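# Dovecot mailbox backup relay (replacement for the old KVM
# bareos-mailbackup-relay.isti.cnr.it).
#
# AlmaLinux 9 VM in the S2I2S OpenStack project. It receives the per-user
# mdbox trees pushed by the imap{1..4}-b backends via `doveadm backup` /
# `dsync` over SSH and stages them on a large dedicated data volume; bareos-fd
# (port 9102) running on this host backs that volume up to the Bareos Director.
#
# On the production IMAP servers attachments are single-instance (shared
# between recipients); `doveadm backup` breaks that deduplication, so the
# staging tree needs far more space than the old 1.5 TB relay. Hence the 5 TB
# data volume here.
#
# Exposure summary (what this file opens on the relay's floating IP):
#   - tcp/22   from local.ssh_source_cidr (the whole S2I2S /22, not only the
#              four imap backends)
#   - tcp/9102 from the Director address only (/32)
#   plus whatever the project-wide default security group allows; that group
#   is defined in ../project-setup and is not visible here.

# Network / DNS / router resources of the project
data "terraform_remote_state" "privnet_dns_router" {
  backend = "local"
  config = {
    path = "../main_net_dns_router/terraform.tfstate"
  }
}

# Project core resources (security groups, etc.)
data "terraform_remote_state" "project_setup" {
  backend = "local"
  config = {
    path = "../project-setup/terraform.tfstate"
  }
}

module "labs_common_variables" {
  source = "../../modules/labs_common_variables"
}

module "ssh_settings" {
  source = "../../modules/ssh-key-ref"
}

locals {
  # Bareos Director address (bareos-fd listens for it on 9102)
  bareos_director_cidr = "146.48.28.141/32"

  # S2I2S area network: the imap backends SSH in from here to push mailboxes,
  # and it is also the admin network. Every host in this /22 can reach sshd on
  # the relay; restricting to the four backends would have to be done at the
  # sshd / authorized_keys level, not in this security group.
  ssh_source_cidr = "146.48.28.0/22"

  # From the network/DNS remote state
  dns_zone                = data.terraform_remote_state.privnet_dns_router.outputs.dns_zone
  dns_zone_id             = data.terraform_remote_state.privnet_dns_router.outputs.dns_zone_id
  main_private_network_id = data.terraform_remote_state.privnet_dns_router.outputs.main_private_network_id
  main_private_subnet_id  = data.terraform_remote_state.privnet_dns_router.outputs.main_subnet_network_id
  floating_ip_pool        = data.terraform_remote_state.privnet_dns_router.outputs.floating_ip_pools.main_public_ip_pool

  # From the project-setup remote state
  default_security_group_id = data.terraform_remote_state.project_setup.outputs.default_security_group_id

  # From common variables
  availability_zone = module.labs_common_variables.availability_zones_names.availability_zone_no_gpu
}

# --- Security group: SSH from the area network + bareos-fd from the Director ---
#
# delete_default_rules = true drops the provider-created allow-all egress
# rules, so this group contributes only the two ingress rules below; egress
# (the Bareos client needs none of its own, it is the Director that connects
# in) comes from the project default group attached to the same port.
resource "openstack_networking_secgroup_v2" "relay_access" {
  name                 = "mailbackup-relay-access"
  description          = "SSH from the S2I2S area network and bareos-fd from the Director"
  delete_default_rules = true
}

resource "openstack_networking_secgroup_rule_v2" "ssh_ingress" {
  security_group_id = openstack_networking_secgroup_v2.relay_access.id
  description       = "SSH from the S2I2S area network (imap backends push + admin)"
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = local.ssh_source_cidr
}

# bareos-fd is reachable only from the Director's /32; the authentication and
# TLS between fd and Director are configured in Bareos itself, not here.
resource "openstack_networking_secgroup_rule_v2" "bareos_fd_ingress" {
  security_group_id = openstack_networking_secgroup_v2.relay_access.id
  description       = "bareos-fd from the Bareos Director"
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 9102
  port_range_max    = 9102
  remote_ip_prefix  = local.bareos_director_cidr
}

# --- Network port (main private network) ---
resource "openstack_networking_port_v2" "relay_port" {
  name           = "mailbackup-relay-port"
  admin_state_up = true
  network_id     = local.main_private_network_id

  # Both groups apply: the project default one (defined elsewhere) and the
  # relay-specific one above.
  security_group_ids = [
    local.default_security_group_id,
    openstack_networking_secgroup_v2.relay_access.id,
  ]

  fixed_ip {
    subnet_id = local.main_private_subnet_id
  }
}

# --- Data volume (5 TB, SSD-backed) ---
#
# Between a backend push and the next Bareos run this volume holds the only
# copy of the staged mailboxes, so it must not go away with a careless
# `terraform destroy` or a resource replacement: prevent_destroy makes
# Terraform refuse both until the setting is removed on purpose.
resource "openstack_blockstorage_volume_v3" "relay_data_vol" {
  name                 = "mailbackup-relay-data"
  size                 = 5120
  volume_type          = "CephSSD"
  enable_online_resize = true

  # NOTE(review): no availability_zone is set here while the instance uses
  # local.availability_zone; if the cloud has more than one zone, confirm the
  # volume lands where the instance can attach it.

  lifecycle {
    prevent_destroy = true
  }
}

# --- Compute instance ---
resource "openstack_compute_instance_v2" "relay" {
  name                    = "mailbackup-relay"
  availability_zone_hints = local.availability_zone
  flavor_name             = "m2.medium"
  key_pair                = module.ssh_settings.ssh_key_name

  # 20 GB boot volume created from the AlmaLinux 9 image; kept on termination
  # so an accidental instance deletion does not take the OS disk with it.
  block_device {
    uuid                  = module.labs_common_variables.almalinux_9.uuid
    source_type           = "image"
    volume_size           = 20
    boot_index            = 0
    destination_type      = "volume"
    delete_on_termination = false
  }

  network {
    port = openstack_networking_port_v2.relay_port.id
  }

  # Plain expression instead of an interpolation-only "${...}" string (same
  # value, avoids the deprecation warning).
  user_data = file(module.labs_common_variables.almalinux9_data_file)

  # Rotating the key pair, changing cloud-init or re-plugging the port would
  # otherwise force a rebuild of the relay; those are handled out of band.
  lifecycle {
    ignore_changes = [
      key_pair,
      user_data,
      network,
    ]
  }
}

# --- Attach the data volume ---
resource "openstack_compute_volume_attach_v2" "relay_data_attach" {
  instance_id = openstack_compute_instance_v2.relay.id
  volume_id   = openstack_blockstorage_volume_v3.relay_data_vol.id
  device      = "/dev/vdb"
}

# --- Floating IP ---
resource "openstack_networking_floatingip_v2" "relay_ip" {
  pool        = local.floating_ip_pool
  description = "Dovecot mailbox backup relay"
}

resource "openstack_networking_floatingip_associate_v2" "relay_ip" {
  floating_ip = openstack_networking_floatingip_v2.relay_ip.address
  port_id     = openstack_networking_port_v2.relay_port.id
}

# --- DNS record ---
resource "openstack_dns_recordset_v2" "relay_dns" {
  zone_id     = local.dns_zone_id
  name        = "mailbackup-relay.${local.dns_zone.name}"
  description = "Public IP of the Dovecot mailbox backup relay"
  # NOTE(review): 8600 is an unusual TTL (neither 3600 nor 86400); left as
  # found — confirm it is intended.
  ttl         = 8600
  type        = "A"
  records     = [openstack_networking_floatingip_v2.relay_ip.address]
}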