myvemail/01-setup.sh

#!/usr/bin/env bash
# Exit on any error
set -e

# Fill in the following variables
appname=${appname}				# google
proxyurl=${proxyurl}			# http://webapps.kvm
proxyport=${proxyport}			# 4000
domain=${domain}				# www.google.com
mailver=${mailver}				# latest/stable

# Abort if variables are missing
for var in appname proxyurl proxyport domain
do
    if [ -z ${!var} ]
    then
        echo "Variable ${var} does not exist, aborting..."
        exit 1
    fi
done

# Check for subdomain
if [ $(echo ${domain} | awk -F . '{print $3}') ]
then
    _subdomain=$(echo ${domain} | awk -F . '{print $1}')
    _domain="$(echo ${domain} | awk -F . '{print $2}').$(echo ${domain} | awk -F . '{print $3}')"
else
    echo "Invalid \${domain} variable, exiting"
    exit 1
fi

# Figure out nginx conf directory
if grep -q 'include.*conf.d' /etc/nginx/nginx.conf
then
    nginxdir=/etc/nginx/conf.d
elif grep -q 'include.*sites-available' /etc/nginx/nginx.conf
then
    nginxdir=/etc/nginx/sites-available
    sudo ln -s -f /etc/nginx/sites-available/${appname}.conf /etc/nginx/sites-enabled/
else
    echo "Missing nginx directory, exiting..."
    exit 1
fi

# Virtual proxy
cat <<- 'proxy' | \
sed -e "s|{{domain}}|${domain}|" \
    -e "s|{{proxyurl}}|${proxyurl}|" \
    -e "s|{{proxyport}}|${proxyport}|" \
    -e "s|{{appname}}|${appname}|" | sudo tee ${nginxdir}/${appname}.conf >/dev/null
server {
    server_name {{domain}};

    location / {
        proxy_pass {{proxyurl}}:{{proxyport}};
        error_log  /var/log/nginx/{{appname}}_error.log;
        access_log /var/log/nginx/{{appname}}_access.log;

        # proxy_params;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;

        proxy_set_header Early-Data $ssl_early_data;
        proxy_buffering off;
        proxy_request_buffering off;

        proxy_next_upstream error timeout invalid_header http_500;
        proxy_next_upstream_timeout 3s;
        proxy_next_upstream_tries 2;

        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_cache_bypass  $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # http_upgrade
    # Security
    server_tokens off;
    add_header X-Frame-Options                   "SAMEORIGIN"               always;
    add_header X-Content-Type-Options            "nosniff"                  always;
    add_header X-XSS-Protection                  "1; mode=block"            always;
    add_header Referrer-Policy                   "no-referrer"              always;
    add_header X-Permitted-Cross-Domain-Policies "none"                     always;
    add_header X-Robots-Tag                      "noindex, nofollow"        always;

    # http2
    http2 on;

    # http3
    add_header Alt-Svc 'h3=":443"; ma=86400';
    quic_retry on;
    quic_gso on;
    http3_stream_buffer_size 512k;
    http3 on;

    # Certbot defaults
    add_header Strict-Transport-Security "max-age=31536000" always;
}

proxy

# Run certbot
sudo certbot --nginx --non-interactive --agree-tos --no-eff-email -m eff@${_domain} -d ${domain} \
    --hsts --no-redirect --renew-hook 'docker exec myvemail /bin/ash -c "dovecot reload; postfix reload"'

# Add http2 and http3 directives
sudo sed -e '/listen 80/d' \
    -e '/listen 443/a\
    listen 443 quic;\
    listen [::]:443 ssl;\
    listen [::]:443 quic;\n' -i ${nginxdir}/${appname}.conf
sudo tee -a ${nginxdir}/${appname}.conf >/dev/null <<- 'redirect'
server {
    listen 80;
    server_name {{domain}};
    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }
}
redirect
sudo systemctl reload nginx.service

