feat: remove mail stack and Vaultwarden

Removed services:
- docker-mailserver (Postfix + Dovecot)
- SnappyMail webmail
- Vaultwarden password manager

Removed infrastructure:
- certbot + Cloudflare DNS-01 TLS for mx.csrx.ru
- UFW rules for ports 25/587/993/465
- mail-internal and webmail-internal Docker networks
- SMTP config from Outline env
- vault, mail Traefik routes
- All related vault secrets and variables

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

inventory/group_vars/all/main.yml

@@ -3,7 +3,6 @@
 domain_base: "csrx.ru"
 
 # Derived domains
-domain_vault:      "vault.{{ domain_base }}"
 domain_git:        "git.{{ domain_base }}"
 domain_plane:      "plane.{{ domain_base }}"
 domain_traefik:    "traefik.{{ domain_base }}"
@@ -12,8 +11,6 @@ domain_auth:       "auth.{{ domain_base }}"
 domain_status:     "status.{{ domain_base }}"
 domain_wiki:       "wiki.{{ domain_base }}"
 domain_n8n:        "n8n.{{ domain_base }}"
-domain_mail:       "mail.{{ domain_base }}"    # SnappyMail webmail (HTTPS via Traefik)
-domain_mx:         "mx.{{ domain_base }}"      # docker-mailserver FQDN (SMTP/IMAP direct)
 
 # Service paths
 services_root: /opt/services
@@ -22,7 +19,6 @@ deploy_group: deploy
 
 # Secrets (from vault)
 acme_email:                       "{{ vault_acme_email }}"
-vaultwarden_admin_token:          "{{ vault_vaultwarden_admin_token }}"
 forgejo_db_password:              "{{ vault_forgejo_db_password }}"
 plane_db_password:                "{{ vault_plane_db_password }}"
 plane_secret_key:                 "{{ vault_plane_secret_key }}"
@@ -46,10 +42,6 @@ outline_utils_secret:             "{{ vault_outline_utils_secret }}"
 outline_db_password:              "{{ vault_outline_db_password }}"
 n8n_encryption_key:               "{{ vault_n8n_encryption_key }}"
 n8n_jwt_secret:                   "{{ vault_n8n_jwt_secret }}"
-mailserver_noreply_password:      "{{ vault_mailserver_noreply_password }}"
-snappymail_admin_password:        "{{ vault_snappymail_admin_password }}"
-mailserver_admin_password:        "{{ vault_mailserver_admin_password }}"
-mailserver_jack_password:         "{{ vault_mailserver_jack_password }}"
 
 # Server IPs (used for cross-server Traefik routing)
 ip_main:  "87.249.49.32"

inventory/group_vars/all/vault.yml

@@ -1,122 +1,106 @@
 $ANSIBLE_VAULT;1.1;AES256
-38623734633034386664333334383830336637343861383134323961363536333136346436363838
+62303439636364323266353466656530343431326238393630386234356163306338393062373837
-3836343032363036633735316362646165623030613161320a663961653037633132376166303635
+6631373736376131373162333431396461656139623566370a653734356261613164383139336335
-30653738383130393738383931323535633631303434343233663463346635376561313662336664
+36333863613661306239326634373162666361366630633265613266366562323337666537306363
-6434633432643536330a336635616262306632616332616361313738383239316135393735643063
+6465643139336636650a343230653364343262656436393563656466386530616130643764623832
-39336634306164363632373066313866366462653536313537396539363235626339303334353031
+33346463373263373135356365633063666631316563643132316262383637643833393230313565
-65663866626361383663343834333466376339383463366235343166323361366131643534383665
+31356431623762336438373839393938663864313262383230316630633566303638616634316136
-64663038316634376161633161366663376232636535356239333733303933396561373235363863
+36313135663963333139613036366264643130663332393163303664633636623765623536633562
-35366335313066343835663362313434363438313137643766323835393531306536346163313933
+35323737376661373835626134633035373830353637353964613061323463333739353933316336
-31343930316637623830623666633164343765663434396365366134306439336164333466316133
+33383934383235376563333239373833343462376133336439653736313561303866636166653439
-33346364613731623633346136313033333461623762313930323565313633346633396330646565
+31333366326236316266363966623332323535666439633232386634646362653433646563313265
-33386264663561666330356662366430383532316639373536356166383365343035623564623832
+64376662316537326133326236396137643635656564346466646334393535633464306633346462
-37353565303732316665363862363266343836393839663836666434333237326530613936376231
+39363931383066303766626165323561363562386363666134623662386465643237343738656439
-33613439633265626166383162646530653339313530353136643338666633393036663665663539
+36656363396464316235636339653966313563616166376239346431323433383462623462383737
-30333932343464636231323231353235623264316536386233353563623235373932316236356563
+30353464393365396138613638336464373862353730623836336365393932396165353339636139
-65653533383064646130366236303064396662623664326662353737623437653730363463646139
+61356365653966616430643261663864356466646136373236303764616531303061336162626435
-32333861663339343361383234383332623737626233323666343730626663363738333932643334
+36323732383736623239343835353265303165373865643966383234666334653231396437396433
-64353365643334323735623937396664393561333434663139363739613532386265656366316136
+36326536343135636135643135646538356465663861303564396330306536656162383032346233
-33303232663939353566376163366131393066646233333035396135653861643566633032656264
+62333037316439626638373564363033313632333330323939353863396539353534663931386166
-65353338373661663466613263343866643664353063656333346363373065303263373863326163
+66623762623330613530323136336630306538666663336134636439303433313430316137393163
-31386565396364353634636231306166393862326364373463393930373036373531323830346163
+61613630393637333762373163376663646561313064353932633263316634656361386432663865
-34333262333734356436313032356337356336343138643463343635643234653639346337336138
+39333131323837383065663038383362393239306463346338393634326663623538353037373866
-30333764333466356230626462353463316636636330383333646530623039316330313336656266
+65393736653432393463653339353166343233633635383437356233656634323637376632666362
-38366338346562613864663961633439656234313662663661303665303466393863623164346464
+35303265623538356464383736396165346234666663356334656436356431343162353337343465
-36333136303430313034653365343437343166643263356635636433613361663462396233336163
+66323230316636303432343664343236376535646564313434306564666434616663383233323839
-64316530633063666465396331393030313666333265626634313635613335383037363366353638
+34356635633030653865386264383836646165366238393330613231373939653565663265313165
-36366132356661316362643533336366326437326561393464366533656134633366643433653061
+31653638343631366562643731666262343532376464316164643262386166663132356330336464
-38343839643935376430323563373733623334323562653666356333613130336537643864393737
+35663064663532653738653065333864363434643764653466373138626630376330643064323334
-33353839313438306164666238313131353166316632623633326261393961613333336331643831
+37353033383861333230636565383831353332396239353765666630306664313061326135313732
-33356636626161613263366261653262633661613766323835366562333062343462623439663462
+37363066393763363939613466333839626563363264383430663238346463663235363732366332
-64306238386264626364303963376164626531356436353731383965306365386431356166336238
+32646639393036616239663237303430356563656563376133326565313761626331323139646430
-61323235373033323433306161663832366330646339303235386133323630363064383930336233
+33333832376638653334666531623634393331623663376134653437303438396437666134303635
-30636338656439376138363238323965653734336538363761633033626464313535653262363638
+62653165306436343732336437333837383562373263653764363931313163356439666664616430
-39663763623637636635396430623539666162373439643832303766323061383133343865366466
+61303733633135623564626230623932366633396538343636323530663636643738393032366663
-61653133343061366334343933623330313764666639313931636662383161613432366239613238
+35626134376535623934323565356465363835316466353937646163393966653966376137323535
-30373034343864383630316233616434646131643337303132313362323935313333323534343032
+65396330616333316231626162643462393662343063336639396166613834343030393435313338
-32666633616237353161363265376232346663343937393965343665396338613932363864303366
+38323332366235363733366637633635336666363831376339303466396234316462346539656639
-33613062383531666437306436636364636535323631626163636437396165313663366432343938
+39303836343638373365663539353239616638636639323738373930326237613033656162353133
