diff --git a/ansible-create_mailrelay.yml b/ansible-create_mailrelay.yml
new file mode 100644
index 0000000..6bd9ee3
--- /dev/null
+++ b/ansible-create_mailrelay.yml
@@ -0,0 +1,242 @@ +--- +- name: Setup and Configure Mail Relay Docker Container + hosts: your_target_host + become: true + vars: + mail_relay_dir: /mnt/docker/mail-relay + conf_dir: "{{ mail_relay_dir }}/conf" + mail_relay_password: "{{ lookup('community.general.random_string', length=10, special=false) }}" + certificate_subject: "/C=DE/ST=Germany/L=NRW/O=Asmodee Group/OU=Mail-Relay/CN=localhost/name=Mail-Relay/emailAddress=it-admin@asmodee.de" + + tasks: + - name: Create necessary directories + file: + path: "{{ item }}" + state: directory + loop: + - "{{ mail_relay_dir }}" + - "{{ conf_dir }}" + - "{{ mail_relay_dir }}/spool" + - "{{ mail_relay_dir }}/sasl2" + + - name: Create Dockerfile for mail relay + copy: + dest: /mnt/docker/mail-relay/mail-relay.Dockerfile + content: | + FROM alpine:3.17 + RUN apk add --no-cache bash net-tools tzdata busybox-extras postfix cyrus-sasl cyrus-sasl-static cyrus-sasl-login + RUN echo 'saslauthd -a sasldb -V; postfix start-fg' | tee /start.sh; chmod 755 /start.sh + CMD /start.sh + + - name: Create Docker Compose file + copy: + dest: /mnt/docker/mail-relay/docker-compose.yaml + content: | + version: "3" + services: + mail-relay: + image: mail-relay-custom + build: + context: . 
+ dockerfile: ./mail-relay.Dockerfile + container_name: mail-relay + restart: unless-stopped + healthcheck: + test: ( grep -qr "master" /proc/*/status && grep -qr "saslauthd" /proc/*/status ) || exit 1 + interval: 1m + timeout: 30s + retries: 3 + volumes: + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + - ./main.cf:/etc/postfix/main.cf:ro + - ./master.cf:/etc/postfix/master.cf:ro + - ./conf:/etc/postfix/conf + - ./spool:/var/spool/postfix + - ./sasl2:/etc/sasl2 + networks: + default: + name: build + external: true + + - name: Create main.cf Postfix configuration file + copy: + dest: "{{ conf_dir }}/main.cf" + content: | + # Global Postfix configuration file + alias_maps = lmdb:/etc/postfix/conf/aliases + alias_database = lmdb:/etc/postfix/conf/aliases + myhostname = mail-relay + mynetworks_style = host + inet_interfaces = all + inet_protocols = ipv4 + message_size_limit = 10240000 + soft_bounce = no + + # Queue Time + bounce_queue_lifetime = 10h + maximal_queue_lifetime = 12h + maximal_backoff_time = 15m + minimal_backoff_time = 5m + queue_run_delay = 5m + + # TLS for smtp + smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache + smtp_tls_loglevel = 1 + smtp_tls_security_level = secure + smtp_tls_mandatory_ciphers = high + smtp_tls_secure_cert_match = nexthop + smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt + + # Send over Smarthost (outgoing Emails) + smtp_connection_cache_on_demand = no + smtp_sender_dependent_authentication = yes + smtp_sasl_type = cyrus + smtp_sasl_auth_enable = yes + smtp_sasl_auth_soft_bounce = yes + smtp_sasl_security_options = noplaintext, noanonymous + smtp_sasl_tls_security_options = noanonymous + smtp_sasl_password_maps = lmdb:/etc/postfix/conf/smtp_sasl_password_maps + sender_dependent_relayhost_maps = lmdb:/etc/postfix/conf/sender_dependent_relayhost_maps + + # Cleanup the Header + smtp_header_checks = regexp:/etc/postfix/conf/smtp_header_checks + + # SASL authentication (incoming Emails) + 
broken_sasl_auth_clients = no + smtpd_tls_auth_only = no + smtpd_sasl_auth_enable = yes + smtpd_sasl_security_options = noanonymous + smtpd_sasl_tls_security_options = noanonymous + smtpd_sender_restrictions = permit_sasl_authenticated, reject_unauth_destination + smtpd_relay_restrictions = $smtpd_sender_restrictions + + # TLS for smtpd + smtpd_tls_security_level = may + smtpd_tls_cert_file = /etc/postfix/conf/server.crt + smtpd_tls_key_file = /etc/postfix/conf/server.key + + # connection limits + smtpd_client_connection_rate_limit = 0 + smtpd_client_connection_count_limit = 0 + + # Logging for Docker Container + maillog_file = /dev/stdout + + - name: Create master.cf Postfix configuration file + copy: + dest: "{{ conf_dir }}/master.cf" + content: | + # Postfix master process configuration file + # + # ========================================================================== + # service type private unpriv chroot wakeup maxproc command + args + # (yes) (yes) (no) (never) (100) + # ========================================================================== + smtp inet n - n - - smtpd + -o syslog_name=postfix/smtp + submission inet n - n - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_tls_auth_only=yes + smtps inet n - n - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + pickup unix n - n 60 1 pickup + cleanup unix n - n - 0 cleanup + qmgr unix n - n 300 1 qmgr + tlsmgr unix - - n 1000? 1 tlsmgr + rewrite unix - - n - - trivial-rewrite + bounce unix - - n - 0 bounce + defer unix - - n - 0 bounce + trace unix - - n - 0 bounce + verify unix - - n - 1 verify + flush unix n - n 1000? 
0 flush + proxymap unix - - n - - proxymap + proxywrite unix - - n - 1 proxymap + smtp unix - - n - - smtp + relay unix - - n - - smtp + -o syslog_name=postfix/$service_name + showq unix n - n - - showq + error unix - - n - - error + retry unix - - n - - error + discard unix - - n - - discard + local unix - n n - - local + virtual unix - n n - - virtual + lmtp unix - - n - - lmtp + anvil unix - - n - 1 anvil + scache unix - - n - 1 scache + postlog unix-dgram n - n - 1 postlogd + + - name: Generate RSA private key + openssl_privatekey: + path: "{{ conf_dir }}/server.key" + size: 4096 + + - name: Generate a Self Signed OpenSSL certificate + openssl_certificate: + path: "{{ conf_dir }}/server.crt" + privatekey_path: "{{ conf_dir }}/server.key" + subject: "{{ certificate_subject }}" + provider: selfsigned + + - name: Set permissions for server.key + file: + path: "{{ conf_dir }}/server.key" + mode: '0644' + + - name: Create smtp_sasl_password_maps file + copy: + dest: "{{ conf_dir }}/smtp_sasl_password_maps" + content: "mail@notifications.asmodee.de apikey:{{ password }}" + mode: '0600' + + - name: Create sender_dependent_relayhost_maps file + copy: + dest: "{{ conf_dir }}/sender_dependent_relayhost_maps" + content: "mail@notifications.asmodee.de [smtp.sendgrid.net]:" + + - name: Create aliases file + file: + path: "{{ conf_dir }}/aliases" + state: touch + + - name: Create smtp_header_checks file + copy: + dest: "{{ conf_dir }}/smtp_header_checks" + content: | + /^Received:/ IGNORE + /^User-Agent:/ IGNORE + /^Message-ID:/ IGNORE + /^X-Originating-ip:/ IGNORE + /^X-Forward:/ IGNORE + /^X-Mailer:/ IGNORE + /^X-Virus-/ IGNORE + /^X-Spam-/ IGNORE + + - name: Start Docker container with Docker Compose + community.docker.docker_compose: + project_src: "{{ mail_relay_dir }}" + state: present + restarted: yes + + - name: Update Postfix maps and aliases + community.docker.docker_container_exec: + container: mail-relay + command: "{{ item }}" + loop: + - "postmap 
/etc/postfix/conf/smtp_sasl_password_maps" + - "postmap /etc/postfix/conf/sender_dependent_relayhost_maps" + - "postalias /etc/postfix/conf/aliases" + + - name: Configure SASL password and permissions + community.docker.docker_container_exec: + container: mail-relay + command: "sh -c 'echo {{ mail_relay_password }} | saslpasswd2 -c -p -u mail-relay relay-apikey; chmod 640 /etc/sasl2/sasldb2; chown root:postfix /etc/sasl2/sasldb2'" + + - name: List SASL users + community.docker.docker_container_exec: + container: mail-relay + command: "sasldblistusers2" diff --git a/ansible-create_unify.yml b/ansible-create_unify.yml new file mode 100644 index 0000000..41472f1 --- /dev/null +++ b/ansible-create_unify.yml 
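Review bot: The `Set permissions for server.key` task loosens the freshly generated TLS private key to `mode: '0644'`, leaving it world-readable on the host and inside the bind-mounted `./conf` volume; Postfix reads the key as root, so nothing needs it relaxed — drop the task or set `mode: '0600'`. The `smtp_sasl_password_maps` content references `{{ password }}`, which is not among the play's `vars` (only `mail_relay_password` is defined), so that task fails on an undefined variable unless the value is supplied from outside the playbook. The SASL secret is also handed to the container as `sh -c 'echo {{ mail_relay_password }} | saslpasswd2 …'`, which exposes it in the container's process list and in Ansible's task output, and since the random value is never recorded anywhere the relay's clients cannot learn it afterwards; passing it through the module's `stdin` option with `no_log: true` on the task, and persisting it deliberately, fixes both. Separately, the compose file mounts `./main.cf` and `./master.cf` relative to `{{ mail_relay_dir }}` while the playbook writes both files to `{{ conf_dir }}`, so those bind mounts point at paths that do not exist when the container starts. With `smtpd_tls_security_level = may` and `smtpd_tls_auth_only = no` in main.cf, the port-25 `smtp` service also accepts SASL credentials over an unencrypted session; `smtpd_tls_auth_only = yes` there (the `submission` service already sets it) keeps them off the wire in clear.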
@@ -0,0 +1,71 @@ +--- +- name: Setup UniFi Controller Docker Container + hosts: your_target_host + become: true + vars: + unifi_dir: /mnt/docker/unifi-controller + cert_dir: "{{ unifi_dir }}/data/cert" + cert_files: + - unifi-controller.asmodee.local.crt + - unifi-controller.asmodee.local.key + - root-ca.crt + + tasks: + - name: Create necessary directories + file: + path: "{{ item }}" + state: directory + loop: + - "{{ unifi_dir }}" + - "{{ cert_dir }}" + + - name: Create Docker Compose file for UniFi Controller + copy: + dest: "{{ unifi_dir }}/docker-compose.yaml" + content: | + version: "3" + services: + unifi-controller: + image: jacobalberty/unifi:latest + container_name: unifi-controller + restart: unless-stopped + healthcheck: + test: grep -qr "java" /proc/*/status || exit 1 + interval: 1m + timeout: 30s + retries: 3 + ports: + - 6789:6789 + - 8080:8080 + - 8443:8443 + - 8843:8843 + - 8880:8880 + - 3478:3478/udp + environment: + - RUNAS_UID0=false + volumes: + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + - ./data:/unifi + - ./run:/var/run/unifi + networks: + default: + name: build + external: true + + - name: Copy certificate files to UniFi directory + copy: + src: "{{ item }}" + dest: "{{ cert_dir }}/{{ item }}" + mode: '0600' + loop: "{{ cert_files }}" + + - name: Append certificate to chain file + command: + cmd: "cat {{ cert_dir }}/{{ cert_files[0] }} >> {{ cert_dir }}/chain.pem" + + - name: Start Docker container with Docker Compose + community.docker.docker_compose: + project_src: "{{ unifi_dir }}" + state: present + restarted: yes diff --git a/setups/install-ansible.sh b/setups/install-ansible.sh new file mode 100644 index 0000000..9ed788e --- /dev/null +++ b/setups/install-ansible.sh 
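Review bot: `Append certificate to chain file` runs `cat … >> … chain.pem` through the `command` module, which does not pass the line through a shell, so `>>` and the target path are handed to `cat` as file arguments and the task fails instead of writing chain.pem. Even under `shell` the task would not be idempotent: every run appends another copy of `{{ cert_files[0] }}`, and only the leaf certificate is appended although the list also carries `root-ca.crt`. Writing chain.pem with a `copy` whose `content` joins `lookup('file', …)` of the leaf and root certificates, with `mode: '0600'` like the other certificate files, gives a stable result on every run. `image: jacobalberty/unifi:latest` pulls whatever the tag points at on each (re)build, so pinning a tag or digest keeps the deployed controller reproducible. The `.key` is copied as root with `0600` while `RUNAS_UID0=false` runs the controller unprivileged — presumably the image's entrypoint adjusts ownership; confirm before relying on it.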
@@ -0,0 +1,39 @@ +#!/bin/bash + +# Ensure the script is run as root +if [ "$(id -u)" != "0" ]; then + echo "This script must be run as root" 1>&2 + exit 1 +fi + +# Update and Upgrade the System +apt update && apt upgrade -y + +# Install sudo and other necessary packages +apt install -y sudo openssh-server + +# Create the ansible user +useradd -m -s /bin/bash ansible + +# Set up SSH for the ansible user +mkdir -p /home/ansible/.ssh +chmod 700 /home/ansible/.ssh +touch /home/ansible/.ssh/authorized_keys +chmod 600 /home/ansible/.ssh/authorized_keys + +# Replace 'your_public_key' with the actual public key +echo 'your_public_key' > /home/ansible/.ssh/authorized_keys + +# Change ownership of the .ssh directory to the ansible user +chown -R ansible:ansible /home/ansible/.ssh + +# Configure sudo privileges +echo 'ansible ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/ansible + +# Ensure the sudoers file is secure +chmod 0440 /etc/sudoers.d/ansible + +# Install Ansible +apt install -y ansible + +echo "Ansible and user setup complete."
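Review bot: The script has no `set -euo pipefail`, so a failed `useradd` (user already present) or `apt` step does not stop it, and the later `echo 'your_public_key' > /home/ansible/.ssh/authorized_keys` then overwrites whatever key that existing account already trusted with the literal placeholder. Add `set -euo pipefail` after the shebang and take the key from an argument instead of an edit-me literal, e.g. `PUBKEY="${1:?public key required}"` followed by `echo "$PUBKEY" > /home/ansible/.ssh/authorized_keys`, so the script cannot install the placeholder. `apt` warns that its CLI is not stable for scripts; `apt-get` with `DEBIAN_FRONTEND=noninteractive` is the scripted form, and `apt upgrade -y` during provisioning is a large side effect worth a comment or a flag. Validating the new drop-in with `visudo -cf /etc/sudoers.d/ansible` before finishing guards against a parse error disabling sudo for every user.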