feat: implement dovecot backend server with postfix virtual mailbox integration

- create profiles::dovecot::backend class for IMAPS server configuration - add virtual mailbox support to profiles::postfix::gateway with enable_dovecot parameter - restructure common hieradata elements into mail.yaml - add virtual mailbox and alias map templates with ERB generation - add comprehensive type validation using Stdlib::Email, Stdlib::Fqdn, Stdlib::IP types - configure vmail user (UID/GID 5000) with shared storage on /shared/apps/maildata - update roles::infra::mail::backend to include both dovecot and postfix profiles
2025-11-02 11:53:02 +11:00
45 changed files with 300 additions and 1717 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+sources/
--- a/hieradata/common.eyaml
+++ b/hieradata/common.eyaml
@ -1,6 +1,6 @@
 ---
 profiles::accounts::sysadmin::password: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoS7GyofFaXBNTWU+GtSiz4eCX/9j/sh3fDDRgOgNv1qpcQ87ZlTTenbHo9lxeURxKQ2HVVt7IsrBo/SC/WgipAKnliRkkIvo7nfAs+i+kEE8wakjAs0DcB4mhqtIZRuBkLG2Nay//DcG6cltVkbKEEKmKLMkDFZgTWreOZal8nDljpVe1S8QwtwP4/6hKTef5xsOnrisxuffWTXvwYJhj/VXrjdoH7EhtHGLybzEalglkVHEGft/WrrD/0bwJpmR0RegWI4HTsSvGiHgvf5DZJx8fXPZNPnicGtlfA9ccQPuVo17bY4Qf/WIc1A8Ssv4kHSbNIYJKRymI3UFb0Z4wzBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBBxDLb6pCGbittkcX6asd/gEBmMcUNupDjSECq5H09YA70eVwWWe0fBqxTxrr2cXCXtRKFvOk8SJmL0xHAWodaLN9+krTWHJcWbAK8JXEPC7rn]
-profiles::accounts::root::password: ENC[PKCS7,MIIB2gYJKoZIhvcNAQcDoIIByzCCAccCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAIgzGQLoHrm7JSnWG4vdAtxSuETmnqbV7kUsQS8WCRUwFGenDFkps+OGMnOGEHLzMJzXihLfgfdWwTAI4fp48M+zhTMo9TQkdzZqtbFk3+RjV2jDF0wfe4kVUIpReOq+EkaDSkoRSG8V6hWvszhDHUrJBC9eDhomL0f3xNAWxmy5EIX/uMEvg9Ux5YX+E6k2pEIKnHNoVIaWDojlofSIzIqTSS7l3jQtJhs3YqBzLL1DsoF1kdn+Rwl5kcsKkhV+vzl76wEbpYVZW8lu4bFfP6QHMLPcep2tuUDMCDvARRXD7YyZcAtS7aMuqll+BLAszpWxAA7EU2hgvdr6t2uyVCTCBnAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ4D5oDoyE6LPdjpVtGPoJD4BwfnQ9ORjYFPvHQmt+lgU4jMqh6BhqP0VN3lqVfUpOmiVMIqkO/cYtlwVLKEg36TPCHBSpqvhuahSF5saCVr8JY3xWOAmTSgnNjQOPlGrPnYWYbuRLxVRsU+KUkpAzR0c6VN0wYi6bI85Pcv8yHF3UYA==]
+profiles::accounts::root::password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAM79PRxeAZHrDcSm4eSFqU94/LjuSbdUmJWivX/Pa8GumoW2e/PT9nGHW3p98zHthMgCglk52PECQ+TBKjxr+9dTyNK5ePG6ZJEqSHNRqsPGm+kfQj/hlTmq8vOBaFM5GapD1iTHs5JFbGngI56swKBEVXW9+Z37BjQb2xJuyLsu5Bo/tA0BaOKuCtjq1a6E38bOX+nJ+YF1uZgV9ofAEh1YvkcTmnEWYXFRPWd7AaNcWn03V2pfhGqxc+xydak620I47P+FE+qIY72+aQ6tmLU3X9vyA1HLF2Tv572l4a2i+YIk6nAgQdi+hQKznqNL9M9YV+s1AcmcKLT7cfLrjsjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCMWrdCWBQgtW3NOEpERwP+gBA3KDiqe4pQq6DwRfsEXQNZ]
 profiles::consul::client::secret_id_salt: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAS7pNFRX4onccFaR87zB/eFFORuF22j6xqjyeAqqjgEduYhkt6w5kkz+YfUoHUesU0Q6F2p6HrCSZ8yAsx5M25NCiud9P4hIpjKmOZ4zCNO7uhATh4AQDYw3BrdRwfO+c6jOl5wOiNLCfDBJ0sFT3akCvcuPS1xIoRJq4Gyn+uCbOsMbvSl25ld2xKt1/cqs8gc1d8mkpjwWto7t+qZSUFMCehTbehH3G4a3Q5rvfBoNwv42Wbs676BDcCurDaAzHNqE7pDbOWhGuVOBl+q+BU0Ri/CRkGcTViN9fr8Dc9SveVC6EPsMbw+05/8/NlfzQse3KAwQ34nR9tR2PQw5qEzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB7LywscQtF7cG2nomfEsu9gDDVqJBFP1jAX2eGZ2crYS5gnBcsRwhc0HNo2/WWdhZprMW+vEJOOGXDelI53NxA3o0=]
 profiles::consul::token::node_editor::secret_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAO8IIF2r18dFf0bVKEwjJUe1TmXHH0AIzsQHxkHwV7d37kvH1cY9rYw0TtdHn7GTxvotJG7GZbWvbunpBs1g2p2RPADiM6TMhbO8mJ0tAWLnMk7bQ221xu8Pc7KceqWmU17dmgNhVCohyfwJNqbA756TlHVgxGA0LtNrKoLOmgKGXAL1VYZoKEQnWq7xOpO+z3e1UfjoO6CvX/Od2hGYfUkHdro8mwRw4GFKzU7XeKFdAMUGpn5rVmY3xe+1ARXwGFaSrTHzk2n85pvwhPRlQ+OwqzyT19Qo2FNeAO6RoCRIFTtqbsjTWPUlseHIhw4Q5bHO1I0Mrlm5IHDESw/22IzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCEe9wD72qxnpeq5nCi/d7BgDCP29sDFObkFTabt2uZ/nF9MT1g+QOrrdFKgnG6ThnwH1hwpZPsSVgIs+yRQH8laB4=]
 profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=]
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -129,9 +129,6 @@ lookup_options:
  profiles::ceph::client::keyrings:
    merge:
      strategy: deep
-  profiles::ceph::conf::config:
-    merge:
-      strategy: deep
  profiles::nginx::simpleproxy::locations:
    merge:
      strategy: deep
@ -170,12 +167,6 @@ lookup_options:
  postfix::virtuals:
    merge:
      strategy: deep
-  stalwart::postgresql_password:
-    convert_to: Sensitive
-  stalwart::s3_secret_key:
-    convert_to: Sensitive
-  stalwart::fallback_admin_password:
-    convert_to: Sensitive

 facts_path: '/opt/puppetlabs/facter/facts.d'

@ -407,49 +398,6 @@ profiles::ceph::conf::config:
      198.18.23.5/32,198.18.23.6/32,198.18.23.7/32,198.18.23.8/32,
      198.18.23.9/32,198.18.23.10/32,198.18.23.11/32,198.18.23.12/32,
      198.18.23.13/32
-  client.rgw.ausyd1nxvm2115:
-    rgw_realm: unkin
-    rgw_zonegroup: au
-    rgw_zone: syd1
-  client.rgw.ausyd1nxvm2116:
-    rgw_realm: unkin
-    rgw_zonegroup: au
-    rgw_zone: syd1
-  client.rgw.ausyd1nxvm2117:
-    rgw_realm: unkin
-    rgw_zonegroup: au
-    rgw_zone: syd1
-  client.rgw.ausyd1nxvm2118:
-    rgw_realm: unkin
-    rgw_zonegroup: au
-    rgw_zone: syd1
-  client.rgw.ausyd1nxvm2119:
-    rgw_realm: unkin
-    rgw_zonegroup: au
-    rgw_zone: syd1
-  mds:
-    keyring: /var/lib/ceph/mds/ceph-$id/keyring
-    mds_standby_replay: true
-  mds.prodnxsr0009-1:
-    host: prodnxsr0009
-  mds.prodnxsr0009-2:
-    host: prodnxsr0009
-  mds.prodnxsr0010-1:
-    host: prodnxsr0010
-  mds.prodnxsr0010-2:
-    host: prodnxsr0010
-  mds.prodnxsr0011-1:
-    host: prodnxsr0011
-  mds.prodnxsr0011-2:
-    host: prodnxsr0011
-  mds.prodnxsr0012-1:
-    host: prodnxsr0012
-  mds.prodnxsr0012-2:
-    host: prodnxsr0012
-  mds.prodnxsr0013-1:
-    host: prodnxsr0013
-  mds.prodnxsr0013-2:
-    host: prodnxsr0013

 #profiles::base::hosts::additional_hosts:
 #  - ip: 198.18.17.9
--- a/hieradata/country/au/region/syd1.yaml
+++ b/hieradata/country/au/region/syd1.yaml
@ -5,5 +5,3 @@ profiles_dns_upstream_forwarder_unkin:
  - 198.18.19.15
 profiles_dns_upstream_forwarder_consul:
  - 198.18.19.14
-profiles_dns_upstream_forwarder_k8s:
-  - 198.18.19.20
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
@ -11,11 +11,6 @@ profiles::haproxy::dns::vrrp_cnames:
  - fafflix.unkin.net
  - grafana.unkin.net
  - dashboard.ceph.unkin.net
-  - mail-webadmin.main.unkin.net
-  - mail-in.main.unkin.net
-  - mail.main.unkin.net
-  - autoconfig.main.unkin.net
-  - autodiscover.main.unkin.net

 profiles::haproxy::mappings:
  fe_http:
@ -34,9 +29,6 @@ profiles::haproxy::mappings:
      - 'git.unkin.net be_gitea'
      - 'grafana.unkin.net be_grafana'
      - 'dashboard.ceph.unkin.net be_ceph_dashboard'
-      - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
-      - 'autoconfig.main.unkin.net be_stalwart_webadmin'
-      - 'autodiscovery.main.unkin.net be_stalwart_webadmin'
  fe_https:
    ensure: present
    mappings:
@ -53,9 +45,6 @@ profiles::haproxy::mappings:
      - 'git.unkin.net be_gitea'
      - 'grafana.unkin.net be_grafana'
      - 'dashboard.ceph.unkin.net be_ceph_dashboard'
-      - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
-      - 'autoconfig.main.unkin.net be_stalwart_webadmin'
-      - 'autodiscovery.main.unkin.net be_stalwart_webadmin'

 profiles::haproxy::frontends:
  fe_http:
@ -77,9 +66,6 @@ profiles::haproxy::frontends:
        - 'acl_gitea req.hdr(host) -i git.unkin.net'
        - 'acl_grafana req.hdr(host) -i grafana.unkin.net'
        - 'acl_ceph_dashboard req.hdr(host) -i dashboard.ceph.unkin.net'
-        - 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
-        - 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
-        - 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@ -98,7 +84,6 @@ profiles::haproxy::frontends:
        - 'set-header X-Frame-Options DENY if acl_gitea'
        - 'set-header X-Frame-Options DENY if acl_grafana'
        - 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
-        - 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
        - 'set-header X-Content-Type-Options nosniff'
        - 'set-header X-XSS-Protection 1;mode=block'

@ -301,83 +286,7 @@ profiles::haproxy::backends:
        - add-header X-Forwarded-Proto https if { dst_port 9443 }
      redirect: 'scheme https if !{ ssl_fc }'
      stick-table: 'type ip size 200k expire 30m'
-  be_stalwart_webadmin:
-    description: Backend for Stalwart Webadmin
-    collect_exported: false # handled in custom function
-    options:
-      balance: roundrobin
-      option:
-        - httpchk GET /
-        - forwardfor
-        - http-keep-alive
-        - prefer-last-server
-      cookie: SRVNAME insert indirect nocache
-      http-reuse: always
-      http-check:
-        - expect status 200
-      http-request:
-        - set-header X-Forwarded-Port %[dst_port]
-        - add-header X-Forwarded-Proto https if { dst_port 9443 }
-      redirect: 'scheme https if !{ ssl_fc }'
-      stick-table: 'type ip size 200k expire 30m'
-  be_stalwart_imap:
-    description: Backend for Stalwart IMAP (STARTTLS)
-    collect_exported: false
-    options:
-      mode: tcp
-      balance: roundrobin
-      option:
-        - tcp-check
-        - prefer-last-server
-      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
-      tcp-check:
-        - connect port 143 send-proxy
-        - expect string "* OK"
-        - send "A001 STARTTLS\r\n"
-        - expect rstring "A001 (OK|2.0.0)"
-  be_stalwart_imaps:
-    description: Backend for Stalwart IMAPS (implicit TLS)
-    collect_exported: false
-    options:
-      mode: tcp
-      balance: roundrobin
-      option:
-        - tcp-check
-        - prefer-last-server
-      stick-table: 'type ip size 200k expire 30m'
-      stick: 'on src'
-      tcp-check:
-        - connect ssl send-proxy
-        - expect string "* OK"
-  be_stalwart_smtp:
-    description: Backend for Stalwart SMTP
-    collect_exported: false
-    options:
-      mode: tcp
-      balance: roundrobin
-      option:
-        - tcp-check
-        - prefer-last-server
-      stick-table: 'type ip size 200k expire 30m'
-      stick: 'on src'
-      tcp-check:
-        - connect port 25 send-proxy
-        - expect string "220 "
-  be_stalwart_submission:
-    description: Backend for Stalwart SMTP Submission
-    collect_exported: false
-    options:
-      mode: tcp
-      balance: roundrobin
-      option:
-        - tcp-check
-        - prefer-last-server
-      stick-table: 'type ip size 200k expire 30m'
-      stick: 'on src'
-      tcp-check:
-        - connect port 587 send-proxy
-        - expect string "220 "

 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
@ -400,7 +309,6 @@ profiles::pki::vault::alt_names:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - jellyfin.main.unkin.net
-  - mail-webadmin.main.unkin.net

 # additional cnames
 profiles::haproxy::dns::cnames:
--- a/hieradata/roles/infra/ceph/rgw.yaml
+++ b/hieradata/roles/infra/ceph/rgw.yaml
@ -38,7 +38,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
  - radosgw.service.au-syd1.consul
 profiles::nginx::simpleproxy::proxy_port: 7480
 profiles::nginx::simpleproxy::proxy_path: '/'
-nginx::client_max_body_size: 5000M
+nginx::client_max_body_size: 100M