-36306332353739636439343130353464646432313761326231643962616166366536656139643963
+36316330353437616332336262643935396637653736363038306137303632653634343562313238
-36623134663364376237323639643930393664313866393338316135306666653733663930333266
+39616137666639633838666262326239323365643033666234633865626136373165363838343761
-33396662396339623839643936626465666665396137623731333265363931343137643237623435
+36653438333336613236613061316137333665386536663566623139313232383033303633333661
-39623132613435346231373632333135303666336533303363393530306533666566633565326466
+64633933303236363335383038346531663230396231653563386465323537613064393064353035
-35356362646335323861343634386531633035393730646463623337333435663365616163333863
+65396262636437336238366331316136386639333637663764613362306137366362363139316265
-37666132356463613064326438316132613564383234363134313739356134323236633636633237
+66353938353237303737343263336262656234663034653432613137326232303163656431323263
-39343236663039383230336463316663363564383638343736613665343238613736646234663366
+31613536643062343635623962653363343031666438636637333030323033303637383239353930
-35613364643164626364643034323766666266313561386539336437646337353730343363383434
+64353633373033646330343531356132636663336231363733356334633030656539616561373130
-61346361613637656336346131363830366539653264376330356661363464316139303963663833
+66373338386430613235323733643539653364343438343037366133316635663461353537396361
-63613632623934313366333965356630646237376636383138393731363564356131333838336538
+36663664663631303762616166303432643633356635306563393237663435393565653164613763
-36666362336239633665613734323536393630653433643337666166306230623161666366356336
+38663839323538623034323333393038633833303730333865643036663331383838373532316162
-32326161313432646465393365396265363634633633343065623762653438353139313839396163
+30343531666665373231653737386662633537663733386439653534353264616565653562656464
-30633764656636303965616434373235643231633336626133356363386333623339373234646664
+65383230656137316536653437316435353339633734616131643564383632373265303533616262
-66663066333063303465336338623165666164303531303332663964366461643931303863643061
+31346530376166356531663234636265306339356231313765373165643566656231366136323030
-30336461643662393036356536663335643536613335323664326234623834383932653263633733
+66313037336436373035386364613263353635353263383161646139353934326663623466653431
-36303864316361643766353439366230363532616562333062653632623737313931343064366433
+63343764313334613137393764623731633065663835393930336434333931643139336166383138
-36626634323135333764343339313634323734613765343264386632373733326430363137303030
+37393233323464316433636336326233313566303332633731363562633139616638383962366366
-66356637353930353539303062386564346166343237633239653037333561306365316635356131
+34613737636233306162666239396563323537626332643132383938623532323666626437363066
-38613331383131303233646331623035626661313233346561383938323164356536306332623136
+30666236353639633930616264393166356561346134333034336335636231333736346331316233
-38333765323836366535396464616332313665663166663161653330613764306630643665643739
+64333262323230613534646562613930643732323834643530353534613439373937313531623562
-31663866653666333130316136393861666236343935396133636538323938376330346339366162
+33333632623735613436626366373431613132316633363338343335656266636663326133376330
-62663137326339376136343230396462333966396235383331313566386664396137303663353437
+32626535306661623138623065366363616162373166303565613861366261316533373764376266
-35363139666263666232346661643766656362343339396539346631393330346236633163393633
+30383833383133373431316264373335323531303763653636306236396639306539663964623032
-36396165646231343364333662633639353437303634343065656461386563373531343234356131
+30613037633638346339613638353935383763623534306633623037643333306362653365336438
-63653865623039626130633731306439613435353265306262386564373765306539623939666361
+32396432376266346137323731643865636264613832366137393963396137333532393538303165
-38383131323061613362386438633866653131666261333838363134336138613462303939373062
+35343037613338353634656464306131616664323637643035336664363031333166313566316266
-34396532316535666331336330306463643662346339646565303532653364383730383239616237
+35653438313065373666303539396139386332373061373433333035653262613930303834306633
-62333832643038613837316538303931303537326663616564343531326461363536663033303133
+66666132383939636535353565626333616332346261346332373566346331646565653835643065
-31353238656537396234636133616666333364383730653733396631373038313966663631356238
+64336265613137366539613130336435343961663430666239343839633565633939393338373632
-33363636616336636166306234393538633133343535303166343766623136356162333163616135
+34653434646437393862313535643563623730333435333231343630623331343266623832313263
-64386635656438643132623430616435353636313739373634653530386461643136333533396633
+34353265656236326635353432643932373231653732616561663938653137373262376432323635
-34633561333963653036623632326131323664323938343735666138623534303136333165313763
+64643731343730623063313664613139613063616132653232336138363761353833306238663430
-34633565383935643738666335633633353534386166306631613536373830663733363063306138
+37616463363363333231636530653731663263383838383662616534356430356666653731303266
-34373637303438633330393037306665386131633964393137373963623438336232643439333261
+65346437383138666338613133336266393235373266643237386639323838306661373532366537
-35633831376533376333336235326234633231643036363430646364653330313461333534623065
+31343535633235376137346638316363346435663833326165613030336138663439316132663935
-31666131656366663962353230643839646661623165653530653533306563633166653839316633
+35336433366231653963333630643635346439616165396538616637303364663662643735326430
-35356138636134323333323961393961366231353736383463626132643031613165623630346334
+62306431643833323432646239383064636132363731626365636337333333666333366339356433
-32663464613230343839643166663538303734373263663061383031643538633634636632346531
+34336363353866353138663634363936363962646137636163663536333732653965306131636234
