Multiple misc changes
- Patch out pg_hba.conf rewriting at startup for postgres
- Add redis
- Use host networking for development purposes
- Fix logging for rspamd and dovecot
- Make the SASL socket inet
- Use WORKDIR for nsd
- Remove postgres password entries
parent
d60bd7fb98
commit
bfae593b4d
@ -24,11 +24,15 @@ daemons/nsd/${BUILD_ID_OUT}: daemons/nsd/% : \
|
|||
data/dns/%
|
||||
|
||||
daemons/postgres/${BUILD_ID_OUT}: daemons/postgres/% : \
|
||||
daemons/postgres/disable-hba-patcher.patch \
|
||||
daemons/postgres/pg_hba.conf \
|
||||
daemons/postgres/postgresql.conf \
|
||||
data/ca/% \
|
||||
data/postgres-cert/%
|
||||
|
||||
daemons/redis/${BUILD_ID_OUT}: daemons/redis/% : \
|
||||
daemons/redis/redis.conf
|
||||
|
||||
daemons/murmurd/${BUILD_ID_OUT}: daemons/murmurd/% : \
|
||||
daemons/murmurd/murmur.ini \
|
||||
daemons/murmurd/secrets/mregpass \
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
#!/bin/sh
|
||||
|
||||
. "$(dirname $0)"/common.sh
|
||||
|
||||
podman container create \
|
||||
--pod host \
|
||||
--pull missing \
|
||||
--image-volume tmpfs \
|
||||
--mount type=volume,src=dovecot-data,dst=/var/mail/ \
|
||||
oci-archive:daemons/dovecot/oci-archive.tar:redxen.eu/daemons/dovecot:latest
|
|
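Review bot: The `dovecot-data` volume mounted on `/var/mail/` carries no `nosuid,nodev,noexec` options, unlike the `--volume ...:rw,nodev,noexec,nosuid` form the nsd and postfix create scripts used before this commit; mailbox storage is attacker-supplied content, so those flags are cheap insurance. If the podman release in use accepts them on `type=volume`, use `--mount type=volume,src=dovecot-data,dst=/var/mail/,nosuid,nodev,noexec`; otherwise the `--volume dovecot-data:/var/mail:rw,nodev,noexec,nosuid` form still works.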
@ -0,0 +1,8 @@
|
|||
#!/bin/sh
|
||||
|
||||
. "$(dirname $0)"/common.sh
|
||||
|
||||
podman pod create \
|
||||
--userns=auto \
|
||||
--network=host \
|
||||
host
|
|
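Review bot: `--network=host` removes network-namespace isolation for every container placed in this pod, so any daemon that binds a wildcard address (the redis.conf in this commit binds `0.0.0.0 ::0`, and the new Dovecot auth inet listener sets no `address`) is reachable on every host interface, not just loopback. The commit message calls this a development setup, but nothing in the script says so, and `--userns=auto` is then the only thing separating these processes from the host. Add `# DEV ONLY: host networking exposes every listener on every host interface; daemons must bind loopback` above `podman pod create` so the constraint travels with the script.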
@ -0,0 +1,23 @@
|
|||
#!/bin/sh
|
||||
|
||||
. "$(dirname $0)"/common.sh
|
||||
|
||||
podman network create \
|
||||
--ipv6 \
|
||||
-d macvlan \
|
||||
--ipam-driver host-local \
|
||||
--subnet 172.20.254.192/30 \
|
||||
macvlan-br
|
||||
|
||||
podman pod create \
|
||||
--userns=auto \
|
||||
--dns='2606:4700:4700::1111' \
|
||||
--dns='2606:4700:4700::1001' \
|
||||
--dns='2001:4860:4860::8888' \
|
||||
--dns='2001:4860:4860::8844' \
|
||||
--dns='1.1.1.1' \
|
||||
--dns='1.0.0.1' \
|
||||
--dns='8.8.8.8' \
|
||||
--dns='8.8.4.4' \
|
||||
--network=macvlan-br \
|
||||
macvlan
|
|
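Review bot: `--subnet 172.20.254.192/30` with the `host-local` IPAM driver leaves at most two assignable addresses (.193 and .194), and if one is reserved as the gateway only a single container can join this network before allocation fails; the pod also passes `--ipv6` but no IPv6 subnet, so I cannot tell from here what v6 address, if any, it gets. If anything beyond the nsd container is meant to live here, widen the subnet and set `--gateway` and `--ip-range` explicitly rather than leaving the split to driver defaults.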
@ -3,8 +3,8 @@
|
|||
. "$(dirname $0)"/common.sh
|
||||
|
||||
podman container create \
|
||||
--pod default \
|
||||
--pod macvlan \
|
||||
--pull missing \
|
||||
--image-volume tmpfs \
|
||||
--volume nsd-data:/var/lib/nsd:rw,nodev,noexec,nosuid \
|
||||
--mount type=volume,src=nsd-data,dst=/var/lib/nsd/ \
|
||||
oci-archive:daemons/nsd/oci-archive.tar:redxen.eu/daemons/nsd:latest
|
||||
|
|
|
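Review bot: Replacing `--volume nsd-data:/var/lib/nsd:rw,nodev,noexec,nosuid` with `--mount type=volume,src=nsd-data,dst=/var/lib/nsd/` silently drops the `nodev,noexec,nosuid` hardening on the zone/state volume, which the commit message does not mention. If that was not intended, either keep the `--volume` form or carry the flags over: `--mount type=volume,src=nsd-data,dst=/var/lib/nsd/,nosuid,nodev,noexec` (check that your podman release accepts those options on `type=volume`; older ones only honour them on bind and tmpfs mounts).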
@ -0,0 +1,9 @@
|
|||
#!/bin/sh
|
||||
|
||||
. "$(dirname $0)"/common.sh
|
||||
|
||||
podman container create \
|
||||
--pod host \
|
||||
--pull missing \
|
||||
--image-volume tmpfs \
|
||||
oci-archive:daemons/opendkim/oci-archive.tar:redxen.eu/daemons/opendkim:latest
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
. "$(dirname $0)"/common.sh
|
||||
|
||||
podman pod create \
|
||||
--userns=auto \
|
||||
--network=host \
|
||||
default
|
||||
|
||||
#podman pod create \
|
||||
# --userns=auto \
|
||||
# --dns='2606:4700:4700::1111' \
|
||||
# --dns='2606:4700:4700::1001' \
|
||||
# --dns='2001:4860:4860::8888' \
|
||||
# --dns='2001:4860:4860::8844' \
|
||||
# --dns='1.1.1.1' \
|
||||
# --dns='1.0.0.1' \
|
||||
# --dns='8.8.8.8' \
|
||||
# --dns='8.8.4.4' \
|
||||
# --network=standard:mac="$(randmac)" \
|
||||
# default
|
|
@ -3,8 +3,8 @@
|
|||
. "$(dirname $0)"/common.sh
|
||||
|
||||
podman container create \
|
||||
--pod default \
|
||||
--pod host \
|
||||
--pull missing \
|
||||
--image-volume tmpfs \
|
||||
--volume postfix-data:/var/lib/postfix:rw,nodev,noexec,nosuid \
|
||||
--mount type=volume,src=postfix-data,dst=/var/lib/postfix/ \
|
||||
oci-archive:daemons/postfix/oci-archive.tar:redxen.eu/daemons/postfix:latest
|
||||
|
|
|
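Review bot: The new `--mount type=volume,src=postfix-data,dst=/var/lib/postfix/` line loses the `nodev,noexec,nosuid` flags that `--volume postfix-data:/var/lib/postfix:rw,nodev,noexec,nosuid` applied, and the Postfix spool is exactly the kind of writable, attacker-fed directory that should not be executable. Keep the `--volume` form, or append `,nosuid,nodev,noexec` to the `--mount` spec if the podman version in use supports those options on volume mounts.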
@ -0,0 +1,10 @@
|
|||
#!/bin/sh
|
||||
|
||||
. "$(dirname $0)"/common.sh
|
||||
|
||||
podman container create \
|
||||
--pod host \
|
||||
--pull missing \
|
||||
--image-volume tmpfs \
|
||||
--mount type=volume,src=postgres-data,dst=/var/lib/postgres/ \
|
||||
oci-archive:daemons/postgres/oci-archive.tar:redxen.eu/daemons/postgres:latest
|
|
@ -0,0 +1,10 @@
|
|||
#!/bin/sh
|
||||
|
||||
. "$(dirname $0)"/common.sh
|
||||
|
||||
podman container create \
|
||||
--pod host \
|
||||
--pull missing \
|
||||
--image-volume tmpfs \
|
||||
--mount type=volume,src=redis-data,dst=/var/lib/redis/ \
|
||||
oci-archive:daemons/redis/oci-archive.tar:redxen.eu/daemons/redis:latest
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/sh
|
||||
|
||||
. "$(dirname $0)"/common.sh
|
||||
|
||||
podman container create \
|
||||
--pod host \
|
||||
--pull missing \
|
||||
--image-volume tmpfs \
|
||||
oci-archive:daemons/rspamd/oci-archive.tar:redxen.eu/daemons/rspamd:latest
|
|
@ -26,4 +26,4 @@ ADD dovecot.conf dovecot.conf
|
|||
# Check configuration
|
||||
RUN doveconf -c dovecot.conf -x
|
||||
|
||||
CMD dovecot -c dovecot.conf
|
||||
CMD dovecot -F -c dovecot.conf
|
||||
|
|
|
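Review bot: `CMD dovecot -F -c dovecot.conf` is the shell form, so PID 1 is `/bin/sh -c ...` and `dovecot` is its child; unless the shell happens to exec its last command, SIGTERM from `podman stop` hits the shell, Dovecot never sees it, and the container is killed after the stop timeout instead of shutting down cleanly. Adding `-F` (foreground) is the right move for a container; pair it with the exec form, `CMD ["dovecot", "-F", "-c", "dovecot.conf"]`, so signals reach the daemon directly.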
@ -29,6 +29,9 @@ last_valid_gid = 12
|
|||
lda_mailbox_autocreate = yes
|
||||
imap_capability = +SPECIAL-USE
|
||||
|
||||
# Log to container stderr
|
||||
log_path = /dev/stderr
|
||||
|
||||
# PostgreSQL UserDB
|
||||
userdb {
|
||||
driver = sql
|
||||
|
@ -69,11 +72,14 @@ protocol lmtp {
|
|||
}
|
||||
|
||||
service auth {
|
||||
unix_listener auth {
|
||||
mode = 0660
|
||||
user = dovecot
|
||||
group = mail
|
||||
inet_listener lmtp {
|
||||
port = 11666
|
||||
}
|
||||
# unix_listener auth {
|
||||
# mode = 0660
|
||||
# user = dovecot
|
||||
# group = mail
|
||||
# }
|
||||
user = root
|
||||
}
|
||||
|
||||
|
|
|
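Review bot: The new `inet_listener lmtp { port = 11666 }` inside `service auth` sets no `address`, so Dovecot's auth-client socket listens on every address in `listen` (default `*, ::`), and because this container joins the host-network pod that puts an unauthenticated password-verification oracle on every host interface. Restrict it to loopback, which is all Postfix's `inet:localhost:11666` needs, and name it for what it is: `inet_listener auth {` / `address = 127.0.0.1` / `port = 11666` / `}` — `lmtp` is misleading here, since the real LMTP service is the `protocol lmtp` block named in the hunk header. `service auth` continues outside this hunk; `user = root` is unchanged context, but worth a separate look now that the auth process accepts network input.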
@ -1,4 +1,4 @@
|
|||
connect = host=postgresql.routinginfo.internal port=7550 dbname=mail user=dovecot
|
||||
connect = host=localhost port=5432 dbname=mail user=dovecot
|
||||
driver = pgsql
|
||||
default_pass_scheme = ARGON2I
|
||||
user_query = SELECT '8' AS uid, '12' AS gid FROM users WHERE userid = '%u' AND active = '1'
|
||||
|
|
|
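Review bot: The new `connect` string carries no password and no `sslmode`, so whether anything beyond the `dovecot` username gates access to the `mail` database now rests entirely on pg_hba.conf, which is not in this diff; if that entry is `trust` for 127.0.0.1 (and the superuser-password check was patched out of the Postgres image in this same commit), every process on the host-networked machine can read the users table. If the certificate material the Makefile lists (`data/ca/%`, `data/postgres-cert/%`) is meant to do the authentication, make it mandatory in the string — `connect = host=localhost port=5432 dbname=mail user=dovecot sslmode=verify-full sslrootcert=<ca> sslcert=<cert> sslkey=<key>` — otherwise a comment naming the intended pg_hba method would at least make the assumption visible.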
@ -1,12 +1,12 @@
|
|||
FROM alpine:latest
|
||||
ARG CONFIG=/etc/redxen/nsd/nsd.conf
|
||||
|
||||
RUN --network=host apk add nsd
|
||||
|
||||
ADD nsd.conf $CONFIG
|
||||
WORKDIR /etc/redxen/nsd/
|
||||
|
||||
ADD nsd.conf nsd.conf
|
||||
COPY --from=redxen.eu/data/dns:latest /dns-zones/redxen.eu /etc/redxen/bindzone/redxen.eu
|
||||
|
||||
RUN nsd-checkconf $CONFIG
|
||||
RUN nsd-checkconf nsd.conf
|
||||
|
||||
ENV CONFIG $CONFIG
|
||||
CMD nsd -d -c $CONFIG
|
||||
CMD nsd -d -c nsd.conf
|
||||
|
|
|
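Review bot: `CMD nsd -d -c nsd.conf` keeps the shell form, so `/bin/sh -c` is PID 1 and `nsd` may not receive SIGTERM on `podman stop`; with paths now relative to `WORKDIR` the exec form is straightforward: `CMD ["nsd", "-d", "-c", "nsd.conf"]`. Unrelated to this change but worth a follow-up: `FROM alpine:latest`, an unpinned `apk add nsd` and `COPY --from=redxen.eu/data/dns:latest` mean the image is not reproducible, so consider pinning at least the base tag.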
@ -67,7 +67,7 @@ smtpd_helo_restrictions = reject_invalid_helo_hostname
|
|||
# Dovecot auth
|
||||
smtpd_sasl_auth_enable = yes
|
||||
smtpd_sasl_type = dovecot
|
||||
smtpd_sasl_path = /run/dovecot/auth
|
||||
smtpd_sasl_path = inet:localhost:11666
|
||||
smtpd_sasl_security_options = noanonymous
|
||||
smtpd_sasl_local_domain = $myorigin
|
||||
|
||||
|
|
|
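Review bot: `smtpd_sasl_path = inet:localhost:11666` hands every SMTP AUTH attempt to a TCP service speaking Dovecot's unauthenticated auth-client protocol, so the safety of this line rests on the Dovecot listener being bound to loopback only — nothing in this file can enforce that. Prefer the literal address, `smtpd_sasl_path = inet:127.0.0.1:11666`, so the lookup does not depend on how `localhost` resolves (IPv4 vs `::1`, or a missing /etc/hosts in a chrooted smtpd) and matches whichever single address the Dovecot side is bound to.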
@ -1,6 +1,5 @@
|
|||
hosts = localhost:5432
|
||||
dbname = mail
|
||||
user = postfix
|
||||
password = POSTGRESQL_PASSWORD
|
||||
query = SELECT target FROM aliases WHERE alias = '%u' AND active = '1'
|
||||
domain = redxen.eu
|
||||
|
|
|
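Review bot: Dropping `password = POSTGRESQL_PASSWORD` leaves this map connecting as `postfix` with no credential at all, so access is now whatever pg_hba.conf grants that user from 127.0.0.1; with the pod on host networking, a `trust` entry there would let any local process read the `aliases` table. If client certificates or another pg_hba method is the plan, record it here (`# auth: pg_hba.conf <method> for user postfix; no password by design`) so the next reader does not assume the line was lost by accident; if not, a `password` read from a secret file rather than the baked-in placeholder is the safer replacement.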
@ -1,6 +1,5 @@
|
|||
hosts = localhost:5432
|
||||
dbname = mail
|
||||
user = postfix
|
||||
password = POSTGRESQL_PASSWORD
|
||||
query = SELECT userid FROM users WHERE userid = '%u' AND active = '1'
|
||||
domain = redxen.eu
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
FROM postgres:alpine
|
||||
|
||||
# FUCK YOU I PROVIDE MY OWN HBA EAT FUCKING SHIT
|
||||
RUN apk add patch
|
||||
ADD disable-hba-patcher.patch /tmp/disable-hba-patcher.patch
|
||||
RUN patch -p0 /usr/local/bin/docker-entrypoint.sh /tmp/disable-hba-patcher.patch
|
||||
|
||||
ADD postgresql.conf /etc/postgresql/postgresql.conf
|
||||
ADD pg_hba.conf /etc/postgresql/pg_hba.conf
|
||||
|
||||
|
|
|
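Review bot: Patching `docker_verify_minimum_env` out removes the only guard that refuses to initialise a cluster when `POSTGRES_PASSWORD` is empty, so a first boot without it now creates a superuser with no password and no warning; the `pg_hba.conf` copied to `/etc/postgresql/` only protects against that if `postgresql.conf` points `hba_file` there and the entrypoint's own append to `$PGDATA/pg_hba.conf` is not what the server reads — neither is visible in this diff, so please confirm. The patch also targets `/usr/local/bin/docker-entrypoint.sh` at fixed line offsets while `FROM postgres:alpine` is unpinned; pin the tag (ideally a digest) so an upstream entrypoint change fails loudly instead of applying with fuzz. Finally, replace the profane comment with one that states the intent, e.g. `# Upstream's entrypoint rewrites pg_hba.conf and insists on POSTGRES_PASSWORD at init; we ship our own pg_hba.conf/postgresql.conf, so disable that logic.`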
@ -0,0 +1,69 @@
|
|||
@@ -98,59 +98,6 @@
|
||||
fi
|
||||
}
|
||||
|
||||
-# print large warning if POSTGRES_PASSWORD is long
|
||||
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
|
||||
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
|
||||
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
|
||||
-docker_verify_minimum_env() {
|
||||
- # check password first so we can output the warning before postgres
|
||||
- # messes it up
|
||||
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
|
||||
- cat >&2 <<-'EOWARN'
|
||||
-
|
||||
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
|
||||
-
|
||||
- This will not work if used via PGPASSWORD with "psql".
|
||||
-
|
||||
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
|
||||
- https://github.com/docker-library/postgres/issues/507
|
||||
-
|
||||
- EOWARN
|
||||
- fi
|
||||
- if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
|
||||
- # The - option suppresses leading tabs but *not* spaces. :)
|
||||
- cat >&2 <<-'EOE'
|
||||
- Error: Database is uninitialized and superuser password is not specified.
|
||||
- You must specify POSTGRES_PASSWORD to a non-empty value for the
|
||||
- superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
|
||||
-
|
||||
- You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
|
||||
- connections without a password. This is *not* recommended.
|
||||
-
|
||||
- See PostgreSQL documentation about "trust":
|
||||
- https://www.postgresql.org/docs/current/auth-trust.html
|
||||
- EOE
|
||||
- exit 1
|
||||
- fi
|
||||
- if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
|
||||
- cat >&2 <<-'EOWARN'
|
||||
- ********************************************************************************
|
||||
- WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
|
||||
- anyone with access to the Postgres port to access your database without
|
||||
- a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
|
||||
- documentation about "trust":
|
||||
- https://www.postgresql.org/docs/current/auth-trust.html
|
||||
- In Docker's default configuration, this is effectively any other
|
||||
- container on the same system.
|
||||
-
|
||||
- It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
|
||||
- it with "-e POSTGRES_PASSWORD=password" instead to set a password in
|
||||
- "docker run".
|
||||
- ********************************************************************************
|
||||
- EOWARN
|
||||
- fi
|
||||
-}
|
||||
-
|
||||
# usage: docker_process_init_files [file [file [...]]]
|
||||
# ie: docker_process_init_files /always-initdb.d/*
|
||||
# process initializer files, based on file extensions and permissions
|
||||
@@ -310,8 +257,6 @@
|
||||
|
||||
# only run initialization on an empty data directory
|
||||
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
|
||||
- docker_verify_minimum_env
|
||||
-
|
||||
# check dir permissions to reduce likelihood of half-initialized database
|
||||
ls /docker-entrypoint-initdb.d/ > /dev/null
|
||||
|
|
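Review bot: This patch hard-codes hunk locations (`@@ -98,59 +98,6 @@`, `@@ -310,8 +257,6 @@`) in upstream's `docker-entrypoint.sh` and is applied with plain `patch -p0`, which accepts offset and fuzz, so a future `postgres:alpine` that reworks `docker_verify_minimum_env` could leave the check in place while the build still succeeds. At minimum add a post-condition after the patch step, `RUN ! grep -q docker_verify_minimum_env /usr/local/bin/docker-entrypoint.sh`, so the build fails if the removal did not take. If the entrypoint in the version you use is written to be sourced (upstream's only runs `_main` when executed directly), a wrapper that sources it, redefines `docker_verify_minimum_env() { :; }` and calls `_main "$@"` would avoid the patch entirely.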
@ -0,0 +1,7 @@
|
|||
FROM redis:alpine
|
||||
|
||||
WORKDIR /etc/redxen/redis/
|
||||
|
||||
ADD redis.conf redis.conf
|
||||
|
||||
CMD redis-server redis.conf --daemonize no
|
|
@ -0,0 +1,91 @@
|
|||
bind 0.0.0.0 ::0
|
||||
protected-mode no
|
||||
port 6379
|
||||
tcp-backlog 511
|
||||
timeout 0
|
||||
tcp-keepalive 300
|
||||
|
||||
#tls-port 6379
|
||||
#tls-cert-file /etc/redxen/selfsigned/public.pem
|
||||
#tls-key-file /etc/redxen/selfsigned/private.key
|
||||
#tls-ca-cert-dir /etc/ssl/certs
|
||||
#tls-auth-clients optional
|
||||
#tls-protocols "TLSv1.2 TLSv1.3"
|
||||
|
||||
supervised no
|
||||
|
||||
loglevel notice
|
||||
#syslog-enabled yes
|
||||
#syslog-ident redis
|
||||
#syslog-facility local0
|
||||
|
||||
databases 16
|
||||
always-show-logo no
|
||||
|
||||
save 900 1
|
||||
save 300 10
|
||||
save 60 10000
|
||||
|
||||
stop-writes-on-bgsave-error yes
|
||||
rdbcompression yes
|
||||
rdbchecksum yes
|
||||
dbfilename dump.rdb
|
||||
rdb-del-sync-files no
|
||||
dir /var/lib/redis
|
||||
|
||||
replica-serve-stale-data yes
|
||||
replica-read-only yes
|
||||
repl-diskless-sync no
|
||||
repl-diskless-sync-delay 5
|
||||
repl-diskless-load disabled
|
||||
repl-disable-tcp-nodelay no
|
||||
replica-priority 100
|
||||
|
||||
acllog-max-len 128
|
||||
|
||||
lazyfree-lazy-eviction no
|
||||
lazyfree-lazy-expire no
|
||||
lazyfree-lazy-server-del no
|
||||
replica-lazy-flush no
|
||||
lazyfree-lazy-user-del no
|
||||
|
||||
oom-score-adj no
|
||||
oom-score-adj-values 0 200 800
|
||||
|
||||
appendonly no
|
||||
appendfilename "appendonly.aof"
|
||||
appendfsync everysec
|
||||
# appendfsync no
|
||||
no-appendfsync-on-rewrite no
|
||||
auto-aof-rewrite-percentage 100
|
||||
auto-aof-rewrite-min-size 64mb
|
||||
aof-load-truncated yes
|
||||
aof-use-rdb-preamble yes
|
||||
lua-time-limit 5000
|
||||
|
||||
slowlog-log-slower-than 10000
|
||||
slowlog-max-len 128
|
||||
latency-monitor-threshold 0
|
||||
|
||||
notify-keyspace-events ""
|
||||
hash-max-ziplist-entries 512
|
||||
hash-max-ziplist-value 64
|
||||
list-max-ziplist-size -2
|
||||
list-compress-depth 0
|
||||
set-max-intset-entries 512
|
||||
zset-max-ziplist-entries 128
|
||||
zset-max-ziplist-value 64
|
||||
hll-sparse-max-bytes 3000
|
||||
stream-node-max-bytes 4096
|
||||
stream-node-max-entries 100
|
||||
activerehashing yes
|
||||
|
||||
client-output-buffer-limit normal 0 0 0
|
||||
client-output-buffer-limit replica 256mb 64mb 60
|
||||
client-output-buffer-limit pubsub 32mb 8mb 60
|
||||
|
||||
hz 10
|
||||
dynamic-hz yes
|
||||
aof-rewrite-incremental-fsync yes
|
||||
rdb-save-incremental-fsync yes
|
||||
jemalloc-bg-thread yes
|
|
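Review bot: `bind 0.0.0.0 ::0` together with `protected-mode no`, no `requirepass` or ACL `user` directives, and TLS left commented out makes this an unauthenticated Redis on every interface, and the redis container is created in the host-network pod, so that is every interface of the host. Nothing in this commit shows a consumer that needs a non-loopback address; bind loopback and keep protected mode, `bind 127.0.0.1 ::1` and `protected-mode yes`, and add `requirepass` or an ACL before the bind is ever widened. `supervised no` with `--daemonize no` on the command line is fine for the container.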
@ -1,7 +1,6 @@
|
|||
logging {
|
||||
type = "syslog";
|
||||
facility = "mail";
|
||||
level = "info";
|
||||
type = "console";
|
||||
level = "debug";
|
||||
color = false;
|
||||
log_usec = false;
|
||||
debug_modules = []
|
||||
|
|
|
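Review bot: The `level` goes from `"info"` to `"debug"` alongside the console switch, which the commit message ("Fix logging") does not call for; rspamd's debug level is very verbose and can include per-message detail in the container log, which is both noisy and a data-exposure concern for a mail scanner whose logs may be shipped elsewhere. Keep `type = "console";` and set `level = "info";`, using `debug_modules = [...]` selectively when something actually needs chasing.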
@ -45,7 +45,7 @@ options {
|
|||
words_decay = 600;
|
||||
|
||||
# Local networks
|
||||
local_addrs = [127.0.0.0/8, 10.0.0.0/8];
|
||||
local_addrs = [127.0.0.0/8];
|
||||
hs_cache_dir = "${DBDIR}/";
|
||||
|
||||
# Timeout for messages processing (must be larger than any internal timeout used)
|
||||
|
|
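Review bot: `local_addrs = [127.0.0.0/8];` drops `10.0.0.0/8`, which makes sense on host networking, but it also leaves out the IPv6 loopback; any client that reaches rspamd via `localhost` resolving to `::1` would then be treated as a remote peer and, as far as I can tell, lose the local-network exemptions this setting grants. Unless every caller is pinned to an IPv4 address, use `local_addrs = [127.0.0.0/8, ::1];`.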