From 89ff8aa84c088378bb7637caa83ba2670495df21 Mon Sep 17 00:00:00 2001
From: Ivan Reshetnikov <ordinarydev@protonmail.com>
Date: Mon, 14 Oct 2024 20:18:00 +0500
Subject: [PATCH] Set up mail server

---
 forgejo.yml                        |   2 +-
 mail.yml                           |   5 +
 mastodon.yml                       |   2 +-
 roles/mail/tasks/main.yml          |  71 ++++++++++
 roles/mail/templates/maddy.conf.j2 | 175 +++++++++++++++++++++++++
 roles/mail/vars/main.yml           |   1 +
 vaulted_vars.yml                   | 199 +++++++++++++++--------------
 7 files changed, 358 insertions(+), 97 deletions(-)
 create mode 100644 mail.yml
 create mode 100644 roles/mail/tasks/main.yml
 create mode 100644 roles/mail/templates/maddy.conf.j2
 create mode 100644 roles/mail/vars/main.yml

diff --git a/forgejo.yml b/forgejo.yml
index 289861b..3170126 100644
--- a/forgejo.yml
+++ b/forgejo.yml
@@ -3,7 +3,7 @@
   roles:
     - role: forgejo
       postgresql_password: "{{ forgejo_postgresql_password }}"
-      smtp_password: "{{ forgejo_smtp_password }}"
+      smtp_password: "{{ mail_users.forgejo@comfycamp.space }}"
       oauth2_jwt_secret: "{{ forgejo_oauth2_jwt_secret }}"
       internal_token: "{{ forgejo_internal_token }}"
       secret_key: "{{ forgejo_secret_key }}"
diff --git a/mail.yml b/mail.yml
new file mode 100644
index 0000000..b8ef645
--- /dev/null
+++ b/mail.yml
@@ -0,0 +1,5 @@
+---
+- hosts: webservers
+  roles:
+    - role: mail
+      users: "{{ mail_users }}"
diff --git a/mastodon.yml b/mastodon.yml
index 36ecbd2..8139c02 100644
--- a/mastodon.yml
+++ b/mastodon.yml
@@ -7,5 +7,5 @@
       db_pass: "{{ mastodon_postgresql_password }}"
       otp_secret: "{{ mastodon_otp_secret }}"
       secret_key_base: "{{ mastodon_secret_key_base }}"
-      smtp_password: "{{ mastodon_smtp_password }}"
+      smtp_password: "{{ mail_users.mastodon@comfycamp.space }}"
       aws_secret_access_key: "{{ mastodon_aws_secret_access_key }}"
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
new file mode 100644
index 0000000..9906cc7
--- /dev/null
+++ b/roles/mail/tasks/main.yml
@@ -0,0 +1,71 @@
+---
+- name: Create mail network
+  become: true
+  community.docker.docker_network:
+    name: mail
+- name: Create maddy volume
+  become: true
+  community.docker.docker_volume:
+    name: maddy
+- name: Copy maddy config
+  become: true
+  ansible.builtin.template:
+    src: maddy.conf.j2
+    dest: /var/lib/docker/volumes/maddy/_data/maddy.conf
+  register: maddy_conf
+- name: Run maddy
+  become: true
+  community.docker.docker_container:
+    name: maddy
+    image: foxcpp/maddy:0.7.1
+    networks:
+      - name: mail
+    env:
+      MADDY_HOSTNAME: mail.comfycamp.space
+      MADDY_DOMAIN: comfycamp.space
+    ports:
+      - 25:25
+      - 143:143
+      - 465:465
+      - 587:587
+      - 993:993
+    volumes:
+      - maddy:/data
+      - /etc/letsencrypt/live/comfycamp.space/fullchain.pem:/etc/tls/fullchain.pem:ro
+      - /etc/letsencrypt/live/comfycamp.space/privkey.pem:/etc/tls/privkey.pem:ro
+    recreate: "{{ maddy_conf.changed }}"
+- name: Get users
+  become: true
+  community.docker.docker_container_exec:
+    container: maddy
+    argv: ["maddy", "creds", "list"]
+  register: maddy_users
+- name: Create users
+  become: true
+  community.docker.docker_container_exec:
+    container: maddy
+    argv: ["sh", "-c", "echo '{{ item.value }}' | maddy creds create {{ item.key }}"]
+  when: not item.key in maddy_users.stdout
+  no_log: True
+  loop: "{{ users | dict2items }}"
+- name: Update passwords
+  become: true
+  community.docker.docker_container_exec:
+    container: maddy