-39663464373439663264376162613464346666326137386163306132383763343337653062366162
+31383866623639636566363731343662346364313366613832313032393965613465303433383738
-33333431333133633438636633663133613138633732623833313264313766643131366634303234
+35343161316237613932643466366334663963623332633033303534323365386631633131656464
-65323831643661396330393439306437333438646130326462303964376632306139363661636336
+34636435643366353238633039353930326430336439623661636433663431626463396666343534
-36323738303436386431643332303862356634643464326130386662643833613835633335313635
+39643263353738313238356635303235353162376436313130613733623665613630336461363464
-33643365326138326638343539303437643933643733383930633236663839306636333332316132
+35613832393437653033306234333961343863643961363430316438383834636530343761656434
-65346531663265663439616332663964363639353061666531616164613139303265323137343062
+35623936356430363633386630663736356637343539393864393730616230396662613731313363
-36653332326338633661323463303637393338613534343835323638376231656334333530323034
+63396562623838306435363761323935656237653262623638346163346331343330633262383432
-34663036383261303463353232313431383837313162313061363265343431396337633731343365
+36316433373462343137356136323231666330333135343762646165643135643165336331386431
-64333661333637343564343432353031303538303165383566656537383863643564333336646535
+35396664643138383665366331306133646330633232333830353463353663613533306339343233
-34376533383766363131363664646635386133636263613532383137376233373130303264653231
+66393363363535656232333661346563623832626136353461663065653564343062643538366533
-61326363313365396631346565306166366164653530636434346132666537653637363133313866
+32383930646130643066373032393133646664626465653939343564643631326164333864386461
-34643130346539353736353936656139616230646637396264333839626339653638623839323361
+31323839653737396233646161316235666232613935356336653864636464663430313236613130
-39303639373732616338383930663236333464386638646664306430656333366531623466353866
+38363839626139366235626530616166383231333730356630616336646638666634396366383831
-36306333643336373330333661376333663964363964633364633731363831333536393064313566
+62353564343665393736383432633538366162303632656261383933656239383836306665623464
-37313439386664623832656230376334643535343336663261363230323662306134663961323131
+62303637306534636436386334356233663931633236376162363934636130356364326661663534
-37373630343164323839656237343861363633323865363532666438373936386531313532623938
+66616633646633336661306333343165363662336461393463643162653633353663633731343265
-36326631373635323664353463396438643264613135626463653037303739633762636537653661
+34613361643830376232616233643462336266643534326139653865346536366561393539636335
-64336236383631353766623536383063336636333566643434333237363635656634643437383838
+35663063313463353330653639326335336561663935353539366462306431353531626333633366
-34653166646332336135303732373365636366343236393633326430326339646239656561336136
+39316133323832363231346635623366323939653739393964643862373930613332663963623965
-38626162626236346162373335643964333136386438636234333238306264373663643963613339
+37616365363464666434326266656237623232633531386366633037343739343337636364383833
-33333831353263393739653964313837636161373231663830383538363163393833623837633832
+32613031383561313166643062353036373166633230646331366561383134313063623732333534
-35303061336632373630653634393633623533313561326639343934306231363265316163313137
+63383432393833313961646133656439656234353638336335373761396637613462646131363130
-34633962613165616239333061613332613531326564613963346634356561626639643735623836
+33613833326433643933316531396363313436366238636133633531626363396461313933386664
-63636333356536373239623034613331666230626638373233663937353036633936313333666164
+35363862346235633264386530376337313130376330626631353364363938653538363032633238
-66343933373164653937326635356436306165363761393330353334633765333633383639303133
+37363965353064373764363961343234626166336139303632633964363064373633393937626363
-32646534633762303232383332373932653866663035323666363039386632643062346562373035
+33643336373636613162373761343437626338343765313437323734626538643034636165383437
-31353737383538313036656333623630363234356136343533333539356533623566336430373961
+32636639313334306565343239653037643364396538653434373337336435623464613234633931
-65323738393466633930623334386365656163313836316165656138313936303364623763666266
+31363163323731363834323635643337633161363539626531626562343839323664636265306138
-32383130346139623966303061303765363537303664383433633638643032333031326232633538
+37313936323836386131376261346461343438356534616238386337313133663062316437326231
-34636636643031366335623362323062356534356163326663656530663835636165366430616564
+61613832663732653265633139353431356366363237333436393561623262613836
-37343462663230653830613862373732636636346262353436323037656535343436356133663464
-62316635353064646564626366396565326233376465343264356165323664623834373562323664
-33333636373834346635386331383037623933643036653364383932373637383766393738353762
-36356233383139366431363637376265383639323738643133653764663734666638363537303763
-65356535323365326337626464316138386464373566383866356639613961353130356233306630
-32306633393961336363346561376636346466613161643236353038313665626161383830313839
-35336632646462366235656236303362326262373130623166303833666430653563623764323230
-34616134386339373339386264626435666239363264356631653438323666613765626134353830
-37363930353833336337633861623264653163616565393962323839613063363537653634666439
-32663736333131663166303563376263353333303537346635383361306665653634653631626262
-65663165313036393437343332353937633538363533363165396136383261363234386236393962
-63333664656562623466366134373263366165623739326334386332653861353964343363386163
-33656365363131313535316262366666393936303366636439623032636131343537333438336562
-33336663373331643037306439363533643933313937346432636236633663393166386234333931
-32393166306461323631626561383630363561643830646239656330643837326635663438353665
-66363534356265386664376633363739373231663037643930653766373931333633

