fix: added missing envs, ansible fixes and modernization, FAQ updates

Author: titanism

.env.defaults

@@ -1,3 +1,7 @@
+SSL_CERT_PATH=
+SSL_KEY_PATH=
+SSL_CA_PATH=
+BACKUP_SECRET=
 MONGO_BACKUP_BUCKET=forwardemail-backups
 REDIS_BACKUP_BUCKET=forwardemail-backups
 REDIS_DATA_DIR=/var/lib/redis

ansible/docs/README_MONGO_REDIS.md

@@ -73,7 +73,6 @@ ansible-galaxy install -r ansible/requirements.yml
 
 This installs:
 - `trfore.mongodb_install` v3.0.5 - MongoDB installation
-- `geerlingguy.redis` v1.9.0 - Redis installation
 
 ### Environment Variables
 

ansible/playbooks/certificates.yml

@@ -2,23 +2,40 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 ---
-- hosts: all
+# mail mongo and redis don't need this
+- hosts: imap:pop3:smtp:http:bree:sqlite:mx1:mx2
   name: Certificates
   vars_prompt:
     - name: input_key
-      prompt: Enter path to certificate private key file (e.g. /path/to/.ssl-key)
+      prompt: "Enter path to certificate private key file (e.g. /path/to/.ssl-key) [REQUIRED]"
       private: false
     - name: input_cert
-      prompt: Enter path to certificate full chain/certificate file (e.g. /path/to/.ssl-cert)
+      prompt: "Enter path to certificate full chain/certificate file (e.g. /path/to/.ssl-cert) [REQUIRED]"
       private: false
     - name: input_bundle
-      prompt: "Optional: Leave blank or enter path to certificate CA bundle file (e.g. /path/to/.ssl-ca)"
+      prompt: "Enter path to certificate CA bundle file (e.g. /path/to/.ssl-ca) [REQUIRED]"
       private: false
     - name: input_apple_key
       prompt: "Optional: Leave blank or enter path to Apple K8 certificate key file (e.g. /path/to/AuthKey_00000000000.p8)"
       private: false
 
   tasks:
+    # Validate required inputs
+    - name: Fail if key path is empty
+      fail:
+        msg: "Certificate private key path is required. Please re-run the playbook and provide a valid path."
+      when: (input_key is not defined) or (input_key | length == 0)
+
+    - name: Fail if cert path is empty
+      fail:
+        msg: "Certificate file path is required. Please re-run the playbook and provide a valid path."
+      when: (input_cert is not defined) or (input_cert | length == 0)
+
+    - name: Fail if bundle path is empty
+      fail:
+        msg: "CA bundle file path is required. Please re-run the playbook and provide a valid path."
+      when: (input_bundle is not defined) or (input_bundle | length == 0)
+
     # key file
     - name: Check if key file exists
       local_action: stat path={{ input_key }}
@@ -45,12 +62,11 @@
       local_action: stat path={{ input_bundle }}
       register: local_bundle_file
       become: false
-      when: (input_bundle is defined) and (input_bundle | length > 0)
 
     - name: Fail when local bundle file does not exist
       fail:
         msg: "bundle file does not exist: {{ input_bundle }}"
-      when: (input_bundle is defined) and (input_bundle | length > 0) and (not local_bundle_file.stat.exists)
+      when: not local_bundle_file.stat.exists
 
     # apple_key file
     - name: Check if apple_key file exists
@@ -101,7 +117,6 @@
         owner: deploy
         # https://chmodcommand.com/chmod-660/
         mode: "0660"
-      when: (input_bundle is defined) and (input_bundle | length > 0)
 
     # copy local apple_key
     - name: Copy local apple_key file to server

ansible/playbooks/env.yml

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 ---
-- hosts: all
+# mail mongo and redis don't need this
+- hosts: imap:pop3:smtp:http:bree:sqlite:mx1:mx2
   name: Env
   vars:
     env_path: "{{ inventory_dir }}/.env.production"

