forwardemail
diff --git a/‎.env.defaults‎
Lines changed: 6 additions & 2 deletions b/‎.env.defaults‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎.env.schema‎
Lines changed: 5 additions & 1 deletion b/‎.env.schema‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎ansible/docs/DISASTER_RECOVERY.md‎
Lines changed: 18 additions & 8 deletions b/‎ansible/docs/DISASTER_RECOVERY.md‎
Lines changed: 18 additions & 8 deletions
diff --git a/‎ansible/docs/MONGODB_OPERATIONS_GUIDE.md‎
Lines changed: 2 additions & 1 deletion b/‎ansible/docs/MONGODB_OPERATIONS_GUIDE.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎ansible/docs/README.md‎
Lines changed: 257 additions & 0 deletions b/‎ansible/docs/README.md‎
Lines changed: 257 additions & 0 deletions
@@ -1,10 +1,15 @@
+# Postfix relay for server alerts
+POSTFIX_USERNAME=
+POSTFIX_PASSWORD=
+POSTFIX_RCPTS=
+
 SSL_CERT_PATH=
 SSL_KEY_PATH=
 SSL_CA_PATH=
 BACKUP_SECRET=
 MONGO_BACKUP_BUCKET=forwardemail-backups
 REDIS_BACKUP_BUCKET=forwardemail-backups
-REDIS_DATA_DIR=/var/lib/redis
+REDIS_DATA_DIR=/var/lib/valkey
 
 ###################################
 ## ignored self test domains     ##
@@ -270,7 +275,6 @@ EMAILS_MONGO_URI="mongodb://{{EMAILS_MONGO_HOST}}:{{EMAILS_MONGO_PORT}}/{{EMAILS
 REDIS_TLS=false
 REDIS_USERNAME=
 REDIS_PORT=6379
-REDIS_TLS_PORT=6380
 REDIS_HOST=localhost
 # Generate a 64-character random password (Redis can handle long passwords)
 # openssl rand -base64 48
 
@@ -1,3 +1,8 @@
+# Postfix relay for server alerts
+POSTFIX_USERNAME=
+POSTFIX_PASSWORD=
+POSTFIX_RCPTS=
+
 # MongoDB Configuration
 MONGO_HOST=
 MONGO_BACKUP_BUCKET=forwardemail-backups
@@ -282,7 +287,6 @@ EMAILS_MONGO_URI=
 REDIS_TLS=
 REDIS_USERNAME=
 REDIS_PORT=
-REDIS_TLS_PORT=
 REDIS_HOST=
 REDIS_PASSWORD=
 WEB_REDIS_TLS=
 
@@ -1,7 +1,10 @@
-# Disaster Recovery and Failover Guide
+# Disaster Recovery Guide
 
-This guide provides comprehensive procedures for recovering MongoDB and Redis databases from catastrophic failures and migrating to new servers with minimal downtime.
+> [!CAUTION]
+> This guide provides comprehensive procedures for recovering MongoDB and Redis databases from catastrophic failures and migrating to new servers with minimal downtime.
 
+> [!IMPORTANT]
+> Review and test these procedures regularly. Don't wait for an actual disaster!
 ## Table of Contents
 
 1. [DNS TTL Configuration](#dns-ttl-configuration)
@@ -53,14 +56,18 @@ redis.example.com    A      1.2.3.5      TTL: 300
 redis.example.com    AAAA   2001:db8::2  TTL: 300
 ```
 
-**Important:** Set these TTL values **before** an outage occurs. Changing TTL during an outage will not take effect until the old TTL expires.
+> [!WARNING]
+> **Important:** Set these TTL values **before** an outage occurs. Changing TTL during an outage will not take effect until the old TTL expires.
 
 ---
 
 ## MongoDB Disaster Recovery
 
 ### Scenario 1: Complete Server Failure
 
+> [!CAUTION]
+> **Critical scenario requiring immediate action**
+
 **Symptoms:**
 - MongoDB server is completely unreachable
 - Hardware failure, data center outage, or catastrophic software failure
@@ -203,6 +210,9 @@ db.adminCommand({ fsyncUnlock: 1 })
 
 ### Scenario 1: Complete Server Failure
 
+> [!CAUTION]
+> **Critical scenario requiring immediate action**
+
 **Symptoms:**
 - Redis server is completely unreachable
 - Hardware failure or data center outage
@@ -230,11 +240,11 @@ sudo systemctl stop redis-server
 
 # Restore encrypted backup
 aws s3 cp "s3://forwardemail-backups/${BACKUP_PATH}" - --endpoint-url="$AWS_ENDPOINT_URL" | \
-  gpg --decrypt --batch --yes --passphrase "$BACKUP_SECRET" > /var/lib/redis/dump.rdb
+  gpg --decrypt --batch --yes --passphrase "$BACKUP_SECRET" > /var/lib/valkey/dump.rdb
 
 # Set correct permissions
-sudo chown redis:redis /var/lib/redis/dump.rdb
-sudo chmod 640 /var/lib/redis/dump.rdb
+sudo chown redis:redis /var/lib/valkey/dump.rdb
+sudo chmod 640 /var/lib/valkey/dump.rdb
 
 # Start Redis
 sudo systemctl start redis-server
@@ -290,9 +300,9 @@ sudo systemctl stop redis-server
 
 aws s3 cp "s3://forwardemail-backups/redis/LATEST_BACKUP.rdb.gpg" - \
   --endpoint-url="$AWS_ENDPOINT_URL" | \
-  gpg --decrypt --batch --yes --passphrase "$BACKUP_SECRET" > /var/lib/redis/dump.rdb
+  gpg --decrypt --batch --yes --passphrase "$BACKUP_SECRET" > /var/lib/valkey/dump.rdb
 
-sudo chown redis:redis /var/lib/redis/dump.rdb
+sudo chown redis:redis /var/lib/valkey/dump.rdb
 sudo systemctl start redis-server
 ```
 
