jack/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/roles/tools/templates/docker-compose.yml.j2
jack 644b5b74c1
Some checks failed
CI/CD / syntax-check (push) Successful in 1m35s
Details
CI/CD / deploy (push) Failing after 17m28s
Details
feat: add SnappyMail webmail and docker-mailserver with full send/receive 
- Add docker-mailserver (Postfix+Dovecot) with SSL via certbot+Cloudflare DNS-01
- Add SnappyMail webmail client at webmail.csrx.ru (port 8888)
- Open UFW ports 25/465/587/993 on tools server
- Create mail accounts: noreply@, admin@, jack@csrx.ru
- Generate DKIM key and print DNS instructions on first run
- Add Traefik route on main server proxying webmail → tools:8888
- Add all secrets to vault (mailserver passwords, snappymail admin)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 17:21:25 +07:00

199 lines
6 KiB
Django/Jinja
Raw Blame History

# Tools stack — generated by Ansible
# Do not edit manually; re-run ansible-playbook playbooks/tools.yml
networks:
# front — non-internal: needed for Docker port binding to work (expose ports to host)
# Docker does not create DNAT rules for containers only on internal networks
front:
driver: bridge
outline-internal:
driver: bridge
internal: true
n8n-internal:
driver: bridge
internal: true
mail-internal:
driver: bridge
internal: true
webmail-internal:
driver: bridge
internal: true
volumes:
outline_db_data:
outline_redis_data:
n8n_data:
services:
# ── Outline wiki ────────────────────────────────────────────────────────────
outline:
image: {{ outline_image }}
container_name: outline
restart: unless-stopped
env_file: .env
networks:
- outline-internal
- mail-internal # send mail via mailserver
- front # needed for host port binding
ports:
# Exposed only to main Traefik (access controlled by UFW)
- "{{ ip_tools }}:3000:3000"
depends_on:
outline-db:
condition: service_healthy
outline-redis:
condition: service_healthy
healthcheck:
test: ["CMD", "wget", "-qO-", "http://127.0.0.1:3000/_health"]
interval: 30s
timeout: 5s
retries: 3
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
outline-db:
image: {{ outline_db_image }}
container_name: outline-db
restart: unless-stopped
environment:
POSTGRES_DB: outline
POSTGRES_USER: outline
POSTGRES_PASSWORD: ${OUTLINE_DB_PASSWORD}
networks:
- outline-internal
volumes:
- outline_db_data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U outline"]
interval: 10s
timeout: 5s
retries: 5
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
outline-redis:
image: {{ outline_redis_image }}
container_name: outline-redis
restart: unless-stopped
networks:
- outline-internal
volumes:
- outline_redis_data:/data
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 10s
timeout: 5s
retries: 5
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
# ── n8n workflow automation ──────────────────────────────────────────────────
n8n:
image: {{ n8n_image }}
container_name: n8n
restart: unless-stopped
networks:
- n8n-internal
- front # needed for host port binding
ports:
# Exposed only to main Traefik (access controlled by UFW)
- "{{ ip_tools }}:5678:5678"
volumes:
- n8n_data:/home/node/.n8n
environment:
- N8N_HOST={{ domain_n8n }}
- N8N_PORT=5678
- N8N_PROTOCOL=https
- WEBHOOK_URL=https://{{ domain_n8n }}/
- N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}
- N8N_USER_MANAGEMENT_JWT_SECRET=${N8N_JWT_SECRET}
- GENERIC_TIMEZONE=Europe/Moscow
- TZ=Europe/Moscow
- N8N_METRICS=false
- N8N_LOG_LEVEL=warn
- EXECUTIONS_DATA_PRUNE=true
- EXECUTIONS_DATA_MAX_AGE=336
healthcheck:
test: ["CMD", "wget", "-qO-", "http://127.0.0.1:5678/healthz"]
interval: 30s
timeout: 5s
retries: 3
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
# ── Mail server (Postfix + Dovecot — send & receive for @csrx.ru) ───────────
mailserver:
image: {{ mailserver_image }}
container_name: mailserver
hostname: mail
domainname: {{ domain_base }}
restart: unless-stopped
networks:
- mail-internal # Outline → mailserver (internal, port 25, no auth)
- front # inbound/outbound internet SMTP
ports:
- "{{ ip_tools }}:25:25" # SMTP inbound (MX delivery from internet)
- "{{ ip_tools }}:587:587" # SMTP submission (mail clients)
- "{{ ip_tools }}:993:993" # IMAPS (mail clients)
- "{{ ip_tools }}:465:465" # SMTPS (mail clients, alternative)
environment:
- ENABLE_RSPAMD=1 # spam filter for inbound mail
- ENABLE_CLAMAV=0 # no antivirus (saves RAM)
- ENABLE_FAIL2BAN=0 # host fail2ban already handles this
- POSTFIX_INET_PROTOCOLS=ipv4
- SSL_TYPE=letsencrypt # TLS via certbot cert at /etc/letsencrypt
- LOG_LEVEL=warn
- OVERRIDE_HOSTNAME=mail.{{ domain_base }}
- POSTMASTER_ADDRESS=admin@{{ domain_base }}
volumes:
- {{ tools_root }}/mailserver/mail-data:/var/mail
- {{ tools_root }}/mailserver/mail-state:/var/mail-state
- {{ tools_root }}/mailserver/mail-logs:/var/log/mail
- {{ tools_root }}/mailserver/config:/tmp/docker-mailserver
- /etc/letsencrypt:/etc/letsencrypt:ro # TLS certs from certbot
stop_grace_period: 1m
cap_add:
- NET_ADMIN
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
# ── SnappyMail webmail ───────────────────────────────────────────────────────
snappymail:
image: {{ snappymail_image }}
container_name: snappymail
restart: unless-stopped
networks:
- webmail-internal
- front
ports:
- "{{ ip_tools }}:8888:8888"
volumes:
- {{ tools_root }}/snappymail/data:/var/lib/snappymail
environment:
- SNAPPYMAIL_ADMIN_PASSWORD={{ snappymail_admin_password }}
healthcheck:
test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8888"]
interval: 30s
timeout: 5s
retries: 3
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
Reference in a new issue View git blame Copy permalink