ansible/playbooks/mongo.yml

@@ -8,20 +8,68 @@
   import_playbook: ssh-keys.yml
 
 - hosts: mongo
-  name: Prepare for certificates
-  become: true
-  become_user: root
+  name: Certificate Paths
+  vars_prompt:
+    - name: input_key
+      prompt: "Enter path to certificate private key file on local machine (e.g. /path/to/.ssl-key) [REQUIRED]"
+      private: false
+    - name: input_cert
+      prompt: "Enter path to certificate full chain/certificate file on local machine (e.g. /path/to/.ssl-cert) [REQUIRED]"
+      private: false
+    - name: input_ca
+      prompt: "Enter path to certificate CA bundle file on local machine (e.g. /path/to/.ssl-ca) [REQUIRED]"
+      private: false
   tasks:
-    - name: Ensure /var/www/production directory exists for certificates
-      file:
-        path: /var/www/production
-        state: directory
-        owner: deploy
-        group: deploy
-        mode: "0755"
-
-- name: Import certificates playbook
-  import_playbook: certificates.yml
+    - name: Fail if key path is empty
+      fail:
+        msg: "Certificate private key path is required. Please re-run the playbook and provide a valid path."
+      when: (input_key is not defined) or (input_key | length == 0)
+
+    - name: Fail if cert path is empty
+      fail:
+        msg: "Certificate file path is required. Please re-run the playbook and provide a valid path."
+      when: (input_cert is not defined) or (input_cert | length == 0)
+
+    - name: Fail if CA path is empty
+      fail:
+        msg: "CA bundle file path is required. Please re-run the playbook and provide a valid path."
+      when: (input_ca is not defined) or (input_ca | length == 0)
+
+    - name: Check if key file exists locally
+      local_action: stat path={{ input_key }}
+      become: false
+      register: local_key_file
+
+    - name: Fail when local key file does not exist
+      fail:
+        msg: "key file does not exist: {{ input_key }}"
+      when: not local_key_file.stat.exists
+
+    - name: Check if cert file exists locally
+      local_action: stat path={{ input_cert }}
+      become: false
+      register: local_cert_file
+
+    - name: Fail when local cert file does not exist
+      fail:
+        msg: "cert file does not exist: {{ input_cert }}"
+      when: not local_cert_file.stat.exists
+
+    - name: Check if CA file exists locally
+      local_action: stat path={{ input_ca }}
+      become: false
+      register: local_ca_file
+
+    - name: Fail when local CA file does not exist
+      fail:
+        msg: "CA file does not exist: {{ input_ca }}"
+      when: not local_ca_file.stat.exists
+
+    - name: Store certificate paths as facts
+      set_fact:
+        ssl_key_path: "{{ input_key }}"
+        ssl_cert_path: "{{ input_cert }}"
+        ssl_ca_path: "{{ input_ca }}"
 
 - hosts: mongo
   name: Hostname
@@ -33,9 +81,6 @@
         that:
           - lookup('env', 'MONGO_HOST') != ''
           - lookup('env', 'MONGO_PORT') != ''
-          - lookup('env', 'SSL_CERT_PATH') != ''
-          - lookup('env', 'SSL_KEY_PATH') != ''
-          - lookup('env', 'SSL_CA_PATH') != ''
           - lookup('env', 'AWS_ACCESS_KEY_ID') != ''
           - lookup('env', 'AWS_SECRET_ACCESS_KEY') != ''
           - lookup('env', 'AWS_ENDPOINT_URL') != ''
@@ -184,32 +229,30 @@
         group: mongodb
         mode: "0750"
 
-    - name: Copy SSL certificate from /var/www/production to MongoDB directory
+    # Copy SSL certificates directly from local machine to MongoDB directory
+    - name: Copy SSL certificate to MongoDB directory
       copy:
-        src: "{{ lookup('env', 'SSL_CERT_PATH') }}"
+        src: "{{ hostvars[inventory_hostname]['ssl_cert_path'] }}"
         dest: /etc/mongodb/ssl/mongodb.crt
         owner: mongodb
         group: mongodb
         mode: "0400"
-        remote_src: yes
 
-    - name: Copy SSL private key from /var/www/production to MongoDB directory
+    - name: Copy SSL private key to MongoDB directory
       copy:
-        src: "{{ lookup('env', 'SSL_KEY_PATH') }}"
+        src: "{{ hostvars[inventory_hostname]['ssl_key_path'] }}"
         dest: /etc/mongodb/ssl/mongodb.key
         owner: mongodb
         group: mongodb
         mode: "0400"
-        remote_src: yes
 
-    - name: Copy CA certificate from /var/www/production to MongoDB directory
+    - name: Copy CA certificate to MongoDB directory
       copy:
-        src: "{{ lookup('env', 'SSL_CA_PATH') }}"
+        src: "{{ hostvars[inventory_hostname]['ssl_ca_path'] }}"
         dest: /etc/mongodb/ssl/ca.pem
         owner: mongodb
         group: mongodb
         mode: "0400"
-        remote_src: yes
 
     - name: Create MongoDB TLS/SSL certificate PEM file (cert + key)
       shell: |
@@ -219,22 +262,6 @@
       args:
         creates: /etc/mongodb/ssl/mongodb.pem
 
-    # Clean up certificates from /var/www/production for security
-    - name: Remove SSL certificate from /var/www/production (security cleanup)
-      file:
-        path: "{{ lookup('env', 'SSL_CERT_PATH') }}"
-        state: absent
-
-    - name: Remove SSL private key from /var/www/production (security cleanup)
-      file:
-        path: "{{ lookup('env', 'SSL_KEY_PATH') }}"
-        state: absent
-
-    - name: Remove CA certificate from /var/www/production (security cleanup)
-      file:
-        path: "{{ lookup('env', 'SSL_CA_PATH') }}"
-        state: absent
-
     - name: Configure MongoDB TLS/SSL in mongod.conf
       blockinfile:
         path: /etc/mongod.conf