From 12be7a5f8dd9d48ddea3994a57d8ee3601b09b1e Mon Sep 17 00:00:00 2001 From: lhahn Date: Mon, 29 Jul 2024 18:52:15 +0200 Subject: [PATCH] Adopt floating --- defaults/main.yml | 5 ++ templates/opt/mailcow/mailcow.conf.j2 | 75 ++++++++++++++++++++++----- 2 files changed, 68 insertions(+), 12 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index df726a9..b802ff9 100755 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,6 +5,11 @@ cloud_stage: prod cloud_update: false domain_external: "my-domain.tld" +floating_ips: [] +# - ipv4: 10.11.12.13 +# ipv6: 2001:0db8:85a3:08d3::1/64 +# - ipv4: 192.168.0.2 +# ipv6: 2001:0db8:bca2:98d6::1/64 mailcow_instance: "{{ domain_external.split('.')[:-1] | join('') | regex_replace('[^a-zA-Z0-9]+','') }}" diff --git a/templates/opt/mailcow/mailcow.conf.j2 b/templates/opt/mailcow/mailcow.conf.j2 index a97a96d..db4cbf1 100755 --- a/templates/opt/mailcow/mailcow.conf.j2 +++ b/templates/opt/mailcow/mailcow.conf.j2 @@ -9,7 +9,7 @@ MAILCOW_HOSTNAME=mail.{{ domain_external }} # Password hash algorithm # Only certain password hash algorithm are supported. For a fully list of supported schemes, -# see https://mailcow.github.io/mailcow-dockerized-docs/model-passwd/ +# see https://docs.mailcow.email/models/model-passwd/ MAILCOW_PASS_SCHEME=BLF-CRYPT # ------------------------------ @@ -34,8 +34,8 @@ DBROOT={{ mailcow_db_root_pass }} # Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT # IMPORTANT: Do not use port 8081, 9081 or 65510! # Example: HTTP_BIND=1.2.3.4 -# For IPv4 and IPv6 leave it empty: HTTP_BIND= & HTTPS_PORT= -# For IPv6 see https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ip_bindings/ +# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT= +# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/ HTTP_PORT={{ mailcow_http }} HTTP_BIND= 
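Review bot: The commented example for `floating_ips` gives the IPv6 entries with a prefix length (`2001:0db8:85a3:08d3::1/64`), but the template hunk at @@ -192 passes `floating_ips[0].ipv6` unchanged into `SNAT6_TO_SOURCE`; if mailcow expects a bare address there, the `/64` would be emitted verbatim, so either drop it from the example or say in the comment that a bare address is required. The example also shows two entries while only `floating_ips[0]` is ever read by the template, which the comment should state, e.g. `# only the first entry is used for SNAT_TO_SOURCE / SNAT6_TO_SOURCE`.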
@@ -64,7 +64,7 @@ REDIS_PORT={{ mailcow_redis_target }} # Your timezone # See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones -# Use the row named 'TZ database name' + pay attention for 'Notes' row +# Use the column named 'TZ identifier' + pay attention for the column named 'Notes' TZ={{ mailcow_timezone }} @@ -72,6 +72,13 @@ TZ={{ mailcow_timezone }} # Please use lowercase letters only COMPOSE_PROJECT_NAME={{ mailcow_instance }} +# Used Docker Compose version +# Switch here between native (compose plugin) and standalone +# For more informations take a look at the mailcow docs regarding the configuration options. +# Normally this should be untouched but if you decided to use either of those you can switch it manually here. +# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail. + +DOCKER_COMPOSE_VERSION=native # Set this to "allow" to enable the anyone pseudo user. Disabled by default. # When enabled, ACL can be created, that apply to "All authenticated users" @@ -91,7 +98,7 @@ MAILDIR_GC_TIME={{ mailcow_gc_time }} # You can use wildcard records to create specific names for every domain you add to mailcow. # Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like: #ADDITIONAL_SAN=imap.*,smtp.* -# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "imap.example.net" +# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net" # plus every domain you add in the future. # # You can also just add static names... 
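Review bot: `DOCKER_COMPOSE_VERSION=native` in the hunk at @@ -72 is written as a fixed literal although its own comment says the right value depends on which compose variant is installed on the machine, something the template cannot know; the neighbouring keys are rendered from role variables with a `default()`, and this one should follow that pattern, e.g. `DOCKER_COMPOSE_VERSION={{ mailcow_docker_compose_version | default('native') }}` (variable name constructed). The blank line between the five-line comment block and the key also detaches the explanation from the setting it describes; put the key directly under its comment as the other settings in this file do.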
@@ -102,6 +109,13 @@ MAILDIR_GC_TIME={{ mailcow_gc_time }} ADDITIONAL_SAN= +# Obtain certificates for autodiscover.* and autoconfig.* domains. +# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those. +# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs +# between services. So acme-mailcow obtains for maildomains and all web-things get handled +# in the reverse proxy. +AUTODISCOVER_SAN=y + # Additional server names for mailcow UI # # Specify alternative addresses for the mailcow UI to respond to @@ -114,11 +128,11 @@ ADDITIONAL_SERVER_NAMES= # Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n -SKIP_LETS_ENCRYPT={{ 'n' if (mailcow_use_letsencrypt | default('true') | bool) else 'y' }} +SKIP_LETS_ENCRYPT={{ 'n' if (mailcow_use_letsencrypt | default('false') | bool) else 'y' }} # Create seperate certificates for all domains - y/n # this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames -# see https://wiki.dovecot.org/SSL/SNIClientSupport +# see https://doc.dovecot.org/admin_manual/ssl/sni_support ENABLE_SSL_SNI=n # Skip IPv4 check in ACME container - y/n @@ -129,6 +143,10 @@ SKIP_IP_CHECK={{ 'n' if (mailcow_ip_check | default('true') | bool) else 'y' }} SKIP_HTTP_VERIFICATION={{ 'n' if (mailcow_http_check | default('true') | bool) else 'y' }} +# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n + +SKIP_UNBOUND_HEALTHCHECK={{ 'n' if (mailcow_unbound_check | default('true') | bool) else 'y' }} + # Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n SKIP_CLAMD={{ 'n' if (mailcow_use_clamav | default('true') | bool) else 'y' }} 
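Review bot: Changing `mailcow_use_letsencrypt | default('true')` to `default('false')` in the hunk at @@ -114 flips the rendered default from `SKIP_LETS_ENCRYPT=n` to `SKIP_LETS_ENCRYPT=y`, so every inventory that never set `mailcow_use_letsencrypt` stops requesting ACME certificates after this commit and must supply a certificate by other means; that is a behaviour change unrelated to the subject "Adopt floating" and deserves its own commit, or at least a sentence in the message. The visible part of `defaults/main.yml` does not declare `mailcow_use_letsencrypt`; if it is not declared elsewhere in that file, the effective default lives only inside this template's filter, and declaring it in `defaults/main.yml` next to `floating_ips` would make the change discoverable. The new `SKIP_UNBOUND_HEALTHCHECK` line at @@ -129 follows the existing `default('true')` pattern correctly.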
@@ -164,9 +182,19 @@ USE_WATCHDOG=y #WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com #WATCHDOG_NOTIFY_EMAIL= +# Send notifications to a webhook URL that receives a POST request with the content type "application/json". +# You can use this to send notifications to services like Discord, Slack and others. +#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +# JSON body included in the webhook POST request. Needs to be in single quotes. +# Following variables are available: SUBJECT, BODY +#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "****\n"}' + # Notify about banned IP (includes whois lookup) WATCHDOG_NOTIFY_BAN=n +# Send a notification when the watchdog is started. +WATCHDOG_NOTIFY_START=y + # Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message. #WATCHDOG_SUBJECT= @@ -177,6 +205,9 @@ WATCHDOG_NOTIFY_BAN=n # Will only work with unmodified mailcow setups. WATCHDOG_EXTERNAL_CHECKS=n +# Enable watchdog verbose logging +WATCHDOG_VERBOSE=n + # Max log lines per service to keep in Redis logs LOG_LINES={{ mailcow_redis_log_count }} @@ -192,13 +223,17 @@ IPV4_NETWORK={{ mailcow_docker_ipv4_cidr }} IPV6_NETWORK={{ mailcow_docker_ipv6_cidr }} # Use this IPv4 for outgoing connections (SNAT) - +{% if floating_ips | length > 0 and 'ipv4' in floating_ips[0] %} +SNAT_TO_SOURCE={{ floating_ips[0].ipv4 }} +{% else %} #SNAT_TO_SOURCE= - +{% endif %} # Use this IPv6 for outgoing connections (SNAT) - +{% if floating_ips | length > 0 and 'ipv6' in floating_ips[0] %} +SNAT6_TO_SOURCE={{ floating_ips[0].ipv6 }} +{% else %} #SNAT6_TO_SOURCE= - +{% endif %} # Create or override an API key for the web UI # You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs # An API key defined as API_KEY has read-write access 
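Review bot: The commented example `#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "****\n"}'` references neither `SUBJECT` nor `BODY`, although the line directly above says those variables are available, so as written it documents a payload with an empty content field. Confirm the placeholders were not lost when this block was copied from upstream and restore them in the example, using whatever placeholder syntax mailcow expands here (the patch does not show it).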
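Review bot: The guard `'ipv4' in floating_ips[0]` in the hunk at @@ -192 only checks that the key exists, so an entry written as `- ipv4:` with no value (or `ipv4: null`) renders `SNAT_TO_SOURCE=None`, which mailcow would then try to use as a source address; test the value instead, `{% if floating_ips | length > 0 and floating_ips[0].ipv4 | default('', true) %}`, and the same for the IPv6 branch. Only `floating_ips[0]` is consulted, so further list entries are silently ignored, which is worth a template comment such as `{# only the first floating IP is used for SNAT #}`. The removed lines are the blank separators between the two SNAT comment blocks, and if the rendering task trims block tags the `{% endif %}` lines leave nothing behind, so the generated file presumably loses that spacing; keeping a blank line inside each branch would preserve it.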
@@ -228,9 +263,25 @@ DOVECOT_MASTER_PASS= # Optional: Leave empty for none # This value is only used on first order! # Setting it at a later point will require the following steps: -# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/ +# https://docs.mailcow.email/troubleshooting/debug-reset_tls/ ACME_CONTACT= +# WebAuthn device manufacturer verification +# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed +# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates +WEBAUTHN_ONLY_TRUSTED_VENDORS=n + +# Spamhaus Data Query Service Key +# Optional: Leave empty for none +# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist. +# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS. +# Otherwise it will work normally. +SPAMHAUS_DQS_KEY= + +# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n +# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost +DISABLE_NETFILTER_ISOLATION_RULE=n + {% for config_line in mailcow_other_configs %} {{ config_line }} {% endfor %} \ No newline at end of file
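Review bot: `SPAMHAUS_DQS_KEY=` is emitted as a fixed empty literal even though the comment above says the key is the only way to keep the Spamhaus blocklists active on a blocked ASN; a deployment that needs it can currently only inject it through `mailcow_other_configs`, which appends a second `SPAMHAUS_DQS_KEY=` line at the end of the file rather than replacing this one. Render it from a role variable, `SPAMHAUS_DQS_KEY={{ mailcow_spamhaus_dqs_key | default('') }}` (variable name constructed), and since the value is a credential, make sure the task that renders this template does not print the rendered diff. `DISABLE_NETFILTER_ISOLATION_RULE=n` and `WEBAUTHN_ONLY_TRUSTED_VENDORS=n` keep the safer behaviour described in their comments, so leaving them as literals is fine.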