From cadf95d4ad477e1fce5e87f053c69f09da78218b Mon Sep 17 00:00:00 2001 
From: Joel S Date: Fri, 5 Jul 2019 21:19:49 +0530 Subject: [PATCH] Initial Ansible Implementation --- .gitignore | 13 +- README.md | 107 +++++++-- config-dynamic/automx/.keep | 0 config-dynamic/letsencrypt/autorenew/.keep | 0 config-dynamic/nginx/sites-enabled/.keep | 0 deployment/questionnaire/answers.dat | 4 - deployment/questionnaire/questionnaire.dat | 36 --- deployment/salt/base/docker-compose.sls | 51 ----- deployment/salt/base/docker-daemon.json | 7 - deployment/salt/init-config/masterless.conf | 5 - docs/add_vhost.md | 63 ------ docs/env_file.md | 40 ---- docs/folders.md | 20 -- docs/ports.md | 14 -- docs/update_onlyoffice.md | 53 ----- ecloud.yml | 14 ++ group_vars/all | 28 +++ hosts | 1 + roles/ecloud-accounts/defaults/main.yml | 2 + roles/ecloud-accounts/tasks/main.yml | 12 + roles/ecloud-accounts/tasks/setup.yml | 22 ++ roles/ecloud-accounts/tasks/start.yml | 39 ++++ roles/ecloud-accounts/tasks/stop.yml | 9 + roles/ecloud-base/tasks/dns_configure.yml | 47 ++++ roles/ecloud-base/tasks/docker_setup.yml | 10 + roles/ecloud-base/tasks/main.yml | 12 + roles/ecloud-base/tasks/setup.yml | 58 +++++ roles/ecloud-certs/defaults/main.yml | 1 + .../tasks/letsencrypt_obtain_cert.yml | 57 +++++ roles/ecloud-certs/tasks/main.yml | 18 ++ roles/ecloud-certs/tasks/setup.yml | 14 ++ roles/ecloud-database/defaults/main.yml | 2 + roles/ecloud-database/tasks/main.yml | 12 + roles/ecloud-database/tasks/setup.yml | 19 ++ roles/ecloud-database/tasks/start.yml | 30 +++ roles/ecloud-database/tasks/stop.yml | 9 + roles/ecloud-drive/defaults/main.yml | 1 + roles/ecloud-drive/tasks/main.yml | 12 + roles/ecloud-drive/tasks/setup.yml | 24 ++ roles/ecloud-drive/tasks/start.yml | 21 ++ roles/ecloud-drive/tasks/stop.yml | 4 + .../ecloud-drive/templates/config.j2 | 20 +- roles/ecloud-mailserver/defaults/main.yml | 7 + .../files}/dovecot/10-mail.conf | 0 .../files}/dovecot/90-quota.conf | 0 .../files}/dovecot/90-sieve.conf | 0 roles/ecloud-mailserver/tasks/main.yml | 12 + 
roles/ecloud-mailserver/tasks/setup.yml | 42 ++++ roles/ecloud-mailserver/tasks/start.yml | 66 ++++++ roles/ecloud-mailserver/tasks/stop.yml | 14 ++ .../ecloud-mailserver/templates/automx.j2 | 8 +- roles/ecloud-onlyoffice/defaults/main.yml | 3 + roles/ecloud-onlyoffice/tasks/main.yml | 15 ++ roles/ecloud-onlyoffice/tasks/setup.yml | 29 +++ roles/ecloud-onlyoffice/tasks/start.yml | 48 ++++ roles/ecloud-onlyoffice/tasks/stop.yml | 14 ++ .../files}/domain-config.ini | 0 .../tasks/admin_credentials.yml | 21 ++ .../ecloud-postinstall/tasks/dkim_record.yml | 10 + .../tasks/generate_signup_link.yml | 18 ++ roles/ecloud-postinstall/tasks/main.yml | 34 +++ roles/ecloud-postinstall/tasks/nextcloud.yml | 39 ++++ .../ecloud-postinstall/tasks/postfixadmin.yml | 13 ++ roles/ecloud-postinstall/tasks/rainloop.yml | 23 ++ roles/ecloud-webserver/defaults/main.yml | 1 + .../files}/params/headers_params | 0 .../files}/params/proxy_params | 0 .../ecloud-webserver/files}/params/ssl_params | 0 roles/ecloud-webserver/tasks/main.yml | 12 + roles/ecloud-webserver/tasks/setup.yml | 64 ++++++ roles/ecloud-webserver/tasks/start.yml | 18 ++ roles/ecloud-webserver/tasks/stop.yml | 4 + .../ecloud-webserver/templates/autoconfig.j2 | 8 +- .../templates/autodiscover.j2 | 32 +++ .../ecloud-webserver/templates/nextcloud.j2 | 8 +- .../ecloud-webserver/templates/onlyoffice.j2 | 8 +- .../templates/postfixadmin.j2 | 8 +- .../ecloud-webserver/templates/rspamd.j2 | 8 +- .../ecloud-webserver/templates/welcome.j2 | 8 +- scripts/base.sh | 66 ------ scripts/check-update.sh | 28 --- scripts/generate-signup-link.sh | 29 --- scripts/init-repo.sh | 205 ------------------ scripts/postinstall.sh | 83 ------- scripts/show-info.sh | 21 -- scripts/ssl-renew.sh | 49 ----- scripts/update.sh | 35 --- .../docker-compose/docker-compose-base.yml | 152 ------------- .../docker-compose-networks.yml | 28 --- .../docker-compose-onlyoffice.yml | 43 ---- templates/mail/update-notification.txt | 5 - 
.../plugin-config/user_sql_raw_config.conf | 21 -- 92 files changed, 1143 insertions(+), 1128 deletions(-) delete mode 100644 config-dynamic/automx/.keep delete mode 100644 config-dynamic/letsencrypt/autorenew/.keep delete mode 100644 config-dynamic/nginx/sites-enabled/.keep delete mode 100644 deployment/questionnaire/answers.dat delete mode 100644 deployment/questionnaire/questionnaire.dat delete mode 100644 deployment/salt/base/docker-compose.sls delete mode 100644 deployment/salt/base/docker-daemon.json delete mode 100644 deployment/salt/init-config/masterless.conf delete mode 100644 docs/add_vhost.md delete mode 100644 docs/env_file.md delete mode 100644 docs/folders.md delete mode 100644 docs/ports.md delete mode 100644 docs/update_onlyoffice.md create mode 100644 ecloud.yml create mode 100644 group_vars/all create mode 100644 hosts create mode 100644 roles/ecloud-accounts/defaults/main.yml create mode 100644 roles/ecloud-accounts/tasks/main.yml create mode 100644 roles/ecloud-accounts/tasks/setup.yml create mode 100644 roles/ecloud-accounts/tasks/start.yml create mode 100644 roles/ecloud-accounts/tasks/stop.yml create mode 100644 roles/ecloud-base/tasks/dns_configure.yml create mode 100644 roles/ecloud-base/tasks/docker_setup.yml create mode 100644 roles/ecloud-base/tasks/main.yml create mode 100644 roles/ecloud-base/tasks/setup.yml create mode 100644 roles/ecloud-certs/defaults/main.yml create mode 100644 roles/ecloud-certs/tasks/letsencrypt_obtain_cert.yml create mode 100644 roles/ecloud-certs/tasks/main.yml create mode 100644 roles/ecloud-certs/tasks/setup.yml create mode 100644 roles/ecloud-database/defaults/main.yml create mode 100644 roles/ecloud-database/tasks/main.yml create mode 100644 roles/ecloud-database/tasks/setup.yml create mode 100644 roles/ecloud-database/tasks/start.yml create mode 100644 roles/ecloud-database/tasks/stop.yml create mode 100644 roles/ecloud-drive/defaults/main.yml create mode 100644 roles/ecloud-drive/tasks/main.yml create 
mode 100644 roles/ecloud-drive/tasks/setup.yml create mode 100644 roles/ecloud-drive/tasks/start.yml create mode 100644 roles/ecloud-drive/tasks/stop.yml rename templates/nextcloud/config.php => roles/ecloud-drive/templates/config.j2 (77%) create mode 100644 roles/ecloud-mailserver/defaults/main.yml rename {config-static/mail => roles/ecloud-mailserver/files}/dovecot/10-mail.conf (100%) rename {config-static/mail => roles/ecloud-mailserver/files}/dovecot/90-quota.conf (100%) rename {config-static/mail => roles/ecloud-mailserver/files}/dovecot/90-sieve.conf (100%) create mode 100644 roles/ecloud-mailserver/tasks/main.yml create mode 100644 roles/ecloud-mailserver/tasks/setup.yml create mode 100644 roles/ecloud-mailserver/tasks/start.yml create mode 100644 roles/ecloud-mailserver/tasks/stop.yml rename templates/automx/automx.conf => roles/ecloud-mailserver/templates/automx.j2 (91%) create mode 100644 roles/ecloud-onlyoffice/defaults/main.yml create mode 100644 roles/ecloud-onlyoffice/tasks/main.yml create mode 100644 roles/ecloud-onlyoffice/tasks/setup.yml create mode 100644 roles/ecloud-onlyoffice/tasks/start.yml create mode 100644 roles/ecloud-onlyoffice/tasks/stop.yml rename {templates/rainloop => roles/ecloud-postinstall/files}/domain-config.ini (100%) create mode 100644 roles/ecloud-postinstall/tasks/admin_credentials.yml create mode 100644 roles/ecloud-postinstall/tasks/dkim_record.yml create mode 100644 roles/ecloud-postinstall/tasks/generate_signup_link.yml create mode 100644 roles/ecloud-postinstall/tasks/main.yml create mode 100644 roles/ecloud-postinstall/tasks/nextcloud.yml create mode 100644 roles/ecloud-postinstall/tasks/postfixadmin.yml create mode 100644 roles/ecloud-postinstall/tasks/rainloop.yml create mode 100644 roles/ecloud-webserver/defaults/main.yml rename {config-static/nginx => roles/ecloud-webserver/files}/params/headers_params (100%) rename {config-static/nginx => roles/ecloud-webserver/files}/params/proxy_params (100%) rename 
{config-static/nginx => roles/ecloud-webserver/files}/params/ssl_params (100%) create mode 100644 roles/ecloud-webserver/tasks/main.yml create mode 100644 roles/ecloud-webserver/tasks/setup.yml create mode 100644 roles/ecloud-webserver/tasks/start.yml create mode 100644 roles/ecloud-webserver/tasks/stop.yml rename templates/nginx/sites-enabled/autoconfig.conf => roles/ecloud-webserver/templates/autoconfig.j2 (73%) create mode 100644 roles/ecloud-webserver/templates/autodiscover.j2 rename templates/nginx/sites-enabled/nextcloud.conf => roles/ecloud-webserver/templates/nextcloud.j2 (83%) rename templates/nginx/sites-enabled/onlyoffice.conf => roles/ecloud-webserver/templates/onlyoffice.j2 (84%) rename templates/nginx/sites-enabled/postfixadmin.conf => roles/ecloud-webserver/templates/postfixadmin.j2 (74%) rename templates/nginx/sites-enabled/rspamd.conf => roles/ecloud-webserver/templates/rspamd.j2 (74%) rename templates/nginx/sites-enabled/welcome.conf => roles/ecloud-webserver/templates/welcome.j2 (73%) delete mode 100755 scripts/base.sh delete mode 100755 scripts/check-update.sh delete mode 100755 scripts/generate-signup-link.sh delete mode 100755 scripts/init-repo.sh delete mode 100755 scripts/postinstall.sh delete mode 100755 scripts/show-info.sh delete mode 100755 scripts/ssl-renew.sh delete mode 100755 scripts/update.sh delete mode 100644 templates/docker-compose/docker-compose-base.yml delete mode 100644 templates/docker-compose/docker-compose-networks.yml delete mode 100644 templates/docker-compose/docker-compose-onlyoffice.yml delete mode 100644 templates/mail/update-notification.txt delete mode 100644 templates/nextcloud/plugin-config/user_sql_raw_config.conf diff --git a/.gitignore b/.gitignore index c393c8d..9196865 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,11 +1,2 @@
-# ide files
-.idea
-*.iml
-
-# docker config files
-docker-compose.yml
-.env
-
-# data for the local installation
-config-dynamic/
-volumes/
+*.retry
+credentials/
\ No newline at end of file
diff --git a/README.md b/README.md
index 47f1416..f1d4d84 100644
--- a/README.md
+++ b/README.md
@@ -15,14 +15,21 @@ For the setup without OnlyOffice, requirements are a bit lower: Disk space only refers to the basic installation. You will need additional space for any emails, documents and files you store on the server. -### Required packages (these should be included with Ubuntu by default) +### Required packages in server (these should be included with Ubuntu by default) - curl - bash +- python3 + +### Other Requirements +- A user with root access or root user. +- Server must have ssh setup and accessible through ssh key based authentication +- Server must be accessible through a public ip. +- A Domain name for your server. # Installation ## Create Ubuntu VM & set reverse DNS -This examplpes uses Hetzner cloud (sorry Gael ;)). +This examplpes uses Hetzner cloud. You can use whatever provider you want. Just make sure to set rdns correctly before running the bootstrap script (works via Webui with some other hosters) ```
@@ -30,30 +37,88 @@ $ hcloud server create --image=ubuntu-18.04 --name server1 --type cx31 --ssh-key $ hcloud server set-rdns server1 --hostname mail.example.com ``` -### Start bootstrap process -Login to server as root. Execute this command and follow its on-screen instructions: - -``` -# wget https://gitlab.e.foundation/e/infra/bootstrap/raw/master/bootstrap-generic.sh -# bash bootstrap-generic.sh https://gitlab.e.foundation/e/priv/infra/compose +## Setup the server +The playbook can be run directly on the server or in your personal computer (must have access to server via ssh key based authentication). + +1. Install ansible in the server/personal computer. (For Ubuntu 18.04) + ```bash + sudo apt-get update + sudo apt-get install ansible + ``` + +2. Download the anisble playbook sources in server/personal computer + ```bash + git clone -b ansible https://gitlab.e.foundation/e/priv/infra/compose ansible-ecloud + ``` + +3. Edit the `hosts` file and replace `` with your registered domain name, `` with your public ip address and `` with the user with root access. + ```bash + ansible_host= ansible_ssh_user= ansible_ssh_pipelining=yes ansible_python_interpreter=/usr/bin/python3 + ``` + +4. Edit the `group_vars/all` configuration file and specify +- `ecloud_domain` - with your registered domain name (Required) +- `ecloud_additional_domains` - specify if you want additional domains as email alias. 
(Optional) +- `user_alternate_email_for_signup` - your personal email id (Required) +- `ecloud_install_onlyoffice` - set it `true` if you want to install onlyoffice, else `false` (Required, Default: false) +- `ecloud_gitlab_docker_repo_user` - specify your e-foundation gitlab username (Required, until the repo is made public) +- `ecloud_gitlab_docker_repo_password` - specify your e-foundation gitlab password (Required, until the repo is made public) + ```bash + ecloud_domain: "" + ecloud_additional_domains: [] + user_alternate_email_for_signup: "" + ecloud_install_onlyoffice: false + ecloud_gitlab_docker_repo_user: "" + ecloud_gitlab_docker_repo_password: "" + ... + ... + ... + ``` + +4. Run the playbook to setup up and start your own ecloud server! + ```bash + ansible-playbook -i hosts ecloud.yml --tags=setup + ``` + +5. **Follow the installation and make sure the DNS records are created with your domain registrar as mentioned during execution.** + +6. That's it. If everything goes well, the server must be all set. + +### **Important** : +1. Note down the DKIM DNS record, admin credentials for spam management, e-drive(Nextcloud), Mail server management (Postfixadmin), and **the new user sign up url**. +2. Open the sign up url to create your first ecloud-server account! +3. All credentials are stored as plain-text in the `credentials/` directory. Take the necessary step secure it. +(Preferrably, user can use ansible-vaults to secure them and replace the the password values in `group_vars/all` with the encrypted value) + +# Additional Options + +## Generate Sign Up URL for new user +```bash +ansible-playbook -i hosts ecloud.yml --tags=generate_signup_link --extra-vars="new_user_email=" ``` -**ATTENTION:** -You need to login to gitlab once during this step. 
-(repos will be public later making the bootstrapping run unattended) +## Start/Stop all services +```bash +# For Stopping +ansible-playbook -i hosts ecloud.yml --tags=stop +# For Starting +ansible-playbook -i hosts ecloud.yml --tags=start +``` -# Available Services +## View DNS configuration +```bash +ansible-playbook -i hosts ecloud.yml --tags=dns-configure +``` -You can find login information for these services by running `showInfo.sh`. +## View Admin Credentials +```bash +ansible-playbook -i hosts ecloud.yml --tags=admin-credentials +``` -- $DOMAIN: File hosting with [Nextcloud](https://nextcloud.com/), email with - [rainloop.net](https://www.rainloop.net/) -- welcome.$DOMAIN: Allows users to sign up for a new account (you can create signup links with - `bash /mnt/repo-base/scripts/generate-signup-link.sh`) -- office.$DOMAIN: Create and edit office documents ([onlyoffice.com](https://www.onlyoffice.com/)) +## View DKIM DNS Record +```bash +ansible-playbook -i hosts ecloud.yml --tags=dkim-record +``` -# Administration -- spam.$DOMAIN: Email spam filter ([rspamd.com](https://www.rspamd.com/)) -- mail.$DOMAIN: Administrate email and create accounts ([postfixadmin.sourceforge.net](http://postfixadmin.sourceforge.net/)) diff --git a/config-dynamic/automx/.keep b/config-dynamic/automx/.keep deleted file mode 100644 index e69de29..0000000 diff --git a/config-dynamic/letsencrypt/autorenew/.keep b/config-dynamic/letsencrypt/autorenew/.keep deleted file mode 100644 index e69de29..0000000 diff --git a/config-dynamic/nginx/sites-enabled/.keep b/config-dynamic/nginx/sites-enabled/.keep deleted file mode 100644 index e69de29..0000000 diff --git a/deployment/questionnaire/answers.dat b/deployment/questionnaire/answers.dat deleted file mode 100644 index 9c6b5f9..0000000 --- a/deployment/questionnaire/answers.dat +++ /dev/null @@ -1,4 +0,0 @@ -DOMAIN=maindomain.com -ADD_DOMAINS=domainA.com,domainB.com -ENABLE_POP3=false -DISABLE_RATELIMITING=false \ No newline at end of file 
diff --git a/deployment/questionnaire/questionnaire.dat b/deployment/questionnaire/questionnaire.dat deleted file mode 100644 index 5fa04c2..0000000 --- a/deployment/questionnaire/questionnaire.dat +++ /dev/null @@ -1,36 +0,0 @@ -DOMAIN=Enter your mailserver (management) domain (e.g. domainA.com): -ADD_DOMAINS=Optionally enter additional domain(s) (comma separated, no white spaces) to handle mail for (e.g. domainB.com,domainC.com) or just press enter if you need none: -ALT_EMAIL=Enter alternative email: -INSTALL_ONLYOFFICE=Do you want to install OnlyOffice? [y/n]||||^[yY|nN]$;;;;Please enter 'y' or 'n' - -# Generate and display -RSPAMD_PASSWORD=@@@generate@@@:20@ -NEXTCLOUD_ADMIN_USER=ncadmin_@@@generate@@@:4@ -NEXTCLOUD_ADMIN_PASSWORD=@@@generate@@@:20@ - - -# Generate and use "under the hood" -MYSQL_USER_NC=nc_@@@generate@@@:4@ -MYSQL_PASSWORD_NC=@@@generate@@@:20@ -MYSQL_DATABASE_NC=ncdb_@@@generate@@@:4@ -SMTP_PW=@@@generate@@@:20@ -PFDB_DB=postfix;default -PFDB_USR=postfix;default -MYSQL_ROOT_PASSWORD=@@@generate@@@:20@ -DBPASS=@@@generate@@@:20@ -DBA_PASSWORD=@@@generate@@@:16@ -DRIVE_SMTP_PASSWORD=@@@generate@@@:16@ -POSTFIXADMIN_SSH_PASSWORD=@@@generate@@@:20@ -CREATE_ACCOUNT_PASSWORD=@@@generate@@@:20@ - -PFA_SUPERADMIN_PASSWORD=1@@@generate@@@:16@2 - -# fixed defaults -ENABLE_POP3=false;default -DISABLE_RATELIMITING=false;default -DBA_USER=phpmyadmin;default - -# To be constructed repo specific -#SMTP_FROM=welcome@domainA.com -#VIRTUAL_HOST (for each domain two subdomains autoconfig/autodiscover) -#VHOSTS_ACCOUNTS=welcome.domainA.com diff --git a/deployment/salt/base/docker-compose.sls b/deployment/salt/base/docker-compose.sls deleted file mode 100644 index 16794e9..0000000 --- a/deployment/salt/base/docker-compose.sls +++ /dev/null 
@@ -1,51 +0,0 @@ -upgrade-all: - pkg.uptodate: - - name: update - - refresh: true - cmd.run: - - name: apt-get -y upgrade -o Dpkg::Options::="--force-confold" && apt-get -y autoremove - - shell: /bin/bash - -install-deps: - pkg.installed: - - pkgs: - - apt-transport-https - - ca-certificates - - curl - - software-properties-common - - apache2-utils - - docker.io - - docker-compose - - gnupg2 - - pass - - require: - - upgrade-all - -docker-running: - service.running: - - name: docker - - enable: true - - require: - - install-deps - -cron-renew-ssl-certs: - cron.present: - - name: bash /mnt/repo-base/scripts/ssl-renew.sh - - user: root - - special: '@daily' - - identifier: 'refresh-tls-certs' - -cron-check-updates: - cron.present: - - name: bash /mnt/repo-base/scripts/check-update.sh - - user: root - - special: '@daily' - - identifier: 'check-updates' - -/etc/docker/daemon.json: - file.managed: - - source: salt://docker-daemon.json - - user: root - - group: root - - mode: 644 - - makedirs: True diff --git a/deployment/salt/base/docker-daemon.json b/deployment/salt/base/docker-daemon.json deleted file mode 100644 index 242c706..0000000 --- a/deployment/salt/base/docker-daemon.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "log-driver": "json-file", - "log-opts": { - "max-size": "50m", - "max-file": "4" - } -} diff --git a/deployment/salt/init-config/masterless.conf b/deployment/salt/init-config/masterless.conf deleted file mode 100644 index ffa00ee..0000000 --- a/deployment/salt/init-config/masterless.conf +++ /dev/null @@ -1,5 +0,0 @@ -file_client: local -minion_id_caching: false -file_roots: - base: - - /mnt/repo-base/deployment/salt/base diff --git a/docs/add_vhost.md b/docs/add_vhost.md deleted file mode 100644 index ae004df..0000000 --- a/docs/add_vhost.md +++ /dev/null 
@@ -1,63 +0,0 @@ -## DNS prerequisite -- Add CNAME entry for your new vhost to point to "mail.ecloud.global." - -## Login -ssh root@mail.ecloud.global - -## Execute the script commands below manually verifying each step (not well tested yet) -```shell - -# Tweak variable to your needs -NEWVHOST=thilo-test.ecloud.global - - -# Request cert from LE -echo -e "sub\t$NEWVHOST" >> /mnt/docker/letsencrypt/autrenew/ssl-domains.dat -/mnt/docker/letsencrypt/autrenew/ssl-renew.sh - - -# Add vhost to docker-compose configuration -sed -i "s@VHOSTS_DOMAINS=@VHOSTS_DOMAINS=$NEWVHOST,@g" /mnt/docker/compose/.env - - -# Create dir to host php files -mkdir -p /mnt/docker/www/$NEWVHOST/htdocs/ - -# Create nginx proxy vhost to point to dockered vhost -echo "server { - listen 8000; - server_name ${NEWVHOST}; - return 301 https://\$host\$request_uri; -} -server { - listen 4430 ssl http2; - server_name ${NEWVHOST}; - ssl_certificate /certs/live/${NEWVHOST}/fullchain.pem; - ssl_certificate_key /certs/live/${NEWVHOST}/privkey.pem; - include /etc/nginx/conf/ssl_params; - include /etc/nginx/conf/headers_params; - location / { - add_header Content-Security-Policy upgrade-insecure-requests always; - proxy_pass http://vhosts:80; - include /etc/nginx/conf/proxy_params; - } -}" > /mnt/docker/nginx/sites-enabled/${NEWVHOST}.conf - -# Place file to check it is working -echo "hello world" > /mnt/docker/www/$NEWVHOST/htdocs/index.php -chown www-data: /mnt/docker/www/$NEWVHOST/ -R - -# Restart services to bring changes into effect -cd /mnt/docker/compose && docker-compose up -d -docker restart nginx -``` - -## Final checks -Health check: -- Is this still working or did we break something: https://webmail.ecloud.global/ -- Is new host working? https://thilo-test.ecloud.global - -# Happy hacking -Update you code in /mnt/docker/www/$NEWVHOST/htdocs/ to your liking :) - -Enjoy! diff --git a/docs/env_file.md b/docs/env_file.md deleted file mode 100644 index f1713f7..0000000 
--- a/docs/env_file.md +++ /dev/null @@ -1,40 +0,0 @@ -## General configuration -``` -DOMAIN=example.com # the main domain for your installation -ADD_DOMAINS=example.com, example2.com # one or more domains that are used for email -ALT_EMAIL=myname@gmail.com # admin email address -INSTALL_ONLYOFFICE=n # y or n, whether Onlyoffice is installed -``` - -## Nextcloud -``` -NEXTCLOUD_ADMIN_USER=ncadmin_z5BL -NEXTCLOUD_ADMIN_PASSWORD=sxOY26y0wKm1Q8SGhqmZ -``` - -## Mail -``` -RSPAMD_PASSWORD=gsteZuLgWLUNCs5b1Ksz -SMTP_PW=wGfQsTXPD3Ipm8Lfyk8y -PFA_SUPERADMIN_PASSWORD=1oyHLEWikVlKx0bz72 -DISABLE_RATELIMITING=false -DRIVE_SMTP_PASSWORD=FL8D6SRnRWOdyMsN -ENABLE_POP3=false -VIRTUAL_HOST=autoconfig.domaina.pw,autodiscover.domaina.pw -``` - -## Database -``` -MYSQL_USER_NC=nc_0VwU -MYSQL_PASSWORD_NC=LxsjA8bzNuzUcTYtkfof -MYSQL_DATABASE_NC=ncdb_aJWW -PFDB_DB=postfix -PFDB_USR=postfix -MYSQL_ROOT_PASSWORD=RqT9WkfrZ9e6SzX2ARoN -DBPASS=QPpTpgFkLFA2ABPizXwk -DBA_USER=phpmyadmin -DBA_PASSWORD=T1N2tYn7aDILXYNS -``` -VHOSTS_ACCOUNTS=welcome.domaina.pw -SMTP_FROM=welcome@domaina.pw - diff --git a/docs/folders.md b/docs/folders.md deleted file mode 100644 index fafd412..0000000 --- a/docs/folders.md +++ /dev/null 
@@ -1,20 +0,0 @@ -Files and Folders -------- - -- `config-dynamic/` Config files that are generated based on templates, and contain hardcoded values like the local domain - -- `config-static/` Config files that are included with the git repo and don't change (except in repo updates) - -- `deployment/` Files that are required for the initial installation - -- `docs/` General project documentation - -- `scripts/` Various scripts that are used for installation, updating and administration - -- `templates/` Used to dynamically generate various config files - -- `volumes/` Docker volumes used to store data for the different applications (eg Nextcloud files, mail data) - -- `.env` Defines passwords and other variables (see [env_file.md](env_file.md) for details) - -- `docker-compose.yml` Defines the Docker images and volumes. Run `docker-compose up -d` to start the services, and `docker-compose down` to stop them. diff --git a/docs/ports.md b/docs/ports.md deleted file mode 100644 index b50019c..0000000 --- a/docs/ports.md +++ /dev/null @@ -1,14 +0,0 @@ -Ports -===== - -* `25/tcp` - SMTP - used for incoming mail and sending mail by clients. Plaintext but Postfix requires `STARTTLS` -* `80/tcp` and `443/tcp` - HTTP and HTTPS -* `587/tcp` - the same as SMTP but used to send mail by clients whose `25/tcp` is blocked by their ISP -* `993/tcp` - IMAPS - IMAP over TLS used to fetch email by clients -* `110/tcp` - plaintext POP3 - clients should be using IMAPS instead -* `143/tcp` - plaintext IMAP - clients should be using IMAPS instead -* `465/tcp` - SMTP over TLS - nobody is using it as `STARTTLS` on `25/tcp` does it better -* `995/tcp` - POP3 over TLS - clients should be using IMAPS instead -* `4190/tcp` - Dovecot mail rule modiication service - requires client-side support, we need to decide on this one -* `5222/tcp` - XMPP requires client-side support, we need to decide on this one - 
diff --git a/docs/update_onlyoffice.md b/docs/update_onlyoffice.md deleted file mode 100644 index b3bf922..0000000 --- a/docs/update_onlyoffice.md +++ /dev/null @@ -1,53 +0,0 @@ -# UPDATE PROCEDURE (expect downtime) - -```shell -# this is knowingly not using compose functionality to stop/rm/pull - -# Stop containers -docker stop onlyoffice-community-server -docker stop onlyoffice-document-server -docker stop onlyoffice-mail-server - -#Create backup copy of files -cp -pR /mnt/docker/onlyoffice{,.bck} - -# Save image IDs of old images to a file -docker images | grep office > /somewhere/a-file.txt - - -docker rm onlyoffice-community-server -docker rm onlyoffice-document-server -docker rm onlyoffice-mail-server - -docker pull onlyoffice/documentserver -docker pull onlyoffice/communityserver -docker pull onlyoffice/mailserver - -# Start again -cd /mnt/docker/compose -docker-compose up -d -``` - -# ROLLBACK IN CASE OF ISSUE (expect downtime) - -```shell -# Stop and delete containers as above - -# Delete new images -docker rmi onlyoffice/documentserver -docker rmi onlyoffice/communityserver -docker rmi onlyoffice/mailserver - -# Retag the previous images version (see a-file.txt) IMAGE iDs to the correct name, e.g.: -docker tag 9a77d093202e onlyoffice/documentserver -docker tag 0e667b917252 onlyoffice/communityserver -dockr tag 6b2398f473ea onlyoffice/mailserver - -# Move current files to yet another location and move previous backup into original location -mv /mnt/docker/onlyoffice /mnt/docker/onlyoffice.bck.rolledback -mv /mnt/docker/onlyoffice.bck /mnt/docker/onlyoffice - -# Start again -cd /mnt/docker/compose -docker-compose up -d -``` \ No newline at end of file diff --git a/ecloud.yml b/ecloud.yml new file mode 100644 index 0000000..1bb7362 --- /dev/null +++ b/ecloud.yml 
@@ -0,0 +1,14 @@
+- name: "Set up a ecloud server"
+ hosts: "all"
+ become: true
+
+ roles:
+ - ecloud-base
+ - ecloud-certs
+ - ecloud-database
+ - ecloud-mailserver
+ - ecloud-drive
+ - ecloud-accounts
+ - ecloud-onlyoffice
+ - ecloud-webserver
+ - ecloud-postinstall
\ No newline at end of file
diff --git a/group_vars/all b/group_vars/all
new file mode 100644
index 0000000..5549815
--- /dev/null
+++ b/group_vars/all
@@ -0,0 +1,28 @@
+# MUST SPECIFY
+ecloud_domain: ""
+ecloud_additional_domains: []
+user_alternate_email_for_signup: ""
+ecloud_install_onlyoffice: false
+ecloud_gitlab_docker_repo_user: ""
+ecloud_gitlab_docker_repo_password: ""
+
+# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING
+ecloud_gitlab_docker_repo: "registry.gitlab.e.foundation:5000"
+ecloud_all_domains: "{{ [ ecloud_domain ] + ecloud_additional_domains }}"
+ecloud_mysql_root_password: "{{ lookup('password', 'credentials/mysql_root_password length=20') }}"
+ecloud_nextcloud_admin_user: "ncadmin"
+ecloud_nextcloud_admin_password: "{{ lookup('password', 'credentials/nextcloud_admin_password length=20') }}"
+ecloud_nextcloud_mysql_database: "ncdb"
+ecloud_nextcloud_mysql_user: "ncmysqluser"
+ecloud_nextcloud_mysql_password: "{{ lookup('password', 'credentials/nextcloud_mysql_password length=20') }}"
+ecloud_smtp_password: "{{ lookup('password', 'credentials/smtp_password length=20') }}"
+ecloud_drive_smtp_password: "{{ lookup('password', 'credentials/drive_smtp_password length=20') }}"
+ecloud_rspamd_password: "{{ lookup('password', 'credentials/rspamd_password length=20') }}"
+ecloud_postfix_database: "postfix"
+ecloud_postfix_user: "postfix"
+ecloud_postfix_admin_ssh_password: "{{ lookup('password', 'credentials/postfix_admin_ssh_password length=20') }}"
+ecloud_postfix_superadmin_password: "{{ lookup('password', 'credentials/postfix_superadmin_password length=20') }}"
+ecloud_database_password: "{{ lookup('password', 'credentials/database_password length=20') }}"
+ecloud_database_admin: "phpmyadmin"
+ecloud_database_admin_password: "{{ lookup('password', 'credentials/database_admin_password length=20') }}"
+ecloud_create_account_password: "{{ lookup('password', 'credentials/create_account_password length=20') }}"
\ No newline at end of file
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..3321046
--- /dev/null
+++ b/hosts
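Review bot: `ecloud_gitlab_docker_repo_password` in the `# MUST SPECIFY` block is a registry credential held in plaintext in a tracked file; the new `.gitignore` covers `credentials/` but not `group_vars/all`, so a commit made after filling it in puts the GitLab password into repository history. Prefer an `!vault`-encrypted value or `"{{ lookup('env', 'SOME_VAR') }}"` (variable name illustrative) and say so in the comment above that block. The `lookup('password', ...)` entries generate the service secrets on the controller and persist them unencrypted under `credentials/`, as the README acknowledges; a comment above that group such as `# generated on first run and stored unencrypted under credentials/ - protect or vault-encrypt that directory` keeps this visible to whoever edits the file. Separately, `ecloud_nextcloud_admin_user` is now the fixed `ncadmin` where the removed questionnaire appended a random suffix, which makes the admin login name predictable and is worth a comment if intentional.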
@@ -0,0 +1 @@
+ ansible_host= ansible_ssh_user= ansible_ssh_pipelining=yes ansible_python_interpreter=/usr/bin/python3
\ No newline at end of file
diff --git a/roles/ecloud-accounts/defaults/main.yml b/roles/ecloud-accounts/defaults/main.yml
new file mode 100644
index 0000000..370e121
--- /dev/null
+++ b/roles/ecloud-accounts/defaults/main.yml
@@ -0,0 +1,2 @@
+docker_image_welcome: "registry.gitlab.e.foundation:5000/e/infra/docker-welcome:0.2.2"
+docker_image_create_account: "registry.gitlab.e.foundation:5000/e/infra/docker-create-account:0.1.6"
diff --git a/roles/ecloud-accounts/tasks/main.yml b/roles/ecloud-accounts/tasks/main.yml
new file mode 100644
index 0000000..a6b41ee
--- /dev/null
+++ b/roles/ecloud-accounts/tasks/main.yml
@@ -0,0 +1,12 @@
+- import_tasks: "{{ role_path }}/tasks/setup.yml"
+ tags:
+ - setup
+
+- import_tasks: "{{ role_path }}/tasks/start.yml"
+ tags:
+ - setup
+ - start
+
+- import_tasks: "{{ role_path }}/tasks/stop.yml"
+ tags:
+ - stop
\ No newline at end of file
diff --git a/roles/ecloud-accounts/tasks/setup.yml b/roles/ecloud-accounts/tasks/setup.yml
new file mode 100644
index 0000000..97e0c67
--- /dev/null
+++ b/roles/ecloud-accounts/tasks/setup.yml
@@ -0,0 +1,22 @@
+- name: Create necessary directories for accounts container
+ file:
+ path: /ecloud/volumes/accounts
+ owner: root
+ group: root
+ state: directory
+ mode: '0755'
+
+- name: Log into e-foundation private docker repository
+ docker_login:
+ registry: "{{ ecloud_gitlab_docker_repo }}"
+ username: "{{ ecloud_gitlab_docker_repo_user }}"
+ password: "{{ ecloud_gitlab_docker_repo_password }}"
+ reauthorize: yes
+
+- name: Ensure accounts Docker image is pulled
+ docker_image:
+ name: "{{ docker_image_welcome }}"
+
+- name: Ensure create-account Docker image is pulled
+ docker_image:
+ name: "{{ docker_image_create_account }}"
\ No newline at end of file
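Review bot: Both image references in the defaults hunk use mutable tags (`docker-welcome:0.2.2`, `docker-create-account:0.1.6`) with no digest, so whatever the registry serves under that tag at pull time is what runs, and a re-push of the same tag changes the deployment with no change in this repository. The registry is private and operator-controlled, which bounds the risk, but appending an `@sha256:...` digest to the reference (if the `docker_image` version in use accepts digest-qualified names - confirm) or at least recording the expected digest in a comment beside each variable would make the pulled artifact verifiable. A one-line comment such as `# image references are mutable tags; pin to a digest for reproducible installs` would document the trade-off either way.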
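Review bot: The `docker_login` task in the setup hunk passes `ecloud_gitlab_docker_repo_password` without `no_log: true`, so a run with `-v` or a task failure prints the registry password into the Ansible output and into any log that output is shipped to; add `no_log: true` to that task. `reauthorize: yes` re-sends the credential on every `setup` run and, unless a credential helper is configured, the Docker CLI stores it base64-encoded in the become user's `~/.docker/config.json` on the server, where it outlives the play - worth a comment such as `# credential is persisted in ~/.docker/config.json on the host; remove it after pulling if that is not wanted`. The directory task creates `/ecloud/volumes/accounts` as root with mode `0755`; if the container writes user data there, a comment stating which uid inside the container is expected to own it would help the next maintainer.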
diff --git a/roles/ecloud-accounts/tasks/start.yml b/roles/ecloud-accounts/tasks/start.yml
new file mode 100644
index 0000000..0074dd5
--- /dev/null
+++ b/roles/ecloud-accounts/tasks/start.yml
@@ -0,0 +1,39 @@
+- name: Starting Accounts container
+ docker_container:
+ image: "{{ docker_image_welcome }}"
+ name: accounts
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ env:
+ DOMAINS: "welcome.{{ ecloud_domain }}"
+ DOMAIN: "{{ ecloud_domain }}"
+ IS_WELCOME: true
+ PFDB_HOST: mariadb
+ PFDB_DB: "{{ ecloud_postfix_database }}"
+ PFDB_USR: "{{ ecloud_postfix_user }}"
+ PFDB_PW: "{{ ecloud_database_password }}"
+ SMTP_HOST: "mail.{{ ecloud_domain }}"
+ SMTP_FROM: "welcome@{{ ecloud_domain }}"
+ SMTP_PW: "{{ ecloud_smtp_password }}"
+ CREATE_ACCOUNT_PASSWORD: "{{ ecloud_create_account_password }}"
+ volumes:
+ - /ecloud/volumes/accounts:/var/accounts
+
+- name: Starting create-account container
+ docker_container:
+ image: "{{ docker_image_create_account }}"
+ name: create-account
+ restart_policy: always
+ restart: yes
+ state: started
+ networks:
+ - name: serverbase
+ env:
+ NEXTCLOUD_ADMIN_USER: "{{ ecloud_nextcloud_admin_user }}"
+ NEXTCLOUD_ADMIN_PASSWORD: "{{ ecloud_nextcloud_admin_password }}"
+ POSTFIXADMIN_SSH_PASSWORD: "{{ ecloud_postfix_admin_ssh_password }}"
+ DOMAIN: "{{ ecloud_domain }}"
+ CREATE_ACCOUNT_PASSWORD: "{{ ecloud_create_account_password }}"
\ No newline at end of file
diff --git a/roles/ecloud-accounts/tasks/stop.yml b/roles/ecloud-accounts/tasks/stop.yml
new file mode 100644
index 0000000..f90c173
--- /dev/null
+++ b/roles/ecloud-accounts/tasks/stop.yml
@@ -0,0 +1,9 @@
+- name: Stopping accounts container
+ docker_container:
+ name: accounts
+ state: stopped
+
+- name: Stopping create-account container
+ docker_container:
+ name: create-account
+ state: stopped
\ No newline at end of file
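Review bot: Both `docker_container` tasks in the start hunk place secrets in `env` (`PFDB_PW`, `SMTP_PW`, `CREATE_ACCOUNT_PASSWORD`, `NEXTCLOUD_ADMIN_PASSWORD`, `POSTFIXADMIN_SSH_PASSWORD`) without `no_log: true`, so verbose output or a task failure echoes the whole container environment, passwords included; add `no_log: true` to each task, and the database, mailserver, drive and onlyoffice start tasks listed in the diffstat are likely the same shape and should be checked too. `IS_WELCOME: true` is a YAML boolean rather than a string; `docker_container` expects string `env` values and newer Ansible releases reject or warn on non-string ones (confirm against the version in use), so write `IS_WELCOME: "true"`. Passing secrets via environment also makes them readable to anyone who can run `docker inspect` on the host, which deserves a comment above the first `env:` block so the trade-off is explicit.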
diff --git a/roles/ecloud-base/tasks/dns_configure.yml b/roles/ecloud-base/tasks/dns_configure.yml
new file mode 100644
index 0000000..ce3da70
--- /dev/null
+++ b/roles/ecloud-base/tasks/dns_configure.yml
@@ -0,0 +1,47 @@ +- name: Generating DNS Records + shell: | + rm -f /ecloud/config/dnsrecords.txt + echo "RECORD,|,HOST,|,VALUE,|,PRIORITY" >> /ecloud/config/dnsrecords.txt + echo "------,|,----,|,-----,|,--------" >> /ecloud/config/dnsrecords.txt + echo "A,|,mail.{{ ecloud_domain }},|,,|,-" >> /ecloud/config/dnsrecords.txt +- shell: | + echo "A,|,{{ item }},|,,|,-" >> /ecloud/config/dnsrecords.txt + with_items: "{{ ecloud_all_domains }}" +- shell: | + echo "MX,|,{{ item }},|,,|,10" >> /ecloud/config/dnsrecords.txt + with_items: "{{ ecloud_all_domains }}" +- shell: | + echo "PTR (For Reverse DNS),|,,|,mail.{{ ecloud_domain }},|,-" >> /ecloud/config/dnsrecords.txt +- shell: | + echo "CNAME,|,autoconfig.{{ item }},|,,|,-" >> /ecloud/config/dnsrecords.txt + echo "CNAME,|,autodiscover.{{ item }},|,,|,-" >> /ecloud/config/dnsrecords.txt + with_items: "{{ ecloud_all_domains }}" +- shell: | + echo "CNAME,|,spam.{{ ecloud_domain }},|,mail.{{ ecloud_domain }},|,-" >> /ecloud/config/dnsrecords.txt + echo "CNAME,|,welcome.{{ ecloud_domain }},|,mail.{{ ecloud_domain }},|,-" >> /ecloud/config/dnsrecords.txt + echo "CNAME,|,office.{{ ecloud_domain }},|,mail.{{ ecloud_domain }},|,-" >> /ecloud/config/dnsrecords.txt + column "/ecloud/config/dnsrecords.txt" -t -s "," + register: dnsrecords + +- name: "===================================<-DNS Records->=======================================" + debug: + msg: "{{ dnsrecords.stdout.split('\n') }}" + +- name: "Confirm DNS records" + pause: + prompt: 'Please verify that the DNS records are configured correctly! Press "Enter" to continue.' 
+ +- name: "Checking if DNS is configured correctly" + shell: | + IP=$(dig mail.{{ ecloud_domain }}| grep mail.{{ ecloud_domain }} | grep -v '^;' | awk '{ print $NF }') + if [ -z "$IP" ] + then + echo "mail.{{ ecloud_domain }} not resolving to IP" + exit 1 + fi + PTR=$(nslookup $IP | grep "name = mail.{{ ecloud_domain }}" | wc -l) + if [ "1" != "$PTR" ] + then + echo "$IP not resolving to mail.{{ ecloud_domain }} (PTR record missing or wrong.." + exit 1 + fi \ No newline at end of file diff --git a/roles/ecloud-base/tasks/docker_setup.yml b/roles/ecloud-base/tasks/docker_setup.yml new file mode 100644 index 0000000..faa4221 --- /dev/null +++ b/roles/ecloud-base/tasks/docker_setup.yml @@ -0,0 +1,10 @@ +- name: Ensure Docker is running + service: + name: "docker" + state: started + enabled: yes + +- name: Creating Docker network + docker_network: + name: serverbase + driver: bridge \ No newline at end of file diff --git a/roles/ecloud-base/tasks/main.yml b/roles/ecloud-base/tasks/main.yml new file mode 100644 index 0000000..e5c15cf --- /dev/null +++ b/roles/ecloud-base/tasks/main.yml @@ -0,0 +1,12 @@ +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup + +- import_tasks: "{{ role_path }}/tasks/dns_configure.yml" + tags: + - setup + - dns-configure + +- import_tasks: "{{ role_path }}/tasks/docker_setup.yml" + tags: + - setup \ No newline at end of file diff --git a/roles/ecloud-base/tasks/setup.yml b/roles/ecloud-base/tasks/setup.yml new file mode 100644 index 0000000..fd13d67 --- /dev/null +++ b/roles/ecloud-base/tasks/setup.yml 
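Review bot: The "Checking if DNS is configured correctly" task shells out to `dig` and `nslookup`, but the package list this role installs in setup.yml contains no `dnsutils`, so on a fresh Ubuntu host the script most likely dies with "command not found" and the explanatory `exit 1` messages never run; add `dnsutils` to the apt list or use Ansible's `lookup('dig', ...)` instead. `IP=$(dig mail.{{ ecloud_domain }} | grep ... | awk '{ print $NF }')` also collects every answer line, so a CNAME chain or several A records leaves a multi-line `$IP` that the unquoted `nslookup $IP` then splits into separate arguments; `IP=$(dig +short A mail.{{ ecloud_domain }} | tail -n1)` is narrower. Both the record-generation and the verification tasks are read-only from Ansible's point of view and should carry `changed_when: false`.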
@@ -0,0 +1,58 @@ +- name: Upgrade all packages to the latest version + apt: + name: "*" + state: latest + update_cache: yes + force_apt_get: yes + when: ansible_facts['distribution'] == "Ubuntu" + +- name: Ensure all APT package dependencies are installed (Ubuntu) + apt: + name: + - apt-transport-https + - ca-certificates + - curl + - software-properties-common + - apache2-utils + - docker.io + - docker-compose + - gnupg2 + - pass + - python3-pip + - virtualenv + state: present + update_cache: yes + force_apt_get: yes + when: ansible_facts['distribution'] == "Ubuntu" + +- pip: + name: docker + executable: pip3 + +- name: Remove dependencies that are no longer required + apt: + autoremove: yes + force_apt_get: yes + when: ansible_facts['distribution'] == "Ubuntu" + + +- name: Fail if required variables are undefined + fail: + msg: "The `{{ item }}` variable must be defined and have a non-null value" + with_items: + - ecloud_domain + - ecloud_additional_domains + - ecloud_install_onlyoffice + when: "item not in vars or vars[item] is none" + +- name: Create ecloud directory structure + file: + path: "{{ item }}" + owner: root + group: root + state: directory + mode: '0755' + with_items: + - /ecloud + - /ecloud/config + - /ecloud/volumes \ No newline at end of file diff --git a/roles/ecloud-certs/defaults/main.yml b/roles/ecloud-certs/defaults/main.yml new file mode 100644 index 0000000..8080087 --- /dev/null +++ b/roles/ecloud-certs/defaults/main.yml @@ -0,0 +1 @@ +docker_image_letsencrypt: "certbot/certbot:v0.33.1" \ No newline at end of file diff --git a/roles/ecloud-certs/tasks/letsencrypt_obtain_cert.yml b/roles/ecloud-certs/tasks/letsencrypt_obtain_cert.yml new file mode 100644 index 0000000..20e7786 --- /dev/null +++ b/roles/ecloud-certs/tasks/letsencrypt_obtain_cert.yml 
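Review bot: The "Fail if required variables are undefined" task runs only after `apt name: "*" state: latest` has upgraded every package and after Docker and pip packages were installed, so a misconfigured inventory is detected only once the host has already been mutated; move that `fail` task to the top of setup.yml. The unconditional `state: latest` on `*` also turns every play run into an unattended full upgrade (including `docker.io`, which restarts the containers), which is worth gating behind its own tag or documenting with a comment such as `# NOTE: upgrades every package on each run; run with --skip-tags setup to avoid`. `pip: name: docker` installs an unpinned package from PyPI as root; pin it with `version:` so the supply chain is at least reproducible.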
@@ -0,0 +1,57 @@ +- debug: + msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}" + tags: + - setup + +- set_fact: + domain_name_certificate_path: "/ecloud/config/letsencrypt/certstore/live/{{ domain_name }}/fullchain.pem" + tags: + - setup + +- name: Check if a certificate for the domain already exists + stat: + path: "{{ domain_name_certificate_path }}" + register: domain_name_certificate_path_stat + tags: + - setup + +- set_fact: + domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}" + tags: + - setup + +- debug: + msg: "Certificates are already present. Skipping certificate retrivel!" + when: "not domain_name_needs_cert" + tags: + - setup + +- name: Attempt SSL certificate retrieval with Certbot + shell: >- + docker run + -t + --rm + -v /ecloud/config/letsencrypt/certstore:/etc/letsencrypt + -p 0.0.0.0:80:80 -p 0.0.0.0:443:443 + {{ docker_image_letsencrypt }} + certonly + --non-interactive + --agree-tos + -m admin@{{ domain_name }} + -d {{ domain_name }} + --standalone + when: domain_name_needs_cert|bool + register: result_certbot_direct + ignore_errors: true + tags: + - setup + +- name: Fail if all SSL certificate retrieval attempts failed + fail: + msg: | + Failed to obtain a certificate directly using Let's encrypt certbot + and no existing certificate is present as {{ domain_name_certificate_path }} + See above for details. + when: "domain_name_needs_cert and result_certbot_direct.failed" + tags: + - setup \ No newline at end of file diff --git a/roles/ecloud-certs/tasks/main.yml b/roles/ecloud-certs/tasks/main.yml new file mode 100644 index 0000000..ffcbe5c --- /dev/null +++ b/roles/ecloud-certs/tasks/main.yml 
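Review bot: Certificate retrieval is skipped whenever `fullchain.pem` merely exists (`domain_name_needs_cert` is derived only from the `stat`), so a certificate is never renewed and Let's Encrypt's 90-day lifetime will expire under a running mail/web stack; nothing in this role runs `certbot renew`. Replace the existence test with an expiry check so the existing `certonly` task also re-issues when the certificate is close to expiry (certbot itself declines to re-issue one that is not yet due, so this is safe to run repeatedly); note that `--standalone` with `-p 0.0.0.0:80:80 -p 0.0.0.0:443:443` only works while nothing else holds those host ports, so the renewal path presumably has to stop the proxy first. `-m admin@{{ domain_name }}` also registers a different contact per domain, including `autoconfig.*`/`autodiscover.*` names that have no mailbox, so expiry warnings go nowhere; use one `ecloud_letsencrypt_email` variable.
```yaml
- name: Check whether the existing certificate expires within 30 days
  command: openssl x509 -checkend 2592000 -noout -in "{{ domain_name_certificate_path }}"
  register: domain_name_certificate_checkend
  when: domain_name_certificate_path_stat.stat.exists
  failed_when: false
  changed_when: false
  tags:
    - setup

- set_fact:
    domain_name_needs_cert: "{{ (not domain_name_certificate_path_stat.stat.exists) or (domain_name_certificate_checkend.rc | default(0)) != 0 }}"
  tags:
    - setup
# … unchanged: certbot certonly task and final fail task …
```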
@@ -0,0 +1,18 @@ +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup + +- name: Obtaining certificates using Let's Encrypt Certbot + include_tasks: "{{ role_path }}/tasks/letsencrypt_obtain_cert.yml" + with_flattened: + - "{{ ecloud_all_domains }}" + - "mail.{{ ecloud_domain }}" + - "spam.{{ ecloud_domain }}" + - "welcome.{{ ecloud_domain }}" + - "office.{{ ecloud_domain }}" + - "{{ ecloud_all_domains | map('regex_replace','^','autoconfig.') | list }}" + - "{{ ecloud_all_domains | map('regex_replace','^','autodiscover.') | list }}" + loop_control: + loop_var: domain_name + tags: + - setup \ No newline at end of file diff --git a/roles/ecloud-certs/tasks/setup.yml b/roles/ecloud-certs/tasks/setup.yml new file mode 100644 index 0000000..f5f782f --- /dev/null +++ b/roles/ecloud-certs/tasks/setup.yml @@ -0,0 +1,14 @@ +- name: Create Let's Encrypt config directory + file: + path: "{{ item }}" + owner: root + group: root + state: directory + mode: '0755' + with_items: + - /ecloud/config/letsencrypt/certstore + - /ecloud/config/letsencrypt/acme-challenge + +- name: Ensure certbot Docker image is pulled + docker_image: + name: "{{ docker_image_letsencrypt }}" \ No newline at end of file diff --git a/roles/ecloud-database/defaults/main.yml b/roles/ecloud-database/defaults/main.yml new file mode 100644 index 0000000..5987be5 --- /dev/null +++ b/roles/ecloud-database/defaults/main.yml @@ -0,0 +1,2 @@ +docker_image_mariadb: "mariadb:10.3" +docker_image_redis: "redis:4.0-alpine" \ No newline at end of file diff --git a/roles/ecloud-database/tasks/main.yml b/roles/ecloud-database/tasks/main.yml new file mode 100644 index 0000000..a6b41ee --- /dev/null +++ b/roles/ecloud-database/tasks/main.yml @@ -0,0 +1,12 @@ +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup + +- import_tasks: "{{ role_path }}/tasks/start.yml" + tags: + - setup + - start + +- import_tasks: "{{ role_path }}/tasks/stop.yml" + tags: + - stop \ No newline at end of file 
diff --git a/roles/ecloud-database/tasks/setup.yml b/roles/ecloud-database/tasks/setup.yml new file mode 100644 index 0000000..7eecad3 --- /dev/null +++ b/roles/ecloud-database/tasks/setup.yml @@ -0,0 +1,19 @@ +- name: Create necessary directories for mariadb and redis container + file: + path: "{{ item }}" + owner: root + group: root + state: directory + mode: '0755' + with_items: + - /ecloud/volumes/mysql/db + - /ecloud/config/nextcloud/database + - /ecloud/volumes/redis/db + +- name: Ensure mariadb Docker image is pulled + docker_image: + name: "{{ docker_image_mariadb }}" + +- name: Ensure redis Docker image is pulled + docker_image: + name: "{{ docker_image_redis }}" \ No newline at end of file diff --git a/roles/ecloud-database/tasks/start.yml b/roles/ecloud-database/tasks/start.yml new file mode 100644 index 0000000..1a676c3 --- /dev/null +++ b/roles/ecloud-database/tasks/start.yml @@ -0,0 +1,30 @@ +- name: Starting MariaDB container + docker_container: + name: mariadb + image: "{{ docker_image_mariadb }}" + restart_policy: always + restart: yes + state: started + networks: + - name: serverbase + env: + MYSQL_ROOT_PASSWORD: "{{ ecloud_mysql_root_password }}" + MYSQL_DATABASE: "{{ ecloud_postfix_database }}" + MYSQL_USER: "{{ ecloud_postfix_user }}" + MYSQL_PASSWORD: "{{ ecloud_database_password }}" + volumes: + - /ecloud/volumes/mysql/db:/var/lib/mysql + - /ecloud/config/nextcloud/database:/docker-entrypoint-initdb.d + +- name: Starting Redis container + docker_container: + name: redis + image: "{{ docker_image_redis }}" + restart_policy: always + restart: yes + state: started + networks: + - name: serverbase + command: redis-server --appendonly yes + volumes: + - /ecloud/volumes/redis/db:/data \ No newline at end of file diff --git a/roles/ecloud-database/tasks/stop.yml b/roles/ecloud-database/tasks/stop.yml new file mode 100644 index 0000000..2cea735 --- /dev/null +++ b/roles/ecloud-database/tasks/stop.yml 
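Review bot: The MariaDB task exposes `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` through `env` with no `no_log: true`, so the database root password lands in Ansible output and logs; add `no_log: true` to that task. The Redis container is started as `redis-server --appendonly yes` with no authentication, and because it sits on the shared `serverbase` network every other container in this play (mail, automx, onlyoffice, accounts) can read and write whatever Nextcloud caches there; start it with `--requirepass "{{ ecloud_redis_password }}"` or at least document the trust assumption with `# NOTE: unauthenticated; reachable by every container on serverbase`. Also worth a comment on the `/ecloud/config/nextcloud/database:/docker-entrypoint-initdb.d` mount: any `.sql`/`.sh` dropped into that host directory is executed with root privileges inside the database on first initialisation, so it must stay root-owned and unwritable by others.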
@@ -0,0 +1,9 @@ +- name: Stopping mariadb container + docker_container: + name: mariadb + state: stopped + +- name: Stopping redis container + docker_container: + name: redis + state: stopped \ No newline at end of file diff --git a/roles/ecloud-drive/defaults/main.yml b/roles/ecloud-drive/defaults/main.yml new file mode 100644 index 0000000..f3ba2c7 --- /dev/null +++ b/roles/ecloud-drive/defaults/main.yml @@ -0,0 +1 @@ +docker_image_nextcloud: "nextcloud:15.0.8" diff --git a/roles/ecloud-drive/tasks/main.yml b/roles/ecloud-drive/tasks/main.yml new file mode 100644 index 0000000..a6b41ee --- /dev/null +++ b/roles/ecloud-drive/tasks/main.yml @@ -0,0 +1,12 @@ +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup + +- import_tasks: "{{ role_path }}/tasks/start.yml" + tags: + - setup + - start + +- import_tasks: "{{ role_path }}/tasks/stop.yml" + tags: + - stop \ No newline at end of file diff --git a/roles/ecloud-drive/tasks/setup.yml b/roles/ecloud-drive/tasks/setup.yml new file mode 100644 index 0000000..923c2fc --- /dev/null +++ b/roles/ecloud-drive/tasks/setup.yml @@ -0,0 +1,24 @@ +- name: Create necessary directories for Nextcloud container + file: + path: "{{ item }}" + owner: www-data + group: www-data + state: directory + mode: '0755' + with_items: + - /ecloud/volumes/nextcloud + - /ecloud/volumes/nextcloud/html + - /ecloud/volumes/nextcloud/custom_apps + - /ecloud/volumes/nextcloud/config + - /ecloud/volumes/nextcloud/data + +- name: Copy Nextcloud configuration to server + template: + src: "{{ role_path }}/templates/config.j2" + dest: /ecloud/volumes/nextcloud/config/config.php + owner: www-data + group: www-data + +- name: Ensure Nextcloud Docker image is pulled + docker_image: + name: "{{ docker_image_nextcloud }}" \ No newline at end of file diff --git a/roles/ecloud-drive/tasks/start.yml b/roles/ecloud-drive/tasks/start.yml new file mode 100644 index 0000000..23ddc64 --- /dev/null +++ b/roles/ecloud-drive/tasks/start.yml 
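Review bot: The "Copy Nextcloud configuration to server" template writes `config.php` — which carries `mail_smtppassword` and `db_password` — with `owner`/`group` set but no `mode`, so it is created with the default umask (typically 0644) and is readable by every local user on the host; add `mode: '0640'` to the `template` task. The volume directories are likewise created at `0755`, which for `/ecloud/volumes/nextcloud/data` means any local account can traverse the user file store; `0750` is the safer default there (Nextcloud's own setup check is believed to warn on a world-readable data directory — confirm). The `owner: www-data` assumption also only holds if the host's www-data UID matches the one inside the `nextcloud:15.0.8` image; a comment such as `# host www-data must map to UID 33 used inside the image` would make that dependency explicit.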
@@ -0,0 +1,21 @@ +- name: Starting Nextcloud container + docker_container: + image: "{{ docker_image_nextcloud }}" + name: nextcloud + restart_policy: always + restart: yes + state: started + networks: + - name: serverbase + env: + MYSQL_DATABASE: "{{ ecloud_nextcloud_mysql_database }}" + MYSQL_USER: "{{ ecloud_nextcloud_mysql_user }}" + MYSQL_PASSWORD: "{{ ecloud_nextcloud_mysql_password }}" + MYSQL_HOST: mariadb + NEXTCLOUD_ADMIN_USER: "{{ ecloud_nextcloud_admin_user }}" + NEXTCLOUD_ADMIN_PASSWORD: "{{ ecloud_nextcloud_admin_password }}" + volumes: + - /ecloud/volumes/nextcloud/html:/var/www/html/ + - /ecloud/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/ + - /ecloud/volumes/nextcloud/config:/var/www/html/config/ + - /ecloud/volumes/nextcloud/data:/var/www/html/data/ \ No newline at end of file diff --git a/roles/ecloud-drive/tasks/stop.yml b/roles/ecloud-drive/tasks/stop.yml new file mode 100644 index 0000000..5978f45 --- /dev/null +++ b/roles/ecloud-drive/tasks/stop.yml @@ -0,0 +1,4 @@ +- name: Stopping nextcloud container + docker_container: + name: nextcloud + state: stopped \ No newline at end of file diff --git a/templates/nextcloud/config.php b/roles/ecloud-drive/templates/config.j2 similarity index 77% rename from templates/nextcloud/config.php rename to roles/ecloud-drive/templates/config.j2 index e1dcc92..5d643f9 100644 --- a/templates/nextcloud/config.php +++ b/roles/ecloud-drive/templates/config.j2 @@ -1,6 +1,6 @@ 'https://mail.@@@DOMAIN@@@/users/password-recover.php', + 'lost_password_link' => 'https://mail.{{ ecloud_domain }}/users/password-recover.php', 'htaccess.RewriteBase' => '/', 'memcache.local' => '\\OC\\Memcache\\APCu', 'apps_paths' => 
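Review bot: `NEXTCLOUD_ADMIN_PASSWORD` and `MYSQL_PASSWORD` are passed as plain `env` values with no `no_log: true` on the task, so they are echoed into Ansible's output and logs; add `no_log: true`. Setting `NEXTCLOUD_ADMIN_USER`/`NEXTCLOUD_ADMIN_PASSWORD` on the official image is also understood to trigger its own `occ maintenance:install` on first start, while the postinstall role runs `maintenance:install` again explicitly and the mounted `config.php` template sets `'installed' => false`; if both installers run, the second one fails with "already installed", so either drop the two admin env vars here or drop the explicit install — please confirm which path is intended and leave a comment on the survivor.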
@@ -20,21 +20,21 @@ $CONFIG = array ( ), 'trusted_domains' => array ( - 0 => '@@@DOMAIN@@@', + 0 => '{{ ecloud_domain }}', ), 'datadirectory' => '/var/www/html/data', - 'overwrite.cli.url' => 'https://@@@DOMAIN@@@', + 'overwrite.cli.url' => 'https://{{ ecloud_domain }}', 'overwriteprotocol' => 'https', 'mysql.utf8mb4' => true, 'maintenance' => true, 'mail_from_address' => 'drive', 'mail_smtpmode' => 'smtp', 'mail_smtpauthtype' => 'PLAIN', - 'mail_domain' => '@@@DOMAIN@@@', + 'mail_domain' => '{{ ecloud_domain }}', 'mail_smtpauth' => 1, - 'mail_smtphost' => 'mail.@@@DOMAIN@@@', - 'mail_smtpname' => 'drive@@@@DOMAIN@@@', - 'mail_smtppassword' => '@@@DRIVE_SMTP_PASSWORD@@@', + 'mail_smtphost' => 'mail.{{ ecloud_domain }}', + 'mail_smtpname' => 'drive@{{ ecloud_domain }}', + 'mail_smtppassword' => '{{ ecloud_drive_smtp_password }}', 'mail_smtpport' => '587', 'mail_smtpsecure' => 'tls', 'installed' => false, @@ -43,9 +43,9 @@ $CONFIG = array ( 'db_type' => 'mariadb', 'db_host' => 'mariadb', 'db_port' => '3306', - 'db_name' => 'postfix', - 'db_user' => 'postfix', - 'db_password' => '@@@PFDB_DBPASS@@@', + 'db_name' => '{{ ecloud_postfix_database }}', + 'db_user' => '{{ ecloud_postfix_user }}', + 'db_password' => '{{ ecloud_database_password }}', 'mariadb_charset' => 'utf8mb4', 'queries' => array ( diff --git a/roles/ecloud-mailserver/defaults/main.yml b/roles/ecloud-mailserver/defaults/main.yml new file mode 100644 index 0000000..d922756 --- /dev/null +++ b/roles/ecloud-mailserver/defaults/main.yml 
@@ -0,0 +1,7 @@ +docker_image_mailserver: "hardware/mailserver:1.1-stable" +docker_image_postfixadmin: "registry.gitlab.e.foundation:5000/e/infra/docker-postfixadmin:0.1.2" +docker_image_automx: "registry.gitlab.e.foundation:5000/e/infra/docker-mailstack:automx-0.1.0" + +automx_virtual_host: "{{ ecloud_all_domains | map('regex_replace','^','autoconfig.') | list | join(',') }},{{ ecloud_all_domains | map('regex_replace','^','autodiscover.') | list | join(',') }}" +enable_pop3: false +disable_ratelimiting: false \ No newline at end of file diff --git a/config-static/mail/dovecot/10-mail.conf b/roles/ecloud-mailserver/files/dovecot/10-mail.conf similarity index 100% rename from config-static/mail/dovecot/10-mail.conf rename to roles/ecloud-mailserver/files/dovecot/10-mail.conf diff --git a/config-static/mail/dovecot/90-quota.conf b/roles/ecloud-mailserver/files/dovecot/90-quota.conf similarity index 100% rename from config-static/mail/dovecot/90-quota.conf rename to roles/ecloud-mailserver/files/dovecot/90-quota.conf diff --git a/config-static/mail/dovecot/90-sieve.conf b/roles/ecloud-mailserver/files/dovecot/90-sieve.conf similarity index 100% rename from config-static/mail/dovecot/90-sieve.conf rename to roles/ecloud-mailserver/files/dovecot/90-sieve.conf diff --git a/roles/ecloud-mailserver/tasks/main.yml b/roles/ecloud-mailserver/tasks/main.yml new file mode 100644 index 0000000..a6b41ee --- /dev/null +++ b/roles/ecloud-mailserver/tasks/main.yml @@ -0,0 +1,12 @@ +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup + +- import_tasks: "{{ role_path }}/tasks/start.yml" + tags: + - setup + - start + +- import_tasks: "{{ role_path }}/tasks/stop.yml" + tags: + - stop \ No newline at end of file diff --git a/roles/ecloud-mailserver/tasks/setup.yml b/roles/ecloud-mailserver/tasks/setup.yml new file mode 100644 index 0000000..ddf5a6f --- /dev/null +++ b/roles/ecloud-mailserver/tasks/setup.yml 
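Review bot: `docker_image_mailserver: "hardware/mailserver:1.1-stable"` pins a third-party Docker Hub image by a tag that looks like a moving release branch rather than an immutable version, so the mail server (which holds the TLS keys and every mailbox) can silently change content between runs; pin it by digest, e.g. `hardware/mailserver:1.1-stable@sha256:<digest>`, and do the same for the two `registry.gitlab.e.foundation` images. A short comment noting when the digest was last bumped makes later upgrades auditable.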
@@ -0,0 +1,42 @@ +- name: Create necessary directories for mailserver container + file: + path: "{{ item }}" + owner: root + group: root + state: directory + mode: '0755' + with_items: + - /ecloud/volumes/mail + - /ecloud/config/mail/dovecot + - /ecloud/config/automx + +- name: Copy mailserver configuration to server + copy: + src: "{{ role_path }}/files/dovecot/" + dest: /ecloud/config/mail/dovecot + +- name: Copy automx configuration to server + template: + src: "{{ role_path }}/templates/automx.j2" + dest: /ecloud/config/automx/automx.conf + owner: www-data + group: www-data + +- name: Log into e-foundation private docker repository + docker_login: + registry: "{{ ecloud_gitlab_docker_repo }}" + username: "{{ ecloud_gitlab_docker_repo_user }}" + password: "{{ ecloud_gitlab_docker_repo_password }}" + reauthorize: yes + +- name: Ensure mailserver Docker image is pulled + docker_image: + name: "{{ docker_image_mailserver }}" + +- name: Ensure postfixadmin Docker image is pulled + docker_image: + name: "{{ docker_image_postfixadmin }}" + +- name: Ensure automx Docker image is pulled + docker_image: + name: "{{ docker_image_automx }}" \ No newline at end of file diff --git a/roles/ecloud-mailserver/tasks/start.yml b/roles/ecloud-mailserver/tasks/start.yml new file mode 100644 index 0000000..03b377b --- /dev/null +++ b/roles/ecloud-mailserver/tasks/start.yml 
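Review bot: `docker_login` with `reauthorize: yes` stores `ecloud_gitlab_docker_repo_password` on the managed host (Docker's credential store is `~/.docker/config.json`, base64 only, when no credential helper is configured) and nothing in this role removes it, so the registry credential outlives the pull it was needed for; add a `docker_login` task with `state: absent` for the same registry after the three `docker_image` pulls, and prefer a read-only deploy token over a user password for this purpose. The `copy` of the dovecot files and the `template` for `automx.conf` set no `mode`, so they inherit the default umask; add `mode: '0644'` explicitly so the intended permissions are visible rather than accidental.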
@@ -0,0 +1,66 @@ +- name: Starting mailserver container + docker_container: + image: "{{ docker_image_mailserver }}" + name: mailserver + domainname: "{{ ecloud_domain }}" # Mail server A/MX/FQDN & reverse PTR = mail.${DOMAIN}. + hostname: mail + restart_policy: always + restart: yes + state: started + networks: + - name: serverbase + ports: + - "25:25" # SMTP - Required + - "110:110" # POP3 STARTTLS - Optional - For webmails/desktop clients + - "143:143" # IMAP STARTTLS - Optional - For webmails/desktop clients + # - "465:465" # SMTPS SSL/TLS - Optional - Enabled for compatibility reason, otherwise disabled + - "587:587" # Submission STARTTLS - Optional - For webmails/desktop clients + - "993:993" # IMAPS SSL/TLS - Optional - For webmails/desktop clients + - "995:995" # POP3S SSL/TLS - Optional - For webmails/desktop clients + - "4190:4190" # SIEVE STARTTLS - Optional - Recommended for mail filtering + env: + DBPASS: "{{ ecloud_database_password }}" + RSPAMD_PASSWORD: "{{ ecloud_rspamd_password }}" + ADD_DOMAINS: "{{ ecloud_all_domains|join(',') }}" + ENABLE_POP3: "{{ enable_pop3 }}" + DISABLE_RATELIMITING: "{{ disable_ratelimiting }}" + RELAY_NETWORKS: 172.16.0.0/12 + volumes: + - /ecloud/volumes/mail:/var/mail + - /ecloud/config/letsencrypt/certstore:/etc/letsencrypt + - /ecloud/config/mail/dovecot/10-mail.conf:/etc/dovecot/conf.d/10-mail.conf + - /ecloud/config/mail/dovecot/90-quota.conf:/etc/dovecot/conf.d/90-quota.conf + - /ecloud/config/mail/dovecot/90-sieve.conf:/etc/dovecot/conf.d/90-sieve.conf + +- name: Starting postfixadmin container + docker_container: + image: "{{ docker_image_postfixadmin }}" + name: postfixadmin + domainname: "{{ ecloud_domain }}" + hostname: mail + restart_policy: always + restart: yes + state: started + networks: + - name: serverbase + env: + DBPASS: "{{ ecloud_database_password }}" + POSTFIXADMIN_SSH_PASSWORD: "{{ ecloud_postfix_admin_ssh_password }}" + +- name: Starting automx container + docker_container: + image: "{{ 
docker_image_automx }}" + name: automx + domainname: "{{ ecloud_domain }}" + hostname: automx + restart_policy: always + restart: yes + state: started + networks: + - name: serverbase + env: + VIRTUAL_HOST: "{{ automx_virtual_host }}" + DOMAIN: "{{ ecloud_domain }}" + HOSTNAME: automx + volumes: + - /ecloud/config/automx/automx.conf:/etc/automx.conf \ No newline at end of file diff --git a/roles/ecloud-mailserver/tasks/stop.yml b/roles/ecloud-mailserver/tasks/stop.yml new file mode 100644 index 0000000..91d71ac --- /dev/null +++ b/roles/ecloud-mailserver/tasks/stop.yml @@ -0,0 +1,14 @@ +- name: Stopping mailserver container + docker_container: + name: mailserver + state: stopped + +- name: Stopping postfixadmin container + docker_container: + name: postfixadmin + state: stopped + +- name: Stopping automx container + docker_container: + name: automx + state: stopped \ No newline at end of file diff --git a/templates/automx/automx.conf b/roles/ecloud-mailserver/templates/automx.j2 similarity index 91% rename from templates/automx/automx.conf rename to roles/ecloud-mailserver/templates/automx.j2 index 8c69952..7ae3166 100644 --- a/templates/automx/automx.conf +++ b/roles/ecloud-mailserver/templates/automx.j2 @@ -1,7 +1,7 @@ # file: /etc/automx.conf [automx] -provider = @@@DOMAIN@@@ +provider = {{ ecloud_domain }} domains = * #debug = yes @@ -37,7 +37,7 @@ action = settings #sign_key = /certs/autodiscover.eelo.io.key smtp = yes -smtp_server = mail.@@@DOMAIN@@@ +smtp_server = mail.{{ ecloud_domain }} smtp_port = 587 smtp_encryption = starttls smtp_auth = plaintext @@ -46,11 +46,11 @@ smtp_refresh_ttl = 6 smtp_default = yes imap = yes -imap_server = mail.@@@DOMAIN@@@ +imap_server = mail.{{ ecloud_domain }} imap_port = 993 imap_encryption = ssl imap_auth = plaintext imap_auth_identity = %s imap_refresh_ttl = 6 -pop = no +pop = no \ No newline at end of file 
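Review bot: `RELAY_NETWORKS: 172.16.0.0/12` whitelists the whole RFC1918 172.16/12 range for unauthenticated relaying, which covers every Docker network on this host (the default bridge and all user-defined ones, including the onlyoffice containers started in this play) rather than just the containers that need to send mail; give the `serverbase` network a fixed subnet via `ipam_config` in docker_setup.yml and set `RELAY_NETWORKS` to that one subnet, e.g. `RELAY_NETWORKS: "{{ ecloud_serverbase_subnet }}"`. The task also publishes `110:110` and `995:995` unconditionally even though `enable_pop3` defaults to `false`, so two unused plaintext/TLS listeners are exposed on all interfaces; make those two port mappings conditional on `enable_pop3`. As in the other roles, `DBPASS` and `RSPAMD_PASSWORD` go through `env` without `no_log: true`.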
diff --git a/roles/ecloud-onlyoffice/defaults/main.yml b/roles/ecloud-onlyoffice/defaults/main.yml new file mode 100644 index 0000000..42fad08 --- /dev/null +++ b/roles/ecloud-onlyoffice/defaults/main.yml @@ -0,0 +1,3 @@ +docker_image_onlyoffice_documentserver: "onlyoffice/documentserver:5.2.6.3" +docker_image_onlyoffice_mailserver: "onlyoffice/mailserver:1.6.35" +docker_image_onlyoffice_communityserver: "onlyoffice/communityserver:9.6.5.771" \ No newline at end of file diff --git a/roles/ecloud-onlyoffice/tasks/main.yml b/roles/ecloud-onlyoffice/tasks/main.yml new file mode 100644 index 0000000..17d961e --- /dev/null +++ b/roles/ecloud-onlyoffice/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/setup.yml" + when: ecloud_install_onlyoffice|bool + tags: + - setup + +- import_tasks: "{{ role_path }}/tasks/start.yml" + when: ecloud_install_onlyoffice|bool + tags: + - setup + - start + +- import_tasks: "{{ role_path }}/tasks/stop.yml" + when: ecloud_install_onlyoffice|bool + tags: + - stop \ No newline at end of file diff --git a/roles/ecloud-onlyoffice/tasks/setup.yml b/roles/ecloud-onlyoffice/tasks/setup.yml new file mode 100644 index 0000000..de055c6 --- /dev/null +++ b/roles/ecloud-onlyoffice/tasks/setup.yml 
@@ -0,0 +1,29 @@ +- name: Create necessary directories for onlyoffice containers + file: + path: "{{ item }}" + owner: root + group: root + state: directory + mode: '0755' + with_items: + - /ecloud/volumes/onlyoffice/DocumentServer/data + - /ecloud/volumes/onlyoffice/DocumentServer/logs + - /ecloud/volumes/onlyoffice/MailServer/data + - /ecloud/volumes/onlyoffice/MailServer/data/certs + - /ecloud/volumes/onlyoffice/MailServer/logs + - /ecloud/volumes/onlyoffice/MailServer/mysql + - /ecloud/volumes/onlyoffice/CommunityServer/data + - /ecloud/volumes/onlyoffice/CommunityServer/mysql + - /ecloud/volumes/onlyoffice/CommunityServer/logs + +- name: Ensure onlyoffice documentserver docker image is pulled + docker_image: + name: "{{ docker_image_onlyoffice_documentserver }}" + +- name: Ensure onlyoffice mailserver docker image is pulled + docker_image: + name: "{{ docker_image_onlyoffice_mailserver }}" + +- name: Ensure onlyoffice communityserver docker image is pulled + docker_image: + name: "{{ docker_image_onlyoffice_communityserver }}" \ No newline at end of file diff --git a/roles/ecloud-onlyoffice/tasks/start.yml b/roles/ecloud-onlyoffice/tasks/start.yml new file mode 100644 index 0000000..84a8587 --- /dev/null +++ b/roles/ecloud-onlyoffice/tasks/start.yml 
@@ -0,0 +1,48 @@ +- name: Starting onlyoffice documentserver container + docker_container: + image: "{{ docker_image_onlyoffice_documentserver }}" + name: onlyoffice-document-server + restart_policy: always + restart: yes + state: started + networks: + - name: serverbase + volumes: + - /ecloud/volumes/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data + - /ecloud/volumes/onlyoffice/DocumentServer/logs:/var/log/onlyoffice + +- name: Starting onlyoffice mailserver container + docker_container: + image: "{{ docker_image_onlyoffice_mailserver }}" + name: onlyoffice-mail-server + hostname: cleus.eu + restart_policy: always + restart: yes + state: started + networks: + - name: serverbase + volumes: + - /ecloud/volumes/onlyoffice/MailServer/data:/var/vmail + - /ecloud/volumes/onlyoffice/MailServer/data/certs:/etc/pki/tls/mailserver + - /ecloud/volumes/onlyoffice/MailServer/logs:/var/log + - /ecloud/volumes/onlyoffice/MailServer/mysql:/var/lib/mysql + +- name: Starting onlyoffice communityserver container + docker_container: + image: "{{ docker_image_onlyoffice_communityserver }}" + name: onlyoffice-community-server + restart_policy: always + restart: yes + state: started + networks: + - name: serverbase + env: + DOCUMENT_SERVER_PORT_80_TCP_ADDR: onlyoffice-document-server + MAIL_SERVER_DB_HOST: onlyoffice-mail-server + ports: + - 5222:5222 + volumes: + - /ecloud/volumes/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data + - /ecloud/volumes/onlyoffice/CommunityServer/mysql:/var/lib/mysql + - /ecloud/volumes/onlyoffice/CommunityServer/logs:/var/log/onlyoffice + - /ecloud/volumes/onlyoffice/DocumentServer/data:/var/www/onlyoffice/DocumentServerData \ No newline at end of file diff --git a/roles/ecloud-onlyoffice/tasks/stop.yml b/roles/ecloud-onlyoffice/tasks/stop.yml new file mode 100644 index 0000000..279c358 --- /dev/null +++ b/roles/ecloud-onlyoffice/tasks/stop.yml 
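Review bot: The onlyoffice mail-server task hard-codes `hostname: cleus.eu`, which looks like a leftover from another deployment rather than something derived from `ecloud_domain`; every other container in this patch uses `domainname: "{{ ecloud_domain }}"`, and a mail server presumably uses its hostname in HELO and bounce headers, so this should become `hostname: mail` plus `domainname: "{{ ecloud_domain }}"` (or a dedicated variable). `ports: - 5222:5222` publishes the community server's XMPP port on all host interfaces with no toggle and no firewall note; if chat is optional, guard it with a variable and document it with `# 5222: XMPP/Jabber chat, reachable from the Internet`.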
@@ -0,0 +1,14 @@ +- name: Stopping onlyoffice-document-server container + docker_container: + name: onlyoffice-document-server + state: stopped + +- name: Stopping onlyoffice-mail-server container + docker_container: + name: onlyoffice-mail-server + state: stopped + +- name: Stopping onlyoffice-community-server container + docker_container: + name: onlyoffice-community-server + state: stopped \ No newline at end of file diff --git a/templates/rainloop/domain-config.ini b/roles/ecloud-postinstall/files/domain-config.ini similarity index 100% rename from templates/rainloop/domain-config.ini rename to roles/ecloud-postinstall/files/domain-config.ini diff --git a/roles/ecloud-postinstall/tasks/admin_credentials.yml b/roles/ecloud-postinstall/tasks/admin_credentials.yml new file mode 100644 index 0000000..fe81780 --- /dev/null +++ b/roles/ecloud-postinstall/tasks/admin_credentials.yml 
@@ -0,0 +1,21 @@ +- name: Gathering Administration credentials for ecloud server + shell: | + SPAM_UI=$(grep server_name $(grep -l mailserver:11334 /ecloud/config/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') + RSPAMD_PASSWORD="{{ ecloud_rspamd_password }}" + + NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:80 /ecloud/config/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') + NEXTCLOUD_ADMIN_USER="{{ ecloud_nextcloud_admin_user }}" + NEXTCLOUD_ADMIN_PASSWORD="{{ ecloud_nextcloud_admin_password }}" + + POSTFIX_UI=$(grep server_name $(grep -l postfixadmin:8888 /ecloud/config/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') + POSTFIX_USER="{{ user_alternate_email_for_signup }}" + POSTFIX_PASSWORD="{{ ecloud_postfix_superadmin_password }}" + + echo "Your password for the SPAM filter mgmt UI ( https://$SPAM_UI ) is $RSPAMD_PASSWORD" + echo "Your admin credentials for nextcloud are ( https://$NEXTCLOUD_UI ) is $NEXTCLOUD_ADMIN_USER / $NEXTCLOUD_ADMIN_PASSWORD" + echo "Your credentials for postfix admin ( https://$POSTFIX_UI ) are $POSTFIX_USER / $POSTFIX_PASSWORD" + register: admininfo + +- name: "===============================<---Important! Admin Credentials for ecloud server--->====================================" + debug: + msg: "{{ admininfo.stdout.split('\n') }}" \ No newline at end of file diff --git a/roles/ecloud-postinstall/tasks/dkim_record.yml b/roles/ecloud-postinstall/tasks/dkim_record.yml new file mode 100644 index 0000000..e2aca16 --- /dev/null +++ b/roles/ecloud-postinstall/tasks/dkim_record.yml 
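Review bot: "Gathering Administration credentials" renders the rspamd, Nextcloud admin and PostfixAdmin passwords into a shell script and then `debug`s them, so all three land in the play output, in any `log_path`, in CI logs and in the temporary script Ansible copies to the host; at a minimum put `no_log: true` on the `shell` task, and preferably write the summary to a root-only file (`copy` with `content:` and `mode: '0600'` to e.g. `/root/ecloud-credentials.txt`) and print only that path. The `grep -l mailserver:11334 /ecloud/config/nginx/sites-enabled/*.conf` lookups depend on an nginx role whose files are not part of this patch, so if that glob matches nothing the `grep` reads stdin and the task hangs or prints empty URLs; guard it with `changed_when: false` and a fallback such as `SPAM_UI=${SPAM_UI:-spam.{{ ecloud_domain }}}`.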
@@ -0,0 +1,10 @@ +- name: Gathering DKIM record for domain + shell: | + # display DKIM DNS setup info/instructions to the user + echo "Please add the following records to your domain's DNS configuration:" + find /ecloud/volumes/mail/dkim/ -maxdepth 1 -mindepth 1 -type d | while read line; do DOMAIN=$(basename $line); echo " - DKIM record (TXT) for $DOMAIN:" && cat $line/public.key; done + register: dkimrecordinfo + +- name: "===============================< DKIM Record for Domain >====================================" + debug: + msg: "{{ dkimrecordinfo.stdout.split('\n') }}" \ No newline at end of file diff --git a/roles/ecloud-postinstall/tasks/generate_signup_link.yml b/roles/ecloud-postinstall/tasks/generate_signup_link.yml new file mode 100644 index 0000000..7e3c328 --- /dev/null +++ b/roles/ecloud-postinstall/tasks/generate_signup_link.yml @@ -0,0 +1,18 @@ +- name: Generating new user signup link for ecloud server + shell: | + touch /ecloud/volumes/accounts/auth.file.done + ACCOUNTS_UID=$(docker exec --user www-data accounts id -u | tr -d '\r') + chown "$ACCOUNTS_UID:$ACCOUNTS_UID" /ecloud/volumes/accounts/auth.file.done + + AUTH_SECRET=$(tr -d -c "a-zA-Z0-9" < /dev/urandom | head -c 16) + echo "{{ new_user_email }}:$AUTH_SECRET" >> /ecloud/volumes/accounts/auth.file + SIGNUP_URL="https://welcome.{{ ecloud_domain }}/?authmail={{ new_user_email }}&authsecret=$AUTH_SECRET" + echo "The new user can sign up now at $SIGNUP_URL" + + #send mail to user with signup link + echo "You can now sign up for your {{ ecloud_domain }} account at $SIGNUP_URL" | docker exec -i mailserver sendmail -f "drive@{{ ecloud_domain }}" -t "{{ new_user_email }}" -s "Signup for {{ ecloud_domain }}" + register: newuserinfo + +- name: "===============================<---New User Sign Up Link--->====================================" + debug: + msg: "{{ newuserinfo.stdout.split('\n') }}" \ No newline at end of file 
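Review bot: In generate_signup_link.yml the one-time `AUTH_SECRET` is appended to `/ecloud/volumes/accounts/auth.file` with `>>`, which creates the file under the shell's default umask (normally 0644), so any local user can read every pending signup secret; create the file once with `install -m 0640 -o "$ACCOUNTS_UID" /dev/null /ecloud/volumes/accounts/auth.file` before appending (the `chown` you already apply to `auth.file.done` is never applied to `auth.file` itself). The same secret is then echoed into the play output via `debug`, so the task should also carry `no_log: true` if the link is already being e-mailed. The mail pipeline looks doubtful: Postfix's `sendmail -t` takes recipients from message headers, but the piped body carries no `To:`/`Subject:` headers, and `-s` is not an option I can find in Postfix's sendmail — please verify a message is actually delivered, or feed `printf 'To: %s\nSubject: Signup for %s\n\n%s\n'` into `sendmail -t` instead.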
diff --git a/roles/ecloud-postinstall/tasks/main.yml b/roles/ecloud-postinstall/tasks/main.yml new file mode 100644 index 0000000..3517133 --- /dev/null +++ b/roles/ecloud-postinstall/tasks/main.yml @@ -0,0 +1,34 @@ +- import_tasks: "{{ role_path }}/tasks/nextcloud.yml" + tags: + - setup + +- import_tasks: "{{ role_path }}/tasks/rainloop.yml" + tags: + - setup + +- import_tasks: "{{ role_path }}/tasks/postfixadmin.yml" + tags: + - setup + +- import_tasks: "{{ role_path }}/tasks/dkim_record.yml" + tags: + - setup + - dkim_record + +- import_tasks: "{{ role_path }}/tasks/admin_credentials.yml" + tags: + - setup + - admin_credentials + +- import_tasks: "{{ role_path }}/tasks/generate_signup_link.yml" + vars: + new_user_email: "{{ user_alternate_email_for_signup }}" + tags: + - setup + - generate_signup_link + +- name: "===============================< Success!!! Important Instructions!! >====================================" + debug: + msg: "Please note the DKIM DNS record for domain, Admin Credentials for the ecloud server and New user Sign Up link from the output of the previous tasks. Click on the sign up link to create your first e-cloud account! Enjoy!" + tags: + - setup \ No newline at end of file diff --git a/roles/ecloud-postinstall/tasks/nextcloud.yml b/roles/ecloud-postinstall/tasks/nextcloud.yml new file mode 100644 index 0000000..402d78c --- /dev/null +++ b/roles/ecloud-postinstall/tasks/nextcloud.yml 
@@ -0,0 +1,39 @@ +- name: Create Nextcloud mysql database and user + shell: | + docker exec mariadb mysql --user=root --password="{{ ecloud_mysql_root_password }}" \ + -e "CREATE USER '{{ ecloud_nextcloud_mysql_user }}'@'%' IDENTIFIED BY '{{ ecloud_nextcloud_mysql_password }}';" + docker exec mariadb mysql --user=root --password="{{ ecloud_mysql_root_password }}" \ + -e "CREATE DATABASE {{ ecloud_nextcloud_mysql_database }} DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;" + docker exec mariadb mysql --user=root --password="{{ ecloud_mysql_root_password }}" \ + -e "GRANT ALL PRIVILEGES ON {{ ecloud_nextcloud_mysql_database }}.* TO '{{ ecloud_nextcloud_mysql_user }}'@'%' WITH GRANT OPTION;" + +- name: Install Nextcloud + shell: | + docker exec --user www-data nextcloud php occ maintenance:install \ + --admin-user="{{ ecloud_nextcloud_admin_user }}" --admin-pass="{{ ecloud_nextcloud_admin_password }}" \ + --admin-email="{{ user_alternate_email_for_signup }}" --database="mysql" --database-pass="{{ ecloud_nextcloud_mysql_password }}" \ + --database-name="{{ ecloud_nextcloud_mysql_database }}" --database-host="mariadb" --database-user="{{ ecloud_nextcloud_mysql_user }}" \ + --database-port="3306" --database-table-prefix="" + +- name: Configure Nextcloud + shell: | + docker exec --user www-data nextcloud php occ db:convert-filecache-bigint --no-interaction + docker exec --user www-data nextcloud php occ config:system:set trusted_domains 0 --value="{{ ecloud_domain }}" + +- name: Install Nextcloud Plugins + shell: | + docker exec --user www-data nextcloud php /var/www/html/occ app:install calendar + docker exec --user www-data nextcloud php /var/www/html/occ app:install tasks + docker exec --user www-data nextcloud php /var/www/html/occ app:install notes + docker exec --user www-data nextcloud php /var/www/html/occ app:install user_backend_sql_raw + docker exec --user www-data nextcloud php /var/www/html/occ app:install rainloop + docker exec --user www-data 
nextcloud php /var/www/html/occ config:app:set rainloop rainloop-autologin --value 1 + +- name: Install Nextcloud theme + shell: | + wget "https://gitlab.e.foundation/api/v4/projects/315/repository/archive.tar.gz?private_token=qV5kExhz6mDY5QET8z56" -O "/tmp/nextcloud-theme.tar.gz" + tar -xzf "/tmp/nextcloud-theme.tar.gz" -C "/ecloud/volumes/nextcloud/html/themes/" --strip-components=1 + chown www-data:www-data "/ecloud/volumes/nextcloud/html/themes/" -R + rm "/tmp/nextcloud-theme.tar.gz" + docker exec --user www-data nextcloud php /var/www/html/occ config:system:set theme --value eelo + docker exec --user www-data nextcloud php occ maintenance:mode --off \ No newline at end of file diff --git a/roles/ecloud-postinstall/tasks/postfixadmin.yml b/roles/ecloud-postinstall/tasks/postfixadmin.yml new file mode 100644 index 0000000..8bd3851 --- /dev/null +++ b/roles/ecloud-postinstall/tasks/postfixadmin.yml 
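Review bot: The `private_token=` query parameter on the theme `wget` line is a GitLab API credential committed in clear text (it was also present in the deleted scripts/postinstall.sh); it should be treated as exposed and revoked, and the replacement supplied from a vaulted variable, e.g. `wget "https://gitlab.e.foundation/api/v4/projects/315/repository/archive.tar.gz?private_token={{ ecloud_gitlab_private_token }}" -O "/tmp/nextcloud-theme.tar.gz"` with `no_log: true` on that task. The same applies to the three `mysql --password=...` invocations and the `occ maintenance:install --admin-pass=...` line: the secrets travel on a process command line on the host and are returned in the task's `cmd` field on failure or with `-v`, so those tasks need `no_log: true` too (`MYSQL_PWD` in the container environment would keep the root password off the command line). `WITH GRANT OPTION` on the `GRANT ALL PRIVILEGES` line is more than the Nextcloud database user needs and can be dropped. None of these `shell` tasks is idempotent — rerunning with the `setup` tag fails at `CREATE USER` — which is worth a comment at the top of the file.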
@@ -0,0 +1,13 @@ +- name: Create postfix database schema + uri: + url: https://mail.{{ ecloud_domain }}/setup.php + follow_redirects: all + +- name: Configure postfixadmin for first use + shell: | + docker exec postfixadmin /postfixadmin/scripts/postfixadmin-cli admin add "{{ user_alternate_email_for_signup }}" --password "{{ ecloud_postfix_superadmin_password }}" --password2 "{{ ecloud_postfix_superadmin_password }}" --superadmin + # Adding domains to postfixadmin + echo "{{ ecloud_all_domains|join(',') }}" | tr "," "\n" | while read line; do docker exec -t postfixadmin /postfixadmin/scripts/postfixadmin-cli domain add $line; done + # Adding email accounts used by system senders (drive, welcome, ...) + docker exec postfixadmin /postfixadmin/scripts/postfixadmin-cli mailbox add drive@"{{ ecloud_domain }}" --password "{{ ecloud_drive_smtp_password }}" --password2 "{{ ecloud_drive_smtp_password }}" --name "drive" --email-other "{{ user_alternate_email_for_signup }}" + docker exec postfixadmin /postfixadmin/scripts/postfixadmin-cli mailbox add welcome@"{{ ecloud_domain }}" --password "{{ ecloud_smtp_password }}" --password2 "{{ ecloud_smtp_password }}" --name "welcome" --email-other "{{ user_alternate_email_for_signup }}" \ No newline at end of file diff --git a/roles/ecloud-postinstall/tasks/rainloop.yml b/roles/ecloud-postinstall/tasks/rainloop.yml new file mode 100644 index 0000000..b085771 --- /dev/null +++ b/roles/ecloud-postinstall/tasks/rainloop.yml 
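Review bot: The superadmin and mailbox passwords on the `postfixadmin-cli admin add` and two `mailbox add` lines are passed as command-line arguments, so they are visible in the host's process list while the command runs and are echoed back in the task's `cmd` field on failure or in verbose mode; add `no_log: true` to the `Configure postfixadmin for first use` task. The `uri` call to `setup.php` bootstraps the schema over the public hostname — if the postfixadmin image leaves `setup.php` reachable afterwards, a follow-up task should disable it (the hunk does not show how the container handles that). The `echo ... | tr "," "\n" | while read line` domain loop could be a separate task with `loop: "{{ ecloud_all_domains }}"` and `{{ item | quote }}`, which also removes the unquoted `$line`.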
@@ -0,0 +1,23 @@ +- name: Create necessary directories for rainloop + file: + path: /ecloud/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains + owner: www-data + group: www-data + state: directory + mode: '0755' + +- name: Copy rainloop configuration to server + copy: + src: "{{ role_path }}/files/domain-config.ini" + dest: "/ecloud/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains/{{ item }}.ini" + owner: www-data + group: www-data + with_items: "{{ ecloud_all_domains }}" + +- name: Ensure nextcloud and rainloop has right permissiosn + file: + path: /ecloud/volumes/nextcloud + state: directory + recurse: yes + owner: www-data + group: www-data \ No newline at end of file diff --git a/roles/ecloud-webserver/defaults/main.yml b/roles/ecloud-webserver/defaults/main.yml new file mode 100644 index 0000000..23b2814 --- /dev/null +++ b/roles/ecloud-webserver/defaults/main.yml @@ -0,0 +1 @@ +docker_image_nginx: "registry.gitlab.e.foundation:5000/e/infra/docker-nginx:1.15" \ No newline at end of file diff --git a/config-static/nginx/params/headers_params b/roles/ecloud-webserver/files/params/headers_params similarity index 100% rename from config-static/nginx/params/headers_params rename to roles/ecloud-webserver/files/params/headers_params diff --git a/config-static/nginx/params/proxy_params b/roles/ecloud-webserver/files/params/proxy_params similarity index 100% rename from config-static/nginx/params/proxy_params rename to roles/ecloud-webserver/files/params/proxy_params diff --git a/config-static/nginx/params/ssl_params b/roles/ecloud-webserver/files/params/ssl_params similarity index 100% rename from config-static/nginx/params/ssl_params rename to roles/ecloud-webserver/files/params/ssl_params diff --git a/roles/ecloud-webserver/tasks/main.yml b/roles/ecloud-webserver/tasks/main.yml new file mode 100644 index 0000000..a6b41ee --- /dev/null +++ b/roles/ecloud-webserver/tasks/main.yml 
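Review bot: The `Ensure nextcloud and rainloop has right permissiosn` task recursively chowns all of `/ecloud/volumes/nextcloud` to `www-data` on every run, including `html/` and `config/`, which makes the entire web root and its configuration writable by the PHP worker user and is slow on a large data volume. Narrow `path` to `/ecloud/volumes/nextcloud/data/rainloop-storage`, the directory this role actually populates, and fix the typo in the task name. The `copy` of `{{ item }}.ini` sets `owner`/`group` but no `mode`, so the files take whatever the umask gives; an explicit `mode: '0640'` keeps that deterministic.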
@@ -0,0 +1,12 @@ +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup + +- import_tasks: "{{ role_path }}/tasks/start.yml" + tags: + - setup + - start + +- import_tasks: "{{ role_path }}/tasks/stop.yml" + tags: + - stop \ No newline at end of file diff --git a/roles/ecloud-webserver/tasks/setup.yml b/roles/ecloud-webserver/tasks/setup.yml new file mode 100644 index 0000000..27c2a75 --- /dev/null +++ b/roles/ecloud-webserver/tasks/setup.yml 
@@ -0,0 +1,64 @@ +- name: Create necessary directories for nginx webserver container + file: + path: "{{ item }}" + owner: root + group: root + state: directory + mode: '0755' + with_items: + - /ecloud/config/nginx + - /ecloud/config/nginx/params + - /ecloud/config/nginx/passwds + - /ecloud/config/nginx/sites-enabled + +- name: Copy nginx configuration to server + copy: + src: "{{ role_path }}/files/params/" + dest: /ecloud/config/nginx/params + +- name: Copy autoconfig nginx configuration to server + template: + src: "{{ role_path }}/templates/autoconfig.j2" + dest: "/ecloud/config/nginx/sites-enabled/autoconfig.{{ item }}.conf" + owner: root + group: root + with_items: "{{ ecloud_all_domains }}" + +- name: Copy autodiscover nginx configuration to server + template: + src: "{{ role_path }}/templates/autodiscover.j2" + dest: "/ecloud/config/nginx/sites-enabled/autodiscover.{{ item }}.conf" + owner: root + group: root + with_items: "{{ ecloud_all_domains }}" + +- name: Copy onlyoffice nginx configuration to server + template: + src: "{{ role_path }}/templates/onlyoffice.j2" + dest: "/ecloud/config/nginx/sites-enabled/onlyoffice.conf" + owner: root + group: root + when: ecloud_install_onlyoffice|bool + +- name: Copy other nginx configuration to server + template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "/ecloud/config/nginx/sites-enabled/{{ item }}.conf" + owner: root + group: root + with_items: + - nextcloud + - postfixadmin + - rspamd + - welcome + +- name: Log into e-foundation private docker repository + docker_login: + registry: "{{ ecloud_gitlab_docker_repo }}" + username: "{{ ecloud_gitlab_docker_repo_user }}" + password: "{{ ecloud_gitlab_docker_repo_password }}" + reauthorize: yes + +- name: Ensure nginx webserver Docker image is pulled + docker_image: + name: "{{ docker_image_nginx }}" \ No newline at end of file 
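Review bot: `docker_login` with `reauthorize: yes` stores the registry credentials in the Docker client config on the managed host (clear text unless a credential helper is configured) and nothing in this role logs out after the pull, so `ecloud_gitlab_docker_repo_password` persists on every deployed server. Add a task after `Ensure nginx webserver Docker image is pulled` such as `docker_login: registry: "{{ ecloud_gitlab_docker_repo }}"` with `state: absent`, or use a read-only pull token scoped to that registry. The `copy` of `params/` and the four template tasks set no `mode`, so the nginx configuration files inherit the umask; `mode: '0644'` makes that explicit, and `/ecloud/config/nginx/passwds` (which will hold htpasswd files) is created `0755` — `0750` is the safer default.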
diff --git a/roles/ecloud-webserver/tasks/start.yml b/roles/ecloud-webserver/tasks/start.yml new file mode 100644 index 0000000..ed2e128 --- /dev/null +++ b/roles/ecloud-webserver/tasks/start.yml @@ -0,0 +1,18 @@ +- name: Starting nginx webserver container + docker_container: + image: "{{ docker_image_nginx }}" + name: nginx + restart_policy: always + restart: yes + state: started + networks: + - name: serverbase + ports: + - "80:8000" + - "443:4430" + volumes: + - /ecloud/config/nginx/sites-enabled:/etc/nginx/conf.d/ + - /ecloud/config/nginx/params:/etc/nginx/params/ + - /ecloud/config/nginx/passwds:/passwds + - /ecloud/config/letsencrypt/certstore:/certs + - /ecloud/config/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge \ No newline at end of file diff --git a/roles/ecloud-webserver/tasks/stop.yml b/roles/ecloud-webserver/tasks/stop.yml new file mode 100644 index 0000000..386487d --- /dev/null +++ b/roles/ecloud-webserver/tasks/stop.yml @@ -0,0 +1,4 @@ +- name: Stopping nginx container + docker_container: + name: nginx + state: stopped \ No newline at end of file diff --git a/templates/nginx/sites-enabled/autoconfig.conf b/roles/ecloud-webserver/templates/autoconfig.j2 similarity index 73% rename from templates/nginx/sites-enabled/autoconfig.conf rename to roles/ecloud-webserver/templates/autoconfig.j2 index b203a0b..bacd98c 100644 --- a/templates/nginx/sites-enabled/autoconfig.conf +++ b/roles/ecloud-webserver/templates/autoconfig.j2 @@ -1,6 +1,6 @@ server { listen 8000; - server_name @@@SERVICE@@@.@@@DOMAIN@@@; + server_name autoconfig.{{ item }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } 
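Review bot: Every bind mount in the `volumes` list is read-write, including `/ecloud/config/letsencrypt/certstore:/certs`, which holds the private keys for all vhosts; nginx only reads these paths, so a compromised nginx process could otherwise modify the site configs, htpasswd files or key material. Append `:ro` to the mounts (the acme-challenge mount too, assuming the renewal job writes challenge files from another container, which the hunk does not show). Binding `80:8000` and `443:4430` on all interfaces is expected for the public web server.

```yaml
    volumes:
      - /ecloud/config/nginx/sites-enabled:/etc/nginx/conf.d/:ro
      - /ecloud/config/nginx/params:/etc/nginx/params/:ro
      - /ecloud/config/nginx/passwds:/passwds:ro
      - /ecloud/config/letsencrypt/certstore:/certs:ro
      - /ecloud/config/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge:ro
```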
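Review bot: `{{ item }}` from `ecloud_all_domains` goes straight into `server_name autoconfig.{{ item }}` and, in the following hunk, into the `ssl_certificate` paths, whereas the deleted scripts/init-repo.sh ran every domain through `validateDomains` (a hostname regex) before templating; this role has no equivalent that I can see. Add an `assert` over `ecloud_all_domains` before the template tasks, e.g. `that: item is match('^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\\.)+[a-zA-Z]{2,}$')`, so a stray `;`, space or `/` in a domain cannot yield a broken or unexpected nginx config. The enclosing `server` block continues past the hunk.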
@@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name @@@SERVICE@@@.@@@DOMAIN@@@; + server_name autoconfig.{{ item }}; - ssl_certificate /certs/live/@@@SERVICE@@@.@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/@@@SERVICE@@@.@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/autoconfig.{{ item }}/fullchain.pem; + ssl_certificate_key /certs/live/autoconfig.{{ item }}/privkey.pem; include /etc/nginx/params/ssl_params; include /etc/nginx/params/headers_params; diff --git a/roles/ecloud-webserver/templates/autodiscover.j2 b/roles/ecloud-webserver/templates/autodiscover.j2 new file mode 100644 index 0000000..3057b40 --- /dev/null +++ b/roles/ecloud-webserver/templates/autodiscover.j2 @@ -0,0 +1,32 @@ +server { + listen 8000; + server_name autodiscover.{{ item }}; + location /.well-known/acme-challenge/ { + alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; + } + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 4430 ssl http2; + server_name autodiscover.{{ item }}; + + ssl_certificate /certs/live/autodiscover.{{ item }}/fullchain.pem; + ssl_certificate_key /certs/live/autodiscover.{{ item }}/privkey.pem; + + include /etc/nginx/params/ssl_params; + include /etc/nginx/params/headers_params; + + #add_header Strict-Transport-Security "max-age=;"; + #client_max_body_size M; + + #auth_basic "Who's this?"; + #auth_basic_user_file /passwds/.htpasswd; + + location / { + proxy_pass http://automx:80; + include /etc/nginx/params/proxy_params; + } +} diff --git a/templates/nginx/sites-enabled/nextcloud.conf b/roles/ecloud-webserver/templates/nextcloud.j2 similarity index 83% rename from templates/nginx/sites-enabled/nextcloud.conf rename to roles/ecloud-webserver/templates/nextcloud.j2 index 53a940d..27dcb69 100644 --- a/templates/nginx/sites-enabled/nextcloud.conf +++ b/roles/ecloud-webserver/templates/nextcloud.j2 
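Review bot: The four commented-out directives in the new autodiscover.j2 — `#add_header Strict-Transport-Security "max-age=;"`, `#client_max_body_size M;`, `#auth_basic` and `#auth_basic_user_file` — are unfilled placeholders copied into a new file; they document nothing and the HSTS one has an empty `max-age`. Either drop them or set them deliberately: if `headers_params` does not already emit HSTS, `add_header Strict-Transport-Security "max-age=31536000" always;` belongs here, since the port-8000 block redirects all plain HTTP to TLS. `proxy_pass http://automx:80` is plain HTTP to the backend, acceptable on the private `serverbase` network but worth a one-line comment stating that nginx is the TLS boundary.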
@@ -1,6 +1,6 @@ server { listen 8000; - server_name @@@DOMAIN@@@; + server_name {{ ecloud_domain }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } @@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name @@@DOMAIN@@@; + server_name {{ ecloud_domain }}; - ssl_certificate /certs/live/@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/{{ ecloud_domain }}/fullchain.pem; + ssl_certificate_key /certs/live/{{ ecloud_domain }}/privkey.pem; include /etc/nginx/params/ssl_params; # Nextcloud already sets these headers, the include would just duplicate them diff --git a/templates/nginx/sites-enabled/onlyoffice.conf b/roles/ecloud-webserver/templates/onlyoffice.j2 similarity index 84% rename from templates/nginx/sites-enabled/onlyoffice.conf rename to roles/ecloud-webserver/templates/onlyoffice.j2 index 25d7059..b9c7960 100644 --- a/templates/nginx/sites-enabled/onlyoffice.conf +++ b/roles/ecloud-webserver/templates/onlyoffice.j2 @@ -1,6 +1,6 @@ server { listen 8000; - server_name office.@@@DOMAIN@@@; + server_name office.{{ ecloud_domain }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } @@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name office.@@@DOMAIN@@@; + server_name office.{{ ecloud_domain }}; - ssl_certificate /certs/live/office.@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/office.@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/office.{{ ecloud_domain }}/fullchain.pem; + ssl_certificate_key /certs/live/office.{{ ecloud_domain }}/privkey.pem; include /etc/nginx/params/ssl_params; include /etc/nginx/params/headers_params; 
diff --git a/templates/nginx/sites-enabled/postfixadmin.conf b/roles/ecloud-webserver/templates/postfixadmin.j2 similarity index 74% rename from templates/nginx/sites-enabled/postfixadmin.conf rename to roles/ecloud-webserver/templates/postfixadmin.j2 index 714bef3..1251f75 100644 --- a/templates/nginx/sites-enabled/postfixadmin.conf +++ b/roles/ecloud-webserver/templates/postfixadmin.j2 @@ -1,6 +1,6 @@ server { listen 8000; - server_name mail.@@@DOMAIN@@@; + server_name mail.{{ ecloud_domain }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } @@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name mail.@@@DOMAIN@@@; + server_name mail.{{ ecloud_domain }}; - ssl_certificate /certs/live/mail.@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/mail.@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/mail.{{ ecloud_domain }}/fullchain.pem; + ssl_certificate_key /certs/live/mail.{{ ecloud_domain }}/privkey.pem; include /etc/nginx/params/ssl_params; include /etc/nginx/params/headers_params; diff --git a/templates/nginx/sites-enabled/rspamd.conf b/roles/ecloud-webserver/templates/rspamd.j2 similarity index 74% rename from templates/nginx/sites-enabled/rspamd.conf rename to roles/ecloud-webserver/templates/rspamd.j2 index fc722b9..4a9f85b 100644 --- a/templates/nginx/sites-enabled/rspamd.conf +++ b/roles/ecloud-webserver/templates/rspamd.j2 @@ -1,6 +1,6 @@ server { listen 8000; - server_name spam.@@@DOMAIN@@@; + server_name spam.{{ ecloud_domain }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } 
@@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name spam.@@@DOMAIN@@@; + server_name spam.{{ ecloud_domain }}; - ssl_certificate /certs/live/spam.@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/spam.@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/spam.{{ ecloud_domain }}/fullchain.pem; + ssl_certificate_key /certs/live/spam.{{ ecloud_domain }}/privkey.pem; include /etc/nginx/params/ssl_params; include /etc/nginx/params/headers_params; diff --git a/templates/nginx/sites-enabled/welcome.conf b/roles/ecloud-webserver/templates/welcome.j2 similarity index 73% rename from templates/nginx/sites-enabled/welcome.conf rename to roles/ecloud-webserver/templates/welcome.j2 index 832adb8..68bf2e5 100644 --- a/templates/nginx/sites-enabled/welcome.conf +++ b/roles/ecloud-webserver/templates/welcome.j2 @@ -1,6 +1,6 @@ server { listen 8000; - server_name welcome.@@@DOMAIN@@@; + server_name welcome.{{ ecloud_domain }}; location /.well-known/acme-challenge/ { alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; } @@ -11,10 +11,10 @@ server { server { listen 4430 ssl http2; - server_name welcome.@@@DOMAIN@@@; + server_name welcome.{{ ecloud_domain }}; - ssl_certificate /certs/live/welcome.@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/welcome.@@@DOMAIN@@@/privkey.pem; + ssl_certificate /certs/live/welcome.{{ ecloud_domain }}/fullchain.pem; + ssl_certificate_key /certs/live/welcome.{{ ecloud_domain }}/privkey.pem; include /etc/nginx/params/ssl_params; include /etc/nginx/params/headers_params; diff --git a/scripts/base.sh b/scripts/base.sh deleted file mode 100755 index f447bb8..0000000 --- a/scripts/base.sh +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash -# No set -e, because that would close the ssh connection if we source base.sh -# into an interactive shell. - -cd "/mnt/repo-base/" - -ENVFILE="/mnt/repo-base/.env" - -DOMAIN=$(grep ^DOMAIN= "$ENVFILE" | awk -F= '{ print $NF }') -ADD_DOMAINS=$(grep ^ADD_DOMAINS= "$ENVFILE" | awk -F= '{ print $NF }') -ALT_EMAIL=$(grep ^ALT_EMAIL= "$ENVFILE" | awk -F= '{ print $NF }') - -DBA_USER=$(grep ^DBA_USER= "$ENVFILE" | awk -F= '{ print $NF }') -DBA_PASSWORD=$(grep ^DBA_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') - -NEXTCLOUD_ADMIN_USER=$(grep ^NEXTCLOUD_ADMIN_USER= "$ENVFILE" | awk -F= '{ print $NF }') -NEXTCLOUD_ADMIN_PASSWORD=$(grep ^NEXTCLOUD_ADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') - -MYSQL_DATABASE_NC=$(grep ^MYSQL_DATABASE_NC= "$ENVFILE" | awk -F= '{ print $NF }') -MYSQL_USER_NC=$(grep ^MYSQL_USER_NC= "$ENVFILE" | awk -F= '{ print $NF }') -MYSQL_PASSWORD_NC=$(grep ^MYSQL_PASSWORD_NC= "$ENVFILE" | awk -F= '{ print $NF }') -MYSQL_ROOT_PASSWORD=$(grep ^MYSQL_ROOT_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') - -INSTALL_ONLYOFFICE=$(grep ^INSTALL_ONLYOFFICE= "$ENVFILE" | awk -F= '{ print $NF }') - -DRIVE_SMTP_PASSWORD=$(grep ^DRIVE_SMTP_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') - -PFA_SUPERADMIN_PASSWORD=$(grep ^PFA_SUPERADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') - -PFDB_DB=$(grep ^PFDB_DB= "$ENVFILE" | awk -F= '{ print $NF }') -PFDB_USR=$(grep ^PFDB_USR= "$ENVFILE" | awk -F= '{ print $NF }') -PFDB_DBPASS=$(grep ^DBPASS= "$ENVFILE" | awk -F= '{ print $NF }') - -SMTP_FROM=$(grep ^SMTP_FROM= "$ENVFILE" | awk -F= '{ print $NF }') -SMTP_PW=$(grep ^SMTP_PW= "$ENVFILE" | awk -F= '{ print $NF }') - -SMTP_HOST=$(grep ^SMTP_HOST= "$ENVFILE" | awk -F= '{ print $NF }') - - -# the encoding/decoding is taken from here: https://stackoverflow.com/questions/296536/how-to-urlencode-data-for-curl-command/10660730#10660730 -urlencode() { - local string="${1}" - local strlen=${#string} - local encoded="" - local pos c o - - for 
(( pos=0 ; pos "$CURRENT_VERSION_DATE" ]] -then - echo "New version $LATEST_TAG is available!" - if [ "$LATEST_TAG" != "$(cat $KNOWN_VERSION_FILE)" ] - then - echo "$LATEST_TAG" > "$KNOWN_VERSION_FILE" - cat "templates/mail/update-notification.txt" | \ - sed "s/@@@DOMAIN@@@/$DOMAIN/g" | \ - docker-compose exec -T eelomailserver sendmail -f "drive@$DOMAIN" -t "$ALT_EMAIL" - fi -else - echo "No update available" -fi diff --git a/scripts/generate-signup-link.sh b/scripts/generate-signup-link.sh deleted file mode 100755 index 359d6b3..0000000 --- a/scripts/generate-signup-link.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash -set -e - -source /mnt/repo-base/scripts/base.sh - -if [[ "$1" == "-h" ]] || [[ "$1" == "--help" ]]; then - echo "Usage: `basename $0` -- Creates a new signup link - options: - --user-email Pass the email address for the new user, so there is no need to prompt for it - --help Show this help" - exit 0 -fi - -if [[ "$1" == "--user-email" ]]; then - EMAIL="$2" -else - echo "What is the new user's current email address?" - read EMAIL -fi - - -AUTH_SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) -echo "$EMAIL:$AUTH_SECRET" >> /mnt/repo-base/volumes/accounts/auth.file -SIGNUP_URL="https://welcome.$DOMAIN/?authmail=$(urlencode "$EMAIL")&authsecret=$AUTH_SECRET" -echo "The new user can sign up now at $SIGNUP_URL" - -echo -e "Subject:Signup for $DOMAIN -You can now sign up for your $DOMAIN account at $SIGNUP_URL" | \ -docker-compose exec -T eelomailserver sendmail -f "drive@$DOMAIN" -t "$EMAIL" diff --git a/scripts/init-repo.sh b/scripts/init-repo.sh deleted file mode 100755 index 9a7c091..0000000 --- a/scripts/init-repo.sh +++ /dev/null 
@@ -1,205 +0,0 @@ -#!/bin/bash -set -e - -function validateDomains { - INPUT="$1" - (INPUT=$(echo "$INPUT"| sed 's@;@,@g' | sed 's@ @,@g'); IFS=','; for DOMAIN in $INPUT; do echo "$DOMAIN" | xargs; done) | while read line; do echo "$line"; done | sort -u | while read line; do echo $line | grep -P '(?=^.{4,253}$)(^(?:[a-zA-Z0-9](?:(?:[a-zA-Z0-9\-]){0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$)'; done | tr "\n" "," | sed 's@,$@@g' -} - -source <(curl -s https://gitlab.e.foundation/e/infra/bootstrap/raw/master/bootstrap-commons.sh) - -cd "/mnt/repo-base/" -ENVFILE="/mnt/repo-base/.env" - -while true; -do - rm -f "$ENVFILE" - # Create .env file - generateEnvFile deployment/questionnaire/questionnaire.dat deployment/questionnaire/answers.dat "$ENVFILE" - source /mnt/repo-base/scripts/base.sh - - VALIDATED_DOMAIN=$(validateDomains "$DOMAIN") - - echo "$VALIDATED_DOMAIN" | grep -q "," && (echo "Error: You can specify only a single management domain, use the additional domains question for more domains - try again") && continue - - if [ -z "$VALIDATED_DOMAIN" ]; then - echo "Error : Entering at least the managemnt domain is mandatory - try again" - continue - fi - - VALIDATED_ADD_DOMAINS=$(validateDomains "$(echo $ADD_DOMAINS | sed "s@$VALIDATED_DOMAIN@@g")") - - if [ -z "$VALIDATED_ADD_DOMAINS" ]; then - VALIDATED_ADD_DOMAINS="[N/A]" - fi - - echo "Your management domain is: $VALIDATED_DOMAIN" - echo "Your additional domains are: $VALIDATED_ADD_DOMAINS" - read -r -p "Is this correct? (yes or no) " response - if [[ $response =~ ^([yY][eE][sS]|[yY])$ ]]; then - break - fi -done - -sed -i '/DOMAIN/d' "$ENVFILE" -echo "DOMAIN=$VALIDATED_DOMAIN" >> "$ENVFILE" -if [ "$VALIDATED_ADD_DOMAINS" == "[N/A]" ]; then - sed -i '/ADD_DOMAINS/d' "$ENVFILE" - echo "ADD_DOMAINS=$VALIDATED_DOMAIN" >> "$ENVFILE" -elif ! 
echo "$VALIDATED_ADD_DOMAINS" | grep -q "$VALIDATED_DOMAIN" ; then - sed -i '/ADD_DOMAINS/d' "$ENVFILE" - echo "ADD_DOMAINS=$VALIDATED_ADD_DOMAINS,$VALIDATED_DOMAIN" >> "$ENVFILE" -fi -source /mnt/repo-base/scripts/base.sh - -DC_DIR="templates/docker-compose/" -case $INSTALL_ONLYOFFICE in - [Yy]* ) - cat "${DC_DIR}docker-compose-base.yml" "${DC_DIR}docker-compose-onlyoffice.yml" "${DC_DIR}docker-compose-networks.yml" > docker-compose.yml; - cat "templates/nginx/sites-enabled/onlyoffice.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/onlyoffice.conf" - OFFICE_DOMAIN=",office.$DOMAIN" - OFFICE_LETSENCRYPT_KEY="config-dynamic/letsencrypt/certstore/live/office.$DOMAIN/privkey.pem" - NUM_CERTIFICATES="4" - ;; - [Nn]* ) - cat "${DC_DIR}docker-compose-base.yml" "${DC_DIR}docker-compose-networks.yml" > docker-compose.yml - NUM_CERTIFICATES="3" - ;; -esac - -# To be constructed repo specific -echo "VHOSTS_ACCOUNTS=welcome.$DOMAIN" >> "$ENVFILE" -echo "SMTP_FROM=welcome@$DOMAIN" >> "$ENVFILE" -echo "SMTP_HOST=mail.$DOMAIN" >> "$ENVFILE" - -VIRTUAL_HOST=$(echo "$ADD_DOMAINS" | tr "," "\n" | while read line; do echo "autoconfig.$line,autodiscover.$line"; done | tr "\n" "," | sed 's/.$//g') - -echo "VIRTUAL_HOST=$VIRTUAL_HOST" >> "$ENVFILE" - -# finished .env file generation - -# fill autorenew config -rm -f "/mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat" -echo "$DOMAIN,$VIRTUAL_HOST,mail.$DOMAIN,spam.$DOMAIN,welcome.$DOMAIN$OFFICE_DOMAIN" | tr "," "\n" | while read CURDOMAIN; do - echo "$CURDOMAIN" >> config-dynamic/letsencrypt/autorenew/ssl-domains.dat -:; done - - -# Configure automx -cat templates/automx/automx.conf | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/automx/automx.conf" -chown www-data:www-data "config-dynamic/automx/automx.conf" - -# Configure nginx vhost - -# automx -echo "$DOMAIN,$ADD_DOMAINS" | tr "," "\n" | while read CURDOMAIN; do - cat "templates/nginx/sites-enabled/autoconfig.conf" | sed 
"s/@@@DOMAIN@@@/$CURDOMAIN/g" | sed "s/@@@SERVICE@@@/autoconfig/g" > "config-dynamic/nginx/sites-enabled/autoconfig.$CURDOMAIN.conf" - cat "templates/nginx/sites-enabled/autoconfig.conf" | sed "s/@@@DOMAIN@@@/$CURDOMAIN/g" | sed "s/@@@SERVICE@@@/autodiscover/g" > "config-dynamic/nginx/sites-enabled/autodiscover.$CURDOMAIN.conf" -:; done - -# other hosts -cat "templates/nginx/sites-enabled/nextcloud.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/nextcloud.conf" -cat "templates/nginx/sites-enabled/postfixadmin.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/postfixadmin.conf" -cat "templates/nginx/sites-enabled/rspamd.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/rspamd.conf" -cat "templates/nginx/sites-enabled/welcome.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/welcome.conf" - -# confirm DNS is ready -echo "" -echo "" -echo "=================================================================================================================================" -echo "Please setup the following DNS records for your domains before you proceed (subsequent steps will fail if a record is missing):" -echo "=================================================================================================================================" -tempfile=$(mktemp /tmp/ecloud.dns.XXXXXX) -echo "RECORD,|,HOST,|,VALUE,|,Priority" >> "$tempfile" -echo "------,|,----,|,-----,|,--------" >> "$tempfile" -echo "A,|,mail.$DOMAIN,|,,|,-" >> "$tempfile" -echo "$ADD_DOMAINS" | tr "," "\n" | while read CURDOMAIN; do - echo "A,|,$CURDOMAIN,|,,|,-" >> "$tempfile" -:; done -echo "$ADD_DOMAINS" | tr "," "\n" | while read CURDOMAIN; do - echo "MX,|,$CURDOMAIN,|,mail.$DOMAIN,|,10" >> "$tempfile" -:; done -echo "PTR(For reverse DNS),|,,|,mail.$DOMAIN,|,-" >> "$tempfile" -echo "" -echo "$VIRTUAL_HOST,spam.$DOMAIN,welcome.$DOMAIN$OFFICE_DOMAIN" | tr "," "\n" | while read CURDOMAIN; do - 
echo "CNAME,|,$CURDOMAIN,|,mail.$DOMAIN,|,-" >> "$tempfile" -:; done -column "$tempfile" -t -s "," -rm "$tempfile" -echo "=================================================================================================================================" -echo "=================================================================================================================================" -echo "" - -echo "Type 'yes' and hit ENTER to confirm that you have setup DNS properly before we continue:" -read CONFIRM -while [ "$CONFIRM" != "yes" ] -do - read CONFIRM -done - -# Verify DOMAIN lookup forward and reverse (very important) -IP=$(dig mail.$DOMAIN| grep mail.$DOMAIN | grep -v '^;' | awk '{ print $NF }') - -if [ -z "$IP" ] -then - echo "mail.$DOMAIN not resolving to IP" - exit 1 -fi -PTR=$(nslookup $IP | grep "name = mail.$DOMAIN" | wc -l) - -if [ "1" != "$PTR" ] -then - echo "$IP not resolving to mail.$DOMAIN (PTR record missing or wrong.." - exit 1 -fi - -# Run LE cert request -bash scripts/ssl-renew.sh - -# verify LE status -CTR_LE=$(find config-dynamic/letsencrypt/certstore/live/mail.$DOMAIN/privkey.pem config-dynamic/letsencrypt/certstore/live/spam.$DOMAIN/privkey.pem config-dynamic/letsencrypt/certstore/live/welcome.$DOMAIN/privkey.pem $OFFICE_LETSENCRYPT_KEY 2>/dev/null| wc -l) -CTR_AC_LE=$(echo "$VIRTUAL_HOST" | tr "," "\n" | while read CURDOMAIN; do find config-dynamic/letsencrypt/certstore/live/$CURDOMAIN/privkey.pem 2>/dev/null | grep $CURDOMAIN && echo found || echo missing; done | grep missing | wc -l) - -if [ "$CTR_LE$CTR_AC_LE" = "${NUM_CERTIFICATES}0" ] -then - echo "All LE certs present." -else - echo "Verification of LE status failed. Some expected certificates are missing" - echo "$CTR_LE of $NUM_CERTIFICATES certifcates found." - echo "$CTR_AC_LE autoconfig/autodiscovery certificates are missing." 
- exit 1 -fi - -# create nextcloud config -mkdir -p "/mnt/repo-base/volumes/nextcloud/config/" -cat /mnt/repo-base/templates/nextcloud/config.php | sed "s/@@@DOMAIN@@@/$DOMAIN/g" | \ - sed "s/@@@DRIVE_SMTP_PASSWORD@@@/$DRIVE_SMTP_PASSWORD/g" | sed "s/@@@MYSQL_PASSWORD_NC@@@/$MYSQL_PASSWORD_NC/g" | \ - sed "s/@@@MYSQL_DATABASE_NC@@@/$MYSQL_DATABASE_NC/g" | sed "s/@@@MYSQL_USER_NC@@@/$MYSQL_USER_NC/g" | \ - sed "s/@@@PFDB_DBPASS@@@/$PFDB_DBPASS/g" > \ - "/mnt/repo-base/volumes/nextcloud/config/config.php" -chown www-data:www-data "/mnt/repo-base/volumes/nextcloud/" -R - -# Login to /e/ registry | not necessary when going public -echo "Please login with your gitlab.e.foundation username and password" -docker login registry.gitlab.e.foundation:5000 - -docker-compose up -d - -echo -e "\nHack: restart everything to ensure that database and nextcloud are initialized" -docker-compose restart - -# needed to store created accounts, and needs to be writable by welcome -touch /mnt/repo-base/volumes/accounts/auth.file.done -ACCOUNTS_UID=$(docker-compose exec --user www-data accounts id -u | tr -d '\r') -chown "$ACCOUNTS_UID:$ACCOUNTS_UID" /mnt/repo-base/volumes/accounts/auth.file.done - - -printf "$(date): Waiting for Nextcloud to finish installation" -# sleep for 300 seconds -for i in {0..300}; do - sleep 1 - printf "." -done - - -bash scripts/postinstall.sh diff --git a/scripts/postinstall.sh b/scripts/postinstall.sh deleted file mode 100755 index c19f86c..0000000 --- a/scripts/postinstall.sh +++ /dev/null 
@@ -1,83 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-source /mnt/repo-base/scripts/base.sh
-
-# Create Nextcloud mysql database and user
-docker-compose exec -T mariadb mysql --user=root --password="$MYSQL_ROOT_PASSWORD" \
- -e "CREATE USER '$MYSQL_USER_NC'@'%' IDENTIFIED BY '$MYSQL_PASSWORD_NC';"
-docker-compose exec -T mariadb mysql --user=root --password="$MYSQL_ROOT_PASSWORD" \
- -e "CREATE DATABASE $MYSQL_DATABASE_NC DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;"
-docker-compose exec -T mariadb mysql --user=root --password="$MYSQL_ROOT_PASSWORD" \
- -e "GRANT ALL PRIVILEGES ON $MYSQL_DATABASE_NC.* TO '$MYSQL_USER_NC'@'%' WITH GRANT OPTION;"
-
-# The maintenance:install command does not support environment variables for
-# database configuration.
-# https://github.com/nextcloud/server/issues/6185
-docker-compose exec -T --user www-data nextcloud php occ maintenance:install \
- --admin-user="$NEXTCLOUD_ADMIN_USER" --admin-pass="$NEXTCLOUD_ADMIN_PASSWORD" \
- --admin-email="$ALT_EMAIL" --database="mysql" --database-pass="$MYSQL_PASSWORD_NC" \
- --database-name="$MYSQL_DATABASE_NC" --database-host="mariadb" --database-user="$MYSQL_USER_NC" \
- --database-port="3306" --database-table-prefix=""
-docker-compose exec -T --user www-data nextcloud php occ db:convert-filecache-bigint --no-interaction
-
-# Nextcloud resets trusted_domains to localhost during installation, so we have to set it again
-docker-compose exec -T --user www-data nextcloud php occ config:system:set trusted_domains 0 --value="$DOMAIN"
-
-echo "Installing nextcloud plugins"
-docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install calendar
-docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install tasks
-docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install notes
-docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install user_backend_sql_raw
-docker-compose exec -T --user www-data 
nextcloud php /var/www/html/occ app:install rainloop
-docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:app:set rainloop rainloop-autologin --value 1
-
-echo "Installing Nextcloud theme"
-wget "https://gitlab.e.foundation/api/v4/projects/315/repository/archive.tar.gz?private_token=qV5kExhz6mDY5QET8z56" -O "/tmp/nextcloud-theme.tar.gz"
-tar -xzf "/tmp/nextcloud-theme.tar.gz" -C "volumes/nextcloud/html/themes/" --strip-components=1
-chown www-data:www-data "volumes/nextcloud/html/themes/" -R
-rm "/tmp/nextcloud-theme.tar.gz"
-
-docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:system:set theme --value eelo
-
-docker-compose exec -T --user www-data nextcloud php occ maintenance:mode --off
-
-echo "Restarting Nextcloud container"
-docker-compose restart nextcloud
-
-echo "Configuring Rainloop"
-mkdir -p "/mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains/"
-echo "$ADD_DOMAINS" | tr "," "\n" | while read add_domain; do
- cp "templates/rainloop/domain-config.ini" "/mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains/$add_domain.ini"
-done
-chown www-data:www-data /mnt/repo-base/volumes/nextcloud/ -R
-
-echo "Creating postfix database schema"
-curl --silent -L https://mail.$DOMAIN/setup.php > /dev/null
-
-echo "Adding Postfix admin superadmin account"
-docker-compose exec -T postfixadmin /postfixadmin/scripts/postfixadmin-cli admin add $ALT_EMAIL --password $PFA_SUPERADMIN_PASSWORD --password2 $PFA_SUPERADMIN_PASSWORD --superadmin
-
-# Adding domains to postfix is done by docker exec instead of docker-compose exec on purpose. 
Reason: with compose the loop aborts after the first item for an unknown reason
-echo "Adding domains to Postfix"
-echo "$ADD_DOMAINS" | tr "," "\n" | while read line; do docker exec -t postfixadmin /postfixadmin/scripts/postfixadmin-cli domain add $line; done
-
-echo "Adding email accounts used by system senders (drive, ...)"
-docker-compose exec -T postfixadmin /postfixadmin/scripts/postfixadmin-cli mailbox add drive@$DOMAIN --password $DRIVE_SMTP_PASSWORD --password2 $DRIVE_SMTP_PASSWORD --name "drive" --email-other $ALT_EMAIL
-docker-compose exec -T postfixadmin /postfixadmin/scripts/postfixadmin-cli mailbox add $SMTP_FROM --password $SMTP_PW --password2 $SMTP_PW --name "welcome" --email-other $ALT_EMAIL
-
-# display DKIM DNS setup info/instructions to the user
-echo -e "\n\n\n"
-echo -e "Please add the following records to your domain's DNS configuration:\n"
-find /mnt/repo-base/volumes/mail/dkim/ -maxdepth 1 -mindepth 1 -type d | while read line; do DOMAIN=$(basename $line); echo " - DKIM record (TXT) for $DOMAIN:" && cat $line/public.key; done
-
-echo "================================================================================================================================="
-echo "================================================================================================================================="
-echo "Your logins:"
-bash scripts/show-info.sh
-
-echo "================================================================================================================================="
-echo "Your signup link:"
-bash scripts/generate-signup-link.sh --user-email $ALT_EMAIL
-
-echo "Please reboot the server now"
diff --git a/scripts/show-info.sh b/scripts/show-info.sh
deleted file mode 100755
index fbbe684..0000000
--- a/scripts/show-info.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-source /mnt/repo-base/scripts/base.sh
-
-SPAM_UI=$(grep server_name $(grep -l mailserver:11334 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
-RSPAMD_PASSWORD=$(grep ^RSPAMD_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }')
-
-NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:80 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
-NEXTCLOUD_ADMIN_USER=$(grep ^NEXTCLOUD_ADMIN_USER= "$ENVFILE" | awk -F= '{ print $NF }')
-NEXTCLOUD_ADMIN_PASSWORD=$(grep ^NEXTCLOUD_ADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }')
-
-POSTFIX_UI=$(grep server_name $(grep -l postfixadmin:8888 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
-POSTFIX_USER=$(grep ALT_EMAIL= "$ENVFILE" | awk -F= '{ print $NF }')
-POSTFIX_PASSWORD=$(grep PFA_SUPERADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }')
-
-
-echo "Your password for the SPAM filter mgmt UI (https://$SPAM_UI) is: $RSPAMD_PASSWORD"
-echo "Your admin credentials for nextcloud are (https://$NEXTCLOUD_UI) is: $NEXTCLOUD_ADMIN_USER / $NEXTCLOUD_ADMIN_PASSWORD"
-echo "Your credentials for postfix admin (https://$POSTFIX_UI) are: $POSTFIX_USER / $POSTFIX_PASSWORD"
-
diff --git a/scripts/ssl-renew.sh b/scripts/ssl-renew.sh
deleted file mode 100755
index 5768b96..0000000
--- a/scripts/ssl-renew.sh
+++ /dev/null
@@ -1,49 +0,0 @@ -#!/usr/bin/env bash -set -e - -source /mnt/repo-base/scripts/base.sh - -if [ "$(whoami)" != "root" ] -then - exit 1 -fi - -MAILHOST="mail.$DOMAIN" -CONFIG=/mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat -OPENSSLBIN=/usr/bin/openssl -CERTSTOREBASE=/mnt/repo-base/config-dynamic/letsencrypt/certstore -CERTSTORE=$CERTSTOREBASE/live -SERVERADMIN="admin@$DOMAIN" -PUBIP=0.0.0.0 -CERTBOT_IMAGE="certbot/certbot:v0.33.1" - -cat "$CONFIG" | while read DOMAIN; do - # For the first run, we have to use standalone auth because Nginx won't start without the cert files present. - if [ ! -f "$CERTSTORE/$DOMAIN/fullchain.pem" ] - then - docker run -t --rm -v $CERTSTOREBASE:/etc/letsencrypt \ - -p $PUBIP:80:80 -p $PUBIP:443:443 \ - "$CERTBOT_IMAGE" certonly --non-interactive --agree-tos -m $SERVERADMIN -d $DOMAIN \ - --standalone - else - docker run -t --rm -v $CERTSTOREBASE:/etc/letsencrypt \ - -v /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge \ - "$CERTBOT_IMAGE" certonly --non-interactive --agree-tos -m $SERVERADMIN -d $DOMAIN \ - --webroot -w /etc/letsencrypt/acme-challenge \ - --post-hook "touch /etc/letsencrypt/live/$DOMAIN/cert-updated" - CERT_UPDATED_FILE="$CERTSTORE/$DOMAIN/cert-updated" - if [ -f "$CERT_UPDATED_FILE" ] - then - echo "Reloading SSL certificates" - rm "$CERT_UPDATED_FILE" - docker exec nginx nginx -s reload - NVALIDTHRU=$($OPENSSLBIN x509 -enddate -noout -in $CERTSTORE/$DOMAIN/fullchain.pem | awk -F= '{ print $NF }') - echo "Certificate for $DOMAIN renewed and is valid until: $NVALIDTHRU" - if [ "$DOMAIN" = "$MAILHOST" ] - then - cd /mnt/repo-base/ - docker-compose restart eelomailserver - fi - fi - fi -:;done diff --git a/scripts/update.sh b/scripts/update.sh deleted file mode 100755 index 30a4de0..0000000 --- a/scripts/update.sh +++ /dev/null 
@@ -1,35 +0,0 @@
-#!/bin/bash
-set -e
-
-source /mnt/repo-base/scripts/base.sh
-
-CURRENT_VERSION_DATE=$(git show -s --format=%ci HEAD)
-git fetch --tags
-LATEST_TAG=$(git tag --sort=creatordate | tail -n 1)
-LATEST_VERSION_DATE=$(git show -s --format=%ci "$LATEST_TAG")
-
-if [[ ! "$CURRENT_VERSION_DATE" < "$LATEST_VERSION_DATE" ]]
-then
- echo "No update available"
- exit
-fi
-
-echo "New version is $LATEST_TAG
-Changelog: https://gitlab.e.foundation/e/priv/infra/compose/tags/$LATEST_TAG
-Do you want to upgrade? [y/N]"
-read answer
-
-# https://stackoverflow.com/a/27875395
-if [ "$answer" == "${answer#[Yy]}" ] ;then
- echo "aborted"
- exit
-fi
-
-echo -e "\n\nUpdating git repository to latest version"
-git checkout "$LATEST_TAG"
-
-echo -e "\n\nUpdating Docker images"
-docker-compose pull
-docker-compose up -d
-
-echo -e "\n\nUpdate complete. Consider running 'docker image prune --all' to reclaim space from old images"
diff --git a/templates/docker-compose/docker-compose-base.yml b/templates/docker-compose/docker-compose-base.yml
deleted file mode 100644
index ba6e9d6..0000000
--- a/templates/docker-compose/docker-compose-base.yml
+++ /dev/null
@@ -1,152 +0,0 @@
-version: '2.1'
-
-services:
- eelomailserver:
- image: hardware/mailserver:1.1-stable
- container_name: mailserver
- domainname: ${DOMAIN} # Mail server A/MX/FQDN & reverse PTR = mail.${DOMAIN}.
- hostname: mail
- restart: always
- networks:
- - serverbase
- ports:
- - "25:25" # SMTP - Required
- - "110:110" # POP3 STARTTLS - Optional - For webmails/desktop clients
- - "143:143" # IMAP STARTTLS - Optional - For webmails/desktop clients
-# - "465:465" # SMTPS SSL/TLS - Optional - Enabled for compatibility reason, otherwise disabled
- - "587:587" # Submission STARTTLS - Optional - For webmails/desktop clients
- - "993:993" # IMAPS SSL/TLS - Optional - For webmails/desktop clients
- - "995:995" # POP3S SSL/TLS - Optional - For webmails/desktop clients
- - "4190:4190" # SIEVE STARTTLS - Optional - Recommended for mail filtering
- environment:
- - DBPASS=${DBPASS}
- - RSPAMD_PASSWORD=${RSPAMD_PASSWORD}
- - ADD_DOMAINS=${ADD_DOMAINS}
- - ENABLE_POP3=${ENABLE_POP3}
- - DISABLE_RATELIMITING=${DISABLE_RATELIMITING}
- - RELAY_NETWORKS=172.16.0.0/12
- # Full list of options: https://github.com/hardware/mailserver#environment-variables
- volumes:
- - /mnt/repo-base/volumes/mail:/var/mail
- - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/etc/letsencrypt
- - /mnt/repo-base/config-static/mail/dovecot/10-mail.conf:/etc/dovecot/conf.d/10-mail.conf
- - /mnt/repo-base/config-static/mail/dovecot/90-quota.conf:/etc/dovecot/conf.d/90-quota.conf
- - /mnt/repo-base/config-static/mail/dovecot/90-sieve.conf:/etc/dovecot/conf.d/90-sieve.conf
- depends_on:
- - mariadb
- - redis
-
- postfixadmin:
- image: registry.gitlab.e.foundation:5000/e/infra/docker-postfixadmin:0.1.2
- container_name: postfixadmin
- domainname: ${DOMAIN}
- hostname: mail
- restart: always
- networks:
- - serverbase
- environment:
- - DBPASS=${DBPASS}
- - POSTFIXADMIN_SSH_PASSWORD=${POSTFIXADMIN_SSH_PASSWORD}
- depends_on:
- - eelomailserver
- - mariadb
-
- mariadb:
- image: mariadb:10.3
- 
container_name: mariadb
- restart: always
- networks:
- - serverbase
- environment:
- # Note: These variables are only used for the first start. Later changes are ignored.
- - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
- - MYSQL_DATABASE=${PFDB_DB}
- - MYSQL_USER=${PFDB_USR}
- - MYSQL_PASSWORD=${DBPASS}
- volumes:
- - /mnt/repo-base/volumes/mysql/db:/var/lib/mysql
- - /mnt/repo-base/config-dynamic/nextcloud/database:/docker-entrypoint-initdb.d
-
- redis:
- image: redis:4.0-alpine
- container_name: redis
- restart: always
- networks:
- - serverbase
- command: redis-server --appendonly yes
- volumes:
- - /mnt/repo-base/volumes/redis/db:/data
-
- accounts:
- image: registry.gitlab.e.foundation:5000/e/infra/docker-welcome:0.2.2
- container_name: accounts
- environment:
- - DOMAINS=${VHOSTS_ACCOUNTS}
- - DOMAIN=${DOMAIN}
- - IS_WELCOME=true
- - PFDB_HOST=mariadb
- - PFDB_DB=${PFDB_DB}
- - PFDB_USR=${PFDB_USR}
- - PFDB_PW=${DBPASS}
- - SMTP_HOST=${SMTP_HOST}
- - SMTP_FROM=${SMTP_FROM}
- - SMTP_PW=${SMTP_PW}
- - CREATE_ACCOUNT_PASSWORD=${CREATE_ACCOUNT_PASSWORD}
- restart: always
- networks:
- - serverbase
- volumes:
- - /mnt/repo-base/volumes/accounts:/var/accounts
- depends_on:
- - mariadb
-
- nextcloud:
- image: nextcloud:15.0.8
- container_name: nextcloud
- environment:
- - MYSQL_DATABASE=${MYSQL_DATABASE_NC}
- - MYSQL_USER=${MYSQL_USER_NC}
- - MYSQL_PASSWORD=${MYSQL_PASSWORD_NC}
- - MYSQL_HOST=mariadb
- - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
- - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
- restart: always
- networks:
- - serverbase
- volumes:
- - /mnt/repo-base/volumes/nextcloud/html:/var/www/html/
- - /mnt/repo-base/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/
- - /mnt/repo-base/volumes/nextcloud/config:/var/www/html/config/
- - /mnt/repo-base/volumes/nextcloud/data:/var/www/html/data/
- depends_on:
- - mariadb
-
- automx:
- image: registry.gitlab.e.foundation:5000/e/infra/docker-mailstack:automx-0.1.0
- container_name: automx
- 
hostname: automx
- environment:
- - VIRTUAL_HOST=${VIRTUAL_HOST}
- - DOMAIN=${DOMAIN}
- - HOSTNAME=automx
- restart: always
- networks:
- - serverbase
- volumes:
- - /mnt/repo-base/config-dynamic/automx/automx.conf:/etc/automx.conf
-
- create-account:
- image: registry.gitlab.e.foundation:5000/e/infra/docker-create-account:0.1.6
- container_name: create-account
- restart: always
- environment:
- - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
- - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
- - POSTFIXADMIN_SSH_PASSWORD=${POSTFIXADMIN_SSH_PASSWORD}
- - DOMAIN=${DOMAIN}
- - CREATE_ACCOUNT_PASSWORD=${CREATE_ACCOUNT_PASSWORD}
- networks:
- - serverbase
- depends_on:
- - nextcloud
- - postfixadmin
diff --git a/templates/docker-compose/docker-compose-networks.yml b/templates/docker-compose/docker-compose-networks.yml
deleted file mode 100644
index 02e7b59..0000000
--- a/templates/docker-compose/docker-compose-networks.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-
- nginx:
- image: registry.gitlab.e.foundation:5000/e/infra/docker-nginx:1.15
- container_name: nginx
- restart: always
- networks:
- - serverbase
- ports:
- - "80:8000"
- - "443:4430"
- volumes:
- - /mnt/repo-base/config-dynamic/nginx/sites-enabled:/etc/nginx/conf.d/
- - /mnt/repo-base/config-static/nginx/params:/etc/nginx/params/
- - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/certs
- - /mnt/repo-base/config-dynamic/nginx/passwds:/passwds
- - /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge
- depends_on:
- - nextcloud
- - create-account
- - automx
- - postfixadmin
- - accounts
- - eelomailserver
- #- onlyoffice-community-server
-
-networks:
- serverbase:
- driver: 'bridge'
diff --git a/templates/docker-compose/docker-compose-onlyoffice.yml b/templates/docker-compose/docker-compose-onlyoffice.yml
deleted file mode 100644
index 9387ad7..0000000
--- a/templates/docker-compose/docker-compose-onlyoffice.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-
- onlyoffice-documentserver:
- image: onlyoffice/documentserver:5.2.6.3
- container_name: onlyoffice-document-server
- stdin_open: true
- restart: always
- networks:
- - serverbase
- volumes:
- - /mnt/repo-base/volumes/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data
- - /mnt/repo-base/volumes/onlyoffice/DocumentServer/logs:/var/log/onlyoffice
- onlyoffice-mail-server:
- image: onlyoffice/mailserver:1.6.35
- container_name: onlyoffice-mail-server
- hostname: cleus.eu
- stdin_open: true
- restart: always
- networks:
- - serverbase
- volumes:
- - /mnt/repo-base/volumes/onlyoffice/MailServer/data:/var/vmail
- - /mnt/repo-base/volumes/onlyoffice/MailServer/data/certs:/etc/pki/tls/mailserver
- - /mnt/repo-base/volumes/onlyoffice/MailServer/logs:/var/log
- - /mnt/repo-base/volumes/onlyoffice/MailServer/mysql:/var/lib/mysql
- onlyoffice-community-server:
- image: onlyoffice/communityserver:9.6.5.771
- container_name: onlyoffice-community-server
- restart: always
- networks:
- - serverbase
- ports:
- - 5222:5222
- environment:
- - DOCUMENT_SERVER_PORT_80_TCP_ADDR=onlyoffice-document-server
- - MAIL_SERVER_DB_HOST=onlyoffice-mail-server
- volumes:
- - /mnt/repo-base/volumes/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data
- - /mnt/repo-base/volumes/onlyoffice/CommunityServer/mysql:/var/lib/mysql
- - /mnt/repo-base/volumes/onlyoffice/CommunityServer/logs:/var/log/onlyoffice
- - /mnt/repo-base/volumes/onlyoffice/DocumentServer/data:/var/www/onlyoffice/DocumentServerData
- depends_on:
- - onlyoffice-documentserver
- - onlyoffice-mail-server
diff --git a/templates/mail/update-notification.txt b/templates/mail/update-notification.txt
deleted file mode 100644
index 04d42f8..0000000
--- a/templates/mail/update-notification.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Subject:Update available for @@@DOMAIN@@@
-A new update is available. Please login via ssh and run the following
-command:
-
-bash /mnt/repo-base/scripts/update.sh
diff --git a/templates/nextcloud/plugin-config/user_sql_raw_config.conf b/templates/nextcloud/plugin-config/user_sql_raw_config.conf
deleted file mode 100644
index 08b54a8..0000000
--- a/templates/nextcloud/plugin-config/user_sql_raw_config.conf
+++ /dev/null
@@ -1,21 +0,0 @@
- 'user_backend_sql_raw' =>
- array (
- 'db_type' => 'mariadb',
- 'db_host' => 'mariadb',
- 'db_port' => '3306',
- 'db_name' => '@@@DBNAME@@@',
- 'db_user' => '@@@DBUSER@@@',
- 'db_password' => '@@@DBPW@@@',
- 'queries' =>
- array (
- 'get_password_hash_for_user' => 'SELECT substr(password,15,3000) AS password_hash FROM mailbox WHERE username = BINARY :username',
- 'user_exists' => 'SELECT EXISTS(SELECT 1 FROM mailbox WHERE username = :username)',
- 'get_users' => 'select username as fqda from mailbox where username like :search or name like :search',
- 'set_password_hash_for_user' => 'UPDATE mailbox SET password = CONCAT(\'{SHA512-CRYPT}\',:new_password_hash) WHERE username = BINARY :username',
- 'get_display_name' => 'SELECT name FROM mailbox where username = BINARY :username',
- 'set_display_name' => 'UPDATE mailbox SET name = :new_display_name WHERE username = BINARY :username',
- 'count_users' => 'SELECT COUNT(*) FROM mailbox',
- ),
- 'hash_algorithm_for_new_passwords' => 'sha512',
- )
-);
-- GitLab