+    argv: ["sh", "-c", "echo '{{ item.value }}' | maddy creds password {{ item.key }}"]
+  no_log: True
+  loop: "{{ users | dict2items }}"
+- name: Get imap accounts
+  become: true
+  community.docker.docker_container_exec:
+    container: maddy
+    argv: ["maddy", "imap-acct", "list"]
+  register: maddy_imap_accounts
+- name: Create imap accounts
+  become: true
+  community.docker.docker_container_exec:
+    container: maddy
+    argv: ["maddy", "imap-acct", "create", "{{ item.key }}"]
+  when: not item.key in maddy_imap_accounts.stdout
+  no_log: True
+  loop: "{{ users | dict2items }}"
diff --git a/roles/mail/templates/maddy.conf.j2 b/roles/mail/templates/maddy.conf.j2
new file mode 100644
index 0000000..ebfecae
--- /dev/null
+++ b/roles/mail/templates/maddy.conf.j2
@@ -0,0 +1,175 @@
+## Maddy Mail Server
+
+# Base variables
+
+$(hostname) = {env:MADDY_HOSTNAME}
+$(primary_domain) = {env:MADDY_DOMAIN}
+$(local_domains) = $(primary_domain)
+
+#        public                 private
+tls file /etc/tls/fullchain.pem /etc/tls/privkey.pem
+
+# Local storage & authentication
+
+# pass_table provides local hashed passwords storage for authentication of
+# users. It can be configured to use any "table" module, in default
+# configuration a table in SQLite DB is used.
+# Table can be replaced to use e.g. a file for passwords. Or pass_table module
+# can be replaced altogether to use some external source of credentials (e.g.
+# PAM, /etc/shadow file).
+#
+# If table module supports it (sql_table does) - credentials can be managed
+# using 'maddy creds' command.
+
+auth.pass_table local_authdb {
+    table sql_table {
+        driver sqlite3
+        dsn credentials.db
+        table_name passwords
+    }
+}
+
+# imapsql module stores all indexes and metadata necessary for IMAP using a
+# relational database. It is used by IMAP endpoint for mailbox access and
+# also by SMTP & Submission endpoints for delivery of local messages.
+#
+# IMAP accounts, mailboxes and all message metadata can be inspected using
+# imap-* subcommands of maddy.
+
+storage.imapsql local_mailboxes {
+    driver sqlite3
+    dsn imapsql.db
+}
+
+# ----------------------------------------------------------------------------
+# SMTP endpoints + message routing
+
+hostname $(hostname)
+
+table.chain local_rewrites {
+    optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
+    optional_step static {
+        entry postmaster postmaster@$(primary_domain)
+    }
+    optional_step file /etc/maddy/aliases
+}
+
+msgpipeline local_routing {
+    # Insert handling for special-purpose local domains here.
+    # e.g.
+    # destination lists.example.org {
+    #     deliver_to lmtp tcp://127.0.0.1:8024
+    # }
+
+    destination postmaster $(local_domains) {
+        modify {
+            replace_rcpt &local_rewrites
+        }
+
+        deliver_to &local_mailboxes
+    }
+
+    default_destination {
+        reject 550 5.1.1 "User doesn't exist"
+    }
+}
+
+smtp tcp://0.0.0.0:25 {
+    limits {
+        # Up to 20 msgs/sec across max. 10 SMTP connections.
+        all rate 20 1s
+        all concurrency 10
+    }
+
+    dmarc yes
+    check {
+        require_mx_record
+        dkim
+        spf
+    }
+
+    source $(local_domains) {
+        reject 501 5.1.8 "Use Submission for outgoing SMTP"
+    }
+    default_source {
+        destination postmaster $(local_domains) {
+            deliver_to &local_routing
+        }
+        default_destination {
+            reject 550 5.1.1 "User doesn't exist"
+        }
+    }
+}
+
+submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
+    limits {
+        # Up to 50 msgs/sec across any amount of SMTP connections.