roles/services/defaults/main.yml

@@ -5,7 +5,6 @@ services_root: /opt/services
 # IMPORTANT: pin each image to a specific version tag.
 # Check Docker Hub for the latest stable release before updating.
 traefik_image: "traefik:v3.3"                                    # https://hub.docker.com/_/traefik/tags
-vaultwarden_image: "vaultwarden/server:1.32.7"                   # https://hub.docker.com/r/vaultwarden/server/tags
 forgejo_image: "codeberg.org/forgejo/forgejo:9"
 forgejo_db_image: "postgres:16-alpine"
 plane_frontend_image: "makeplane/plane-frontend:stable"          # https://hub.docker.com/r/makeplane/plane-frontend/tags

roles/services/templates/docker-compose.yml.j2

@@ -31,7 +31,6 @@ networks:
     internal: true
 
 volumes:
-  vaultwarden_data:
   forgejo_data:
   forgejo_db_data:
   plane_pgdata:
@@ -80,31 +79,6 @@ services:
       timeout: 5s
       retries: 3
 
-  # ── Vaultwarden ────────────────────────────────────────────────────────────
-  vaultwarden:
-    image: {{ vaultwarden_image }}
-    container_name: vaultwarden
-    restart: unless-stopped
-    security_opt:
-      - no-new-privileges:true
-    networks:
-      - backend
-    volumes:
-      - vaultwarden_data:/data
-    environment:
-      - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
-      - DOMAIN=https://{{ domain_vault }}
-      - SIGNUPS_ALLOWED=false
-      - INVITATIONS_ALLOWED=true
-      - LOG_LEVEL=warn
-      - EXTENDED_LOGGING=true
-      - TZ=UTC
-    healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:80/"]
-      interval: 30s
-      timeout: 5s
-      retries: 3
-
   # ── Forgejo ────────────────────────────────────────────────────────────────
   forgejo:
     image: {{ forgejo_image }}

roles/services/templates/traefik/dynamic/routes.yml.j2

@@ -23,14 +23,6 @@ http:
       service: api@internal
       middlewares: [authelia@docker, rate-limit-strict]
 
-    vaultwarden:
-      rule: "Host(`{{ domain_vault }}`)"
-      entrypoints: [websecure]
-      tls:
-        certresolver: letsencrypt
-      service: vaultwarden
-      middlewares: [rate-limit-default]
-
     forgejo:
       rule: "Host(`{{ domain_git }}`)"
       entrypoints: [websecure]
@@ -114,20 +106,7 @@ http:
       service: n8n
       middlewares: [rate-limit-strict]
 
-    mail:
-      rule: "Host(`{{ domain_mail }}`)"
-      entrypoints: [websecure]
-      tls:
-        certresolver: letsencrypt
-      service: mail
-      middlewares: [rate-limit-default]
-
   services:
-    vaultwarden:
-      loadBalancer:
-        servers:
-          - url: "http://vaultwarden:80"
-
     forgejo:
       loadBalancer:
         servers:
@@ -179,11 +158,6 @@ http:
         servers:
           - url: "http://{{ ip_tools }}:5678"
 
-    mail:
-      loadBalancer:
-        servers:
-          - url: "http://{{ ip_tools }}:8888"
-
   middlewares:
     # ── Security Headers (applied globally via entrypoint) ─────────────────
     security-headers:

roles/tools/defaults/main.yml

@@ -4,5 +4,3 @@ outline_image: "outlinewiki/outline:0.80.2"
 outline_db_image: "postgres:15-alpine"
 outline_redis_image: "redis:7-alpine"
 n8n_image: "n8nio/n8n:1.89.2"              # https://hub.docker.com/r/n8nio/n8n/tags
-mailserver_image: "ghcr.io/docker-mailserver/docker-mailserver:14"  # https://github.com/docker-mailserver/docker-mailserver/releases
-snappymail_image: "djmaze/snappymail:latest"                          # https://hub.docker.com/r/djmaze/snappymail/tags

roles/tools/tasks/main.yml

@@ -7,111 +7,6 @@
     group: "{{ deploy_group }}"
     mode: "0750"
 
