add initial mail config files

jobs/services/mail/autodiscover.hcl

@@ -0,0 +1,86 @@
+job "autodiscover" {
+  datacenters = ["aperture"]
+
+  type = "service"
+
+  meta {
+    tld  = "rb.dcu.ie"
+    mail = "mail.rb.dcu.ie"
+  }
+
+  group "autodiscover" {
+    count = 1
+
+    network {
+      port "http" {
+        to = 8000
+      }
+    }
+
+    service {
+      name = "autodiscover"
+      port = "http"
+
+      check {
+        type     = "http"
+        path     = "/"
+        interval = "10s"
+        timeout  = "2s"
+      }
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.autodiscover.rule=Host(`autoconfig.${NOMAD_META_tld}`) || Host(`autodiscover.${NOMAD_META_tld}`)",
+        "traefik.http.routers.autodiscover.entrypoints=web,websecure",
+        "traefik.http.routers.autodiscover.tls.certresolver=lets-encrypt",
+      ]
+    }
+
+    task "autodiscover" {
+      driver = "docker"
+
+      config {
+        image = "monogramm/autodiscover-email-settings:latest"
+        ports = ["http"]
+      }
+
+      template {
+        data        = <<EOF
+COMPANY_NAME=Redbrick
+SUPPORT_URL=https://autodiscover.{{ env "NOMAD_META_tld" }}
+DOMAIN={{ env "NOMAD_META_tld" }}
+# IMAP configuration (host mandatory to enable)
+IMAP_HOST={{ env "NOMAD_META_mail" }}
+IMAP_PORT=993
+IMAP_SOCKET=SSL
+# POP configuration (host mandatory to enable)
+POP_HOST={{ env "NOMAD_META_mail" }}
+POP_PORT=995
+POP_SOCKET=SSL
+# SMTP configuration (host mandatory to enable)
+SMTP_HOST={{ env "NOMAD_META_mail" }}
+SMTP_PORT=587
+SMTP_SOCKET=STARTTLS
+# MobileSync/ActiveSync configuration (url mandatory to enable)
+# MOBILESYNC_URL=https://sync.example.com
+# MOBILESYNC_NAME=sync.example.com
+# LDAP configuration (host mandatory to enable)
+# LDAP_HOST=ldap.example.com
+# LDAP_PORT=636
+# LDAP_SOCKET=SSL
+# LDAP_BASE=dc=ldap,dc=example,dc=com
+# LDAP_USER_FIELD=uid
+# LDAP_USER_BASE=ou=People,dc=ldap,dc=example,dc=com
+# LDAP_SEARCH=(|(objectClass=PostfixBookMailAccount))
+# Apple mobile config identifiers (identifier mandatory to enable)
+# PROFILE_IDENTIFIER=com.example.autodiscover
+# PROFILE_UUID=92943D26-CAB3-4086-897D-DC6C0D8B1E86
+# MAIL_UUID=7A981A9E-D5D0-4EF8-87FE-39FD6A506FAC
+# LDAP_UUID=6ECB6BA9-2208-4ABF-9E60-4E9F4CD7309E
+EOF
+        destination = "local/autodiscover.env"
+        env         = true
+      }
+    }
+  }
+}

jobs/services/mail/mailserver.hcl

@@ -0,0 +1,236 @@
+job "mailserver" {
+  datacenters = ["aperture"]
+
+  type = "service"
+
+  meta {
+    tld    = "rb.dcu.ie"
+    domain = "mail.rb.dcu.ie"
+  }
+
+  group "mail" {
+    network {
+      # mode = "bridge"
+      port "http" {
+        to = 80
+      }
+
+      port "smtp" {
+        to = 25
+      }
+
+      port "submissions" {
+        to = 465
+      }
+
+      port "submission" {
+        to = 587
+      }
+
+      port "imap" {
+        to = 143
+      }
+
+      port "imaps" {
+        to = 993
+      }
+
+      port "pop3" {
+        to = 110
+      }
+
+      port "pop3s" {
+        to = 995
+      }
+
+      port "managesieve" {
+        to = 4190
+      }
+    }
+