+        all rate 50 1s
+    }
+
+    auth &local_authdb
+
+    source $(local_domains) {
+        check {
+            authorize_sender {
+                prepare_email &local_rewrites
+                user_to_email identity
+            }
+        }
+
+        destination postmaster $(local_domains) {
+            deliver_to &local_routing
+        }
+        default_destination {
+            modify {
+                dkim $(primary_domain) $(local_domains) default
+            }
+            deliver_to &remote_queue
+        }
+    }
+    default_source {
+        reject 501 5.1.8 "Non-local sender domain"
+    }
+}
+
+target.remote outbound_delivery {
+    limits {
+        # Up to 20 msgs/sec across max. 10 SMTP connections
+        # for each recipient domain.
+        destination rate 20 1s
+        destination concurrency 10
+    }
+    mx_auth {
+        dane
+        mtasts {
+            cache fs
+            fs_dir mtasts_cache/
+        }
+        local_policy {
+            min_tls_level encrypted
+            min_mx_level none
+        }
+    }
+}
+
+target.queue remote_queue {
+    target &outbound_delivery
+
+    autogenerated_msg_domain $(primary_domain)
+    bounce {
+        destination postmaster $(local_domains) {
+            deliver_to &local_routing
+        }
+        default_destination {
+            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+        }
+    }
+}
+
+# ----------------------------------------------------------------------------
+# IMAP endpoints
+
+imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
+    auth &local_authdb
+    storage &local_mailboxes
+}
diff --git a/roles/mail/vars/main.yml b/roles/mail/vars/main.yml
new file mode 100644
index 0000000..bf82e98
--- /dev/null
+++ b/roles/mail/vars/main.yml
@@ -0,0 +1 @@
+users: {}
diff --git a/vaulted_vars.yml b/vaulted_vars.yml
index 7122171..f982271 100644
--- a/vaulted_vars.yml
+++ b/vaulted_vars.yml
@@ -1,96 +1,105 @@
 $ANSIBLE_VAULT;1.1;AES256
-63343761613930653938356262623436643464393561623536613262636539373936393535616432
-6237316564613462613061353465613939666134633961640a316436353566353339626266373161
-63666530323933613361613033623134383433336634343661303537316336366632316337356430
-3164303839376564320a356664363932383965303564616264646633643162616330346538336433
-32313039616332363966393730653738306433323730656434653335356265316233633261616534
-39323439353562343631336430646238336232663062373965636266353862323230363563636634
-39376363376431326362386561393234656462653363383962363862376430636462306161656338
-37396338356138383334396664666238613834633861656533356631643338323937656462313761
-64316363653366613165646337336537336132333631396439356262323034353265663334353033
-66663939323533373836343365643762383737306566396430323762373235663765623238356231
-61336232636663353764336139653931343064623566373435653836396434316431303065373332
-65353838333265666431643130313939323331643064393662663739363430363636356231643838
-35613336383334326533616637613839656161303664313761356533373538303964396231386430
-62306364646337356265666432323464343265613233343162313031353665306332306437656437
-33613834643839353639646637646433326665366530616362386130613734383937303933653463
-33333336316534616266663035363834336430303965623936653363373465663332393333646135
-61643766626339616632343739376633393335383535313463313434333336323134376437366637
-66656336663634316631616233663964646263626337626261373032386131363330653035373034
-63303035333434343839666534343563653761353064343035323634646564663236363365313366
-66336434313866633432393030656235383466376435373061616663663863306239656235653037
-65366361616366326163383733623666613065316463353863663365653530636432303932313235
-35656432333833363934666164326634646631346137663731613737313564333836393632323839
-36386563666465616561343961376266623533316461366431366433663330363932656231373434
-64623530373164323436393636383862373936633938646565616536383865616165623132383635
-30393262386438343634313937313865643832353939316539646662383166323966336231653139
-30363535323363353263613633373231623866646338656538383163613731643631623061366363
-32656332616433383463373334356538613365383632336532333939333863633033333339333265
-30336135373539353633393532363965663765353734366665336537393435616233306533373430
-34666236386430613831643836626136396233306634383561316664633831336535653562326338
-34666336343963616666343937653665666634653332353839373531383231393863316130353365
-61383465326564646333303861616337656636643032623732383565396331663430356139323835
