--- /dev/null
+scripts/build_dkim_text.py
\ No newline at end of file
--- /dev/null
+# DNS Configuration for SPF, DKIM, DMARC
+
+## SPF:
+
+| Domain | DNS Type | Contents | Comment |
+| ------ | -------- | -------- | ------- |
+| example.com | TXT | v=spf1 mx -all | deny other server
+| relayhost.example.com | TXT | v=spf1 a -all | |
+| example.com | TXT | v=spf1 ip4:2.234.54.2 mx ~all | allow other server |
+
+### Test
+```
+host -t txt example.com
+host -t txt relayhost.example.com
+
+## DKIM
+```
\ No newline at end of file
-../../ansknife/playbooks/i_10_basic.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/i_10_basic.yaml
\ No newline at end of file
-../../ansknife/playbooks/i_15_server_packages.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/i_15_server_packages.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/i_17_configuration.yaml
\ No newline at end of file
-../../ansknife/playbooks/i_20_nginx.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/i_20_nginx.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/i_21_nginx_sites.yaml
\ No newline at end of file
-../../ansknife/playbooks/i_30_mariadb.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/i_30_mariadb.yaml
\ No newline at end of file
-../../ansknife/playbooks/i_40_php8.2.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/i_40_php8.2.yaml
\ No newline at end of file
-../../ansknife/playbooks/i_50_git_server.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/i_50_git_server.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/i_60_postfix.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/i_62_postfix_dkim.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/i_70_webapps.yaml
\ No newline at end of file
-../../ansknife/playbooks/i_99_test.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/i_99_test.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/lets_create.yaml
\ No newline at end of file
-../../ansknife/playbooks/mysql_create_admin.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/mysql_create_admin.yaml
\ No newline at end of file
+++ /dev/null
-../../ansknife/playbooks/mysql_create_db_and_user.yaml
\ No newline at end of file
-../../ansknife/playbooks/mysql_create_db_and_user.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/mysql_create_db_and_user.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/nginx_create_site.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/ssl_create_certificate.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/webapp_backup.yaml
\ No newline at end of file
-../../ansknife/playbooks/webapp_create.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/webapp_create.yaml
\ No newline at end of file
-../../ansknife/playbooks/webapp_export.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/webapp_export.yaml
\ No newline at end of file
-../../ansknife/playbooks/webapp_import.yaml
\ No newline at end of file
+../../ansknife/playbooks.templates/webapp_import.yaml
\ No newline at end of file
-../../ansknife/scripts/CreatePlaybook
\ No newline at end of file
+../../ansknife/scripts.templates/CreatePlaybook
\ No newline at end of file
-../../ansknife/scripts/CreateTask
\ No newline at end of file
+../../ansknife/scripts.templates/CreateTask
\ No newline at end of file
--- /dev/null
+../../ansknife/scripts/build_dkim_text.py
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_copy_wildcard.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_dkim.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_dkim_dns.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_dkim_keys.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_dmarc.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_dmarc_dns.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_lets_create.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_link_wildcard.yaml
\ No newline at end of file
-../../ansknife/tasks/t_mysql_create_admin.yaml
\ No newline at end of file
+../../ansknife/tasks.templates/t_mysql_create_admin.yaml
\ No newline at end of file
-../../ansknife/tasks/t_mysql_create_db_and_user.yaml
\ No newline at end of file
+../../ansknife/tasks.templates/t_mysql_create_db_and_user.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_nginx_create_site.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_spf.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_ssl_create_certificate.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_webapp_backup.yaml
\ No newline at end of file
-../../ansknife/tasks/t_webapp_create.yaml
\ No newline at end of file
+../../ansknife/tasks.templates/t_webapp_create.yaml
\ No newline at end of file
-../../ansknife/tasks/t_webapp_export.yaml
\ No newline at end of file
+../../ansknife/tasks.templates/t_webapp_export.yaml
\ No newline at end of file
-../../ansknife/tasks/t_webapp_import.yaml
\ No newline at end of file
+../../ansknife/tasks.templates/t_webapp_import.yaml
\ No newline at end of file
--- /dev/null
+../ansknife/templates.fix/
\ No newline at end of file
--- /dev/null
+# Ansible controlled: do not change on server manually
+127.0.0.1
+::1
+localhost
\ No newline at end of file
--- /dev/null
+# Ansible controlled: do not change on server manually
+UserID opendkim:opendkim
+UMask 002
+PidFile /var/run/opendkim/opendkim.pid
+SOCKET local:/var/spool/postfix/opendkim/opendkim.sock
+Mode sv
+Domain *
+#Selector mail
+Canonicalization relaxed/relaxed
+SignatureAlgorithm rsa-sha256
+OversignHeaders From
+AutoRestart yes
+AutoRestartRate 10/1h
+SigningTable refile:/etc/opendkim/signing.table
+KeyTable /etc/opendkim/key.table
+ExternalIgnoreList refile:/etc/opendkim/trusted.hosts
+InternalHosts refile:/etc/opendkim/trusted.hosts
+Syslog yes
+SyslogSuccess yes
+LogWhy yes
--- /dev/null
+# Ansible controlled: do not change on server manually
+AuthservID nest1.gemeinwohl-gesellschaft.de
+TrustedAuthservIDs nest1.gemeinwohl-gesellschaft.de
+UMask 0002
+UserID opendmarc
+AutoRestart true
+Socket local:/var/spool/postfix/opendmarc/opendmarc.sock
+RejectFailures true
+IgnoreMailFrom f-r-e-i.de
+IgnoreHosts /etc/opendmarc/ignore.hosts
+PublicSuffixList /etc/opendmarc/public_suffix_list.dat
+SoftwareHeader false
+FailureReports true
+FailureReportsSentBy no-reply.dmarc.reports@f-r-e-i.de
+#FailureReportsBcc
+BaseDirectory /var/run/opendmarc
+PidFile /var/run/opendmarc/opendmarc.pid
+HistoryFile /var/run/opendmarc/opendmarc.dat
+Syslog true
+SyslogFacility mail
\ No newline at end of file
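Review bot: `IgnoreMailFrom f-r-e-i.de` exempts every message whose From: header carries the server's own domain from DMARC evaluation, so with `RejectFailures true` the one sender domain this filter most needs to protect is the one it never checks — a message that spoofs `From: …@f-r-e-i.de` from outside is waved through. Locally generated mail is already exempt through `IgnoreHosts` (the ignore list holds only loopback), so the line looks unnecessary; if it was added to stop forwarded or own mail from being rejected, the narrower fix is to drop it and rely on `IgnoreHosts`. `PublicSuffixList /etc/opendmarc/public_suffix_list.dat` is referenced but nothing in this diff shows the file being deployed; worth confirming the task copies it, otherwise organisational-domain lookups are wrong.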
--- /dev/null
+# Ansible controlled: do not change on server manually
+127.0.0.1
+::1
+localhost
\ No newline at end of file
--- /dev/null
+client_max_body_size 512M;
+## Detect when HTTPS is used
+map $scheme $fastcgi_https {
+ default off;
+ https on;
+}
+fastcgi_read_timeout 3600s;
+fastcgi_request_buffering off;
+error_log /var/log/nginx/error.log;
--- /dev/null
+# Ansible controlled. Do not change this file on the remote server manually.
+server {
+ listen 80;
+ listen [::]:80;
+ server_name nest1.gemeinwohl-gesellschaft.de hamatoma.de;
+ include snippets/letsencrypt.conf;
+ server_name nest1.gemeinwohl-gesellschaft.de;
+ root /srv/www/nest1.gemeinwohl-gesellschaft.de;
+ location / {
+ return 301 https://nest1.gemeinwohl-gesellschaft.de$request_uri;
+ }
+ }
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name nest1.gemeinwohl-gesellschaft.de;
+ access_log /var/log/nginx/a_nest1.log;
+ error_log /var/log/nginx/e_nest1.log;
+
+ ssl_certificate /etc/letsencrypt/live/nest1.gemeinwohl-gesellschaft.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/nest1.gemeinwohl-gesellschaft.de/privkey.pem;
+ #ssl_certificate /etc/ssl/certs/nest1.gemeinwohl-gesellschaft.de.pem;
+ #ssl_certificate_key /etc/ssl/private/nest1.gemeinwohl-gesellschaft.de.key;
+
+ # Path to the root of your installation
+ root /srv/www/nest1.gemeinwohl-gesellschaft.de;
+ autoindex off;
+ client_max_body_size 1m; # set max upload size
+ fastcgi_buffers 64 4K;
+
+ index index.html index.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+ location / {
+ allow all;
+ }
+ # Optional: set long EXPIRES header on static assets
+ location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
+ expires 30d;
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+ location ~ ^(.+?\.php)(/.*)?$ {
+ try_files $1 = 404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+ fastcgi_param PATH_INFO $2;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:/run/php/php8.3-fpm.sock;
+ }
+}
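Review bot: Nothing in the HTTPS server block denies dotfiles, so `location / { allow all; }` serves anything such as `/.git/` or `/.htaccess` that ends up under `/srv/www/nest1.gemeinwohl-gesellschaft.de`; the zentrum vhost later in the same commit has the guard, `location ~ /\.(?!well-known).* { deny all; }`, and this block should get the same line. The port-80 block lists `server_name nest1.gemeinwohl-gesellschaft.de hamatoma.de;` and then `server_name nest1.gemeinwohl-gesellschaft.de;` again — the directive is cumulative so this is not an error, but the second line is redundant and `hamatoma.de` looks like a leftover from the deleted generic template (`server_name {{hostname}} hamatoma.de;`), worth confirming it is intended since the redirect target is hard-coded to nest1.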
--- /dev/null
+server {
+ listen 80;
+ server_name wissen.gemeinwohl-gesellschaft.org;
+ include snippets/letsencrypt.conf;
+ root /srv/www/wissen.gemeinwohl-gesellschaft.org;
+ location / {
+ return 301 https://$server_name$request_uri; # enforce https
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ server_name wissen.gemeinwohl-gesellschaft.org;
+ access_log /var/log/nginx/a_gwg.log;
+ error_log /var/log/nginx/e_gwg.log;
+
+ ssl_certificate /etc/letsencrypt/live/wissen.gemeinwohl-gesellschaft.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/wissen.gemeinwohl-gesellschaft.org/privkey.pem;
+ #ssl_certificate /etc/ssl/certs/wissen.gemeinwohl-gesellschaft.org.pem;
+ #ssl_certificate_key /etc/ssl/private/wissen.gemeinwohl-gesellschaft.org.key;
+
+
+ # Path to the root of your installation
+ root /srv/www/wissen.gemeinwohl-gesellschaft.org;
+ autoindex on;
+ client_max_body_size 1G; # set max upload size
+ fastcgi_buffers 64 4K;
+
+ rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
+ rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
+ rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+
+ index index.php;
+ error_page 403 /core/templates/403.php;
+ error_page 404 /core/templates/404.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
+ deny all;
+ }
+
+ location / {
+ # The following 2 rules are only needed with webfinger
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+ rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
+ rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
+
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+
+ try_files $uri $uri/ index.php;
+ }
+
+ location ~ ^(.+?\.php)(/.*)?$ {
+ try_files $1 = 404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+ fastcgi_param PATH_INFO $2;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:/run/php/php8.3-fpm.sock;
+ }
+
+ # Optional: set long EXPIRES header on static assets
+ location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
+ expires 30d;
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+ location ~ /.well-known {
+ allow all;
+ }
+}
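Review bot: `autoindex on;` in the HTTPS block of wissen.gemeinwohl-gesellschaft.org enables directory listings for the whole web root of a PHP application; the `deny all` for `/data`, `/config` and `.ht*` covers only those paths, and every other directory without an index file becomes browsable, exposing the application layout. It should be `autoindex off;` as in the nest1 vhost of this commit. In `location /`, `try_files $uri $uri/ index.php;` gives a fallback without a leading slash — nginx treats the last argument as a URI for an internal redirect, so this is probably meant to be `try_files $uri $uri/ /index.php;`; check against the intended behaviour.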
--- /dev/null
+server{
+ listen 80;
+ #listen [::]:80;
+ server_name zentrum.gemeinwohl-gesellschaft.org;
+ include snippets/letsencrypt.conf;
+ root /srv/www/zentrum.gemeinwohl-gesellschaft.org;
+ location / {
+ return 301 https://$server_name$request_uri; # enforce https
+ }
+}
+server {
+ listen 443 ssl http2;
+ #listen [::]:443 ssl http2;
+ server_name zentrum.gemeinwohl-gesellschaft.org;
+ root /srv/www/zentrum.gemeinwohl-gesellschaft.org/public;
+
+ ssl_certificate /etc/letsencrypt/live/zentrum.gemeinwohl-gesellschaft.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/zentrum.gemeinwohl-gesellschaft.org/privkey.pem;
+ #ssl_certificate /etc/ssl/certs/zentrum.gemeinwohl-gesellschaft.org.pem;
+ #ssl_certificate_key /etc/ssl/private/zentrum.gemeinwohl-gesellschaft.org.key;
+ client_max_body_size 1G;
+ access_log /var/log/nginx/a_zentrum.log;
+ error_log /var/log/nginx/e_zentrum.log;
+
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options "nosniff";
+
+ index index.php;
+
+ charset utf-8;
+
+ location / {
+ try_files $uri $uri/ /index.php?$query_string;
+ }
+
+ location = /favicon.ico { access_log off; log_not_found off; }
+ location = /robots.txt { access_log off; log_not_found off; }
+
+ error_page 404 /index.php;
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ client_max_body_size 512M;
+ include fastcgi_params;
+ }
+
+ location ~ /\.(?!well-known).* {
+ deny all;
+ }
+}
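Review bot: `client_max_body_size` is set to `1G` at server level and then to `512M` inside `location ~ \.php$`, which is where uploads actually arrive, so the effective limit for PHP requests is 512M while the server-level value suggests 1G; one of the two should go, presumably the server-level line. The block opens with `server{` while every other vhost in the commit uses `server {`; consistent spacing keeps a grep for server blocks reliable. The IPv6 listeners are commented out here but active in the nest1 vhost — if that is deliberate, a one-line comment saying why would save the next reader from "fixing" it.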
--- /dev/null
+# Ansible controlled: do not change on remote server manually
+#
+postmaster: root
+devnull: /dev/null
+mailer-daemon: root
+webmaster: root
+www: root
+security: root
+root: root.nest1@hamatoma.de
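Review bot: `root: root.nest1@hamatoma.de` sends root mail to a different mailbox than the `root mail.nest1@hamatoma.de` entry in the `/etc/postfix/virtual` file added in this commit, and the inventory adds a third spelling, `nest1.mail@hamatoma.de`. Postfix applies `virtual_alias_maps` in cleanup(8) before local(8) consults `/etc/aliases`, so the virtual entry is the one that takes effect for the local domains and this alias line is most likely shadowed — pick one address and derive the others from the inventory variable. The file also needs `newaliases` (or `postalias`) after deployment; the diff does not show whether the task triggers that.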
--- /dev/null
+myorigin = /etc/mailname
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+#delay_warning_time = 4h
+readme_directory = no
+compatibility_level = 3.6
+
+
+#smtpd_tls_cert_file=/etc/letsencrypt/live/{{ postfix_host }}/fullchain.pem
+#smtpd_tls_key_file=/etc/letsencrypt/live/{{ postfix_host }}/privkey.pem
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+smtpd_use_tls=yes
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+myhostname = nest1.gemeinwohl-gesellschaft.de
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+
+virtual_alias_maps = hash:/etc/postfix/virtual
+virtual_alias_domains = f-r-e-i.de
+
+myorigin = /etc/mailname
+mydestination = $myhostname, localhost.{{ postfix_domain }}, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
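Review bot: This main.cf sets neither `smtpd_milters` nor `non_smtpd_milters`, and neither does the templated variant in the hunk at lines 614-645, so the OpenDKIM and OpenDMARC sockets configured in this commit (`local:/var/spool/postfix/opendkim/opendkim.sock`, `local:/var/spool/postfix/opendmarc/opendmarc.sock`) are never attached to Postfix — outbound mail leaves unsigned and inbound mail is not DMARC-checked, unless a task not shown here sets them via postconf. Since `smtpd` and `cleanup` run chrooted (`y` in master.cf) the socket paths are relative to the spool directory: `smtpd_milters = unix:/opendkim/opendkim.sock unix:/opendmarc/opendmarc.sock` and `non_smtpd_milters = $smtpd_milters`, plus a deliberate choice of `milter_default_action`, which decides what happens when a filter is down. The file also sets `myorigin = /etc/mailname` twice and keeps the legacy `smtpd_use_tls=yes` next to `smtpd_tls_security_level=may`, which supersedes it; dropping the duplicates avoids "which one wins" questions.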
--- /dev/null
+# Ansible controlled: do not change on remote server manually
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+# Choose one: enable submission for loopback clients only, or for any client.
+#127.0.0.1:submission inet n - y - - smtpd
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# Instead of specifying complex smtpd_<xxx>_restrictions here,
+# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
+# here, and specify mua_<xxx>_restrictions in main.cf (where
+# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
+# -o smtpd_client_restrictions=
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+# -o smtpd_relay_restrictions=
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+# Choose one: enable submissions for loopback clients only, or for any client.
+#127.0.0.1:submissions inet n - y - - smtpd
+#submissions inet n - y - - smtpd
+# -o syslog_name=postfix/submissions
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# Instead of specifying complex smtpd_<xxx>_restrictions here,
+# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
+# here, and specify mua_<xxx>_restrictions in main.cf (where
+# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
+# -o smtpd_client_restrictions=
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+# -o smtpd_relay_restrictions=
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
--- /dev/null
+myorigin = /etc/mailname
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+#delay_warning_time = 4h
+readme_directory = no
+compatibility_level = 3.6
+
+
+smtpd_tls_cert_file=/etc/letsencrypt/live/{{ postfix_host }}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/{{ postfix_host }}/privkey.pem
+#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = nest1.gemeinwohl-gesellschaft.de
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = $myhostname, localhost.{{ postfix_domain }}, , localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
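Review bot: `mydestination = $myhostname, localhost.{{ postfix_domain }}, , localhost` has an empty element between the two commas; Postfix tolerates it, but it reads like an entry that was dropped during editing, and the other main.cf in this commit has just `localhost.{{ postfix_domain }}, localhost`. Suggest `mydestination = $myhostname, localhost.{{ postfix_domain }}, localhost`. `myorigin = /etc/mailname` appears twice in this file (first and near the end); the last occurrence wins, so one should be removed to keep the template unambiguous.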
--- /dev/null
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+# Choose one: enable submission for loopback clients only, or for any client.
+#127.0.0.1:submission inet n - y - - smtpd
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# Instead of specifying complex smtpd_<xxx>_restrictions here,
+# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
+# here, and specify mua_<xxx>_restrictions in main.cf (where
+# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
+# -o smtpd_client_restrictions=
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+# -o smtpd_relay_restrictions=
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+# Choose one: enable submissions for loopback clients only, or for any client.
+#127.0.0.1:submissions inet n - y - - smtpd
+#submissions inet n - y - - smtpd
+# -o syslog_name=postfix/submissions
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# Instead of specifying complex smtpd_<xxx>_restrictions here,
+# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
+# here, and specify mua_<xxx>_restrictions in main.cf (where
+# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
+# -o smtpd_client_restrictions=
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+# -o smtpd_relay_restrictions=
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
--- /dev/null
+# Ansible controlled: do not change on remote server manually
+root mail.nest1@hamatoma.de
+webmaster mail.nest1@hamatoma.de
+postmaster mail.nest1@hamatoma.de
+
+t-online@f-r-e-i.de dragon.lx@t-online.de
+gmx@f-r-e-i.de hamatoma@gmx.de
+mail@f-r-e-i.de hamatoma@mail.de
+@f-r-e-i.de hamatoma@mail.de
+
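Review bot: The catch-all `@f-r-e-i.de hamatoma@mail.de` together with the per-address lines forwards mail for the entire domain to mailboxes at third-party providers, and nothing on the forwarding path keeps those forwards deliverable: the original sender's SPF is evaluated against this server's address at mail.de/gmx/t-online and fails unless the sender domain authorises this host, and messages from domains with a DMARC `p=reject` policy whose DKIM signature does not survive the forward will be rejected there. The OpenDKIM filter in this commit runs in `Mode sv` with `InternalHosts` limited to loopback, so forwarded traffic is verified but not re-signed. Consider sender rewriting (e.g. postsrsd) or ARC sealing on the forwarding path, and decide whether a catch-all is wanted at all, since it accepts every local part and turns spam to random addresses into forwarded mail; restricting it to the named addresses is the safer default.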
--- /dev/null
+Objective: This directory contains templates that are specific to the project and must be adapted for each project.
+Therefore, the files may only be copied into the project, not linked.
+++ /dev/null
-client_max_body_size 512M;
-## Detect when HTTPS is used
-map $scheme $fastcgi_https {
- default off;
- https on;
-}
-fastcgi_read_timeout 3600s;
-fastcgi_request_buffering off;
-error_log /var/log/nginx/error.log;
+++ /dev/null
-<html>
-<body>
-<h1>Welcome to {{hostname}}!</h1>
-</body
-</html>
\ No newline at end of file
+++ /dev/null
-<?php
-phpinfo();
\ No newline at end of file
+++ /dev/null
-location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /home/www/letsencrypt;
-}
-# Hide /acme-challenge subdirectory and return 404 on all requests.
-# It is somewhat more secure than letting Nginx return 403.
-# Ending slash is important!
-location = /.well-known/acme-challenge/ {
- return 404;
-}
-
+++ /dev/null
-server {
- listen 80;
- listen [::]:80;
- server_name {{hostname}} hamatoma.de;
- include snippets/letsencrypt.conf;
- server_name {{hostname}};
- root /srv/www/{{hostname}};
- location / {
- return 301 https://{{hostname}}$request_uri; # enforce https
- }
- }
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name {{hostname}};
- access_log /var/log/nginx/a_{{log_name}}.log;
- error_log /var/log/nginx/e_{{log_name}}.log;
-
- #ssl_certificate /etc/letsencrypt/live/latest/fullchain.pem;
- #ssl_certificate_key /etc/letsencrypt/live/latest/privkey.pem;
- ssl_certificate /etc/ssl/certs/{{hostname}}.pem;
- ssl_certificate_key /etc/ssl/private/{{hostname}}.key;
-
- # Path to the root of your installation
- root /home/www/{{hostname}};
- autoindex off;
- client_max_body_size 1m; # set max upload size
- fastcgi_buffers 64 4K;
-
- index index.html;
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
- location / {
- allow all;
- }
- # Optional: set long EXPIRES header on static assets
- location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
- expires 30d;
- # Optional: Don't log access to assets
- access_log off;
- }
- location ~ ^(.+?\.php)(/.*)?$ {
- try_files $1 = 404;
-
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$1;
- fastcgi_param PATH_INFO $2;
- fastcgi_param HTTPS on;
- fastcgi_pass unix:/run/php/php8.3-fpm.sock;
- }
-}
-
\ No newline at end of file
--- /dev/null
+# Ansible controlled: do not change on server
+dkim_domains: ["f-r-e-i.de"]
+dkim_opendkim_config_dir: /etc/opendkim
+dkim_config_file: /etc/opendkim.conf
+dkim_selector: "20250419"
+dkim_user: opendkim
+dkim_group: opendkim
+dkim_rsa_keylen: 2048
+dkim_socket_port: 12301
+
+dmarc_config_file: /etc/opendmarc.conf
+dmarc_config_dir: /etc/opendmarc
+dmarc_email_report: report.dmarc@hamatoma.de
+dmarc_user: opendmarc
+dmarc_group: opendmarc
configuration_directory: /etc/ansknife
remote_webapps_directory: "{{ configuration_directory }}/webapps.d"
-local_webapps_directory: "../webapps"
\ No newline at end of file
+local_webapps_directory: "../webapps"
+remote_www_directory: "/home/www"
+systemd_journal_system_max_use: 200M
+systemd_journal_system_max_file_size: 50M
+postfix_host: "nest1.gemeinwohl-gesellschaft.de"
+postfix_domain: "gemeinwohl-gesellschaft.de"
+postfix_receipient_email: "nest1.mail@hamatoma.de"
+postfix_mode: email_forwarding
+webmaster_email: "nest1@hamatoma.de"
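Review bot: `postfix_receipient_email` is misspelled (`recipient`), and its value `nest1.mail@hamatoma.de` is a third variant of the forwarding address used in this commit (`mail.nest1@hamatoma.de` in `/etc/postfix/virtual`, `root.nest1@hamatoma.de` in `/etc/aliases`); if no template references the variable yet, renaming it now is cheap — `postfix_recipient_email: "nest1.mail@hamatoma.de"` — and the templates should read it instead of hard-coding addresses. `remote_www_directory: "/home/www"` also disagrees with the `/srv/www/...` roots used in every vhost and in `webapps_list`, and `dkim_socket_port: 12301` is not used by the opendkim.conf in this commit, which listens on a Unix socket; confirm which value is authoritative so the tasks outside this diff do not act on a stale one.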
---
# "/C=DE/ST=NRW/L=Bochum/O=IT/CN={{hostname}}"
-SSL_COUNTRY: DE
-SSL_STATE: Bavaria
-SSL_LOCALITY: Kempten
-SSL_ORGANIZATION: IT
-
+ssl_country: DE
+ssl_state: Bavaria
+ssl_locality: Kempten
+ssl_organization: 'Gemeinwohl-Gesellschaft e.V.'
+ssl_lifetime: 365
+ssl_rsa_key_size: 2048
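Review bot: The comment `# "/C=DE/ST=NRW/L=Bochum/O=IT/CN={{hostname}}"` describes a subject that no longer matches the values below (Bavaria, Kempten, Gemeinwohl-Gesellschaft e.V.), so it misleads the reader about what the certificate request will contain; rewrite it in terms of the variables, e.g. `# subject: "/C={{ ssl_country }}/ST={{ ssl_state }}/L={{ ssl_locality }}/O={{ ssl_organization }}/CN={{ hostname }}"`. Renaming `SSL_COUNTRY`… to `ssl_country`… breaks any template that still uses the uppercase names; those templates are outside this diff, worth confirming they were updated in the same commit. A short comment on `ssl_lifetime: 365` stating the unit (days, presumably) would also help.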
-vault_dba_password: Sekret.Top
\ No newline at end of file
+vault_dba_password: {{ vault_state_infeos_net_db_password }}
\ No newline at end of file
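Review bot: `vault_dba_password: {{ vault_state_infeos_net_db_password }}` is not valid YAML — an unquoted `{{` starts a flow mapping and Ansible refuses to load the file; it must be `vault_dba_password: "{{ vault_state_infeos_net_db_password }}"`. Removing the literal `Sekret.Top` here only helps if the referenced variable lives in an encrypted vault file; the new file in the following hunk stores the same literal in clear text, so the secret is still in the repository.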
--- /dev/null
+- vault_state_infeos_net_db_password: Sekret.Top
\ No newline at end of file
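Review bot: The leading `- ` makes this file a YAML list rather than a mapping, so `vault_state_infeos_net_db_password` will not be defined when the file is loaded as group_vars/host_vars or via `vars_files`, which expect a dictionary; the line should be `vault_state_infeos_net_db_password: Sekret.Top`. The file is named as vault content but is committed in plain text — it should go through `ansible-vault encrypt` before it enters the repository, and if `Sekret.Top` is a placeholder a comment should say so; a real value that has been pushed should be treated as exposed and rotated.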
webapps_list:
- - webapp_name: myapp5.example.com
- db_name: dbdummy5
- db_user: dummy5
- db_password: NeverKnown5
- directory: /srv/www/myapp5.example.com
- - webapp_name: 'app7.example.com'
- db_name: 'dbapp7'
- db_user: 'appusr7'
- db_password: 'Unknown7'
- directory: '/srv/www/app7.example.com'
+ - webapp_name: 'nest1.gemeinwohl-gesellschaft.de'
+ db_name: ''
+ db_user: ''
+ db_password: ''
+ directory: '/srv/www/nest1.gemeinwohl-gesellschaft.de'
+ - webapp_name: 'wissen.gemeinwohl-gesellschaft.org'
+ db_name: 'mwwissen'
+ db_user: 'wissen'
+ db_password: 'NobodyKennts'
+ directory: '/srv/www/wissen.gemeinwohl-gesellschaft.org'
+ - webapp_name: 'zentrum.gemeinwohl-gesellschaft.org'
+ db_name: 'lrvzentrum'
+ db_user: 'lrvzentrum'
+ db_password: 'TopSecret'
+ directory: '/srv/www/zentrum.gemeinwohl-gesellschaft.org'
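Review bot: `db_password: 'NobodyKennts'` and `db_password: 'TopSecret'` put database credentials in clear text into the inventory, right after the same commit moved `vault_dba_password` behind a vault variable; apply the same pattern here, e.g. `db_password: "{{ vault_wissen_db_password }}"` (example variable name) with the value in the encrypted vault file, and rotate any value that has already been pushed. The first entry has `db_name: ''`, `db_user: ''`, `db_password: ''` — the task that consumes `webapps_list` (not in this diff) should skip database creation for empty names rather than create a user with an empty password; a short comment on the entry stating that this site has no database would make the intent clear.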