+    task "whoami" {
+      driver = "docker"
+
+      config {
+        image = "traefik/whoami"
+        ports = ["http"]
+      }
+
+      service {
+        name = "whoami"
+        port = "http"
+
+        check {
+          type     = "http"
+          path     = "/"
+          interval = "10s"
+          timeout  = "2s"
+        }
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.port=${NOMAD_PORT_http}",
+          "traefik.http.routers.mail-http.rule=Host(`${NOMAD_META_domain}`)",
+          "traefik.http.routers.mail-http.entrypoints=web,websecure",
+          "traefik.http.routers.mail-http.tls.certresolver=lets-encrypt",
+        ]
+      }
+    }
+
+    service {
+      name = "mail"
+      # port = "http"
+
+      tags = [
+        "traefik.enable=true",
+        # Explicit TLS (STARTTLS):
+        # SMTP
+        "traefik.tcp.routers.mail-smtp.rule=HostSNI(`*`)",
+        "traefik.tcp.routers.mail-smtp.entrypoints=smtp",
+        "traefik.tcp.routers.mail-smtp.service=mail-smtp",
+        "traefik.tcp.services.mail-smtp.loadbalancer.server.port=${NOMAD_HOST_PORT_smtp}",
+        "traefik.tcp.services.mail-smtp.loadbalancer.proxyProtocol.version=2",
+
+        # SMTP Submission
+        "traefik.tcp.routers.mail-submission.rule=HostSNI(`*`)",
+        "traefik.tcp.routers.mail-submission.entrypoints=submission",
+        "traefik.tcp.routers.mail-submission.service=mail-submission",
+        "traefik.tcp.services.mail-submission.loadbalancer.server.port=${NOMAD_HOST_PORT_submission}",
+        "traefik.tcp.services.mail-submission.loadbalancer.proxyProtocol.version=2",
+
+        # IMAP
+        "traefik.tcp.routers.mail-imap.rule=HostSNI(`*`)",
+        "traefik.tcp.routers.mail-imap.entrypoints=imap",
+        "traefik.tcp.routers.mail-imap.service=mail-imap",
+        "traefik.tcp.services.mail-imap.loadbalancer.server.port=${NOMAD_HOST_PORT_imap}",
+        "traefik.tcp.services.mail-imap.loadbalancer.proxyProtocol.version=2",
+
+        # POP3
+        "traefik.tcp.routers.mail-pop3.rule=HostSNI(`*`)",
+        "traefik.tcp.routers.mail-pop3.entrypoints=pop3",
+        "traefik.tcp.routers.mail-pop3.service=mail-pop3",
+        "traefik.tcp.services.mail-pop3.loadbalancer.server.port=${NOMAD_HOST_PORT_pop3}",
+        "traefik.tcp.services.mail-pop3.loadbalancer.proxyProtocol.version=2",
+
+        # ManageSieve
+        "traefik.tcp.routers.mail-managesieve.rule=HostSNI(`*`)",
+        "traefik.tcp.routers.mail-managesieve.entrypoints=managesieve",
+        "traefik.tcp.routers.mail-managesieve.service=mail-managesieve",
+        "traefik.tcp.services.mail-managesieve.loadbalancer.server.port=${NOMAD_HOST_PORT_managesieve}",
+        "traefik.tcp.services.mail-managesieve.loadbalancer.proxyProtocol.version=2",
+
+        # Implicit TLS is no different, except for optional HostSNI support:
+        # SMTP Submission Secure
+        # "traefik.tcp.routers.mail-submissions.rule=HostSNI(`*`)",
+        "traefik.tcp.routers.mail-submissions.entrypoints=submissions",
+        "traefik.tcp.routers.mail-submissions.service=mail-submissions",