 
@@ -1,6 +1,7 @@
 # MongoDB Operations Guide
 
-This guide covers advanced MongoDB operations including version upgrades, migrations, performance analysis, troubleshooting, and index optimization.
+> [!NOTE]
+> This guide covers advanced MongoDB operations including version upgrades, migrations, performance analysis, troubleshooting, and index optimization.
 
 ## Table of Contents
 
 
@@ -0,0 +1,257 @@
+# Ansible Documentation
+
+> [!NOTE]
+> This directory contains comprehensive documentation for deploying and managing the Forward Email infrastructure using Ansible.
+
+## 📚 Table of Contents
+
+- [Getting Started](#getting-started)
+- [Deployment Guides](#deployment-guides)
+- [Operations & Maintenance](#operations--maintenance)
+- [Performance Tuning](#performance-tuning)
+- [Disaster Recovery](#disaster-recovery)
+- [Security & Auditing](#security--auditing)
+
+---
+
+## 🚀 Getting Started
+
+> [!IMPORTANT]
+> Before deploying any services, ensure you have:
+> - Ansible 2.9+ installed
+> - SSH access to target servers
+> - Required environment variables configured
+> - SSL/TLS certificates ready
+
+### Quick Start
+
+```bash
+# 1. Install Ansible dependencies
+ansible-galaxy install -r ansible/requirements.yml
+
+# 2. Configure environment variables
+export [email protected]
+export POSTFIX_PASSWORD=<secure_password>
+export [email protected]
+
+# 3. Deploy security baseline
+ansible-playbook ansible/playbooks/security.yml -i hosts.yml
+
+# 4. Deploy your services
+ansible-playbook ansible/playbooks/node.yml -i hosts.yml
+```
+
+---
+
+## 📖 Deployment Guides
+
+### Database Deployment
+
+**[MongoDB & Redis/Valkey Deployment Guide](README_MONGO_REDIS.md)**
+
+Complete guide for deploying MongoDB v6 and Valkey (Redis fork) with:
+- ✅ SSL/TLS encryption
+- ✅ UFW firewall configuration
+- ✅ Automated backups to Cloudflare R2
+- ✅ Email alerting system
+- ✅ Security hardening
+
+> [!TIP]
+> Start here if you're deploying database services for the first time.
+
+### Mail Server Deployment
+
+**[Mail Server Deployment Guide](MAIL_DEPLOYMENT.md)**
+
+Step-by-step guide for deploying SMTP, IMAP, POP3, and other mail services:
+- 📧 SMTP server configuration (ports 25, 587, 465, 2525, 2587, 2465, 2455, 2555)
+- 📬 IMAP server setup (ports 993, 2993)
+- 📮 POP3 server setup (ports 995, 2995)
+- 🔐 TLS/SSL certificate management
+- 🛡️ Security best practices
+
+> [!WARNING]
+> Mail servers require proper DNS configuration (MX, SPF, DKIM, DMARC) before deployment.
+
+---
+
+## 🔧 Operations & Maintenance
+
+### MongoDB Operations
+
+**[MongoDB Operations Guide](MONGODB_OPERATIONS_GUIDE.md)**
+
+Comprehensive operational procedures including:
+- 🔄 Backup and restore procedures
+- 📊 Monitoring and health checks
+- 🔍 Query optimization
+- 🗄️ Index management
+- 📈 Capacity planning
+- 🚨 Troubleshooting common issues
+
+> [!NOTE]
+> This guide covers day-to-day MongoDB administration tasks.
+
+### Service User Management
+
+**[Service User Audit](SERVICE_USER_AUDIT.md)**
+
+Documentation of service users and their permissions:
+- 👤 User roles and responsibilities
+- 🔑 Permission matrices
+- 📁 File ownership guidelines
+- 🔒 Security considerations
+
+---
+
+## ⚡ Performance Tuning
+
+### MongoDB Performance
+
+**[MongoDB Performance Tuning Guide](MONGODB_PERFORMANCE_TUNING.md)**
+
+Optimize MongoDB for production workloads:
+- 🎯 WiredTiger cache configuration
+- 💾 Memory allocation strategies
+- 🔄 Connection pool tuning
+- 📊 Query performance optimization
+- 🗂️ Index strategies
+- 💿 Storage engine tuning
+
+> [!TIP]
+> Apply these optimizations after initial deployment and load testing.
