diff --git a/.gitignore b/.gitignore index c393c8d255e59d9f109cddafe552b6eed58f8315..9196865f6d07290beefdae3949a174ed44f41446 100644 --- a/.gitignore +++ b/.gitignore @@ -1,11 +1,2 @@ -# ide files -.idea -*.iml - -# docker config files -docker-compose.yml -.env - -# data for the local installation -config-dynamic/ -volumes/ +*.retry +credentials/ \ No newline at end of file diff --git a/README.md b/README.md index 47f14169fcad7edd87ffd79df11310a086a25b78..f1d4d843fa68ff1ab2a1e98200ecdce3ad23bcca 100644 --- a/README.md +++ b/README.md @@ -15,14 +15,21 @@ For the setup without OnlyOffice, requirements are a bit lower: Disk space only refers to the basic installation. You will need additional space for any emails, documents and files you store on the server. -### Required packages (these should be included with Ubuntu by default) +### Required packages in server (these should be included with Ubuntu by default) - curl - bash +- python3 + +### Other Requirements +- A user with root access or root user. +- Server must have ssh setup and accessible through ssh key based authentication +- Server must be accessible through a public ip. +- A Domain name for your server. # Installation ## Create Ubuntu VM & set reverse DNS -This examplpes uses Hetzner cloud (sorry Gael ;)). +This examplpes uses Hetzner cloud. You can use whatever provider you want. Just make sure to set rdns correctly before running the bootstrap script (works via Webui with some other hosters) ``` 
@@ -30,30 +37,88 @@ $ hcloud server create --image=ubuntu-18.04 --name server1 --type cx31 --ssh-key $ hcloud server set-rdns server1 --hostname mail.example.com ``` -### Start bootstrap process -Login to server as root. Execute this command and follow its on-screen instructions: - -``` -# wget https://gitlab.e.foundation/e/infra/bootstrap/raw/master/bootstrap-generic.sh -# bash bootstrap-generic.sh https://gitlab.e.foundation/e/priv/infra/compose +## Setup the server +The playbook can be run directly on the server or in your personal computer (must have access to server via ssh key based authentication). + +1. Install ansible in the server/personal computer. (For Ubuntu 18.04) + ```bash + sudo apt-get update + sudo apt-get install ansible + ``` + +2. Download the anisble playbook sources in server/personal computer + ```bash + git clone -b ansible https://gitlab.e.foundation/e/priv/infra/compose ansible-ecloud + ``` + +3. Edit the `hosts` file and replace `` with your registered domain name, `` with your public ip address and `` with the user with root access. + ```bash + ansible_host= ansible_ssh_user= ansible_ssh_pipelining=yes ansible_python_interpreter=/usr/bin/python3 + ``` + +4. Edit the `group_vars/all` configuration file and specify +- `ecloud_domain` - with your registered domain name (Required) +- `ecloud_additional_domains` - specify if you want additional domains as email alias. 
(Optional) +- `user_alternate_email_for_signup` - your personal email id (Required) +- `ecloud_install_onlyoffice` - set it `true` if you want to install onlyoffice, else `false` (Required, Default: false) +- `ecloud_gitlab_docker_repo_user` - specify your e-foundation gitlab username (Required, until the repo is made public) +- `ecloud_gitlab_docker_repo_password` - specify your e-foundation gitlab password (Required, until the repo is made public) + ```bash + ecloud_domain: "" + ecloud_additional_domains: [] + user_alternate_email_for_signup: "" + ecloud_install_onlyoffice: false + ecloud_gitlab_docker_repo_user: "" + ecloud_gitlab_docker_repo_password: "" + ... + ... + ... + ``` + +4. Run the playbook to setup up and start your own ecloud server! + ```bash + ansible-playbook -i hosts ecloud.yml --tags=setup + ``` + +5. **Follow the installation and make sure the DNS records are created with your domain registrar as mentioned during execution.** + +6. That's it. If everything goes well, the server must be all set. + +### **Important** : +1. Note down the DKIM DNS record, admin credentials for spam management, e-drive(Nextcloud), Mail server management (Postfixadmin), and **the new user sign up url**. +2. Open the sign up url to create your first ecloud-server account! +3. All credentials are stored as plain-text in the `credentials/` directory. Take the necessary step secure it. +(Preferrably, user can use ansible-vaults to secure them and replace the the password values in `group_vars/all` with the encrypted value) + +# Additional Options + +## Generate Sign Up URL for new user +```bash +ansible-playbook -i hosts ecloud.yml --tags=generate_signup_link --extra-vars="new_user_email=" ``` -**ATTENTION:** -You need to login to gitlab once during this step. 
-(repos will be public later making the bootstrapping run unattended) +## Start/Stop all services +```bash +# For Stopping +ansible-playbook -i hosts ecloud.yml --tags=stop +# For Starting +ansible-playbook -i hosts ecloud.yml --tags=start +``` -# Available Services +## View DNS configuration +```bash +ansible-playbook -i hosts ecloud.yml --tags=dns-configure +``` -You can find login information for these services by running `showInfo.sh`. +## View Admin Credentials +```bash +ansible-playbook -i hosts ecloud.yml --tags=admin-credentials +``` -- $DOMAIN: File hosting with [Nextcloud](https://nextcloud.com/), email with - [rainloop.net](https://www.rainloop.net/) -- welcome.$DOMAIN: Allows users to sign up for a new account (you can create signup links with - `bash /mnt/repo-base/scripts/generate-signup-link.sh`) -- office.$DOMAIN: Create and edit office documents ([onlyoffice.com](https://www.onlyoffice.com/)) +## View DKIM DNS Record +```bash +ansible-playbook -i hosts ecloud.yml --tags=dkim-record +``` -# Administration -- spam.$DOMAIN: Email spam filter ([rspamd.com](https://www.rspamd.com/)) -- mail.$DOMAIN: Administrate email and create accounts ([postfixadmin.sourceforge.net](http://postfixadmin.sourceforge.net/)) diff --git a/config-dynamic/automx/.keep b/config-dynamic/automx/.keep deleted file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000 diff --git a/config-dynamic/letsencrypt/autorenew/.keep b/config-dynamic/letsencrypt/autorenew/.keep deleted file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000 diff --git a/config-dynamic/nginx/sites-enabled/.keep b/config-dynamic/nginx/sites-enabled/.keep deleted file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000 
diff --git a/deployment/questionnaire/answers.dat b/deployment/questionnaire/answers.dat deleted file mode 100644 index 9c6b5f95c6e56f1dfe9e807aa67f208a8d2f0536..0000000000000000000000000000000000000000 --- a/deployment/questionnaire/answers.dat +++ /dev/null @@ -1,4 +0,0 @@ -DOMAIN=maindomain.com -ADD_DOMAINS=domainA.com,domainB.com -ENABLE_POP3=false -DISABLE_RATELIMITING=false \ No newline at end of file diff --git a/deployment/questionnaire/questionnaire.dat b/deployment/questionnaire/questionnaire.dat deleted file mode 100644 index 5fa04c2c04ca20e17dedc5877c19f20ce5e3a9e2..0000000000000000000000000000000000000000 --- a/deployment/questionnaire/questionnaire.dat +++ /dev/null 
@@ -1,36 +0,0 @@ -DOMAIN=Enter your mailserver (management) domain (e.g. domainA.com): -ADD_DOMAINS=Optionally enter additional domain(s) (comma separated, no white spaces) to handle mail for (e.g. domainB.com,domainC.com) or just press enter if you need none: -ALT_EMAIL=Enter alternative email: -INSTALL_ONLYOFFICE=Do you want to install OnlyOffice? [y/n]||||^[yY|nN]$;;;;Please enter 'y' or 'n' - -# Generate and display -RSPAMD_PASSWORD=@@@generate@@@:20@ -NEXTCLOUD_ADMIN_USER=ncadmin_@@@generate@@@:4@ -NEXTCLOUD_ADMIN_PASSWORD=@@@generate@@@:20@ - - -# Generate and use "under the hood" -MYSQL_USER_NC=nc_@@@generate@@@:4@ -MYSQL_PASSWORD_NC=@@@generate@@@:20@ -MYSQL_DATABASE_NC=ncdb_@@@generate@@@:4@ -SMTP_PW=@@@generate@@@:20@ -PFDB_DB=postfix;default -PFDB_USR=postfix;default -MYSQL_ROOT_PASSWORD=@@@generate@@@:20@ -DBPASS=@@@generate@@@:20@ -DBA_PASSWORD=@@@generate@@@:16@ -DRIVE_SMTP_PASSWORD=@@@generate@@@:16@ -POSTFIXADMIN_SSH_PASSWORD=@@@generate@@@:20@ -CREATE_ACCOUNT_PASSWORD=@@@generate@@@:20@ - -PFA_SUPERADMIN_PASSWORD=1@@@generate@@@:16@2 - -# fixed defaults -ENABLE_POP3=false;default -DISABLE_RATELIMITING=false;default -DBA_USER=phpmyadmin;default - -# To be constructed repo specific -#SMTP_FROM=welcome@domainA.com -#VIRTUAL_HOST (for each domain two subdomains autoconfig/autodiscover) -#VHOSTS_ACCOUNTS=welcome.domainA.com diff --git a/deployment/salt/base/docker-compose.sls b/deployment/salt/base/docker-compose.sls deleted file mode 100644 index 16794e97a03eec15f635c3af8b98a652d13dfd5d..0000000000000000000000000000000000000000 --- a/deployment/salt/base/docker-compose.sls +++ /dev/null 
@@ -1,51 +0,0 @@ -upgrade-all: - pkg.uptodate: - - name: update - - refresh: true - cmd.run: - - name: apt-get -y upgrade -o Dpkg::Options::="--force-confold" && apt-get -y autoremove - - shell: /bin/bash - -install-deps: - pkg.installed: - - pkgs: - - apt-transport-https - - ca-certificates - - curl - - software-properties-common - - apache2-utils - - docker.io - - docker-compose - - gnupg2 - - pass - - require: - - upgrade-all - -docker-running: - service.running: - - name: docker - - enable: true - - require: - - install-deps - -cron-renew-ssl-certs: - cron.present: - - name: bash /mnt/repo-base/scripts/ssl-renew.sh - - user: root - - special: '@daily' - - identifier: 'refresh-tls-certs' - -cron-check-updates: - cron.present: - - name: bash /mnt/repo-base/scripts/check-update.sh - - user: root - - special: '@daily' - - identifier: 'check-updates' - -/etc/docker/daemon.json: - file.managed: - - source: salt://docker-daemon.json - - user: root - - group: root - - mode: 644 - - makedirs: True diff --git a/deployment/salt/base/docker-daemon.json b/deployment/salt/base/docker-daemon.json deleted file mode 100644 index 242c7069576e23360592b15fa710a27d059c784d..0000000000000000000000000000000000000000 --- a/deployment/salt/base/docker-daemon.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "log-driver": "json-file", - "log-opts": { - "max-size": "50m", - "max-file": "4" - } -} diff --git a/deployment/salt/init-config/masterless.conf b/deployment/salt/init-config/masterless.conf deleted file mode 100644 index ffa00ee09a80add1b016e1549f7d1bedb9702e30..0000000000000000000000000000000000000000 --- a/deployment/salt/init-config/masterless.conf +++ /dev/null @@ -1,5 +0,0 @@ -file_client: local -minion_id_caching: false -file_roots: - base: - - /mnt/repo-base/deployment/salt/base diff --git a/docs/add_vhost.md b/docs/add_vhost.md deleted file mode 100644 index ae004df6f626f53e60f947e7fd6263a0914702fd..0000000000000000000000000000000000000000 --- a/docs/add_vhost.md +++ /dev/null 
@@ -1,63 +0,0 @@ -## DNS prerequisite -- Add CNAME entry for your new vhost to point to "mail.ecloud.global." - -## Login -ssh root@mail.ecloud.global - -## Execute the script commands below manually verifying each step (not well tested yet) -```shell - -# Tweak variable to your needs -NEWVHOST=thilo-test.ecloud.global - - -# Request cert from LE -echo -e "sub\t$NEWVHOST" >> /mnt/docker/letsencrypt/autrenew/ssl-domains.dat -/mnt/docker/letsencrypt/autrenew/ssl-renew.sh - - -# Add vhost to docker-compose configuration -sed -i "s@VHOSTS_DOMAINS=@VHOSTS_DOMAINS=$NEWVHOST,@g" /mnt/docker/compose/.env - - -# Create dir to host php files -mkdir -p /mnt/docker/www/$NEWVHOST/htdocs/ - -# Create nginx proxy vhost to point to dockered vhost -echo "server { - listen 8000; - server_name ${NEWVHOST}; - return 301 https://\$host\$request_uri; -} -server { - listen 4430 ssl http2; - server_name ${NEWVHOST}; - ssl_certificate /certs/live/${NEWVHOST}/fullchain.pem; - ssl_certificate_key /certs/live/${NEWVHOST}/privkey.pem; - include /etc/nginx/conf/ssl_params; - include /etc/nginx/conf/headers_params; - location / { - add_header Content-Security-Policy upgrade-insecure-requests always; - proxy_pass http://vhosts:80; - include /etc/nginx/conf/proxy_params; - } -}" > /mnt/docker/nginx/sites-enabled/${NEWVHOST}.conf - -# Place file to check it is working -echo "hello world" > /mnt/docker/www/$NEWVHOST/htdocs/index.php -chown www-data: /mnt/docker/www/$NEWVHOST/ -R - -# Restart services to bring changes into effect -cd /mnt/docker/compose && docker-compose up -d -docker restart nginx -``` - -## Final checks -Health check: -- Is this still working or did we break something: https://webmail.ecloud.global/ -- Is new host working? https://thilo-test.ecloud.global - -# Happy hacking -Update you code in /mnt/docker/www/$NEWVHOST/htdocs/ to your liking :) - -Enjoy! 
diff --git a/docs/env_file.md b/docs/env_file.md deleted file mode 100644 index f1713f743ed069531d10b1db1a9993ab6f22d677..0000000000000000000000000000000000000000 --- a/docs/env_file.md +++ /dev/null @@ -1,40 +0,0 @@ -## General configuration -``` -DOMAIN=example.com # the main domain for your installation -ADD_DOMAINS=example.com, example2.com # one or more domains that are used for email -ALT_EMAIL=myname@gmail.com # admin email address -INSTALL_ONLYOFFICE=n # y or n, whether Onlyoffice is installed -``` - -## Nextcloud -``` -NEXTCLOUD_ADMIN_USER=ncadmin_z5BL -NEXTCLOUD_ADMIN_PASSWORD=sxOY26y0wKm1Q8SGhqmZ -``` - -## Mail -``` -RSPAMD_PASSWORD=gsteZuLgWLUNCs5b1Ksz -SMTP_PW=wGfQsTXPD3Ipm8Lfyk8y -PFA_SUPERADMIN_PASSWORD=1oyHLEWikVlKx0bz72 -DISABLE_RATELIMITING=false -DRIVE_SMTP_PASSWORD=FL8D6SRnRWOdyMsN -ENABLE_POP3=false -VIRTUAL_HOST=autoconfig.domaina.pw,autodiscover.domaina.pw -``` - -## Database -``` -MYSQL_USER_NC=nc_0VwU -MYSQL_PASSWORD_NC=LxsjA8bzNuzUcTYtkfof -MYSQL_DATABASE_NC=ncdb_aJWW -PFDB_DB=postfix -PFDB_USR=postfix -MYSQL_ROOT_PASSWORD=RqT9WkfrZ9e6SzX2ARoN -DBPASS=QPpTpgFkLFA2ABPizXwk -DBA_USER=phpmyadmin -DBA_PASSWORD=T1N2tYn7aDILXYNS -``` -VHOSTS_ACCOUNTS=welcome.domaina.pw -SMTP_FROM=welcome@domaina.pw - diff --git a/docs/folders.md b/docs/folders.md deleted file mode 100644 index fafd4121fbc99b3a025ff511f0f2669edf4bca1e..0000000000000000000000000000000000000000 --- a/docs/folders.md +++ /dev/null 
@@ -1,20 +0,0 @@ -Files and Folders -------- - -- `config-dynamic/` Config files that are generated based on templates, and contain hardcoded values like the local domain - -- `config-static/` Config files that are included with the git repo and don't change (except in repo updates) - -- `deployment/` Files that are required for the initial installation - -- `docs/` General project documentation - -- `scripts/` Various scripts that are used for installation, updating and administration - -- `templates/` Used to dynamically generate various config files - -- `volumes/` Docker volumes used to store data for the different applications (eg Nextcloud files, mail data) - -- `.env` Defines passwords and other variables (see [env_file.md](env_file.md) for details) - -- `docker-compose.yml` Defines the Docker images and volumes. Run `docker-compose up -d` to start the services, and `docker-compose down` to stop them. diff --git a/docs/ports.md b/docs/ports.md deleted file mode 100644 index b50019cc9a855b6dc782bfd1bb4d0b86bdf0aef8..0000000000000000000000000000000000000000 --- a/docs/ports.md +++ /dev/null @@ -1,14 +0,0 @@ -Ports -===== - -* `25/tcp` - SMTP - used for incoming mail and sending mail by clients. Plaintext but Postfix requires `STARTTLS` -* `80/tcp` and `443/tcp` - HTTP and HTTPS -* `587/tcp` - the same as SMTP but used to send mail by clients whose `25/tcp` is blocked by their ISP -* `993/tcp` - IMAPS - IMAP over TLS used to fetch email by clients -* `110/tcp` - plaintext POP3 - clients should be using IMAPS instead -* `143/tcp` - plaintext IMAP - clients should be using IMAPS instead -* `465/tcp` - SMTP over TLS - nobody is using it as `STARTTLS` on `25/tcp` does it better -* `995/tcp` - POP3 over TLS - clients should be using IMAPS instead -* `4190/tcp` - Dovecot mail rule modiication service - requires client-side support, we need to decide on this one -* `5222/tcp` - XMPP requires client-side support, we need to decide on this one - 
diff --git a/docs/update_onlyoffice.md b/docs/update_onlyoffice.md deleted file mode 100644 index b3bf922fdfc378d44b782679150f28bbad9134ec..0000000000000000000000000000000000000000 --- a/docs/update_onlyoffice.md +++ /dev/null @@ -1,53 +0,0 @@ -# UPDATE PROCEDURE (expect downtime) - -```shell -# this is knowingly not using compose functionality to stop/rm/pull - -# Stop containers -docker stop onlyoffice-community-server -docker stop onlyoffice-document-server -docker stop onlyoffice-mail-server - -#Create backup copy of files -cp -pR /mnt/docker/onlyoffice{,.bck} - -# Save image IDs of old images to a file -docker images | grep office > /somewhere/a-file.txt - - -docker rm onlyoffice-community-server -docker rm onlyoffice-document-server -docker rm onlyoffice-mail-server - -docker pull onlyoffice/documentserver -docker pull onlyoffice/communityserver -docker pull onlyoffice/mailserver - -# Start again -cd /mnt/docker/compose -docker-compose up -d -``` - -# ROLLBACK IN CASE OF ISSUE (expect downtime) - -```shell -# Stop and delete containers as above - -# Delete new images -docker rmi onlyoffice/documentserver -docker rmi onlyoffice/communityserver -docker rmi onlyoffice/mailserver - -# Retag the previous images version (see a-file.txt) IMAGE iDs to the correct name, e.g.: -docker tag 9a77d093202e onlyoffice/documentserver -docker tag 0e667b917252 onlyoffice/communityserver -dockr tag 6b2398f473ea onlyoffice/mailserver - -# Move current files to yet another location and move previous backup into original location -mv /mnt/docker/onlyoffice /mnt/docker/onlyoffice.bck.rolledback -mv /mnt/docker/onlyoffice.bck /mnt/docker/onlyoffice - -# Start again -cd /mnt/docker/compose -docker-compose up -d -``` \ No newline at end of file diff --git a/ecloud.yml b/ecloud.yml new file mode 100644 index 0000000000000000000000000000000000000000..1bb736269891c638578bcc7dc2fc31142c582123 --- /dev/null +++ b/ecloud.yml 
@@ -0,0 +1,14 @@
+- name: "Set up a ecloud server"
+ hosts: "all"
+ become: true
+
+ roles:
+ - ecloud-base
+ - ecloud-certs
+ - ecloud-database
+ - ecloud-mailserver
+ - ecloud-drive
+ - ecloud-accounts
+ - ecloud-onlyoffice
+ - ecloud-webserver
+ - ecloud-postinstall
\ No newline at end of file
diff --git a/group_vars/all b/group_vars/all
new file mode 100644
index 0000000000000000000000000000000000000000..55498156713f745cd86d71edf79b14bbd4a47f1a
--- /dev/null
+++ b/group_vars/all
@@ -0,0 +1,28 @@
+# MUST SPECIFY
+ecloud_domain: ""
+ecloud_additional_domains: []
+user_alternate_email_for_signup: ""
+ecloud_install_onlyoffice: false
+ecloud_gitlab_docker_repo_user: ""
+ecloud_gitlab_docker_repo_password: ""
+
+# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING
+ecloud_gitlab_docker_repo: "registry.gitlab.e.foundation:5000"
+ecloud_all_domains: "{{ [ ecloud_domain ] + ecloud_additional_domains }}"
+ecloud_mysql_root_password: "{{ lookup('password', 'credentials/mysql_root_password length=20') }}"
+ecloud_nextcloud_admin_user: "ncadmin"
+ecloud_nextcloud_admin_password: "{{ lookup('password', 'credentials/nextcloud_admin_password length=20') }}"
+ecloud_nextcloud_mysql_database: "ncdb"
+ecloud_nextcloud_mysql_user: "ncmysqluser"
+ecloud_nextcloud_mysql_password: "{{ lookup('password', 'credentials/nextcloud_mysql_password length=20') }}"
+ecloud_smtp_password: "{{ lookup('password', 'credentials/smtp_password length=20') }}"
+ecloud_drive_smtp_password: "{{ lookup('password', 'credentials/drive_smtp_password length=20') }}"
+ecloud_rspamd_password: "{{ lookup('password', 'credentials/rspamd_password length=20') }}"
+ecloud_postfix_database: "postfix"
+ecloud_postfix_user: "postfix"
+ecloud_postfix_admin_ssh_password: "{{ lookup('password', 'credentials/postfix_admin_ssh_password length=20') }}"
+ecloud_postfix_superadmin_password: "{{ lookup('password', 'credentials/postfix_superadmin_password length=20') }}"
+ecloud_database_password: "{{ lookup('password', 'credentials/database_password length=20') }}"
+ecloud_database_admin: "phpmyadmin"
+ecloud_database_admin_password: "{{ lookup('password', 'credentials/database_admin_password length=20') }}"
+ecloud_create_account_password: "{{ lookup('password', 'credentials/create_account_password length=20') }}"
\ No newline at end of file
diff --git a/hosts b/hosts
new file mode 100644
index 0000000000000000000000000000000000000000..33210461a1b88136328fa63e3d8def7f8805e2a5
--- /dev/null
+++ b/hosts
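Review bot: `ecloud_gitlab_docker_repo_password` and the other "MUST SPECIFY" values are meant to be filled in directly in `group_vars/all`, a tracked file, so the registry password sits in plaintext in the working tree and lands in git history on the next commit. Keep that secret out of the tracked file, e.g. `ecloud_gitlab_docker_repo_password: "{{ lookup('env', 'ECLOUD_GITLAB_DOCKER_REPO_PASSWORD') }}"` or an ansible-vault file, which the README already suggests for the generated ones. The `lookup('password', 'credentials/...')` entries read an existing file or generate and save a new one, and that path is relative to where the playbook is run, so in the "personal computer" setup the README describes the password files live on the operator's laptop; a comment at the top of this section stating where they land, that `credentials/` must be backed up, and that re-running without it would generate fresh passwords that presumably no longer match the data already in the volumes, would save the next operator a bad day.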
@@ -0,0 +1 @@
+ ansible_host= ansible_ssh_user= ansible_ssh_pipelining=yes ansible_python_interpreter=/usr/bin/python3
\ No newline at end of file
diff --git a/roles/ecloud-accounts/defaults/main.yml b/roles/ecloud-accounts/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..370e121d9879be70af719b2f10f7f8e6885a8111
--- /dev/null
+++ b/roles/ecloud-accounts/defaults/main.yml
@@ -0,0 +1,2 @@
+docker_image_welcome: "registry.gitlab.e.foundation:5000/e/infra/docker-welcome:0.2.2"
+docker_image_create_account: "registry.gitlab.e.foundation:5000/e/infra/docker-create-account:0.1.6"
diff --git a/roles/ecloud-accounts/tasks/main.yml b/roles/ecloud-accounts/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a6b41ee3d2fd812537100519723bfe2d30a2240f
--- /dev/null
+++ b/roles/ecloud-accounts/tasks/main.yml
@@ -0,0 +1,12 @@
+- import_tasks: "{{ role_path }}/tasks/setup.yml"
+ tags:
+ - setup
+
+- import_tasks: "{{ role_path }}/tasks/start.yml"
+ tags:
+ - setup
+ - start
+
+- import_tasks: "{{ role_path }}/tasks/stop.yml"
+ tags:
+ - stop
\ No newline at end of file
diff --git a/roles/ecloud-accounts/tasks/setup.yml b/roles/ecloud-accounts/tasks/setup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..97e0c67ab940c23eee6cd23c301485b4237cfdc9
--- /dev/null
+++ b/roles/ecloud-accounts/tasks/setup.yml
@@ -0,0 +1,22 @@
+- name: Create necessary directories for accounts container
+ file:
+ path: /ecloud/volumes/accounts
+ owner: root
+ group: root
+ state: directory
+ mode: '0755'
+
+- name: Log into e-foundation private docker repository
+ docker_login:
+ registry: "{{ ecloud_gitlab_docker_repo }}"
+ username: "{{ ecloud_gitlab_docker_repo_user }}"
+ password: "{{ ecloud_gitlab_docker_repo_password }}"
+ reauthorize: yes
+
+- name: Ensure accounts Docker image is pulled
+ docker_image:
+ name: "{{ docker_image_welcome }}"
+
+- name: Ensure create-account Docker image is pulled
+ docker_image:
+ name: "{{ docker_image_create_account }}"
\ No newline at end of file
diff --git a/roles/ecloud-accounts/tasks/start.yml b/roles/ecloud-accounts/tasks/start.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0074dd50e297b2214d701f7db16669b5b4d0f980
--- /dev/null
+++ b/roles/ecloud-accounts/tasks/start.yml
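Review bot: The `docker_login` task passes `ecloud_gitlab_docker_repo_password` without `no_log: true`, so the credential shows up in verbose (`-v`) output and in the module's failure message; add `no_log: true` to that task. The same gap exists in the `docker_container` tasks whose `env` carries passwords in `roles/ecloud-accounts/tasks/start.yml` and `roles/ecloud-database/tasks/start.yml`. `docker_login` also leaves the registry credential stored in the Docker client config on the server; if it is only needed for the two pulls that follow, a `docker_login` with `state: absent` after the `docker_image` tasks removes it again.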
@@ -0,0 +1,39 @@
+- name: Starting Accounts container
+ docker_container:
+ image: "{{ docker_image_welcome }}"
+ name: accounts
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ env:
+ DOMAINS: "welcome.{{ ecloud_domain }}"
+ DOMAIN: "{{ ecloud_domain }}"
+ IS_WELCOME: true
+ PFDB_HOST: mariadb
+ PFDB_DB: "{{ ecloud_postfix_database }}"
+ PFDB_USR: "{{ ecloud_postfix_user }}"
+ PFDB_PW: "{{ ecloud_database_password }}"
+ SMTP_HOST: "mail.{{ ecloud_domain }}"
+ SMTP_FROM: "welcome@{{ ecloud_domain }}"
+ SMTP_PW: "{{ ecloud_smtp_password }}"
+ CREATE_ACCOUNT_PASSWORD: "{{ ecloud_create_account_password }}"
+ volumes:
+ - /ecloud/volumes/accounts:/var/accounts
+
+- name: Starting create-account container
+ docker_container:
+ image: "{{ docker_image_create_account }}"
+ name: create-account
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ env:
+ NEXTCLOUD_ADMIN_USER: "{{ ecloud_nextcloud_admin_user }}"
+ NEXTCLOUD_ADMIN_PASSWORD: "{{ ecloud_nextcloud_admin_password }}"
+ POSTFIXADMIN_SSH_PASSWORD: "{{ ecloud_postfix_admin_ssh_password }}"
+ DOMAIN: "{{ ecloud_domain }}"
+ CREATE_ACCOUNT_PASSWORD: "{{ ecloud_create_account_password }}"
\ No newline at end of file
diff --git a/roles/ecloud-accounts/tasks/stop.yml b/roles/ecloud-accounts/tasks/stop.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f90c17328228f1ff92444763206e5bee314365f1
--- /dev/null
+++ b/roles/ecloud-accounts/tasks/stop.yml
@@ -0,0 +1,9 @@
+- name: Stopping accounts container
+ docker_container:
+ name: accounts
+ state: stopped
+
+- name: Stopping create-account container
+ docker_container:
+ name: create-account
+ state: stopped
\ No newline at end of file
diff --git a/roles/ecloud-base/tasks/dns_configure.yml b/roles/ecloud-base/tasks/dns_configure.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ce3da7008d930425f8ccda70af5b7a5891a2a456
--- /dev/null
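Review bot: `IS_WELCOME: true` in the `env` of the accounts container is a YAML boolean rather than a string; `docker_container` documents `env` values as strings and recent releases fail on non-string values (older ones convert with a warning), so quote it as `IS_WELCOME: "true"`. Both containers also set `restart: yes` together with `state: started`, which stops and restarts a matching container on every run, including a plain `--tags=setup` re-run; if that is intended, a one-line comment saying so would stop a reader from "fixing" it.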
+++ b/roles/ecloud-base/tasks/dns_configure.yml 
@@ -0,0 +1,47 @@
+- name: Generating DNS Records
+ shell: |
+ rm -f /ecloud/config/dnsrecords.txt
+ echo "RECORD,|,HOST,|,VALUE,|,PRIORITY" >> /ecloud/config/dnsrecords.txt
+ echo "------,|,----,|,-----,|,--------" >> /ecloud/config/dnsrecords.txt
+ echo "A,|,mail.{{ ecloud_domain }},|,,|,-" >> /ecloud/config/dnsrecords.txt
+- shell: |
+ echo "A,|,{{ item }},|,,|,-" >> /ecloud/config/dnsrecords.txt
+ with_items: "{{ ecloud_all_domains }}"
+- shell: |
+ echo "MX,|,{{ item }},|,,|,10" >> /ecloud/config/dnsrecords.txt
+ with_items: "{{ ecloud_all_domains }}"
+- shell: |
+ echo "PTR (For Reverse DNS),|,,|,mail.{{ ecloud_domain }},|,-" >> /ecloud/config/dnsrecords.txt
+- shell: |
+ echo "CNAME,|,autoconfig.{{ item }},|,,|,-" >> /ecloud/config/dnsrecords.txt
+ echo "CNAME,|,autodiscover.{{ item }},|,,|,-" >> /ecloud/config/dnsrecords.txt
+ with_items: "{{ ecloud_all_domains }}"
+- shell: |
+ echo "CNAME,|,spam.{{ ecloud_domain }},|,mail.{{ ecloud_domain }},|,-" >> /ecloud/config/dnsrecords.txt
+ echo "CNAME,|,welcome.{{ ecloud_domain }},|,mail.{{ ecloud_domain }},|,-" >> /ecloud/config/dnsrecords.txt
+ echo "CNAME,|,office.{{ ecloud_domain }},|,mail.{{ ecloud_domain }},|,-" >> /ecloud/config/dnsrecords.txt
+ column "/ecloud/config/dnsrecords.txt" -t -s ","
+ register: dnsrecords
+
+- name: "===================================<-DNS Records->======================================="
+ debug:
+ msg: "{{ dnsrecords.stdout.split('\n') }}"
+
+- name: "Confirm DNS records"
+ pause:
+ prompt: 'Please verify that the DNS records are configured correctly! Press "Enter" to continue.'
+
+- name: "Checking if DNS is configured correctly"
+ shell: |
+ IP=$(dig mail.{{ ecloud_domain }}| grep mail.{{ ecloud_domain }} | grep -v '^;' | awk '{ print $NF }')
+ if [ -z "$IP" ]
+ then
+ echo "mail.{{ ecloud_domain }} not resolving to IP"
+ exit 1
+ fi
+ PTR=$(nslookup $IP | grep "name = mail.{{ ecloud_domain }}" | wc -l)
+ if [ "1" != "$PTR" ]
+ then
+ echo "$IP not resolving to mail.{{ ecloud_domain }} (PTR record missing or wrong.."
+ exit 1
+ fi
\ No newline at end of file
diff --git a/roles/ecloud-base/tasks/docker_setup.yml b/roles/ecloud-base/tasks/docker_setup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..faa42213bc24dcf1e0dc793b67096e21f074ffd5
--- /dev/null
+++ b/roles/ecloud-base/tasks/docker_setup.yml
@@ -0,0 +1,10 @@
+- name: Ensure Docker is running
+ service:
+ name: "docker"
+ state: started
+ enabled: yes
+
+- name: Creating Docker network
+ docker_network:
+ name: serverbase
+ driver: bridge
\ No newline at end of file
diff --git a/roles/ecloud-base/tasks/main.yml b/roles/ecloud-base/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e5c15cf253c3d2dd71742713e29d9dafb77b3789
--- /dev/null
+++ b/roles/ecloud-base/tasks/main.yml
@@ -0,0 +1,12 @@
+- import_tasks: "{{ role_path }}/tasks/setup.yml"
+ tags:
+ - setup
+
+- import_tasks: "{{ role_path }}/tasks/dns_configure.yml"
+ tags:
+ - setup
+ - dns-configure
+
+- import_tasks: "{{ role_path }}/tasks/docker_setup.yml"
+ tags:
+ - setup
\ No newline at end of file
diff --git a/roles/ecloud-base/tasks/setup.yml b/roles/ecloud-base/tasks/setup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fd13d677d0489bbe443716c0e4c409bef3fb8843
--- /dev/null
+++ b/roles/ecloud-base/tasks/setup.yml
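Review bot: The DNS check in the last task of `dns_configure.yml` uses `$IP` unquoted in `nslookup $IP`, and the `dig` pipeline keeps every non-comment line that mentions the host, so a CNAME answer or several A records produce a multi-line `$IP` and the PTR comparison then fails or tests the wrong address. `dig +short` returns only the answer data and `-x` does the reverse lookup without `nslookup`: `IP=$(dig +short A "mail.{{ ecloud_domain }}" | tail -n 1)` and `PTR=$(dig +short -x "$IP" | grep -cFx "mail.{{ ecloud_domain }}.")`. `ecloud_domain` is also interpolated verbatim into shell text here and in the `echo` tasks above; it is operator-supplied, but a format check on it in the required-variables task would keep a typo containing shell metacharacters from being executed as shell. `dig` and `nslookup` come from `dnsutils`, which is not in the package list in `roles/ecloud-base/tasks/setup.yml`; unless the base image is known to ship it, add it there.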
@@ -0,0 +1,58 @@
+- name: Upgrade all packages to the latest version
+ apt:
+ name: "*"
+ state: latest
+ update_cache: yes
+ force_apt_get: yes
+ when: ansible_facts['distribution'] == "Ubuntu"
+
+- name: Ensure all APT package dependencies are installed (Ubuntu)
+ apt:
+ name:
+ - apt-transport-https
+ - ca-certificates
+ - curl
+ - software-properties-common
+ - apache2-utils
+ - docker.io
+ - docker-compose
+ - gnupg2
+ - pass
+ - python3-pip
+ - virtualenv
+ state: present
+ update_cache: yes
+ force_apt_get: yes
+ when: ansible_facts['distribution'] == "Ubuntu"
+
+- pip:
+ name: docker
+ executable: pip3
+
+- name: Remove dependencies that are no longer required
+ apt:
+ autoremove: yes
+ force_apt_get: yes
+ when: ansible_facts['distribution'] == "Ubuntu"
+
+
+- name: Fail if required variables are undefined
+ fail:
+ msg: "The `{{ item }}` variable must be defined and have a non-null value"
+ with_items:
+ - ecloud_domain
+ - ecloud_additional_domains
+ - ecloud_install_onlyoffice
+ when: "item not in vars or vars[item] is none"
+
+- name: Create ecloud directory structure
+ file:
+ path: "{{ item }}"
+ owner: root
+ group: root
+ state: directory
+ mode: '0755'
+ with_items:
+ - /ecloud
+ - /ecloud/config
+ - /ecloud/volumes
\ No newline at end of file
diff --git a/roles/ecloud-certs/defaults/main.yml b/roles/ecloud-certs/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8080087fdcf1880e36121275f824d31c37576a5d
--- /dev/null
+++ b/roles/ecloud-certs/defaults/main.yml
@@ -0,0 +1 @@
+docker_image_letsencrypt: "certbot/certbot:v0.33.1"
\ No newline at end of file
diff --git a/roles/ecloud-certs/tasks/letsencrypt_obtain_cert.yml b/roles/ecloud-certs/tasks/letsencrypt_obtain_cert.yml
new file mode 100644
index 0000000000000000000000000000000000000000..20e7786e35d6ef654d6b5648025890a11f85b56a
--- /dev/null
+++ b/roles/ecloud-certs/tasks/letsencrypt_obtain_cert.yml
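Review bot: The "Fail if required variables are undefined" task only catches a missing or `none` value, but `group_vars/all` ships `ecloud_domain: ""`, so an operator who forgets to fill it in passes this check and the play carries on building hostnames like `mail.` from an empty domain. Test for empty strings as well, `when: "item not in vars or vars[item] is none or (vars[item] is string and vars[item] | trim == '')"`, and add `user_alternate_email_for_signup`, `ecloud_gitlab_docker_repo_user` and `ecloud_gitlab_docker_repo_password` to the list, since the README marks them as required. The check also runs after the full `apt` upgrade and the `pip` install; placing it first in this file fails fast before anything is changed on the host.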
@@ -0,0 +1,57 @@
+- debug:
+ msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"
+ tags:
+ - setup
+
+- set_fact:
+ domain_name_certificate_path: "/ecloud/config/letsencrypt/certstore/live/{{ domain_name }}/fullchain.pem"
+ tags:
+ - setup
+
+- name: Check if a certificate for the domain already exists
+ stat:
+ path: "{{ domain_name_certificate_path }}"
+ register: domain_name_certificate_path_stat
+ tags:
+ - setup
+
+- set_fact:
+ domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
+ tags:
+ - setup
+
+- debug:
+ msg: "Certificates are already present. Skipping certificate retrivel!"
+ when: "not domain_name_needs_cert"
+ tags:
+ - setup
+
+- name: Attempt SSL certificate retrieval with Certbot
+ shell: >-
+ docker run
+ -t
+ --rm
+ -v /ecloud/config/letsencrypt/certstore:/etc/letsencrypt
+ -p 0.0.0.0:80:80 -p 0.0.0.0:443:443
+ {{ docker_image_letsencrypt }}
+ certonly
+ --non-interactive
+ --agree-tos
+ -m admin@{{ domain_name }}
+ -d {{ domain_name }}
+ --standalone
+ when: domain_name_needs_cert|bool
+ register: result_certbot_direct
+ ignore_errors: true
+ tags:
+ - setup
+
+- name: Fail if all SSL certificate retrieval attempts failed
+ fail:
+ msg: |
+ Failed to obtain a certificate directly using Let's encrypt certbot
+ and no existing certificate is present as {{ domain_name_certificate_path }}
+ See above for details.
+ when: "domain_name_needs_cert and result_certbot_direct.failed"
+ tags:
+ - setup
\ No newline at end of file
diff --git a/roles/ecloud-certs/tasks/main.yml b/roles/ecloud-certs/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ffcbe5c2201ae901fd4c1f97f110946b2a4a5896
--- /dev/null
+++ b/roles/ecloud-certs/tasks/main.yml
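Review bot: The certbot call registers the ACME contact as `-m admin@{{ domain_name }}`, which for the looped names means addresses like `admin@autoconfig.<domain>` and `admin@spam.<domain>` that are unlikely to be real mailboxes, so expiry warnings for those certificates go nowhere. Use one operator-owned address for every iteration, e.g. `-m admin@{{ ecloud_domain }}` or `-m {{ user_alternate_email_for_signup }}`. `--standalone` binds host ports 80 and 443 for each domain in turn; on a later run that adds a domain after the web server role is up, that bind will presumably fail, and the message in the `fail` task could say so. Nothing in this role schedules renewal; if `ecloud-postinstall` takes care of it, a comment here pointing there helps the next reader.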
@@ -0,0 +1,18 @@
+- import_tasks: "{{ role_path }}/tasks/setup.yml"
+ tags:
+ - setup
+
+- name: Obtaining certificates using Let's Encrypt Certbot
+ include_tasks: "{{ role_path }}/tasks/letsencrypt_obtain_cert.yml"
+ with_flattened:
+ - "{{ ecloud_all_domains }}"
+ - "mail.{{ ecloud_domain }}"
+ - "spam.{{ ecloud_domain }}"
+ - "welcome.{{ ecloud_domain }}"
+ - "office.{{ ecloud_domain }}"
+ - "{{ ecloud_all_domains | map('regex_replace','^','autoconfig.') | list }}"
+ - "{{ ecloud_all_domains | map('regex_replace','^','autodiscover.') | list }}"
+ loop_control:
+ loop_var: domain_name
+ tags:
+ - setup
\ No newline at end of file
diff --git a/roles/ecloud-certs/tasks/setup.yml b/roles/ecloud-certs/tasks/setup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f5f782feba5938f9ecef39fdeda21bc1322a8df1
--- /dev/null
+++ b/roles/ecloud-certs/tasks/setup.yml
@@ -0,0 +1,14 @@
+- name: Create Let's Encrypt config directory
+ file:
+ path: "{{ item }}"
+ owner: root
+ group: root
+ state: directory
+ mode: '0755'
+ with_items:
+ - /ecloud/config/letsencrypt/certstore
+ - /ecloud/config/letsencrypt/acme-challenge
+
+- name: Ensure certbot Docker image is pulled
+ docker_image:
+ name: "{{ docker_image_letsencrypt }}"
\ No newline at end of file
diff --git a/roles/ecloud-database/defaults/main.yml b/roles/ecloud-database/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5987be506c62616ee82fa87c0d3d62ec35bb6c3e
--- /dev/null
+++ b/roles/ecloud-database/defaults/main.yml
@@ -0,0 +1,2 @@
+docker_image_mariadb: "mariadb:10.3"
+docker_image_redis: "redis:4.0-alpine"
\ No newline at end of file
diff --git a/roles/ecloud-database/tasks/main.yml b/roles/ecloud-database/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a6b41ee3d2fd812537100519723bfe2d30a2240f
--- /dev/null
+++ b/roles/ecloud-database/tasks/main.yml
@@ -0,0 +1,12 @@
+- import_tasks: "{{ role_path }}/tasks/setup.yml"
+ tags:
+ - setup
+
+- import_tasks: "{{ role_path }}/tasks/start.yml"
+ tags:
+ - setup
+ - start
+
+- import_tasks: "{{ role_path }}/tasks/stop.yml"
+ tags:
+ - stop
\ No newline at end of file
diff --git a/roles/ecloud-database/tasks/setup.yml b/roles/ecloud-database/tasks/setup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7eecad30a6d8fb2cade313cdc8899a1dda5013bc
--- /dev/null
+++ b/roles/ecloud-database/tasks/setup.yml
@@ -0,0 +1,19 @@
+- name: Create necessary directories for mariadb and redis container
+ file:
+ path: "{{ item }}"
+ owner: root
+ group: root
+ state: directory
+ mode: '0755'
+ with_items:
+ - /ecloud/volumes/mysql/db
+ - /ecloud/config/nextcloud/database
+ - /ecloud/volumes/redis/db
+
+- name: Ensure mariadb Docker image is pulled
+ docker_image:
+ name: "{{ docker_image_mariadb }}"
+
+- name: Ensure redis Docker image is pulled
+ docker_image:
+ name: "{{ docker_image_redis }}"
\ No newline at end of file
diff --git a/roles/ecloud-database/tasks/start.yml b/roles/ecloud-database/tasks/start.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1a676c3e97839d8e15b96b6eb20a4e4a64ff66d0
--- /dev/null
+++ b/roles/ecloud-database/tasks/start.yml
@@ -0,0 +1,30 @@
+- name: Starting MariaDB container
+ docker_container:
+ name: mariadb
+ image: "{{ docker_image_mariadb }}"
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ env:
+ MYSQL_ROOT_PASSWORD: "{{ ecloud_mysql_root_password }}"
+ MYSQL_DATABASE: "{{ ecloud_postfix_database }}"
+ MYSQL_USER: "{{ ecloud_postfix_user }}"
+ MYSQL_PASSWORD: "{{ ecloud_database_password }}"
+ volumes:
+ - /ecloud/volumes/mysql/db:/var/lib/mysql
+ - /ecloud/config/nextcloud/database:/docker-entrypoint-initdb.d
+
+- name: Starting Redis container
+ docker_container:
+ name: redis
+ image: "{{ docker_image_redis }}"
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ command: redis-server --appendonly yes
+ volumes:
+ - /ecloud/volumes/redis/db:/data
\ No newline at end of file
diff --git a/roles/ecloud-database/tasks/stop.yml b/roles/ecloud-database/tasks/stop.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2cea73561a0f2aa3bacb0ac8253654e52beaa7d9
--- /dev/null
+++ b/roles/ecloud-database/tasks/stop.yml
@@ -0,0 +1,9 @@
+- name: Stopping mariadb container
+ docker_container:
+ name: mariadb
+ state: stopped
+
+- name: Stopping redis container
+ docker_container:
+ name: redis
+ state: stopped
\ No newline at end of file
diff --git a/roles/ecloud-drive/defaults/main.yml b/roles/ecloud-drive/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f3ba2c7591968adfafa4521154f06dbf58ab1f45
--- /dev/null
+++ b/roles/ecloud-drive/defaults/main.yml
@@ -0,0 +1 @@
+docker_image_nextcloud: "nextcloud:15.0.8"
diff --git a/roles/ecloud-drive/tasks/main.yml b/roles/ecloud-drive/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a6b41ee3d2fd812537100519723bfe2d30a2240f
--- /dev/null
+++ b/roles/ecloud-drive/tasks/main.yml
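Review bot: `restart: yes` on both `docker_container` tasks forces a container restart on every run of the `setup`/`start` tags even when nothing changed, so re-running the playbook bounces MariaDB and Redis underneath the application containers; the same option is set in the drive, mailserver and onlyoffice start.yml files. `state: started` with `restart_policy: always` already recreates a container whose configuration changed, so `restart: yes` should be dropped unless a forced bounce is really intended. `MYSQL_ROOT_PASSWORD` is also passed as container environment, where it stays readable via `docker inspect mariadb` for the container's lifetime; since `/docker-entrypoint-initdb.d` is mounted anyway, a `MYSQL_ROOT_PASSWORD_FILE`-style secret file is an option if this image version supports it.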
@@ -0,0 +1,12 @@
+- import_tasks: "{{ role_path }}/tasks/setup.yml"
+ tags:
+ - setup
+
+- import_tasks: "{{ role_path }}/tasks/start.yml"
+ tags:
+ - setup
+ - start
+
+- import_tasks: "{{ role_path }}/tasks/stop.yml"
+ tags:
+ - stop
\ No newline at end of file
diff --git a/roles/ecloud-drive/tasks/setup.yml b/roles/ecloud-drive/tasks/setup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..923c2fcd66b140f4de8166f6067e8683bf8ea025
--- /dev/null
+++ b/roles/ecloud-drive/tasks/setup.yml
@@ -0,0 +1,24 @@
+- name: Create necessary directories for Nextcloud container
+ file:
+ path: "{{ item }}"
+ owner: www-data
+ group: www-data
+ state: directory
+ mode: '0755'
+ with_items:
+ - /ecloud/volumes/nextcloud
+ - /ecloud/volumes/nextcloud/html
+ - /ecloud/volumes/nextcloud/custom_apps
+ - /ecloud/volumes/nextcloud/config
+ - /ecloud/volumes/nextcloud/data
+
+- name: Copy Nextcloud configuration to server
+ template:
+ src: "{{ role_path }}/templates/config.j2"
+ dest: /ecloud/volumes/nextcloud/config/config.php
+ owner: www-data
+ group: www-data
+
+- name: Ensure Nextcloud Docker image is pulled
+ docker_image:
+ name: "{{ docker_image_nextcloud }}"
\ No newline at end of file
diff --git a/roles/ecloud-drive/tasks/start.yml b/roles/ecloud-drive/tasks/start.yml
new file mode 100644
index 0000000000000000000000000000000000000000..23ddc646addeac382dbd8a9506225dea2f2b7616
--- /dev/null
+++ b/roles/ecloud-drive/tasks/start.yml
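Review bot: The `template:` task that writes config.php sets owner and group but no `mode:`, so the file gets the remote default (typically 0644 under umask 022), leaving `mail_smtppassword` and `db_password` from config.j2 readable by every local account on the host; add `mode: '0640'` to the task. The `/ecloud/volumes/nextcloud/data` directory is created `0755` as well, which makes the user data tree world-listable on the host — `'0750'` is enough for the www-data-owned container paths. The automx template and the dovecot `copy:` in roles/ecloud-mailserver/tasks/setup.yml have the same missing `mode:`, though those files carry no secrets in this diff.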
@@ -0,0 +1,21 @@
+- name: Starting Nextcloud container
+ docker_container:
+ image: "{{ docker_image_nextcloud }}"
+ name: nextcloud
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ env:
+ MYSQL_DATABASE: "{{ ecloud_nextcloud_mysql_database }}"
+ MYSQL_USER: "{{ ecloud_nextcloud_mysql_user }}"
+ MYSQL_PASSWORD: "{{ ecloud_nextcloud_mysql_password }}"
+ MYSQL_HOST: mariadb
+ NEXTCLOUD_ADMIN_USER: "{{ ecloud_nextcloud_admin_user }}"
+ NEXTCLOUD_ADMIN_PASSWORD: "{{ ecloud_nextcloud_admin_password }}"
+ volumes:
+ - /ecloud/volumes/nextcloud/html:/var/www/html/
+ - /ecloud/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/
+ - /ecloud/volumes/nextcloud/config:/var/www/html/config/
+ - /ecloud/volumes/nextcloud/data:/var/www/html/data/
\ No newline at end of file
diff --git a/roles/ecloud-drive/tasks/stop.yml b/roles/ecloud-drive/tasks/stop.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5978f45f16f3a533f7d2f32711a928eba7aef966
--- /dev/null
+++ b/roles/ecloud-drive/tasks/stop.yml
@@ -0,0 +1,4 @@
+- name: Stopping nextcloud container
+ docker_container:
+ name: nextcloud
+ state: stopped
\ No newline at end of file
diff --git a/templates/nextcloud/config.php b/roles/ecloud-drive/templates/config.j2
similarity index 77%
rename from templates/nextcloud/config.php
rename to roles/ecloud-drive/templates/config.j2
index e1dcc922838e5070282410168e90018cd72c4dc3..5d643f98362841b450efee0b28cb9bf5ec8bcbe5 100644
--- a/templates/nextcloud/config.php
+++ b/roles/ecloud-drive/templates/config.j2
@@ -1,6 +1,6 @@
'https://mail.@@@DOMAIN@@@/users/password-recover.php',
+ 'lost_password_link' => 'https://mail.{{ ecloud_domain }}/users/password-recover.php',
 'htaccess.RewriteBase' => '/',
 'memcache.local' => '\\OC\\Memcache\\APCu',
 'apps_paths' =>
@@ -20,21 +20,21 @@ $CONFIG = array (
 ),
 'trusted_domains' =>
 array (
- 0 => '@@@DOMAIN@@@',
+ 0 => '{{ ecloud_domain }}',
 ),
 'datadirectory' => '/var/www/html/data',
- 'overwrite.cli.url' => 'https://@@@DOMAIN@@@',
+ 'overwrite.cli.url' => 'https://{{ ecloud_domain }}',
 'overwriteprotocol' => 'https',
 'mysql.utf8mb4' => true,
 'maintenance' => true,
 'mail_from_address' => 'drive',
 'mail_smtpmode' => 'smtp',
 'mail_smtpauthtype' => 'PLAIN',
- 'mail_domain' => '@@@DOMAIN@@@',
+ 'mail_domain' => '{{ ecloud_domain }}',
 'mail_smtpauth' => 1,
- 'mail_smtphost' => 'mail.@@@DOMAIN@@@',
- 'mail_smtpname' => 'drive@@@@DOMAIN@@@',
- 'mail_smtppassword' => '@@@DRIVE_SMTP_PASSWORD@@@',
+ 'mail_smtphost' => 'mail.{{ ecloud_domain }}',
+ 'mail_smtpname' => 'drive@{{ ecloud_domain }}',
+ 'mail_smtppassword' => '{{ ecloud_drive_smtp_password }}',
 'mail_smtpport' => '587',
 'mail_smtpsecure' => 'tls',
 'installed' => false,
@@ -43,9 +43,9 @@ $CONFIG = array (
 'db_type' => 'mariadb',
 'db_host' => 'mariadb',
 'db_port' => '3306',
- 'db_name' => 'postfix',
- 'db_user' => 'postfix',
- 'db_password' => '@@@PFDB_DBPASS@@@',
+ 'db_name' => '{{ ecloud_postfix_database }}',
+ 'db_user' => '{{ ecloud_postfix_user }}',
+ 'db_password' => '{{ ecloud_database_password }}',
 'mariadb_charset' => 'utf8mb4',
 'queries' =>
 array (
diff --git a/roles/ecloud-mailserver/defaults/main.yml b/roles/ecloud-mailserver/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d9227568e45bf8bcf8562c9ad71a51d959511fb9
--- /dev/null
+++ b/roles/ecloud-mailserver/defaults/main.yml
@@ -0,0 +1,7 @@
+docker_image_mailserver: "hardware/mailserver:1.1-stable"
+docker_image_postfixadmin: "registry.gitlab.e.foundation:5000/e/infra/docker-postfixadmin:0.1.2"
+docker_image_automx: "registry.gitlab.e.foundation:5000/e/infra/docker-mailstack:automx-0.1.0"
+
+automx_virtual_host: "{{ ecloud_all_domains | map('regex_replace','^','autoconfig.') | list | join(',') }},{{ ecloud_all_domains | map('regex_replace','^','autodiscover.') | list | join(',') }}"
+enable_pop3: false
+disable_ratelimiting: false
\ No newline at end of file
diff --git a/config-static/mail/dovecot/10-mail.conf b/roles/ecloud-mailserver/files/dovecot/10-mail.conf
similarity index 100%
rename from config-static/mail/dovecot/10-mail.conf
rename to roles/ecloud-mailserver/files/dovecot/10-mail.conf
diff --git a/config-static/mail/dovecot/90-quota.conf b/roles/ecloud-mailserver/files/dovecot/90-quota.conf
similarity index 100%
rename from config-static/mail/dovecot/90-quota.conf
rename to roles/ecloud-mailserver/files/dovecot/90-quota.conf
diff --git a/config-static/mail/dovecot/90-sieve.conf b/roles/ecloud-mailserver/files/dovecot/90-sieve.conf
similarity index 100%
rename from config-static/mail/dovecot/90-sieve.conf
rename to roles/ecloud-mailserver/files/dovecot/90-sieve.conf
diff --git a/roles/ecloud-mailserver/tasks/main.yml b/roles/ecloud-mailserver/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a6b41ee3d2fd812537100519723bfe2d30a2240f
--- /dev/null
+++ b/roles/ecloud-mailserver/tasks/main.yml
@@ -0,0 +1,12 @@
+- import_tasks: "{{ role_path }}/tasks/setup.yml"
+ tags:
+ - setup
+
+- import_tasks: "{{ role_path }}/tasks/start.yml"
+ tags:
+ - setup
+ - start
+
+- import_tasks: "{{ role_path }}/tasks/stop.yml"
+ tags:
+ - stop
\ No newline at end of file
diff --git a/roles/ecloud-mailserver/tasks/setup.yml b/roles/ecloud-mailserver/tasks/setup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ddf5a6f7beca41bc25dde0b6c50b4d0067cf498e
--- /dev/null
+++ b/roles/ecloud-mailserver/tasks/setup.yml
@@ -0,0 +1,42 @@
+- name: Create necessary directories for mailserver container
+ file:
+ path: "{{ item }}"
+ owner: root
+ group: root
+ state: directory
+ mode: '0755'
+ with_items:
+ - /ecloud/volumes/mail
+ - /ecloud/config/mail/dovecot
+ - /ecloud/config/automx
+
+- name: Copy mailserver configuration to server
+ copy:
+ src: "{{ role_path }}/files/dovecot/"
+ dest: /ecloud/config/mail/dovecot
+
+- name: Copy automx configuration to server
+ template:
+ src: "{{ role_path }}/templates/automx.j2"
+ dest: /ecloud/config/automx/automx.conf
+ owner: www-data
+ group: www-data
+
+- name: Log into e-foundation private docker repository
+ docker_login:
+ registry: "{{ ecloud_gitlab_docker_repo }}"
+ username: "{{ ecloud_gitlab_docker_repo_user }}"
+ password: "{{ ecloud_gitlab_docker_repo_password }}"
+ reauthorize: yes
+
+- name: Ensure mailserver Docker image is pulled
+ docker_image:
+ name: "{{ docker_image_mailserver }}"
+
+- name: Ensure postfixadmin Docker image is pulled
+ docker_image:
+ name: "{{ docker_image_postfixadmin }}"
+
+- name: Ensure automx Docker image is pulled
+ docker_image:
+ name: "{{ docker_image_automx }}"
\ No newline at end of file
diff --git a/roles/ecloud-mailserver/tasks/start.yml b/roles/ecloud-mailserver/tasks/start.yml
new file mode 100644
index 0000000000000000000000000000000000000000..03b377bf60f7add0dac395fb5f4312453524ac32
--- /dev/null
+++ b/roles/ecloud-mailserver/tasks/start.yml
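Review bot: The `docker_login` task stores the GitLab registry credentials in the root user's Docker client config (normally `~/.docker/config.json`, base64-encoded only) and nothing removes them after the three `docker_image` pulls that follow, so the token stays on every provisioned server indefinitely. A matching logout at the end of the setup tasks (`docker_login:` with the same `registry:` and `state: absent`) bounds that exposure, and `no_log: true` on the login task keeps the password out of verbose task output. The `copy:` of the dovecot files and the automx `template:` also set no `mode:`; not a secret issue here, but pinning `mode: '0644'` makes the result independent of the remote umask.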
@@ -0,0 +1,66 @@
+- name: Starting mailserver container
+ docker_container:
+ image: "{{ docker_image_mailserver }}"
+ name: mailserver
+ domainname: "{{ ecloud_domain }}" # Mail server A/MX/FQDN & reverse PTR = mail.${DOMAIN}.
+ hostname: mail
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ ports:
+ - "25:25" # SMTP - Required
+ - "110:110" # POP3 STARTTLS - Optional - For webmails/desktop clients
+ - "143:143" # IMAP STARTTLS - Optional - For webmails/desktop clients
+ # - "465:465" # SMTPS SSL/TLS - Optional - Enabled for compatibility reason, otherwise disabled
+ - "587:587" # Submission STARTTLS - Optional - For webmails/desktop clients
+ - "993:993" # IMAPS SSL/TLS - Optional - For webmails/desktop clients
+ - "995:995" # POP3S SSL/TLS - Optional - For webmails/desktop clients
+ - "4190:4190" # SIEVE STARTTLS - Optional - Recommended for mail filtering
+ env:
+ DBPASS: "{{ ecloud_database_password }}"
+ RSPAMD_PASSWORD: "{{ ecloud_rspamd_password }}"
+ ADD_DOMAINS: "{{ ecloud_all_domains|join(',') }}"
+ ENABLE_POP3: "{{ enable_pop3 }}"
+ DISABLE_RATELIMITING: "{{ disable_ratelimiting }}"
+ RELAY_NETWORKS: 172.16.0.0/12
+ volumes:
+ - /ecloud/volumes/mail:/var/mail
+ - /ecloud/config/letsencrypt/certstore:/etc/letsencrypt
+ - /ecloud/config/mail/dovecot/10-mail.conf:/etc/dovecot/conf.d/10-mail.conf
+ - /ecloud/config/mail/dovecot/90-quota.conf:/etc/dovecot/conf.d/90-quota.conf
+ - /ecloud/config/mail/dovecot/90-sieve.conf:/etc/dovecot/conf.d/90-sieve.conf
+
+- name: Starting postfixadmin container
+ docker_container:
+ image: "{{ docker_image_postfixadmin }}"
+ name: postfixadmin
+ domainname: "{{ ecloud_domain }}"
+ hostname: mail
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ env:
+ DBPASS: "{{ ecloud_database_password }}"
+ POSTFIXADMIN_SSH_PASSWORD: "{{ ecloud_postfix_admin_ssh_password }}"
+
+- name: Starting automx container
+ docker_container:
+ image: "{{ docker_image_automx }}"
+ name: automx
+ domainname: "{{ ecloud_domain }}"
+ hostname: automx
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ env:
+ VIRTUAL_HOST: "{{ automx_virtual_host }}"
+ DOMAIN: "{{ ecloud_domain }}"
+ HOSTNAME: automx
+ volumes:
+ - /ecloud/config/automx/automx.conf:/etc/automx.conf
\ No newline at end of file
diff --git a/roles/ecloud-mailserver/tasks/stop.yml b/roles/ecloud-mailserver/tasks/stop.yml
new file mode 100644
index 0000000000000000000000000000000000000000..91d71ac2f8c64f31071c7393bedd505caa1016b3
--- /dev/null
+++ b/roles/ecloud-mailserver/tasks/stop.yml
@@ -0,0 +1,14 @@
+- name: Stopping mailserver container
+ docker_container:
+ name: mailserver
+ state: stopped
+
+- name: Stopping postfixadmin container
+ docker_container:
+ name: postfixadmin
+ state: stopped
+
+- name: Stopping automx container
+ docker_container:
+ name: automx
+ state: stopped
\ No newline at end of file
diff --git a/templates/automx/automx.conf b/roles/ecloud-mailserver/templates/automx.j2
similarity index 91%
rename from templates/automx/automx.conf
rename to roles/ecloud-mailserver/templates/automx.j2
index 8c69952ab92cde571995fe37195eb272520d70be..7ae31660b58f902d1ea08012af4b2f1984bf29bd 100644
--- a/templates/automx/automx.conf
+++ b/roles/ecloud-mailserver/templates/automx.j2
@@ -1,7 +1,7 @@
 # file: /etc/automx.conf
 [automx]
-provider = @@@DOMAIN@@@
+provider = {{ ecloud_domain }}
 domains = *
 #debug = yes
@@ -37,7 +37,7 @@ action = settings
 #sign_key = /certs/autodiscover.eelo.io.key
 smtp = yes
-smtp_server = mail.@@@DOMAIN@@@
+smtp_server = mail.{{ ecloud_domain }}
 smtp_port = 587
 smtp_encryption = starttls
 smtp_auth = plaintext
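Review bot: `RELAY_NETWORKS: 172.16.0.0/12` lets every host in that RFC 1918 range relay through postfix without authentication; on this server that is every Docker network, so a compromised nextcloud or onlyoffice container can send arbitrary mail under the server's reputation, and any private interface the host has in that range extends the relay to other machines. Restricting it to the `serverbase` network's subnet (or only the containers that must inject mail, such as the one used for the signup link) keeps every other sender on authenticated submission, which config.j2 already uses for the drive mailbox on port 587. Ports 110 and 995 are also published unconditionally while `enable_pop3` defaults to false, so the host exposes listeners that are presumably not served; building the `ports:` list conditionally on `enable_pop3` would avoid that. The mailserver and postfixadmin containers both set `hostname: mail`, which looks accidental for postfixadmin.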
@@ -46,11 +46,11 @@ smtp_refresh_ttl = 6
 smtp_default = yes
 imap = yes
-imap_server = mail.@@@DOMAIN@@@
+imap_server = mail.{{ ecloud_domain }}
 imap_port = 993
 imap_encryption = ssl
 imap_auth = plaintext
 imap_auth_identity = %s
 imap_refresh_ttl = 6
-pop = no
+pop = no
\ No newline at end of file
diff --git a/roles/ecloud-onlyoffice/defaults/main.yml b/roles/ecloud-onlyoffice/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..42fad081a6a44cf096b389581079ae553c82c4d8
--- /dev/null
+++ b/roles/ecloud-onlyoffice/defaults/main.yml
@@ -0,0 +1,3 @@
+docker_image_onlyoffice_documentserver: "onlyoffice/documentserver:5.2.6.3"
+docker_image_onlyoffice_mailserver: "onlyoffice/mailserver:1.6.35"
+docker_image_onlyoffice_communityserver: "onlyoffice/communityserver:9.6.5.771"
\ No newline at end of file
diff --git a/roles/ecloud-onlyoffice/tasks/main.yml b/roles/ecloud-onlyoffice/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..17d961e815f86456e7083f6e07ebd7758ace67cd
--- /dev/null
+++ b/roles/ecloud-onlyoffice/tasks/main.yml
@@ -0,0 +1,15 @@
+- import_tasks: "{{ role_path }}/tasks/setup.yml"
+ when: ecloud_install_onlyoffice|bool
+ tags:
+ - setup
+
+- import_tasks: "{{ role_path }}/tasks/start.yml"
+ when: ecloud_install_onlyoffice|bool
+ tags:
+ - setup
+ - start
+
+- import_tasks: "{{ role_path }}/tasks/stop.yml"
+ when: ecloud_install_onlyoffice|bool
+ tags:
+ - stop
\ No newline at end of file
diff --git a/roles/ecloud-onlyoffice/tasks/setup.yml b/roles/ecloud-onlyoffice/tasks/setup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..de055c62116bd1449337a6ddd18c57b1d8638164
--- /dev/null
+++ b/roles/ecloud-onlyoffice/tasks/setup.yml
@@ -0,0 +1,29 @@
+- name: Create necessary directories for onlyoffice containers
+ file:
+ path: "{{ item }}"
+ owner: root
+ group: root
+ state: directory
+ mode: '0755'
+ with_items:
+ - /ecloud/volumes/onlyoffice/DocumentServer/data
+ - /ecloud/volumes/onlyoffice/DocumentServer/logs
+ - /ecloud/volumes/onlyoffice/MailServer/data
+ - /ecloud/volumes/onlyoffice/MailServer/data/certs
+ - /ecloud/volumes/onlyoffice/MailServer/logs
+ - /ecloud/volumes/onlyoffice/MailServer/mysql
+ - /ecloud/volumes/onlyoffice/CommunityServer/data
+ - /ecloud/volumes/onlyoffice/CommunityServer/mysql
+ - /ecloud/volumes/onlyoffice/CommunityServer/logs
+
+- name: Ensure onlyoffice documentserver docker image is pulled
+ docker_image:
+ name: "{{ docker_image_onlyoffice_documentserver }}"
+
+- name: Ensure onlyoffice mailserver docker image is pulled
+ docker_image:
+ name: "{{ docker_image_onlyoffice_mailserver }}"
+
+- name: Ensure onlyoffice communityserver docker image is pulled
+ docker_image:
+ name: "{{ docker_image_onlyoffice_communityserver }}"
\ No newline at end of file
diff --git a/roles/ecloud-onlyoffice/tasks/start.yml b/roles/ecloud-onlyoffice/tasks/start.yml
new file mode 100644
index 0000000000000000000000000000000000000000..84a8587a6669588040a31f2836b30950dfa880bb
--- /dev/null
+++ b/roles/ecloud-onlyoffice/tasks/start.yml
@@ -0,0 +1,48 @@
+- name: Starting onlyoffice documentserver container
+ docker_container:
+ image: "{{ docker_image_onlyoffice_documentserver }}"
+ name: onlyoffice-document-server
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ volumes:
+ - /ecloud/volumes/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data
+ - /ecloud/volumes/onlyoffice/DocumentServer/logs:/var/log/onlyoffice
+
+- name: Starting onlyoffice mailserver container
+ docker_container:
+ image: "{{ docker_image_onlyoffice_mailserver }}"
+ name: onlyoffice-mail-server
+ hostname: cleus.eu
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ volumes:
+ - /ecloud/volumes/onlyoffice/MailServer/data:/var/vmail
+ - /ecloud/volumes/onlyoffice/MailServer/data/certs:/etc/pki/tls/mailserver
+ - /ecloud/volumes/onlyoffice/MailServer/logs:/var/log
+ - /ecloud/volumes/onlyoffice/MailServer/mysql:/var/lib/mysql
+
+- name: Starting onlyoffice communityserver container
+ docker_container:
+ image: "{{ docker_image_onlyoffice_communityserver }}"
+ name: onlyoffice-community-server
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ env:
+ DOCUMENT_SERVER_PORT_80_TCP_ADDR: onlyoffice-document-server
+ MAIL_SERVER_DB_HOST: onlyoffice-mail-server
+ ports:
+ - 5222:5222
+ volumes:
+ - /ecloud/volumes/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data
+ - /ecloud/volumes/onlyoffice/CommunityServer/mysql:/var/lib/mysql
+ - /ecloud/volumes/onlyoffice/CommunityServer/logs:/var/log/onlyoffice
+ - /ecloud/volumes/onlyoffice/DocumentServer/data:/var/www/onlyoffice/DocumentServerData
\ No newline at end of file
diff --git a/roles/ecloud-onlyoffice/tasks/stop.yml b/roles/ecloud-onlyoffice/tasks/stop.yml
new file mode 100644
index 0000000000000000000000000000000000000000..279c3580f3b9d1a2ff25f81bbd9aecc69c0cd994
--- /dev/null
+++ b/roles/ecloud-onlyoffice/tasks/stop.yml
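Review bot: `hostname: cleus.eu` on the onlyoffice-mail-server container is a hard-coded foreign hostname that looks like a leftover from another deployment; every other container in this diff derives its name from `ecloud_domain`, and a mail server that announces a hostname it does not own is likely to hurt deliverability, so this should be something like `hostname: "mail.{{ ecloud_domain }}"` (or whatever the OnlyOffice mail image expects). The `ports:` entry `- 5222:5222` is unquoted, unlike the mappings in roles/ecloud-mailserver/tasks/start.yml; YAML's sexagesimal integer rule does not bite for 5222 but does for values such as `22:22`, so `- "5222:5222"` keeps the two files consistent and safe. `restart: yes` forces a bounce of all three containers on every run, as noted on the database role.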
@@ -0,0 +1,14 @@
+- name: Stopping onlyoffice-document-server container
+ docker_container:
+ name: onlyoffice-document-server
+ state: stopped
+
+- name: Stopping onlyoffice-mail-server container
+ docker_container:
+ name: onlyoffice-mail-server
+ state: stopped
+
+- name: Stopping onlyoffice-community-server container
+ docker_container:
+ name: onlyoffice-community-server
+ state: stopped
\ No newline at end of file
diff --git a/templates/rainloop/domain-config.ini b/roles/ecloud-postinstall/files/domain-config.ini
similarity index 100%
rename from templates/rainloop/domain-config.ini
rename to roles/ecloud-postinstall/files/domain-config.ini
diff --git a/roles/ecloud-postinstall/tasks/admin_credentials.yml b/roles/ecloud-postinstall/tasks/admin_credentials.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fe817803470259fde51eb5cf822513954c50c9cb
--- /dev/null
+++ b/roles/ecloud-postinstall/tasks/admin_credentials.yml
@@ -0,0 +1,21 @@
+- name: Gathering Administration credentials for ecloud server
+ shell: |
+ SPAM_UI=$(grep server_name $(grep -l mailserver:11334 /ecloud/config/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
+ RSPAMD_PASSWORD="{{ ecloud_rspamd_password }}"
+
+ NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:80 /ecloud/config/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
+ NEXTCLOUD_ADMIN_USER="{{ ecloud_nextcloud_admin_user }}"
+ NEXTCLOUD_ADMIN_PASSWORD="{{ ecloud_nextcloud_admin_password }}"
+
+ POSTFIX_UI=$(grep server_name $(grep -l postfixadmin:8888 /ecloud/config/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
+ POSTFIX_USER="{{ user_alternate_email_for_signup }}"
+ POSTFIX_PASSWORD="{{ ecloud_postfix_superadmin_password }}"
+
+ echo "Your password for the SPAM filter mgmt UI ( https://$SPAM_UI ) is $RSPAMD_PASSWORD"
+ echo "Your admin credentials for nextcloud are ( https://$NEXTCLOUD_UI ) is $NEXTCLOUD_ADMIN_USER / $NEXTCLOUD_ADMIN_PASSWORD"
+ echo "Your credentials for postfix admin ( https://$POSTFIX_UI ) are $POSTFIX_USER / $POSTFIX_PASSWORD"
+ register: admininfo
+
+- name: "===============================<---Important! Admin Credentials for ecloud server--->===================================="
+ debug:
+ msg: "{{ admininfo.stdout.split('\n') }}"
\ No newline at end of file
diff --git a/roles/ecloud-postinstall/tasks/dkim_record.yml b/roles/ecloud-postinstall/tasks/dkim_record.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e2aca1642de09822c61afbe9eec162c28afc0093
--- /dev/null
+++ b/roles/ecloud-postinstall/tasks/dkim_record.yml
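Review bot: The shell task interpolates three passwords into its script and registers the stdout, so the secrets land in the task result (shown under `-v`, kept by any `log_path` or logging callback) once from the shell task and again from the `debug`. Since printing them is the purpose, at least add `no_log: true` to the shell task so they appear only in the deliberate debug output, and make the README note that this play output must not be captured in CI logs. The shell work itself is fragile: the three `$(grep -l ...)` substitutions are unquoted and `grep -l` may match several files, in which case `sort -u | head -n1` picks an arbitrary hostname; the UIs appear to live at names the play already knows (`mail.{{ ecloud_domain }}`, `spam.{{ ecloud_domain }}`, `{{ ecloud_domain }}`), so a plain `debug:`/`msg:` built from those variables would remove the nginx parsing entirely.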
@@ -0,0 +1,10 @@
+- name: Gathering DKIM record for domain
+ shell: |
+ # display DKIM DNS setup info/instructions to the user
+ echo "Please add the following records to your domain's DNS configuration:"
+ find /ecloud/volumes/mail/dkim/ -maxdepth 1 -mindepth 1 -type d | while read line; do DOMAIN=$(basename $line); echo " - DKIM record (TXT) for $DOMAIN:" && cat $line/public.key; done
+ register: dkimrecordinfo
+
+- name: "===============================< DKIM Record for Domain >===================================="
+ debug:
+ msg: "{{ dkimrecordinfo.stdout.split('\n') }}"
\ No newline at end of file
diff --git a/roles/ecloud-postinstall/tasks/generate_signup_link.yml b/roles/ecloud-postinstall/tasks/generate_signup_link.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7e3c32888996002fd9cb974e66d3444622cca170
--- /dev/null
+++ b/roles/ecloud-postinstall/tasks/generate_signup_link.yml
@@ -0,0 +1,18 @@
+- name: Generating new user signup link for ecloud server
+ shell: |
+ touch /ecloud/volumes/accounts/auth.file.done
+ ACCOUNTS_UID=$(docker exec --user www-data accounts id -u | tr -d '\r')
+ chown "$ACCOUNTS_UID:$ACCOUNTS_UID" /ecloud/volumes/accounts/auth.file.done
+
+ AUTH_SECRET=$(tr -d -c "a-zA-Z0-9" < /dev/urandom | head -c 16)
+ echo "{{ new_user_email }}:$AUTH_SECRET" >> /ecloud/volumes/accounts/auth.file
+ SIGNUP_URL="https://welcome.{{ ecloud_domain }}/?authmail={{ new_user_email }}&authsecret=$AUTH_SECRET"
+ echo "The new user can sign up now at $SIGNUP_URL"
+
+ #send mail to user with signup link
+ echo "You can now sign up for your {{ ecloud_domain }} account at $SIGNUP_URL" | docker exec -i mailserver sendmail -f "drive@{{ ecloud_domain }}" -t "{{ new_user_email }}" -s "Signup for {{ ecloud_domain }}"
+ register: newuserinfo
+
+- name: "===============================<---New User Sign Up Link--->===================================="
+ debug:
+ msg: "{{ newuserinfo.stdout.split('\n') }}"
\ No newline at end of file
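Review bot: In the DKIM loop `$line` is unquoted in both `basename $line` and `cat $line/public.key`, and `read` is used without `-r`; the directory names come from the mail image's `ADD_DOMAINS`, so a space is unlikely, but `while IFS= read -r line; do DOMAIN=$(basename "$line"); ... cat "$line/public.key"; done` costs nothing and keeps the task correct for any directory name.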
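Review bot: The sendmail call at the end of the signup shell block is unlikely to deliver anything: with `-t` sendmail takes its recipients from the `To:`/`Cc:`/`Bcc:` headers of the message on stdin, but the piped text is a bare body with no headers, and `-s` is a mail(1)/mailx option rather than a sendmail one, so the subject is lost too (the exact failure mode depends on the sendmail shim in the mailserver image). Build a real message with headers and let `-t` pick the recipient up from it; the rewritten tail of the `shell:` block is below. Two smaller points: `echo ... >> auth.file` appends a fresh secret for the same address on every re-run of the `setup` tag, so consider a `creates:` guard or a check for an existing entry, and the secret travels in the URL query string, where the `welcome.` front end's access logs will presumably record it — worth a comment so operators know those logs are sensitive.
```yaml
    # … unchanged: auth.file.done ownership, AUTH_SECRET, SIGNUP_URL, echo …
    #send mail to user with signup link
    printf 'From: drive@%s\nTo: %s\nSubject: Signup for %s\n\n%s\n' \
      "{{ ecloud_domain }}" "{{ new_user_email }}" "{{ ecloud_domain }}" \
      "You can now sign up for your {{ ecloud_domain }} account at $SIGNUP_URL" \
      | docker exec -i mailserver sendmail -f "drive@{{ ecloud_domain }}" -t
  register: newuserinfo
```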
diff --git a/roles/ecloud-postinstall/tasks/main.yml b/roles/ecloud-postinstall/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3517133b6f2c174761ed309b84a542fa7d611a8d
--- /dev/null
+++ b/roles/ecloud-postinstall/tasks/main.yml
@@ -0,0 +1,34 @@
+- import_tasks: "{{ role_path }}/tasks/nextcloud.yml"
+ tags:
+ - setup
+
+- import_tasks: "{{ role_path }}/tasks/rainloop.yml"
+ tags:
+ - setup
+
+- import_tasks: "{{ role_path }}/tasks/postfixadmin.yml"
+ tags:
+ - setup
+
+- import_tasks: "{{ role_path }}/tasks/dkim_record.yml"
+ tags:
+ - setup
+ - dkim_record
+
+- import_tasks: "{{ role_path }}/tasks/admin_credentials.yml"
+ tags:
+ - setup
+ - admin_credentials
+
+- import_tasks: "{{ role_path }}/tasks/generate_signup_link.yml"
+ vars:
+ new_user_email: "{{ user_alternate_email_for_signup }}"
+ tags:
+ - setup
+ - generate_signup_link
+
+- name: "===============================< Success!!! Important Instructions!! >===================================="
+ debug:
+ msg: "Please note the DKIM DNS record for domain, Admin Credentials for the ecloud server and New user Sign Up link from the output of the previous tasks. Click on the sign up link to create your first e-cloud account! Enjoy!"
+ tags:
+ - setup
\ No newline at end of file
diff --git a/roles/ecloud-postinstall/tasks/nextcloud.yml b/roles/ecloud-postinstall/tasks/nextcloud.yml
new file mode 100644
index 0000000000000000000000000000000000000000..402d78c19e2a22b54bbb24311b53e908d32eae8b
--- /dev/null
+++ b/roles/ecloud-postinstall/tasks/nextcloud.yml
@@ -0,0 +1,39 @@
+- name: Create Nextcloud mysql database and user
+ shell: |
+ docker exec mariadb mysql --user=root --password="{{ ecloud_mysql_root_password }}" \
+ -e "CREATE USER '{{ ecloud_nextcloud_mysql_user }}'@'%' IDENTIFIED BY '{{ ecloud_nextcloud_mysql_password }}';"
+ docker exec mariadb mysql --user=root --password="{{ ecloud_mysql_root_password }}" \
+ -e "CREATE DATABASE {{ ecloud_nextcloud_mysql_database }} DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;"
+ docker exec mariadb mysql --user=root --password="{{ ecloud_mysql_root_password }}" \
+ -e "GRANT ALL PRIVILEGES ON {{ ecloud_nextcloud_mysql_database }}.* TO '{{ ecloud_nextcloud_mysql_user }}'@'%' WITH GRANT OPTION;"
+
+- name: Install Nextcloud
+ shell: |
+ docker exec --user www-data nextcloud php occ maintenance:install \
+ --admin-user="{{ ecloud_nextcloud_admin_user }}" --admin-pass="{{ ecloud_nextcloud_admin_password }}" \
+ --admin-email="{{ user_alternate_email_for_signup }}" --database="mysql" --database-pass="{{ ecloud_nextcloud_mysql_password }}" \
+ --database-name="{{ ecloud_nextcloud_mysql_database }}" --database-host="mariadb" --database-user="{{ ecloud_nextcloud_mysql_user }}" \
+ --database-port="3306" --database-table-prefix=""
+
+- name: Configure Nextcloud
+ shell: |
+ docker exec --user www-data nextcloud php occ db:convert-filecache-bigint --no-interaction
+ docker exec --user www-data nextcloud php occ config:system:set trusted_domains 0 --value="{{ ecloud_domain }}"
+
+- name: Install Nextcloud Plugins
+ shell: |
+ docker exec --user www-data nextcloud php /var/www/html/occ app:install calendar
+ docker exec --user www-data nextcloud php /var/www/html/occ app:install tasks
+ docker exec --user www-data nextcloud php /var/www/html/occ app:install notes
+ docker exec --user www-data nextcloud php /var/www/html/occ app:install user_backend_sql_raw
+ docker exec --user www-data nextcloud php /var/www/html/occ app:install rainloop
+ docker exec --user www-data nextcloud php /var/www/html/occ config:app:set rainloop rainloop-autologin --value 1
+
+- name: Install Nextcloud theme
+ shell: |
+ wget "https://gitlab.e.foundation/api/v4/projects/315/repository/archive.tar.gz?private_token=qV5kExhz6mDY5QET8z56" -O "/tmp/nextcloud-theme.tar.gz"
+ tar -xzf "/tmp/nextcloud-theme.tar.gz" -C "/ecloud/volumes/nextcloud/html/themes/" --strip-components=1
+ chown www-data:www-data "/ecloud/volumes/nextcloud/html/themes/" -R
+ rm "/tmp/nextcloud-theme.tar.gz"
+ docker exec --user www-data nextcloud php /var/www/html/occ config:system:set theme --value eelo
+ docker exec --user www-data nextcloud php occ maintenance:mode --off
\ No newline at end of file
diff --git a/roles/ecloud-postinstall/tasks/postfixadmin.yml b/roles/ecloud-postinstall/tasks/postfixadmin.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8bd385167d1d13e308d6fcc928ef7f1db8370615
--- /dev/null
+++ b/roles/ecloud-postinstall/tasks/postfixadmin.yml
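Review bot: The theme download in the last task hard-codes a GitLab `private_token` in the wget URL, so an API credential for the e.foundation GitLab is committed to the repository and copied onto every server that runs this play, where it also ends up in the task output. The token should be treated as compromised and rotated, and the URL should take it from a vault variable (e.g. `?private_token={{ ecloud_gitlab_theme_token }}`, name constructed) — or better, fetch a public release artifact that needs no token at all. The first task is not idempotent either: a second run fails on `CREATE USER` for the existing user, so use `CREATE USER IF NOT EXISTS` / `CREATE DATABASE IF NOT EXISTS` or guard the task with a `creates:` marker; and because every task in this file puts passwords on a command line, `no_log: true` on each of them keeps the secrets out of verbose output. The fixed `/tmp/nextcloud-theme.tar.gz` path would be safer as a `mktemp` file, and `wget` without `--max-redirect`/checksum verification trusts whatever the endpoint returns before it is unpacked into the web root as www-data.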
@@ -0,0 +1,13 @@
+- name: Create postfix database schema
+ uri:
+ url: https://mail.{{ ecloud_domain }}/setup.php
+ follow_redirects: all
+
+- name: Configure postfixadmin for first use
+ shell: |
+ docker exec postfixadmin /postfixadmin/scripts/postfixadmin-cli admin add "{{ user_alternate_email_for_signup }}" --password "{{ ecloud_postfix_superadmin_password }}" --password2 "{{ ecloud_postfix_superadmin_password }}" --superadmin
+ # Adding domains to postfixadmin
+ echo "{{ ecloud_all_domains|join(',') }}" | tr "," "\n" | while read line; do docker exec -t postfixadmin /postfixadmin/scripts/postfixadmin-cli domain add $line; done
+ # Adding email accounts used by system senders (drive, welcome, ...)
+ docker exec postfixadmin /postfixadmin/scripts/postfixadmin-cli mailbox add drive@"{{ ecloud_domain }}" --password "{{ ecloud_drive_smtp_password }}" --password2 "{{ ecloud_drive_smtp_password }}" --name "drive" --email-other "{{ user_alternate_email_for_signup }}"
+ docker exec postfixadmin /postfixadmin/scripts/postfixadmin-cli mailbox add welcome@"{{ ecloud_domain }}" --password "{{ ecloud_smtp_password }}" --password2 "{{ ecloud_smtp_password }}" --name "welcome" --email-other "{{ user_alternate_email_for_signup }}"
\ No newline at end of file
diff --git a/roles/ecloud-postinstall/tasks/rainloop.yml b/roles/ecloud-postinstall/tasks/rainloop.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b085771b0ee522f73b119d5b07275e2245c89551
--- /dev/null
+++ b/roles/ecloud-postinstall/tasks/rainloop.yml
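Review bot: The `uri:` call to setup.php only asserts an HTTP 200 after redirects; it does not check that the schema was actually created, and because it goes through the public `mail.` hostname it also silently depends on the certificate and nginx for that name already being in place. Add `return_content: yes` with a `failed_when` on the text setup.php prints on success, or at least a comment stating the ordering dependency. In the shell task every password is passed as a `docker exec` argument, visible in `ps` on the host and in verbose task output, so the task wants `no_log: true`; the domain loop should also use `while read -r line; do ... domain add "$line"; done` rather than the unquoted `$line`.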
@@ -0,0 +1,23 @@ +- name: Create necessary directories for rainloop + file: + path: /ecloud/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains + owner: www-data + group: www-data + state: directory + mode: '0755' + +- name: Copy rainloop configuration to server + copy: + src: "{{ role_path }}/files/domain-config.ini" + dest: "/ecloud/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains/{{ item }}.ini" + owner: www-data + group: www-data + with_items: "{{ ecloud_all_domains }}" + +- name: Ensure nextcloud and rainloop has right permissiosn + file: + path: /ecloud/volumes/nextcloud + state: directory + recurse: yes + owner: www-data + group: www-data \ No newline at end of file diff --git a/roles/ecloud-webserver/defaults/main.yml b/roles/ecloud-webserver/defaults/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..23b2814d91cd22e11b2778a8763939b22241fdfb --- /dev/null +++ b/roles/ecloud-webserver/defaults/main.yml @@ -0,0 +1 @@ +docker_image_nginx: "registry.gitlab.e.foundation:5000/e/infra/docker-nginx:1.15" \ No newline at end of file diff --git a/config-static/nginx/params/headers_params b/roles/ecloud-webserver/files/params/headers_params similarity index 100% rename from config-static/nginx/params/headers_params rename to roles/ecloud-webserver/files/params/headers_params diff --git a/config-static/nginx/params/proxy_params b/roles/ecloud-webserver/files/params/proxy_params similarity index 100% rename from config-static/nginx/params/proxy_params rename to roles/ecloud-webserver/files/params/proxy_params diff --git a/config-static/nginx/params/ssl_params b/roles/ecloud-webserver/files/params/ssl_params similarity index 100% rename from config-static/nginx/params/ssl_params rename to roles/ecloud-webserver/files/params/ssl_params 
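Review bot: The last task recursively chowns the whole of `/ecloud/volumes/nextcloud` to `www-data`, although this role only writes under `data/rainloop-storage/_data_/_default_/domains`; narrow `path:` to `/ecloud/volumes/nextcloud/data/rainloop-storage` so the role does not rewrite ownership of the entire Nextcloud volume (including its config and user data) on every run. The `copy` task sets `owner`/`group` but no `mode:`, so each per-domain `.ini` gets whatever the remote umask yields; add `mode: '0644'` to match the directory task above it, or tighter if `domain-config.ini` carries credentials (its contents are not visible here). `permissiosn` in the task name is a typo.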
diff --git a/roles/ecloud-webserver/tasks/main.yml b/roles/ecloud-webserver/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..a6b41ee3d2fd812537100519723bfe2d30a2240f --- /dev/null +++ b/roles/ecloud-webserver/tasks/main.yml @@ -0,0 +1,12 @@ +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup + +- import_tasks: "{{ role_path }}/tasks/start.yml" + tags: + - setup + - start + +- import_tasks: "{{ role_path }}/tasks/stop.yml" + tags: + - stop \ No newline at end of file diff --git a/roles/ecloud-webserver/tasks/setup.yml b/roles/ecloud-webserver/tasks/setup.yml new file mode 100644 index 0000000000000000000000000000000000000000..27c2a75ac9b5bd6c698dbcfd22769d6af8b75814 --- /dev/null +++ b/roles/ecloud-webserver/tasks/setup.yml 
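Review bot: `stop.yml` is imported with only `tags: [stop]`, and tags on `import_tasks` filter rather than opt in, so a plain `ansible-playbook` run with no `--tags` executes setup, start and then stop in order and leaves the nginx container stopped at the end of the play. Tag the stop import `tags: [never, stop]` (the `never` special tag, Ansible 2.5+, skips the tasks unless `--tags stop` is requested explicitly), or move the stop tasks into a separate playbook. The same pattern presumably exists in the other roles' `main.yml` files, which are not visible here.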
@@ -0,0 +1,64 @@ +- name: Create necessary directories for nginx webserver container + file: + path: "{{ item }}" + owner: root + group: root + state: directory + mode: '0755' + with_items: + - /ecloud/config/nginx + - /ecloud/config/nginx/params + - /ecloud/config/nginx/passwds + - /ecloud/config/nginx/sites-enabled + +- name: Copy nginx configuration to server + copy: + src: "{{ role_path }}/files/params/" + dest: /ecloud/config/nginx/params + +- name: Copy autoconfig nginx configuration to server + template: + src: "{{ role_path }}/templates/autoconfig.j2" + dest: "/ecloud/config/nginx/sites-enabled/autoconfig.{{ item }}.conf" + owner: root + group: root + with_items: "{{ ecloud_all_domains }}" + +- name: Copy autodiscover nginx configuration to server + template: + src: "{{ role_path }}/templates/autodiscover.j2" + dest: "/ecloud/config/nginx/sites-enabled/autodiscover.{{ item }}.conf" + owner: root + group: root + with_items: "{{ ecloud_all_domains }}" + +- name: Copy onlyoffice nginx configuration to server + template: + src: "{{ role_path }}/templates/onlyoffice.j2" + dest: "/ecloud/config/nginx/sites-enabled/onlyoffice.conf" + owner: root + group: root + when: ecloud_install_onlyoffice|bool + +- name: Copy other nginx configuration to server + template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "/ecloud/config/nginx/sites-enabled/{{ item }}.conf" + owner: root + group: root + with_items: + - nextcloud + - postfixadmin + - rspamd + - welcome + +- name: Log into e-foundation private docker repository + docker_login: + registry: "{{ ecloud_gitlab_docker_repo }}" + username: "{{ ecloud_gitlab_docker_repo_user }}" + password: "{{ ecloud_gitlab_docker_repo_password }}" + reauthorize: yes + +- name: Ensure nginx webserver Docker image is pulled + docker_image: + name: "{{ docker_image_nginx }}" \ No newline at end of file 
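Review bot: `/ecloud/config/nginx/passwds` is created in the same `with_items` loop as the other config directories and so gets `mode: '0755'`, although it is the directory the vhost templates point `auth_basic_user_file` at (`/passwds/.htpasswd` in autodiscover.j2) and start.yml mounts at `/passwds`; give it its own `file` task with `mode: '0750'` so htpasswd hashes are not world-listable, and confirm the container's nginx worker can still read it through group membership. The template/copy tasks set `owner`/`group` but no `mode:`, so the rendered nginx configs take the remote umask default — add `mode: '0644'` for deterministic results. Finally, `docker_image` is given only `name:` with the mutable tag `1.15`; depending on Ansible version an already-present `1.15` is never refreshed without `force`/`source: pull`, so what actually runs depends on the host's image cache — pin a digest (`docker-nginx@sha256:…`) or force the pull.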
diff --git a/roles/ecloud-webserver/tasks/start.yml b/roles/ecloud-webserver/tasks/start.yml new file mode 100644 index 0000000000000000000000000000000000000000..ed2e1286d4ec855ff306041ad0353252ce6550c5 --- /dev/null +++ b/roles/ecloud-webserver/tasks/start.yml @@ -0,0 +1,18 @@ +- name: Starting nginx webserver container + docker_container: + image: "{{ docker_image_nginx }}" + name: nginx + restart_policy: always + restart: yes + state: started + networks: + - name: serverbase + ports: + - "80:8000" + - "443:4430" + volumes: + - /ecloud/config/nginx/sites-enabled:/etc/nginx/conf.d/ + - /ecloud/config/nginx/params:/etc/nginx/params/ + - /ecloud/config/nginx/passwds:/passwds + - /ecloud/config/letsencrypt/certstore:/certs + - /ecloud/config/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge \ No newline at end of file diff --git a/roles/ecloud-webserver/tasks/stop.yml b/roles/ecloud-webserver/tasks/stop.yml new file mode 100644 index 0000000000000000000000000000000000000000..386487d9079c076e2a4be8e495f5fec6e6ce1264 --- /dev/null +++ b/roles/ecloud-webserver/tasks/stop.yml @@ -0,0 +1,4 @@ +- name: Stopping nginx container + docker_container: + name: nginx + state: stopped \ No newline at end of file diff --git a/templates/nginx/sites-enabled/autoconfig.conf b/roles/ecloud-webserver/templates/autoconfig.j2 similarity index 73% rename from templates/nginx/sites-enabled/autoconfig.conf rename to roles/ecloud-webserver/templates/autoconfig.j2 index b203a0bf75ad079972f3cac9563a53b3c7b0552a..bacd98caee15a07feac9d81f5da234db2a0ec022 100644 --- a/templates/nginx/sites-enabled/autoconfig.conf +++ b/roles/ecloud-webserver/templates/autoconfig.j2 @@ -1,6 +1,6 @@ server { listen 8000; - server_name @@@SERVICE@@@.@@@DOMAIN@@@; + server_name autoconfig.{{ item }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } 
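Review bot: All five bind mounts in the nginx `docker_container` task are read-write, yet nothing in this role needs nginx to write to them — it reads `conf.d`, `params`, `/passwds` and `/certs`, and the templates only `alias` the ACME webroot — so append `:ro` to each entry, e.g. `- /ecloud/config/letsencrypt/certstore:/certs:ro`, so a compromise of the internet-facing container cannot alter its own config, the htpasswd files or the TLS private keys (unless some other process is expected to write through this particular mount, which nothing here indicates). `restart: yes` together with `state: started` also forces a container restart on every run of the role, which defeats idempotent converges; drop it or make it conditional on the setup tasks reporting a change.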
@@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name @@@SERVICE@@@.@@@DOMAIN@@@; + server_name autoconfig.{{ item }}; - ssl_certificate /certs/live/@@@SERVICE@@@.@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/@@@SERVICE@@@.@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/autoconfig.{{ item }}/fullchain.pem; + ssl_certificate_key /certs/live/autoconfig.{{ item }}/privkey.pem; include /etc/nginx/params/ssl_params; include /etc/nginx/params/headers_params; diff --git a/roles/ecloud-webserver/templates/autodiscover.j2 b/roles/ecloud-webserver/templates/autodiscover.j2 new file mode 100644 index 0000000000000000000000000000000000000000..3057b40efb787a15fd757085d11bbbdb48ba2523 --- /dev/null +++ b/roles/ecloud-webserver/templates/autodiscover.j2 @@ -0,0 +1,32 @@ +server { + listen 8000; + server_name autodiscover.{{ item }}; + location /.well-known/acme-challenge/ { + alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; + } + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 4430 ssl http2; + server_name autodiscover.{{ item }}; + + ssl_certificate /certs/live/autodiscover.{{ item }}/fullchain.pem; + ssl_certificate_key /certs/live/autodiscover.{{ item }}/privkey.pem; + + include /etc/nginx/params/ssl_params; + include /etc/nginx/params/headers_params; + + #add_header Strict-Transport-Security "max-age=;"; + #client_max_body_size M; + + #auth_basic "Who's this?"; + #auth_basic_user_file /passwds/.htpasswd; + + location / { + proxy_pass http://automx:80; + include /etc/nginx/params/proxy_params; + } +} diff --git a/templates/nginx/sites-enabled/nextcloud.conf b/roles/ecloud-webserver/templates/nextcloud.j2 similarity index 83% rename from templates/nginx/sites-enabled/nextcloud.conf rename to roles/ecloud-webserver/templates/nextcloud.j2 index 53a940d8b991cb5f98eb93842d5b4743809e2e9e..27dcb69a9545a39413f484ac0082c8d843b167a2 100644 --- a/templates/nginx/sites-enabled/nextcloud.conf 
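Review bot: The TLS server block in autodiscover.j2 keeps scaffolding with empty values — `#add_header Strict-Transport-Security "max-age=;";`, `#client_max_body_size M;` and a commented `auth_basic` pair — and the same placeholders may exist in the sibling templates, of which only fragments are visible. If HSTS is not already emitted by the included `ssl_params`/`headers_params` (renamed unchanged in this commit, contents not shown), set it with a real value, e.g. `add_header Strict-Transport-Security "max-age=31536000" always;`; otherwise delete the placeholders so nobody later uncomments an empty `max-age`. Since autodiscover requests from mail clients carry the user's address, keeping them on HTTPS matters — the port-8000 block already redirects everything except the ACME path, which is the right shape.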
+++ b/roles/ecloud-webserver/templates/nextcloud.j2 @@ -1,6 +1,6 @@ server { listen 8000; - server_name @@@DOMAIN@@@; + server_name {{ ecloud_domain }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } @@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name @@@DOMAIN@@@; + server_name {{ ecloud_domain }}; - ssl_certificate /certs/live/@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/{{ ecloud_domain }}/fullchain.pem; + ssl_certificate_key /certs/live/{{ ecloud_domain }}/privkey.pem; include /etc/nginx/params/ssl_params; # Nextcloud already sets these headers, the include would just duplicate them diff --git a/templates/nginx/sites-enabled/onlyoffice.conf b/roles/ecloud-webserver/templates/onlyoffice.j2 similarity index 84% rename from templates/nginx/sites-enabled/onlyoffice.conf rename to roles/ecloud-webserver/templates/onlyoffice.j2 index 25d70591d2a506f02773b96cc17446bcb991186c..b9c7960d8f72faf66fc73d8ac7b6063b72e653c5 100644 --- a/templates/nginx/sites-enabled/onlyoffice.conf +++ b/roles/ecloud-webserver/templates/onlyoffice.j2 @@ -1,6 +1,6 @@ server { listen 8000; - server_name office.@@@DOMAIN@@@; + server_name office.{{ ecloud_domain }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } @@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name office.@@@DOMAIN@@@; + server_name office.{{ ecloud_domain }}; - ssl_certificate /certs/live/office.@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/office.@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/office.{{ ecloud_domain }}/fullchain.pem; + ssl_certificate_key /certs/live/office.{{ ecloud_domain }}/privkey.pem; include /etc/nginx/params/ssl_params; include /etc/nginx/params/headers_params; 
diff --git a/templates/nginx/sites-enabled/postfixadmin.conf b/roles/ecloud-webserver/templates/postfixadmin.j2 similarity index 74% rename from templates/nginx/sites-enabled/postfixadmin.conf rename to roles/ecloud-webserver/templates/postfixadmin.j2 index 714bef3fa2d8d17dd1dccfe8f2c3a15c5f41ce54..1251f7544a327d51e2c800c0dc97b4977f2139b1 100644 --- a/templates/nginx/sites-enabled/postfixadmin.conf +++ b/roles/ecloud-webserver/templates/postfixadmin.j2 @@ -1,6 +1,6 @@ server { listen 8000; - server_name mail.@@@DOMAIN@@@; + server_name mail.{{ ecloud_domain }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } @@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name mail.@@@DOMAIN@@@; + server_name mail.{{ ecloud_domain }}; - ssl_certificate /certs/live/mail.@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/mail.@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/mail.{{ ecloud_domain }}/fullchain.pem; + ssl_certificate_key /certs/live/mail.{{ ecloud_domain }}/privkey.pem; include /etc/nginx/params/ssl_params; include /etc/nginx/params/headers_params; diff --git a/templates/nginx/sites-enabled/rspamd.conf b/roles/ecloud-webserver/templates/rspamd.j2 similarity index 74% rename from templates/nginx/sites-enabled/rspamd.conf rename to roles/ecloud-webserver/templates/rspamd.j2 index fc722b9a7cf1043f8fe0e608427b9915f50f3d72..4a9f85bf8882a05a0da88e809fd83d4661cc5c3a 100644 --- a/templates/nginx/sites-enabled/rspamd.conf +++ b/roles/ecloud-webserver/templates/rspamd.j2 @@ -1,6 +1,6 @@ server { listen 8000; - server_name spam.@@@DOMAIN@@@; + server_name spam.{{ ecloud_domain }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } 
@@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name spam.@@@DOMAIN@@@; + server_name spam.{{ ecloud_domain }}; - ssl_certificate /certs/live/spam.@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/spam.@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/spam.{{ ecloud_domain }}/fullchain.pem; + ssl_certificate_key /certs/live/spam.{{ ecloud_domain }}/privkey.pem; include /etc/nginx/params/ssl_params; include /etc/nginx/params/headers_params; diff --git a/templates/nginx/sites-enabled/welcome.conf b/roles/ecloud-webserver/templates/welcome.j2 similarity index 73% rename from templates/nginx/sites-enabled/welcome.conf rename to roles/ecloud-webserver/templates/welcome.j2 index 832adb892ccc516c96f8f0a7c8b1f275de8d3f9c..68bf2e58ba89b996c3f24a9c972653409205f8ac 100644 --- a/templates/nginx/sites-enabled/welcome.conf +++ b/roles/ecloud-webserver/templates/welcome.j2 @@ -1,6 +1,6 @@ server { listen 8000; - server_name welcome.@@@DOMAIN@@@; + server_name welcome.{{ ecloud_domain }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } @@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name welcome.@@@DOMAIN@@@; + server_name welcome.{{ ecloud_domain }}; - ssl_certificate /certs/live/welcome.@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/welcome.@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/welcome.{{ ecloud_domain }}/fullchain.pem; + ssl_certificate_key /certs/live/welcome.{{ ecloud_domain }}/privkey.pem; include /etc/nginx/params/ssl_params; include /etc/nginx/params/headers_params; diff --git a/scripts/base.sh b/scripts/base.sh deleted file mode 100755 index f447bb84e2bcc46e740af776d1ce2d341b6bf967..0000000000000000000000000000000000000000 --- a/scripts/base.sh +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash -# No set -e, because that would close the ssh connection if we source base.sh -# into an interactive shell. - -cd "/mnt/repo-base/" - -ENVFILE="/mnt/repo-base/.env" - -DOMAIN=$(grep ^DOMAIN= "$ENVFILE" | awk -F= '{ print $NF }') -ADD_DOMAINS=$(grep ^ADD_DOMAINS= "$ENVFILE" | awk -F= '{ print $NF }') -ALT_EMAIL=$(grep ^ALT_EMAIL= "$ENVFILE" | awk -F= '{ print $NF }') - -DBA_USER=$(grep ^DBA_USER= "$ENVFILE" | awk -F= '{ print $NF }') -DBA_PASSWORD=$(grep ^DBA_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') - -NEXTCLOUD_ADMIN_USER=$(grep ^NEXTCLOUD_ADMIN_USER= "$ENVFILE" | awk -F= '{ print $NF }') -NEXTCLOUD_ADMIN_PASSWORD=$(grep ^NEXTCLOUD_ADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') - -MYSQL_DATABASE_NC=$(grep ^MYSQL_DATABASE_NC= "$ENVFILE" | awk -F= '{ print $NF }') -MYSQL_USER_NC=$(grep ^MYSQL_USER_NC= "$ENVFILE" | awk -F= '{ print $NF }') -MYSQL_PASSWORD_NC=$(grep ^MYSQL_PASSWORD_NC= "$ENVFILE" | awk -F= '{ print $NF }') -MYSQL_ROOT_PASSWORD=$(grep ^MYSQL_ROOT_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') - -INSTALL_ONLYOFFICE=$(grep ^INSTALL_ONLYOFFICE= "$ENVFILE" | awk -F= '{ print $NF }') - -DRIVE_SMTP_PASSWORD=$(grep ^DRIVE_SMTP_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') - -PFA_SUPERADMIN_PASSWORD=$(grep ^PFA_SUPERADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') - -PFDB_DB=$(grep ^PFDB_DB= "$ENVFILE" | awk -F= '{ print $NF }') -PFDB_USR=$(grep ^PFDB_USR= "$ENVFILE" | awk -F= '{ print $NF }') -PFDB_DBPASS=$(grep ^DBPASS= "$ENVFILE" | awk -F= '{ print $NF }') - -SMTP_FROM=$(grep ^SMTP_FROM= "$ENVFILE" | awk -F= '{ print $NF }') -SMTP_PW=$(grep ^SMTP_PW= "$ENVFILE" | awk -F= '{ print $NF }') - -SMTP_HOST=$(grep ^SMTP_HOST= "$ENVFILE" | awk -F= '{ print $NF }') - - -# the encoding/decoding is taken from here: https://stackoverflow.com/questions/296536/how-to-urlencode-data-for-curl-command/10660730#10660730 -urlencode() { - local string="${1}" - local strlen=${#string} - local encoded="" - local pos c o - - for 
(( pos=0 ; pos "$CURRENT_VERSION_DATE" ]] -then - echo "New version $LATEST_TAG is available!" - if [ "$LATEST_TAG" != "$(cat $KNOWN_VERSION_FILE)" ] - then - echo "$LATEST_TAG" > "$KNOWN_VERSION_FILE" - cat "templates/mail/update-notification.txt" | \ - sed "s/@@@DOMAIN@@@/$DOMAIN/g" | \ - docker-compose exec -T eelomailserver sendmail -f "drive@$DOMAIN" -t "$ALT_EMAIL" - fi -else - echo "No update available" -fi diff --git a/scripts/generate-signup-link.sh b/scripts/generate-signup-link.sh deleted file mode 100755 index 359d6b3809d845c79ab4177347f2e1d23082f482..0000000000000000000000000000000000000000 --- a/scripts/generate-signup-link.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash -set -e - -source /mnt/repo-base/scripts/base.sh - -if [[ "$1" == "-h" ]] || [[ "$1" == "--help" ]]; then - echo "Usage: `basename $0` -- Creates a new signup link - options: - --user-email Pass the email address for the new user, so there is no need to prompt for it - --help Show this help" - exit 0 -fi - -if [[ "$1" == "--user-email" ]]; then - EMAIL="$2" -else - echo "What is the new user's current email address?" - read EMAIL -fi - - -AUTH_SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) -echo "$EMAIL:$AUTH_SECRET" >> /mnt/repo-base/volumes/accounts/auth.file -SIGNUP_URL="https://welcome.$DOMAIN/?authmail=$(urlencode "$EMAIL")&authsecret=$AUTH_SECRET" -echo "The new user can sign up now at $SIGNUP_URL" - -echo -e "Subject:Signup for $DOMAIN -You can now sign up for your $DOMAIN account at $SIGNUP_URL" | \ -docker-compose exec -T eelomailserver sendmail -f "drive@$DOMAIN" -t "$EMAIL" diff --git a/scripts/init-repo.sh b/scripts/init-repo.sh deleted file mode 100755 index 9a7c0917135c0d3cf1da9d54af06165547918fcd..0000000000000000000000000000000000000000 --- a/scripts/init-repo.sh +++ /dev/null 
@@ -1,205 +0,0 @@ -#!/bin/bash -set -e - -function validateDomains { - INPUT="$1" - (INPUT=$(echo "$INPUT"| sed 's@;@,@g' | sed 's@ @,@g'); IFS=','; for DOMAIN in $INPUT; do echo "$DOMAIN" | xargs; done) | while read line; do echo "$line"; done | sort -u | while read line; do echo $line | grep -P '(?=^.{4,253}$)(^(?:[a-zA-Z0-9](?:(?:[a-zA-Z0-9\-]){0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$)'; done | tr "\n" "," | sed 's@,$@@g' -} - -source <(curl -s https://gitlab.e.foundation/e/infra/bootstrap/raw/master/bootstrap-commons.sh) - -cd "/mnt/repo-base/" -ENVFILE="/mnt/repo-base/.env" - -while true; -do - rm -f "$ENVFILE" - # Create .env file - generateEnvFile deployment/questionnaire/questionnaire.dat deployment/questionnaire/answers.dat "$ENVFILE" - source /mnt/repo-base/scripts/base.sh - - VALIDATED_DOMAIN=$(validateDomains "$DOMAIN") - - echo "$VALIDATED_DOMAIN" | grep -q "," && (echo "Error: You can specify only a single management domain, use the additional domains question for more domains - try again") && continue - - if [ -z "$VALIDATED_DOMAIN" ]; then - echo "Error : Entering at least the managemnt domain is mandatory - try again" - continue - fi - - VALIDATED_ADD_DOMAINS=$(validateDomains "$(echo $ADD_DOMAINS | sed "s@$VALIDATED_DOMAIN@@g")") - - if [ -z "$VALIDATED_ADD_DOMAINS" ]; then - VALIDATED_ADD_DOMAINS="[N/A]" - fi - - echo "Your management domain is: $VALIDATED_DOMAIN" - echo "Your additional domains are: $VALIDATED_ADD_DOMAINS" - read -r -p "Is this correct? (yes or no) " response - if [[ $response =~ ^([yY][eE][sS]|[yY])$ ]]; then - break - fi -done - -sed -i '/DOMAIN/d' "$ENVFILE" -echo "DOMAIN=$VALIDATED_DOMAIN" >> "$ENVFILE" -if [ "$VALIDATED_ADD_DOMAINS" == "[N/A]" ]; then - sed -i '/ADD_DOMAINS/d' "$ENVFILE" - echo "ADD_DOMAINS=$VALIDATED_DOMAIN" >> "$ENVFILE" -elif ! 
echo "$VALIDATED_ADD_DOMAINS" | grep -q "$VALIDATED_DOMAIN" ; then - sed -i '/ADD_DOMAINS/d' "$ENVFILE" - echo "ADD_DOMAINS=$VALIDATED_ADD_DOMAINS,$VALIDATED_DOMAIN" >> "$ENVFILE" -fi -source /mnt/repo-base/scripts/base.sh - -DC_DIR="templates/docker-compose/" -case $INSTALL_ONLYOFFICE in - [Yy]* ) - cat "${DC_DIR}docker-compose-base.yml" "${DC_DIR}docker-compose-onlyoffice.yml" "${DC_DIR}docker-compose-networks.yml" > docker-compose.yml; - cat "templates/nginx/sites-enabled/onlyoffice.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/onlyoffice.conf" - OFFICE_DOMAIN=",office.$DOMAIN" - OFFICE_LETSENCRYPT_KEY="config-dynamic/letsencrypt/certstore/live/office.$DOMAIN/privkey.pem" - NUM_CERTIFICATES="4" - ;; - [Nn]* ) - cat "${DC_DIR}docker-compose-base.yml" "${DC_DIR}docker-compose-networks.yml" > docker-compose.yml - NUM_CERTIFICATES="3" - ;; -esac - -# To be constructed repo specific -echo "VHOSTS_ACCOUNTS=welcome.$DOMAIN" >> "$ENVFILE" -echo "SMTP_FROM=welcome@$DOMAIN" >> "$ENVFILE" -echo "SMTP_HOST=mail.$DOMAIN" >> "$ENVFILE" - -VIRTUAL_HOST=$(echo "$ADD_DOMAINS" | tr "," "\n" | while read line; do echo "autoconfig.$line,autodiscover.$line"; done | tr "\n" "," | sed 's/.$//g') - -echo "VIRTUAL_HOST=$VIRTUAL_HOST" >> "$ENVFILE" - -# finished .env file generation - -# fill autorenew config -rm -f "/mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat" -echo "$DOMAIN,$VIRTUAL_HOST,mail.$DOMAIN,spam.$DOMAIN,welcome.$DOMAIN$OFFICE_DOMAIN" | tr "," "\n" | while read CURDOMAIN; do - echo "$CURDOMAIN" >> config-dynamic/letsencrypt/autorenew/ssl-domains.dat -:; done - - -# Configure automx -cat templates/automx/automx.conf | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/automx/automx.conf" -chown www-data:www-data "config-dynamic/automx/automx.conf" - -# Configure nginx vhost - -# automx -echo "$DOMAIN,$ADD_DOMAINS" | tr "," "\n" | while read CURDOMAIN; do - cat "templates/nginx/sites-enabled/autoconfig.conf" | sed 
"s/@@@DOMAIN@@@/$CURDOMAIN/g" | sed "s/@@@SERVICE@@@/autoconfig/g" > "config-dynamic/nginx/sites-enabled/autoconfig.$CURDOMAIN.conf" - cat "templates/nginx/sites-enabled/autoconfig.conf" | sed "s/@@@DOMAIN@@@/$CURDOMAIN/g" | sed "s/@@@SERVICE@@@/autodiscover/g" > "config-dynamic/nginx/sites-enabled/autodiscover.$CURDOMAIN.conf" -:; done - -# other hosts -cat "templates/nginx/sites-enabled/nextcloud.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/nextcloud.conf" -cat "templates/nginx/sites-enabled/postfixadmin.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/postfixadmin.conf" -cat "templates/nginx/sites-enabled/rspamd.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/rspamd.conf" -cat "templates/nginx/sites-enabled/welcome.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/welcome.conf" - -# confirm DNS is ready -echo "" -echo "" -echo "=================================================================================================================================" -echo "Please setup the following DNS records for your domains before you proceed (subsequent steps will fail if a record is missing):" -echo "=================================================================================================================================" -tempfile=$(mktemp /tmp/ecloud.dns.XXXXXX) -echo "RECORD,|,HOST,|,VALUE,|,Priority" >> "$tempfile" -echo "------,|,----,|,-----,|,--------" >> "$tempfile" -echo "A,|,mail.$DOMAIN,|,,|,-" >> "$tempfile" -echo "$ADD_DOMAINS" | tr "," "\n" | while read CURDOMAIN; do - echo "A,|,$CURDOMAIN,|,,|,-" >> "$tempfile" -:; done -echo "$ADD_DOMAINS" | tr "," "\n" | while read CURDOMAIN; do - echo "MX,|,$CURDOMAIN,|,mail.$DOMAIN,|,10" >> "$tempfile" -:; done -echo "PTR(For reverse DNS),|,,|,mail.$DOMAIN,|,-" >> "$tempfile" -echo "" -echo "$VIRTUAL_HOST,spam.$DOMAIN,welcome.$DOMAIN$OFFICE_DOMAIN" | tr "," "\n" | while read CURDOMAIN; do - 
echo "CNAME,|,$CURDOMAIN,|,mail.$DOMAIN,|,-" >> "$tempfile" -:; done -column "$tempfile" -t -s "," -rm "$tempfile" -echo "=================================================================================================================================" -echo "=================================================================================================================================" -echo "" - -echo "Type 'yes' and hit ENTER to confirm that you have setup DNS properly before we continue:" -read CONFIRM -while [ "$CONFIRM" != "yes" ] -do - read CONFIRM -done - -# Verify DOMAIN lookup forward and reverse (very important) -IP=$(dig mail.$DOMAIN| grep mail.$DOMAIN | grep -v '^;' | awk '{ print $NF }') - -if [ -z "$IP" ] -then - echo "mail.$DOMAIN not resolving to IP" - exit 1 -fi -PTR=$(nslookup $IP | grep "name = mail.$DOMAIN" | wc -l) - -if [ "1" != "$PTR" ] -then - echo "$IP not resolving to mail.$DOMAIN (PTR record missing or wrong.." - exit 1 -fi - -# Run LE cert request -bash scripts/ssl-renew.sh - -# verify LE status -CTR_LE=$(find config-dynamic/letsencrypt/certstore/live/mail.$DOMAIN/privkey.pem config-dynamic/letsencrypt/certstore/live/spam.$DOMAIN/privkey.pem config-dynamic/letsencrypt/certstore/live/welcome.$DOMAIN/privkey.pem $OFFICE_LETSENCRYPT_KEY 2>/dev/null| wc -l) -CTR_AC_LE=$(echo "$VIRTUAL_HOST" | tr "," "\n" | while read CURDOMAIN; do find config-dynamic/letsencrypt/certstore/live/$CURDOMAIN/privkey.pem 2>/dev/null | grep $CURDOMAIN && echo found || echo missing; done | grep missing | wc -l) - -if [ "$CTR_LE$CTR_AC_LE" = "${NUM_CERTIFICATES}0" ] -then - echo "All LE certs present." -else - echo "Verification of LE status failed. Some expected certificates are missing" - echo "$CTR_LE of $NUM_CERTIFICATES certifcates found." - echo "$CTR_AC_LE autoconfig/autodiscovery certificates are missing." 
- exit 1 -fi - -# create nextcloud config -mkdir -p "/mnt/repo-base/volumes/nextcloud/config/" -cat /mnt/repo-base/templates/nextcloud/config.php | sed "s/@@@DOMAIN@@@/$DOMAIN/g" | \ - sed "s/@@@DRIVE_SMTP_PASSWORD@@@/$DRIVE_SMTP_PASSWORD/g" | sed "s/@@@MYSQL_PASSWORD_NC@@@/$MYSQL_PASSWORD_NC/g" | \ - sed "s/@@@MYSQL_DATABASE_NC@@@/$MYSQL_DATABASE_NC/g" | sed "s/@@@MYSQL_USER_NC@@@/$MYSQL_USER_NC/g" | \ - sed "s/@@@PFDB_DBPASS@@@/$PFDB_DBPASS/g" > \ - "/mnt/repo-base/volumes/nextcloud/config/config.php" -chown www-data:www-data "/mnt/repo-base/volumes/nextcloud/" -R - -# Login to /e/ registry | not necessary when going public -echo "Please login with your gitlab.e.foundation username and password" -docker login registry.gitlab.e.foundation:5000 - -docker-compose up -d - -echo -e "\nHack: restart everything to ensure that database and nextcloud are initialized" -docker-compose restart - -# needed to store created accounts, and needs to be writable by welcome -touch /mnt/repo-base/volumes/accounts/auth.file.done -ACCOUNTS_UID=$(docker-compose exec --user www-data accounts id -u | tr -d '\r') -chown "$ACCOUNTS_UID:$ACCOUNTS_UID" /mnt/repo-base/volumes/accounts/auth.file.done - - -printf "$(date): Waiting for Nextcloud to finish installation" -# sleep for 300 seconds -for i in {0..300}; do - sleep 1 - printf "." -done - - -bash scripts/postinstall.sh diff --git a/scripts/postinstall.sh b/scripts/postinstall.sh deleted file mode 100755 index c19f86c86eb8190316b4dfb9c81359d84ddbe328..0000000000000000000000000000000000000000 --- a/scripts/postinstall.sh +++ /dev/null 
@@ -1,83 +0,0 @@ -#!/usr/bin/env bash -set -e - -source /mnt/repo-base/scripts/base.sh - -# Create Nextcloud mysql database and user -docker-compose exec -T mariadb mysql --user=root --password="$MYSQL_ROOT_PASSWORD" \ - -e "CREATE USER '$MYSQL_USER_NC'@'%' IDENTIFIED BY '$MYSQL_PASSWORD_NC';" -docker-compose exec -T mariadb mysql --user=root --password="$MYSQL_ROOT_PASSWORD" \ - -e "CREATE DATABASE $MYSQL_DATABASE_NC DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;" -docker-compose exec -T mariadb mysql --user=root --password="$MYSQL_ROOT_PASSWORD" \ - -e "GRANT ALL PRIVILEGES ON $MYSQL_DATABASE_NC.* TO '$MYSQL_USER_NC'@'%' WITH GRANT OPTION;" - -# The maintenance:install command does not support environment variables for -# database configuration. -# https://github.com/nextcloud/server/issues/6185 -docker-compose exec -T --user www-data nextcloud php occ maintenance:install \ - --admin-user="$NEXTCLOUD_ADMIN_USER" --admin-pass="$NEXTCLOUD_ADMIN_PASSWORD" \ - --admin-email="$ALT_EMAIL" --database="mysql" --database-pass="$MYSQL_PASSWORD_NC" \ - --database-name="$MYSQL_DATABASE_NC" --database-host="mariadb" --database-user="$MYSQL_USER_NC" \ - --database-port="3306" --database-table-prefix="" -docker-compose exec -T --user www-data nextcloud php occ db:convert-filecache-bigint --no-interaction - -# Nextcloud resets trusted_domains to localhost during installation, so we have to set it again -docker-compose exec -T --user www-data nextcloud php occ config:system:set trusted_domains 0 --value="$DOMAIN" - -echo "Installing nextcloud plugins" -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install calendar -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install tasks -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install notes -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install user_backend_sql_raw -docker-compose exec -T --user www-data 
nextcloud php /var/www/html/occ app:install rainloop -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:app:set rainloop rainloop-autologin --value 1 - -echo "Installing Nextcloud theme" -wget "https://gitlab.e.foundation/api/v4/projects/315/repository/archive.tar.gz?private_token=qV5kExhz6mDY5QET8z56" -O "/tmp/nextcloud-theme.tar.gz" -tar -xzf "/tmp/nextcloud-theme.tar.gz" -C "volumes/nextcloud/html/themes/" --strip-components=1 -chown www-data:www-data "volumes/nextcloud/html/themes/" -R -rm "/tmp/nextcloud-theme.tar.gz" - -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:system:set theme --value eelo - -docker-compose exec -T --user www-data nextcloud php occ maintenance:mode --off - -echo "Restarting Nextcloud container" -docker-compose restart nextcloud - -echo "Configuring Rainloop" -mkdir -p "/mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains/" -echo "$ADD_DOMAINS" | tr "," "\n" | while read add_domain; do - cp "templates/rainloop/domain-config.ini" "/mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains/$add_domain.ini" -done -chown www-data:www-data /mnt/repo-base/volumes/nextcloud/ -R - -echo "Creating postfix database schema" -curl --silent -L https://mail.$DOMAIN/setup.php > /dev/null - -echo "Adding Postfix admin superadmin account" -docker-compose exec -T postfixadmin /postfixadmin/scripts/postfixadmin-cli admin add $ALT_EMAIL --password $PFA_SUPERADMIN_PASSWORD --password2 $PFA_SUPERADMIN_PASSWORD --superadmin - -# Adding domains to postfix is done by docker exec instead of docker-compose exec on purpose. 
Reason: with compose the loop aborts after the first item for an unknown reason -echo "Adding domains to Postfix" -echo "$ADD_DOMAINS" | tr "," "\n" | while read line; do docker exec -t postfixadmin /postfixadmin/scripts/postfixadmin-cli domain add $line; done - -echo "Adding email accounts used by system senders (drive, ...)" -docker-compose exec -T postfixadmin /postfixadmin/scripts/postfixadmin-cli mailbox add drive@$DOMAIN --password $DRIVE_SMTP_PASSWORD --password2 $DRIVE_SMTP_PASSWORD --name "drive" --email-other $ALT_EMAIL -docker-compose exec -T postfixadmin /postfixadmin/scripts/postfixadmin-cli mailbox add $SMTP_FROM --password $SMTP_PW --password2 $SMTP_PW --name "welcome" --email-other $ALT_EMAIL - -# display DKIM DNS setup info/instructions to the user -echo -e "\n\n\n" -echo -e "Please add the following records to your domain's DNS configuration:\n" -find /mnt/repo-base/volumes/mail/dkim/ -maxdepth 1 -mindepth 1 -type d | while read line; do DOMAIN=$(basename $line); echo " - DKIM record (TXT) for $DOMAIN:" && cat $line/public.key; done - -echo "=================================================================================================================================" -echo "=================================================================================================================================" -echo "Your logins:" -bash scripts/show-info.sh - -echo "=================================================================================================================================" -echo "Your signup link:" -bash scripts/generate-signup-link.sh --user-email $ALT_EMAIL - -echo "Please reboot the server now" diff --git a/scripts/show-info.sh b/scripts/show-info.sh deleted file mode 100755 index fbbe6849a627516ca879f2c5a949c38811862618..0000000000000000000000000000000000000000 --- a/scripts/show-info.sh +++ /dev/null 
@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-source /mnt/repo-base/scripts/base.sh
-
-SPAM_UI=$(grep server_name $(grep -l mailserver:11334 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
-RSPAMD_PASSWORD=$(grep ^RSPAMD_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }')
-
-NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:80 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
-NEXTCLOUD_ADMIN_USER=$(grep ^NEXTCLOUD_ADMIN_USER= "$ENVFILE" | awk -F= '{ print $NF }')
-NEXTCLOUD_ADMIN_PASSWORD=$(grep ^NEXTCLOUD_ADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }')
-
-POSTFIX_UI=$(grep server_name $(grep -l postfixadmin:8888 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
-POSTFIX_USER=$(grep ALT_EMAIL= "$ENVFILE" | awk -F= '{ print $NF }')
-POSTFIX_PASSWORD=$(grep PFA_SUPERADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }')
-
-
-echo "Your password for the SPAM filter mgmt UI (https://$SPAM_UI) is: $RSPAMD_PASSWORD"
-echo "Your admin credentials for nextcloud are (https://$NEXTCLOUD_UI) is: $NEXTCLOUD_ADMIN_USER / $NEXTCLOUD_ADMIN_PASSWORD"
-echo "Your credentials for postfix admin (https://$POSTFIX_UI) are: $POSTFIX_USER / $POSTFIX_PASSWORD"
-
diff --git a/scripts/ssl-renew.sh b/scripts/ssl-renew.sh
deleted file mode 100755
index 5768b968d1a2fff0754d66fa6ee0c7689e76e1ad..0000000000000000000000000000000000000000
--- a/scripts/ssl-renew.sh
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-source /mnt/repo-base/scripts/base.sh
-
-if [ "$(whoami)" != "root" ]
-then
- exit 1
-fi
-
-MAILHOST="mail.$DOMAIN"
-CONFIG=/mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat
-OPENSSLBIN=/usr/bin/openssl
-CERTSTOREBASE=/mnt/repo-base/config-dynamic/letsencrypt/certstore
-CERTSTORE=$CERTSTOREBASE/live
-SERVERADMIN="admin@$DOMAIN"
-PUBIP=0.0.0.0
-CERTBOT_IMAGE="certbot/certbot:v0.33.1"
-
-cat "$CONFIG" | while read DOMAIN; do
- # For the first run, we have to use standalone auth because Nginx won't start without the cert files present.
- if [ ! -f "$CERTSTORE/$DOMAIN/fullchain.pem" ]
- then
- docker run -t --rm -v $CERTSTOREBASE:/etc/letsencrypt \
- -p $PUBIP:80:80 -p $PUBIP:443:443 \
- "$CERTBOT_IMAGE" certonly --non-interactive --agree-tos -m $SERVERADMIN -d $DOMAIN \
- --standalone
- else
- docker run -t --rm -v $CERTSTOREBASE:/etc/letsencrypt \
- -v /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge \
- "$CERTBOT_IMAGE" certonly --non-interactive --agree-tos -m $SERVERADMIN -d $DOMAIN \
- --webroot -w /etc/letsencrypt/acme-challenge \
- --post-hook "touch /etc/letsencrypt/live/$DOMAIN/cert-updated"
- CERT_UPDATED_FILE="$CERTSTORE/$DOMAIN/cert-updated"
- if [ -f "$CERT_UPDATED_FILE" ]
- then
- echo "Reloading SSL certificates"
- rm "$CERT_UPDATED_FILE"
- docker exec nginx nginx -s reload
- NVALIDTHRU=$($OPENSSLBIN x509 -enddate -noout -in $CERTSTORE/$DOMAIN/fullchain.pem | awk -F= '{ print $NF }')
- echo "Certificate for $DOMAIN renewed and is valid until: $NVALIDTHRU"
- if [ "$DOMAIN" = "$MAILHOST" ]
- then
- cd /mnt/repo-base/
- docker-compose restart eelomailserver
- fi
- fi
- fi
-:;done
diff --git a/scripts/update.sh b/scripts/update.sh
deleted file mode 100755
index 30a4de0ea2bdb7652add80cab85cd133eebd4071..0000000000000000000000000000000000000000
--- a/scripts/update.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/bash
-set -e
-
-source /mnt/repo-base/scripts/base.sh
-
-CURRENT_VERSION_DATE=$(git show -s --format=%ci HEAD)
-git fetch --tags
-LATEST_TAG=$(git tag --sort=creatordate | tail -n 1)
-LATEST_VERSION_DATE=$(git show -s --format=%ci "$LATEST_TAG")
-
-if [[ ! "$CURRENT_VERSION_DATE" < "$LATEST_VERSION_DATE" ]]
-then
- echo "No update available"
- exit
-fi
-
-echo "New version is $LATEST_TAG
-Changelog: https://gitlab.e.foundation/e/priv/infra/compose/tags/$LATEST_TAG
-Do you want to upgrade? [y/N]"
-read answer
-
-# https://stackoverflow.com/a/27875395
-if [ "$answer" == "${answer#[Yy]}" ] ;then
- echo "aborted"
- exit
-fi
-
-echo -e "\n\nUpdating git repository to latest version"
-git checkout "$LATEST_TAG"
-
-echo -e "\n\nUpdating Docker images"
-docker-compose pull
-docker-compose up -d
-
-echo -e "\n\nUpdate complete. Consider running 'docker image prune --all' to reclaim space from old images"
diff --git a/templates/docker-compose/docker-compose-base.yml b/templates/docker-compose/docker-compose-base.yml
deleted file mode 100644
index ba6e9d6746fde16d61ddbf31bd69fb6e548de4a7..0000000000000000000000000000000000000000
--- a/templates/docker-compose/docker-compose-base.yml
+++ /dev/null
@@ -1,152 +0,0 @@ -version: '2.1' - -services: - eelomailserver: - image: hardware/mailserver:1.1-stable - container_name: mailserver - domainname: ${DOMAIN} # Mail server A/MX/FQDN & reverse PTR = mail.${DOMAIN}. - hostname: mail - restart: always - networks: - - serverbase - ports: - - "25:25" # SMTP - Required - - "110:110" # POP3 STARTTLS - Optional - For webmails/desktop clients - - "143:143" # IMAP STARTTLS - Optional - For webmails/desktop clients - # - "465:465" # SMTPS SSL/TLS - Optional - Enabled for compatibility reason, otherwise disabled - - "587:587" # Submission STARTTLS - Optional - For webmails/desktop clients - - "993:993" # IMAPS SSL/TLS - Optional - For webmails/desktop clients - - "995:995" # POP3S SSL/TLS - Optional - For webmails/desktop clients - - "4190:4190" # SIEVE STARTTLS - Optional - Recommended for mail filtering - environment: - - DBPASS=${DBPASS} - - RSPAMD_PASSWORD=${RSPAMD_PASSWORD} - - ADD_DOMAINS=${ADD_DOMAINS} - - ENABLE_POP3=${ENABLE_POP3} - - DISABLE_RATELIMITING=${DISABLE_RATELIMITING} - - RELAY_NETWORKS=172.16.0.0/12 - # Full list of options: https://github.com/hardware/mailserver#environment-variables - volumes: - - /mnt/repo-base/volumes/mail:/var/mail - - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/etc/letsencrypt - - /mnt/repo-base/config-static/mail/dovecot/10-mail.conf:/etc/dovecot/conf.d/10-mail.conf - - /mnt/repo-base/config-static/mail/dovecot/90-quota.conf:/etc/dovecot/conf.d/90-quota.conf - - /mnt/repo-base/config-static/mail/dovecot/90-sieve.conf:/etc/dovecot/conf.d/90-sieve.conf - depends_on: - - mariadb - - redis - - postfixadmin: - image: registry.gitlab.e.foundation:5000/e/infra/docker-postfixadmin:0.1.2 - container_name: postfixadmin - domainname: ${DOMAIN} - hostname: mail - restart: always - networks: - - serverbase - environment: - - DBPASS=${DBPASS} - - POSTFIXADMIN_SSH_PASSWORD=${POSTFIXADMIN_SSH_PASSWORD} - depends_on: - - eelomailserver - - mariadb - - mariadb: - image: mariadb:10.3 - 
container_name: mariadb - restart: always - networks: - - serverbase - environment: - # Note: These variables are only used for the first start. Later changes are ignored. - - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} - - MYSQL_DATABASE=${PFDB_DB} - - MYSQL_USER=${PFDB_USR} - - MYSQL_PASSWORD=${DBPASS} - volumes: - - /mnt/repo-base/volumes/mysql/db:/var/lib/mysql - - /mnt/repo-base/config-dynamic/nextcloud/database:/docker-entrypoint-initdb.d - - redis: - image: redis:4.0-alpine - container_name: redis - restart: always - networks: - - serverbase - command: redis-server --appendonly yes - volumes: - - /mnt/repo-base/volumes/redis/db:/data - - accounts: - image: registry.gitlab.e.foundation:5000/e/infra/docker-welcome:0.2.2 - container_name: accounts - environment: - - DOMAINS=${VHOSTS_ACCOUNTS} - - DOMAIN=${DOMAIN} - - IS_WELCOME=true - - PFDB_HOST=mariadb - - PFDB_DB=${PFDB_DB} - - PFDB_USR=${PFDB_USR} - - PFDB_PW=${DBPASS} - - SMTP_HOST=${SMTP_HOST} - - SMTP_FROM=${SMTP_FROM} - - SMTP_PW=${SMTP_PW} - - CREATE_ACCOUNT_PASSWORD=${CREATE_ACCOUNT_PASSWORD} - restart: always - networks: - - serverbase - volumes: - - /mnt/repo-base/volumes/accounts:/var/accounts - depends_on: - - mariadb - - nextcloud: - image: nextcloud:15.0.8 - container_name: nextcloud - environment: - - MYSQL_DATABASE=${MYSQL_DATABASE_NC} - - MYSQL_USER=${MYSQL_USER_NC} - - MYSQL_PASSWORD=${MYSQL_PASSWORD_NC} - - MYSQL_HOST=mariadb - - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} - - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} - restart: always - networks: - - serverbase - volumes: - - /mnt/repo-base/volumes/nextcloud/html:/var/www/html/ - - /mnt/repo-base/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/ - - /mnt/repo-base/volumes/nextcloud/config:/var/www/html/config/ - - /mnt/repo-base/volumes/nextcloud/data:/var/www/html/data/ - depends_on: - - mariadb - - automx: - image: registry.gitlab.e.foundation:5000/e/infra/docker-mailstack:automx-0.1.0 - container_name: automx - 
hostname: automx - environment: - - VIRTUAL_HOST=${VIRTUAL_HOST} - - DOMAIN=${DOMAIN} - - HOSTNAME=automx - restart: always - networks: - - serverbase - volumes: - - /mnt/repo-base/config-dynamic/automx/automx.conf:/etc/automx.conf - - create-account: - image: registry.gitlab.e.foundation:5000/e/infra/docker-create-account:0.1.6 - container_name: create-account - restart: always - environment: - - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} - - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} - - POSTFIXADMIN_SSH_PASSWORD=${POSTFIXADMIN_SSH_PASSWORD} - - DOMAIN=${DOMAIN} - - CREATE_ACCOUNT_PASSWORD=${CREATE_ACCOUNT_PASSWORD} - networks: - - serverbase - depends_on: - - nextcloud - - postfixadmin diff --git a/templates/docker-compose/docker-compose-networks.yml b/templates/docker-compose/docker-compose-networks.yml deleted file mode 100644 index 02e7b59292f7a66799ed00a4cbc30b4005171acf..0000000000000000000000000000000000000000 --- a/templates/docker-compose/docker-compose-networks.yml +++ /dev/null @@ -1,28 +0,0 @@ - - nginx: - image: registry.gitlab.e.foundation:5000/e/infra/docker-nginx:1.15 - container_name: nginx - restart: always - networks: - - serverbase - ports: - - "80:8000" - - "443:4430" - volumes: - - /mnt/repo-base/config-dynamic/nginx/sites-enabled:/etc/nginx/conf.d/ - - /mnt/repo-base/config-static/nginx/params:/etc/nginx/params/ - - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/certs - - /mnt/repo-base/config-dynamic/nginx/passwds:/passwds - - /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge - depends_on: - - nextcloud - - create-account - - automx - - postfixadmin - - accounts - - eelomailserver - #- onlyoffice-community-server - -networks: - serverbase: - driver: 'bridge' 
diff --git a/templates/docker-compose/docker-compose-onlyoffice.yml b/templates/docker-compose/docker-compose-onlyoffice.yml deleted file mode 100644 index 9387ad7605243f556cec6b8657dfc2d3b6072f4c..0000000000000000000000000000000000000000 --- a/templates/docker-compose/docker-compose-onlyoffice.yml +++ /dev/null @@ -1,43 +0,0 @@ - - onlyoffice-documentserver: - image: onlyoffice/documentserver:5.2.6.3 - container_name: onlyoffice-document-server - stdin_open: true - restart: always - networks: - - serverbase - volumes: - - /mnt/repo-base/volumes/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data - - /mnt/repo-base/volumes/onlyoffice/DocumentServer/logs:/var/log/onlyoffice - onlyoffice-mail-server: - image: onlyoffice/mailserver:1.6.35 - container_name: onlyoffice-mail-server - hostname: cleus.eu - stdin_open: true - restart: always - networks: - - serverbase - volumes: - - /mnt/repo-base/volumes/onlyoffice/MailServer/data:/var/vmail - - /mnt/repo-base/volumes/onlyoffice/MailServer/data/certs:/etc/pki/tls/mailserver - - /mnt/repo-base/volumes/onlyoffice/MailServer/logs:/var/log - - /mnt/repo-base/volumes/onlyoffice/MailServer/mysql:/var/lib/mysql - onlyoffice-community-server: - image: onlyoffice/communityserver:9.6.5.771 - container_name: onlyoffice-community-server - restart: always - networks: - - serverbase - ports: - - 5222:5222 - environment: - - DOCUMENT_SERVER_PORT_80_TCP_ADDR=onlyoffice-document-server - - MAIL_SERVER_DB_HOST=onlyoffice-mail-server - volumes: - - /mnt/repo-base/volumes/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data - - /mnt/repo-base/volumes/onlyoffice/CommunityServer/mysql:/var/lib/mysql - - /mnt/repo-base/volumes/onlyoffice/CommunityServer/logs:/var/log/onlyoffice - - /mnt/repo-base/volumes/onlyoffice/DocumentServer/data:/var/www/onlyoffice/DocumentServerData - depends_on: - - onlyoffice-documentserver - - onlyoffice-mail-server 
diff --git a/templates/mail/update-notification.txt b/templates/mail/update-notification.txt
deleted file mode 100644
index 04d42f8f2889cfb7d1d08e89166b8480c819a205..0000000000000000000000000000000000000000
--- a/templates/mail/update-notification.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Subject:Update available for @@@DOMAIN@@@
-A new update is available. Please login via ssh and run the following
-command:
-
-bash /mnt/repo-base/scripts/update.sh
diff --git a/templates/nextcloud/plugin-config/user_sql_raw_config.conf b/templates/nextcloud/plugin-config/user_sql_raw_config.conf
deleted file mode 100644
index 08b54a8cfd162bd88c3a9469a25da3a12f83e63c..0000000000000000000000000000000000000000
--- a/templates/nextcloud/plugin-config/user_sql_raw_config.conf
+++ /dev/null
@@ -1,21 +0,0 @@
- 'user_backend_sql_raw' =>
- array (
- 'db_type' => 'mariadb',
- 'db_host' => 'mariadb',
- 'db_port' => '3306',
- 'db_name' => '@@@DBNAME@@@',
- 'db_user' => '@@@DBUSER@@@',
- 'db_password' => '@@@DBPW@@@',
- 'queries' =>
- array (
- 'get_password_hash_for_user' => 'SELECT substr(password,15,3000) AS password_hash FROM mailbox WHERE username = BINARY :username',
- 'user_exists' => 'SELECT EXISTS(SELECT 1 FROM mailbox WHERE username = :username)',
- 'get_users' => 'select username as fqda from mailbox where username like :search or name like :search',
- 'set_password_hash_for_user' => 'UPDATE mailbox SET password = CONCAT(\'{SHA512-CRYPT}\',:new_password_hash) WHERE username = BINARY :username',
- 'get_display_name' => 'SELECT name FROM mailbox where username = BINARY :username',
- 'set_display_name' => 'UPDATE mailbox SET name = :new_display_name WHERE username = BINARY :username',
- 'count_users' => 'SELECT COUNT(*) FROM mailbox',
- ),
- 'hash_algorithm_for_new_passwords' => 'sha512',
- )
-);