# SSL
[ -d ./data/ssl/ ] || install --directory ./data/ssl/
sudo ln -s -f /etc/letsencrypt/live/${domain}/fullchain.pem ./data/ssl/tls.pem
sudo ln -s -f /etc/letsencrypt/live/${domain}/privkey.pem ./data/ssl/tls.key
[ -f ./data/ssl/dh.pem ] || touch ./data/ssl/dh.pem

# Postwhite
[ -f ./data/postwhite ] || touch ./data/postwhite

# Environment file
sed -e "s/{{MYVEMAIL_SUBDOMAIN}}/${_subdomain}/" \
    -e "s/{{MYVEMAIL_DOMAIN}}/${_domain}/" \
    -e "s/{{MYVEMAIL_PORT}}/${proxyport}/" \
    -e "s/{{MYVEMAIL_VERSION}}/${mailver:-latest}/" \
    -e "s/{{MYVEMAIL_ROUNDCUBE_DBPASS}}/$(openssl rand -hex 32)/" \
    -e "s/{{MYVEMAIL_POSTFIXADMIN_DBPASS}}/$(openssl rand -hex 32)/" \
    -i ./.env

# Cleanup
rm -r ${0} ./build/ -f

# Myvemail initial setup
docker compose pull
docker compose run --rm -it myvemail setup

# Startup
if [ -d ./data/sql/mysql/ ] && [ -d ./data/sql/postfixadmin/ ]
then
    docker compose up --detach
    [ -s ./data/ssl/dh.pem ] || openssl dhparam -out ./data/ssl/dh.pem 4096 &
    docker compose logs --follow
fi
First commit 2024-08-09 12:50:33 +00:00			`#!/usr/bin/env bash`
renamed: 01-nginx-setup.sh -> 01-setup.sh deleted: 02-generate-env.sh 2024-08-20 00:12:33 +00:00			`# Exit on any error`
			`set -e`

Moved whitelist ahead of policyd-spf check 2025-03-18 00:16:45 +00:00			`# Fill in the following variables`
			`appname=${appname} # google`
			`proxyurl=${proxyurl} # http://webapps.kvm`
			`proxyport=${proxyport} # 4000`
			`domain=${domain} # www.google.com`
			`mailver=${mailver} # latest/stable`

			`# Abort if variables are missing`
			`for var in appname proxyurl proxyport domain`
			`do`
			`if [ -z ${!var} ]`
			`then`
			`echo "Variable ${var} does not exist, aborting..."`
			`exit 1`
			`fi`
			`done`

renamed: 01-nginx-setup.sh -> 01-setup.sh deleted: 02-generate-env.sh 2024-08-20 00:12:33 +00:00			`# Check for subdomain`
			`if [ $(echo ${domain} \| awk -F . '{print $3}') ]`
First commit 2024-08-09 12:50:33 +00:00			`then`
renamed: 01-nginx-setup.sh -> 01-setup.sh deleted: 02-generate-env.sh 2024-08-20 00:12:33 +00:00			`_subdomain=$(echo ${domain} \| awk -F . '{print $1}')`
modified: 01-setup.sh 2024-08-20 00:22:47 +00:00			`_domain="$(echo ${domain} \| awk -F . '{print $2}').$(echo ${domain} \| awk -F . '{print $3}')"`
renamed: 01-nginx-setup.sh -> 01-setup.sh deleted: 02-generate-env.sh 2024-08-20 00:12:33 +00:00			`else`
			`echo "Invalid \${domain} variable, exiting"`
First commit 2024-08-09 12:50:33 +00:00			`exit 1`
			`fi`

			`# Figure out nginx conf directory`
			`if grep -q 'include.*conf.d' /etc/nginx/nginx.conf`
			`then`
			`nginxdir=/etc/nginx/conf.d`
			`elif grep -q 'include.*sites-available' /etc/nginx/nginx.conf`
			`then`
			`nginxdir=/etc/nginx/sites-available`
renamed: 01-nginx-setup.sh -> 01-setup.sh deleted: 02-generate-env.sh 2024-08-20 00:12:33 +00:00			`sudo ln -s -f /etc/nginx/sites-available/${appname}.conf /etc/nginx/sites-enabled/`
First commit 2024-08-09 12:50:33 +00:00			`else`
			`echo "Missing nginx directory, exiting..."`
			`exit 1`
			`fi`

