In between commit, updated matrix and optimized mailu

2025-08-26 21:45:20 +02:00 · 2025-08-20 17:48:59 +02:00 · 2025-08-20 17:48:59 +02:00 · 7a6e273ea4
commit 7a6e273ea4
parent 384beae7c1
14 changed files with 77 additions and 14 deletions
--- a/group_vars/all/02_email.yml
+++ b/group_vars/all/02_email.yml
@ -5,4 +5,4 @@ DEFAULT_SYSTEM_EMAIL:
  PORT:      465
  TLS:       true   # true for TLS and false for SSL
  START_TLS: false
-  SMTP:      true  
+  SMTP:      true
--- a/roles/docker-compose/handlers/main.yml
+++ b/roles/docker-compose/handlers/main.yml
@ -10,6 +10,7 @@
    - docker compose up
    - docker compose restart
    - docker compose just up
+  when: MODE_ASSERT | bool

 - name: docker compose pull
  shell: |
--- a/roles/sys-svc-docker/tasks/03_cleanup.yml
+++ b/roles/sys-svc-docker/tasks/03_cleanup.yml
@ -4,4 +4,4 @@

 - name: Prune Docker resources
  become: true
-  ansible.builtin.command: docker system prune -f
+  ansible.builtin.command: docker system prune -f
--- a/roles/web-app-mailu/tasks/01_core.yml
+++ b/roles/web-app-mailu/tasks/01_core.yml
@ -8,6 +8,21 @@
    success_msg: "MAILU_HOSTNAMES is valid."
  when: MODE_ASSERT | bool

+- name: "load variables from {{ DOCKER_VARS_FILE }}"
+  include_vars: "{{ DOCKER_VARS_FILE }}"
+
+- name: Ensure Rspamd overrides directory exists (host)
+  file:
+    path: "{{ MAILU_RSPAMD_HOST_DIR }}"
+    state: directory
+    mode: "0755"
+
+- name: Render ratelimit.conf
+  template:
+    src: ratelimit.conf.j2
+    dest: "{{ MAILU_RSPAMD_HOST_FILE }}"
+    mode: "0644"
+
 - name: "Mailu Docker and Webserver Setup"
  block:
  - name: "load docker, db and proxy for {{ application_id }}"
--- a/roles/web-app-mailu/templates/docker-compose.yml.j2
+++ b/roles/web-app-mailu/templates/docker-compose.yml.j2
@ -97,7 +97,7 @@
    volumes:
      - "filter:/var/lib/rspamd"
      - "dkim:/dkim"
-      - "{{ docker_compose.directories.volumes }}overrides/rspamd:/overrides:ro"
+      - "{{ MAILU_RSPAMD_HOST_DIR }}:/overrides:ro"
    depends_on:
      - front
      - redis
--- a/roles/web-app-mailu/templates/ratelimit.conf.j2
+++ b/roles/web-app-mailu/templates/ratelimit.conf.j2
@ -0,0 +1,24 @@
+# AUTOGENERATED by Ansible – Rspamd ratelimits
+# Mount path in container: /overrides/ratelimit.conf  (read-only)
+
+rates {
+  {# Optional global defaults for authenticated SMTP senders #}
+  authenticated = {
+    bucket = [{
+      burst = {{ MAILU_RSPAMD_LIMITS_DEFAULTS.BURST | int }};
+      rate  = "{{ MAILU_RSPAMD_LIMITS_DEFAULTS.RATE }}";
+    }];
+  }
+
+  {# Per-user limits: require both .limits.rate and .limits.burst #}
+  {% for uname, u in users.items() %}
+    {% if (u.limits.rate | default(false) and u.limits.burst | default(false)) %}
+  "user={{ u.email }}" = {
+    bucket = [{
+      burst = {{ u.limits.burst | int }};
+      rate  = "{{ u.limits.rate }}";
+    }];
+  };
+    {% endif %}
+  {% endfor %}
+}
--- a/roles/web-app-mailu/vars/main.yml
+++ b/roles/web-app-mailu/vars/main.yml
@ -58,3 +58,10 @@ MAILU_DMARC_RUF:                      "{{ applications | get_app_conf(applicatio

 MAILU_DKIM_KEY_FILE:                  "{{ MAILU_DOMAIN }}.dkim.key"
 MAILU_DKIM_KEY_PATH:                  "/dkim/{{ MAILU_DKIM_KEY_FILE }}"
+
+## Rspamd
+MAILU_RSPAMD_HOST_DIR:                "{{ [ docker_compose.directories.volumes, 'overrides/rspamd' ] | path_join }}"
+MAILU_RSPAMD_HOST_FILE:               "{{ [ MAILU_RSPAMD_HOST_DIR,'ratelimit.conf' ] | path_join }}"
+MAILU_RSPAMD_LIMITS_DEFAULTS:
+  RATE:   "30 / 1min"
+  BURST:  50        
--- a/roles/web-app-matrix/templates/element.config.json.j2
+++ b/roles/web-app-matrix/templates/element.config.json.j2
@ -5,9 +5,10 @@
            "server_name": "{{ MATRIX_SYNAPSE_DOMAIN }}"
        },
        "m.identity_server": {
-            "base_url": "{{ WEB_PROTOCOL }}://{{ PRIMARY_DOMAIN }}"
+            "base_url": "{{ MATRIX_BASE_URL }}"
        }
    },
+    "logout_redirect_url": "{{ OIDC.CLIENT.LOGOUT_URL if MATRIX_OIDC_ENABLED else MATRIX_BASE_URL }}",
    "brand": "Element",
    "integrations_ui_url": "https://scalar.vector.im/",
    "integrations_rest_url": "https://scalar.vector.im/api",
--- a/roles/web-app-matrix/templates/nginx.conf.j2
+++ b/roles/web-app-matrix/templates/nginx.conf.j2
@ -3,8 +3,8 @@ server {
    {% include 'roles/srv-letsencrypt/templates/ssl_header.j2' %}
    
