From 84543e02280881565d3250dc0efd4499d6cbaae5 Mon Sep 17 00:00:00 2001
From: Jakob Odersky <jakob@odersky.com>
Date: Sun, 9 Dec 2018 14:52:11 -0800
Subject: Add email module

---
 terraform/main.tf                                  |   9 +
 terraform/modules/email/main.tf                    | 268 +++++++++++++++++++++
 terraform/modules/email/postfix-master.cf          | 120 +++++++++
 .../rootfs/etc/nginx/conf.d/server_names.conf      |   1 +
 .../rootfs/etc/nginx/sites-enabled/www.conf        |  23 ++
 .../rootfs/usr/local/share/www/crashbox.svg        |  87 +++++++
 .../rootfs/usr/local/share/www/index.html          |  21 ++
 7 files changed, 529 insertions(+)
 create mode 100644 terraform/modules/email/main.tf
 create mode 100644 terraform/modules/email/postfix-master.cf
 create mode 100644 terraform/provision/rootfs/etc/nginx/conf.d/server_names.conf
 create mode 100644 terraform/provision/rootfs/etc/nginx/sites-enabled/www.conf
 create mode 100755 terraform/provision/rootfs/usr/local/share/www/crashbox.svg
 create mode 100644 terraform/provision/rootfs/usr/local/share/www/index.html

diff --git a/terraform/main.tf b/terraform/main.tf
index 9a4bbc7..6f9124c 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -150,3 +150,12 @@ resource "cloudflare_record" "record_keybase" {
   value  = "keybase-site-verification=useVUuHjr-ZoYdIDjzv1JngSiIoHYoGmXHy2BxJcYgE"
   type   = "TXT"
 }
+
+module "email" {
+  source                  = "./modules/email"
+  secret_cloudflare_token = "${var.secret_cloudflare_token}"
+  server_ipv4             = "${hcloud_server.peter.ipv4_address}"
+  server_ipv6             = "${hcloud_server.peter.ipv6_address}1"
+  server_id               = "${hcloud_server.peter.id}"
+  domain                  = "crashbox.io"
+}
diff --git a/terraform/modules/email/main.tf b/terraform/modules/email/main.tf
new file mode 100644
index 0000000..510994e
--- /dev/null
+++ b/terraform/modules/email/main.tf
@@ -0,0 +1,268 @@
+variable "secret_cloudflare_token" {}
+
+variable "domain" {
+  description = "Domain name of email addresses."
+}
+
+variable "server_ipv4" {
+  description = "IP address of primary mail server."
+}
+
+variable "server_ipv6" {
+  description = "IP address of primary mail server."
+}
+
+variable "server_id" {
+  description = "Unique server ID that will trigger this module, if changed."
+}
+
+resource "tls_private_key" "tls_mail" {
+  algorithm = "RSA"
+}
+
+resource "acme_registration" "tls_mail" {
+  account_key_pem = "${tls_private_key.tls_mail.private_key_pem}"
+  email_address   = "jakob@odersky.com"
+}
+
+resource "acme_certificate" "tls_mail" {
+  account_key_pem = "${acme_registration.tls_mail.account_key_pem}"
+  common_name     = "mail.${var.domain}"
+
+  dns_challenge {
+    provider = "cloudflare"
+
+    config {
+      CLOUDFLARE_EMAIL   = "jakob@odersky.com"
+      CLOUDFLARE_API_KEY = "${var.secret_cloudflare_token}"
+    }
+  }
+}
+
+resource "hcloud_rdns" "rdns4" {
+  server_id  = "${var.server_id}"
+  ip_address = "${var.server_ipv4}"
+  dns_ptr    = "mail.${var.domain}"
+}
+
+resource "hcloud_rdns" "rdns6" {
+  server_id  = "${var.server_id}"
+  ip_address = "${var.server_ipv6}"
+  dns_ptr    = "mail.${var.domain}"
+}
+
+resource "cloudflare_record" "record_a" {
+  type   = "A"
+  domain = "${var.domain}"
+  name   = "mail"
+  value  = "${var.server_ipv4}"
+}
+
+resource "cloudflare_record" "record_aaaa" {
+  type   = "AAAA"