-65396333666436643236353531353732373537306365323566366437653331616661316463393064
-32653736333037313438653432666237336435646565343239613434643437396535646532356538
-62643962353637313363376665376634346136633036366662303434613437326233613634373463
-65336266343631663639343031653761323665353734346565303065656132653265383634386665
-31666634303565363963336266653561343166333634383835383839616438363434373765396462
-34656364663564346430323436623636663034613936613831393634346262356137646364633537
-62643634366639663763613030653339626633373433346437613833643337303831613738356665
-34653237393231636665666233663833656436356163393163316439373532313664326336386563
-30383661616433663264613065343430393230373037363966383866353636316337656166373034
-33316232393834326163613230653830383064653831633936303939643331396535373633646532
-31303232626132353830316261353131636637343538363662343530396339646535653231343038
-34393333393839356538343838663330323961656233663466326132326363396131393964633639
-34306534653766343039363862373366613731303137613533636230306463366434663862633938
-37353334313562646563366339386330333462646533666561613536653434306135616464383436
-30633735636665346233623361373133623663663836323536396561346333383530386564613663
-30376639653330636161616462376462336238613235363762356232623863666638316561383034
-63323330626331623032363035646263396438336466356265656430366338336266663463616334
-61626163656133613562373432393066323839303333343261616564343761303130303064373265
-39633862656139383966636333613632376261323364633264343434353765346331313761356533
-66346662656261623161356332393733313862666330663666326463366230653435373032393461
-36333935393236343164323862346265303630373561613164663038653665313265613133303638
-31353038386537313064623838346262363266313763636661626535663337393235333635366462
-35663565666661373131323138393034613236373530333034636330353364623536643635626137
-39376634643230353466383664626565333137616330393030663338633931646535343266636537
-30363937396133333862396130393338306133626133663436303933313661356566323861316239
-33653433643438303565663263326362633039656433663333623565313235303630383466353862
-37303937646430626163353634323861613437336137346335636666633939396637633864353261
-65343831373735326435633461346436613732346639363338306133343332336239376539626137
-30633332353238323335363832643630373737613964666632333431366133663761316134303238
-31363165366637363933393835666636623430303832356563653738316364316635313434643434
-31336539323833386165343365383833383634643830323435393062373636646337333737323063
-30663435656165393331633166633738373963346161323137333035363766393539343635306330
-62323638636663373134313064623564656332386531396663653832316435633665316235616438
-31323766326164663736626333633031653865626566616464396231366639303338633835363163
-30353032353237363966363836653839393833373361383266666631356561303762356362613266
-39386161313236323431303237646164663431663730343164363766386433383631303230613462
-61613063653661396662313734383431303039393566306533376531363164653231316234623236
-32373333346332383663383433353234663565386361356333656634643539616230623162323939
-36646163303130323932326237346664346433623466396661323437626263353437336665636334
-35376633386532313830346661666365623566376161316430613139333430363732396665666437
-30356362613638366138326431643332386534653963316362656538363739653036356535353763
-38643635333136386536613663653133623339613330666263636362623165356339383735393162
-38633234333932343234613565373264363839323130363730323436306638306634356266653731
-30333238313361616338666334656130656639393830383633363035393131343863373162336464
-35386134656339306266633438636333333439336535306238393962376134633064376637383064
-32633565646230346533636339653466396338663936313734626265373232306230346434626533
-38613539646334303661633365643562613266303735666663356366383539666564616231366264
-66323533613131646631333864343238316166643631323633623339313861306163623363663034
-30656530316639646662653438636131393338323931386533313163393530633835623663353861
-30396665326539333964333333313833663762373463313930623033386362376135623732663330
-64323232613338353237303932623637353963633735636131356238623130616537366233303932
-34626565353963386533393936333636666337323737623738663537616464333032373930363761
-31303035623636633537633739316135396661326330653366666562633835326565663563653662
-66643634346263336530303936393030313063623962306664613465636630613265363834613766
-39383130313031636437343662393932633033393638323664376265343765666465326238616634
-38366433306232313461346661396230636164383932383031653631663164383462633132363330