    # For the federation port
-    listen {{ FEDERATION_PORT }} ssl default_server;
-    listen [::]:{{ FEDERATION_PORT }} ssl default_server;
+    listen {{ MATRIX_FEDERATION_PORT }} ssl default_server;
+    listen [::]:{{ MATRIX_FEDERATION_PORT }} ssl default_server;

    {% include 'roles/sys-srv-web-inj-compose/templates/server.conf.j2'%}

--- a/roles/web-app-matrix/vars/main.yml
+++ b/roles/web-app-matrix/vars/main.yml
@ -17,7 +17,9 @@ MATRIX_WELL_KNOWN_FILE:               "{{ MATRIX_WELL_KNOWN_DIRECTORY }}server"
 MATRIX_PROJECT:                       "{{ application_id | get_entity_name }}"
 MATRIX_REGISTRATION_FILE_FOLDER:      "/data/"
 MATRIX_REGISTRATION_SHARED_SECRET:    "{{ applications | get_app_conf(application_id, 'credentials.registration_shared_secret') }}"
-FEDERATION_PORT:                      "{{ ports.public.federation['web-app-matrix_synapse'] }}"
+MATRIX_FEDERATION_PORT:               "{{ ports.public.federation['web-app-matrix_synapse'] }}"
+MATRIX_OIDC_ENABLED:                  "{{ applications | get_app_conf(application_id, 'features.oidc', False) }}"
+MATRIX_BASE_URL:                      "{{ WEB_PROTOCOL }}://{{ PRIMARY_DOMAIN }}"

 ## Synapse
 MATRIX_SYNAPSE_VERSION:               "{{ applications | get_app_conf(application_id, 'docker.services.synapse.version') }}"
@ -38,4 +40,4 @@ MATRIX_ELEMENT_IMAGE:                 "{{ applications | get_app_conf(applicatio
 MATRIX_ELEMENT_NAME:                  "{{ applications | get_app_conf(application_id, 'docker.services.element.name') }}"
 MATRIX_ELEMENT_DOMAIN:                "{{ domains[application_id].element }}"
 MATRIX_ELEMENT_PORT:                  "{{ ports.localhost.http['web-app-matrix_element'] }}"
-MATRIX_ELEMENT_CONFIG_PATH_HOST:      "{{ docker_compose.directories.config }}element-config.json"
+MATRIX_ELEMENT_CONFIG_PATH_HOST:      "{{ docker_compose.directories.config }}element-config.json"
--- a/roles/web-app-nextcloud/templates/nginx/host.conf.j2
+++ b/roles/web-app-nextcloud/templates/nginx/host.conf.j2
@ -1,5 +1,3 @@
-{# This is the nginx configuration file for the proxy server #}
-
 server
 {
  server_name {{ domain }};
--- a/roles/web-app-nextcloud/users/main.yml
+++ b/roles/web-app-nextcloud/users/main.yml
@ -1,7 +1,17 @@
 users:      
  administrator:
-    username:               "administrator"
+    username:     "administrator"
  no-reply:
-    username:               "no-reply"
+    username:     "no-reply"
    roles:
-      - mail-bot
+      - mail-bot
+    limits:
+      rate:  "60 / 1min"
+      burst: 3600
+  test12345:
+    username:     "treset12345"
+    roles:
+      - mail-bot
+    limits:
+      rate:  "60 / 1min"
+      burst: 3600
--- a/roles/web-app-syncope/templates/proxy.conf
+++ b/roles/web-app-syncope/templates/proxy.conf
@ -1,6 +1,8 @@
 server
 {
  server_name {{ domain }};
+  {# Include buffers for OIDC #}
+  {% include 'roles/srv-proxy-core/templates/headers/buffers.conf.j2' %}

  {% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
    {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
--- a/templates/roles/web-app/users/main.yml
+++ b/templates/roles/web-app/users/main.yml
@ -4,4 +4,7 @@ users:
    username: demo
    email: "demo@{{ PRIMARY_DOMAIN }}"
    roles: []
-    description: Demo User
+    description: Demo User
+    limits:
+      rate:  "60 / 1min"   # token fill rate (N per window)
+      burst: 3600          # max immediate tokens