+  domain = "${var.domain}"
+  name   = "mail"
+  value  = "${var.server_ipv6}"
+}
+
+resource "cloudflare_record" "record_mx" {
+  type   = "MX"
+  domain = "${var.domain}"
+  name   = "@"
+  value  = "mail.${var.domain}"
+}
+
+resource "cloudflare_record" "record_spf" {
+  type   = "TXT"
+  domain = "${var.domain}"
+  name   = "@"
+  value  = "v=spf1 a mx -all"
+}
+
+resource "cloudflare_record" "record_dmarc" {
+  type   = "TXT"
+  domain = "${var.domain}"
+  name   = "_dmarc"
+  value  = "v=DMARC1; p=quarantine; rua=mailto:postmaster@${var.domain}"
+}
+
+resource "tls_private_key" "dkim" {
+  algorithm = "RSA"
+}
+
+resource "cloudflare_record" "record_dkim_txt" {
+  type   = "TXT"
+  domain = "${var.domain}"
+  name   = "mail._domainkey"
+  value  = "v=DKIM1; k=rsa; p=${replace("${tls_private_key.dkim.public_key_pem}","/-----BEGIN PUBLIC KEY-----|-----END PUBLIC KEY-----|\n/","")};"
+}
+
+resource "null_resource" "config" {
+  triggers {
+    server_id        = "${var.server_id}"
+    domain           = "${var.domain}"
+    dkim_private_key = "${tls_private_key.dkim.private_key_pem}"
+    mail_key         = "${acme_certificate.tls_mail.private_key_pem}"
+    mail_cert        = "${acme_certificate.tls_mail.certificate_pem}"
+  }
+
+  connection {
+    host = "${var.server_ipv4}"
+  }
+
+  provisioner "remote-exec" {
+    inline = ["DEBIAN_FRONTEND=noninteractive apt-get install --yes postfix opendkim bsd-mailx dovecot-core dovecot-imapd"]
+  }
+
+  provisioner "file" {
+    content     = "${acme_certificate.tls_mail.private_key_pem}"
+    destination = "/etc/ssl/private/mail.key.pem"
+  }
+
+  provisioner "file" {
+    content     = "${acme_certificate.tls_mail.certificate_pem}"
+    destination = "/etc/ssl/mail.cert.pem"
+  }
+
+  provisioner "file" {
+    content     = "${var.domain}\n"
+    destination = "/etc/mailname"
+  }
+
+  provisioner "file" {
+    source      = "${path.module}/postfix-master.cf"
+    destination = "/etc/postfix/master.cf"
+  }
+
+  provisioner "file" {
+    content = <<EOF
+myhostname = mail.${var.domain}
+myorigin = /etc/mailname
+mydestination = $myhostname, ${var.domain}, localhost.localdomain, localhost
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/mail.cert.pem
+smtpd_tls_key_file=/etc/ssl/private/mail.key.pem
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:$${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:$${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+#home_mailbox = mail/
+
+smtpd_milters = inet:127.0.0.1:8891
+non_smtpd_milters = inet:127.0.0.1:8891
+EOF
+
+    destination = "/etc/postfix/main.cf"
+  }
+
+  provisioner "file" {
+    content     = "${tls_private_key.dkim.private_key_pem}"
+    destination = "/etc/dkimkeys/dkim.key"
+  }
+
+  provisioner "file" {
+    content = <<EOF
+Syslog			yes
+UMask			007
+Domain			${var.domain}
+KeyFile			/etc/dkimkeys/dkim.key
+# on Debian, directory permissions of /etc/dkimkeys already restrict access
+RequireSafeKeys         false
+Selector		mail
+Canonicalization	relaxed/simple
+Mode			s
+Socket			inet:8891@127.0.0.1
+PidFile                 /var/run/opendkim/opendkim.pid
+OversignHeaders		From
+TrustAnchorFile         /usr/share/dns/root.key
+UserID                  opendkim
+EOF
+
+    destination = "/etc/opendkim.conf"
+  }
+
+  provisioner "file" {
+    content = <<EOF
+disable_plaintext_auth = no
+mail_privileged_group = mail
+mail_location = mbox:~/mail:INBOX=/var/mail/%u
