move mail from rx300 to carlene

groups/locations.py

@@ -22,7 +22,7 @@ groups['gce'] = {
             # It's fine to do this without authentificating to the relayhost.
             # These Systems are not supposed to send mail anywhere else
             # than our own domains.
-            'relayhost': '[rx300.kunbox.net]:2525',
+            'relayhost': '[mail.franzi.business]:2525',
         },
         'sysctl': {
             'options': {
@@ -90,7 +90,7 @@ groups['home'] = {
             # It's fine to do this without authentificating to the relayhost.
             # These Systems are not supposed to send mail anywhere else
             # than our own domains.
-            'relayhost': '[rx300.kunbox.net]:2525',
+            'relayhost': '[mail.franzi.business]:2525',
         },
     },
 }
@@ -102,7 +102,7 @@ groups['ovh'] = {
     'metadata': {
         'location': 'ovh',
         'postfix': {
-            'relayhost': '[rx300.kunbox.net]:2525',
+            'relayhost': '[mail.franzi.business]:2525',
         },
         'users': {
             'debian': {

nodes/carlene.toml

@@ -4,6 +4,8 @@ groups = [
     "webserver",
 ]
 bundles = [
+    "check-mail-received",
+    "dovecot",
     "element-web",
     "forgejo",
     "matrix-media-repo",
@@ -14,10 +16,12 @@ bundles = [
     "netbox",
     "nodejs",
     "ntfy",
-    "redis",
+    "php",
-    "smartd",
+    "postfixadmin",
-    "check-mail-received",
     "postgresql",
+    "redis",
+    "rspamd",
+    "smartd",
     "travelynx",
     "weechat",
     "zfs",
@@ -110,10 +114,13 @@ domain = "netbox.franzi.business"
 version = "v3.5.8"
 admins.kunsi = "hostmaster@kunbox.net"
 
+[metadata.nginx.'security.txt']
+contact = "mailto:security@kunsmann.eu"
+Encryption = "https://franzi.business/gpg_hi-kunsmann.eu.asc"
+
 [metadata.nginx.vhosts.'gaenseblum.eu'.webroot_config]
 owner = "skye"
 
-
 [metadata.ntfy]
 domain = "ntfy.franzi.business"
 ratelimit-exempt-hosts = [
@@ -122,9 +129,71 @@ ratelimit-exempt-hosts = [
     "rx300",
 ]
 
+[metadata.php]
+version = "8.2"
+packages = [
+    'gd',
+    'imagick',
+    'imap',
+    'intl',
+    'mbstring',
+    'opcache',
+    'pgsql',
+    'readline',
+    'xml',
+    'yaml',
+]
+
+[metadata.postfix]
+message_size_limit_mb = 100
+myhostname = "mail.franzi.business"
+mynetworks = ["gce", "ovh"]
+
+[metadata.postfixadmin]
+domain = "postfixadmin.franzi.business"
+setup_password = "!decrypt:encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ=="
+version = "3.3.13"
+
 [metadata.postgresql]
 version = 15
 
+[metadata.rspamd]
+ignore_spam_check_for_ips = [
+    # entropia
+    '45.140.180.32/27', # Entropia e. V.
+    '45.140.180.112/28', # MicroPOC
+    '2a0e:c5c0:0:201::/64', # Entropia e. V.
+    '2a0e:c5c0:0:307::/64', # MicroPOC
+
+    # c3kl
+    '116.202.19.236',
+    '2a01:4f8:1c17:cc52::/64',
+
+    # ccc
+    '212.12.55.65',
+    '212.12.55.67',
+    '2a00:14b0:4200:3000:23:55:0:65',
+
+    # IN-Berlin mailman
+    '130.133.8.35',
+    '192.109.42.28',
+    '192.109.42.122',
+    '193.29.188.9',
+    '217.197.80.23',
+    '217.197.80.134',
+    '2001:bf0:c000:a::2:134',
+
+    # c3voc
+    '185.106.84.32/26',
+    '2001:67c:20a0:e::/64',
+
+    # DENOG
+    '195.20.121.100',
+    '2001:1440:201:101::5',
+]
+password = "!bwpass:bw/rx300/rspamd"
+dkim = "uO4aNejDvVdw8BKne3KJIqAvCQMJ0416"
+
 [metadata.smartd]
 disks = [
     "/dev/nvme0",

nodes/rx300.py

@@ -8,7 +8,6 @@ nodes['rx300'] = {
     'hostname': '31.47.232.106',
     'bundles': {
         'check-mail-received',
-        'dovecot',
         'ipmitool',
         'jenkins-ci',
         'jugendhackt_tools',
@@ -18,11 +17,9 @@ nodes['rx300'] = {
         'nodejs',
         'oidentd',
         'php',
-        'postfixadmin',
         'postgresql',
         'radicale',
         'redis',
-        'rspamd',
         'smartd',
         'unbound',
         'vmhost',
@@ -213,18 +210,6 @@ nodes['rx300'] = {
                         'owner': 'kunsi',
                     },
                 },
-                'postfixadmin': {
-                    'domain': 'postfixadmin.franzi.business',
-                    'ssl': '_.franzi.business',
-                    'webroot': '/opt/postfixadmin/public/',
-                    'php': True,
-                    'locations': {
-                        '/rspamd/': {
-                            'target': 'http://localhost:11334/',
-                            'websockets': True,
-                        },
-                    }
-                },
                 'wiki.franzi.business': {
                     'ssl': '_.franzi.business',
                     'extras': True,
@@ -262,17 +247,6 @@ nodes['rx300'] = {
                 'yaml',
             },
         },
-        'postfix': {
-            'message_size_limit_mb': 75,
-            'mynetworks': {
-                'gce',
-                'ovh',
-            },
-        },
-        'postfixadmin': {
-            'version': '3.3.13',
-            'setup_password': vault.decrypt('encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ=='),
-        },
         'postgresql': {
             'version': '13',
             'max_connections': 500,
@@ -287,43 +261,6 @@ nodes['rx300'] = {
                 'kunsi': bwpass.password('radicale.franzi.business/kunsi'),
             },
         },
-        'rspamd': {
-            'ignore_spam_check_for_ips': {
-                # entropia
-                '45.140.180.32/27', # Entropia e. V.
-                '45.140.180.112/28', # MicroPOC
-                '2a0e:c5c0:0:201::/64', # Entropia e. V.
-                '2a0e:c5c0:0:307::/64', # MicroPOC
-
-                # c3kl
-                '116.202.19.236',
-                '2a01:4f8:1c17:cc52::/64',
-
-                # ccc
-                '212.12.55.65',
-                '212.12.55.67',
-                '2a00:14b0:4200:3000:23:55:0:65',
-
-                # IN-Berlin mailman
-                '130.133.8.35',
-                '192.109.42.28',
-                '192.109.42.122',
-                '193.29.188.9',
-                '217.197.80.23',
-                '217.197.80.134',
-                '2001:bf0:c000:a::2:134',
-
-                # c3voc
-                '185.106.84.32/26',
-                '2001:67c:20a0:e::/64',
-
-                # DENOG
-                '195.20.121.100',
-                '2001:1440:201:101::5',
-            },
-            'password': bwpass.password('bw/rx300/rspamd'),
-            'dkim': 'uO4aNejDvVdw8BKne3KJIqAvCQMJ0416',
-        },
         'smartd': {
             'disks': {
                 '/dev/nvme0',