diff --git a/services/mail-archiver/.env b/services/mail-archiver/.env new file mode 100644 index 0000000..6fe0958 --- /dev/null +++ b/services/mail-archiver/.env @@ -0,0 +1,36 @@ +#version=1.1 +#URL=https://github.com/tailscale-dev/ScaleTail +#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure. + +# Service Configuration +SERVICE=MailArchiver # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}). +IMAGE_URL=s1t5/mailarchiver:latest # Docker image URL from container registry (e.g., adguard/adguard-home). + +# Network Configuration +SERVICEPORT=5000 # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable. +DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable. + +# Tailscale Configuration +TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions. + +# Optional Service variables +# PUID=1000 + +#Time Zone setting for containers +TZ=Europe/Amsterdam # See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones + +# Any Container environment variables are declared below. See https://docs.docker.com/compose/how-tos/environment-variables/ + +# Defines the first admin user +APP_USER= +APP_PW= + +# Defines the DB user +DB_USER= +DB_PW= + +#OAuth connectivity +OAUTH_SETUP=false # overwrite to 'true' if you want to use OAuth +OAUTH_URL= +OAUTH_CLIENTID= +OAUTH_SECRET= diff --git a/services/mail-archiver/README.md b/services/mail-archiver/README.md new file mode 100644 index 0000000..1a140b4 --- /dev/null +++ b/services/mail-archiver/README.md @@ -0,0 +1,13 @@ +# Mail Archiver with Tailscale Sidecar Configuration + +This Docker Compose configuration sets up [Mail Archiver](https://mail-archiver.org/) with Tailscale as a sidecar container to keep the app reachable over your Tailnet. + +## Mail Archiver + +[Mail Archiver](https://mail-archiver.org/) is an open-source and self hosted email archiver with powerful features, including a wide array of email sources (IMAP, M365, import files), a powerful search feature scanning email metadata and content and the ability to sync all your mailboxes to your account. +This configuration leverages Tailscale to securely connect to your Mail Archiver instance, ensuring that your email archiving interface is protected from unauthorized access and that your instance is accessible only via your private Tailscale network. + + +## Configuration Overview + +In this setup, the `tailscale-mailarchive-app` service runs Tailscale, which manages secure networking for Mail Archiver. The `mailarchive-app` service utilizes the Tailscale network stack via Docker's `network_mode: service:` configuration. This keeps the app Tailnet-only unless you intentionally expose ports. diff --git a/services/mail-archiver/compose.yaml b/services/mail-archiver/compose.yaml new file mode 100644 index 0000000..056a545 --- /dev/null +++ b/services/mail-archiver/compose.yaml @@ -0,0 +1,114 @@ +configs: + ts-serve: + content: | + {"TCP":{"443":{"HTTPS":true}}, + "Web":{"$${TS_CERT_DOMAIN}:443": + {"Handlers":{"/": + {"Proxy":"http://127.0.0.1:5000"}}}}, + "AllowFunnel":{"$${TS_CERT_DOMAIN}:443":false}} + +services: + # Make sure you have updated/checked the .env file with the correct variables. + # All the ${ xx } need to be defined there. + # Tailscale Sidecar Configuration + tailscale: + image: tailscale/tailscale:latest # Image to be used + container_name: tailscale-${SERVICE} # Name for local container management + hostname: tailscale-${SERVICE} # Name used within your Tailscale environment + environment: + - TS_AUTHKEY=${TS_AUTHKEY} + - TS_EXTRA_ARGS=--advertise-tags=tag:container + - TS_STATE_DIR=/var/lib/tailscale + - TS_SERVE_CONFIG=/config/serve-config.json # Tailscale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required + - TS_USERSPACE=false + - TS_ENABLE_HEALTH_CHECK=true # Enable healthcheck endpoint: "/healthz" + - TS_LOCAL_ADDR_PORT=127.0.0.1:41234 # The : for the healthz endpoint + #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS + - TS_AUTH_ONCE=true + configs: + - source: ts-serve + target: /config/serve.json + volumes: + - ./config:/config # Config folder used to store Tailscale files - you may need to change the path + - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path + devices: + - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work + cap_add: + - net_admin # Tailscale requirement + networks: + - postgres + #ports: + # - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required + # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below + #dns: + # - ${DNS_SERVER} + healthcheck: + test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational + interval: 1m # How often to perform the check + timeout: 10s # Time to wait for the check to succeed + retries: 3 # Number of retries before marking as unhealthy + start_period: 10s # Time to wait before starting health checks + restart: always + + application: + image: ${IMAGE_URL} + container_name: ${SERVICE}-app + restart: always + network_mode: service:tailscale + environment: + # Database Connection + - ConnectionStrings__DefaultConnection=Host=postgres;Database=${SERVICE};Username=${DB_USER};Password=${DB_PW}; + + # Authentication Settings + - Authentication__Username=${APP_USER} + - Authentication__Password=${APP_PW} + + # TimeZone Settings + - TZ=Europe/Amsterdam + + # OIDC Configuration + - OAuth__Enabled=${OAUTH_SETUP} + - OAuth__Authority=${OAUTH_URL} + - OAuth__ClientId=${OAUTH_CLIENTID} + - OAuth__ClientSecret=${OAUTH_SECRET} + - OAuth__DisplayName=PocketID SSO + - OAuth__ClientScopes__0=openid + - OAuth__ClientScopes__1=profile + - OAuth__ClientScopes__2=email + - OAuth__DisablePasswordLogin=false + - OAuth__AutoApproveUsers=false + + volumes: + - ./data-protection-keys:/app/DataProtection-Keys + depends_on: + tailscale: + condition: service_healthy + postgres: + condition: service_healthy + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:5000"] + interval: 5s + timeout: 3s + retries: 10 + start_period: 15s + + postgres: + image: postgres:17-alpine + restart: always + environment: + POSTGRES_DB: ${SERVICE} + POSTGRES_USER: ${DB_USER} + POSTGRES_PASSWORD: ${DB_PW} + volumes: + - ./postgres-data:/var/lib/postgresql/data + networks: + - postgres + healthcheck: + test: ["CMD-SHELL", "pg_isready -U ${DB_USER} -d ${SERVICE}"] + interval: 10s + timeout: 5s + retries: 5 + start_period: 10s + +networks: + postgres: