From 76765164dc1de4bf3a269965a7621dd92d31a212 Mon Sep 17 00:00:00 2001
From: link2xt
Date: Wed, 18 Oct 2023 15:15:24 +0000
Subject: [PATCH] Deploy nginx and autoconfig XML
---
 .../src/deploy_chatmail/__init__.py | 43 ++++++++++++++++-
 .../src/deploy_chatmail/acmetool/__init__.py | 15 ++----
 .../acmetool/acmetool-redirector.service | 11 -----
 .../deploy_chatmail/acmetool/target.yaml.j2 | 7 +++
 .../src/deploy_chatmail/autoconfig.xml.j2 | 37 +++++++++++++++
 .../src/deploy_chatmail/nginx.conf.j2 | 47 +++++++++++++++++++
 6 files changed, 136 insertions(+), 24 deletions(-)
 delete mode 100644 deploy-chatmail/src/deploy_chatmail/acmetool/acmetool-redirector.service
 create mode 100644 deploy-chatmail/src/deploy_chatmail/acmetool/target.yaml.j2
 create mode 100644 deploy-chatmail/src/deploy_chatmail/autoconfig.xml.j2
 create mode 100644 deploy-chatmail/src/deploy_chatmail/nginx.conf.j2
diff --git a/deploy-chatmail/src/deploy_chatmail/__init__.py b/deploy-chatmail/src/deploy_chatmail/__init__.py
index 7001b628..80df1844 100644
--- a/deploy-chatmail/src/deploy_chatmail/__init__.py
+++ b/deploy-chatmail/src/deploy_chatmail/__init__.py
@@ -173,6 +173,33 @@ def _configure_dovecot(mail_server: str, debug: bool = False) -> bool: return need_restart +def _configure_nginx(domain: str, debug: bool = False) -> bool: + """Configures nginx HTTP server.""" + need_restart = False + + main_config = files.template( + src=importlib.resources.files(__package__).joinpath("nginx.conf.j2"), + dest="/etc/nginx/nginx.conf", + user="root", + group="root", + mode="644", + config={"domain_name": domain}, + ) + need_restart |= main_config.changed + + autoconfig = files.template( + src=importlib.resources.files(__package__).joinpath("autoconfig.xml.j2"), + dest="/var/www/html/.well-known/autoconfig/mail/config-v1.1.xml", + user="root", + group="root", + mode="644", + config={"domain_name": domain}, + ) + need_restart |= autoconfig.changed + + return need_restart + + def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> None: """Deploy a chat-mail instance. @@ -194,7 +221,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N ) # Deploy acmetool to have TLS certificates. - deploy_acmetool(domains=[mail_server]) + deploy_acmetool(nginx_hook=True, domains=[mail_server]) apt.packages( name="Install Postfix", @@ -214,11 +241,17 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N ], ) + apt.packages( + name="Install nginx", + packages=["nginx"], + ) + _install_chatmaild() debug = False dovecot_need_restart = _configure_dovecot(mail_server, debug=debug) postfix_need_restart = _configure_postfix(mail_domain, debug=debug) opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector) + nginx_need_restart = _configure_nginx(mail_domain) systemd.service( name="Start and enable OpenDKIM", 
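Review bot: The `debug` parameter of the new `_configure_nginx` is never read anywhere in its body, and the docstring does not say what the returned bool means; either drop the parameter or wire it up, and state the contract, e.g. `"""Render nginx.conf and the autoconfig XML for *domain*. Returns True when either rendered file changed (the caller restarts nginx)."""`. Separately, `need_restart |= autoconfig.changed` triggers a restart for a change to a static file that nginx serves straight from disk on each request; only the `/etc/nginx/nginx.conf` change needs the service bounced, and a reload rather than a restart would avoid dropping in-flight connections.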
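Review bot: `nginx_need_restart = _configure_nginx(mail_domain)` renders `config.domain_name` from `mail_domain`, but the certificate is requested for `mail_server` (`deploy_acmetool(nginx_hook=True, domains=[mail_server])` in the previous hunk) and nginx.conf.j2 points `ssl_certificate` at `/var/lib/acme/live/{{ config.domain_name }}/fullchain`. Whenever the two names differ, that path does not exist and nginx refuses to start; the autoconfig XML likewise advertises `mail_domain` as the IMAP/SMTP host, which I assume is not the name the Dovecot/Postfix certificate covers — please confirm. Passing `mail_server` for the certificate/host name, or both names as separate template variables, keeps the three in agreement. The call also omits `debug=debug`, unlike the sibling `_configure_dovecot`/`_configure_postfix` calls on the preceding lines.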
@@ -244,6 +277,14 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N restarted=dovecot_need_restart, ) + systemd.service( + name="Start and enable nginx", + service="nginx.service", + running=True, + enabled=True, + restarted=nginx_need_restart, + ) + # This file is used by auth proxy. # https://wiki.debian.org/EtcMailName server.shell( diff --git a/deploy-chatmail/src/deploy_chatmail/acmetool/__init__.py b/deploy-chatmail/src/deploy_chatmail/acmetool/__init__.py index 37e45f59..84a43d81 100644 --- a/deploy-chatmail/src/deploy_chatmail/acmetool/__init__.py +++ b/deploy-chatmail/src/deploy_chatmail/acmetool/__init__.py @@ -38,22 +38,13 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]): email=email, ) - service_file = files.put( - src=importlib.resources.files(__package__) - .joinpath("acmetool-redirector.service") - .open("rb"), - dest="/etc/systemd/system/acmetool-redirector.service", + files.template( + src=importlib.resources.files(__package__).joinpath("target.yaml.j2"), + dest="/var/lib/acme/conf/target", user="root", group="root", mode="644", ) - systemd.service( - name="Setup acmetool-redirector service", - service="acmetool-redirector.service", - running=False, - enabled=False, - restarted=service_file.changed, - ) for domain in domains: server.shell( diff --git a/deploy-chatmail/src/deploy_chatmail/acmetool/acmetool-redirector.service b/deploy-chatmail/src/deploy_chatmail/acmetool/acmetool-redirector.service deleted file mode 100644 index 2e434b9b..00000000 --- a/deploy-chatmail/src/deploy_chatmail/acmetool/acmetool-redirector.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=acmetool HTTP redirector - -[Service] -Type=notify -ExecStart=/usr/bin/acmetool redirector --service.uid=daemon -Restart=always -RestartSec=30 - -[Install] -WantedBy=multi-user.target 
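Review bot: Replacing the port-80 redirector with a webroot challenge under `/var/www/html/.well-known/acme-challenge` makes certificate issuance depend on an HTTP server answering on port 80, yet `deploy_chatmail` calls `deploy_acmetool` before the `Install nginx` step, and the new nginx.conf.j2 cannot start until `/var/lib/acme/live/<domain>/fullchain` exists; on a fresh host this looks like a chicken-and-egg, since the `server.shell` loop that follows the hunk (outside it) would request the certificate before anything serves the challenge. Consider installing and starting nginx with an HTTP-only listener before the acmetool request and only enabling the TLS listener once the certificate exists, or keeping a minimal HTTP responder for initial issuance. Nothing in the hunk creates the webroot directory; if the `files.template` for `target` does not, a `files.directory` for `/var/www/html/.well-known/acme-challenge` is needed. On hosts deployed with the previous version, the now-unmanaged `/etc/systemd/system/acmetool-redirector.service` unit file is left in place.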
diff --git a/deploy-chatmail/src/deploy_chatmail/acmetool/target.yaml.j2 b/deploy-chatmail/src/deploy_chatmail/acmetool/target.yaml.j2 new file mode 100644 index 00000000..97163c4f --- /dev/null +++ b/deploy-chatmail/src/deploy_chatmail/acmetool/target.yaml.j2 @@ -0,0 +1,7 @@ +request: + provider: https://acme-v02.api.letsencrypt.org/directory + key: + type: rsa + challenge: + webroot-paths: + - /var/www/html/.well-known/acme-challenge diff --git a/deploy-chatmail/src/deploy_chatmail/autoconfig.xml.j2 b/deploy-chatmail/src/deploy_chatmail/autoconfig.xml.j2 new file mode 100644 index 00000000..bf4bd8e7 --- /dev/null +++ b/deploy-chatmail/src/deploy_chatmail/autoconfig.xml.j2 @@ -0,0 +1,37 @@ + + + + + {{ config.domain_name }} + {{ config.domain_name }} chatmail + {{ config.domain_name }} + + {{ config.domain_name }} + 993 + SSL + password-cleartext + %EMAILADDRESS% + + + {{ config.domain_name }} + 143 + STARTTLS + password-cleartext + %EMAILADDRESS% + + + {{ config.domain_name }} + 465 + SSL + password-cleartext + %EMAILADDRESS% + + + {{ config.domain_name }} + 587 + STARTTLS + password-cleartext + %EMAILADDRESS% + + + diff --git a/deploy-chatmail/src/deploy_chatmail/nginx.conf.j2 b/deploy-chatmail/src/deploy_chatmail/nginx.conf.j2 new file mode 100644 index 00000000..7484d339 --- /dev/null +++ b/deploy-chatmail/src/deploy_chatmail/nginx.conf.j2 
@@ -0,0 +1,47 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+
+ # Do not emit nginx version on error pages.
+ server_tokens off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
+ ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
+
+ gzip on;
+
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ root /var/www/html;
+
+ index index.html index.htm;
+
+ server_name _;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ }
+ }
+}
+
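Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` enables TLS 1.0 and 1.1, which are deprecated by RFC 8996 and disabled by default in current browsers and mail clients; change it to `ssl_protocols TLSv1.2 TLSv1.3;`, and consider an explicit `ssl_ciphers` list, since with `ssl_prefer_server_ciphers on` the server's cipher ordering is what clients get. The single `server` block also serves everything, including the autoconfig XML, on plain port 80 through `try_files`, so a client that fetches `http://…/.well-known/autoconfig/mail/config-v1.1.xml` can be handed a tampered host/port list by anyone on the path; keep port 80 for `/.well-known/acme-challenge/` only and redirect the rest to HTTPS. A split into two server blocks is sketched below; the redirect uses `{{ config.domain_name }}` rather than the client-supplied `$host`, and that same name must be the one acmetool actually issues the certificate for.
```nginx
    # … unchanged: http-level settings (sendfile, server_tokens, mime.types, ssl_*, gzip) …
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /var/www/html;

        # ACME HTTP-01 validation has to stay reachable over plain HTTP.
        location /.well-known/acme-challenge/ {
            try_files $uri =404;
        }

        location / {
            return 301 https://{{ config.domain_name }}$request_uri;
        }
    }

    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        # … unchanged: root, index, server_name, location / with try_files …
    }
```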