mirror of
https://github.com/RWejlgaard/pez-infra.git
synced 2026-07-04 15:46:16 +00:00
The docs still described Cloudflare as DNS + CDN in front of helsinki-a, but that was dropped in #90 - pez.sh lives on Hetzner DNS via Terraform now and records point straight at the origin. Updated README, architecture, networking, getting-started and the nuremberg-a host doc to match, and noted that pez.solutions still resolves via Cloudflare outside Terraform.

Also fixed while I was in there:

- terraform/README: PagerDuty provider is ~> 3.32 (table said ~> 2.2), and the B2 secret keys are backblaze_keyID/backblaze_applicationKey
- secrets docs: group_vars secrets file is .enc.yaml, dropped the FreeBSD install steps, the long-gone .sops.yaml placeholder note and the ANSIBLE_VAULT_PASS migration note, swapped the cloudflare_record example for hcloud
- getting-started referenced ansible/scripts/sops-setup.sh which doesn't exist
- added naveen.pez.sh to the subdomain tables and a note about the DNS-only records (mail, minecraft, wow, public)
40 lines
1.5 KiB
Markdown
# nuremberg-a
Dedicated mail server. One job, does it well.
## Overview
| | |
|---|---|
| **Location** | Hetzner Cloud (Nuremberg) |
| **OS** | Debian 13 (Trixie) |
| **Tailscale IP** | 100.70.180.24 |
| **Role** | Mail server (poste.io) |
| **Provider** | Hetzner Cloud VPS |
## Services
| Service | Ports | Deployment |
|---------|-------|-----------|
| poste.io | 25, 80, 110, 143, 443, 465, 587, 993, 995 | Docker |
poste.io is a batteries-included mail server that bundles postfix, dovecot, rspamd, and webmail into a single Docker container. No juggling separate containers for each mail component.
The compose definition lives at `ansible/services/poste-io/docker-compose.yml` and is deployed via the `docker_services` Ansible role (see `ansible/inventory/host_vars/nuremberg-a.yml`).
## Why a separate server
Mail lives on its own VPS to isolate its IP reputation. If the IP gets flagged for any reason, it doesn't affect the rest of the infrastructure. And if something else gets flagged, it doesn't affect mail deliverability.
## DNS
Mail-related DNS records are managed in Hetzner DNS (Terraform, `terraform/hetzner/dns.tf`):
- **MX** record for inbound mail routing
- **SPF** for sender verification
- **DKIM** for message signing
- **DMARC** for policy enforcement
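The four records above are only useful if their values are actually strict. The following script is an added example (not part of this repo) that audits MX, SPF, DKIM and DMARC values offline: paste in what `dig +short` or the Terraform plan shows and it reports the usual weaknesses (softfail SPF, `p=none` DMARC, empty DKIM key, missing report address). The `example.com` records at the bottom are constructed; replace them with the real values from `dns.tf`.

```python
"""Offline sanity check for the four mail DNS records (MX, SPF, DKIM, DMARC).

Record values are passed in as plain strings, e.g. copied from `dig +short`
output or from the Terraform plan, so the check runs without network access.
The sample records at the bottom are constructed for this example.
"""
import re

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 of them).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")


def parse_tags(txt):
    """Parse a 'k=v; k2=v2' tag list as used by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_mx(records):
    if not records:
        return ["MX: no record, inbound mail cannot be delivered"]
    findings = []
    for rec in records:
        _prio, host = rec.split(None, 1)
        if not host.endswith("."):
            findings.append(f"MX: host {host!r} should be fully qualified (trailing dot)")
    return findings


def check_spf(txt):
    if not txt.lower().startswith("v=spf1"):
        return ["SPF: record does not start with v=spf1"]
    terms = txt.split()[1:]
    final = terms[-1] if terms else ""
    findings = []
    if final in ("all", "+all", "?all"):
        findings.append(f"SPF: '{final}' lets any host send as the domain; use -all")
    elif final == "~all":
        findings.append("SPF: '~all' is softfail only; move to -all once DMARC is enforced")
    elif final != "-all":
        findings.append("SPF: no terminal 'all' mechanism")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms, RFC 7208 permits at most 10")
    return findings


def check_dkim(txt):
    tags = parse_tags(txt)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: v= must be DKIM1 if present")
    if not tags.get("p"):
        findings.append("DKIM: empty or missing p= (public key); signatures cannot verify")
    if tags.get("t") == "y":
        findings.append("DKIM: t=y marks the selector as testing; verifiers may ignore failures")
    return findings


def check_dmarc(txt):
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must begin with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are never received")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail flow")
    return findings


def audit(records):
    """records = {'mx': [str, ...], 'spf': str, 'dkim': str, 'dmarc': str}."""
    return (check_mx(records.get("mx", []))
            + check_spf(records.get("spf", ""))
            + check_dkim(records.get("dkim", ""))
            + check_dmarc(records.get("dmarc", "")))


# Constructed sample records for a hypothetical example.com mail host.
GOOD = {
    "mx": ["10 mail.example.com."],
    "spf": "v=spf1 mx -all",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexample",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
WEAK = {
    "mx": ["10 mail.example.com"],
    "spf": "v=spf1 mx include:_spf.example.net ~all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=",
    "dmarc": "v=DMARC1; p=none; pct=50",
}

if __name__ == "__main__":
    for label, recs in (("good", GOOD), ("weak", WEAK)):
        print(label, audit(recs) or ["no findings"])
```

`audit(GOOD)` returns an empty list; `audit(WEAK)` returns seven findings. The DKIM check only looks at the published TXT value, so it does not tell you whether poste.io is actually signing with the selector that record belongs to; send a message to an external mailbox and inspect the `Authentication-Results` header for that.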
## Firewall
Managed by Hetzner Cloud firewall rules (Terraform, `terraform/hetzner/firewall.tf`). Mail ports are exposed via Docker port mappings in `ansible/services/poste-io/docker-compose.yml`.
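Because the allowed ports live in `firewall.tf` and the published ports live in `docker-compose.yml`, the two drift apart easily. The script below is an added example (not part of this repo) that reconciles them: it takes a compose `ports` list and a list of firewall rules in the shape of the hcloud provider's `rule` blocks (`direction`, `protocol`, `port`, `source_ips`) and reports ports that are published but blocked, and ports that are open but unused. The port list mirrors the poste.io table above; the firewall rules, the loopback-only metrics port and the Tailscale-scoped SSH rule are constructed for the example and carry two deliberate mistakes.

```python
"""Reconcile the ports a compose file publishes with the inbound rules of a
Hetzner Cloud style firewall, so the two stay in step.

A published port that the firewall does not allow means a dead service; an
allowed port that nothing publishes is needless exposure. The port mappings
and rules below are constructed for this example.
"""


def expand_ports(spec):
    """'25' -> {25}; '8000-8010' -> {8000..8010}; 'any' -> all TCP/UDP ports."""
    spec = str(spec)
    if spec == "any":
        return set(range(1, 65536))
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def parse_compose_port(mapping):
    """Split a compose 'ports' entry into (host_ip, host_port_spec, protocol).

    Accepts 'HOST:CONTAINER', 'IP:HOST:CONTAINER' and a trailing '/udp'.
    IPv6 host addresses in brackets are not handled here.
    """
    spec, proto = str(mapping), "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    parts = spec.split(":")
    if len(parts) == 3:
        host_ip, host_port = parts[0], parts[1]
    elif len(parts) == 2:
        host_ip, host_port = "0.0.0.0", parts[0]
    else:
        # 'CONTAINER' only: Docker picks a random host port, so there is
        # nothing fixed to reconcile against a firewall rule.
        return None
    return host_ip, host_port, proto.lower()


def published_ports(port_mappings):
    """(port, proto) pairs a compose file publishes on a non-loopback address."""
    exposed = set()
    for mapping in port_mappings:
        parsed = parse_compose_port(mapping)
        if parsed is None:
            continue
        host_ip, host_port, proto = parsed
        if host_ip.startswith("127.") or host_ip == "::1":
            continue
        exposed |= {(p, proto) for p in expand_ports(host_port)}
    return exposed


def allowed_ports(rules):
    """(port, proto) pairs that inbound TCP/UDP rules open to any source."""
    allowed = set()
    for rule in rules:
        if rule["direction"] != "in" or rule["protocol"] not in ("tcp", "udp"):
            continue
        if not any(src in ("0.0.0.0/0", "::/0") for src in rule["source_ips"]):
            continue  # rules scoped to specific networks are not Internet exposure
        allowed |= {(p, rule["protocol"]) for p in expand_ports(rule["port"])}
    return allowed


def reconcile(port_mappings, rules):
    published = published_ports(port_mappings)
    allowed = allowed_ports(rules)
    return {
        "unreachable": sorted(published - allowed),      # published, but blocked
        "unused_openings": sorted(allowed - published),  # allowed, nothing listens
    }


# Constructed compose port list: the poste.io ports from the table above plus
# a loopback-only metrics port that must not show up as exposed.
COMPOSE_PORTS = ["25:25", "80:80", "110:110", "143:143", "443:443",
                 "465:465", "587:587", "993:993", "995:995",
                 "127.0.0.1:9000:9000"]

# Constructed firewall rules with two deliberate mistakes: 995 is missing and
# 8080 is open although nothing publishes it. The SSH rule is scoped to the
# Tailscale (CGNAT) range, so it is not counted as Internet exposure.
FIREWALL_RULES = [
    {"direction": "in", "protocol": "tcp", "port": str(p), "source_ips": ["0.0.0.0/0", "::/0"]}
    for p in (25, 80, 110, 143, 443, 465, 587, 993, 8080)
] + [
    {"direction": "in", "protocol": "tcp", "port": "22", "source_ips": ["100.64.0.0/10"]},
    {"direction": "in", "protocol": "icmp", "port": None, "source_ips": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for kind, ports in reconcile(COMPOSE_PORTS, FIREWALL_RULES).items():
        print(f"{kind}: {ports}")
```

Running it on the constructed data reports `995/tcp` as unreachable and `8080/tcp` as an unused opening. Note that the Hetzner Cloud firewall is enforced outside the VM, so unlike host-based ufw/iptables it is not bypassed by Docker's own port publishing rules; that is exactly why the Terraform rule list, not the compose file, is the thing that decides what is reachable.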