-30333237383435346566336463353439663932653036323736316630366465323734616435343737
-66613935323434306334323733313838356635396166616133633036343330656665333535373030
-36306632346239333832616434373361303465663232393732636338663764386666356335663734
-64376230666339363763373637333033663232323466356538653738393931316337653566336664
-61653931626464623935663630613262366633383934393535303565343239383139386461613237
-34363735306136323338643731316336343866373032343964376630663765383334653262333532
-62313136326562353463623161353538336436663330303361333763353365623333383830353736
-353834646363363865643138663131653333
+65306365306665646137323736343038393135373664636564396535393833366537633965343865
+6162663664383133633730353734383065376331616364300a643466646539336233353261613461
+37303636393134613839663533383332633631643637663430336432343666393166303165306137
+6361623630366339320a653635353338623863666631633561383534343935336362383830346365
+61346566316165613938323863633534643835623561386439313862633035313933363938646165
+34386264353163303238313431343864373537363635643439356239306438656437373835343837
+30613933646130393739626435633861626665306633386234316261313233363363336531346262
+33396235323039646264393961396163343434623864653464343635346534366135363962356364
+30353239376435366563346361646437366437616530653066396266306236646137366265313263
+66323235356131653964643738646565346139383565346162373762663761306163636564333137
+39643835646166626265373966316639323836643738373534303339373631303932623236383530
+65316462336131653764633166363234373462323561326662366632356633623639306162633236
+31356231373266376264356137623230333664353166613637643636653165333737613538323063
+36306137303566616235323135363366303938643535323833303634393532353763323035306136
+39313834363231633934663137656639363064353763663565373265396632323065306133316335
+35323039333662323931396130656134653162303666316431393534633666656161626365316130
+63333435316165373535646535623530386133386532396361393936323764316265393838333830
+36323762616263326334316465633062626538336630336564353730373866316337333839396230
+32613539653662663131626235626434643934356338323762616538393136323237343831653339
+64623464356466306331653064646364386332333235616363373163613763643135373430316130
+35613735356436363664333538333535663963613533646334346466666638336662353961366432
+38313738663133373165643038326438343762663238656238373462366337336466353031313630
+63343537333161373835333632353137623434306134386365373230653035306535343433623133
+66313736303939643934666363663233613738393061656239323731663762613238303161656333
+65623365353239393039356563326539396536646332343037663237373364333731343030306435
+63303234626334633039663930636364383861323139326661323832313339656565393562353736
+31353938303862656564663032623164383331313431333337363561326539653163373530396635
+61373563353938303361636531633737623139613266306464613661343836356338333566363238
+30326262333139643066316335663033383137626562666163376437616433396533363962333731
+38623631393335396236306265666537313039393266633139636665393866666362656265313137
+64363231353064353734393939623330393437323361383931616338396434303361376164313562
+31326539653962613731643538646632353834623536333364373633363665303039613764353330
+32323432636266326239383032303139376539383932353937323433616235323037353235323637
+64653633613736306134313532666661663831333965353730643332623564343932636433663761
+39663431376362303162633862643664343665303364393764306166633131653563383636336138
+31623636333863353733666164656430306230633530373061356261323966333932653663663430
+66656462656139626135326330386231356263643964316266633064363362383766643930666132
+61323662653037326138613836326235333039376461636631396462393438646466653830343563
+62353762653264393663653930623839373665376630366261376133386132303363323463623365
+34353433303762383933313634643636373063396234656335346662383665353262323730656435
+34653139383162373936336638353734626530666534663039366137613139396439373261653365
+38346361386266383535353438356362363138663838343166346564633632643937616532653637
+64366466623161663361393238333366366335613431326539383733613366303739383963623863
+64313039316265303330393037363565336537326539643230356639353061616365353336396133
+35386438653064373166383733353538633761653833336135333864633330306664633439346530
+31356266343461666231376233656530616162373931666231343630343335666136663161333565
+61386461386131386439303031643236303761333039613930633763326635393533656230303936
+32363664326138363532313532383237336335333933336131306236323862343933303335326533