-- name: Create mailserver directories
-  ansible.builtin.file:
-    path: "{{ tools_root }}/mailserver/{{ item }}"
-    state: directory
-    owner: root
-    group: root
-    mode: "0755"
-  loop:
-    - mail-data
-    - mail-state
-    - mail-logs
-    - config
-
-- name: Create snappymail data directory
-  ansible.builtin.file:
-    path: "{{ tools_root }}/snappymail/data"
-    state: directory
-    owner: "82"    # www-data uid in Alpine (SnappyMail container user)
-    group: "82"
-    mode: "0755"
-
-# ── TLS certificate for mail.csrx.ru (via certbot + Cloudflare DNS-01) ───────
-- name: Install certbot and Cloudflare DNS plugin
-  ansible.builtin.apt:
-    name:
-      - certbot
-      - python3-certbot-dns-cloudflare
-    state: present
-    update_cache: false
-
-- name: Deploy Cloudflare credentials for certbot
-  ansible.builtin.copy:
-    content: |
-      dns_cloudflare_api_token = {{ cloudflare_dns_api_token }}
-    dest: /etc/letsencrypt/cloudflare.ini
-    mode: "0600"
-    owner: root
-    group: root
-
-- name: Obtain TLS certificate for mx.{{ domain_base }}
-  ansible.builtin.command: >
-    certbot certonly
-    --dns-cloudflare
-    --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
-    --email {{ acme_email }}
-    --agree-tos --no-eff-email
-    -d mx.{{ domain_base }}
-    --non-interactive
-  register: certbot_result
-  changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
-  failed_when:
-    - certbot_result.rc != 0
-    - "'Certificate not yet due for renewal' not in certbot_result.stdout"
-    - "'Certificate not yet due for renewal' not in certbot_result.stderr"
-
-- name: Deploy certbot renewal deploy-hook (reload mailserver after cert renewal)
-  ansible.builtin.copy:
-    dest: /etc/letsencrypt/renewal-hooks/deploy/reload-mailserver.sh
-    mode: "0750"
-    owner: root
-    group: root
-    content: |
-      #!/usr/bin/env bash
-      # Triggered by certbot after successful cert renewal
-      # Reloads Postfix + Dovecot TLS without full restart
-      set -euo pipefail
-      if docker ps --format '{{ '{{' }}.Names{{ '}}' }}' | grep -q '^mailserver$'; then
-        docker exec mailserver supervisorctl restart postfix dovecot
-        echo "[$(date)] mailserver TLS reloaded after cert renewal"
-      fi
-
-- name: Schedule certbot auto-renewal (twice daily, certbot renews only when needed)
-  ansible.builtin.cron:
-    name: "certbot renew"
-    minute: "15"
-    hour: "3,15"
-    job: "certbot renew --quiet --deploy-hooks 2>&1 | logger -t certbot"
-    user: root
-    state: present
-
-# ── Open mail ports in UFW ────────────────────────────────────────────────────
-- name: Allow SMTP inbound (port 25)
-  community.general.ufw:
-    rule: allow
-    port: "25"
-    proto: tcp
-
-- name: Allow SMTP submission (port 587)
-  community.general.ufw:
-    rule: allow
-    port: "587"
-    proto: tcp
-
-- name: Allow IMAPS (port 993)
-  community.general.ufw:
-    rule: allow
-    port: "993"
-    proto: tcp
-
-- name: Allow SMTPS (port 465)
-  community.general.ufw:
-    rule: allow
-    port: "465"
-    proto: tcp
-
 # ── Deploy configs and start stack ────────────────────────────────────────────
 - name: Deploy docker-compose.yml
   ansible.builtin.template:
@@ -138,203 +33,9 @@
     - "{{ outline_db_image }}"
     - "{{ outline_redis_image }}"
     - "{{ n8n_image }}"
-    - "{{ mailserver_image }}"
-    - "{{ snappymail_image }}"
 
