diff --git a/.gitignore b/.gitignore index c393c8d255e59d9f109cddafe552b6eed58f8315..de762f8b52be5d5a09c9a6b14de1e74a711ff127 100644 --- a/.gitignore +++ b/.gitignore @@ -3,7 +3,7 @@ *.iml # docker config files -docker-compose.yml +./docker-compose.yml .env # data for the local installation diff --git a/README.md b/README.md index 118713fd273326b06abecbba43bb8644a0e33599..45414330451befc988478fff83dcc8abdb7db4f9 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ This way, a user can use [/e/OS](https://e.foundation/products/) on a smartphone 5. tasks 6. device configuration... -The setup, which is relying on NextCloud, OnlyOffice, Postfix, and other open source components, is very close to the one used on [ecloud.global](https://ecloud.global). +The setup, which is relying on NextCloud, Postfix, and other open source components, is very close to the one used on [ecloud.global](https://ecloud.global). Important note: this project is currently in beta. You should have some experience with Linux server administration if you want to use it. The current setup makes updates difficult, @@ -25,12 +25,6 @@ For the full setup, the following server hardware is recommended: - 4 GB RAM - 20 GB disk space -For the setup without OnlyOffice, requirements are a bit lower: - -- 1 core CPU (x86/x86-64 only, ARM not supported yet) -- 2 GB RAM -- 15 GB disk space - Disk space only refers to the basic installation. You will need additional space for any emails, documents and files you store on the server. @@ -46,7 +40,7 @@ Note about TLS certificates: a certificate will be added automatically during se ### Create an Ubuntu server instance -The project should work with any Ubuntu server (Virtual Private Server (VPS), dedicated server...) versions 18.04 (should work on 16.04). +The project should work with any Ubuntu server (Virtual Private Server (VPS), dedicated server...) version 20.04 Debian server should work as well, though it has not been tested yet. 
@@ -59,6 +53,10 @@ Hosting at home is also possible in principle, but you will probably have proble First, create your hosting server. Please follow your hoster documentation to create your server or VPS. +- Please run the following commands and then reboot your server before installation: + - `apt update` + - `apt upgrade` + ### Set your server with proper DNS settings 1. point your domain DNS entries to your server @@ -80,18 +78,21 @@ In the following text, `$DOMAIN` refers to the domain (`youdomain.com`) that you Login to the server via ssh as root (on Linux/macOS the ssh client is available out of the box, on Windows you need to use an ssh client like [Putty](https://www.putty.org/) for example). -Execute this command and follow its on-screen instructions: +- Please note that for Ubuntu 20.04+, you will have to add the repository for "SaltStack" using the [instructions](https://repo.saltproject.io/#ubuntu) + +Execute these commands and follow the on-screen instructions: ``` $ ssh root@$DOMAIN -# wget https://gitlab.e.foundation/e/infra/bootstrap/raw/master/bootstrap-generic.sh -# bash bootstrap-generic.sh https://gitlab.e.foundation/e/infra/ecloud-selfhosting +# git clone https://gitlab.e.foundation/e/infra/ecloud-selfhosting.git --single-branch --branch master /mnt/repo-base +# cd /mnt/repo-base +# bash scripts/bootstrap.sh ``` The setup script will ask you to input some details of your setup (like your domain name) and to setup additional DNS records (the two A records plus the PTR record were set already above). Example session for yourdomain.com: ``` -bash bootstrap-generic.sh https://gitlab.e.foundation/e/infra/ecloud-selfhosting +bash bootstrap.sh [...] Resolving deltas: 100% (681/681), done. System update and packages installation .. 
@@ -103,8 +104,6 @@ Optionally enter additional domain(s) (comma separated, no white spaces) to hand Enter alternative email: someone@example.org -Do you want to install OnlyOffice? [y/n] -n Your management domain is: yourdomain.com Your additional domains are: [N/A] Is this correct? (yes or no) yes @@ -139,8 +138,11 @@ A few services can't be configured automatically and need manual account creatio To change it, visit `https://$DOMAIN/apps/rainloop/app/?admin` and enter username: `admin` and password: `12345`. Go to the security tab to change the password. -**OnlyOffice**: Open `office.$DOMAIN`, then follow the instructions to add a new admin user. This -is only necessary if you chose to install OnlyOffice. +## Background job configuration + +- Many background jobs(e.g. jobs run when an account is deleted) need to run for eCloud to work correctly +- In this installation, background jobs are set to use system cron and crontab for this is added +- Please follow the instructions [here](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html) to change background job configuration ## Available Services 
@@ -158,13 +160,13 @@ Your credentials for postfix admin (https://mail.yourdomain.com) are: user/pass [rainloop](https://www.rainloop.net/) - `welcome.$DOMAIN`: Allows users to sign up for a new account (you can create signup links with `bash /mnt/repo-base/scripts/generate-signup-link.sh`, account creation with this "self service" is only possible when such a link is generated) -- `office.$DOMAIN`: Create and edit office documents ([OnlyOffice](https://www.onlyoffice.com/)) - (only when you answered yes to the question "Install OnlyOffice?" during setup obviously) ## Administration - `spam.$DOMAIN`: Email spam filter ([rspamd](https://www.rspamd.com/)) - `mail.$DOMAIN`: Administrate email and create accounts ([postfixadmin](http://postfixadmin.sourceforge.net/)) when not using the "self service" `welcome.$DOMAIN` - this requires you to set a intermediate password during account creation. +- Post installation, please navigate to https://$DOMAIN/settings/admin/overview to check if there are any configuration warnings related to your installation +- Please note that we have not used http2 protocol in nginx because of nextcloud's notably [slow performance](https://github.com/nextcloud/server/issues/25297) with http2 ## Setting up /e/ OS with /e/ selfhosting diff --git a/config-dynamic/nginx/sites-enabled/.keep b/config-dynamic/nginx/sites-enabled/.keep deleted file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000 diff --git a/config-static/mail/rspamd/whitelist.sender.domain.map b/config-static/mail/rspamd/whitelist.sender.domain.map deleted file mode 100644 index 883cb0f2746a5a295cd8dccf9daea0e9f96d39a6..0000000000000000000000000000000000000000 --- a/config-static/mail/rspamd/whitelist.sender.domain.map +++ /dev/null @@ -1 +0,0 @@ -e.email diff --git a/config-dynamic/automx/.keep b/config/automx/.keep similarity index 100% rename from config-dynamic/automx/.keep rename to config/automx/.keep 
diff --git a/config-dynamic/letsencrypt/autorenew/.keep b/config/letsencrypt/autorenew/.keep similarity index 100% rename from config-dynamic/letsencrypt/autorenew/.keep rename to config/letsencrypt/autorenew/.keep diff --git a/config/mail/clamav/freshclam.conf b/config/mail/clamav/freshclam.conf new file mode 100644 index 0000000000000000000000000000000000000000..f37ff2773717515f085eb1f9029c2021024a87ea --- /dev/null +++ b/config/mail/clamav/freshclam.conf @@ -0,0 +1,34 @@ +# Automatically created by the clamav-freshclam postinst +# Comments will get lost when you reconfigure the clamav-freshclam package + +DatabaseOwner clamav +UpdateLogFile /var/log/clamav/freshclam.log +LogVerbose false +LogSyslog true +LogFacility LOG_MAIL +LogFileMaxSize 0 +LogRotate true +LogTime true +Foreground true +Debug false +MaxAttempts 3 +DatabaseDirectory /var/lib/clamav +DNSDatabaseInfo current.cvd.clamav.net +ConnectTimeout 30 +ReceiveTimeout 0 +TestDatabases yes +ScriptedUpdates yes +CompressLocalDatabase no +SafeBrowsing false +Bytecode true +NotifyClamd /etc/clamav/clamd.conf +# Check for new database 4 times a day +# Spawns too many processes otherwise and causes server to run out of memory +Checks 4 +DatabaseMirror db.local.clamav.net +DatabaseMirror switch.clamav.net +DatabaseMirror clamav.easynet.fr +DatabaseMirror clamav.begi.net +DatabaseMirror clamav.univ-nantes.fr +DatabaseMirror db.fr.clamav.net + diff --git a/config-static/mail/dovecot/10-mail.conf b/config/mail/dovecot/10-mail.conf similarity index 100% rename from config-static/mail/dovecot/10-mail.conf rename to config/mail/dovecot/10-mail.conf diff --git a/config-static/mail/dovecot/90-quota.conf b/config/mail/dovecot/90-quota.conf similarity index 100% rename from config-static/mail/dovecot/90-quota.conf rename to config/mail/dovecot/90-quota.conf 
diff --git a/config-static/mail/dovecot/90-sieve.conf b/config/mail/dovecot/90-sieve.conf similarity index 100% rename from config-static/mail/dovecot/90-sieve.conf rename to config/mail/dovecot/90-sieve.conf diff --git a/config-static/mail/rspamd/multimap.conf b/config/mail/rspamd/multimap.conf similarity index 100% rename from config-static/mail/rspamd/multimap.conf rename to config/mail/rspamd/multimap.conf diff --git a/config-static/mail/rspamd/ratelimit.conf b/config/mail/rspamd/ratelimit.conf similarity index 100% rename from config-static/mail/rspamd/ratelimit.conf rename to config/mail/rspamd/ratelimit.conf diff --git a/config/mariadb/ecloud.cnf b/config/mariadb/ecloud.cnf new file mode 100644 index 0000000000000000000000000000000000000000..e1b9b82bb95cb7a3eea82a417990ef24f13a7465 --- /dev/null +++ b/config/mariadb/ecloud.cnf @@ -0,0 +1,26 @@ +[server] +performance_schema = on +skip_name_resolve = 1 + +innodb_buffer_pool_size=1G +innodb_buffer_pool_instances = 1 +innodb_buffer_pool_chunk_size = 1G +innodb_flush_log_at_trx_commit = 2 +innodb_log_buffer_size = 256M +innodb_max_dirty_pages_pct = 90 +innodb_io_capacity=4000 + +query_cache_type = 1 +query_cache_limit = 2M +query_cache_min_res_unit = 2k +query_cache_size = 64M +tmp_table_size= 64M +max_heap_table_size= 64M + + +[mysqld] +character_set_server = utf8mb4 +collation_server = utf8mb4_general_ci +innodb_file_per_table=1 +transaction_isolation = READ-COMMITTED +binlog_format = ROW diff --git a/templates/nextcloud/x-fpm-overloads.conf b/config/nextcloud/x-fpm-overloads.conf similarity index 100% rename from templates/nextcloud/x-fpm-overloads.conf rename to config/nextcloud/x-fpm-overloads.conf diff --git a/config/nextcloud/x-php-overloads.ini b/config/nextcloud/x-php-overloads.ini new file mode 100644 index 0000000000000000000000000000000000000000..459f5e8494abc573563099b0d2ec1f9a8065f6ab --- /dev/null +++ b/config/nextcloud/x-php-overloads.ini 
@@ -0,0 +1,8 @@ +[PHP] +opcache.enable=1 +opcache.interned_strings_buffer=8 +opcache.max_accelerated_files=10000 +opcache.memory_consumption=128 +opcache.save_comments=1 +opcache.revalidate_freq=1 +memory_limit = 512M diff --git a/config-static/nginx/params/headers_params b/config/nginx/params/headers_params similarity index 100% rename from config-static/nginx/params/headers_params rename to config/nginx/params/headers_params diff --git a/config-static/nginx/params/proxy_params b/config/nginx/params/proxy_params similarity index 91% rename from config-static/nginx/params/proxy_params rename to config/nginx/params/proxy_params index 7a40d4d1206d293b3dcadc36068f8ec1996c1a96..8107da66c0125073d11e3079196b61733e8de6ec 100644 --- a/config-static/nginx/params/proxy_params +++ b/config/nginx/params/proxy_params @@ -7,6 +7,8 @@ proxy_redirect off; proxy_headers_hash_max_size 1024; proxy_headers_hash_bucket_size 128; +proxy_http_version 1.1; +proxy_set_header Connection ""; # No compression for json to avoid BREACH attack. gzip on; diff --git a/config-static/nginx/params/ssl_params b/config/nginx/params/ssl_params similarity index 100% rename from config-static/nginx/params/ssl_params rename to config/nginx/params/ssl_params diff --git a/config-dynamic/nextcloud/.keep b/config/nginx/sites-enabled/.keep similarity index 100% rename from config-dynamic/nextcloud/.keep rename to config/nginx/sites-enabled/.keep diff --git a/deployment/questionnaire/questionnaire.dat b/deployment/questionnaire/questionnaire.dat index 74dff8e5000ecd226a76865801a2e5e04bf9213e..9e57c6154973c88eb0b1ef3af0d696322e4e6626 100644 --- a/deployment/questionnaire/questionnaire.dat +++ b/deployment/questionnaire/questionnaire.dat 
@@ -1,11 +1,10 @@ DOMAIN=Enter your mailserver (management) domain (e.g. domainA.com): ADD_DOMAINS=Optionally enter additional domain(s) (comma separated, no white spaces) to handle mail for (e.g. domainB.com,domainC.com) or just press enter if you need none: ALT_EMAIL=Enter alternative email: -INSTALL_ONLYOFFICE=Do you want to install OnlyOffice? [y/n]||||^[yY|nN]$;;;;Please enter 'y' or 'n' # Generate and display RSPAMD_PASSWORD=@@@generate@@@:20@ -NEXTCLOUD_ADMIN_USER=ncadmin_@@@generate@@@:4@ +NEXTCLOUD_ADMIN_USER=ncadmin_@@@generate@@@:l:4@ NEXTCLOUD_ADMIN_PASSWORD=@@@generate@@@:20@ @@ -26,6 +25,8 @@ PFA_SUPERADMIN_PASSWORD=1@@@generate@@@:16@2 WELCOME_SECRET=@@@generate@@@:20@ +NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET=@@@generate@@@:15@ + # fixed defaults ENABLE_POP3=false;default DISABLE_RATELIMITING=false;default @@ -34,3 +35,4 @@ DISABLE_RATELIMITING=false;default #SMTP_FROM=welcome@domainA.com #VIRTUAL_HOST (for each domain two subdomains autoconfig/autodiscover) #VHOSTS_ACCOUNTS=welcome.domainA.com +#NC_HOST_IP \ No newline at end of file diff --git a/docs/delete-account.md b/docs/delete-account.md index 21cddbd7caf7e7038568a569c83fb74cf1628280..4727e5a3a2ac89cd4a292161df77e9655318b143 100644 --- a/docs/delete-account.md +++ b/docs/delete-account.md @@ -1,12 +1,7 @@ -Delete User Cccount +Delete User Account ------------------- 1. Delete email account, Nextcloud account and all data - `ssh user@$DOMAIN` - `cd /mnt/repo-base/` - `sudo ./scripts/delete-account $USER` - -2. onlyoffice data - - go to [https://office.$DOMAIN/products/people/#sortorder=ascending](https://office.$DOMAIN/products/people/#sortorder=ascending) - - search for the username - - click on the arrow at the far right and press "Delete profile" diff --git a/docs/env_file.md b/docs/env_file.md index 3d87655a4afaa5610ac6e5b2d41869c5a21f9d0d..171f828c9a39adda7c16f4c9ce7c23d048c36bf4 100644 --- a/docs/env_file.md +++ b/docs/env_file.md 
@@ -8,7 +8,6 @@ selfhosting (ie, the domain you entered during setup). DOMAIN=example.com # the main domain for your installation ADD_DOMAINS=example.com, example2.com # one or more domains that are used for email ALT_EMAIL=myname@some-other-domain.com # admin email address -INSTALL_ONLYOFFICE=n # y or n, whether Onlyoffice is installed ``` ## Nextcloud diff --git a/docs/update-from-old-selfhost.diff b/docs/update-from-old-selfhost.diff new file mode 100644 index 0000000000000000000000000000000000000000..803d2871b0cd1bc6584d998e00600b5b79db3ee2 --- /dev/null +++ b/docs/update-from-old-selfhost.diff 
@@ -0,0 +1,241 @@ +diff --git a/docker-compose-old.yml b/docker-compose.yml +index 279ec78..8eb51cb 100644 +--- a/docker-compose-old.yml ++++ b/docker-compose.yml +@@ -1,14 +1,14 @@ +-version: '2.1' ++version: '3' + + services: +- eelomailserver: +- image: hardware/mailserver:1.1-stable +- container_name: eelomailserver ++ mailserver: ++ image: mailserver2/mailserver:1.1.4 ++ container_name: mailserver + domainname: ${DOMAIN} # Mail server A/MX/FQDN & reverse PTR = mail.${DOMAIN}. + hostname: mail + restart: always + networks: +- - serverbase ++ - default + ports: + - "25:25" # SMTP - Required + - "110:110" # POP3 STARTTLS - Optional - For webmails/desktop clients +@@ -28,42 +28,49 @@ services: + # Full list of options: https://github.com/hardware/mailserver#environment-variables + volumes: + - /mnt/repo-base/volumes/mail:/var/mail +- - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/etc/letsencrypt +- - /mnt/repo-base/config-static/mail/dovecot/10-mail.conf:/etc/dovecot/conf.d/10-mail.conf +- - /mnt/repo-base/config-static/mail/dovecot/90-quota.conf:/etc/dovecot/conf.d/90-quota.conf +- - /mnt/repo-base/config-static/mail/dovecot/90-sieve.conf:/etc/dovecot/conf.d/90-sieve.conf +- - /mnt/repo-base/config-static/mail/rspamd/multimap.conf:/etc/rspamd/local.d/multimap.conf +- - /mnt/repo-base/config-static/mail/rspamd/whitelist.sender.domain.map:/etc/rspamd/local.d/whitelist.sender.domain.map +- - /mnt/repo-base/config-static/mail/rspamd/ratelimit.conf:/etc/rspamd/local.d/ratelimit.conf ++ - /mnt/repo-base/config/letsencrypt/certstore:/etc/letsencrypt ++ - /mnt/repo-base/config/mail/dovecot/10-mail.conf:/etc/dovecot/conf.d/10-mail.conf ++ - /mnt/repo-base/config/mail/dovecot/90-quota.conf:/etc/dovecot/conf.d/90-quota.conf ++ - /mnt/repo-base/config/mail/dovecot/90-sieve.conf:/etc/dovecot/conf.d/90-sieve.conf ++ - /mnt/repo-base/config/mail/rspamd/multimap.conf:/etc/rspamd/local.d/multimap.conf ++ - 
/mnt/repo-base/config/mail/rspamd/whitelist.sender.domain.map:/etc/rspamd/local.d/whitelist.sender.domain.map ++ - /mnt/repo-base/config/mail/rspamd/ratelimit.conf:/etc/rspamd/local.d/ratelimit.conf ++ - /mnt/repo-base/config/mail/clamav/freshclam.conf:/etc/clamav/freshclam.conf + depends_on: + - mariadb + - redis + + postfixadmin: +- image: registry.gitlab.e.foundation:5000/e/infra/docker-postfixadmin:1.0.0 ++ image: registry.gitlab.e.foundation/e/infra/docker-postfixadmin:2.0.1 + container_name: postfixadmin + restart: always + networks: +- - serverbase ++ - default + environment: + - DBPASS=${DBPASS} ++ - DBHOST=mariadb + - DOMAIN=${DOMAIN} ++ - DRIVE_SMTP_PASSWORD=${DRIVE_SMTP_PASSWORD} + - POSTFIXADMIN_SSH_PASSWORD=${POSTFIXADMIN_SSH_PASSWORD} +- - SMTPHOST=${SMTP_HOST} +- - ADMIN_SMTP_PASSWORD=${DRIVE_SMTP_PASSWORD} ++ - POSTFIXADMIN_DB_TYPE=mysqli ++ - POSTFIXADMIN_DB_HOST=mariadb ++ - POSTFIXADMIN_DB_USER=postfix ++ - POSTFIXADMIN_DB_NAME=postfix ++ - POSTFIXADMIN_DB_PASSWORD=${DBPASS} ++ - POSTFIXADMIN_SMTP_SERVER=mailserver ++ - POSTFIXADMIN_SMTP_PORT=587 + volumes: + - /mnt/repo-base/volumes/mail:/var/mail +- - /mnt/repo-base/scripts/postfixadmin-mailbox-postdeletion.sh:/usr/local/bin/postfixadmin-mailbox-postdeletion.sh + depends_on: +- - eelomailserver ++ - mailserver + - mariadb + + mariadb: +- image: mariadb:10.3.17 ++ image: mariadb:10.3 + container_name: mariadb + restart: always + networks: +- - serverbase ++ - default + environment: + # Note: These variables are only used for the first start. Later changes are ignored. 
+ - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} +@@ -71,22 +78,21 @@ services: + - MYSQL_USER=${PFDB_USR} + - MYSQL_PASSWORD=${DBPASS} + volumes: +- - /mnt/repo-base/volumes/mysql/db:/var/lib/mysql +- - /mnt/repo-base/config-dynamic/nextcloud/database:/docker-entrypoint-initdb.d +- ++ - /mnt/repo-base/volumes/mysql/db/data:/var/lib/mysql ++ - /mnt/repo-base/config/mariadb/:/etc/mysql/conf.d/:ro + redis: +- image: redis:5.0-alpine ++ image: redis:6.0-alpine + container_name: redis + restart: always + networks: +- - serverbase ++ - default + command: redis-server --appendonly yes + volumes: + - /mnt/repo-base/volumes/redis/db:/data + - /mnt/repo-base/volumes/redis/tmp:/tmp/redis + + welcome: +- image: registry.gitlab.e.foundation:5000/e/infra/docker-welcome:1.1.0 ++ image: registry.gitlab.e.foundation/e/infra/docker-welcome:2.1.2 + container_name: welcome + environment: + - DOMAINS=${VHOSTS_ACCOUNTS} +@@ -102,34 +108,49 @@ services: + - SMTP_HOST=${SMTP_HOST} + - SMTP_FROM=${SMTP_FROM} + - SMTP_PW=${SMTP_PW} ++ - SMTP_PORT=587 ++ - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} ++ - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} ++ - NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET=${NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET} + - CREATE_ACCOUNT_PASSWORD=${CREATE_ACCOUNT_PASSWORD} + restart: always + networks: +- - serverbase ++ - default + volumes: + - /mnt/repo-base/volumes/accounts:/var/accounts + depends_on: + - mariadb ++ extra_hosts: ++ - "${DOMAIN}:${NC_HOST_IP}" + + nextcloud: +- image: nextcloud:16.0.5-fpm ++ image: registry.gitlab.e.foundation/e/infra/ecloud/nextcloud:316db4e0 + container_name: nextcloud + restart: always + networks: +- - serverbase ++ - default ++ environment: ++ - MYSQL_DATABASE=${MYSQL_DATABASE_NC} ++ - MYSQL_USER=${MYSQL_USER_NC} ++ - MYSQL_PASSWORD=${MYSQL_PASSWORD_NC} ++ - MYSQL_HOST=mariadb ++ - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} ++ # below ENV disabled so NC container do not start install ++ # - 
NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} ++ - OVERWRITEPROTOCOL=https ++ - NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET=${NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET} + volumes: + - /mnt/repo-base/volumes/nextcloud/html:/var/www/html/ +- - /mnt/repo-base/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/ +- - /mnt/repo-base/volumes/nextcloud/config:/var/www/html/config/ +- - /mnt/repo-base/volumes/nextcloud/data:/var/www/html/data/ +- - /mnt/repo-base/config-dynamic/nextcloud/x-fpm-overloads.conf:/usr/local/etc/php-fpm.d/x-fpm-overloads.conf +- - /mnt/repo-base/config-dynamic/nextcloud/x-php-overloads.ini:/usr/local/etc/php/conf.d/x-php-overloads.ini +- - /mnt/repo-base/volumes/redis/tmp:/tmp/redis/ ++ - /mnt/repo-base/volumes/nextcloud/data:/var/www/data/ ++ - /mnt/repo-base/config/nextcloud/x-fpm-overloads.conf:/usr/local/etc/php-fpm.d/x-fpm-overloads.conf ++ - /mnt/repo-base/config/nextcloud/x-php-overloads.ini:/usr/local/etc/php/conf.d/x-php-overloads.ini ++ - /mnt/repo-base/volumes/nextcloud/log:/var/www/log/ ++ - /mnt/repo-base/volumes/redis/db:/tmp/redis + depends_on: + - mariadb + + automx: +- image: registry.gitlab.e.foundation:5000/e/infra/docker-mailstack:automx-0.1.0 ++ image: registry.gitlab.e.foundation/e/infra/docker-mailstack:automx-0.1.0 + container_name: automx + hostname: automx + environment: +@@ -138,52 +159,30 @@ services: + - HOSTNAME=automx + restart: always + networks: +- - serverbase ++ - default + volumes: +- - /mnt/repo-base/config-dynamic/automx/automx.conf:/etc/automx.conf +- +- create-account: +- image: registry.gitlab.e.foundation:5000/e/infra/docker-create-account:1.0.1 +- container_name: create-account +- restart: always +- environment: +- - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} +- - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} +- - POSTFIXADMIN_SSH_PASSWORD=${POSTFIXADMIN_SSH_PASSWORD} +- - DOMAIN=${DOMAIN} +- - CREATE_ACCOUNT_PASSWORD=${CREATE_ACCOUNT_PASSWORD} +- networks: +- - serverbase +- depends_on: +- - 
nextcloud +- - postfixadmin ++ - /mnt/repo-base/config/automx/automx.conf:/etc/automx.conf + + nginx: +- image: registry.gitlab.e.foundation:5000/e/infra/docker-nginx:1.17 ++ image: nginx:1.19-alpine + container_name: nginx +- restart: always ++ restart: unless-stopped + networks: +- - serverbase ++ - default + ports: + - "80:8000" + - "443:4430" + volumes: +- - /mnt/repo-base/config-dynamic/nginx/sites-enabled:/etc/nginx/conf.d/ +- - /mnt/repo-base/config-static/nginx/params:/etc/nginx/params/ +- - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/certs +- - /mnt/repo-base/config-dynamic/nginx/passwds:/passwds +- - /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge ++ - /mnt/repo-base/config/nginx/sites-enabled:/etc/nginx/conf.d/ ++ - /mnt/repo-base/config/nginx/params:/etc/nginx/params/ ++ - /mnt/repo-base/config/letsencrypt/certstore:/certs ++ - /mnt/repo-base/config/nginx/passwds:/passwds ++ - /mnt/repo-base/config/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge + - /mnt/repo-base/volumes/nextcloud/html:/var/www/html +- - /mnt/repo-base/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/ + depends_on: + - nextcloud +- - create-account + - automx + - postfixadmin + - welcome +- - eelomailserver +- #- onlyoffice-community-server ++ - mailserver + +-networks: +- serverbase: +- driver: 'bridge' diff --git a/docs/update_onlyoffice.md b/docs/update_onlyoffice.md deleted file mode 100644 index b3bf922fdfc378d44b782679150f28bbad9134ec..0000000000000000000000000000000000000000 --- a/docs/update_onlyoffice.md +++ /dev/null 
@@ -1,53 +0,0 @@ -# UPDATE PROCEDURE (expect downtime) - -```shell -# this is knowingly not using compose functionality to stop/rm/pull - -# Stop containers -docker stop onlyoffice-community-server -docker stop onlyoffice-document-server -docker stop onlyoffice-mail-server - -#Create backup copy of files -cp -pR /mnt/docker/onlyoffice{,.bck} - -# Save image IDs of old images to a file -docker images | grep office > /somewhere/a-file.txt - - -docker rm onlyoffice-community-server -docker rm onlyoffice-document-server -docker rm onlyoffice-mail-server - -docker pull onlyoffice/documentserver -docker pull onlyoffice/communityserver -docker pull onlyoffice/mailserver - -# Start again -cd /mnt/docker/compose -docker-compose up -d -``` - -# ROLLBACK IN CASE OF ISSUE (expect downtime) - -```shell -# Stop and delete containers as above - -# Delete new images -docker rmi onlyoffice/documentserver -docker rmi onlyoffice/communityserver -docker rmi onlyoffice/mailserver - -# Retag the previous images version (see a-file.txt) IMAGE iDs to the correct name, e.g.: -docker tag 9a77d093202e onlyoffice/documentserver -docker tag 0e667b917252 onlyoffice/communityserver -dockr tag 6b2398f473ea onlyoffice/mailserver - -# Move current files to yet another location and move previous backup into original location -mv /mnt/docker/onlyoffice /mnt/docker/onlyoffice.bck.rolledback -mv /mnt/docker/onlyoffice.bck /mnt/docker/onlyoffice - -# Start again -cd /mnt/docker/compose -docker-compose up -d -``` \ No newline at end of file diff --git a/docs/upgrade-to-latest-selfhost-guide.md b/docs/upgrade-to-latest-selfhost-guide.md new file mode 100644 index 0000000000000000000000000000000000000000..f6d80cd7a65e8b4867e5b0af34f8a91c221f47c5 --- /dev/null +++ b/docs/upgrade-to-latest-selfhost-guide.md 
@@ -0,0 +1,81 @@ +## To migrate from old selfhost installation to the latest + +- You can use the [diff](update-from-old-selfhost.diff) to compare and update the `docker-compose.yml` configuration +- You can also follow the steps given below to update the configuration to the latest(Note that volume locations and service names are not changed but old ones are used in the steps given below) + +### Update your docker-compose.yml file and configuration files for your services +1. Run `docker-compose down` to stop all services before upgrading +1. Update `version` to '3' +1. Networking + - Remove the `serverbase` network entry as we move to using the `default` docker network` + - Replace `serverbase` with `default` in the `networks` entry for each service +1. `eelomailserver` + - Update image from `hardware/mailserver:1.1-stable` to `mailserver2/mailserver:1.1.4` + - Add freshclam configuration + - Add [freshclam.conf](../config/mail/clamav/freshclam.conf) to "config-static/mail/clamav/" + - Mount the file through an entry in "volumes" like `- /mnt/repo-base/config-static/mail/clamav/freshclam.conf:/etc/clamav/freshclam.conf` + - Update the `.conf` files in `config-static/mail/dovecot` directory according to the `.conf` files in the [repository](../config/mail/dovecot/) + - Update the `.conf` files in `config-static/mail/rspamd` directory according to the `.conf` files in the [repository](../config/mail/rspamd/) + +1. 
`postfixadmin` + - Update image to `registry.gitlab.e.foundation/e/infra/docker-postfixadmin:2.0.1` + - Ensure that the `DRIVE_SMTP_PASSWORD` and the `DBPASS` environment variables are set in the .env file + - Add the following environment variables to the service + ``` + - DBHOST=mariadb + - DRIVE_SMTP_PASSWORD=${DRIVE_SMTP_PASSWORD} + - POSTFIXADMIN_DB_TYPE=mysqli + - POSTFIXADMIN_DB_HOST=mariadb + - POSTFIXADMIN_DB_USER=postfix + - POSTFIXADMIN_DB_NAME=postfix + - POSTFIXADMIN_DB_PASSWORD=${DBPASS} + - POSTFIXADMIN_SMTP_SERVER=eelomailserver + - POSTFIXADMIN_SMTP_PORT=587 + ``` + - Remove the volume entry `- /mnt/repo-base/scripts/postfixadmin-mailbox-postdeletion.sh:/usr/local/bin/postfixadmin-mailbox-postdeletion.sh` as it is bundled in the image +1. `mariadb` + - Update image to `mariadb:10.3` + - Remove the volume entry `- /mnt/repo-base/config-dynamic/nextcloud/database:/docker-entrypoint-initdb.d` + - Add the [ecloud.cnf](../config/mariadb/ecloud.cnf) to `config-static/mariadb/` on your server + - Add the volume entry `- /mnt/repo-base/config-static/mariadb/:/etc/mysql/conf.d/:ro` +1. `redis` + - Update image to `redis:6.0-alpine` +1. `welcome` + - Update image to `registry.gitlab.e.foundation/e/infra/docker-welcome:2.1.2` + - Ensure that the `NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET` environment variable is set correctly in the .env file + - Ensure that the `NC_HOST_IP` environment variable is set to point to your server's IP address in the .env file + - Add the following environment variables: + ``` + - SMTP_PORT=587 + - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} + - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} + - NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET=${NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET} + ``` + - Add the following `extra_hosts` entry: + ``` + extra_hosts: + - "${DOMAIN}:${NC_HOST_IP}" + ``` +1. 
`nextcloud` + - Update image to `registry.gitlab.e.foundation/e/infra/ecloud/nextcloud:316db4e0` + - Add the following environment variables: + ``` + - MYSQL_DATABASE=${MYSQL_DATABASE_NC} + - MYSQL_USER=${MYSQL_USER_NC} + - MYSQL_PASSWORD=${MYSQL_PASSWORD_NC} + - MYSQL_HOST=mariadb + - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} + - OVERWRITEPROTOCOL=https + - NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET=${NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET} + ``` + - Update the `x-fpm-overloads.conf` and `x-php-overloads.ini` files in `config-static/nextcloud/` using the files in [config/nextcloud](../config/nextcloud/) as reference +1. `create-account`: Remove the `create-account` service as it is no longer used +1. `nginx` + - Update image to `nginx:1.19-alpine` + - Set `restart` value to `unless-stopped` + - Remove `create-account` from the `depends_on` entry + - Update the files in `config-static/nginx/params` using the files in [config/nginx/params](../config/nginx/params/) for reference + - Update the configs in `config-dynamic/nginx/sites-enabled/` using the configs in [templates/nginx/sites-enabled](../templates/nginx/sites-enabled/) in repository for reference +1. Pull and update the latest versions + - Run `docker-compose pull` + - Run `docker-compose up --force-recreate -d` \ No newline at end of file diff --git a/scripts/base.sh b/scripts/base.sh index be318b29972149029fd99aa1f413229807ea2859..3675432dd1e25511bd1b243c24b42da9ca8adfa6 100755 --- a/scripts/base.sh +++ b/scripts/base.sh @@ -21,7 +21,6 @@ MYSQL_USER_NC=$(grep ^MYSQL_USER_NC= "$ENVFILE" | awk -F= '{ print $NF }') MYSQL_PASSWORD_NC=$(grep ^MYSQL_PASSWORD_NC= "$ENVFILE" | awk -F= '{ print $NF }') MYSQL_ROOT_PASSWORD=$(grep ^MYSQL_ROOT_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') -INSTALL_ONLYOFFICE=$(grep ^INSTALL_ONLYOFFICE= "$ENVFILE" | awk -F= '{ print $NF }') DRIVE_SMTP_PASSWORD=$(grep ^DRIVE_SMTP_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') 
diff --git a/scripts/bootstrap-commons.sh b/scripts/bootstrap-commons.sh new file mode 100644 index 0000000000000000000000000000000000000000..69950ac1a5956bf12ac6a35ca4f05498b3ae138b --- /dev/null +++ b/scripts/bootstrap-commons.sh 
@@ -0,0 +1,92 @@ +#!/usr/bin/env bash + +function getRandomString { + LENGTH=$1 + CHARACTERS=$2 + cat /dev/urandom | tr -dc $CHARACTERS | fold -w $LENGTH | head -n 1 +} + +function replaceTokensWithRandomStrings { + INPUT="$1" + TOBEREPLACED=$(echo "$INPUT" | grep -o -e '@@@generate@@@:[u|l]:[0-9]\+@' -e '@@@generate@@@:[0-9]\+@') + LOWERCASED=$(echo "$TOBEREPLACED" | grep -o ':l') + UPPERCASED=$(echo "$TOBEREPLACED" | grep -o ':u') + REPLACEMENT_LENGTH=$(echo "$TOBEREPLACED" | awk -F: '{ print $NF }' | sed 's/@$//g') + if [ ! -z "$LOWERCASED" ] + then + RANDOMPART=$(getRandomString $REPLACEMENT_LENGTH 'a-z0-9') + elif [ ! -z "$UPPERCASED" ] + then + RANDOMPART=$(getRandomString $REPLACEMENT_LENGTH 'A-Z0-9') + else + RANDOMPART=$(getRandomString $REPLACEMENT_LENGTH 'a-zA-Z0-9') + fi + echo "$INPUT" | sed "s/$TOBEREPLACED/$RANDOMPART/g" +} + +function doReplacementIfNecessary { + VALUE="$1" + echo "$VALUE" | grep -q "@@@generate@@@" && replaceTokensWithRandomStrings "$VALUE" || echo "$VALUE" +} + +function getValidationPattern { + INPUT="$1" + echo "$INPUT" | sed 's/^.*||||//g' | sed 's/;;;;.*$//g' +} + +function getInputDirectionMessage { + INPUT="$1" + echo "$INPUT" | sed 's/^.*;;;;//g' +} + +function getQuestion { + INPUT="$1" + echo "$INPUT" | sed 's/||||.*$//g' +} + +function generateEnvFile { + QUESTFILE="$1" + ANSWERFILE="$2" + ENVFILE="$3" + while read KEY VALUE; do + PREVVALUE="$VALUE" + VALUE=$(doReplacementIfNecessary "$VALUE") + if [[ "$PREVVALUE" = "$VALUE" ]] + then + if [[ "$#" -ne 1 ]] + then + DEFVAL=$(echo "$PREVVALUE" | grep -q ";default$" && echo "$PREVVALUE" | sed 's/;default$//g' || echo 0) + if [[ "$DEFVAL" = "0" ]] + then + PATTERN=$(getValidationPattern "$VALUE") + INPUT_DIRECTION=$(getInputDirectionMessage "$VALUE") + QUESTION=$(getQuestion "$VALUE") + echo "$QUESTION" + if [[ "$PATTERN$INPUT_DIRECTION" = "$VALUE$VALUE" ]] + then + read INPUT < /dev/tty + else + FIRST=1 + while [[ $(echo "$INPUT" | grep -q -P "$PATTERN" && echo ok || echo 
nok) = "nok" ]]; do + if [[ ${FIRST} != "1" ]] + then + echo "$INPUT_DIRECTION" + else + FIRST=0 + fi + read INPUT < /dev/tty + :; done + fi + echo "$KEY=$INPUT" >> "$ENVFILE" + else + echo "$KEY=$DEFVAL" >> "$ENVFILE" + fi + else + VALUE=$(grep "^$KEY=" "$ANSWERFILE" | awk -F= '{ print $NF }') + echo "$KEY=$VALUE" >> "$ENVFILE" + fi + else + echo "$KEY=$VALUE" >> "$ENVFILE" + fi + :;done <<< "$(grep -v \# ${QUESTFILE} | sed '/^$/d'| sed 's/=/ /g')" +} diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh new file mode 100644 index 0000000000000000000000000000000000000000..e6a4ac10fa9bbabadfeb50b6a7bd9bff79efb15b --- /dev/null +++ b/scripts/bootstrap.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +################################################################################ +apt-get update && apt install -y --asume-yes true git salt-minion +################################################################################ + + +# Init salt-minion (masterless) +cp /mnt/repo-base/deployment/salt/init-config/masterless.conf /etc/salt/minion.d/ + +# Run repo init (might run a few minutes) +echo "System update and packages installation .." +salt-call state.apply docker-compose + + +# init repo +bash /mnt/repo-base/scripts/init-repo.sh $ENVIRONMENT diff --git a/scripts/delete-account.sh b/scripts/delete-account.sh index c4d42af50b3138cab9c41a22f7d1b0f9b6e27310..47875876cde3e665406b7a24ef0d0d4b19f72106 100755 --- a/scripts/delete-account.sh +++ b/scripts/delete-account.sh @@ -19,5 +19,4 @@ if [[ $response =~ ^([yY][eE][sS]|[yY])$ ]]; then echo "Deleting email account" docker-compose exec -T postfixadmin /postfixadmin/scripts/postfixadmin-cli mailbox delete "$ACCOUNT" - # TODO: delete onlyoffice account??? fi diff --git a/scripts/generate-signup-link.sh b/scripts/generate-signup-link.sh index bbe839a4f3a26541b412b86b8639b90314ed4f80..3704879a27872687ad3ce8fe7018a11440932529 100755 --- a/scripts/generate-signup-link.sh +++ b/scripts/generate-signup-link.sh 
@@ -29,4 +29,4 @@ echo -e "to:$EMAIL from:drive@$DOMAIN subject:Signup for $DOMAIN You can now sign up for your $DOMAIN account at $SIGNUP_URL" | \ - docker exec -i $(docker-compose ps -q eelomailserver) sendmail -t + docker exec -i $(docker-compose ps -q mailserver) sendmail -t diff --git a/scripts/init-repo.sh b/scripts/init-repo.sh index d5ca69d267236780b5fd11089516d1276c653151..1e9571e363adaa0c9213b28deb1f7cd48f2767d4 100755 --- a/scripts/init-repo.sh +++ b/scripts/init-repo.sh @@ -6,7 +6,7 @@ function validateDomains { (INPUT=$(echo "$INPUT"| sed 's@;@,@g' | sed 's@ @,@g'); IFS=','; for DOMAIN in $INPUT; do echo "$DOMAIN" | xargs; done) | while read line; do echo "$line"; done | sort -u | while read line; do echo $line | grep -P '(?=^.{4,253}$)(^(?:[a-zA-Z0-9](?:(?:[a-zA-Z0-9\-]){0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$)'; done | tr "\n" "," | sed 's@,$@@g' } -source <(curl -s https://gitlab.e.foundation/e/infra/bootstrap/raw/master/bootstrap-commons.sh) +source /mnt/repo-base/scripts/bootstrap-commons.sh cd "/mnt/repo-base/" ENVFILE="/mnt/repo-base/.env" 
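Review bot: replacing `source <(curl -s https://gitlab.e.foundation/.../bootstrap-commons.sh)` with `source /mnt/repo-base/scripts/bootstrap-commons.sh` changes the installer's trust boundary and deserves a line in the commit message: the old form executed whatever the unauthenticated master branch served at that moment, with no integrity check, and `curl -s` on a failed download would have sourced an empty string and continued. With the helper now sourced from the checked-out repo, make the failure mode loud: either run init-repo.sh under `set -e` or write `source /mnt/repo-base/scripts/bootstrap-commons.sh || exit 1`, otherwise a missing file just turns every helper call below into a command-not-found and the .env is generated half-empty.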
@@ -57,19 +57,8 @@ echo "WEBSITE_SECRET=not_defined" >> "$ENVFILE" source /mnt/repo-base/scripts/base.sh DC_DIR="templates/docker-compose/" -case $INSTALL_ONLYOFFICE in - [Yy]* ) - cat "${DC_DIR}docker-compose-base.yml" "${DC_DIR}docker-compose-onlyoffice.yml" "${DC_DIR}docker-compose-networks.yml" > docker-compose.yml; - cat "templates/nginx/sites-enabled/onlyoffice.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/onlyoffice.conf" - OFFICE_DOMAIN=",office.$DOMAIN" - OFFICE_LETSENCRYPT_KEY="config-dynamic/letsencrypt/certstore/live/office.$DOMAIN/privkey.pem" - NUM_CERTIFICATES="4" - ;; - [Nn]* ) - cat "${DC_DIR}docker-compose-base.yml" "${DC_DIR}docker-compose-networks.yml" > docker-compose.yml - NUM_CERTIFICATES="3" - ;; -esac +cat "${DC_DIR}docker-compose.yml" > docker-compose.yml +NUM_CERTIFICATES="3" # To be constructed repo specific echo "VHOSTS_ACCOUNTS=welcome.$DOMAIN" >> "$ENVFILE" 
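Review bot: `cat "${DC_DIR}docker-compose.yml" > docker-compose.yml` is a `cp` in disguise now that the file is no longer assembled from several templates; `cp "${DC_DIR}docker-compose.yml" docker-compose.yml` states the intent and fails loudly with the source path in the error if the template is missing, whereas the redirect leaves an empty docker-compose.yml behind.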
@@ -83,32 +72,32 @@ echo "VIRTUAL_HOST=$VIRTUAL_HOST" >> "$ENVFILE" # finished .env file generation # fill autorenew config -rm -f "/mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat" -echo "$DOMAIN,$VIRTUAL_HOST,mail.$DOMAIN,spam.$DOMAIN,welcome.$DOMAIN$OFFICE_DOMAIN" | tr "," "\n" | while read CURDOMAIN; do - echo "$CURDOMAIN" >> config-dynamic/letsencrypt/autorenew/ssl-domains.dat +rm -f "/mnt/repo-base/config/letsencrypt/autorenew/ssl-domains.dat" +echo "$DOMAIN,$VIRTUAL_HOST,mail.$DOMAIN,spam.$DOMAIN,welcome.$DOMAIN" | tr "," "\n" | while read CURDOMAIN; do + echo "$CURDOMAIN" >> config/letsencrypt/autorenew/ssl-domains.dat :; done # Configure automx -cat templates/automx/automx.conf | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/automx/automx.conf" -chown www-data:www-data "config-dynamic/automx/automx.conf" +cat templates/automx/automx.conf | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/automx/automx.conf" +chown www-data:www-data "config/automx/automx.conf" + +# Configure rspamd whitelist +cat templates/mail/rspamd/whitelist.sender.domain.map | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/mail/rspamd/whitelist.sender.domain.map" # Configure nginx vhost # automx echo "$DOMAIN,$ADD_DOMAINS" | tr "," "\n" | while read CURDOMAIN; do - cat "templates/nginx/sites-enabled/autoconfig.conf" | sed "s/@@@DOMAIN@@@/$CURDOMAIN/g" | sed "s/@@@SERVICE@@@/autoconfig/g" > "config-dynamic/nginx/sites-enabled/autoconfig.$CURDOMAIN.conf" - cat "templates/nginx/sites-enabled/autoconfig.conf" | sed "s/@@@DOMAIN@@@/$CURDOMAIN/g" | sed "s/@@@SERVICE@@@/autodiscover/g" > "config-dynamic/nginx/sites-enabled/autodiscover.$CURDOMAIN.conf" + cat "templates/nginx/sites-enabled/autoconfig.conf" | sed "s/@@@DOMAIN@@@/$CURDOMAIN/g" | sed "s/@@@SERVICE@@@/autoconfig/g" > "config/nginx/sites-enabled/autoconfig.$CURDOMAIN.conf" + cat "templates/nginx/sites-enabled/autoconfig.conf" | sed "s/@@@DOMAIN@@@/$CURDOMAIN/g" | sed "s/@@@SERVICE@@@/autodiscover/g" > 
"config/nginx/sites-enabled/autodiscover.$CURDOMAIN.conf" :; done # other hosts -cat "templates/nginx/sites-enabled/nextcloud.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/nextcloud.conf" -cat "templates/nginx/sites-enabled/postfixadmin.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/postfixadmin.conf" -cat "templates/nginx/sites-enabled/rspamd.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/rspamd.conf" -cat "templates/nginx/sites-enabled/welcome.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config-dynamic/nginx/sites-enabled/welcome.conf" - -cp "templates/nextcloud/x-fpm-overloads.conf" "config-dynamic/nextcloud/x-fpm-overloads.conf" -cp "templates/nextcloud/x-php-overloads.ini" "config-dynamic/nextcloud/x-php-overloads.ini" +cat "templates/nginx/sites-enabled/nextcloud.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/nginx/sites-enabled/nextcloud.conf" +cat "templates/nginx/sites-enabled/postfixadmin.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/nginx/sites-enabled/postfixadmin.conf" +cat "templates/nginx/sites-enabled/rspamd.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/nginx/sites-enabled/rspamd.conf" +cat "templates/nginx/sites-enabled/welcome.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/nginx/sites-enabled/welcome.conf" # confirm DNS is ready echo "" @@ -128,7 +117,7 @@ echo "$ADD_DOMAINS" | tr "," "\n" | while read CURDOMAIN; do :; done echo "PTR(For reverse DNS),|,,|,mail.$DOMAIN,|,-" >> "$tempfile" echo "" -echo "$VIRTUAL_HOST,spam.$DOMAIN,welcome.$DOMAIN$OFFICE_DOMAIN" | tr "," "\n" | while read CURDOMAIN; do +echo "$VIRTUAL_HOST,spam.$DOMAIN,welcome.$DOMAIN" | tr "," "\n" | while read CURDOMAIN; do echo "CNAME,|,$CURDOMAIN,|,mail.$DOMAIN,|,-" >> "$tempfile" :; done column "$tempfile" -t -s "," 
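Review bot: this hunk moves every rendered, host-specific file (automx.conf, the rspamd `whitelist.sender.domain.map`, all nginx vhosts, the autorenew `ssl-domains.dat`) out of `config-dynamic/` and into `config/`, the tree that previously held only static configuration. Confirm those generated paths are excluded from version control; otherwise the first `git status` after an install shows per-host configuration as untracked changes and a later `git pull` can conflict with or overwrite them. Separately, the rspamd sender-domain whitelist is now seeded with `$DOMAIN` from a template: whitelisting by sender domain alone is trivially spoofable, so this map should only carry weight when rspamd also has an aligned SPF or DKIM result for that domain; worth a comment in the template so the next person does not add third-party domains to it.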
@@ -160,12 +149,15 @@ then exit 1 fi +# Add NC_HOST_IP env variable to .env +echo "NC_HOST_IP=$IP" >> "$ENVFILE" + # Run LE cert request bash scripts/ssl-renew.sh # verify LE status -CTR_LE=$(find config-dynamic/letsencrypt/certstore/live/mail.$DOMAIN/privkey.pem config-dynamic/letsencrypt/certstore/live/spam.$DOMAIN/privkey.pem config-dynamic/letsencrypt/certstore/live/welcome.$DOMAIN/privkey.pem $OFFICE_LETSENCRYPT_KEY 2>/dev/null| wc -l) -CTR_AC_LE=$(echo "$VIRTUAL_HOST" | tr "," "\n" | while read CURDOMAIN; do find config-dynamic/letsencrypt/certstore/live/$CURDOMAIN/privkey.pem 2>/dev/null | grep $CURDOMAIN && echo found || echo missing; done | grep missing | wc -l) +CTR_LE=$(find config/letsencrypt/certstore/live/mail.$DOMAIN/privkey.pem config/letsencrypt/certstore/live/spam.$DOMAIN/privkey.pem config/letsencrypt/certstore/live/welcome.$DOMAIN/privkey.pem 2>/dev/null| wc -l) +CTR_AC_LE=$(echo "$VIRTUAL_HOST" | tr "," "\n" | while read CURDOMAIN; do find config/letsencrypt/certstore/live/$CURDOMAIN/privkey.pem 2>/dev/null | grep $CURDOMAIN && echo found || echo missing; done | grep missing | wc -l) if [ "$CTR_LE$CTR_AC_LE" = "${NUM_CERTIFICATES}0" ] then @@ -178,12 +170,13 @@ else fi # create nextcloud config -mkdir -p "/mnt/repo-base/volumes/nextcloud/config/" +mkdir -p /mnt/repo-base/volumes/nextcloud/{html,data,log} +mkdir "/mnt/repo-base/volumes/nextcloud/html/config/" cat /mnt/repo-base/templates/nextcloud/config.php | sed "s/@@@DOMAIN@@@/$DOMAIN/g" | \ sed "s/@@@DRIVE_SMTP_PASSWORD@@@/$DRIVE_SMTP_PASSWORD/g" | sed "s/@@@PFDB_DB@@@/$PFDB_DB/g" | \ sed "s/@@@PFDB_USR@@@/$PFDB_USR/g" | sed "s/@@@DBPASS@@@/$PFDB_DBPASS/g" > \ - "/mnt/repo-base/volumes/nextcloud/config/config.php" -chown www-data:www-data "/mnt/repo-base/volumes/nextcloud/" -R + "/mnt/repo-base/volumes/nextcloud/html/config/config.php" +chown -R www-data: "/mnt/repo-base/volumes/nextcloud/" docker-compose up -d 
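Review bot: `mkdir "/mnt/repo-base/volumes/nextcloud/html/config/"` directly after `mkdir -p /mnt/repo-base/volumes/nextcloud/{html,data,log}` lacks `-p`, so re-running init-repo.sh, or installing onto an existing volume, fails here with "File exists" (and aborts the script if it runs under `set -e`); use `mkdir -p` for both. Minor: `echo "NC_HOST_IP=$IP" >> "$ENVFILE"` now lands well after the `# finished .env file generation` comment earlier in this file, so either move the append up next to the other generated values or update that comment.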
diff --git a/scripts/postfixadmin-mailbox-postdeletion.sh b/scripts/postfixadmin-mailbox-postdeletion.sh index f3c47815adee157af774defc611531e1752905cd..e89e9e3871306e764c747da753f9d85670d6cc04 100755 --- a/scripts/postfixadmin-mailbox-postdeletion.sh +++ b/scripts/postfixadmin-mailbox-postdeletion.sh @@ -7,7 +7,7 @@ # the script is actually run by the pfexec user -# the script handles deletion in a bind-mounted dir shared with eelomailserver +# the script handles deletion in a bind-mounted dir shared with mailserver # so pfexec user has no right over it. it needs a specific sudo perm #to be able to only run this script # the /etc/sudoers line added to the container during install : diff --git a/scripts/postinstall.sh b/scripts/postinstall.sh index 78c204d047736b695830e7c25fc962ef17dfb0a6..3c3370acc8231c23b7dfe2633a1f59c42a8c9898 100755 --- a/scripts/postinstall.sh +++ b/scripts/postinstall.sh 
@@ -18,38 +18,52 @@ docker-compose exec -T --user www-data nextcloud php occ maintenance:install \ --admin-user="$NEXTCLOUD_ADMIN_USER" --admin-pass="$NEXTCLOUD_ADMIN_PASSWORD" \ --admin-email="$ALT_EMAIL" --database="mysql" --database-pass="$MYSQL_PASSWORD_NC" \ --database-name="$MYSQL_DATABASE_NC" --database-host="mariadb" --database-user="$MYSQL_USER_NC" \ - --database-port="3306" --database-table-prefix="" + --database-port="3306" --data-dir="/var/www/data" docker-compose exec -T --user www-data nextcloud php occ db:convert-filecache-bigint --no-interaction # Nextcloud resets trusted_domains to localhost during installation, so we have to set it again docker-compose exec -T --user www-data nextcloud php occ config:system:set trusted_domains 0 --value="$DOMAIN" - -echo "Installing nextcloud plugins" -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install calendar -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install tasks -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install notes -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install user_backend_sql_raw -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install rainloop +docker-compose exec -T --user www-data nextcloud php occ app:disable theming + +# Set background jobs to use system cron +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ background:cron + +# add crontab on the server to run cron.php every 5 minutes +crontab -l | { + cat + echo "*/5 * * * * cd /mnt/repo-base && /usr/bin/docker-compose exec -T -u www-data nextcloud php -f /var/www/html/cron.php 2>&1 | /usr/bin/logger -t NC_CRON" +} | crontab - + +# Update theme +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ maintenance:theme:update + +echo "Enabling nextcloud apps" +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable calendar 
+docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable notes +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable user_backend_sql_raw +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable rainloop +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable quota_warning +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable contacts +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable news +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable email-recovery +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable ecloud_drop_account +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable ecloud-theme-helper +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable ecloud-launcher +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:disable firstrunwizard docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:app:set rainloop rainloop-autologin --value 1 -git clone --single-branch https://framagit.org/tcit/drop_user.git volumes/nextcloud/custom_apps/drop_account -docker-compose exec -T --user www-data nextcloud php occ app:enable drop_account +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install tasks +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install drop_account + +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:system:set integrity.check.disabled --value='true' --type=boolean echo "Installing custom ecloud drop account plugin" # Add WELCOME_SECRET from .env file as a system config value, to be used by our ecloud_drop_account plugin docker-compose exec -T --user www-data nextcloud php occ config:system:set e_welcome_secret --value="$WELCOME_SECRET" # Add 
VHOST_ACCOUNTS from .env file as a system config value, to be used by our ecloud_drop_account plugin docker-compose exec -T --user www-data nextcloud php occ config:system:set e_welcome_domain --value="welcome.$DOMAIN" -git clone --single-branch https://gitlab.e.foundation/e/infra/selfhost/nextcloud-apps/ecloud-drop-account.git volumes/nextcloud/custom_apps/ecloud_drop_account -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable ecloud_drop_account - -echo "Installing Nextcloud theme" -wget "https://gitlab.e.foundation/api/v4/projects/315/repository/archive.tar.gz" -O "/tmp/nextcloud-theme.tar.gz" -tar -xzf "/tmp/nextcloud-theme.tar.gz" -C "volumes/nextcloud/html/themes/" --strip-components=1 -chown www-data:www-data "volumes/nextcloud/html/themes/" -R -rm "/tmp/nextcloud-theme.tar.gz" - -docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:system:set theme --value eelo +# Add missing indices +docker-compose exec -T --user www-data nextcloud php /var/www/html/occ db:add-missing-indices docker-compose exec -T --user www-data nextcloud php occ maintenance:mode --off 
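Review bot: `config:system:set integrity.check.disabled --value='true' --type=boolean` permanently switches off Nextcloud's code-signing verification for core and apps. That check is the one built-in control that tells an admin when PHP files under /var/www/html were modified after deployment, so disabling it globally to silence warnings about the custom theme or the ecloud apps trades away tamper detection; if the custom image is what triggers it, prefer signing those apps or scoping the exception to them, and at minimum document the reason on this line. Second, the `crontab -l | { cat; echo "*/5 * * * * …" } | crontab -` block is not idempotent: each run of postinstall.sh appends another copy of the cron.php job, so guard it with `crontab -l 2>/dev/null | grep -qF 'cron.php' ||` before the block.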
@@ -64,15 +78,10 @@ done chown www-data:www-data /mnt/repo-base/volumes/nextcloud/ -R echo "Creating postfix database schema" -curl --silent -L https://mail.$DOMAIN/setup.php > /dev/null +curl --silent -L https://mail.$DOMAIN/setup.php >/dev/null echo "Adding Postfix admin superadmin account" -docker-compose exec -T postfixadmin /postfixadmin/scripts/postfixadmin-cli admin add $ALT_EMAIL --password $PFA_SUPERADMIN_PASSWORD --password2 $PFA_SUPERADMIN_PASSWORD --superadmin - -# adding sudo to postfixadmin container -docker-compose exec -T postfixadmin apk add sudo -# giving pfexec user a specific sudo perm ONLY for launching the bind-mounted mailbox-postdeletion script -docker-compose exec -T postfixadmin bash -c 'echo "" >> /etc/sudoers && echo "#pfexec single command perm" >> /etc/sudoers && echo "pfexec ALL=(root) NOPASSWD: /usr/local/bin/postfixadmin-mailbox-postdeletion.sh" >> /etc/sudoers' +docker-compose exec -T postfixadmin /postfixadmin/scripts/postfixadmin-cli admin add $ALT_EMAIL --password $PFA_SUPERADMIN_PASSWORD --password2 $PFA_SUPERADMIN_PASSWORD --superadmin 1 # Adding domains to postfix is done by docker exec instead of docker-compose exec on purpose. Reason: with compose the loop aborts after the first item for an unknown reason echo "Adding domains to Postfix" 
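Review bot: this hunk removes `apk add sudo` and the `/etc/sudoers` entry that let `pfexec` run `/usr/local/bin/postfixadmin-mailbox-postdeletion.sh`, but `scripts/postfixadmin-mailbox-postdeletion.sh` in this same commit still documents that mechanism ("it needs a specific sudo perm … the /etc/sudoers line added to the container during install"), and the new compose file no longer bind-mounts that script into the postfixadmin container. Either docker-postfixadmin:2.0.1 now ships the script and the sudo rule, in which case the comment should say so, or deleting a mailbox from PostfixAdmin stops removing the maildir on disk and deleted users' data lingers; please verify which and state it in the commit message. Unrelated to the whitespace change on the line above, `curl --silent -L https://mail.$DOMAIN/setup.php` creates the schema through the public vhost, so PostfixAdmin's setup page is internet-reachable at install time; confirm it is disabled or password-protected once this step has run.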
@@ -84,10 +93,19 @@ echo "Adding email accounts used by system senders (drive, ...)" docker-compose exec -T postfixadmin /postfixadmin/scripts/postfixadmin-cli mailbox add drive@$DOMAIN --password $DRIVE_SMTP_PASSWORD --password2 $DRIVE_SMTP_PASSWORD --name "drive" --email-other $ALT_EMAIL docker-compose exec -T postfixadmin /postfixadmin/scripts/postfixadmin-cli mailbox add $SMTP_FROM --password $SMTP_PW --password2 $SMTP_PW --name "welcome" --email-other $ALT_EMAIL + +echo "Setting the right domain in welcome templates" +docker-compose exec -T welcome find /var/www/html/invite_template/ -type f -exec sed -i "s/ecloud.global/$DOMAIN/g" {} \; +docker-compose exec -T welcome find /var/www/html/invite_template/ -type f -exec sed -i "s/e.email/$DOMAIN/g" {} \; +docker-compose exec -T welcome find /var/www/html/ -type f -name '*.html' -exec sed -i "s/e.email/$DOMAIN/g" {} \; + # display DKIM DNS setup info/instructions to the user echo -e "\n\n\n" echo -e "Please add the following records to your domain's DNS configuration:\n" -find /mnt/repo-base/volumes/mail/dkim/ -maxdepth 1 -mindepth 1 -type d | while read line; do DOMAIN=$(basename $line); echo " - DKIM record (TXT) for $DOMAIN:" && cat $line/public.key; done +find /mnt/repo-base/volumes/mail/dkim/ -maxdepth 1 -mindepth 1 -type d | while read line; do + DOMAIN=$(basename $line) + echo " - DKIM record (TXT) for $DOMAIN:" && cat $line/mail.public.key +done echo "=================================================================================================================================" echo "=================================================================================================================================" diff --git a/scripts/show-info.sh b/scripts/show-info.sh index e25eb5f0a9ee8a444440de3b933065acb6297bd0..8a642433ec2e705eb2f9b7ffb1de866f7e889536 100755 --- a/scripts/show-info.sh +++ b/scripts/show-info.sh 
@@ -3,14 +3,14 @@ set -e source /mnt/repo-base/scripts/base.sh -SPAM_UI=$(grep server_name $(grep -l mailserver:11334 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') +SPAM_UI=$(grep server_name $(grep -l mailserver:11334 /mnt/repo-base/config/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') RSPAMD_PASSWORD=$(grep ^RSPAMD_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') -NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:9000 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') +NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:9000 /mnt/repo-base/config/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') NEXTCLOUD_ADMIN_USER=$(grep ^NEXTCLOUD_ADMIN_USER= "$ENVFILE" | awk -F= '{ print $NF }') NEXTCLOUD_ADMIN_PASSWORD=$(grep ^NEXTCLOUD_ADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') -POSTFIX_UI=$(grep server_name $(grep -l postfixadmin:8888 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') +POSTFIX_UI=$(grep server_name $(grep -l postfixadmin /mnt/repo-base/config/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g') POSTFIX_USER=$(grep ALT_EMAIL= "$ENVFILE" | awk -F= '{ print $NF }') POSTFIX_PASSWORD=$(grep PFA_SUPERADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }') diff --git a/scripts/ssl-renew.sh b/scripts/ssl-renew.sh index 0dfb204d13594e4e0fecb9eee409b9bc421ce0a4..2fd4cab81382c5add96f1fb624588daec6698bc8 100755 --- a/scripts/ssl-renew.sh +++ b/scripts/ssl-renew.sh 
@@ -3,8 +3,8 @@ source /mnt/repo-base/scripts/base.sh -CONFIG=/mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat -CONFIG_DIR=/mnt/repo-base/config-dynamic/letsencrypt/certstore +CONFIG=/mnt/repo-base/config/letsencrypt/autorenew/ssl-domains.dat +CONFIG_DIR=/mnt/repo-base/config/letsencrypt/certstore LIVE_DIR=$CONFIG_DIR/live cat "$CONFIG" | while read DOMAIN; do @@ -16,7 +16,7 @@ cat "$CONFIG" | while read DOMAIN; do else CERT_UPDATED_FILE="$LIVE_DIR/$DOMAIN/cert-updated" certbot certonly -d "$DOMAIN" --non-interactive -m "$ALT_EMAIL" --agree-tos \ - --webroot --webroot-path='/mnt/repo-base/config-dynamic/letsencrypt/acme-challenge/' \ + --webroot --webroot-path='/mnt/repo-base/config/letsencrypt/acme-challenge/' \ --config-dir="$CONFIG_DIR" \ --deploy-hook "touch $CERT_UPDATED_FILE" # add the following parameters to test renewal (will install invalid certificates) @@ -27,7 +27,7 @@ cat "$CONFIG" | while read DOMAIN; do echo "Certificate for $DOMAIN renewed and is valid until: $VALID_UNTIL" docker-compose exec -T nginx nginx -s reload if [ "$DOMAIN" = "$MAILHOST" ]; then - docker-compose restart eelomailserver + docker-compose restart mailserver fi fi fi diff --git a/templates/docker-compose/docker-compose-base.yml b/templates/docker-compose/docker-compose-base.yml deleted file mode 100644 index dc1873e6e476829a20a882e9233ca2a73e83c04f..0000000000000000000000000000000000000000 --- a/templates/docker-compose/docker-compose-base.yml +++ /dev/null 
@@ -1,159 +0,0 @@ -version: '2.1' - -services: - eelomailserver: - image: hardware/mailserver:1.1-stable - container_name: eelomailserver - domainname: ${DOMAIN} # Mail server A/MX/FQDN & reverse PTR = mail.${DOMAIN}. - hostname: mail - restart: always - networks: - - serverbase - ports: - - "25:25" # SMTP - Required - - "110:110" # POP3 STARTTLS - Optional - For webmails/desktop clients - - "143:143" # IMAP STARTTLS - Optional - For webmails/desktop clients - # - "465:465" # SMTPS SSL/TLS - Optional - Enabled for compatibility reason, otherwise disabled - - "587:587" # Submission STARTTLS - Optional - For webmails/desktop clients - - "993:993" # IMAPS SSL/TLS - Optional - For webmails/desktop clients - - "995:995" # POP3S SSL/TLS - Optional - For webmails/desktop clients - - "4190:4190" # SIEVE STARTTLS - Optional - Recommended for mail filtering - environment: - - DBPASS=${DBPASS} - - RSPAMD_PASSWORD=${RSPAMD_PASSWORD} - - ADD_DOMAINS=${ADD_DOMAINS} - - ENABLE_POP3=${ENABLE_POP3} - - DISABLE_RATELIMITING=${DISABLE_RATELIMITING} - - RELAY_NETWORKS=172.16.0.0/12 - # Full list of options: https://github.com/hardware/mailserver#environment-variables - volumes: - - /mnt/repo-base/volumes/mail:/var/mail - - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/etc/letsencrypt - - /mnt/repo-base/config-static/mail/dovecot/10-mail.conf:/etc/dovecot/conf.d/10-mail.conf - - /mnt/repo-base/config-static/mail/dovecot/90-quota.conf:/etc/dovecot/conf.d/90-quota.conf - - /mnt/repo-base/config-static/mail/dovecot/90-sieve.conf:/etc/dovecot/conf.d/90-sieve.conf - - /mnt/repo-base/config-static/mail/rspamd/multimap.conf:/etc/rspamd/local.d/multimap.conf - - /mnt/repo-base/config-static/mail/rspamd/whitelist.sender.domain.map:/etc/rspamd/local.d/whitelist.sender.domain.map - - /mnt/repo-base/config-static/mail/rspamd/ratelimit.conf:/etc/rspamd/local.d/ratelimit.conf - depends_on: - - mariadb - - redis - - postfixadmin: - image: 
registry.gitlab.e.foundation:5000/e/infra/docker-postfixadmin:1.0.0 - container_name: postfixadmin - restart: always - networks: - - serverbase - environment: - - DBPASS=${DBPASS} - - DOMAIN=${DOMAIN} - - POSTFIXADMIN_SSH_PASSWORD=${POSTFIXADMIN_SSH_PASSWORD} - - SMTPHOST=${SMTP_HOST} - - ADMIN_SMTP_PASSWORD=${DRIVE_SMTP_PASSWORD} - volumes: - - /mnt/repo-base/volumes/mail:/var/mail - - /mnt/repo-base/scripts/postfixadmin-mailbox-postdeletion.sh:/usr/local/bin/postfixadmin-mailbox-postdeletion.sh - depends_on: - - eelomailserver - - mariadb - - mariadb: - image: mariadb:10.3.17 - container_name: mariadb - restart: always - networks: - - serverbase - environment: - # Note: These variables are only used for the first start. Later changes are ignored. - - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} - - MYSQL_DATABASE=${PFDB_DB} - - MYSQL_USER=${PFDB_USR} - - MYSQL_PASSWORD=${DBPASS} - volumes: - - /mnt/repo-base/volumes/mysql/db:/var/lib/mysql - - /mnt/repo-base/config-dynamic/nextcloud/database:/docker-entrypoint-initdb.d - - redis: - image: redis:5.0-alpine - container_name: redis - restart: always - networks: - - serverbase - command: redis-server --appendonly yes - volumes: - - /mnt/repo-base/volumes/redis/db:/data - - /mnt/repo-base/volumes/redis/tmp:/tmp/redis - - welcome: - image: registry.gitlab.e.foundation:5000/e/infra/docker-welcome:1.1.0 - container_name: welcome - environment: - - DOMAINS=${VHOSTS_ACCOUNTS} - - DOMAIN=${DOMAIN} - - IS_WELCOME=true - - PFDB_HOST=mariadb - - PFDB_DB=${PFDB_DB} - - PFDB_USR=${PFDB_USR} - - PFDB_PW=${DBPASS} - - POSTFIXADMIN_SSH_PASSWORD=${POSTFIXADMIN_SSH_PASSWORD} - - WELCOME_SECRET_SHA=${WELCOME_SECRET_SHA} - - WEBSITE_SECRET=${WEBSITE_SECRET} - - SMTP_HOST=${SMTP_HOST} - - SMTP_FROM=${SMTP_FROM} - - SMTP_PW=${SMTP_PW} - - CREATE_ACCOUNT_PASSWORD=${CREATE_ACCOUNT_PASSWORD} - restart: always - networks: - - serverbase - volumes: - - /mnt/repo-base/volumes/accounts:/var/accounts - depends_on: - - mariadb - - nextcloud: - 
image: nextcloud:16.0.5-fpm - container_name: nextcloud - restart: always - networks: - - serverbase - volumes: - - /mnt/repo-base/volumes/nextcloud/html:/var/www/html/ - - /mnt/repo-base/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/ - - /mnt/repo-base/volumes/nextcloud/config:/var/www/html/config/ - - /mnt/repo-base/volumes/nextcloud/data:/var/www/html/data/ - - /mnt/repo-base/config-dynamic/nextcloud/x-fpm-overloads.conf:/usr/local/etc/php-fpm.d/x-fpm-overloads.conf - - /mnt/repo-base/config-dynamic/nextcloud/x-php-overloads.ini:/usr/local/etc/php/conf.d/x-php-overloads.ini - - /mnt/repo-base/volumes/redis/tmp:/tmp/redis/ - depends_on: - - mariadb - - automx: - image: registry.gitlab.e.foundation:5000/e/infra/docker-mailstack:automx-0.1.0 - container_name: automx - hostname: automx - environment: - - VIRTUAL_HOST=${VIRTUAL_HOST} - - DOMAIN=${DOMAIN} - - HOSTNAME=automx - restart: always - networks: - - serverbase - volumes: - - /mnt/repo-base/config-dynamic/automx/automx.conf:/etc/automx.conf - - create-account: - image: registry.gitlab.e.foundation:5000/e/infra/docker-create-account:1.0.1 - container_name: create-account - restart: always - environment: - - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} - - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} - - POSTFIXADMIN_SSH_PASSWORD=${POSTFIXADMIN_SSH_PASSWORD} - - DOMAIN=${DOMAIN} - - CREATE_ACCOUNT_PASSWORD=${CREATE_ACCOUNT_PASSWORD} - networks: - - serverbase - depends_on: - - nextcloud - - postfixadmin diff --git a/templates/docker-compose/docker-compose-networks.yml b/templates/docker-compose/docker-compose-networks.yml deleted file mode 100644 index 84840ecf676efd1ddb7a7563d85e84a8c2392e26..0000000000000000000000000000000000000000 --- a/templates/docker-compose/docker-compose-networks.yml +++ /dev/null 
@@ -1,30 +0,0 @@ - - nginx: - image: registry.gitlab.e.foundation:5000/e/infra/docker-nginx:1.17 - container_name: nginx - restart: always - networks: - - serverbase - ports: - - "80:8000" - - "443:4430" - volumes: - - /mnt/repo-base/config-dynamic/nginx/sites-enabled:/etc/nginx/conf.d/ - - /mnt/repo-base/config-static/nginx/params:/etc/nginx/params/ - - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/certs - - /mnt/repo-base/config-dynamic/nginx/passwds:/passwds - - /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge - - /mnt/repo-base/volumes/nextcloud/html:/var/www/html - - /mnt/repo-base/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/ - depends_on: - - nextcloud - - create-account - - automx - - postfixadmin - - welcome - - eelomailserver - #- onlyoffice-community-server - -networks: - serverbase: - driver: 'bridge' diff --git a/templates/docker-compose/docker-compose-onlyoffice.yml b/templates/docker-compose/docker-compose-onlyoffice.yml deleted file mode 100644 index 81b83fc42323ee02c6dc83e792f1be25d49c3fab..0000000000000000000000000000000000000000 --- a/templates/docker-compose/docker-compose-onlyoffice.yml +++ /dev/null 
@@ -1,43 +0,0 @@ - - onlyoffice-documentserver: - image: onlyoffice/documentserver:5.2.6.3 - container_name: onlyoffice-documentserver - stdin_open: true - restart: always - networks: - - serverbase - volumes: - - /mnt/repo-base/volumes/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data - - /mnt/repo-base/volumes/onlyoffice/DocumentServer/logs:/var/log/onlyoffice - onlyoffice-mail-server: - image: onlyoffice/mailserver:1.6.35 - container_name: onlyoffice-mail-server - stdin_open: true - hostname: onlyoffice.${DOMAIN} - restart: always - networks: - - serverbase - volumes: - - /mnt/repo-base/volumes/onlyoffice/MailServer/data:/var/vmail - - /mnt/repo-base/volumes/onlyoffice/MailServer/data/certs:/etc/pki/tls/mailserver - - /mnt/repo-base/volumes/onlyoffice/MailServer/logs:/var/log - - /mnt/repo-base/volumes/onlyoffice/MailServer/mysql:/var/lib/mysql - onlyoffice-community-server: - image: onlyoffice/communityserver:9.6.5.771 - container_name: onlyoffice-community-server - restart: always - networks: - - serverbase - ports: - - 5222:5222 - environment: - - DOCUMENT_SERVER_PORT_80_TCP_ADDR=onlyoffice-document-server - - MAIL_SERVER_DB_HOST=onlyoffice-mail-server - volumes: - - /mnt/repo-base/volumes/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data - - /mnt/repo-base/volumes/onlyoffice/CommunityServer/mysql:/var/lib/mysql - - /mnt/repo-base/volumes/onlyoffice/CommunityServer/logs:/var/log/onlyoffice - - /mnt/repo-base/volumes/onlyoffice/DocumentServer/data:/var/www/onlyoffice/DocumentServerData - depends_on: - - onlyoffice-documentserver - - onlyoffice-mail-server diff --git a/templates/docker-compose/docker-compose.yml b/templates/docker-compose/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..7a03729f2a07f53cc59f830a42212fb6c04e0c39 --- /dev/null +++ b/templates/docker-compose/docker-compose.yml 
@@ -0,0 +1,188 @@ +version: '3' + +services: + mailserver: + image: mailserver2/mailserver:1.1.4 + container_name: mailserver + domainname: ${DOMAIN} # Mail server A/MX/FQDN & reverse PTR = mail.${DOMAIN}. + hostname: mail + restart: always + networks: + - default + ports: + - "25:25" # SMTP - Required + - "110:110" # POP3 STARTTLS - Optional - For webmails/desktop clients + - "143:143" # IMAP STARTTLS - Optional - For webmails/desktop clients + # - "465:465" # SMTPS SSL/TLS - Optional - Enabled for compatibility reason, otherwise disabled + - "587:587" # Submission STARTTLS - Optional - For webmails/desktop clients + - "993:993" # IMAPS SSL/TLS - Optional - For webmails/desktop clients + - "995:995" # POP3S SSL/TLS - Optional - For webmails/desktop clients + - "4190:4190" # SIEVE STARTTLS - Optional - Recommended for mail filtering + environment: + - DBPASS=${DBPASS} + - RSPAMD_PASSWORD=${RSPAMD_PASSWORD} + - ADD_DOMAINS=${ADD_DOMAINS} + - ENABLE_POP3=${ENABLE_POP3} + - DISABLE_RATELIMITING=${DISABLE_RATELIMITING} + - RELAY_NETWORKS=172.16.0.0/12 + # Full list of options: https://github.com/hardware/mailserver#environment-variables + volumes: + - /mnt/repo-base/volumes/mail:/var/mail + - /mnt/repo-base/config/letsencrypt/certstore:/etc/letsencrypt + - /mnt/repo-base/config/mail/dovecot/10-mail.conf:/etc/dovecot/conf.d/10-mail.conf + - /mnt/repo-base/config/mail/dovecot/90-quota.conf:/etc/dovecot/conf.d/90-quota.conf + - /mnt/repo-base/config/mail/dovecot/90-sieve.conf:/etc/dovecot/conf.d/90-sieve.conf + - /mnt/repo-base/config/mail/rspamd/multimap.conf:/etc/rspamd/local.d/multimap.conf + - /mnt/repo-base/config/mail/rspamd/whitelist.sender.domain.map:/etc/rspamd/local.d/whitelist.sender.domain.map + - /mnt/repo-base/config/mail/rspamd/ratelimit.conf:/etc/rspamd/local.d/ratelimit.conf + - /mnt/repo-base/config/mail/clamav/freshclam.conf:/etc/clamav/freshclam.conf + depends_on: + - mariadb + - redis + + postfixadmin: + image: 
registry.gitlab.e.foundation/e/infra/docker-postfixadmin:2.0.1 + container_name: postfixadmin + restart: always + networks: + - default + environment: + - DBPASS=${DBPASS} + - DBHOST=mariadb + - DOMAIN=${DOMAIN} + - DRIVE_SMTP_PASSWORD=${DRIVE_SMTP_PASSWORD} + - POSTFIXADMIN_SSH_PASSWORD=${POSTFIXADMIN_SSH_PASSWORD} + - POSTFIXADMIN_DB_TYPE=mysqli + - POSTFIXADMIN_DB_HOST=mariadb + - POSTFIXADMIN_DB_USER=postfix + - POSTFIXADMIN_DB_NAME=postfix + - POSTFIXADMIN_DB_PASSWORD=${DBPASS} + - POSTFIXADMIN_SMTP_SERVER=mail.${DOMAIN} + - POSTFIXADMIN_SMTP_PORT=587 + volumes: + - /mnt/repo-base/volumes/mail:/var/mail + depends_on: + - mailserver + - mariadb + + mariadb: + image: mariadb:10.3 + container_name: mariadb + restart: always + networks: + - default + environment: + # Note: These variables are only used for the first start. Later changes are ignored. + - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} + - MYSQL_DATABASE=${PFDB_DB} + - MYSQL_USER=${PFDB_USR} + - MYSQL_PASSWORD=${DBPASS} + volumes: + - /mnt/repo-base/volumes/mysql/db/data:/var/lib/mysql + - /mnt/repo-base/config/mariadb/:/etc/mysql/conf.d/:ro + redis: + image: redis:6.0-alpine + container_name: redis + restart: always + networks: + - default + command: redis-server --appendonly yes + volumes: + - /mnt/repo-base/volumes/redis/db:/data + - /mnt/repo-base/volumes/redis/tmp:/tmp/redis + + welcome: + image: registry.gitlab.e.foundation/e/infra/docker-welcome:2.1.2 + container_name: welcome + environment: + - DOMAINS=${VHOSTS_ACCOUNTS} + - DOMAIN=${DOMAIN} + - IS_WELCOME=true + - PFDB_HOST=mariadb + - PFDB_DB=${PFDB_DB} + - PFDB_USR=${PFDB_USR} + - PFDB_PW=${DBPASS} + - POSTFIXADMIN_SSH_PASSWORD=${POSTFIXADMIN_SSH_PASSWORD} + - WELCOME_SECRET_SHA=${WELCOME_SECRET_SHA} + - WEBSITE_SECRET=${WEBSITE_SECRET} + - SMTP_HOST=${SMTP_HOST} + - SMTP_FROM=${SMTP_FROM} + - SMTP_PW=${SMTP_PW} + - SMTP_PORT=587 + - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} + - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} + - 
NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET=${NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET} + - CREATE_ACCOUNT_PASSWORD=${CREATE_ACCOUNT_PASSWORD} + restart: always + networks: + - default + volumes: + - /mnt/repo-base/volumes/accounts:/var/accounts + depends_on: + - mariadb + extra_hosts: + - "${DOMAIN}:${NC_HOST_IP}" + + nextcloud: + image: registry.gitlab.e.foundation/e/infra/ecloud/nextcloud:316db4e0 + container_name: nextcloud + restart: always + networks: + - default + environment: + - MYSQL_DATABASE=${MYSQL_DATABASE_NC} + - MYSQL_USER=${MYSQL_USER_NC} + - MYSQL_PASSWORD=${MYSQL_PASSWORD_NC} + - MYSQL_HOST=mariadb + - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} + # below ENV disabled so NC container do not start install + # - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} + - OVERWRITEPROTOCOL=https + - NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET=${NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET} + volumes: + - /mnt/repo-base/volumes/nextcloud/html:/var/www/html/ + - /mnt/repo-base/volumes/nextcloud/data:/var/www/data/ + - /mnt/repo-base/config/nextcloud/x-fpm-overloads.conf:/usr/local/etc/php-fpm.d/x-fpm-overloads.conf + - /mnt/repo-base/config/nextcloud/x-php-overloads.ini:/usr/local/etc/php/conf.d/x-php-overloads.ini + - /mnt/repo-base/volumes/nextcloud/log:/var/www/log/ + - /mnt/repo-base/volumes/redis/db:/tmp/redis + depends_on: + - mariadb + + automx: + image: registry.gitlab.e.foundation/e/infra/docker-mailstack:automx-0.1.0 + container_name: automx + hostname: automx + environment: + - VIRTUAL_HOST=${VIRTUAL_HOST} + - DOMAIN=${DOMAIN} + - HOSTNAME=automx + restart: always + networks: + - default + volumes: + - /mnt/repo-base/config/automx/automx.conf:/etc/automx.conf + + nginx: + image: nginx:1.19-alpine + container_name: nginx + restart: unless-stopped + networks: + - default + ports: + - "80:8000" + - "443:4430" + volumes: + - /mnt/repo-base/config/nginx/sites-enabled:/etc/nginx/conf.d/ + - /mnt/repo-base/config/nginx/params:/etc/nginx/params/ + - 
/mnt/repo-base/config/letsencrypt/certstore:/certs + - /mnt/repo-base/config/nginx/passwds:/passwds + - /mnt/repo-base/config/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge + - /mnt/repo-base/volumes/nextcloud/html:/var/www/html + depends_on: + - nextcloud + - automx + - postfixadmin + - welcome + - mailserver + diff --git a/templates/mail/rspamd/whitelist.sender.domain.map b/templates/mail/rspamd/whitelist.sender.domain.map new file mode 100644 index 0000000000000000000000000000000000000000..2eb784dff7a7dad8882c6b71107a4f65cfd985a9 --- /dev/null +++ b/templates/mail/rspamd/whitelist.sender.domain.map @@ -0,0 +1 @@ +@@@DOMAIN@@@ \ No newline at end of file diff --git a/templates/nextcloud/config.php b/templates/nextcloud/config.php index c3311a758060ba62235ff9f2eb85415ab0fb9137..70d568970e4c7d41350fa271810062d997753aa5 100644 --- a/templates/nextcloud/config.php +++ b/templates/nextcloud/config.php @@ -1,8 +1,8 @@ 'https://mail.@@@DOMAIN@@@/users/password-recover.php', 'htaccess.RewriteBase' => '/', 'memcache.local' => '\OC\Memcache\APCu', + 'memcache.distributed' => '\OC\Memcache\Redis', 'memcache.locking' => '\OC\Memcache\Redis', 'redis' => [ 'host' => 'redis', @@ -27,7 +27,7 @@ $CONFIG = array ( array ( 0 => '@@@DOMAIN@@@', ), - 'datadirectory' => '/var/www/html/data', + 'datadirectory' => '/var/www/data', 'overwrite.cli.url' => 'https://@@@DOMAIN@@@', 'overwriteprotocol' => 'https', 'mysql.utf8mb4' => true, @@ -65,9 +65,13 @@ $CONFIG = array ( ), 'hash_algorithm_for_new_passwords' => 'sha512', ), - 'theme' => 'eelo', + 'theme' => 'eCloud', 'loglevel' => 2, + 'logfile' => '/var/www/log/nextcloud.log', + 'filelocking.enabled' => true, + 'cron_log' => true, 'preview_max_x' => 1024, 'preview_max_y' => 1024, + 'skeletondirectory' => '/var/www/skeleton/', ); ?> 
diff --git a/templates/nextcloud/x-php-overloads.ini b/templates/nextcloud/x-php-overloads.ini deleted file mode 100644 index e1ff11059d7acb38543f41a0fd11186822f00439..0000000000000000000000000000000000000000 --- a/templates/nextcloud/x-php-overloads.ini +++ /dev/null @@ -1,2 +0,0 @@ -[PHP] -memory_limit = 512M diff --git a/templates/nginx/sites-enabled/autoconfig.conf b/templates/nginx/sites-enabled/autoconfig.conf index b203a0bf75ad079972f3cac9563a53b3c7b0552a..9be565284f780649651260925c1d3097bb9a81c3 100644 --- a/templates/nginx/sites-enabled/autoconfig.conf +++ b/templates/nginx/sites-enabled/autoconfig.conf @@ -10,7 +10,7 @@ server { } server { - listen 4430 ssl http2; + listen 4430 ssl; server_name @@@SERVICE@@@.@@@DOMAIN@@@; ssl_certificate /certs/live/@@@SERVICE@@@.@@@DOMAIN@@@/fullchain.pem; diff --git a/templates/nginx/sites-enabled/nextcloud.conf b/templates/nginx/sites-enabled/nextcloud.conf index f8aebf5c55f6c2204460141d2eb52ad52f261217..0f40745fd1ca4b7e772c3c279ab2530ca145bbb8 100644 --- a/templates/nginx/sites-enabled/nextcloud.conf +++ b/templates/nginx/sites-enabled/nextcloud.conf 
@@ -14,28 +14,42 @@ server { } server { - listen 4430 ssl http2; + listen 4430 ssl; server_name @@@DOMAIN@@@; + root /var/www/html; + ssl_certificate /certs/live/@@@DOMAIN@@@/fullchain.pem; ssl_certificate_key /certs/live/@@@DOMAIN@@@/privkey.pem; include /etc/nginx/params/ssl_params; # We include these headers directly because some are already set by Nextcloud. #include /etc/nginx/params/headers_params; - add_header X-Content-Type-Options nosniff; + add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=15768000"; - add_header Referrer-Policy "same-origin"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy "no-referrer" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Robots-Tag "none" always; + add_header X-Download-Options "noopen" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; fastcgi_hide_header X-Powered-By; server_tokens off; + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + client_max_body_size 4096M; fastcgi_buffers 64 4K; + fastcgi_connect_timeout 60; + fastcgi_send_timeout 600; + fastcgi_read_timeout 600; + # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; 
@@ -45,9 +59,8 @@ server { # Enable compression for JS/CSS/HTML bundle, for improved client load times. # It might be nice to compress JSON, but leaving that out to protect against potential # compression+encryption information leak attacks like BREACH. - gzip_types application/atom+xml application/javascript application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - root /var/www/html; location / { rewrite ^ /index.php; 
@@ -60,13 +73,13 @@ server { deny all; } - location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { - fastcgi_split_path_info ^(.+\.php)(/.*)$; + location ~ ^/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - # fastcgi_param HTTPS on; + fastcgi_param PATH_INFO $path_info; #Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; fastcgi_param front_controller_active true; 
@@ -75,21 +88,42 @@ server { fastcgi_request_buffering off; } - location = /.well-known/carddav { - return 301 $scheme://$host/remote.php/dav; - } - location = /.well-known/caldav { - return 301 $scheme://$host/remote.php/dav; + location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; } - location ~ (\.(?:css|js|woff2?|svg|gif|png|jpg|ico)$|^/core/img/background.png$) { + + # Adding the cache control header for js, css and map files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff2?|svg|gif|map)$ { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy no-referrer; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets access_log off; } } diff --git a/templates/nginx/sites-enabled/onlyoffice.conf b/templates/nginx/sites-enabled/onlyoffice.conf deleted file mode 100644 index 25d70591d2a506f02773b96cc17446bcb991186c..0000000000000000000000000000000000000000 --- a/templates/nginx/sites-enabled/onlyoffice.conf +++ /dev/null 
@@ -1,46 +0,0 @@ -server { - listen 8000; - server_name office.@@@DOMAIN@@@; - location /.well-known/acme-challenge/ { - alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; - } - location / { - return 301 https://$host$request_uri; - } -} - -server { - listen 4430 ssl http2; - server_name office.@@@DOMAIN@@@; - - ssl_certificate /certs/live/office.@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/office.@@@DOMAIN@@@/privkey.pem; - - include /etc/nginx/params/ssl_params; - include /etc/nginx/params/headers_params; - - add_header Strict-Transport-Security "max-age=31536000;"; - client_max_body_size 1024M; - - #auth_basic "Who's this?"; - #auth_basic_user_file /passwds/.htpasswd; - - location / { - # Fix OnlyOffice mixed content problem with ChunkedUploader - add_header Content-Security-Policy upgrade-insecure-requests always; - add_header "Access-Control-Allow-Origin" "*" always; - add_header "Access-Control-Allow-Methods" "POST, GET, OPTIONS" always; - add_header "Access-Control-Allow-Headers" "Content-Type, Accept, Authorization, Origin, Content-Range, Content-Disposition" always; - proxy_hide_header Access-Control-Allow-Origin; - proxy_read_timeout 300s; - client_max_body_size 4096M; - if ($request_method = "OPTIONS") { - return 204; - } - proxy_pass http://onlyoffice-community-server:80; - include /etc/nginx/params/proxy_params; - - # hide this version header for better security - proxy_set_header x-aspnet-verion ""; - } -} diff --git a/templates/nginx/sites-enabled/postfixadmin.conf b/templates/nginx/sites-enabled/postfixadmin.conf index 714bef3fa2d8d17dd1dccfe8f2c3a15c5f41ce54..ae735613038c3f3eda8ed3ed9d451b674fe4dfa8 100644 --- a/templates/nginx/sites-enabled/postfixadmin.conf +++ b/templates/nginx/sites-enabled/postfixadmin.conf @@ -10,7 +10,7 @@ server { } server { - listen 4430 ssl http2; + listen 4430 ssl; server_name mail.@@@DOMAIN@@@; ssl_certificate /certs/live/mail.@@@DOMAIN@@@/fullchain.pem; 
@@ -26,7 +26,7 @@ server { #auth_basic_user_file /passwds/.htpasswd; location / { - proxy_pass http://postfixadmin:8888; + proxy_pass http://postfixadmin:80; include /etc/nginx/params/proxy_params; } } diff --git a/templates/nginx/sites-enabled/rspamd.conf b/templates/nginx/sites-enabled/rspamd.conf index 067b466a7dd628bbfaa1af1e817a981c5ee76f48..69e6dd718bd1715e33d881d303bfbaa3e18abd73 100644 --- a/templates/nginx/sites-enabled/rspamd.conf +++ b/templates/nginx/sites-enabled/rspamd.conf @@ -10,7 +10,7 @@ server { } server { - listen 4430 ssl http2; + listen 4430 ssl; server_name spam.@@@DOMAIN@@@; ssl_certificate /certs/live/spam.@@@DOMAIN@@@/fullchain.pem; @@ -26,7 +26,7 @@ server { #auth_basic_user_file /passwds/.htpasswd; location / { - proxy_pass http://eelomailserver:11334; + proxy_pass http://mailserver:11334; include /etc/nginx/params/proxy_params; } } diff --git a/templates/nginx/sites-enabled/welcome.conf b/templates/nginx/sites-enabled/welcome.conf index 25baf3f9981a56ee79ab3cf5a507fb4e6333ac93..bcbd5f300efd85c07d882476ce95e236fe06c685 100644 --- a/templates/nginx/sites-enabled/welcome.conf +++ b/templates/nginx/sites-enabled/welcome.conf @@ -10,7 +10,7 @@ server { } server { - listen 4430 ssl http2; + listen 4430 ssl; server_name welcome.@@@DOMAIN@@@; ssl_certificate /certs/live/welcome.@@@DOMAIN@@@/fullchain.pem; diff --git a/templates/rainloop/domain-config.ini b/templates/rainloop/domain-config.ini index 06299c9ea08e510b1adfb93c4b8484b70efb93fc..179cbc3bf63fc8a5bcbcef3370c9c94d9b518f31 100644 --- a/templates/rainloop/domain-config.ini +++ b/templates/rainloop/domain-config.ini 
@@ -1,13 +1,13 @@ -imap_host = "eelomailserver" +imap_host = "mailserver" imap_port = 993 imap_secure = "SSL" imap_short_login = Off sieve_use = Off sieve_allow_raw = Off -sieve_host = "eelomailserver" +sieve_host = "mailserver" sieve_port = 4190 sieve_secure = "TLS" -smtp_host = "eelomailserver" +smtp_host = "mailserver" smtp_port = 587 smtp_secure = "TLS" smtp_short_login = Off
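Review bot: in the new templates/docker-compose/docker-compose.yml, the mailserver service hardcodes `RELAY_NETWORKS=172.16.0.0/12`, which covers every Docker-managed subnet on the host rather than only this stack's `default` network, so any container that later lands on another bridge can relay mail without authentication; narrow it to the subnet actually assigned to this compose project, or make it an `.env` variable like the other mail options in the same block. Two smaller points in the same hunk: postfixadmin connects with hardcoded `POSTFIXADMIN_DB_NAME=postfix` / `POSTFIXADMIN_DB_USER=postfix` while mariadb creates `${PFDB_DB}` / `${PFDB_USR}`, so the two services only agree when `.env` sets both to `postfix`, and the Let's Encrypt store is bind-mounted read-write into both mailserver (`/etc/letsencrypt`) and nginx (`/certs`), where `:ro`, as already used for the mariadb config directory, would be enough.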
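Review bot: templates/mail/rspamd/whitelist.sender.domain.map whitelists the server's own domain purely by sender domain; unless the matching rule in multimap.conf is conditioned on a passing DKIM or SPF result, an inbound message from an external host that merely claims a `@@@DOMAIN@@@` sender receives the whitelist score, and that is exactly the sender address a phisher targeting local users would pick. Please confirm the multimap rule requires authentication, or limit the whitelist to mail submitted by authenticated users.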
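Review bot: in templates/nextcloud/config.php, moving `datadirectory` from `/var/www/html/data` to `/var/www/data` (and `logfile` to `/var/www/log/nextcloud.log`) is a good change because it takes user data and logs out of the nginx document root, but it breaks existing installations: nothing in the patch moves the old directory, so the commit should document the manual migration or the setup script should perform it. The new `skeletondirectory` `/var/www/skeleton/` is also not provided by any volume in the compose file; confirm the nextcloud image ships that directory.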
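Review bot: templates/nextcloud/x-php-overloads.ini is deleted, yet the new docker-compose.yml still bind-mounts `/mnt/repo-base/config/nextcloud/x-php-overloads.ini:/usr/local/etc/php/conf.d/x-php-overloads.ini`; if the config directory is populated from templates, that source path will no longer exist, Docker will create an empty directory in its place, and PHP ends up with a directory where it expects an ini file. Either keep the template (the hunk also drops `memory_limit = 512M` with no replacement) or remove the volume line.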
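Review bot: autoconfig.conf (and the identical edit in nextcloud.conf, postfixadmin.conf, rspamd.conf and welcome.conf) changes `listen 4430 ssl http2;` to `listen 4430 ssl;` with no explanation; the nginx 1.19 image pinned in the compose file supports HTTP/2, so this is a client-performance regression rather than a fix. If it works around a specific problem, please record that in the commit message; otherwise keep `http2`.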
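Review bot: in the nextcloud.conf server block, `X-Content-Type-Options`, `Referrer-Policy`, `X-Frame-Options`, `X-Robots-Tag`, `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` gain `always`, but `add_header X-XSS-Protection "1; mode=block";` and `add_header Strict-Transport-Security "max-age=15768000";` in the same block do not. Without `always`, nginx attaches a header only to 2xx and 3xx responses, so error pages go out without HSTS; add `always` to those two as well, matching the duplicated header set in the static-asset location further down.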
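Review bot: the `gzip_types` line in nextcloud.conf now adds `application/json` and `application/ld+json`, but the comment directly above it still states that JSON is deliberately left out to limit BREACH-style compression leaks. Either update the comment to say why compressing JSON is now considered acceptable here, or drop the two types; as written, the comment and the directive contradict each other.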
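Review bot: in the nextcloud.conf static-asset location (`\.(?:css|js|woff2?|svg|gif|map)$`), the presence of `add_header` directives stops inheritance of the server-level headers, and the only `Strict-Transport-Security` line in that block is the commented-out preload variant, so asset responses carry no HSTS header at all. The server block already sends `max-age=15768000` without `includeSubDomains` or `preload`, so repeating exactly that value here (leaving the preload warning comment as is) adds no new consequences and keeps the two header sets consistent, which is what the "intended to have those duplicated" comment promises.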
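Review bot: rspamd.conf now proxies `spam.@@@DOMAIN@@@` to `mailserver:11334`, the rspamd controller, while `#auth_basic` and `#auth_basic_user_file /passwds/.htpasswd;` in the same block stay commented out, so the controller's web UI and API are reachable from the Internet protected only by `RSPAMD_PASSWORD`. Consider enabling the basic-auth lines (the passwds directory is already mounted into nginx) or restricting the vhost by source address, so a weak or leaked rspamd password is not the single barrier.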
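Review bot: templates/rainloop/domain-config.ini now points IMAP, Sieve and SMTP at the compose service name `mailserver` with `imap_secure = "SSL"`, `sieve_secure = "TLS"` and `smtp_secure = "TLS"`, but the mail server's certificate is presumably issued for `mail.${DOMAIN}` (the compose file names that as the mail FQDN and uses it in `POSTFIXADMIN_SMTP_SERVER`), so hostname verification against `mailserver` cannot succeed and these hops only work if RainLoop does not verify the certificate. Either give the mailserver service a network alias of `mail.@@@DOMAIN@@@` and use that name here, or state explicitly that certificate verification is disabled for the internal connection.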