 # manage consul service
 consul::services:
--- a/hieradata/roles/infra/dns/externaldns.eyaml
+++ b/hieradata/roles/infra/dns/externaldns.eyaml
@ -1,2 +0,0 @@
---
-externaldns::externaldns_key_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEABqbZiK1NDTU+w2k7orz2HrB0EXwun7hn4pR6TeCHMp2IfrkPxlQT+f1J9c0PqJaAKvnyz+Cx0xNCrlnONqk+J57f48kYKYV+Vw+L0AYHYFj8/TizY5CwLpJS2XKyfRd4iEsWMonvfIYn71t3+YuXm4dkoEqGekW93qCr/KFtjAu0K3e+ypyl4EJqWokiUs7IbcSBNvrjUkP4yR8F/wHVKM1E5yfr+D1+nmMmt7Ob/J+am14492TppE2C7Xadg4us+kdYtuBsv9kTSi1GwwqUDjbeJVmfK3pKHjXdF+PI07AFLzo5bBZTJOzQfQ4SywpH8R5BDQoUCyHiaskB5wrmSDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB2LU9ZhefSg9PqqkwnfV65gDBvXuXco0moKCGjHqm5KcojWCK1BoS/+mltlr8kw9grZjN9jxHRLn1FjgBlq418c8w=]
--- a/hieradata/roles/infra/dns/externaldns.yaml
+++ b/hieradata/roles/infra/dns/externaldns.yaml
@ -1,65 +0,0 @@
---
-hiera_include:
-  - externaldns
-  - frrouting
-  - exporters::frr_exporter
-
-externaldns::bind_master_hostname: 'ausyd1nxvm2127.main.unkin.net'
-externaldns::k8s_zones:
-  - 'k8s.syd1.au.unkin.net'
-  - '200.18.198.in-addr.arpa'
-externaldns::slave_servers:
-  - 'ausyd1nxvm2128.main.unkin.net'
-  - 'ausyd1nxvm2129.main.unkin.net'
-externaldns::externaldns_key_algorithm: 'hmac-sha256'
-
-# networking
-anycast_ip: 198.18.19.20
-systemd::manage_networkd: true
-systemd::manage_all_network_files: true
-networking::interfaces:
-  eth0:
-    type: physical
-    forwarding: true
-    dhcp: true
-  anycast0:
-    type: dummy
-    ipaddress: "%{hiera('anycast_ip')}"
-    netmask: 255.255.255.255
-    mtu: 1500
-
-# frrouting
-exporters::frr_exporter::enable: true
-frrouting::ospfd_router_id: "%{facts.networking.ip}"
-frrouting::ospfd_redistribute:
-  - connected
-frrouting::ospfd_interfaces:
-  eth0:
-    area: 0.0.0.0
-  anycast0:
-    area: 0.0.0.0
-frrouting::daemons:
-  ospfd: true
-
-# consul
-profiles::consul::client::node_rules:
-  - resource: service
-    segment: frr_exporter
-    disposition: write
-
-# additional repos
-profiles::yum::global::repos:
-  frr-extras:
-    name: frr-extras
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
-  frr-stable:
-    name: frr-stable
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
--- a/hieradata/roles/infra/dns/resolver.yaml
+++ b/hieradata/roles/infra/dns/resolver.yaml
@ -82,11 +82,6 @@ profiles::dns::resolver::zones:
      - 10.10.16.32
      - 10.10.16.33
    forward: 'only'
-  k8s.syd1.au.unkin.net-forward:
-    domain: 'k8s.syd1.au.unkin.net'
-    zone_type: 'forward'
-    forwarders: "%{alias('profiles_dns_upstream_forwarder_k8s')}"
-    forward: 'only'
  unkin.net-forward:
    domain: 'unkin.net'
    zone_type: 'forward'
@ -177,11 +172,6 @@ profiles::dns::resolver::zones:
    zone_type: 'forward'
    forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
    forward: 'only'
-  200.18.198.in-addr.arpa-forward:
-    domain: '200.18.198.in-addr.arpa'
-    zone_type: 'forward'
-    forwarders: "%{alias('profiles_dns_upstream_forwarder_k8s')}"
-    forward: 'only'
  consul-forward:
    domain: 'consul'
    zone_type: 'forward'
@ -198,7 +188,6 @@ profiles::dns::resolver::views:
      - network.unkin.net-forward
      - prod.unkin.net-forward
      - consul-forward
-      - k8s.syd1.au.unkin.net-forward
      - 13.18.198.in-addr.arpa-forward
      - 14.18.198.in-addr.arpa-forward
      - 15.18.198.in-addr.arpa-forward
--- a/hieradata/roles/infra/git/runner.yaml
+++ b/hieradata/roles/infra/git/runner.yaml
@ -8,9 +8,9 @@ docker::version: latest
 docker::curl_ensure: false
 docker::root_dir: /data/docker

-profiles::gitea::runner::instance: https://git.unkin.net
 profiles::gitea::runner::home: /data/runner
-profiles::gitea::runner::version: '0.2.12'
+profiles::gitea::runner::version: '0.2.10'
+profiles::gitea::runner::source: "https://gitea.com/gitea/act_runner/releases/download/v%{hiera('profiles::gitea::runner::version')}/act_runner-%{hiera('profiles::gitea::runner::version')}-linux-amd64"
 profiles::gitea::runner::config:
  log:
    level: info
--- a/hieradata/roles/infra/git/server.yaml
+++ b/hieradata/roles/infra/git/server.yaml
@ -71,7 +71,7 @@ profiles::nginx::simpleproxy::nginx_aliases:

 profiles::nginx::simpleproxy::proxy_port: 3000
 profiles::nginx::simpleproxy::proxy_path: '/'
-nginx::client_max_body_size: 5144M
+nginx::client_max_body_size: 1024M

 # enable external access via haproxy
 profiles::gitea::haproxy::enable: true
--- a/hieradata/roles/infra/halb/haproxy2.yaml
+++ b/hieradata/roles/infra/halb/haproxy2.yaml
@ -163,50 +163,6 @@ profiles::haproxy::frontends:
        - 'set-header X-Forwarded-Proto https'
        - 'set-header X-Real-IP %[src]'
        - 'use-service prometheus-exporter if { path /metrics }'
-  fe_imap:
-    description: 'Frontend for Stalwart IMAP (STARTTLS)'
-    bind:
-      0.0.0.0:143: []
-    mode: 'tcp'
-    options:
-      log: global
-      default_backend: be_stalwart_imap
-      tcp-request:
-        - inspect-delay 5s
-        - content accept if { req_len 0 }
-  fe_imaps:
-    description: 'Frontend for Stalwart IMAPS (implicit TLS)'
-    bind:
-      0.0.0.0:993: []
-    mode: 'tcp'
-    options:
-      log: global
-      default_backend: be_stalwart_imaps
-      tcp-request:
-        - inspect-delay 5s
-        - content accept if { req_len 0 }
-  fe_smtp:
-    description: 'Frontend for Stalwart SMTP'
-    bind:
-      0.0.0.0:25: []
-    mode: 'tcp'
-    options:
-      log: global
-      default_backend: be_stalwart_smtp
-      tcp-request:
-        - inspect-delay 5s
-        - content accept if { req_len 0 }
-  fe_submission:
-    description: 'Frontend for Stalwart SMTP Submission'
-    bind:
-      0.0.0.0:587: []
-    mode: 'tcp'
-    options:
-      log: global
-      default_backend: be_stalwart_submission
-      tcp-request:
-        - inspect-delay 5s
-        - content accept if { req_len 0 }