 - name: Start tools stack
   community.docker.docker_compose_v2:
     project_src: "{{ tools_root }}"
     state: present
     pull: missing
-
-# ── SnappyMail admin password — write bcrypt hash directly to application.ini ──
-# djmaze/snappymail does not reliably apply SNAPPYMAIL_ADMIN_PASSWORD env var;
-# instead we verify and update the hash in the config file on every deploy.
-- name: Ensure SnappyMail admin password is set correctly
-  ansible.builtin.shell: |
-    python3 << 'PYEOF'
-    import subprocess, re, sys
-
-    config_path = "{{ tools_root }}/snappymail/data/_data_/_default_/configs/application.ini"
-    password = "{{ snappymail_admin_password }}"
-
-    try:
-        with open(config_path) as f:
-            content = f.read()
-    except FileNotFoundError:
-        print("CONFIG_NOT_FOUND")
-        sys.exit(1)
-
-    # Extract current hash (bcrypt hashes start with $2y$)
-    m = re.search(r'^admin_password\s*=\s*"?(\$2y\$[^"\n]+)', content, re.M)
-    current_hash = m.group(1).strip() if m else ""
-
-    if current_hash:
-        r = subprocess.run(
-            ["docker", "exec", "snappymail", "php", "-r",
-             f"echo password_verify('{password}', '{current_hash}') ? 'yes' : 'no';"],
-            capture_output=True, text=True
-        )
-        if r.stdout.strip() == "yes":
-            print("ALREADY_SET")
-            sys.exit(0)
-
-    # Generate a new bcrypt hash using PHP inside the container
-    r = subprocess.run(
-        ["docker", "exec", "snappymail", "php", "-r",
-         f"echo password_hash('{password}', PASSWORD_BCRYPT);"],
-        capture_output=True, text=True
-    )
-    new_hash = r.stdout.strip()
-    if not new_hash.startswith("$2y$"):
-        print(f"HASH_ERROR: {r.stderr}")
-        sys.exit(1)
-
-    new_content = re.sub(
-        r'^admin_password\s*=.*$',
-        f'admin_password = "{new_hash}"',
-        content, flags=re.M
-    )
-    with open(config_path, "w") as f:
-        f.write(new_content)
-    print("UPDATED")
-    PYEOF
-  register: snappymail_pw_result
-  changed_when: "'UPDATED' in snappymail_pw_result.stdout"
-  failed_when: >
-    snappymail_pw_result.rc != 0 or
-    'CONFIG_NOT_FOUND' in snappymail_pw_result.stdout or
-    'HASH_ERROR' in snappymail_pw_result.stdout
-
-- name: Restart SnappyMail after password update
-  ansible.builtin.command: docker restart snappymail
-  when: snappymail_pw_result.changed
-  changed_when: true
-
-# ── SnappyMail domain config for csrx.ru ─────────────────────────────────────
-# Points IMAP/SMTP to the mailserver container (shared `front` Docker network).
-# type: 0=plain, 1=SSL, 2=STARTTLS
-- name: Deploy SnappyMail domain config for {{ domain_base }}
-  ansible.builtin.copy:
-    content: |
-      {
-          "IMAP": {
-              "host": "mailserver",
-              "port": 993,
-              "type": 1,
-              "timeout": 300,
-              "shortLogin": false,
-              "lowerLogin": true,
-              "sasl": ["PLAIN", "LOGIN"],
-              "ssl": {
-                  "verify_peer": false,
-                  "verify_peer_name": false,
-                  "allow_self_signed": true,
-                  "SNI_enabled": true,
-                  "disable_compression": true,
-                  "security_level": 0
-              },
-              "disabled_capabilities": [],
-              "use_expunge_all_on_delete": false,
-              "fast_simple_search": true,
-              "force_select": false,
-              "message_all_headers": false,
-              "message_list_limit": 10000,
-              "search_filter": ""
-          },
-          "SMTP": {
-              "host": "mailserver",
-              "port": 587,
-              "type": 2,
-              "timeout": 60,
-              "shortLogin": false,
-              "lowerLogin": true,
-              "sasl": ["PLAIN", "LOGIN"],
-              "ssl": {
-                  "verify_peer": false,
-                  "verify_peer_name": false,
-                  "allow_self_signed": true,
-                  "SNI_enabled": true,
-                  "disable_compression": true,
-                  "security_level": 0
-              },
-              "useAuth": true,
-              "setSender": true,
-              "usePhpMail": false
-          },
-          "Sieve": {
-              "enabled": false,
-              "host": "mailserver",
-              "port": 4190,
-              "type": 0,
-              "timeout": 10,
-              "shortLogin": false,
-              "lowerLogin": true,
-              "sasl": ["PLAIN"],
-              "ssl": {
-                  "verify_peer": false,
-                  "verify_peer_name": false,
-                  "allow_self_signed": true
-              }
-          },
-          "whiteList": ""
-      }
-    dest: "{{ tools_root }}/snappymail/data/_data_/_default_/domains/{{ domain_base }}.json"
-    owner: "82"
-    group: "82"
-    mode: "0640"
-  register: snappymail_domain_result
-
-- name: Restart SnappyMail after domain config update
-  ansible.builtin.command: docker restart snappymail
-  when: snappymail_domain_result.changed
-  changed_when: true
-
-# ── Mail accounts (idempotent: check host-side config file) ──────────────────
-- name: Wait for mailserver to be ready
-  ansible.builtin.command: docker exec mailserver postfix status
-  register: postfix_status
-  changed_when: false
-  retries: 18
-  delay: 10
-  until: postfix_status.rc == 0
-
-- name: Create mail accounts
-  ansible.builtin.command: >
-    docker exec mailserver setup email add {{ item.address }} {{ item.password }}
-  loop:
-    - { address: "noreply@{{ domain_base }}", password: "{{ mailserver_noreply_password }}" }
-    - { address: "admin@{{ domain_base }}",   password: "{{ mailserver_admin_password }}" }
-    - { address: "jack@{{ domain_base }}",    password: "{{ mailserver_jack_password }}" }
-  register: mail_account_result
-  changed_when: mail_account_result.rc == 0
-  failed_when: >
-    mail_account_result.rc != 0 and
-    'already exists' not in mail_account_result.stderr
-
-# ── DKIM ─────────────────────────────────────────────────────────────────────
-- name: Check if DKIM key exists
-  ansible.builtin.stat:
-    path: "{{ tools_root }}/mailserver/config/opendkim/keys/{{ domain_base }}/mail.private"
-  register: dkim_key
-
-- name: Generate DKIM key
-  ansible.builtin.command: >
-    docker exec mailserver setup config dkim domain {{ domain_base }}
-  when: not dkim_key.stat.exists
-  register: dkim_generated
-
-- name: Read DKIM DNS record
-  ansible.builtin.command: >
-    cat {{ tools_root }}/mailserver/config/opendkim/keys/{{ domain_base }}/mail.txt
-  when: dkim_generated is changed
-  register: dkim_record
-
-- name: Print DKIM DNS instructions
-  ansible.builtin.debug:
-    msg: |
-      ══════════════════════════════════════════════════════════════════
-      DKIM key generated! Add this TXT record to Cloudflare DNS:
-      {{ dkim_record.stdout }}
-      ══════════════════════════════════════════════════════════════════
-  when: dkim_generated is changed

