Modify mail service configuration to allow for retrieval of certificate from proxy server, also move haproxy configuration within the service folder itself

.gitignore

@@ -1,4 +1,10 @@
 **/*.enc
-/hosts
-/prox-server-firewall-setup.yml
-/prox-server-setup.yml
+hosts
+prox-server-firewall-setup.yml
+prox-server-setup.yml
+prox-deploy-service.yml
+
+!**/ansible_resources/*
+
+!.gitkeep
+**/certbot/certs/*

services/service_mail/ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+inventory = hosts
+
+[privilege_escalation]
+become_method=doas
+become_ask_pass=True

services/service_mail/ansible_resources/hosts

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+all:
+  hosts:
+    {{ proxy_server_hostname }}:
+    {{ proxy_server_hostname }}-defaultport:

services/service_mail/ansible_resources/prox-deploy-service.yml

@@ -0,0 +1,41 @@
+# Ansible managed
+
+- hosts: {{ proxy_server_hostname }}
+  become: 'yes'
+  vars:
+    ansible_become_method: doas
+  tasks:
+    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
+      replace:
+        path: /etc/doas.conf
+        regexp: 'persist'
+        replace: 'nopass'
+
+    - name: Copy haproxy reverse proxy configuration to proxy 
+      ansible.builtin.template:
+        src: "proxy_resources/etc/haproxy/haproxy.cfg"
+        dest: "/etc/haproxy/haproxy.cfg"
+        owner: cspark-dev
+        group: cspark-dev
+    - name: Enable HAProxy
+      ansible.builtin.systemd:
+        name: haproxy
+        state: started
+
+    - name: Fetch SSL certificates
+      become: yes
+      synchronize:
+        src: /etc/letsencrypt/
+        dest: "data/certbot/certs"
+        mode: pull
+        rsync_path: doas rsync
+
+    - name: Switch back to doas persist 
+      replace:
+        path: /etc/doas.conf
+        regexp: 'nopass'
+        replace: 'persist'
+
+    - name: Debug Finish message
+      debug:
+        msg: Ansible playbook has finished!

services/service_mail/certbot-docker-compose-initrenew.yml

@@ -4,6 +4,8 @@
 # Do not run this and mailserver at same time (Uses the same VPN config and hostname)
 # TODO: Would be nice at some point to be able to use a different port exposed on mail.{{ domain_name }} for privacy aside from the default port 80. Could not get it working though, certbot has issues even when proxying from one port to port 80. Seems to be an issue with Gluetun and Certbot being only able to bind to ipv6 port 80.
 
+# WE ARE NOW HANDLING SSL CERTIFICATE RENWEAL ON PROXY, USE PROVIDED SCRIPT IN DIR TO COPY CERTS FROM PROXY TO HERE
+
 services:
   # Gluetun is used to connect container to VPN
   certbot-gluetun:

services/service_mail/data/config/user-patches.sh

@@ -20,7 +20,7 @@ echo 'patching /etc/dovecot/conf.d/10-master.conf'
 cp -f /tmp/docker-mailserver/dovecot-masteroverride.conf /etc/dovecot/conf.d/10-master.conf
 
 echo 'patching /etc/dovecot/dovecot.conf'
-echo -e 'haproxy_trusted_networks = {{ vpn_server_ip }}\nhaproxy_timeout = 3s' >> /etc/dovecot/dovecot.conf
+echo -e 'haproxy_trusted_networks = {{ proxy_server_ip }}\nhaproxy_timeout = 3s' >> /etc/dovecot/dovecot.conf
 
 #echo 'patching /etc/postfix/master.cf'
 #cp -f /tmp/docker-mailserver/postfix-masteroverride.cf /etc/postfix/master.cf

services/service_mail/deploy-service.yml

@@ -3,6 +3,12 @@
   vars:
     ansible_become_method: doas
   tasks:
+    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
+      replace:
+        path: /etc/doas.conf
+        regexp: 'persist'
+        replace: 'nopass'
+
     - name: Create necessary directories
       ansible.builtin.file:
         path: "{{ item }}" 
@@ -17,7 +23,6 @@
         - "{{ services_directory }}/service_mail/data/config"
         - "{{ services_directory }}/service_mail/data/config/rspamd/"
         - "{{ services_directory }}/service_mail/data/config/rspamd/override.d/"
-        - "{{ services_directory }}/service_mail/data/certbot/certs"
         - "{{ services_directory }}/service_mail/data/certbot/logs"
     - name: Copy configuration files
       ansible.builtin.template:
@@ -42,6 +47,19 @@
         - certbot-docker-compose-initrenew.yml 
         - myconfig.org
 
+    - name: Copy SSL certificates
+      ansible.builtin.copy:
+        src: data/certbot/certs
+        dest: "{{ services_directory }}/service_mail/data/certbot"
+        owner: service_mail
+        group: service_mail
+
+    - name: Switch back to doas persist 
+      replace:
+        path: /etc/doas.conf
+        regexp: 'nopass'
+        replace: 'persist'
+
     - name: Debug Finish message
       debug:
         msg: Ansible playbook has finished!

services/service_mail/docker-compose.yml

@@ -32,7 +32,7 @@ services:
       - ./data/mail-state/:/var/mail-state/
       - ./data/mail-logs/:/var/log/mail/
       - ./data/config/:/tmp/docker-mailserver/
-      - ./data/certbot/certs/:/etc/letsencrypt
+      - ./data/certbot/certs:/etc/letsencrypt
       - /etc/localtime:/etc/localtime:ro
     environment:
       - OVERRIDE_HOSTNAME=mail.{{ domain_name }}
@@ -42,8 +42,8 @@ services:
         #      - SSL_TYPE=letsencrypt
       - SSL_TYPE=manual
       # Values should match the file paths inside the container:
-      - SSL_CERT_PATH=/etc/letsencrypt/live/mail.{{ domain_name }}/fullchain.pem
-      - SSL_KEY_PATH=/etc/letsencrypt/live/mail.{{ domain_name }}/privkey.pem
+      - SSL_CERT_PATH=/etc/letsencrypt/live/{{ domain_name }}/fullchain.pem
+      - SSL_KEY_PATH=/etc/letsencrypt/live/{{ domain_name }}/privkey.pem
 
       - ENABLE_SASLAUTHD=1
       - ENABLE_FAIL2BAN=1

services/service_mail/prox-server-ansible-playbooks-generate.yml

@@ -0,0 +1,13 @@
+- hosts: localhost
+  tasks:
+    - name: Generate proxy server playbooks
+      template:
+        src: "ansible_resources/{{ item }}"
+        dest: "{{ item }}"
+        mode: '0777'
+      loop:
+        - hosts
+        - prox-deploy-service.yml
+    - name: Debug Finish message
+      debug:
+        msg: Ansible playbook has finished!