 profiles::haproxy::backends:
  be_letsencrypt:
--- a/hieradata/roles/infra/logs/vlinsert.yaml
+++ b/hieradata/roles/infra/logs/vlinsert.yaml
@ -14,8 +14,6 @@ victorialogs::node::options:
  envflag.enable: 'true'
  select.disable: 'undef'
  storageNode.tls: 'undef'
-  syslog.listenAddr.tcp: ':21514'
-  syslog.timezone: 'Australia/Sydney'
  storageNode:
    - ausyd1nxvm2108.main.unkin.net:9428
    - ausyd1nxvm2109.main.unkin.net:9428
@ -47,20 +45,7 @@ consul::services:
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'
-  syslog:
-    service_name: 'syslog'
-    address: "%{facts.networking.ip}"
-    port: 21514
-    checks:
-      - id: 'vlinsert_syslog_tcp_check'
-        name: 'VictoriaLogs Syslog TCP Check'
-        tcp: "%{facts.networking.fqdn}:21514"
-        interval: '30s'
-        timeout: '5s'
 profiles::consul::client::node_rules:
  - resource: service
    segment: vlinsert
    disposition: write
-  - resource: service
-    segment: syslog
-    disposition: write
--- a/hieradata/roles/infra/mail.yaml
+++ b/hieradata/roles/infra/mail.yaml
@ -0,0 +1,20 @@
+---
+
+# Common mail server configuration
+
+# base postfix configuration (passed to postfix class)
+postfix::relayhost: 'direct'
+postfix::myorigin: 'main.unkin.net'
+postfix::manage_aliases: true
+
+# Common postfix virtuals for all mail servers
+postfix::virtuals:
+  'root':
+    ensure: present
+    destination: 'ben@main.unkin.net'
+  'postmaster':
+    ensure: present
+    destination: 'ben@main.unkin.net'
+  'abuse':
+    ensure: present
+    destination: 'ben@main.unkin.net'
--- a/hieradata/roles/infra/mail/backend.eyaml
+++ b/hieradata/roles/infra/mail/backend.eyaml
@ -1,5 +0,0 @@
---
-profiles::sql::postgresdb::dbpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEZkKX2ThGom2PffofEuRBHbyiq68PCsq0+19eSa02fpVPKgZ/5BEjzBhwvrt0BWZWsjYGhccFQ69DR+lTuqS50GcRSAiNQ2LDX2a3J1pu39oIKsNVmcJTza0f5T0VeI3A7sZkn7jL+NVz5ANp8V0EMfAjaduGQ7Jac+8dBsvTrLbJ+1AZVrjaKPxOI1+5tpE7qx35mM0oDVy0NwmlaVf8vbK6jyzyUJRs4Sb+mpioPi5sDxHgClzsQnu93HqqAIqR5UzsUv7MDMljOGYUF5ITyPU836I1LEZ9UfiVO7AikQ3A31LaSUWvwsxRHKxiQXJ7v6W/O+Nt3jdIR0eoqC5xTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC11+SUDLmz6bBrGyfYT9DPgDB3UhuhJ3kUruMTdRCW0Y6hoSBBQYCO+ZRFJToGTkz/BcxVw2Xtwjc7UmKmLodsDAo=]
-stalwart::s3_access_key: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAm1fkuVcAt4UKFnpljH0o3eb3x1r2ieEU4NUzuSx8DDdOv4rh8rkqghPGn1xs6LGd9zLprc9ZWFowXCP4I2L0gZ4PekI04rV4lL02xYechIah1JAntdwECEks7rmI4BbPabIUIkaHW4i/WtntRNvv38g9JjiWrvOoJSABEsiIVZL0ct6NykLgQk27r4rcP8j7ukNQqPCAA02d4y9CB/5g6RKtYkv6FwZfLA/rFTUIXhKJsNtTa9Gm1yhvb/Y859X4qvsSFymCm/B8+2Bz5H57lE0r6xOBBBS5PfpeQ2YRxmedlkj0HxRFpl2e1W94OazMbbI6dlXa5ceHqHXDZL78EzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDhiBSQPgE+fwD1Y9Gc1wQ3gCCGeGdA4BKCvIhYaQmzv9wUFuNaO75qHrub0vY8Od1ilQ==]
-stalwart::s3_secret_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdFOGR2axfPIksXExnW8vAZBSBm8V/QqPtIMtuzleDLOGsOuyLgJAbHPZJoj/w5bBV9bBKMGfWs94GGbKZ2PafiJeCtqfFJnUAIpVBTZ5cfUhQXERAHcketMvKUi1J8jKLSFc9I3uTjIVcIasjk0oe7WmCPnoikjl1qJZ/lVDH0cXHevjMuohxEyyka5jzC0ixCOkxyqOV2LOqSc6J5d0WSsSWqw0lDmY7vJAtqNtH6y6ghKZo5zdLQOsF2Bseg3oVejRNqYwfUsaDnfiRwJS/Rm/TmtXb4i6Jn8coYplDaJHtxQSXJ+KvOy6LS7M8X5sQ/UZSRqcwM647Yg4pwVWqDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBKBF7hTs0e0FKdRpFYbx4kgDB0xkNe78n6VLbUTHX7vTw6J+K/mxf+XCV95/EIkvBbWBYuU8ZMHNQKMEExmci4C4o=]
-stalwart::fallback_admin_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAMp9wmIhRwj5kxfUcvc+/q/oUs/vBhSqP19ZfErM4vLDK20VOBTnPhSP2lfVh9pqO0c2hpWFeuqBWMynghO+HUBJfAn29Vrc8a9iSBxQ3XuF/uiRq1inOKCQpdsU18TyCrYV9AJFNf9U20JuUoav79m7EKLHS07PHAZ0osqIYy93eXdCFhwXAGHijp4wMMQz/5z1F1mZoSrc1cXe3y8iBeAvvjnRfpw14gOKZBjmEGUbo7AIyc3wax5hbOQYf/v+Hd90JarvAufxGytg9WKO20cChWYbmYDnIkytVt3vHdHf4RT8M635l6qwLr/70O1MdE7bkrVRKP8M3KLyH072pJTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDSJwptBDvPd0WpxiIovZsjgDBBwesNW+UNo4b0idhyqsyWL2rtO7wLStWHgUIvRFJACCrTKKqlu7sta6mhu/ZsnF0=]
--- a/hieradata/roles/infra/mail/backend.yaml
+++ b/hieradata/roles/infra/mail/backend.yaml
@ -1,46 +1,87 @@
 ---
-hiera_include:
-  - stalwart
-  - profiles::sql::postgresdb
-  - profiles::stalwart::haproxy
-
 # additional altnames
 profiles::pki::vault::alt_names:
  - mail.main.unkin.net
-  - mail-webadmin.main.unkin.net
-  - main-in.main.unkin.net
-  - autoconfig.main.unkin.net
-  - autodiscovery.main.unkin.net

-# manage a pgsql database + user
-profiles::sql::postgresdb::cluster_name: "patroni-shared-%{facts.environment}"
-profiles::sql::postgresdb::dbname: stalwart
-profiles::sql::postgresdb::dbuser: stalwart
+# manage dovecot
+dovecot::install::packages:
+  - dovecot
+  - dovecot-pgsql
+profiles::dovecot::server::maildir_path: "%{hiera('profiles::postfix::gateway::virtual_mailbox_base')}"

-# export backends to haproxy
-profiles::stalwart::haproxy::enable: true
+#dovecot::config:
+#  auth.conf:
+#    values:
+#      auth_mechanisms: 'plain login'
+#      auth_username_format: '%Lu'
+#      auth_default_realm: 'main.unkin.net'
+#  auth-vmail.conf:
+#    values:
+#      passdb: |
+#        {
+#          driver = pam
+#        }
+#      userdb: |
+#        {
+#          driver = passwd
+#          override_fields = uid=vmail gid=vmail home=/shared/apps/maildata/%u
+#        }
+#  mail.conf:
+#    values:
+#      mail_plugins: '$mail_plugins'
+#      namespace inbox: |
+#        {
+#          inbox = yes
+#          location =
+#          mailbox Drafts {
+#            special_use = \Drafts
+#          }
+#          mailbox Junk {
+#            special_use = \Junk
+#          }
+#          mailbox Sent {
+#            special_use = \Sent
+#          }
+#          mailbox "Sent Messages" {
+#            special_use = \Sent
+#          }
+#          mailbox Trash {
+#            special_use = \Trash
+#          }
+#        }
+#    sections:
+#      - name: 'namespace inbox'
+#        values:
+#          'inbox': 'yes'
+#          'seperator': '.'
+#          'prefix': 'INBOX'

-# Cluster role for node discovery
-stalwart::cluster_role: "%{facts.enc_role}"
+# backend-specific postfix configuration
+postfix::mydestination: 'localhost'
+postfix::mynetworks: '127.0.0.0/8 [::1]/128 10.10.12.0/24'
+postfix::smtp_listen: ['0.0.0.0', '::']
+postfix::use_dovecot_lda: true        # use built-in dovecot LDA support
+postfix::mail_user: 'vmail:vmail'
+profiles::postfix::gateway::enable_postscreen: false  # disable postscreen (backend doesn't need it)
+profiles::postfix::gateway::myhostname: 'mail.main.unkin.net'
+profiles::postfix::gateway::enable_dovecot: true    # enable dovecot integration
+profiles::postfix::gateway::virtual_mailbox_domains:
+  - 'main.unkin.net'
+profiles::postfix::gateway::virtual_mailbox_base: '/shared/apps/maildata'