roles/tools/templates/docker-compose.yml.j2

@@ -12,9 +12,6 @@ networks:
   n8n-internal:
     driver: bridge
     internal: true
-  mail-internal:
-    driver: bridge
-    internal: true
 
 volumes:
   outline_db_data:
@@ -31,7 +28,6 @@ services:
     env_file: .env
     networks:
       - outline-internal
-      - mail-internal  # send mail via mailserver
       - front    # needed for host port binding
     ports:
       # Exposed only to main Traefik (access controlled by UFW)
@@ -130,68 +126,3 @@ services:
       options:
         max-size: "10m"
         max-file: "3"
-
-  # ── Mail server (Postfix + Dovecot — send & receive for @csrx.ru) ───────────
-  mailserver:
-    image: {{ mailserver_image }}
-    container_name: mailserver
-    hostname: mx
-    domainname: {{ domain_base }}
-    restart: unless-stopped
-    networks:
-      - mail-internal   # Outline → mailserver (internal, port 587 with auth)
-      - front           # inbound/outbound internet SMTP
-    ports:
-      - "{{ ip_tools }}:25:25"    # SMTP inbound (MX delivery from internet)
-      - "{{ ip_tools }}:587:587"  # SMTP submission (mail clients, STARTTLS)
-      - "{{ ip_tools }}:993:993"  # IMAPS (mail clients, TLS)
-      - "{{ ip_tools }}:465:465"  # SMTPS (mail clients, implicit TLS)
-    environment:
-      - ENABLE_RSPAMD=1          # spam filter + DKIM signing
-      - ENABLE_CLAMAV=0          # no antivirus (saves RAM)
-      - ENABLE_FAIL2BAN=0        # host fail2ban already handles this
-      - POSTFIX_INET_PROTOCOLS=ipv4
-      - SSL_TYPE=letsencrypt     # TLS certs from /etc/letsencrypt/live/mx.csrx.ru/
-      - LOG_LEVEL=warn
-      - OVERRIDE_HOSTNAME=mx.{{ domain_base }}
-      - POSTMASTER_ADDRESS=admin@{{ domain_base }}
-      - POSTFIX_MESSAGE_SIZE_LIMIT=26214400  # 25 MB max message size
-    volumes:
-      - {{ tools_root }}/mailserver/mail-data:/var/mail
-      - {{ tools_root }}/mailserver/mail-state:/var/mail-state
-      - {{ tools_root }}/mailserver/mail-logs:/var/log/mail
-      - {{ tools_root }}/mailserver/config:/tmp/docker-mailserver
-      - /etc/letsencrypt:/etc/letsencrypt:ro   # TLS certs from certbot
-    stop_grace_period: 1m
-    cap_add:
-      - NET_ADMIN
-    logging:
-      driver: json-file
-      options:
-        max-size: "10m"
-        max-file: "3"
-
-  # ── SnappyMail webmail ───────────────────────────────────────────────────────
-  snappymail:
-    image: {{ snappymail_image }}
-    container_name: snappymail
-    restart: unless-stopped
-    networks:
-      - mail-internal   # reach mailserver for IMAP/SMTP
-      - front           # expose port 8888 to host
-    ports:
-      - "{{ ip_tools }}:8888:8888"
-    volumes:
-      - {{ tools_root }}/snappymail/data:/var/lib/snappymail
-    environment:
-      - SNAPPYMAIL_ADMIN_PASSWORD={{ snappymail_admin_password }}
-    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8888"]
-      interval: 30s
-      timeout: 5s
-      retries: 3
-    logging:
-      driver: json-file
-      options:
-        max-size: "10m"
-        max-file: "3"

roles/tools/templates/env.j2

@@ -27,14 +27,6 @@ FILE_STORAGE=s3
 # Auth — local accounts (can add OIDC/Authelia later)
 AUTH_PROVIDERS=email
 
-# SMTP — local docker-mailserver container (same Docker network, port 587 with auth)
-SMTP_HOST=mailserver
-SMTP_PORT=587
-SMTP_USERNAME=noreply@{{ domain_base }}
-SMTP_PASSWORD={{ mailserver_noreply_password }}
-SMTP_FROM_EMAIL=noreply@{{ domain_base }}
-SMTP_SECURE=false
-
 # Outline DB password (used in docker-compose)
 OUTLINE_DB_PASSWORD={{ outline_db_password }}