			`# Virtual proxy`
			`cat <<- 'proxy' \| \`
			`sed -e "s\|{{domain}}\|${domain}\|" \`
			`-e "s\|{{proxyurl}}\|${proxyurl}\|" \`
renamed: 01-nginx-setup.sh -> 01-setup.sh deleted: 02-generate-env.sh 2024-08-20 00:12:33 +00:00			`-e "s\|{{proxyport}}\|${proxyport}\|" \`
			`-e "s\|{{appname}}\|${appname}\|" \| sudo tee ${nginxdir}/${appname}.conf >/dev/null`
First commit 2024-08-09 12:50:33 +00:00			`server {`
			`server_name {{domain}};`

			`location / {`
modified: 01-setup.sh 2024-08-20 00:13:25 +00:00			`proxy_pass {{proxyurl}}:{{proxyport}};`
First commit 2024-08-09 12:50:33 +00:00			`error_log /var/log/nginx/{{appname}}_error.log;`
			`access_log /var/log/nginx/{{appname}}_access.log;`

			`# proxy_params;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Host $host;`
			`proxy_set_header X-Forwarded-Port $server_port;`
			`proxy_set_header X-Forwarded-Scheme $scheme;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header Accept-Encoding "";`
			`proxy_set_header Host $host;`

Fixes for 01-setup.sh and gave .env its own file 2025-03-18 02:27:28 +00:00			`proxy_set_header Early-Data $ssl_early_data;`
			`proxy_buffering off;`
			`proxy_request_buffering off;`

			`proxy_next_upstream error timeout invalid_header http_500;`
			`proxy_next_upstream_timeout 3s;`
			`proxy_next_upstream_tries 2;`

First commit 2024-08-09 12:50:33 +00:00			`client_body_buffer_size 512k;`
			`proxy_read_timeout 86400s;`
			`client_max_body_size 0;`

			`# Websocket`
			`proxy_http_version 1.1;`
			`proxy_cache_bypass $http_upgrade;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`}`

			`# http_upgrade`
			`# Security`
			`server_tokens off;`
Fixes for 01-setup.sh and gave .env its own file 2025-03-18 02:27:28 +00:00			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`
			`add_header Referrer-Policy "no-referrer" always;`
			`add_header X-Permitted-Cross-Domain-Policies "none" always;`
			`add_header X-Robots-Tag "noindex, nofollow" always;`
First commit 2024-08-09 12:50:33 +00:00
			`# http2`
			`http2 on;`

			`# http3`
			`add_header Alt-Svc 'h3=":443"; ma=86400';`
			`quic_retry on;`
Fixes for 01-setup.sh and gave .env its own file 2025-03-18 02:27:28 +00:00			`quic_gso on;`
			`http3_stream_buffer_size 512k;`
First commit 2024-08-09 12:50:33 +00:00			`http3 on;`

			`# Certbot defaults`
			`add_header Strict-Transport-Security "max-age=31536000" always;`
			`}`
Fixes for 01-setup.sh and gave .env its own file 2025-03-18 02:27:28 +00:00
First commit 2024-08-09 12:50:33 +00:00			`proxy`