+
+### Redis/Valkey Performance
+
+**[Redis Performance Tuning Guide](REDIS_PERFORMANCE_TUNING.md)**
+
+Maximize Redis/Valkey performance:
+- 🚀 Memory optimization
+- ⚡ I/O threading configuration
+- 🔄 Persistence strategies
+- 📈 Monitoring and metrics
+- 🎯 Eviction policies
+- 🔧 Kernel parameter tuning
+
+---
+
+## 🆘 Disaster Recovery
+
+**[Disaster Recovery Guide](DISASTER_RECOVERY.md)**
+
+Complete disaster recovery procedures:
+- 💾 Backup strategies and schedules
+- 🔄 Restore procedures
+- 🚨 Incident response workflows
+- 📋 Recovery checklists
+- 🧪 Testing procedures
+- 📞 Escalation paths
+
+> [!CAUTION]
+> Review and test disaster recovery procedures regularly. Don't wait for an actual disaster!
+
+### Backup Schedule
+
+| Service | Frequency | Retention | Storage |
+|---------|-----------|-----------|---------|
+| MongoDB | Every 6 hours | 30 days | Cloudflare R2 |
+| Redis/Valkey | Every 6 hours | 30 days | Cloudflare R2 |
+| System configs | Daily | 90 days | Cloudflare R2 |
+
+> [!NOTE]
+> Backups older than 7 days are consolidated to one per day to save storage space.
+
+---
+
+## 🔒 Security & Auditing
+
+### Email Alerting System
+
+All critical system events are monitored and reported via email:
+
+- 🚫 **fail2ban** - IP ban notifications
+- 📦 **unattended-upgrades** - System update alerts
+- 💾 **MongoDB backups** - Backup failure alerts
+- 💾 **Redis backups** - Backup failure alerts
+- 🔴 **PM2 errors** - Application crash notifications
+- ⚠️ **systemd failures** - Service failure alerts
+
+> [!IMPORTANT]
+> Configure `POSTFIX_RCPTS` environment variable to receive alerts.
+
+### Rate Limiting
+
+Email alerts are rate-limited to prevent flooding:
+- **Limit**: 10 emails per hour per service
+- **Tracking**: JSON-based in `/var/lib/email-rate-limits/`
+- **Logging**: All rate limit events logged to syslog
+
+---
+
+## 🔗 Related Resources
+
+### External Documentation
+
+- [MongoDB Official Documentation](https://docs.mongodb.com/)
+- [Redis Documentation](https://redis.io/documentation)
+- [Valkey Documentation](https://valkey.io/docs/)
+- [Ansible Documentation](https://docs.ansible.com/)
+- [PM2 Documentation](https://pm2.keymetrics.io/docs/)
+
+### Ansible Roles Used
+
+- `trfore/ansible-role-mongodb-install` v3.0.5 - MongoDB installation
+- `hifis.toolkit` collection v6.2.2 - System hardening and unattended upgrades
+
+> [!NOTE]
+> Valkey (Redis fork) is installed directly via APT packages without using Galaxy roles for maximum control and compatibility.
+
+---
+
+## 📝 Document Conventions
+
+Throughout this documentation, you'll see these GitHub-style alerts:
+
+> [!NOTE]
+> General information and helpful context
+
+> [!TIP]
+> Suggestions and best practices
+
+> [!IMPORTANT]
+> Critical information that must be followed
+
+> [!WARNING]
+> Potential issues or risks to be aware of
+
+> [!CAUTION]
+> Dangerous operations that could cause data loss or downtime
+
+---
+
+## 🤝 Contributing
+
+When adding new documentation:
+
+1. Use GitHub-style markdown alerts for important information
+2. Include practical examples and commands
+3. Add cross-references to related documents
+4. Keep the table of contents updated
+5. Test all commands before documenting them
+
+---
+
+## 📧 Support
+
+For questions or issues:
+
+1. Check the relevant guide in this directory
+2. Review the troubleshooting sections
+3. Check application logs: `/var/log/pm2/`, `/var/log/mongodb/`, `/var/log/redis/`
+4. Contact the infrastructure team
+
+---
+
+**Last Updated**: November 25, 2025  
+**Version**: 2.0.0  
+**Maintained By**: Forward Email Infrastructure Team