docker/mailu
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Move all directories per theme

Browse Source
This commit is contained in:
kaiyou
2017-11-01 12:11:04 +01:00
parent 26da4f306d
commit 689be5f2d9
210 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
core/nginx/Dockerfile Normal file
View File

@@ -0,0 +1,8 @@
FROM alpine:edge
RUN apk add --no-cache nginx nginx-mod-mail python py-jinja2 certbot openssl
COPY conf /conf
COPY *.py /
CMD /start.py

171
core/nginx/conf/nginx.conf Normal file
View File

@@ -0,0 +1,171 @@
# Basic configuration
user nginx;
worker_processes 4;
error_log /dev/stderr info;
pid /var/run/nginx.pid;
load_module "modules/ngx_mail_module.so";
events {
worker_connections 1024;
}
http {
# Standard HTTP configuration with slight hardening
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /dev/stdout;
sendfile on;
keepalive_timeout 65;
server_tokens off;
absolute_redirect off;
# Main HTTP server
server {
# Always listen over HTTP
listen 80;
listen [::]:80;
# Only enable HTTPS if TLS is enabled with no error
{% if TLS and not TLS_ERROR %}
listen 443 ssl;
listen [::]:443 ssl;
include /etc/nginx/tls.conf;
ssl_session_cache shared:SSLHTTP:50m;
add_header Strict-Transport-Security max-age=15768000;
if ($scheme = http) {
return 301 https://$host$request_uri;
}
{% endif %}
# In any case, enable the proxy for certbot if the flavor is letsencrypt
{% if TLS_FLAVOR == 'letsencrypt' %}
location ^~ /.well-known/acme-challenge/ {
proxy_pass http://localhost:8000;
}
{% endif %}
# If TLS is failing, prevent access to anything except certbot
{% if TLS_ERROR %}
location / {
return 403;
}
{% else %}
# Actual logic
{% if WEBMAIL != 'none' %}
location / {
return 301 $scheme://$host/webmail/;
}
location {{ WEB_WEBMAIL }} {
rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
proxy_pass http://webmail;
}
{% endif %}
{% if ADMIN == 'true' %}
location {{ WEB_ADMIN }} {
return 301 {{ WEB_ADMIN }}/ui;
}
location ~ {{ WEB_ADMIN }}/(ui|static) {
rewrite ^{{ WEB_ADMIN }}/(.*) /$1 break;
proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
proxy_pass http://admin;
}
{% endif %}
{% if WEBDAV != 'none' %}
location /webdav {
rewrite ^/webdav/(.*) /$1 break;
proxy_pass http://webdav:5232;
}
{% endif %}
{% endif %}
}
# Forwarding authentication server
server {
listen 127.0.0.1:8000;
location / {
proxy_pass http://admin/internal/;
}
}
}
mail {
server_name {{ HOSTNAMES.split(",")[0] }};
auth_http http://127.0.0.1:8000/auth/email;
proxy_pass_error_message on;
{% if TLS and not TLS_ERROR %}
include /etc/nginx/tls.conf;
ssl_session_cache shared:SSLMAIL:50m;
{% endif %}
# Default SMTP server for the webmail (no encryption, but authentication)
server {
listen 10025;
protocol smtp;
smtp_auth plain;
}
# Default IMAP server for the webmail (no encryption, but authentication)
server {
listen 10143;
protocol imap;
smtp_auth plain;
}
# SMTP is always enabled, to avoid losing emails when TLS is failing
server {
listen 25;
listen [::]:25;
{% if TLS and not TLS_ERROR %}
starttls on;
{% endif %}
protocol smtp;
smtp_auth none;
}
# All other protocols are disabled if TLS is failing
{% if not TLS_ERROR %}
server {
listen 143;
listen [::]:143;
{% if TLS %}
starttls only;
{% endif %}
protocol imap;
imap_auth plain;
}
server {
listen 587;
listen [::]:587;
{% if TLS %}
starttls only;
{% endif %}
protocol smtp;
smtp_auth plain;
}
{% if TLS %}
server {
listen 465 ssl;
listen [::]:465 ssl;
protocol smtp;
smtp_auth plain;
}
server {
listen 993 ssl;
listen [::]:993 ssl;
protocol imap;
imap_auth plain;
}
{% endif %}
{% endif %}
}

7
core/nginx/conf/tls.conf Normal file
View File

@@ -0,0 +1,7 @@
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_certificate {{ TLS[0] }};
ssl_certificate_key {{ TLS[1] }};

24
core/nginx/config.py Executable file
View File

@@ -0,0 +1,24 @@
#!/usr/bin/python
import jinja2
import os
convert = lambda src, dst, args: open(dst, "w").write(jinja2.Template(open(src).read()).render(**args))
args = os.environ.copy()
args["TLS"] = {
"cert": ("/certs/cert.pem", "/certs/key.pem"),
"letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
"/certs/letsencrypt/live/mailu/privkey.pem"),
"notls": None
}[args["TLS_FLAVOR"]]
if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"]):
print("Missing cert or key file, disabling TLS")
args["TLS_ERROR"] = "yes"
convert("/conf/tls.conf", "/etc/nginx/tls.conf", args)
convert("/conf/nginx.conf", "/etc/nginx/nginx.conf", args)
os.system("nginx -s reload")

29
core/nginx/letsencrypt.py Executable file
View File

@@ -0,0 +1,29 @@
#!/usr/bin/python
import os
import time
import subprocess
command = [
"certbot",
"-n", "--agree-tos", # non-interactive
"-d", os.environ["HOSTNAMES"],
"-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
"certonly", "--standalone",
"--cert-name", "mailu",
"--preferred-challenges", "http", "--http-01-port", "8000",
"--keep-until-expiring",
"--rsa-key-size", "4096",
"--config-dir", "/certs/letsencrypt",
"--post-hook", "/config.py"
]
# Wait for nginx to start
time.sleep(5)
# Run certbot every hour
while True:
subprocess.call(command)
time.sleep(3600)

15
core/nginx/start.py Executable file
View File

@@ -0,0 +1,15 @@
#!/usr/bin/python
import os
import subprocess
# Actual startup script
if not os.path.exists("/certs/dhparam.pem") and os.environ["TLS_FLAVOR"] != "notls":
os.system("openssl dhparam -out /certs/dhparam.pem 4096")
if os.environ["TLS_FLAVOR"] == "letsencrypt":
subprocess.Popen(["/letsencrypt.py"])
subprocess.call(["/config.py"])
os.execv("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"])