			`# Run certbot`
Fixes for 01-setup.sh and gave .env its own file 2025-03-18 02:27:28 +00:00			`sudo certbot --nginx --non-interactive --agree-tos --no-eff-email -m eff@${_domain} -d ${domain} \`
Remove OCSP 2025-06-12 16:35:21 +00:00			`--hsts --no-redirect --renew-hook 'docker exec myvemail /bin/ash -c "dovecot reload; postfix reload"'`
Fixes for 01-setup.sh and gave .env its own file 2025-03-18 02:27:28 +00:00
			`# Add http2 and http3 directives`
			`sudo sed -e '/listen 80/d' \`
			`-e '/listen 443/a\`
			`listen 443 quic;\`
			`listen [::]:443 ssl;\`
			`listen [::]:443 quic;\n' -i ${nginxdir}/${appname}.conf`
			`sudo tee -a ${nginxdir}/${appname}.conf >/dev/null <<- 'redirect'`
			`server {`
			`listen 80;`
			`server_name {{domain}};`
			`if ($scheme = "http") {`
			`return 301 https://$host$request_uri;`
			`}`
			`}`
			`redirect`
			`sudo systemctl reload nginx.service`
First commit 2024-08-09 12:50:33 +00:00
modified: 01-nginx-setup.sh 2024-08-19 23:49:49 +00:00			`# SSL`
renamed: 01-nginx-setup.sh -> 01-setup.sh deleted: 02-generate-env.sh 2024-08-20 00:12:33 +00:00			`[ -d ./data/ssl/ ] \|\| install --directory ./data/ssl/`
modified: 01-setup.sh 2024-08-20 00:19:40 +00:00			`sudo ln -s -f /etc/letsencrypt/live/${domain}/fullchain.pem ./data/ssl/tls.pem`
			`sudo ln -s -f /etc/letsencrypt/live/${domain}/privkey.pem ./data/ssl/tls.key`
Fixes for 01-setup.sh and gave .env its own file 2025-03-18 02:27:28 +00:00			`[ -f ./data/ssl/dh.pem ] \|\| touch ./data/ssl/dh.pem`
renamed: nginx-setup.sh -> 01-nginx-setup.sh renamed: generate-env.sh -> 02-generate-env.sh 2024-08-11 00:04:19 +00:00
modified: 01-nginx-setup.sh 2024-08-19 23:49:49 +00:00			`# Postwhite`
			`[ -f ./data/postwhite ] \|\| touch ./data/postwhite`
renamed: nginx-setup.sh -> 01-nginx-setup.sh renamed: generate-env.sh -> 02-generate-env.sh 2024-08-11 00:04:19 +00:00
renamed: 01-nginx-setup.sh -> 01-setup.sh deleted: 02-generate-env.sh 2024-08-20 00:12:33 +00:00			`# Environment file`
Fixes for 01-setup.sh and gave .env its own file 2025-03-18 02:27:28 +00:00			`sed -e "s/{{MYVEMAIL_SUBDOMAIN}}/${_subdomain}/" \`
			`-e "s/{{MYVEMAIL_DOMAIN}}/${_domain}/" \`
			`-e "s/{{MYVEMAIL_PORT}}/${proxyport}/" \`
			`-e "s/{{MYVEMAIL_VERSION}}/${mailver:-latest}/" \`
			`-e "s/{{MYVEMAIL_ROUNDCUBE_DBPASS}}/$(openssl rand -hex 32)/" \`
			`-e "s/{{MYVEMAIL_POSTFIXADMIN_DBPASS}}/$(openssl rand -hex 32)/" \`
			`-i ./.env`
renamed: 01-nginx-setup.sh -> 01-setup.sh deleted: 02-generate-env.sh 2024-08-20 00:12:33 +00:00
modified: 01-nginx-setup.sh 2024-08-19 23:49:49 +00:00			`# Cleanup`
modified: 01-setup.sh 2024-08-20 01:01:00 +00:00			`rm -r ${0} ./build/ -f`
renamed: 01-nginx-setup.sh -> 01-setup.sh deleted: 02-generate-env.sh 2024-08-20 00:12:33 +00:00
			`# Myvemail initial setup`
			`docker compose pull`
			`docker compose run --rm -it myvemail setup`
modified: 01-setup.sh 2024-08-20 00:33:23 +00:00
			`# Startup`
			`if [ -d ./data/sql/mysql/ ] && [ -d ./data/sql/postfixadmin/ ]`
			`then`
modified: 01-setup.sh 2024-08-20 01:01:00 +00:00			`docker compose up --detach`
Fixes for 01-setup.sh and gave .env its own file 2025-03-18 02:27:28 +00:00			`[ -s ./data/ssl/dh.pem ] \|\| openssl dhparam -out ./data/ssl/dh.pem 4096 &`
modified: 01-setup.sh 2024-08-20 01:01:00 +00:00			`docker compose logs --follow`
modified: 01-setup.sh 2024-08-20 00:33:23 +00:00			`fi`