anonaddy · Flash1232 · Feb 27, 2022
@@ -0,0 +1,3 @@
+MYSQL_DATABASE=anonaddy
+MYSQL_USER=anonaddy
+MYSQL_PASSWORD=anonaddy
@@ -0,0 +1,32 @@
+This is a strongly opinionated AnonAddy Docker + Traefik config template that provides *some* production quality features.
+**Note** that you must further tweak the configuration and then run Docker in Swarm mode to ensure e.g. encrypted network traffic and scaling for *serious* production usage.
+You should also use something like Hashicorp Vault to protect any secrets as Docker secret files are still stored in plain text on the filesystem as well as disable root user access in containers.
+
+## Features
+ - Automatic creation of ACME SSL Wildcard Certificates using DNS Challenge resolver
+ - [Tecnativa's Docker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy) (reduce risk of Docker socket exposure)
+ - Automatic Postfix TLS management using [traefik-certs-dumper](https://github.com/kereis/traefik-certs-dumper)
+   - Auto-dumping of Let's Encrypt certificates to Postfix cert directory
+   - Watch & restart AnonAddy container on certificate renewal
+ - Hardened TLS cipher configuration
+ - [Watchtower](https://github.com/containrrr/watchtower) for automatic AnonAddy container updates upon new release
+ - CrowdSec with Traefik bouncer for SPAM detection and mitigation. Please refer to the  
+   [CrowdSec documentation](https://docs.crowdsec.net/docs/getting_started/install_crowdsec) for initial setup instructions.
+ - Enabled Rspamd and exposed Web UI (also covered by CrowdSec bouncer) at [https://**spam**.example.com](https://spam.example.com)
+
+**Note**: This configuration does not ensure true Zero Downtime re-deploys!
+
+## Usage
+
+Make sure you have followed the steps described [here](https://github.com/anonaddy/docker#generate-dkim-privatepublic-keypair) to generate a DKIM keypair.  
+Use these files for full SMTP(D) TLS/ DKIM/ DMARC/ PGP signing functionalities.  
+
+```bash
+mkdir letsencrypt
+touch letsencrypt/acme.json
+chmod 600 letsencrypt/acme.json
+docker-compose up -d
+docker-compose logs -f
+```
+
+You will also need to create secret files containing the DNS Challenge provider credentials. For more information, please refer to the [Traefik Docs](https://doc.traefik.io/traefik/https/acme/#providers).
@@ -0,0 +1,43 @@
+TZ=Europe/Paris
+PUID=1000
+PGID=1000
+
+MEMORY_LIMIT=256M
+UPLOAD_MAX_SIZE=16M
+OPCACHE_MEM_SIZE=128
+REAL_IP_FROM=0.0.0.0/32
+REAL_IP_HEADER=X-Forwarded-For
+LOG_IP_VAR=http_x_forwarded_for
+#LISTEN_IPV6=false
+
+APP_KEY=
+APP_DEBUG=false
+APP_URL=https://anonaddy.example.com
+
+[email protected]
+ANONADDY_ADMIN_USERNAME=anonaddy
+ANONADDY_ENABLE_REGISTRATION=true
+ANONADDY_DOMAIN=example.com
+ANONADDY_ALL_DOMAINS=example.com
+ANONADDY_HOSTNAME=anonaddy.example.com
+ANONADDY_DNS_RESOLVER=127.0.0.1
+ANONADDY_SECRET=
+ANONADDY_LIMIT=200
+ANONADDY_BANDWIDTH_LIMIT=104857600
+ANONADDY_NEW_ALIAS_LIMIT=10
+ANONADDY_ADDITIONAL_USERNAME_LIMIT=3
+# See [Generate GPG key](https://github.com/anonaddy/docker#generate-gpg-key)
+#ANONADDY_SIGNING_KEY_FINGERPRINT=
+
+MAIL_FROM_NAME=AnonAddy
+[email protected]
+
+# See [Generate DKIM private/public keypair](https://github.com/anonaddy/docker#generate-dkim-privatepublic-keypair)
+RSPAMD_ENABLE=true
+RSPAMD_WEB_PASSWORD=<PASSWORD>
+
+POSTFIX_DEBUG=false
+POSTFIX_SMTPD_TLS=true
+POSTFIX_SMTPD_TLS_CERT_FILE=/data/output/mydomain.com/cert.pem
+POSTFIX_SMTPD_TLS_KEY_FILE=/data/output/mydomain.com/key.pem
+POSTFIX_SMTP_TLS=true
@@ -0,0 +1,16 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      sniStrict: true
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
+    mintls13:
+      minVersion: VersionTLS13
+      sniStrict: true
@@ -0,0 +1,65 @@
+http:
+  routers:
+    anonaddy:
+      service: anonaddy
+      entrypoints:
+        - https
+      rule: "Host(`anonaddy.example.com`)"
+      middlewares:
+        - crowdsec-bouncer
+      tls:
+        certResolver: dnschallenge
+        domains:
+          - main: "example.com"
+            sans:
+              - "example.com"
+              - "anonaddy.example.com"
+              - "www.example.com"
+    rspamd:
+      service: rspamd
+      entrypoints:
+        - https
+      rule: "Host(`spam.example.com`)"
+      middlewares:
+        - crowdsec-bouncer
+      tls:
+        certResolver: dnschallenge
+        domains:
+          - main: "spam.example.com"
+            sans:
+              - "spam.example.com"
+  middlewares:
+    crowdsec-bouncer:
+      forwardAuth:
+        address: "http://bouncer:8080/api/v1/forwardAuth"
+    redirect-https:
+      redirectScheme:
+        scheme: https
+        permanent: true
+    default-middlewares:
+      chain:
+        middlewares:
+          - default-headers-https@file
+          - default-compress@file
+    default-headers-https:
+      headers:
+        customBrowserXSSValue: "0"
+        contentTypeNosniff: true
+        customResponseHeaders:
+          Server: ""
+        forceSTSHeader: true
+        frameDeny: true
+        stsSeconds: 31536000
+        stsPreload: true
+        stsIncludeSubdomains: true
+    default-compress:
+      compress: {}
+  services:
+    anonaddy:
+      loadbalancer:
+        servers:
+          - url: http://172.21.0.8:8000
+    rspamd:
+      loadbalancer:
+        servers:
+          - url: http://172.21.0.8:11334