Mail Stack Deployment:
- playbooks/deploy_mail_stack.yml: Complete mail server with chasquid + dovecot + firewall
  * Deploys chasquid SMTP server
  * Deploys dovecot IMAP server
  * Includes firewall configuration
  * Email test with swaks
  * Configurable domain, certificates, DKIM
- playbooks/deploy_mail_firewall.yml: Standalone firewall deployment
  * Just the firewall role
  * For servers that only need firewall rules
  * Customizable via variables
Node.js Deployment:
- playbooks/deploy_nodejs_vhosts.yml: Node.js runtime for vhosts
  * Installs Node.js 20.x from NodeSource
  * Configurable version and packages
  * Can install additional global npm packages
  * Supports Yarn installation
Inventory:
- playbooks/inventory.ini: Updated inventory file
  * Mail server and nodejs host groups
  * Example configuration
Scripts:
- scripts/netcheck.sh: Network connectivity check script
All playbooks:
- Use become: yes for privilege escalation
- Include comprehensive variable documentation
- Support customization via vars
- Include security best practices
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Install Node.js 20.x LTS from official NodeSource repository
- Install latest npm and configure with save-exact
- Install Yarn package manager (optional, configurable)
- Idempotent installation with version checking
- Adds npm global bin to system PATH
- Configurable version (LTS, major, or specific version)
- GPG-signed packages from official sources
- Support for custom npm global prefix
- Optional global npm package installation
Features:
- Removes old NodeSource repos before upgrade
- Adds NodeSource GPG key securely via HTTPS
- Creates npm global directory with proper permissions
- Template for /etc/profile.d/npm_global.sh
- Verification output showing installed versions
Variables:
- nodejs_version: "20.x" (default, can be 18.x, 22.x, or specific version)
- install_yarn: true (can be disabled)
- add_npm_to_path: true (adds npm bin to PATH)
- npm_config_prefix: "/usr/local/lib/npm"
- global_npm_packages: [] (optional list of packages)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add dovecot user to mail group for proper permissions
- Install dovecot-core package (alongside dovecot-imapd)
- Maintains existing dovecot configuration via templates
- Idempotent user module for group management
Configuration:
- Existing templates for dovecot.conf, 10-mail.conf, 10-auth.conf, 10-ssl.conf, 10-master.conf
- Service management with systemd
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Install dovecot packages (dovecot-core, dovecot-imapd) alongside chasquid
- Create support user with secure home directory and nologin shell
- Add chasquid user to mail group for proper permissions
- Set cap_net_bind_service capability on chasquid binary
- Disable socket-based activation services (socket, smtp, submission, submission_tls)
- Disable IPv6 system-wide via sysctl
- Add custom systemd service template with security hardening:
  * Standalone mode (Type=simple)
  * CAP_NET_BIND_SERVICE for port binding
  * ProtectSystem, ProtectHome, PrivateTmp, NoNewPrivileges
  * Automatic restart on failure
- Convert systemd service to Jinja2 template for variable support
- Add email test configuration variables (domain, SMTP settings, test recipients)
- Add swaks email test task with variable-based configuration
- Create reboot handler for IPv6 changes
- Add reload systemd daemon handler
Security:
- Binary capabilities instead of running as root
- Comprehensive systemd security features
- NoNewPrivileges to prevent escalation
- Private temporary directory
Testing:
- Automated swaks email sending test
- Display DNS records with DKIM key information
- Configurable email credentials via variables
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
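
A check for the systemd hardening listed in the last commit message, as an added example that is not part of the commits or the project's template. The unit texts are constructed samples. It also checks that CAP_NET_BIND_SERVICE is granted in the unit itself, because file capabilities set with setcap are not honored once NoNewPrivileges is on.

```python
# Added example: unit texts below are constructed, not the project's Jinja2 template.
TRUE = {"yes", "true", "on", "1"}
CAP = "CAP_NET_BIND_SERVICE"

def parse_service(unit_text):
    """Return [Service] settings as {key: [values]}; keys may repeat."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def cap_set(settings, key):
    """Capability lists accumulate; an empty assignment resets the list."""
    caps = set()
    for value in settings.get(key, []):
        caps = caps | set(value.split()) if value else set()
    return caps

def audit(unit_text):
    s = parse_service(unit_text)
    last = lambda key: s.get(key, [""])[-1].lower()
    findings = [f"{k} not enabled" for k in ("NoNewPrivileges", "PrivateTmp")
                if last(k) not in TRUE]
    if last("ProtectSystem") not in TRUE | {"full", "strict"}:
        findings.append("ProtectSystem not enabled")
    if last("ProtectHome") not in TRUE | {"read-only", "tmpfs"}:
        findings.append("ProtectHome not enabled")
    if last("Restart") not in {"on-failure", "always"}:
        findings.append("no automatic restart on failure")
    # NoNewPrivileges makes execve() ignore file capabilities (setcap), so a
    # non-root service must get the capability from the unit itself.
    if (last("NoNewPrivileges") in TRUE and last("User") not in ("", "root")
            and CAP not in cap_set(s, "AmbientCapabilities")):
        findings.append(f"{CAP} missing from AmbientCapabilities")
    # Assumes a plain (non-inverted) CapabilityBoundingSet list.
    if "CapabilityBoundingSet" in s and CAP not in cap_set(s, "CapabilityBoundingSet"):
        findings.append(f"{CAP} excluded by CapabilityBoundingSet")
    return findings

WEAK_UNIT = "[Service]\nType=simple\nUser=chasquid\nNoNewPrivileges=yes\nPrivateTmp=yes\n"
HARDENED_UNIT = WEAK_UNIT + ("ProtectSystem=strict\nProtectHome=yes\nRestart=on-failure\n"
                             f"AmbientCapabilities={CAP}\nCapabilityBoundingSet={CAP}\n")
```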