author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-04 21:59:59 -0400 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-04 21:59:59 -0400 |
commit | 1e088983f6a80b6fd47543d0b4989e9ddb3234d5 (patch) | |
tree | 16af4205d84c9194257887e5e54653f79e96f987 /scripts | |
parent | a1bddcb1de1053994fb445267ca5d1ffaecb0fb5 (diff) | |
download | infrastructure-1e088983f6a80b6fd47543d0b4989e9ddb3234d5.tar.gz |
add imap stuff
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/hostclass/imap_server/10-solr | 78 | ||||
-rw-r--r-- | scripts/hostclass/imap_server/20-tika | 38 | ||||
-rw-r--r-- | scripts/hostclass/imap_server/30-dovecot | 108 | ||||
-rw-r--r-- | scripts/hostclass/smtp_server/20-postfix | 6 | ||||
-rw-r--r-- | scripts/os/freebsd/60-acme | 75 |
5 files changed, 300 insertions, 5 deletions
diff --git a/scripts/hostclass/imap_server/10-solr b/scripts/hostclass/imap_server/10-solr
new file mode 100644
index 0000000..252a8c3
--- /dev/null
+++ b/scripts/hostclass/imap_server/10-solr
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+: ${solr_version:='9.7.0'}
+
+solr_uid=161
+solr_user=solr
+solr_data_dir=/var/db/solr
+solr_conf_dir=/usr/local/etc/solr
+solr_install_dir=/usr/local/solr
+solr_heap_size=2g
+solr_softcommit_ms=60000
+solr_url="https://dlcdn.apache.org/solr/solr/${solr_version}/solr-${solr_version}-slim.tgz"
+solr_port=8983
+
+# Install dependencies.
+pkg install -y \
+ curl \
+ openjdk21 \
+ bash
+
+# Add local solr user.
+add_user \
+ -u "$solr_uid" \
+ -c 'Apache Solr' \
+ -d "$solr_data_dir" \
+ -s /usr/sbin/nologin \
+ "$solr_user"
+
+# Create ZFS dataset for solr DB.
+create_dataset -o "mountpoint=${solr_data_dir}" "${state_dataset}/solr"
+
+# Set ownership on solr DB dir.
+install_directory -m 0770 -o "$solr_user" -g "$solr_user" "$solr_data_dir"
+
+# Create solr install/config directories.
+install_directory -m 0755 \
+ "$solr_install_dir" \
+ "$solr_conf_dir"
+
+# Download and extract the solr tarball.
+curl -fL "$solr_url" | tar xf - -C "$solr_install_dir" --strip-components 1
+
+# Copy solr rc script.
+install_file -m 0555 /usr/local/etc/rc.d/solr
+
+# Copy solr config files.
+install_file -m 0644 \
+ "${solr_conf_dir}/solrconfig.xml" \
+ "${solr_conf_dir}/log4j2.xml"
+
+# Copy the default solr config from the distribution.
+install -v -m 0644 -o "$solr_user" -g "$solr_user" \
+ "${solr_install_dir}/server/solr/solr.xml" \
+ "${solr_data_dir}/solr.xml"
+
+# Enable and start solr.
+sysrc -v \
+ solr_enable=YES \
+ solr_heap_size="$solr_heap_size"
+
+# Start solr.
+service solr restart
+
+# Create solr collection for dovecot.
+if ! [ -d "${solr_data_dir}/dovecot" ]; then
+ log "waiting a few seconds for solr to finish starting up"
+ sleep 3
+ JAVA_TOOL_OPTIONS='-Xmx64m' su -m "$solr_user" -c "${solr_install_dir}/bin/solr create --name dovecot --solr-url http://127.0.0.1:${solr_port}"
+fi
+
+# Copy solr configs for dovecot.
+install_file -m 0644 -o "$solr_user" -g "$solr_user" \
+ "${solr_data_dir}/dovecot/conf/schema.xml" \
+ "${solr_data_dir}/dovecot/conf/solrconfig.xml"
+rm -f "${solr_data_dir}/dovecot/conf/managed-schema.xml"
+
+# Restart solr.
+service solr restart
diff --git a/scripts/hostclass/imap_server/20-tika b/scripts/hostclass/imap_server/20-tika
new file mode 100644
index 0000000..3b4aa47
--- /dev/null
+++ b/scripts/hostclass/imap_server/20-tika
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+: ${tika_version:='2.9.2'}
+: ${tika_uid:='787'}
+
+tika_user=tika
+tika_conf_dir=/usr/local/etc/tika
+tika_install_dir=/usr/local/tika
+tika_heap_size=2g
+tika_port=9998
+tika_url="https://dlcdn.apache.org/tika/${tika_version}/tika-server-standard-${tika_version}.jar"
+
+# Add local tika user.
+add_user \
+ -u "$tika_uid" \
+ -c 'Apache Tika' \
+ -d /nonexistent \
+ -s /usr/sbin/nologin \
+ "$tika_user"
+
+# Create tika install/config directories.
+install_directory -m 0755 \
+ "$tika_install_dir" \
+ "$tika_conf_dir"
+
+# Download tika jar file.
+curl -fL -o "${tika_install_dir}/tika.jar" "$tika_url"
+
+# Copy tika rc script.
+install_file -m 0555 /usr/local/etc/rc.d/tika
+
+# Copy tika config files.
+install_template -m 0644 "${tika_conf_dir}/config.xml"
+install_file -m 0644 "${tika_conf_dir}/log4j2.xml"
+
+# Enable and start tika.
+sysrc -v tika_enable=YES
+service tika restart
diff --git a/scripts/hostclass/imap_server/30-dovecot b/scripts/hostclass/imap_server/30-dovecot
new file mode 100644
index 0000000..07c089e
--- /dev/null
+++ b/scripts/hostclass/imap_server/30-dovecot
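Review bot: `curl -fL "$solr_url" | tar xf - -C "$solr_install_dir" --strip-components 1` extracts a tarball fetched from the network into `/usr/local/solr` as root without checking a digest or signature, so whatever the mirror (or anything between it and this host) serves is installed verbatim; the `curl -fL -o "${tika_install_dir}/tika.jar" "$tika_url"` fetch in 20-tika has the same gap. Apache publishes a `.sha512` file next to each release, so pin the expected digest beside `solr_version` (say `solr_sha512`) and compare it before extracting, as below. Downloading to a temp file first also means a failed `curl` is reported by its own exit status instead of being hidden behind `tar`'s, which is what the plain `#!/bin/sh` pipeline does today. The fixed `sleep 3` before `solr create` is a race against startup; polling the admin URL until it answers would be more reliable, though the `[ -d "${solr_data_dir}/dovecot" ]` guard at least keeps that step idempotent.
```sh
# Download the solr tarball and verify it against the pinned digest before
# extracting. solr_sha512 is expected to be set next to solr_version.
solr_tarball=$(mktemp -t solr) || die "mktemp failed"
curl -fL -o "$solr_tarball" "$solr_url" || die "failed to download ${solr_url}"
[ "$(sha512 -q "$solr_tarball")" = "$solr_sha512" ] || die "checksum mismatch for ${solr_url}"
tar xf "$solr_tarball" -C "$solr_install_dir" --strip-components 1
rm -f "$solr_tarball"
# … unchanged: rc script, config files, sysrc, service restart …
```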
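Review bot: `tika_heap_size=2g` is assigned but, unlike `solr_heap_size` in 10-solr, never handed to `sysrc`, and the only template rendered here is `config.xml`, so unless the rc script picks it up some other way the value is dead and tika starts with the JVM's default heap. Either drop the variable or mirror the solr script: `sysrc -v tika_enable=YES tika_heap_size="$tika_heap_size"`. Relatedly, `: ${tika_uid:='787'}` is overridable from the environment while `solr_uid=161` in the sibling script is fixed; picking one convention for service UIDs would make the hostclass easier to audit.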
@@ -0,0 +1,108 @@
+#!/bin/sh
+
+: ${dovecot_recipient_delimiter:='+'}
+: ${dovecot_default_quota:='10G'}
+: ${dovecot_quota_grace_percent:='5'}
+: ${dovecot_quota_mail_from:="postmaster@${email_domain}"}
+: ${rspamd_host:='smtp'}
+
+dovecot_user=dovecot
+dovecot_login_user=dovenull
+dovecot_vmail_user=vmail
+dovecot_vmail_uid=793
+dovecot_vmail_dir=/var/db/vmail
+dovecot_conf_dir=/usr/local/etc/dovecot
+dovecot_script_dir=/usr/local/libexec/dovecot
+dovecot_sieve_before_dir="${dovecot_conf_dir}/sieve-before.d"
+dovecot_sieve_pipe_bin_dir="${dovecot_script_dir}/sieve-pipe"
+dovecot_keytab="${keytab_dir}/dovecot.keytab"
+dovecot_tls_cert="${dovecot_conf_dir}/dovecot.crt"
+dovecot_tls_key="${dovecot_conf_dir}/dovecot.key"
+dovecot_cipherlist='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305'
+
+pkg install -y \
+ dovecot \
+ dovecot-pigeonhole \
+ rspamd
+
+# Add local vmail user.
+add_user \
+ -u "$dovecot_vmail_uid" \
+ -c 'Virtual Mail User' \
+ -d "$dovecot_vmail_dir" \
+ -s /usr/sbin/nologin \
+ "$dovecot_vmail_user"
+
+# Create ZFS dataset for virtual maildirs.
+create_dataset -o "mountpoint=${dovecot_vmail_dir}" "${state_dataset}/mailboxes"
+
+# Set ownership on vmail dir.
+install_directory -m 0770 -o "$dovecot_vmail_user" -g "$dovecot_vmail_user" "$dovecot_vmail_dir"
+
+# Create service principals and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "imap/${fqdn}"
+add_principal -nokey -x "containerdn=${services_basedn}" "sieve/${fqdn}"
+
+ktadd -k "$dovecot_keytab" "imap/${fqdn}"
+ktadd -k "$dovecot_keytab" "sieve/${fqdn}"
+chgrp "$dovecot_user" "$dovecot_keytab"
+chmod 640 "$dovecot_keytab"
+
+dovecot_uid=$(id -u "$dovecot_user")
+install_directory -o "$dovecot_user" -m 0700 "/var/krb5/user/${dovecot_uid}"
+ln -snfv "$dovecot_keytab" "/var/krb5/user/${dovecot_uid}/keytab"
+ln -snfv "$dovecot_keytab" "/var/krb5/user/${dovecot_uid}/client.keytab"
+
+# Create dovecot directories.
+install_directory -m 0755 \
+ "${dovecot_conf_dir}/conf.d" \
+ "$dovecot_sieve_before_dir" \
+ "$dovecot_sieve_pipe_bin_dir"
+
+# Generate dovecot configuration.
+install_template -m 0644 \
+ "${dovecot_conf_dir}/dovecot.conf" \
+ "${dovecot_conf_dir}/dovecot-ldap-userdb.conf.ext" \
+ "${dovecot_conf_dir}/dovecot-ldap-passdb.conf.ext" \
+ "${dovecot_conf_dir}/conf.d/10-auth.conf" \
+ "${dovecot_conf_dir}/conf.d/10-mail.conf" \
+ "${dovecot_conf_dir}/conf.d/10-master.conf" \
+ "${dovecot_conf_dir}/conf.d/10-ssl.conf" \
+ "${dovecot_conf_dir}/conf.d/15-lda.conf" \
+ "${dovecot_conf_dir}/conf.d/90-fts.conf" \
+ "${dovecot_conf_dir}/conf.d/90-quota.conf" \
+ "${dovecot_conf_dir}/conf.d/90-sieve.conf" \
+ "${dovecot_conf_dir}/conf.d/90-sieve-extprograms.conf" \
+ "${dovecot_conf_dir}/conf.d/auth-ldap.conf.ext"
+
+install_template -m 0550 -o root -g "$dovecot_user" \
+ "${dovecot_sieve_pipe_bin_dir}/report-spam.sh" \
+ "${dovecot_sieve_pipe_bin_dir}/report-ham.sh" \
+
+install_file -m 0555 \
+ "${dovecot_script_dir}/quota-warning.sh"
+
+install_file -m 0644 \
+ "${dovecot_conf_dir}/conf.d/15-mailboxes.conf" \
+ "${dovecot_conf_dir}/conf.d/20-imap.conf" \
+ "${dovecot_conf_dir}/conf.d/20-lmtp.conf" \
+ "${dovecot_conf_dir}/conf.d/20-managesieve.conf" \
+ "${dovecot_conf_dir}/report-ham.sieve" \
+ "${dovecot_conf_dir}/report-spam.sieve" \
+ "${dovecot_sieve_before_dir}/10-rspamd.sieve"
+
+# Compile sieve scripts.
+sievec "${dovecot_conf_dir}/report-ham.sieve"
+sievec "${dovecot_conf_dir}/report-spam.sieve"
+sievec "${dovecot_sieve_before_dir}/10-rspamd.sieve"
+
+# Copy TLS certificate for dovecot.
+install_certificate -m 0644 -o root -g "$dovecot_user" dovecot "$dovecot_tls_cert"
+install_certificate_key -m 0640 -o root -g "$dovecot_user" dovecot "$dovecot_tls_key"
+
+# Enable and start dovecot and dependencies.
+sysrc -v dovecot_enable=YES
+service dovecot restart
+
+# Disable rspamd log rotation (we don't actually run rspamd here).
+echo '# intentionally empty' > /usr/local/etc/newsyslog.conf.d/rspamd.newsyslog.conf
diff --git a/scripts/hostclass/smtp_server/20-postfix b/scripts/hostclass/smtp_server/20-postfix
index 0d4830f..e224e9b 100644
--- a/scripts/hostclass/smtp_server/20-postfix
+++ b/scripts/hostclass/smtp_server/20-postfix
@@ -7,12 +7,8 @@ : ${postfix_recipient_delimiter:='+'} : ${postfix_message_size_limit:='67108864'} # 64 MB : ${postfix_virtual_domains:="$email_domain"} -: ${postfix_lmtp_port:='24'} -: ${postfix_quota_port:='10993'} : ${imap_host='imap'} -: ${lmtp_port='25'} -: ${quota_status_port='10993'} postfix_conf_dir=/usr/local/etc/postfix postfix_user=postfix
@@ -57,7 +53,7 @@ install_certificate_key -m 0640 -o root -g "$postfix_user" postfix "$postfix_loc if [ "$postfix_public_fqdn" != "$fqdn" ]; then # Acquire public TLS certificate. install_file /usr/local/etc/sudoers.d/acme - get_acme_certificate \ + acme_install_certificate \ -c "$postfix_public_tls_cert" \ -k "$postfix_public_tls_key" \ -g "$postfix_user" \
diff --git a/scripts/os/freebsd/60-acme b/scripts/os/freebsd/60-acme
new file mode 100644
index 0000000..902e674
--- /dev/null
+++ b/scripts/os/freebsd/60-acme
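Review bot: The `"${dovecot_sieve_pipe_bin_dir}/report-ham.sh" \` line of the `install_template -m 0550` call ends with a line continuation that runs onto the blank line after it, so the command is only terminated by that empty line; the moment someone tidies the blank line away, the following `install_file -m 0555 "${dovecot_script_dir}/quota-warning.sh"` merges into the `install_template` argument list and gets rendered as a 0550 root:dovecot template. Drop the trailing backslash: `"${dovecot_sieve_pipe_bin_dir}/report-ham.sh"`. Separately, `ktadd -k "$dovecot_keytab" "imap/${fqdn}"` and its `sieve/` sibling run unconditionally on every provisioning pass; if these wrap MIT kadmin's ktadd, re-running the script presumably re-keys both principals and bumps their kvno, which invalidates service tickets already issued against the old key, so a guard that skips `ktadd` when the keytab already holds the principal (in the spirit of the `[ -d ... ]` guard used in 10-solr) would make the script safe to re-run.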
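Review bot: The defaults for `postfix_lmtp_port`, `postfix_quota_port`, `lmtp_port` and `quota_status_port` are removed in the first hunk, but nothing in this commit touches their consumers (the postfix templates are outside the diff); if any template still expands one of them it now renders an empty port, so it is worth grepping the templates before merging. In the same hunk the surviving `: ${imap_host='imap'}` uses `=` while every neighbouring default uses `:=`, so a set-but-empty `imap_host` is kept empty rather than defaulted; `: ${imap_host:='imap'}` would match the rest of the file. The rename to `acme_install_certificate` in the second hunk does line up with the new function in 60-acme, whose `getopts c:g:k:r:` accepts the `-c`, `-k` and `-g` options passed here.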
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+[ "${acme:-}" = true ] || return 0
+
+: ${acme_email:="root@${email_domain}"}
+: ${acme_keylength:='ec-256'}
+
+acme_cert_dir=/usr/local/etc/ssl/acme
+acme_standalone_port=9080
+acme_user=acme
+acme_home=/var/db/acme
+acme_webroot=/usr/local/www/acme
+
+pkg install -y acme.sh
+
+install_directory -m 0775 -o root -g "$acme_user" "$acme_cert_dir"
+install_template -m 0644 /etc/cron.d/acme
+
+if [ -n "${acme_eab_kid:-}" ]; then
+ su -m "$acme_user" -c "acme.sh --home ${acme_home} --register-account --eab-kid ${acme_eab_kid} --eab-hmac-key ${acme_eab_hmac_key}"
+else
+ su -m "$acme_user" -c "acme.sh --home ${acme_home} --register-account --email ${acme_email}"
+fi
+
+acme_install_certificate(){
+ _aic_group=0
+ _aic_cert_path=
+ _aic_key_path=
+ _aic_reload_cmd=
+
+ while getopts c:g:k:r: _aic_opt; do
+ case $_aic_opt in
+ c) _aic_cert_path=$OPTARG ;;
+ g) _aic_group=$OPTARG ;;
+ k) _aic_key_path=$OPTARG ;;
+ r) _aic_reload_cmd=$OPTARG ;;
+ esac
+ done
+
+ shift $((OPTIND - 1))
+ _aic_name=$1
+
+ # Acquire the certificate via HTTP ACME challenge.
+ _aic_domain_args=''
+ for _aic_domain; do
+ _aic_domain_args="${_aic_domain_args} -d ${_aic_domain}"
+ done
+
+ if [ -n "${acme_standalone:-}" ]; then
+ su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} --standalone --httport ${acme_standalone_port} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$?
+ else
+ install_directory -o root -g "$acme_user" -m 0775 "$acme_webroot"
+ su -m "$acme_user" -c "acme.sh --home ${acme_home} --issue --keylength ${acme_keylength} -w ${acme_webroot} ${_aic_domain_args}" && _aic_rc=$? || _aic_rc=$?
+ fi
+
+ case $_aic_rc in
+ 0) ;; # New cert was issued.
+ 2) ;; # Cert was unchanged.
+ *) die "failed to issue ACME certificate for: $*" ;;
+ esac
+
+ # Install the certificate to the requested location.
+ if [ -f "$_aic_key_path" ]; then
+ chmod 640 "$_aic_key_path"
+ chown "${acme_user}:${_aic_group}" "$_aic_key_path"
+ else
+ install -o "$acme_user" -g "$_aic_group" -m 0640 /dev/null "$_aic_key_path"
+ fi
+
+ if [ -n "$_aic_reload_cmd" ]; then
+ su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_name} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path} --reloadcmd '${_aic_reload_cmd}'"
+ else
+ su -m "$acme_user" -c "acme.sh --home ${acme_home} --install-cert --domain ${_aic_name} --key-file ${_aic_key_path} --fullchain-file ${_aic_cert_path}"
+ fi
+}
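Review bot: `su -m "$acme_user" -c "acme.sh ... --eab-kid ${acme_eab_kid} --eab-hmac-key ${acme_eab_hmac_key}"` expands the EAB HMAC key into the argument string of `su`, so for as long as registration runs it is readable by every local user through `ps`; export the variables and single-quote the `-c` string so the inner shell expands them instead, e.g. `export acme_home acme_eab_kid acme_eab_hmac_key` followed by `su -m "$acme_user" -c 'acme.sh --home "$acme_home" --register-account --eab-kid "$acme_eab_kid" --eab-hmac-key "$acme_eab_hmac_key"'`. The same pattern would also stop values containing spaces or quotes from being re-parsed by the inner shell, which applies to `${_aic_domain_args}` and the single-quoted `'${_aic_reload_cmd}'` in `acme_install_certificate` as well. `--standalone --httport ${acme_standalone_port}` looks like a typo for acme.sh's `--httpport`, which would make the standalone branch fail at option parsing rather than issue anything. Because `acme_keylength` defaults to `ec-256`, acme.sh keeps the certificate under the `_ecc` variant of the domain directory and, as far as I recall, `--install-cert` needs `--ecc` to locate it, so this deserves a test issue on a scratch host. Finally the function never checks that `-c` and `-k` were supplied: with an empty `_aic_key_path` the `[ -f ... ]` test is false and `install ... /dev/null ""` fails with an unhelpful error, so `[ -n "$_aic_cert_path" ] && [ -n "$_aic_key_path" ] || die "acme_install_certificate: -c and -k are required"` right after the `shift` would be cheap insurance.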