:465/udp
+PublishPort=[::]:465:465/tcp
+PublishPort=[::]:465:465/udp
+
 ReadOnly=true
 Volume=/run/podman/podman.sock:/var/run/docker.sock:z
+Volume=/etc/localtime:/etc/localtime:ro
 Volume=/var/srv/traefik:/certificates:z
 Volume=/etc/traefik:/etc/traefik:ro,z
 Volume=kanidm-certs.volume:/kanidm_certs:ro,z