+userdb {
+  driver = passwd
+}
+passdb {
+  driver = passwd-file
+  args = scheme=sha256-crypt username_format=%n /etc/imap.passwd
+}
+protocols = " imap"
+
+service auth {
+  unix_listener /var/spool/postfix/private/auth {
+    group = postfix
+    mode = 0660
+    user = postfix
+  }
+}
+ssl=required
+ssl_cert = </etc/ssl/mail.cert.pem
+ssl_key = </etc/ssl/private/mail.key.pem
+EOF
+
+    destination = "/etc/dovecot/dovecot.conf"
+  }
+
+  provisioner "file" {
+    # content generated with
+    # echo "root:$(doveadm pw -s sha256-crypt -p "$(pass infra/root@crashbox.io)")"
+    content = "root:{SHA256-CRYPT}$5$Yymf6C.k4LgUaNla$UqKwSSIewxCyLV72zXNjfVI2s3xdicXmgCM99BwxWeB"
+
+    destination = "/etc/imap.passwd"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "usermod --append --groups ssl-cert postfix",
+      "usermod --append --groups ssl-cert dovecot",
+      "systemctl restart opendkim.service postfix.service dovecot.service",
+      "ufw allow 25",
+      "ufw allow 587",
+    ]
+  }
+
+  provisioner "remote-exec" {
+    when = "destroy"
+
+    inline = [
+      "DEBIAN_FRONTEND=noninteractive apt-get purge --yes postfix opendkim dovecot-core dovecot-imapd",
+      "rm -rf /etc/dkimkey/dkim.key",
+      "rm -f /etc/ssl/mail.cert.pem",
+      "rm -f /etc/ssl/private/mail.key.pem",
+      "ufw delete allow 25",
+      "ufw delete allow 587",
+    ]
+  }
+}
diff --git a/terraform/modules/email/postfix-master.cf b/terraform/modules/email/postfix-master.cf
new file mode 100644
index 0000000..d9d50eb
--- /dev/null
+++ b/terraform/modules/email/postfix-master.cf
@@ -0,0 +1,120 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+#smtp      inet  n       -       y       -       1       postscreen
+#smtpd     pass  -       -       y       -       -       smtpd
+#dnsblog   unix  -       -       y       -       0       dnsblog
+#tlsproxy  unix  -       -       y       -       0       tlsproxy
+submission inet n       -       y       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_sasl_path=private/auth
+  -o smtpd_sasl_type=dovecot
+  -o smtpd_tls_security_level=encrypt
+#smtps     inet  n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       y       -       -       qmqpd
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+
diff --git a/terraform/provision/rootfs/etc/nginx/conf.d/server_names.conf b/terraform/provision/rootfs/etc/nginx/conf.d/server_names.conf
new file mode 100644
index 0000000..9fdc6f1
--- /dev/null
+++ b/terraform/provision/rootfs/etc/nginx/conf.d/server_names.conf
@@ -0,0 +1 @@
+server_names_hash_bucket_size 64;
diff --git a/terraform/provision/rootfs/etc/nginx/sites-enabled/www.conf b/terraform/provision/rootfs/etc/nginx/sites-enabled/www.conf
new file mode 100644
index 0000000..d3118e6
--- /dev/null
+++ b/terraform/provision/rootfs/etc/nginx/sites-enabled/www.conf
@@ -0,0 +1,23 @@
+server {
+    server_name www.crashbox.io;
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    return 301 https://crashbox.io$request_uri;
+}
+
+server {
+    server_name crashbox.io;
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    root /usr/local/share/www;
+    index index.html;
+
+    location / {
+        try_files $uri =404;
+    }
+}
diff --git a/terraform/provision/rootfs/usr/local/share/www/crashbox.svg b/terraform/provision/rootfs/usr/local/share/www/crashbox.svg
new file mode 100755
index 0000000..40482ac
--- /dev/null