+        "traefik.tcp.services.mail-submissions.loadbalancer.server.port=${NOMAD_HOST_PORT_submissions}",
+        "traefik.tcp.services.mail-submissions.loadbalancer.proxyProtocol.version=2",
+        # NOTE: Optionally match by SNI rule, this requires TLS passthrough (not compatible with STARTTLS):
+        "traefik.tcp.routers.mail-submissions.rule=HostSNI(`${NOMAD_META_domain}`)",
+        "traefik.tcp.routers.mail-submissions.tls.passthrough=true",
+
+        # IMAP Secure
+        # "traefik.tcp.routers.mail-imaps.rule=HostSNI(`*`)",
+        "traefik.tcp.routers.mail-imaps.entrypoints=imaps",
+        "traefik.tcp.routers.mail-imaps.service=mail-imaps",
+        "traefik.tcp.services.mail-imaps.loadbalancer.server.port=${NOMAD_HOST_PORT_imaps}",
+        "traefik.tcp.services.mail-imaps.loadbalancer.proxyProtocol.version=2",
+        # NOTE: Optionally match by SNI rule, this requires TLS passthrough (not compatible with STARTTLS):
+        "traefik.tcp.routers.mail-imaps.rule=HostSNI(`${NOMAD_META_domain}`)",
+        "traefik.tcp.routers.mail-imaps.tls.passthrough=true",
+
+        # POP3 Secure
+        # "traefik.tcp.routers.mail-pop3s.rule=HostSNI(`*`)",
+        "traefik.tcp.routers.mail-pop3s.entrypoints=pop3s",
+        "traefik.tcp.routers.mail-pop3s.service=mail-pop3s",
+        "traefik.tcp.services.mail-pop3s.loadbalancer.server.port=${NOMAD_HOST_PORT_pop3s}",
+        "traefik.tcp.services.mail-pop3s.loadbalancer.proxyProtocol.version=2",
+        # NOTE: Optionally match by SNI rule, this requires TLS passthrough (not compatible with STARTTLS):
+        "traefik.tcp.routers.mail-pop3s.rule=HostSNI(`${NOMAD_META_domain}`)",
+        "traefik.tcp.routers.mail-pop3s.tls.passthrough=true",
+      ]
+    }
+
+    task "mail-server" {
+      driver = "docker"
+
+      config {
+        image    = "ghcr.io/docker-mailserver/docker-mailserver:latest"
+        ports    = ["smtp", "submissions", "submission", "imap", "imaps", "pop3", "pop3s", "managesieve"]
+        hostname = "${NOMAD_META_domain}"
+        volumes = [
+          "/storage/nomad/mail/data/:/var/mail/",
+          "/storage/nomad/mail/state/:/var/mail-state/",
+          "/storage/nomad/mail/logs/:/var/log/mail/",
+          "/storage/nomad/mail/config/:/tmp/docker-mailserver/",
+          # "local/postfix-virtual.cf:/tmp/docker-mailserver/postfix-virtual.cf",
+          "local/postfix-master.cf:/tmp/docker-mailserver/postfix-master.cf",
+          "local/dovecot.cf:/tmp/docker-mailserver/dovecot.cf",
+          "/etc/localtime:/etc/localtime:ro",
+          "/oldstorage/home:/home/:ro",
+          "/storage/nomad/traefik/acme/acme.json:/etc/letsencrypt/acme.json:ro",
+        ]
+      }
+      resources {
+        cpu    = 2000
+        memory = 5000
+      }
+
+      template {
+        data        = file("mailserver.env")
+        destination = "local/mailserver.env"
+        env         = true
+      }
+
+      template {
+        data        = file("postfix-virtual.cf")
+        destination = "local/postfix-virtual.cf"
+      }
+
+      template {