+33313535343337313537623665366438303665353339653738323533386663633263343561613563
+35326239343537666363643264623362356134313534646639393266303066306439316632313762
+37333433313436646430363930623961663064386331383866613065383065346330386631323464
+36383465633435386233396132646138623363383238383531326166323965313434613136663538
+32616366303035393438333438663834613539313530356165626362343139373764653338623033
+61353464323766613635363735353037393064666263396631373466313633333362396130396462
+61333237663932343330343363626639326138343134383235313863346265346438663839306364
+65373533643032366234323436343033316365323037623639353462373233633835316664366334
+66666365343465616236316235663537633432623630643538626165363431316439626162326436
+33363038393538366439623463393931333130383431373765636238373937653234366265386532
+35646138653330376462633564393265386230313766323365663837323135376434326666636634
+32623662616336326464623235356265393339363734373837343061663733633262376634363931
+35633335336265383433346238373231303731646164323330336162653866656437636431663461
+36303136666538613164386134363961393735396661373763663565333932633063666162313533
+63386430353165303965383938623562313064666263613561613465393038383963643162386164
+63363539313863396566343333623533646433383863366435383665373434393534366139356336
+64396539653264623834616439626636373432353535313930326138653738613361373036646138
+33636566306664356464333964636666613937393432336235333136376531353461393832663231
+38646633386537353936643431386161663833666139393439636334626537396264653233636366
+39333337353864653862613062313438643165346638393265393530333236353732626265383864
+65376665646464363333623861313438643136386639373666383061353266633037346335363364
+61616462353566316538663366346135363366393666653031646161316232626432616131333063
+36353063633465616166333364666366366637636134366532396132653062306238346362303436
+63316530666338393465346539353434376137353637666462383430306535383536396633656236
+63663065623062366632303532636361613532393636363161656134643361616435336365633534
+62386134353261356137353364363333626366633661663230316335396363336333646661643066
+30613335636362653638313434373831336334353733313561303431663234313062376165653037
+64326138313434616264356338396365646166393931323938363963373138343534363832376330
+35643435353363326333363033616338323932626535376639626636656136643334346332653935
+38636464663634353838303430663930613734633861333166626564383965373937323166663134
+33646665393035333534666537303362616338356131383963306461633761636534336437376435
+31306630373164343666346535353632343062396665346562653633366230333938616337326231
+31363064333466316565316534663766623464623263333239336637356233636664646361326465
+66613637663832656537356463643937656132306238323364386136313830373139336161616333
+66376537386238626338376133363337343838396634616238336337633439393937653661323466
+65363665313861663763663533653033366632333065396633303237383865613030623031613438
+36343464636435303662346232386234623565323064393035396532303131376235316636316433
+31633734633465343636366464623362396130313035653235613131646334643631316639353363
+33376334326466383534653465623139343966383439636263663365336238653338373361346463
+63653632326463643334653764643637393732336438323163343766656630656439336662376466
+31393036303165366562373433663730656538366135396338383965383937383164313531393236
+37353036663935393133643937646634643061643137633335363736333265336363643838663662
+31393765373336333861656430323032663266353266373130636664343830353266616236346262
+66366434356538616539316666366333626532663730356432333731326431633532316334326661
+61316163386465356466666433363031363333343262333463306631613364653931336265363565
+35393838643639383034353030303362306337363263393637336336663138373062383634303937
+38663533326566363437613935323338336234626365613564313236353966616439343463336233
+61626361633961626532373363323634313936636536613961346339343964353233626666386237
+30663037356230383533393065633066656331373964343536373335613039366538623661656565
+32303037333066393732613934626439396364306564343636656637633762396266393339356334
+37383063643339396233346230323765656437373265316431373863663934376365333630366338
+31353965386133393961333733363861636666666634343632373665643533666630303936386232
+34623831373733356238386430363736393963393433323363353766366532663563306339623361
+65643533663563323763643337396231343266643831363239313361646635626665653731343663
+36396361623863366362626136306439383636663762633430383435383362626430646261326165
+63616538633363616530