-# PostgreSQL connection
-stalwart::postgresql_host: "master.%{hiera('profiles::sql::postgresdb::cluster_name')}.service.%{facts.country}-%{facts.region}.consul"
-stalwart::postgresql_database: "%{hiera('profiles::sql::postgresdb::dbname')}"
-stalwart::postgresql_user: "%{hiera('profiles::sql::postgresdb::dbuser')}"
-stalwart::postgresql_password: "%{hiera('profiles::sql::postgresdb::dbpass')}"
+profiles::postfix::gateway::virtual_mailbox_maps:
+  'ben@main.unkin.net': 'main.unkin.net/ben/'
+  'root@main.unkin.net': 'main.unkin.net/ben/'
+  'postmaster@main.unkin.net': 'main.unkin.net/ben/'
+  'abuse@main.unkin.net': 'main.unkin.net/ben/'

-# S3/Ceph-RGW connection
-stalwart::s3_endpoint: 'https://radosgw.service.consul'
-stalwart::s3_bucket: 'stalwart-maildata'
-stalwart::s3_region: "%{facts.region}"
-
-# Domains and relay
-stalwart::domains:
-  - 'mail.unkin.net'
-stalwart::postfix_relay_host: 'out-mta.main.unkin.net'
-stalwart::service_hostname: 'mail.main.unkin.net'
-stalwart::manage_dns_records: false
-
-## With load balancer:
-#stalwart::manage_dns_records: true
-#stalwart::loadbalancer_host: 'mail-lb.example.com'
+profiles::postfix::gateway::smtpd_client_restrictions:
+  - 'permit_mynetworks'
+  - 'reject_unauth_destination'
+profiles::postfix::gateway::smtpd_sender_restrictions:
+  - 'permit_mynetworks'
+  - 'reject_non_fqdn_sender'
+profiles::postfix::gateway::smtpd_recipient_restrictions:
+  - 'permit_mynetworks'
+  - 'reject_non_fqdn_recipient'
+  - 'reject_unauth_destination'
--- a/hieradata/roles/infra/mail/gateway.yaml
+++ b/hieradata/roles/infra/mail/gateway.yaml
@ -1,21 +1,15 @@
 ---
-
 # additional altnames
 profiles::pki::vault::alt_names:
  - in-mta.main.unkin.net

-# base postfix configuration (passed to postfix class)
-postfix::relayhost: 'direct'
-postfix::myorigin: 'main.unkin.net'
+# gateway-specific postfix configuration
 postfix::mydestination: 'blank'
 postfix::mynetworks: '127.0.0.0/8 [::1]/128'
+postfix::smtp_listen: '0.0.0.0'
 postfix::mta: true
-postfix::manage_aliases: true
-
-# profile parameters for customization
 profiles::postfix::gateway::myhostname: 'in-mta.main.unkin.net'

-# postfix map content (templates)
 profiles::postfix::gateway::relay_recipients_maps:
  '@main.unkin.net': 'OK'

@ -37,16 +31,4 @@ postfix::transports:
  'main.unkin.net':
    ensure: present
    destination: 'relay'
-    nexthop: 'mail-in.main.unkin.net:25'
-
-# postfix virtuals
-postfix::virtuals:
-  'root':
-    ensure: present
-    destination: 'ben@main.unkin.net'
-  'postmaster':
-    ensure: present
-    destination: 'ben@main.unkin.net'
-  'abuse':
-    ensure: present
-    destination: 'ben@main.unkin.net'
+    nexthop: 'ausyd1nxvm2120.main.unkin.net:25'
--- a/hieradata/roles/infra/metrics/vmagent.yaml
+++ b/hieradata/roles/infra/metrics/vmagent.yaml
@ -3,16 +3,6 @@ hiera_include:
  - vmcluster::vmagent

 vmcluster::vmagent::enable: true
-vmcluster::vmagent::static_targets:
-  vyos_node:
-    targets:
-      - '198.18.21.160:9100'
-    scrape_interval: '15s'
-    metrics_path: '/metrics'
-    scheme: 'http'
-    labels:
-      instance: 'syrtvm0001.main.unkin.net'
-      job: 'vyos_node'
 vmcluster::vmagent::options:
  tls: 'true'
  tlsCertFile: '/etc/pki/tls/vault/certificate.crt'
--- a/hieradata/roles/infra/reposync/syncer.yaml
+++ b/hieradata/roles/infra/reposync/syncer.yaml
@ -3,41 +3,6 @@ profiles::packages::include:
  createrepo: {}

 profiles::reposync::repos_list:
-  almalinux_9.7_baseos:
-    repository: 'baseos'
-    description: 'AlmaLinux 9.7 BaseOS'
-    osname: 'almalinux'
-    release: '9.7'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/baseos'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.7_appstream:
-    repository: 'appstream'
-    description: 'AlmaLinux 9.7 AppStream'
-    osname: 'almalinux'
-    release: '9.7'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/appstream'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.7_crb:
-    repository: 'crb'
-    description: 'AlmaLinux 9.7 CRB'
-    osname: 'almalinux'
-    release: '9.7'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/crb'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.7_ha:
-    repository: 'ha'
-    description: 'AlmaLinux 9.7 HighAvailability'
-    osname: 'almalinux'
-    release: '9.7'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/highavailability'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.7_extras:
-    repository: 'extras'
-    description: 'AlmaLinux 9.7 extras'
-    osname: 'almalinux'
-    release: '9.7'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/extras'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
  almalinux_9.6_baseos:
    repository: 'baseos'
    description: 'AlmaLinux 9.6 BaseOS'
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@ -5,7 +5,7 @@ profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
 vault::package_name: openbao
-vault::package_ensure: latest
+vault::package_ensure: 2.4.1