+++ b/terraform/provision/rootfs/usr/local/share/www/crashbox.svg
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="500"
+   height="500"
+   viewBox="0 0 132.29166 132.29167"
+   version="1.1"
+   id="svg8"
+   inkscape:version="0.92.3 (2405546, 2018-03-11)"
+   sodipodi:docname="crashbox.svg"
+   inkscape:export-filename="/home/jodersky/.background.png"
+   inkscape:export-xdpi="96"
+   inkscape:export-ydpi="96">
+  <defs
+     id="defs2" />
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="1.0181818"
+     inkscape:cx="281.65068"
+     inkscape:cy="311.71929"
+     inkscape:document-units="mm"
+     inkscape:current-layer="layer1"
+     showgrid="false"
+     inkscape:snap-global="true"
+     inkscape:snap-bbox="true"
+     inkscape:bbox-nodes="true"
+     inkscape:object-paths="true"
+     inkscape:window-width="958"
+     inkscape:window-height="1056"
+     inkscape:window-x="960"
+     inkscape:window-y="22"
+     inkscape:window-maximized="0"
+     inkscape:snap-bbox-edge-midpoints="true"
+     inkscape:snap-object-midpoints="true"
+     inkscape:snap-smooth-nodes="true"
+     units="px"
+     fit-margin-top="0"
+     fit-margin-left="0"
+     fit-margin-right="0"
+     fit-margin-bottom="0" />
+  <metadata
+     id="metadata5">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-15.076923,-23.286345)">
+    <g
+       id="g885"
+       transform="matrix(0,4.7908009,-4.7908009,0,1323.6881,-237.29388)"
+       style="fill:#cccccc">
+      <path
+         id="path871"
+         d="m 54.447016,259.34398 c 0,-0.41251 6.51827,-11.70207 6.87555,-11.90832 0.35728,-0.20625 13.39434,-0.20626 13.75161,0 0.35728,0.20626 6.87607,11.4958 6.87607,11.90832 10e-6,0.41251 -6.51879,11.70206 -6.87607,11.90832 -0.35727,0.20626 -13.39433,0.20625 -13.75161,-10e-6 -0.35728,-0.20625 -6.87555,-11.4958 -6.87555,-11.90831 z m 0.86868,1e-5 c 0,0.38642 6.10676,10.96216 6.44147,11.15537 0.33471,0.19322 12.54822,0.19323 12.88293,0 0.33471,-0.19321 6.44147,-10.76895 6.44147,-11.15538 0,-0.38643 -6.10676,-10.96217 -6.44147,-11.1554 -0.33471,-0.1932 -12.54822,-0.19321 -12.88293,0 -0.33471,0.19322 -6.44147,10.76896 -6.44147,11.15541 z"
+         style="fill:#cccccc;fill-opacity:1;stroke:none;stroke-width:0.15927917;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path873"
+         d="m 68.986516,259.38836 c 0,-0.34087 5.34873,-9.60935 5.70206,-9.88448 0.53173,0.60355 5.66767,9.50847 5.66765,9.84278 10e-6,0.3409 -5.35009,9.61103 -5.70248,9.88449 -0.53273,-0.60539 -5.66719,-9.50851 -5.66723,-9.84275 z"
+         style="fill:#cccccc;fill-opacity:1;stroke:none;stroke-width:0.15927917;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         inkscape:connector-curvature="0" />
+    </g>
+  </g>
+</svg>
diff --git a/terraform/provision/rootfs/usr/local/share/www/index.html b/terraform/provision/rootfs/usr/local/share/www/index.html
new file mode 100644
index 0000000..57d2c0c
--- /dev/null
+++ b/terraform/provision/rootfs/usr/local/share/www/index.html
@@ -0,0 +1,21 @@
+<html>
+    <head>
+	<title>crashbox</title>
+	<style>
+	 html, body {
+	     height: 100vh;
+	     display: flex;
+	     flex-direction: column;
+	     align-items: center;
+	     justify-content: center;
+	 }
+	</style>
+    </head>
+    <body>
+	<div>
+	    <a href="https://dl.crashbox.io">dl</a>
+	    <a href="https://git.crashbox.io">git</a>
+	    <a href="https://ip.crashbox.io">ip</a>
+	</div>
+    </body>
+</html>
-- 
cgit v1.2.3