Initial commit

This commit is contained in:
Nikos Papadakis 2023-08-03 20:24:07 +03:00
commit 06fef13c6b
Signed by untrusted user who does not match committer: nikos
GPG key ID: 78871F9905ADFF02
20 changed files with 1200 additions and 0 deletions


@ -0,0 +1,19 @@
name: Gitea Actions Demo
run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
on: [push]
jobs:
Explore-Gitea-Actions:
runs-on: ubuntu-latest
steps:
- run: echo "🎉 The job was automatically triggered by a ${{ gitea.event_name }} event."
- run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by Gitea!"
- run: echo "🔎 The name of your branch is ${{ gitea.ref }} and your repository is ${{ gitea.repository }}."
- name: Check out repository code
uses: actions/checkout@v3
- run: echo "💡 The ${{ gitea.repository }} repository has been cloned to the runner."
- run: echo "🖥️ The workflow is now ready to test your code on the runner."
- name: List files in the repository
run: |
ls ${{ gitea.workspace }}
- run: echo "🍏 This job's status is ${{ job.status }}."
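Review bot: `actions/checkout@v3` on the checkout step is a mutable tag, so the action's contents can change underneath every run; pinning to a full commit SHA (with the tag kept in a trailing comment) is the usual supply-chain hardening and matters more here because the runner user in this commit is in the `docker` group. The `run:` steps also interpolate `${{ gitea.ref }}` and `${{ gitea.repository }}` straight into a shell line, so a branch name containing quotes or `$()` would be evaluated by the shell. Passing such values through `env:` and referencing `"$REF"` in the script avoids that, although with `on: [push]` only users with push access can trigger it. This is the stock Gitea demo workflow, so it may be intended as a throwaway.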

23
caddy_services.yml Normal file

@ -0,0 +1,23 @@
---
- name: Caddy reverse proxy
hosts: ulna
tasks:
- name: Ensure Caddy is installed
ansible.builtin.apt:
name: caddy
state: present
become: true
- name: Reverse proxies for ulna
when: inventory_hostname in groups['ulna']
ansible.builtin.template:
src: templates/Caddyfile.ulna.j2
dest: /etc/caddy/Caddyfile
become: true
- name: Restart caddy
ansible.builtin.systemd:
state: restarted
name: caddy
become: true
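Review bot: The Caddyfile is rendered by the `Reverse proxies for ulna` task without `validate:`, and the unconditional `Restart caddy` task then bounces the proxy even when nothing changed, so a template error takes every proxied service (Gitea, Woodpecker, Etebase, the mail host's ACME endpoint) offline until the next run. Adding `validate: caddy validate --config %s --adapter caddyfile` to the template task rejects a broken render before it reaches `/etc/caddy/Caddyfile`, and triggering the restart from a handler (`notify: Restart caddy`) with `state: reloaded` keeps existing connections up. The `when: inventory_hostname in groups['ulna']` guard is redundant with `hosts: ulna` and can be dropped.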

24
docker_mailserver.yml Normal file

@ -0,0 +1,24 @@
---
- name: docker-mailserver
hosts: ulna
tasks:
- name: Create docker-mailserver directory
ansible.builtin.file:
path: docker-mailserver
state: directory
- name: Copy docker-compose.yml
ansible.builtin.template:
src: templates/docker-mailserver/docker-compose.yml.j2
dest: docker-mailserver/docker-compose.yml
- name: Copy mailserver.env
ansible.builtin.template:
src: templates/docker-mailserver/mailserver.env.j2
dest: docker-mailserver/mailserver.env
- name: Start container
community.docker.docker_compose:
project_src: docker-mailserver
become: true
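Review bot: `mailserver.env` is rendered by the `Copy mailserver.env` task with no `mode:`/`owner:`, so the file that carries the relay, LDAP and SRS credentials (empty in this template, but that is where they will go) gets the remote user's default umask; set `mode: "0600"` on that task. The directory and both `dest:` values are relative (`docker-mailserver`), which resolves against the connecting user's home for the first three tasks, while the final `docker_compose` task runs with `become: true`, so `project_src` is interpreted from whatever working directory the privileged process inherits — presumably the same home, but an absolute path removes the ambiguity. The first three tasks also have no `become`, so the compose project is owned by the login user while the containers are started as root; a single owner for the directory would be cleaner.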

49
install_act_runner.yml Normal file

@ -0,0 +1,49 @@
---
- name: Install act runner for gitea
hosts: ulna
tasks:
- name: Download the binary
become: true
ansible.builtin.get_url:
url: https://gitea.com/gitea/act_runner/releases/download/v0.2.0/act_runner-0.2.0-linux-arm64
dest: /usr/local/bin/act_runner
mode: '755'
- name: Create the runner user
become: true
ansible.builtin.user:
name: runner
group: docker
comment: Gitea runner
shell: /bin/bash
password: '!'
home: /home/runner
create_home: true
- name: Register the runner
ansible.builtin.command: act_runner register --no-interactive --instance https://{{ gitea_host }} --token {{ act_runner_token|quote }}
become: true
become_user: runner
args:
chdir: /home/runner
ignore_errors: true
- name: Service file
become: true
ansible.builtin.template:
src: templates/gitea/runner.service.j2
dest: /etc/systemd/system/runner.service
- name: Make sure docker is running
ansible.builtin.systemd:
state: started
name: docker
- name: Re(start) the systemd service
become: true
ansible.builtin.systemd:
state: restarted
name: runner
enabled: true
daemon_reload: true
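Review bot: The `Download the binary` task fetches `act_runner` over HTTPS with no `checksum:`, unlike the Gitea download in install_gitea.yml which pins a sha256; add the release's `checksum: sha256:...` so a tampered or truncated download is rejected before it lands in `/usr/local/bin` with mode 755. The `runner` user is created in group `docker`, which is root-equivalent on the host, so any job that runs on this runner can escalate via the socket — acceptable only if every repository able to trigger workflows is trusted, and worth a comment on the task. The register step passes `--token` on the command line, which is visible in the process list and in verbose Ansible output; consider `no_log: true` on that task. Its `ignore_errors: true` also hides a failed registration, after which the final task happily starts an unregistered runner.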

29
install_docker.yml Normal file

@ -0,0 +1,29 @@
---
- name: Install docker
hosts: ulna
tasks:
- name: Setup
ansible.builtin.command: dpkg --print-architecture
register: architecture
- name: Add Docker GPG key
become: true
ansible.builtin.shell: wget -O- https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/docker.gpg
- name: Add Docker repository
become: true
ansible.builtin.apt_repository:
repo: "deb [arch=\"{{ architecture.stdout_lines[0] }}\" signed-by=/etc/apt/trusted.gpg.d/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
state: present
- name: Install docker
become: true
ansible.builtin.apt:
pkg:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-compose
state: latest
update_cache: true
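Review bot: The `Add Docker GPG key` task pipes the key through `gpg --dearmor | sudo tee` inside `ansible.builtin.shell` while already running with `become: true`; without `set -o pipefail` a failed `wget` leaves `tee` writing an empty keyring and the task still reports success, and it is never idempotent (changed on every run). Putting the key in `/etc/apt/trusted.gpg.d/` also makes it trusted for every apt source, which defeats the `signed-by=` scoping on the next task; install_syncthing.yml in this same commit uses `/usr/share/keyrings/` correctly. A `get_url` of the armored key into a keyring path (apt accepts ASCII-armored keys for `signed-by=`) replaces the pipeline and is idempotent. The `arch=\"...\"` quoting inside the repo string lands literally in the sources entry — presumably apt tolerates it, but the quotes are unnecessary.

```yaml
- name: Add Docker GPG key
  become: true
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /usr/share/keyrings/docker-archive-keyring.asc
    mode: "0644"
- name: Add Docker repository
  become: true
  ansible.builtin.apt_repository:
    repo: "deb [arch={{ architecture.stdout_lines[0] }} signed-by=/usr/share/keyrings/docker-archive-keyring.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
    state: present
# … unchanged: Install docker task …
```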

105
install_etebase.yml Normal file

@ -0,0 +1,105 @@
---
- name: Install Etebase server
hosts: ulna
tasks:
- name: Python3 and virtualenv
ansible.builtin.apt:
name: python3-virtualenv
state: present
become: true
- name: Create etebase group
ansible.builtin.group:
name: etebase
state: present
become: true
- name: Create etebase user
ansible.builtin.user:
name: etebase
group: etebase
comment: Etebase user
password: '!'
system: true
home: "{{ etebase_home_dir }}"
state: present
become: true
- name: Clone etebase repo
ansible.builtin.git:
repo: "https://github.com/etesync/server.git"
dest: "{{ etebase_home_dir }}/etebase"
single_branch: true
force: true
become: true
become_user: etebase
- name: Install etebase python requirements
ansible.builtin.pip:
requirements: "{{ etebase_home_dir }}/etebase/requirements.txt"
virtualenv: "{{ etebase_home_dir }}/venv"
state: present
become: true
become_user: etebase
- name: Install uvicorn inside venv
ansible.builtin.pip:
name: "uvicorn[standard]"
virtualenv: "{{ etebase_home_dir }}/venv"
state: present
become: true
become_user: etebase
- name: Setup configuration
ansible.builtin.template:
src: "templates/etebase-server.ini.j2"
dest: "{{ etebase_home_dir }}/etebase/etebase-server.ini"
mode: "0640"
group: etebase
owner: etebase
become: true
become_user: etebase
- name: Create directories
ansible.builtin.file:
path: "{{ item.dir }}"
mode: "{{ item.mode }}"
owner: etebase
group: "{{ item.group | default('etebase') }}"
state: directory
loop:
- { dir: "{{ etebase_home_dir }}/media", mode: "0750" }
- { dir: "{{ etebase_home_dir }}/secret", mode: "0750" }
- { dir: "{{ etebase_home_dir }}/static", mode: "0750", group: "www-data" }
- { dir: "/var/run/etebase", mode: "0750", group: "www-data" }
become: true
- name: Run manage.py migrate
ansible.builtin.command:
cmd: "{{ etebase_home_dir }}/venv/bin/python3 ./manage.py migrate"
chdir: "{{ etebase_home_dir }}/etebase"
become: true
become_user: etebase
# FIXME: Stuck?
# - name: Run manage.py collectstatic
# ansible.builtin.command:
# cmd: "{{ etebase_home_dir }}/venv/bin/python3 ./manage.py collectstatic"
# chdir: "{{ etebase_home_dir }}/etebase"
# become: true
# become_user: etebase
- name: Setup systemd service
ansible.builtin.template:
src: "templates/etebase.service.j2"
dest: "/etc/systemd/system/etebase.service"
become: true
- name: (Re)start the systemd service
ansible.builtin.systemd:
state: restarted
name: etebase
enabled: true
daemon_reload: true
become: true
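Review bot: The `Clone etebase repo` task tracks the remote's default branch (no `version:`) and uses `force: true`, so every playbook run deploys whatever upstream `HEAD` is at that moment, and the following `pip` task then installs the matching unpinned `requirements.txt`; pin `version:` to a release tag or commit so the deployed server code is reproducible and reviewable. The `Create directories` task makes `/var/run/etebase` by hand, but `/var/run` is normally tmpfs on Debian, so the directory will not exist after a reboot; if `etebase_socket_file` lives there the service unit needs `RuntimeDirectory=` instead. `Run manage.py migrate` is unconditional and will report changed on each run; a `changed_when` keyed on the command's output would make the play's report honest.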

73
install_gitea.yml Normal file

@ -0,0 +1,73 @@
---
- name: Install and deploy gitea
hosts: ulna
tasks:
- name: Ensure git is installed
ansible.builtin.apt:
name: git
state: present
become: true
- name: Create git group
ansible.builtin.group:
name: git
state: present
become: true
- name: Create git user
ansible.builtin.user:
name: git
comment: Git user
group: git
shell: /bin/bash
password: '!'
home: /home/git
create_home: true
become: true
- name: Create required directories
ansible.builtin.file:
path: "{{ item.dir }}"
mode: "{{ item.mode }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
state: directory
loop:
- { dir: "/opt/gitea", owner: "git", group: "git", mode: "0750" }
- { dir: "/var/lib/gitea/custom", owner: "git", group: "git", mode: "0750" }
- { dir: "/var/lib/gitea/data", owner: "git", group: "git", mode: "0750" }
- { dir: "/var/lib/gitea/log", owner: "git", group: "git", mode: "0750" }
- { dir: "/etc/gitea", owner: "root", group: "git", mode: "0770" }
become: true
- name: Download gitea
ansible.builtin.get_url:
url: https://github.com/go-gitea/gitea/releases/download/v1.20.0/gitea-1.20.0-linux-arm64
checksum: sha256:55f04ae775f9ff0e8547b112946e1721656721d123a78b90f1d4275536900a76
dest: /opt/gitea/gitea
mode: '775'
owner: git
group: git
become: true
- name: Service file
ansible.builtin.template:
src: templates/gitea/gitea.service.j2
dest: /etc/systemd/system/gitea.service
become: true
- name: robots.txt
ansible.builtin.template:
src: templates/gitea/robots.txt.j2
dest: /var/lib/gitea/custom/robots.txt
owner: git
become: true
- name: (Re)start the systemd service
ansible.builtin.systemd:
state: restarted
name: gitea
enabled: true
daemon_reload: true
become: true
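Review bot: The `Download gitea` task installs the binary owned by `git` with mode `775`, so the account the service runs as can overwrite `/opt/gitea/gitea` (and the group bit widens that further), which turns any code execution inside Gitea into a persistent backdoor; the binary should be `owner: root`, `group: root`, `mode: "0755"` with only the data directories writable by `git`. `/etc/gitea` is created `0770` root:git, which Gitea's install guide describes as a temporary setting so the web installer can write `app.ini`; nothing here tightens it afterwards to `0750` with `app.ini` at `0640`, so the config (database password, secret keys) stays group-writable. The sha256 `checksum:` on the download is good and is exactly what install_act_runner.yml in this commit is missing.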

48
install_syncthing.yml Normal file

@ -0,0 +1,48 @@
---
- name: Install and deploy syncthing
hosts: ulna
tasks:
- name: Add PGP key
ansible.builtin.get_url:
url: https://syncthing.net/release-key.gpg
dest: /usr/share/keyrings/syncthing-archive-keyring.gpg
become: true
- name: Add APT repository
ansible.builtin.apt_repository:
repo: deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable
state: present
become: true
- name: Install syncthing
ansible.builtin.apt:
name: syncthing
state: present
update_cache: true
become: true
- name: Create syncthing group
ansible.builtin.group:
name: syncthing
state: present
become: true
- name: Create syncthing user
ansible.builtin.user:
name: syncthing
group: syncthing
comment: Syncthing user
shell: /bin/bash
password: '!'
home: /home/syncthing
create_home: true
become: true
- name: (Re)start the syncthing service
ansible.builtin.systemd:
state: restarted
name: syncthing@syncthing
enabled: true
become: true
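Review bot: The `syncthing` service account is created with `shell: /bin/bash`, a home directory and no `system: true`, whereas the etebase account in this same commit is a system user with a disabled password; a daemon account that never logs in should get `shell: /usr/sbin/nologin` and `system: true` to shrink what a compromise of the service can do. The release key is fetched with `get_url` and no `checksum:`, so the trust root for the apt source is whatever the HTTPS endpoint serves at run time; pinning the key's sha256 makes the repository trust explicit. With `state: restarted` the service is restarted on every run even when the package was unchanged — a handler would avoid the interruption.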

47
install_woodpecker.yml Normal file

@ -0,0 +1,47 @@
---
- name: Install Woodpecker CI
hosts: ulna
tasks:
- name: Ensure docker-compose is installed
ansible.builtin.apt:
name: docker-compose
state: present
become: true
- name: Start woodpecker with docker-compose
community.docker.docker_compose:
project_name: woodpecker
definition:
version: "3"
services:
woodpecker-server:
image: woodpeckerci/woodpecker-server:next
ports:
- "{{ woodpecker_port }}:8000"
volumes:
- woodpecker-server-data:/var/lib/woodpecker/
environment:
- WOODPECKER_OPEN=false
- WOODPECKER_HOST=https://{{ woodpecker_host }}
- WOODPECKER_AGENT_SECRET={{ woodpecker_agent_secret }}
- WOODPECKER_GITEA=true
- WOODPECKER_GITEA_URL=https://{{ gitea_host }}
- WOODPECKER_GITEA_CLIENT={{ woodpecker_client_id }}
- WOODPECKER_GITEA_SECRET={{ woodpecker_client_secret }}
woodpecker-agent:
image: woodpeckerci/woodpecker-agent:next
command: agent
restart: always
depends_on:
- woodpecker-server
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- WOODPECKER_SERVER=woodpecker-server:9000
- WOODPECKER_AGENT_SECRET={{ woodpecker_agent_secret }}
volumes:
woodpecker-server-data:
register: output
become: true
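Review bot: Both images are pinned to `woodpeckerci/woodpecker-server:next` and `woodpecker-agent:next`, the moving development tag, so each `docker_compose` run may pull a different, untested build of the CI system that holds the Gitea OAuth client secret and a Docker socket; pin a release tag (and ideally a digest) instead. The task passes `woodpecker_agent_secret` and `woodpecker_client_secret` as module arguments and registers the result in `output`, so both appear in verbose task output and in the registered variable; add `no_log: true` to the task. Mounting `/var/run/docker.sock` into the agent gives every pipeline root on the host — that is how the Docker backend works, but it means repository write access on this Gitea instance equals host root, which deserves a comment next to the volume.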

10
inventory.yml Normal file

@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
34626236366363333963613532643239643331333637613664653238336431636338303537643936
3830343365336262633165616535363336313665383261310a383931623831326530313837346137
35663961343433396461653164613666363331396430393131393038393433346263653331653064
3162663361623439340a363865633661623563366330336666633766656531663033613131343466
39366463393839333963326531376436373038386239623937303839336264336462613236623431
37633635333738316665346463333361363234636465333764643464323830313636616165646365
39663235323764323564326135333631613665336338646565666362336666633337643065626362
66663631313434393636326531616261623132633730333439313534636165373635393465616531
66643663376238653164626364386338363863366661313235353966316664343039


@ -0,0 +1,20 @@
{{ mail_host }} {
respond ""
}
{{ gitea_host }} {
reverse_proxy localhost:3000
}
{{ woodpecker_host }} {
reverse_proxy localhost:8000
}
{{ etebase_host }} {
route {
file_server /static/* {
root {{ etebase_home_dir }}
}
reverse_proxy unix/{{ etebase_socket_file }}
}
}
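Review bot: The Etebase site serves `/static/*` with `root {{ etebase_home_dir }}` and proxies to `unix/{{ etebase_socket_file }}`, but install_etebase.yml grants `static/` and `/var/run/etebase` to group `www-data` with mode 0750, while the Debian `caddy` package runs Caddy as user `caddy`; unless `caddy` has been added to `www-data`, presumably both the static files and the socket will be unreadable for the proxy. Worth confirming on the host which account Caddy runs under and aligning the group in the playbook. The `{{ mail_host }}` block with `respond ""` exists, I assume, only so Caddy obtains the certificate that the mail container bind-mounts; a comment such as `# cert-only: key/cert are mounted into docker-mailserver` would stop a future cleanup from removing it.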


@ -0,0 +1,28 @@
services:
mailserver:
image: ghcr.io/docker-mailserver/docker-mailserver:latest
container_name: mailserver
hostname: {{ mail_host }}
env_file: mailserver.env
ports:
- "25:25" # SMTP (explicit TLS => STARTTLS)
- "143:143" # IMAP4 (explicit TLS => STARTTLS)
- "465:465" # ESMTP (implicit TLS)
- "587:587" # ESMTP (explicit TLS => STARTTLS)
- "993:993" # IMAP4 (implicit TLS)
volumes:
- ./docker-data/dms/mail-data/:/var/mail/
- ./docker-data/dms/mail-state/:/var/mail-state/
- ./docker-data/dms/mail-logs/:/var/log/mail/
- ./docker-data/dms/config/:/tmp/docker-mailserver/
- /etc/localtime:/etc/localtime:ro
- /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{{ mail_host }}/{{ mail_host }}.crt:/etc/letsencrypt/live/{{ mail_host }}/fullchain.pem
- /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{{ mail_host }}/{{ mail_host }}.key:/etc/letsencrypt/live/{{ mail_host }}/privkey.pem
restart: always
stop_grace_period: 1m
# cap_add:
# - NET_ADMIN
healthcheck:
test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
timeout: 3s
retries: 0
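Review bot: The two certificate mounts bind individual files out of Caddy's ACME storage (`.../{{ mail_host }}.crt` and `.key`) into `/etc/letsencrypt/live/...`; a bind mount of a single file tracks the inode, so if Caddy writes the renewed certificate as a new file the container keeps serving the old one until it is recreated, and the path itself is Caddy's internal storage layout rather than a stable interface. Mounting the host directory `…/acme-v02.api.letsencrypt.org-directory/{{ mail_host }}/` instead and pointing DMS at the files with `SSL_TYPE=manual`, `SSL_CERT_PATH=` and `SSL_KEY_PATH=` avoids the stale-inode problem and limits the container to read access on that one directory. `image: ...docker-mailserver:latest` is unpinned, so `restart: always` plus a re-run of the playbook can silently move the mail server to a new major version. Also worth confirming that `retries: 0` on the healthcheck behaves as intended rather than being treated as the engine default.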


@ -0,0 +1,609 @@
# -----------------------------------------------
# --- Mailserver Environment Variables ----------
# -----------------------------------------------
# DOCUMENTATION FOR THESE VARIABLES IS FOUND UNDER
# https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/
# -----------------------------------------------
# --- General Section ---------------------------
# -----------------------------------------------
# empty => uses the `hostname` command to get the mail server's canonical hostname
# => Specify a fully-qualified domainname to serve mail for. This is used for many of the config features so if you can't set your hostname (e.g. you're in a container platform that doesn't let you) specify it in this environment variable.
OVERRIDE_HOSTNAME=
# REMOVED in version v11.0.0! Use LOG_LEVEL instead.
DMS_DEBUG=0
# Set the log level for DMS.
# This is mostly relevant for container startup scripts and change detection event feedback.
#
# Valid values (in order of increasing verbosity) are: `error`, `warn`, `info`, `debug` and `trace`.
# The default log level is `info`.
LOG_LEVEL=info
# critical => Only show critical messages
# error => Only show erroneous output
# **warn** => Show warnings
# info => Normal informational output
# debug => Also show debug messages
SUPERVISOR_LOGLEVEL=
# 0 => mail state in default directories
# 1 => consolidate all states into a single directory (`/var/mail-state`) to allow persistence using docker volumes
ONE_DIR=1
# **empty** => use FILE
# LDAP => use LDAP authentication
# OIDC => use OIDC authentication (not yet implemented)
# FILE => use local files (this is used as the default)
ACCOUNT_PROVISIONER=
# empty => postmaster@domain.com
# => Specify the postmaster address
POSTMASTER_ADDRESS=postmaster@papadakis.xyz
# Check for updates on container start and then once a day
# If an update is available, a mail is sent to POSTMASTER_ADDRESS
# 0 => Update check disabled
# 1 => Update check enabled
ENABLE_UPDATE_CHECK=1
# Customize the update check interval.
# Number + Suffix. Suffix must be 's' for seconds, 'm' for minutes, 'h' for hours or 'd' for days.
UPDATE_CHECK_INTERVAL=1d
# Set different options for mynetworks option (can be overwrite in postfix-main.cf)
# **WARNING**: Adding the docker network's gateway to the list of trusted hosts, e.g. using the `network` or
# `connected-networks` option, can create an open relay
# https://github.com/docker-mailserver/docker-mailserver/issues/1405#issuecomment-590106498
# The same can happen for rootless podman. To prevent this, set the value to "none" or configure slirp4netns
# https://github.com/docker-mailserver/docker-mailserver/issues/2377
#
# none => Explicitly force authentication
# container => Container IP address only
# host => Add docker container network (ipv4 only)
# network => Add all docker container networks (ipv4 only)
# connected-networks => Add all connected docker networks (ipv4 only)
PERMIT_DOCKER=none
# Set the timezone. If this variable is unset, the container runtime will try to detect the time using
# `/etc/localtime`, which you can alternatively mount into the container. The value of this variable
# must follow the pattern `AREA/ZONE`, i.e. of you want to use Germany's time zone, use `Europe/Berlin`.
# You can lookup all available timezones here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
TZ=
# In case you network interface differs from 'eth0', e.g. when you are using HostNetworking in Kubernetes,
# you can set NETWORK_INTERFACE to whatever interface you want. This interface will then be used.
# - **empty** => eth0
NETWORK_INTERFACE=
# empty => modern
# modern => Enables TLSv1.2 and modern ciphers only. (default)
# intermediate => Enables TLSv1, TLSv1.1 and TLSv1.2 and broad compatibility ciphers.
TLS_LEVEL=
# Configures the handling of creating mails with forged sender addresses.
#
# **0** => (not recommended) Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address (see also https://en.wikipedia.org/wiki/Email_spoofing).
# 1 => Mail spoofing denied. Each user may only send with his own or his alias addresses. Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
SPOOF_PROTECTION=1
# Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/master/README.md#sender-rewriting-scheme-crash-course) for further explanation.
# - **0** => Disabled
# - 1 => Enabled
ENABLE_SRS=0
# Enables the OpenDKIM service.
# **1** => Enabled
# 0 => Disabled
ENABLE_OPENDKIM=0
# Enables the OpenDMARC service.
# **1** => Enabled
# 0 => Disabled
ENABLE_OPENDMARC=1
# Enabled `policyd-spf` in Postfix's configuration. You will likely want to set this
# to `0` in case you're using Rspamd (`ENABLE_RSPAMD=1`).
#
# - 0 => Disabled
# - **1** => Enabled
ENABLE_POLICYD_SPF=1
# 1 => Enables POP3 service
# empty => disables POP3
ENABLE_POP3=
# Enables ClamAV, and anti-virus scanner.
# 1 => Enabled
# **0** => Disabled
ENABLE_CLAMAV=0
# Enables Rspamd
# **0** => Disabled
# 1 => Enabled
ENABLE_RSPAMD=1
# When `ENABLE_RSPAMD=1`, an internal Redis instance is enabled implicitly.
# This setting provides an opt-out to allow using an external instance instead.
# 0 => Disabled
# 1 => Enabled
ENABLE_RSPAMD_REDIS=1
# When enabled,
#
# 1. the "[autolearning][rspamd-autolearn]" feature is turned on;
# 2. the Bayes classifier will be trained when moving mails from or to the Junk folder (with the help of Sieve scripts).
#
# **0** => disabled
# 1 => enabled
RSPAMD_LEARN=1
# Controls whether the Rspamd Greylisting module is enabled.
# This module can further assist in avoiding spam emails by greylisting
# e-mails with a certain spam score.
#
# **0** => disabled
# 1 => enabled
RSPAMD_GREYLISTING=0
# Can be used to enable or disable the Hfilter group module.
#
# - 0 => Disabled
# - **1** => Enabled
RSPAMD_HFILTER=1
# Can be used to control the score when the HFILTER_HOSTNAME_UNKNOWN symbol applies. A higher score is more punishing. Setting it to 15 is equivalent to rejecting the email when the check fails.
#
# Default: 6
RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE=6
# Amavis content filter (used for ClamAV & SpamAssassin)
# 0 => Disabled
# 1 => Enabled
ENABLE_AMAVIS=1
# -1/-2/-3 => Only show errors
# **0** => Show warnings
# 1/2 => Show default informational output
# 3/4/5 => log debug information (very verbose)
AMAVIS_LOGLEVEL=0
# This enables DNS block lists in Postscreen.
# Note: Emails will be rejected, if they don't pass the block list checks!
# **0** => DNS block lists are disabled
# 1 => DNS block lists are enabled
ENABLE_DNSBL=0
# If you enable Fail2Ban, don't forget to add the following lines to your `compose.yaml`:
# cap_add:
# - NET_ADMIN
# Otherwise, `nftables` won't be able to ban IPs.
ENABLE_FAIL2BAN=0
# Fail2Ban blocktype
# drop => drop packet (send NO reply)
# reject => reject packet (send ICMP unreachable)
FAIL2BAN_BLOCKTYPE=drop
# 1 => Enables Managesieve on port 4190
# empty => disables Managesieve
ENABLE_MANAGESIEVE=
# **enforce** => Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
# drop => Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
# ignore => Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
POSTSCREEN_ACTION=enforce
# empty => all daemons start
# 1 => only launch postfix smtp
SMTP_ONLY=
# Please read [the SSL page in the documentation](https://docker-mailserver.github.io/docker-mailserver/latest/config/security/ssl) for more information.
#
# empty => SSL disabled
# letsencrypt => Enables Let's Encrypt certificates
# custom => Enables custom certificates
# manual => Let's you manually specify locations of your SSL certificates for non-standard cases
# self-signed => Enables self-signed certificates
SSL_TYPE=letsencrypt
# These are only supported with `SSL_TYPE=manual`.
# Provide the path to your cert and key files that you've mounted access to within the container.
SSL_CERT_PATH=
SSL_KEY_PATH=
# Optional: A 2nd certificate can be supported as fallback (dual cert support), eg ECDSA with an RSA fallback.
# Useful for additional compatibility with older MTA and MUA (eg pre-2015).
SSL_ALT_CERT_PATH=
SSL_ALT_KEY_PATH=
# Set how many days a virusmail will stay on the server before being deleted
# empty => 7 days
VIRUSMAILS_DELETE_DELAY=
# Configure Postfix `virtual_transport` to deliver mail to a different LMTP client (default is a dovecot socket).
# Provide any valid URI. Examples:
#
# empty => `lmtp:unix:/var/run/dovecot/lmtp` (default, configured in Postfix main.cf)
# `lmtp:unix:private/dovecot-lmtp` (use socket)
# `lmtps:inet:<host>:<port>` (secure lmtp with starttls)
# `lmtp:<kopano-host>:2003` (use kopano as mailstore)
POSTFIX_DAGENT=
# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default).
#
# empty => 0
POSTFIX_MAILBOX_SIZE_LIMIT=
# See https://docker-mailserver.github.io/docker-mailserver/edge/config/user-management/accounts/#notes
# 0 => Dovecot quota is disabled
# 1 => Dovecot quota is enabled
ENABLE_QUOTAS=1
# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!)
#
# empty => 10240000 (~10 MB)
POSTFIX_MESSAGE_SIZE_LIMIT=
# Mails larger than this limit won't be scanned.
# ClamAV must be enabled (ENABLE_CLAMAV=1) for this.
#
# empty => 25M (25 MB)
CLAMAV_MESSAGE_SIZE_LIMIT=
# Enables regular pflogsumm mail reports.
# This is a new option. The old REPORT options are still supported for backwards compatibility. If this is not set and reports are enabled with the old options, logrotate will be used.
#
# not set => No report
# daily_cron => Daily report for the previous day
# logrotate => Full report based on the mail log when it is rotated
PFLOGSUMM_TRIGGER=
# Recipient address for pflogsumm reports.
#
# not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
# => Specify the recipient address(es)
PFLOGSUMM_RECIPIENT=
# Sender address (`FROM`) for pflogsumm reports if pflogsumm reports are enabled.
#
# not set => Use REPORT_SENDER
# => Specify the sender address
PFLOGSUMM_SENDER=
# Interval for logwatch report.
#
# none => No report is generated
# daily => Send a daily report
# weekly => Send a report every week
LOGWATCH_INTERVAL=
# Recipient address for logwatch reports if they are enabled.
#
# not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
# => Specify the recipient address(es)
LOGWATCH_RECIPIENT=
# Sender address (`FROM`) for logwatch reports if logwatch reports are enabled.
#
# not set => Use REPORT_SENDER
# => Specify the sender address
LOGWATCH_SENDER=
# Defines who receives reports if they are enabled.
# **empty** => ${POSTMASTER_ADDRESS}
# => Specify the recipient address
REPORT_RECIPIENT=
# Defines who sends reports if they are enabled.
# **empty** => mailserver-report@${DOMAINNAME}
# => Specify the sender address
REPORT_SENDER=
# Changes the interval in which log files are rotated
# **weekly** => Rotate log files weekly
# daily => Rotate log files daily
# monthly => Rotate log files monthly
#
# Note: This Variable actually controls logrotate inside the container
# and rotates the log files depending on this setting. The main log output is
# still available in its entirety via `docker logs mail` (Or your
# respective container name). If you want to control logrotation for
# the Docker-generated logfile see:
# https://docs.docker.com/config/containers/logging/configure/
#
# Note: This variable can also determine the interval for Postfix's log summary reports, see [`PFLOGSUMM_TRIGGER`](#pflogsumm_trigger).
LOGROTATE_INTERVAL=weekly
# If enabled, employs `reject_unknown_client_hostname` to sender restrictions in Postfix's configuration.
#
# - **0** => Disabled
# - 1 => Enabled
POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
# Choose TCP/IP protocols for postfix to use
# **all** => All possible protocols.
# ipv4 => Use only IPv4 traffic. Most likely you want this behind Docker.
# ipv6 => Use only IPv6 traffic.
#
# Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
POSTFIX_INET_PROTOCOLS=all
# Choose TCP/IP protocols for dovecot to use
# **all** => Listen on all interfaces
# ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
# ipv6 => Listen only on IPv6 interfaces.
#
# Note: More information at https://dovecot.org/doc/dovecot-example.conf
DOVECOT_INET_PROTOCOLS=all
# -----------------------------------------------
# --- SpamAssassin Section ----------------------
# -----------------------------------------------
ENABLE_SPAMASSASSIN=0
# deliver spam messages in the inbox (eventually tagged using SA_SPAM_SUBJECT)
SPAMASSASSIN_SPAM_TO_INBOX=1
# KAM is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation.
# If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
# - **0** => KAM disabled
# - 1 => KAM enabled
#
# Note: only has an effect if `ENABLE_SPAMASSASSIN=1`
ENABLE_SPAMASSASSIN_KAM=0
# spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required)
MOVE_SPAM_TO_JUNK=1
# add spam info headers if at, or above that level:
SA_TAG=2.0
# add 'spam detected' headers at that level
SA_TAG2=6.31
# triggers spam evasive actions
SA_KILL=10.0
# add tag to subject if spam detected
SA_SPAM_SUBJECT=***SPAM*****
# -----------------------------------------------
# --- Fetchmail Section -------------------------
# -----------------------------------------------
ENABLE_FETCHMAIL=0
# The interval to fetch mail in seconds
FETCHMAIL_POLL=300
# Enable or disable `getmail`.
#
# - **0** => Disabled
# - 1 => Enabled
ENABLE_GETMAIL=0
# The number of minutes for the interval. Min: 1; Max: 30.
GETMAIL_POLL=5
# -----------------------------------------------
# --- LDAP Section ------------------------------
# -----------------------------------------------
# A second container for the ldap service is necessary (i.e. https://github.com/osixia/docker-openldap)
# with the :edge tag, use ACCOUNT_PROVISIONER=LDAP
# empty => LDAP authentication is disabled
# 1 => LDAP authentication is enabled
ENABLE_LDAP=
# empty => no
# yes => LDAP over TLS enabled for Postfix
LDAP_START_TLS=
# If you going to use the mailserver in combination with Docker Compose you can set the service name here
# empty => mail.domain.com
# Specify the dns-name/ip-address where the ldap-server
LDAP_SERVER_HOST=
# empty => ou=people,dc=domain,dc=com
# => e.g. LDAP_SEARCH_BASE=dc=mydomain,dc=local
LDAP_SEARCH_BASE=
# empty => cn=admin,dc=domain,dc=com
# => take a look at examples of SASL_LDAP_BIND_DN
LDAP_BIND_DN=
# empty** => admin
# => Specify the password to bind against ldap
LDAP_BIND_PW=
# e.g. `"(&(mail=%s)(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for users
LDAP_QUERY_FILTER_USER=
# e.g. `"(&(mailGroupMember=%s)(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for groups
LDAP_QUERY_FILTER_GROUP=
# e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for aliases
LDAP_QUERY_FILTER_ALIAS=
# e.g. `"(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for domains
LDAP_QUERY_FILTER_DOMAIN=
# -----------------------------------------------
# --- Dovecot Section ---------------------------
# -----------------------------------------------
# empty => no
# yes => LDAP over TLS enabled for Dovecot
DOVECOT_TLS=
# e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
DOVECOT_USER_FILTER=
# e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
DOVECOT_PASS_FILTER=
# Define the mailbox format to be used
# default is maildir, supported values are: sdbox, mdbox, maildir
DOVECOT_MAILBOX_FORMAT=maildir
# empty => no
# yes => Allow bind authentication for LDAP
# https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
DOVECOT_AUTH_BIND=
# -----------------------------------------------
# --- Postgrey Section --------------------------
# -----------------------------------------------
ENABLE_POSTGREY=0
# greylist for N seconds
POSTGREY_DELAY=300
# delete entries older than N days since the last time that they have been seen
POSTGREY_MAX_AGE=35
# response when a mail is greylisted
POSTGREY_TEXT="Delayed by Postgrey"
# whitelist host after N successful deliveries (N=0 to disable whitelisting)
POSTGREY_AUTO_WHITELIST_CLIENTS=5
# -----------------------------------------------
# --- SASL Section ------------------------------
# -----------------------------------------------
ENABLE_SASLAUTHD=0
# empty => pam
# `ldap` => authenticate against ldap server
# `shadow` => authenticate against local user db
# `mysql` => authenticate against mysql db
# `rimap` => authenticate against imap server
# Note: can be a list of mechanisms like pam ldap shadow
SASLAUTHD_MECHANISMS=
# empty => None
# e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
SASLAUTHD_MECH_OPTIONS=
# empty => Use value of LDAP_SERVER_HOST
# Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
SASLAUTHD_LDAP_SERVER=
# empty => Use value of LDAP_BIND_DN
# specify an object with privileges to search the directory tree
# e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
# e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
SASLAUTHD_LDAP_BIND_DN=
# empty => Use value of LDAP_BIND_PW
SASLAUTHD_LDAP_PASSWORD=
# empty => Use value of LDAP_SEARCH_BASE
# specify the search base
SASLAUTHD_LDAP_SEARCH_BASE=
# empty => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
# e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
# e.g. for openldap: `(&(uid=%U)(objectClass=person))`
SASLAUTHD_LDAP_FILTER=
# empty => no
# yes => LDAP over TLS enabled for SASL
# If set to yes, the protocol in SASLAUTHD_LDAP_SERVER must be ldap:// or missing.
SASLAUTHD_LDAP_START_TLS=
# empty => no
# yes => Require and verify server certificate
# If yes you must/could specify SASLAUTHD_LDAP_TLS_CACERT_FILE or SASLAUTHD_LDAP_TLS_CACERT_DIR.
SASLAUTHD_LDAP_TLS_CHECK_PEER=
# File containing CA (Certificate Authority) certificate(s).
# empty => Nothing is added to the configuration
# Any value => Fills the `ldap_tls_cacert_file` option
SASLAUTHD_LDAP_TLS_CACERT_FILE=
# Path to directory with CA (Certificate Authority) certificates.
# empty => Nothing is added to the configuration
# Any value => Fills the `ldap_tls_cacert_dir` option
SASLAUTHD_LDAP_TLS_CACERT_DIR=
# Specify what password attribute to use for password verification.
# empty => Nothing is added to the configuration but the documentation says it is `userPassword` by default.
# Any value => Fills the `ldap_password_attr` option
SASLAUTHD_LDAP_PASSWORD_ATTR=
# empty => `bind` will be used as a default value
# `fastbind` => The fastbind method is used
# `custom` => The custom method uses userPassword attribute to verify the password
SASLAUTHD_LDAP_AUTH_METHOD=
# Specify the authentication mechanism for SASL bind
# empty => Nothing is added to the configuration
# Any value => Fills the `ldap_mech` option
SASLAUTHD_LDAP_MECH=
# -----------------------------------------------
# --- SRS Section -------------------------------
# -----------------------------------------------
# envelope_sender => Rewrite only envelope sender address (default)
# header_sender => Rewrite only header sender (not recommended)
# envelope_sender,header_sender => Rewrite both senders
# An email has an "envelope" sender (indicating the sending server) and a
# "header" sender (indicating who sent it). More strict SPF policies may require
# you to replace both instead of just the envelope sender.
SRS_SENDER_CLASSES=envelope_sender
# empty => Envelope sender will be rewritten for all domains
# provide comma separated list of domains to exclude from rewriting
SRS_EXCLUDE_DOMAINS=
# empty => generated when the image is built
# provide a secret to use in base64
# you may specify multiple keys, comma separated. the first one is used for
# signing and the remaining will be used for verification. this is how you
# rotate and expire keys
SRS_SECRET=
# -----------------------------------------------
# --- Default Relay Host Section ----------------
# -----------------------------------------------
# Setup relaying all mail through a default relay host
#
# empty => don't configure default relay host
# default host and optional port to relay all mail through
DEFAULT_RELAY_HOST=
# -----------------------------------------------
# --- Multi-Domain Relay Section ----------------
# -----------------------------------------------
# Setup relaying for multiple domains based on the domain name of the sender
# optionally uses usernames and passwords in postfix-sasl-password.cf and relay host mappings in postfix-relaymap.cf
#
# empty => don't configure relay host
# default host to relay mail through
RELAY_HOST=
# empty => 25
# default port to relay mail
RELAY_PORT=25
# empty => no default
# default relay username (if no specific entry exists in postfix-sasl-password.cf)
RELAY_USER=
# empty => no default
# password for default relay user
RELAY_PASSWORD=
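Review bot: `ENABLE_RSPAMD=1` is set while `ENABLE_POLICYD_SPF=1`, `ENABLE_OPENDMARC=1` and `ENABLE_AMAVIS=1` stay on, although the file's own comment above `ENABLE_POLICYD_SPF` says to disable it when Rspamd is used; Rspamd performs SPF/DMARC checks and content filtering itself, so the legacy filters duplicate work and can double-penalise mail. Setting `ENABLE_POLICYD_SPF=0`, `ENABLE_OPENDMARC=0` and `ENABLE_AMAVIS=0` matches the Rspamd-only layout DMS documents. `ENABLE_FAIL2BAN=0` leaves ports 25/143/465/587/993 exposed with no brute-force throttling; enabling it requires the `cap_add: NET_ADMIN` that is commented out in the compose template. `DMS_DEBUG=0` is flagged by its own comment as removed in v11 and can go, and `ENABLE_OPENDKIM=0` means outbound mail is unsigned unless Rspamd's DKIM signing has been configured separately.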


@ -0,0 +1,36 @@
[global]
secret_file = {{ home_dir }}/secret/secret.txt
debug = false
;Set the paths where data will be stored at
static_root = {{ home_dir }}/static
media_root = {{ home_dir }}/media
;Advanced options, only uncomment if you know what you're doing:
;static_url = /static/
;media_url = /user-media/
;language_code = en-us
;time_zone = UTC
;redis_uri = redis://localhost:6379
[allowed_hosts]
allowed_host1 = {{ etebase_host }}
[database]
engine = django.db.backends.sqlite3
name = {{ home_dir }}/secret/db.sqlite3
[database-options]
; Add engine-specific options here, such as postgresql parameter key words
;[ldap]
;server = <The URL to your LDAP server>
;search_base = <Your search base>
;filter = <Your LDAP filter query. '%%s' will be substituted for the username>
; In case a cache TTL of 1 hour is too short for you, set `cache_ttl` to the preferred
; amount of hours a cache entry should be viewed as valid:
;cache_ttl = 5
;bind_dn = <Your LDAP "user" to bind as. Must be a bind user>
; Either specify the password directly, or provide a password file
;bind_pw = <The password to authenticate as your bind user>
;bind_pw_file = /path/to/the/file.txt
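Review bot: The template reads `{{ home_dir }}` for `secret_file`, `static_root`, `media_root` and the SQLite `name`, while the sibling Etebase systemd unit and vars.yml use `etebase_home_dir` (`/home/etebase`); unless `home_dir` is set at play or task level, rendering fails on the undefined variable, or with a permissive undefined setting yields paths such as `/secret/secret.txt` at the filesystem root. Either switch to `{{ etebase_home_dir }}` or state at the top of the template where its inputs come from, e.g. `; rendered by Ansible: home_dir and etebase_host are supplied by the play that installs this file`. The `secret/` directory holds both the Django secret and the database, so it is worth confirming that the task creating it sets a mode readable only by the `etebase` user; that task is not visible here.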


@ -0,0 +1,13 @@
[Unit]
Description=Etebase Server
[Service]
Type=simple
WorkingDirectory={{ etebase_home_dir }}/etebase
ExecStart={{ etebase_home_dir }}/venv/bin/uvicorn etebase_server.asgi:application --uds {{ etebase_socket_file }}
User=etebase
Group=etebase
Restart=always
[Install]
WantedBy=multi-user.target
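Review bot: `ExecStart` binds uvicorn to `--uds {{ etebase_socket_file }}` (`/var/run/etebase/etebase.sock` in vars.yml) but nothing in the unit creates `/run/etebase`; `/run` is a tmpfs, so unless a tmpfiles entry or playbook task recreates the directory on every boot, the socket bind fails and `Restart=always` loops. Adding `RuntimeDirectory=etebase` under `[Service]` makes systemd create `/run/etebase` owned by the `etebase` user at each start, and `After=network.target` under `[Unit]` is also missing. `NoNewPrivileges=true` and `PrivateTmp=true` are low-risk sandboxing additions for a service that only needs its home directory and the socket.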


@ -0,0 +1,19 @@
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
[Service]
# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
# LimitNOFILE=524288:524288
RestartSec=2s
Type=notify
User=git
Group=git
WorkingDirectory=/var/lib/gitea/
ExecStart=/opt/gitea/gitea web --config /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
[Install]
WantedBy=multi-user.target
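Review bot: The service runs as `git` but declares no sandboxing, so a compromised web process sees everything that user can reach; `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` with `ReadWritePaths=/var/lib/gitea` are the usual minimal set and fit the paths the unit already names (`/var/lib/gitea`, `/etc/gitea`, `/home/git`). `After=syslog.target` is obsolete on journald systems and can be dropped. If Gitea is backed by a local database service, an `After=`/`Wants=` on that service is also absent; whether one exists is not visible from this unit.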


@ -0,0 +1,2 @@
User-agent: *
Disallow: /


@ -0,0 +1,14 @@
[Unit]
Description=Act Runner (Gitea runner)
After=syslog.target
After=network.target
[Service]
Type=simple
User=runner
WorkingDirectory=/home/runner
ExecStart=/usr/local/bin/act_runner daemon
Restart=always
[Install]
WantedBy=multi-user.target
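Review bot: The daemon executes workflow code from repositories as `runner`, yet the unit declares no ordering on the container runtime; if the runner uses the docker backend (not visible here), `After=docker.service` and `Wants=docker.service` avoid a start-up race after reboot, and membership of `runner` in the docker group should be treated as root-equivalent when deciding what else that account can reach. `ExecStart=/usr/local/bin/act_runner daemon` passes no `--config`, so the daemon falls back to defaults relative to `/home/runner`; a comment such as `# config and registration state are read from WorkingDirectory (/home/runner)` would make that dependency explicit. `After=syslog.target` is obsolete, as in the Gitea unit.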

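--- a/vars.yml
+++ b/vars.yml
@@ -0,0 +1,6 @@
+# Etebase
+etebase_home_dir: "/home/etebase"
+etebase_socket_file: "/var/run/etebase/etebase.sock"
+# Woodpecker-CI
+woodpecker_port: 8000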
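Review bot: `etebase_socket_file` points under `/var/run`, which on current distributions is only a compatibility symlink to `/run`; `"/run/etebase/etebase.sock"` avoids the indirection and matches the directory a `RuntimeDirectory=etebase` line in the Etebase unit would create. The file has no `---` document-start marker, unlike the playbooks in this commit. The `# Etebase` comment could also name the consumers of these values, e.g. `# Etebase — used by the etebase systemd unit template`, since the Etebase config template in this commit reads a differently named `home_dir`.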

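--- a/vaulted_vars.yml
+++ b/vaulted_vars.yml
@@ -0,0 +1,26 @@
+$ANSIBLE_VAULT;1.1;AES256
+36356136316362333433633437376461633266386632623033363063356333626563383137633537
+6639396663356664333066363439373563356135303233300a623032663363383034376332333161
+35623832326631363336626230373463323364643835633239316236663764303535313036623935
+3061363462386231620a666635323634653263326366666135383164343035303364333462306361
+33396164313631643861633936633839303463343033313634633037383737303234336339333563
+37303035623337383333373365396133366232636436613434666462633630393530373063643965
+38623739306437383364393265633065306564346365373665656265366335616334646634653362
+37396633643763646639316466356634313739323261313832393132313132653139376539626164
+61376339373239613839333038333831396433353733666237303939613465343739306331666632
+37326638643533333433393135646439666363393034353539353938623035373937383262303834
+65663538396639383663613462336361623765373165643965323031663663313037633534393466
+65393534656564353839356534666633646430613363653334386238323436663137653662356636
+32626634646262393963366463303330613864613339356432303931653564333466366333666530
+38643534383164666664343864303366616562306364623164313035653332623363353438363933
+38656662623033316631393065393563636439373562333137656538313363376461613731393566
+62366262353430316330393431366632306439386533313030353662663131633334623034613466
+65376561616364663434313531316565643734363766333065636166613733393030306464626238
+65626234363232643063626561313133363638383935306463656461383461666363633637663237
+65316665393364303133656662373166306261306663303437306537363938373638633330376438
+33323461353933303265386636643631663035336138613331363563326534336431353532356438
+31373865393935306462346462396661656438336232613233623437313261633232616534636661
+31336366373739353632386530356435343163656135323866326361356334636663393464333661
+64346230323162636561323930663735666531373765363538383165366632306566343662313438
+66613264643532646130663733376362323364656536303930323035363065643330323166666364
+63376131316533396232336335653836376666346638643930623365356530333264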