 # additional altnames
 profiles::pki::vault::alt_names:
--- a/modules/externaldns/manifests/init.pp
+++ b/modules/externaldns/manifests/init.pp
@ -1,15 +0,0 @@
-# ExternalDNS BIND module - automatically configures master or slave
-class externaldns (
-  Stdlib::Fqdn $bind_master_hostname,
-  Array[Stdlib::Fqdn] $k8s_zones = [],
-  Array[Stdlib::Fqdn] $slave_servers = [],
-  String $externaldns_key_secret = '',
-  String $externaldns_key_algorithm = 'hmac-sha256',
-) {
-
-  if $trusted['certname'] == $bind_master_hostname {
-    include externaldns::master
-  } else {
-    include externaldns::slave
-  }
-}
--- a/modules/externaldns/manifests/master.pp
+++ b/modules/externaldns/manifests/master.pp
@ -1,45 +0,0 @@
-# ExternalDNS BIND master server class
-class externaldns::master inherits externaldns {
-
-  include bind
-
-  # Query PuppetDB for slave server IP addresses
-  $slave_ips = $externaldns::slave_servers.map |$fqdn| {
-    puppetdb_query("inventory[facts.networking.ip] { certname = '${fqdn}' }")[0]['facts.networking.ip']
-  }.filter |$ip| { $ip != undef }
-
-  # Create TSIG key for ExternalDNS authentication
-  bind::key { 'externaldns-key':
-    algorithm => $externaldns::externaldns_key_algorithm,
-    secret    => $externaldns::externaldns_key_secret,
-  }
-
-  # Create ACL for slave servers
-  if !empty($slave_ips) {
-    bind::acl { 'dns-slaves':
-      addresses => $slave_ips,
-    }
-  }
-
-  # Create master zones for each Kubernetes domain
-  $externaldns::k8s_zones.each |$zone| {
-    bind::zone { $zone:
-      zone_type       => 'master',
-      dynamic         => true,
-      allow_updates   => ['key externaldns-key'],
-      allow_transfers => empty($slave_ips) ? {
-        true  => [],
-        false => ['dns-slaves'],
-      },
-      ns_notify       => !empty($slave_ips),
-      also_notify     => $slave_ips,
-      dnssec          => false,
-    }
-  }
-
-  # Create default view to include the zones
-  bind::view { 'externaldns':
-    recursion => false,
-    zones     => $externaldns::k8s_zones,
-  }
-}
--- a/modules/externaldns/manifests/slave.pp
+++ b/modules/externaldns/manifests/slave.pp
@ -1,36 +0,0 @@
-# ExternalDNS BIND slave server class
-class externaldns::slave inherits externaldns {
-
-  include bind
-
-  # Query PuppetDB for master server IP address
-  $query = "inventory[facts.networking.ip] { certname = '${externaldns::bind_master_hostname}' }"
-  $master_ip = puppetdb_query($query)[0]['facts.networking.ip']
-
-  # Create TSIG key for zone transfers (same as master)
-  bind::key { 'externaldns-key':
-    algorithm => $externaldns::externaldns_key_algorithm,
-    secret    => $externaldns::externaldns_key_secret,
-  }
-
-  # Create ACL for master server
-  bind::acl { 'dns-master':
-    addresses => [$master_ip],
-  }
-
-  # Create slave zones for each Kubernetes domain
-  $externaldns::k8s_zones.each |$zone| {
-    bind::zone { $zone:
-      zone_type    => 'slave',
-      masters      => [$master_ip],
-      allow_notify => ['dns-master'],
-      ns_notify    => false,
-    }
-  }
-
-  # Create default view to include the zones
-  bind::view { 'externaldns':
-    recursion => false,
-    zones     => $externaldns::k8s_zones,
-  }
-}
--- a/modules/stalwart/README.md
+++ b/modules/stalwart/README.md
@ -1,230 +0,0 @@
-# Stalwart Mail Server Module
-
-This Puppet module manages Stalwart Mail Server, a modern, secure, and scalable mail server implementation that supports IMAP, JMAP, WebDAV, and SMTP protocols.
-
-## Overview
-
-The `stalwart` module provides a comprehensive solution for deploying Stalwart Mail Server in a clustered environment with:
-
- **PostgreSQL backend** for data, full-text search, and in-memory storage
- **S3/Ceph-RGW backend** for blob storage (emails, attachments, sieve scripts)
- **Automatic cluster discovery** using `query_nodes()`
- **DNS autodiscovery records** for email client configuration
- **TLS certificate management** integration
- **Postfix relay integration** for SMTP routing
-
-## Features
-
- ✅ **Multi-node clustering** with peer-to-peer coordination
- ✅ **PostgreSQL authentication** with SQL directory backend
- ✅ **S3 blob storage** with compression support
- ✅ **IMAP/IMAPS protocols** for email access
- ✅ **HTTP/HTTPS protocols** for JMAP, WebDAV, and autodiscovery
- ✅ **SMTP relay** for postfix integration
- ✅ **DNS autodiscovery** record management
- ✅ **Automatic role distribution** across cluster nodes
- ✅ **TLS security** with Vault PKI integration
-
-## Requirements
-
- **Puppet 6+** with `query_nodes()` function support
- **Stalwart RPM package** (creates user, directories, systemd service)
- **PostgreSQL cluster** for data storage
- **S3-compatible storage** (Ceph-RGW, MinIO, AWS S3)
- **DNS management** via `profiles::dns::record`
- **PKI management** via `profiles::pki::vault::alt_names`
-
-## Usage
-
-### Recommended Usage with Role
-
-The recommended way to use this module is via the `roles::infra::mail::backend` role with hieradata configuration:
-
-```puppet
-include roles::infra::mail::backend
-```
-
-Configure all parameters in `hieradata/roles/infra/mail/backend.yaml` - see `examples/role-hieradata.yaml` for a complete example.
-
-### Direct Class Usage
-
-```puppet
-class { 'stalwart':
-  node_id             => 1,
-  cluster_role        => 'mail-backend',
-  postgresql_host     => 'pgsql.example.com',
-  postgresql_database => 'stalwart',
-  postgresql_user     => 'stalwart',
-  postgresql_password => Sensitive('secretpassword'),
-  s3_endpoint         => 'https://ceph-rgw.example.com',
-  s3_bucket           => 'stalwart-blobs',
-  s3_access_key       => 'accesskey',
-  s3_secret_key       => Sensitive('secretkey'),
-  domains             => ['example.com'],
-  postfix_relay_host  => 'postfix.example.com',
-}
-```
-
-## Hieradata Configuration
-
-See `examples/role-hieradata.yaml` for a complete example of role-based hieradata configuration.
-
-### Required Parameters
-
-```yaml
-# Cluster role for node discovery
-stalwart::cluster_role: 'mail-backend'
-
-# Optional: Unique node identifier (auto-calculated if not specified)
-# stalwart::node_id: 1
-
-# PostgreSQL connection
-stalwart::postgresql_host: 'pgsql.example.com'
-stalwart::postgresql_database: 'stalwart'
-stalwart::postgresql_user: 'stalwart'
-stalwart::postgresql_password: >
-  ENC[PKCS7,encrypted_password...]
-
-# S3/Ceph-RGW connection
-stalwart::s3_endpoint: 'https://ceph-rgw.example.com'
-stalwart::s3_bucket: 'stalwart-blobs'
-stalwart::s3_access_key: 'access_key'
-stalwart::s3_secret_key: >
-  ENC[PKCS7,encrypted_secret...]
-
-# Domains and relay
-stalwart::domains:
-  - 'example.com'
-stalwart::postfix_relay_host: 'postfix.example.com'
-```
-
-## Architecture
-
-### Cluster Setup
-
-The module automatically discovers cluster members using `query_nodes()` based on:
- `enc_role` matching `cluster_role` parameter
- `country` fact matching the node's country fact
- `region` fact matching the node's region fact
-
-**Node ID Assignment:**
- Node IDs are **automatically extracted** from the last 4 digits of the hostname
- Example: `ausyd1nxvm1234` → node ID `1234`
- Manual override available via `stalwart::node_id` parameter if needed
- Hostname must end with 4 digits for automatic extraction to work
- Ensures unique IDs when following consistent hostname patterns
-
-### Storage Layout
-
- **Data Store**: PostgreSQL (metadata, folders, settings)
- **Full-Text Search**: PostgreSQL (search indexes)
- **In-Memory Store**: PostgreSQL (caching, sessions)
- **Blob Store**: S3/Ceph-RGW (emails, attachments, files)
-
-### Directory Structure (Created by RPM)
-
- **Config**: `/opt/stalwart/etc/config.toml`