+        data        = <<EOF
+# Enable proxy protocol support for postfix
+smtp/inet/postscreen_upstream_proxy_protocol=haproxy
+submission/inet/smtpd_upstream_proxy_protocol=haproxy
+submissions/inet/smtpd_upstream_proxy_protocol=haproxy
+EOF
+        destination = "local/postfix-master.cf"
+      }
+
+      template {
+        data        = <<EOF
+# Enable proxy protocol support for dovecot
+haproxy_trusted_networks = 136.206.16.50
+
+service imap-login {
+  inet_listener imap {
+    haproxy = yes
+  }
+
+  inet_listener imaps {
+    haproxy = yes
+  }
+}
+
+service pop3-login {
+  inet_listener pop3 {
+    haproxy = yes
+  }
+
+  inet_listener pop3s {
+    haproxy = yes
+  }
+}
+
+service managesieve-login {
+  inet_listener sieve {
+    haproxy = yes
+  }
+}
+EOF
+        destination = "local/dovecot.cf"
+      }
+    }
+  }
+}

jobs/services/mail/roundcube.hcl

@@ -0,0 +1,91 @@
+job "roundcube" {
+  datacenters = ["aperture"]
+
+  type = "service"
+
+  group "roundcube" {
+    count = 1
+
+    network {
+      port "http" {
+        to = 80
+      }
+      port "db" {
+        to = 5432
+      }
+    }
+
+    service {
+      name = "roundcube-web"
+      port = "http"
+
+      check {
+        type     = "http"
+        path     = "/"
+        interval = "10s"
+        timeout  = "2s"
+      }
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.roundcube.rule=Host(`webmail.rb.dcu.ie`)",
+        "traefik.http.routers.roundcube.entrypoints=web,websecure",
+        "traefik.http.routers.roundcube.tls.certresolver=lets-encrypt",
+      ]
+    }
+
+    task "roundcube" {
+      driver = "docker"
+
+      config {
+        image = "roundcube/roundcubemail:latest"
+        ports = ["http"]
+        hostname = "webmail.rb.dcu.ie"
+
+        volumes = [
+          "/storage/nomad/roundcube/www:/var/www/html",
+        ]
+      }
+      template {
+        destination = "local/.env"
+        env         = true
+        change_mode = "restart"
+        data        = <<EOH
+ROUNDCUBEMAIL_DB_TYPE=pgsql
+ROUNDCUBEMAIL_DB_HOST={{ env "NOMAD_IP_db" }}
+ROUNDCUBEMAIL_DB_PORT={{ env "NOMAD_HOST_PORT_db" }}
+ROUNDCUBEMAIL_DB_NAME={{ key "roundcube/db/name" }}
+ROUNDCUBEMAIL_DB_USER={{ key "roundcube/db/user" }}
+ROUNDCUBEMAIL_DB_PASSWORD={{ key "roundcube/db/password" }}
+ROUNDCUBEMAIL_SKIN=elastic
+ROUNDCUBEMAIL_DEFAULT_HOST={{ key "roundcube/imap/host" }}
+ROUNDCUBEMAIL_DEFAULT_PORT={{ key "roundcube/imap/port" }}
+ROUNDCUBEMAIL_SMTP_SERVER={{ key "roundcube/smtp/host" }}
+ROUNDCUBEMAIL_SMTP_PORT={{ key "roundcube/smtp/port" }}
+EOH
+      }
+    }
+    task "roundcube-db" {
+      driver = "docker"
+
+      config {
+        image = "postgres:17-alpine"
+        ports = ["db"]
+
+        volumes = [
+          "/storage/nomad/roundcube/db:/var/lib/postgresql/data"
+        ]
+      }
+
+      template {
+        data        = <<EOH
+POSTGRES_PASSWORD={{ key "roundcube/db/password" }}
+POSTGRES_USER={{ key "roundcube/db/user" }}
+POSTGRES_NAME={{ key "roundcube/db/name" }}
+EOH
+        destination = "local/db.env"
+        env         = true
+      }
+    }
+  }
+}