- **Data**: `/var/lib/stalwart/` (queue, reports)
- **Logs**: `/var/log/stalwart/stalwart.log`
- **Binary**: `/opt/stalwart/bin/stalwart`
- **User**: `stalwart:stalwart` (system user)
-
-### Network Ports
-
- **143**: IMAP (STARTTLS)
- **993**: IMAPS (implicit TLS)
- **443**: HTTPS (JMAP, WebDAV, autodiscovery)
- **2525**: SMTP relay (postfix communication)
- **11200**: Cluster coordination (peer-to-peer)
- **9090**: Prometheus metrics
-
-### DNS Records
-
-When `manage_dns_records: true`, the module creates:
- `autoconfig.domain.com` → server FQDN (Thunderbird)
- `autodiscover.domain.com` → server FQDN (Outlook)
- `_imap._tcp.domain.com` SRV record
- `_imaps._tcp.domain.com` SRV record
- `_caldav._tcp.domain.com` SRV record
- `_carddav._tcp.domain.com` SRV record
-
-## PostgreSQL Schema
-
-The module expects these tables in the PostgreSQL database:
-
-```sql
-CREATE TABLE accounts (
-  name TEXT PRIMARY KEY,
-  secret TEXT,
-  description TEXT,
-  type TEXT NOT NULL,
-  quota INTEGER DEFAULT 0,
-  active BOOLEAN DEFAULT true
-);
-
-CREATE TABLE group_members (
-  name TEXT NOT NULL,
-  member_of TEXT NOT NULL,
-  PRIMARY KEY (name, member_of)
-);
-
-CREATE TABLE emails (
-  name TEXT NOT NULL,
-  address TEXT NOT NULL,
-  type TEXT,
-  PRIMARY KEY (name, address)
-);
-```
-
-## Security
-
- **TLS required** for all connections
- **PostgreSQL SSL** enabled by default
- **S3 HTTPS** endpoints required
- **Password hashing** supported (SHA512, BCRYPT, etc.)
- **Certificate management** via Vault PKI
-
-### Fallback Administrator
-
-Stalwart includes a fallback administrator account for initial setup and emergency access:
-
- **Default username**: `admin` (configurable via `stalwart::fallback_admin_user`)
- **Default password**: `admin` (configurable via `stalwart::fallback_admin_password`)
- **Purpose**: Initial server configuration and emergency access when directory services are unavailable
- **Security**: Password is automatically hashed using SHA-512 crypt format
-
-**Important**: Change the default password in production by setting different hieradata values:
-
-```yaml
-stalwart::fallback_admin_password: "your-secure-password"
-```
-
-The fallback admin should only be used for initial setup and emergencies. Create regular admin accounts in PostgreSQL for day-to-day management.
-
-## Monitoring
-
- **Prometheus metrics** on port 9090
- **Log files** in `/var/log/stalwart/`
- **Queue monitoring** in `/var/lib/stalwart/queue/`
- **Service status** via systemd (`stalwart.service`)
-
-## Troubleshooting
-
-### Cluster Formation Issues
- Verify `query_nodes()` returns expected nodes
- Check `country` and `region` facts are consistent
- Ensure `cluster_role` matches across all nodes
-
-### Storage Connection Issues
- Test PostgreSQL connectivity and credentials
- Verify S3 endpoint accessibility and credentials
- Check network connectivity between nodes
-
-### TLS Certificate Issues
- Ensure PKI alt_names include all required domains
- Verify certificate paths exist and are readable
- Check certificate expiration dates
-
-## License
-
-This module is part of the internal infrastructure management system.
--- a/modules/stalwart/examples/hieradata.yaml
+++ b/modules/stalwart/examples/hieradata.yaml
@ -1,57 +0,0 @@
-# Example hieradata for profiles::mail::stalwart
-# This shows the required and optional parameters for Stalwart configuration
-
-# Required: Unique node ID for each server in the cluster (1, 2, 3, etc.)
-profiles::mail::stalwart::node_id: 1
-
-# Required: Cluster role name for query_nodes() discovery
-profiles::mail::stalwart::cluster_role: 'mail-backend'
-
-# Required: PostgreSQL connection settings
-profiles::mail::stalwart::postgresql_host: 'pgsql.example.com'
-profiles::mail::stalwart::postgresql_port: 5432
-profiles::mail::stalwart::postgresql_database: 'stalwart'
-profiles::mail::stalwart::postgresql_user: 'stalwart'
-profiles::mail::stalwart::postgresql_password: >
-  ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
-profiles::mail::stalwart::postgresql_ssl: true
-
-# Required: S3/Ceph-RGW connection settings
-profiles::mail::stalwart::s3_endpoint: 'https://ceph-rgw.example.com'
-profiles::mail::stalwart::s3_bucket: 'stalwart-blobs'
-profiles::mail::stalwart::s3_region: 'default'
-profiles::mail::stalwart::s3_access_key: 'stalwart_access_key'
-profiles::mail::stalwart::s3_secret_key: >
-  ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
-profiles::mail::stalwart::s3_key_prefix: 'stalwart/'
-
-# Required: Domains this mail backend serves
-profiles::mail::stalwart::domains:
-  - 'example.com'
-  - 'mail.example.com'
-
-# Required: Postfix relay host for SMTP delivery
-profiles::mail::stalwart::postfix_relay_host: 'postfix.example.com'
-
-# Optional: Protocol configuration (defaults shown)
-profiles::mail::stalwart::enable_imap: true
-profiles::mail::stalwart::enable_imap_tls: true
-profiles::mail::stalwart::enable_http: true
-profiles::mail::stalwart::enable_smtp_relay: true
-
-# Optional: Management settings
-profiles::mail::stalwart::manage_dns_records: true
-profiles::mail::stalwart::log_level: 'info'
-
-# Optional: TLS certificate paths (defaults shown)
-profiles::mail::stalwart::tls_cert: '/etc/pki/tls/vault/certificate.crt'
-profiles::mail::stalwart::tls_key: '/etc/pki/tls/vault/private.key'
-
-# Example PKI alt_names configuration for TLS certificates
-# This should include all domains and hostnames that need certificates
-profiles::pki::vault::alt_names:
-  mail-backend:
-    - 'imap.example.com'
-    - 'mail.example.com'
-    - 'autoconfig.example.com'
-    - 'autodiscover.example.com'
--- a/modules/stalwart/examples/role-hieradata.yaml
+++ b/modules/stalwart/examples/role-hieradata.yaml
@ -1,58 +0,0 @@
-# Example hieradata for roles::infra::mail::backend
-# Place this in: hieradata/roles/infra/mail/backend.yaml
-
-# Stalwart module configuration - all parameters passed directly to the module
-# stalwart::node_id: 1234  # Optional - automatically extracted from last 4 digits of hostname
-stalwart::cluster_role: 'mail-backend'
-
-# PostgreSQL connection settings
-stalwart::postgresql_host: 'pgsql.example.com'
-stalwart::postgresql_port: 5432
-stalwart::postgresql_database: 'stalwart'
-stalwart::postgresql_user: 'stalwart'
-stalwart::postgresql_password: >
-  ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
-stalwart::postgresql_ssl: true
-
-# S3/Ceph-RGW connection settings
-stalwart::s3_endpoint: 'https://ceph-rgw.example.com'
-stalwart::s3_bucket: 'stalwart-blobs'
-stalwart::s3_region: 'default'
-stalwart::s3_access_key: 'stalwart_access_key'
-stalwart::s3_secret_key: >
-  ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
-stalwart::s3_key_prefix: 'stalwart/'
-
-# Domains this mail backend serves
-stalwart::domains:
-  - 'example.com'
-  - 'mail.example.com'
-
-# Postfix relay host for SMTP delivery
-stalwart::postfix_relay_host: 'postfix.example.com'
-
-# Optional protocol configuration (defaults shown)
-stalwart::enable_imap: true
-stalwart::enable_imap_tls: true
-stalwart::enable_http: true
-stalwart::enable_smtp_relay: true
-
-# Optional management settings
-stalwart::manage_dns_records: true
-stalwart::log_level: 'info'
-
-# Optional TLS certificate paths (defaults work with profiles::pki::vault)
-# stalwart::tls_cert: '/etc/pki/tls/vault/certificate.crt'
-# stalwart::tls_key: '/etc/pki/tls/vault/private.key'
-
-# Optional path overrides (RPM package sets up these defaults)
-# stalwart::config_dir: '/opt/stalwart/etc'
-# stalwart::data_dir: '/var/lib/stalwart'
-
-# PKI alt_names configuration for TLS certificates
-# This should include all domains and hostnames that need certificates
-profiles::pki::vault::alt_names:
-  - 'imap.example.com'
-  - 'mail.example.com'
-  - 'autoconfig.example.com'
-  - 'autodiscover.example.com'
--- a/modules/stalwart/manifests/config.pp
+++ b/modules/stalwart/manifests/config.pp
@ -1,84 +0,0 @@
-# @summary Manages Stalwart Mail Server configuration
-#
-# @api private
-class stalwart::config {
-  assert_private()
-
-  # Create base directories (package creates user/group and base dirs)
-  file { [$stalwart::config_dir, $stalwart::data_dir, $stalwart::webadmin_unpack_path]:
-    ensure => directory,
-    owner  => 'stalwart',
-    group  => 'stalwart',
-    mode   => '0750',
-  }
-
-  # Ensure log directory exists
-  file { '/var/log/stalwart':
-    ensure => directory,
-    owner  => 'stalwart',
-    group  => 'stalwart',
-    mode   => '0755',
-  }
-
-  # Main configuration file
-  file { "${stalwart::config_dir}/config.toml":
-    ensure  => file,
-    owner   => 'stalwart',
-    group   => 'stalwart',
-    mode    => '0640',
-    content => epp('stalwart/config.toml.epp', {
-      'cluster_size'            => $stalwart::cluster_size,
-      'other_cluster_members'   => $stalwart::other_cluster_members,
-      'haproxy_ips'             => $stalwart::haproxy_ips,
-      'effective_node_id'       => $stalwart::effective_node_id,
-      'bind_address'            => $stalwart::bind_address,
-      'advertise_address'       => $stalwart::advertise_address,
-      'postgresql_host'         => $stalwart::postgresql_host,
-      'postgresql_port'         => $stalwart::postgresql_port,
-      'postgresql_database'     => $stalwart::postgresql_database,
-      'postgresql_user'         => $stalwart::postgresql_user,
-      'postgresql_password'     => $stalwart::postgresql_password.unwrap,
-      'postgresql_ssl'          => $stalwart::postgresql_ssl,
-      's3_endpoint'             => $stalwart::s3_endpoint,
-      's3_bucket'               => $stalwart::s3_bucket,
-      's3_region'               => $stalwart::s3_region,
-      's3_access_key'           => $stalwart::s3_access_key,
-      's3_secret_key'           => $stalwart::s3_secret_key.unwrap,
-      's3_key_prefix'           => $stalwart::s3_key_prefix,
-      'domains'                 => $stalwart::domains,
-      'postfix_relay_host'      => $stalwart::postfix_relay_host,
-      'enable_imap'             => $stalwart::enable_imap,
-      'enable_imap_tls'         => $stalwart::enable_imap_tls,
-      'enable_http'             => $stalwart::enable_http,
-      'enable_smtp_submission'  => $stalwart::enable_smtp_submission,
-      'data_dir'                => $stalwart::data_dir,
-      'tls_cert'                => $stalwart::tls_cert,
-      'tls_key'                 => $stalwart::tls_key,
-      'log_level'               => $stalwart::log_level,
-      'service_hostname'        => $stalwart::service_hostname,
-      'fallback_admin_user'     => $stalwart::fallback_admin_user,
-      'fallback_admin_password' => $stalwart::fallback_admin_password,
-      'webadmin_unpack_path'    => $stalwart::webadmin_unpack_path,
-      'webadmin_resource_url'   => $stalwart::webadmin_resource_url,
-      'webadmin_auto_update'    => $stalwart::webadmin_auto_update,
-      'node_facts'              => $facts,
-    }),
-    notify  => Service['stalwart'],
-  }
-
-  # Create directories for storage
-  file { "${stalwart::data_dir}/queue":
-    ensure => directory,
-    owner  => 'stalwart',
-    group  => 'stalwart',
-    mode   => '0750',
-  }
-
-  file { "${stalwart::data_dir}/reports":
-    ensure => directory,
-    owner  => 'stalwart',
-    group  => 'stalwart',
-    mode   => '0750',
-  }
-
-}
--- a/modules/stalwart/manifests/dns.pp
+++ b/modules/stalwart/manifests/dns.pp
@ -1,67 +0,0 @@
-# @summary Manages DNS autodiscovery records for Stalwart
-#
-# @param target_host
-#   FQDN to point DNS records to (defaults to current server)
-#
-# @api private
-class stalwart::dns (
-  Stdlib::Fqdn $target_host = $facts['networking']['fqdn'],
-) {
-  assert_private()
-
-  # Create autodiscovery DNS records for each domain
-  $stalwart::domains.each |$domain| {
-
-    # Autoconfig record for Thunderbird/Mozilla clients
-    profiles::dns::record { "autoconfig_${domain}":
-      record => "autoconfig.${domain}",
-      type   => 'CNAME',
-      value  => "${target_host}.",
-      zone   => $domain,
-      order  => 100,
-    }
-
-    # Autodiscover record for Outlook/Microsoft clients
-    profiles::dns::record { "autodiscover_${domain}":
-      record => "autodiscover.${domain}",
-      type   => 'CNAME',
-      value  => "${target_host}.",
-      zone   => $domain,
-      order  => 101,
-    }
-
-    # IMAP SRV records
-    profiles::dns::record { "imap_srv_${domain}":
-      record => "_imap._tcp.${domain}",
-      type   => 'SRV',
-      value  => "10 1 143 ${target_host}.",
-      zone   => $domain,
-      order  => 102,
-    }
-
-    profiles::dns::record { "imaps_srv_${domain}":
-      record => "_imaps._tcp.${domain}",
-      type   => 'SRV',
-      value  => "10 1 993 ${target_host}.",
-      zone   => $domain,
-      order  => 103,
-    }
-
-    # CalDAV and CardDAV SRV records
-    profiles::dns::record { "caldav_srv_${domain}":
-      record => "_caldav._tcp.${domain}",
-      type   => 'SRV',
-      value  => "10 1 443 ${target_host}.",
-      zone   => $domain,
-      order  => 104,
-    }
-
-    profiles::dns::record { "carddav_srv_${domain}":
-      record => "_carddav._tcp.${domain}",
-      type   => 'SRV',
-      value  => "10 1 443 ${target_host}.",
-      zone   => $domain,
-      order  => 105,
-    }
-  }
-}
--- a/modules/stalwart/manifests/init.pp
+++ b/modules/stalwart/manifests/init.pp
@ -1,245 +0,0 @@
-# @summary Main class for managing Stalwart Mail Server
-#
-# This class provides a comprehensive setup of Stalwart Mail Server with
-# clustering, authentication, storage, and protocol support.
-#
-# @example Basic Stalwart setup
-#   class { 'stalwart':
-#     node_id                => 1,
-#     postgresql_host        => 'pgsql.example.com',
-#     postgresql_database    => 'stalwart',
-#     postgresql_user        => 'stalwart',
-#     postgresql_password    => Sensitive('secretpassword'),
-#     s3_endpoint            => 'https://ceph-rgw.example.com',
-#     s3_bucket              => 'stalwart-blobs',
-#     s3_access_key          => 'accesskey',
-#     s3_secret_key          => Sensitive('secretkey'),
-#     domains                => ['example.com'],
-#     postfix_relay_host     => 'postfix.example.com',
-#   }
-#
-# @param node_id
-#   Unique identifier for this node in the cluster (1-N). If not specified,
-#   automatically calculated based on sorted position in cluster member list.
-#
-# @param cluster_role
-#   Role name for cluster member discovery via query_nodes()
-#
-#
-# @param postgresql_host
-#   PostgreSQL server hostname/IP
-#
-# @param postgresql_port
-#   PostgreSQL server port
-#
-# @param postgresql_database
-#   PostgreSQL database name
-#
-# @param postgresql_user
-#   PostgreSQL username
-#
-# @param postgresql_password
-#   PostgreSQL password (Sensitive)
-#
-# @param postgresql_ssl
-#   Enable SSL/TLS for PostgreSQL connections
-#
-# @param s3_endpoint
-#   S3/Ceph-RGW endpoint URL
-#
-# @param s3_bucket
-#   S3 bucket name for blob storage
-#
-# @param s3_region
-#   S3 region
-#
-# @param s3_access_key
-#   S3 access key
-#
-# @param s3_secret_key
-#   S3 secret key (Sensitive)
-#
-# @param s3_key_prefix
-#   S3 key prefix for stalwart objects
-#
-# @param domains
-#   Array of domains this server handles
-#
-# @param postfix_relay_host
-#   Postfix relay host for SMTP delivery
-#
-# @param bind_address
-#   IP address to bind services to
-#
-# @param advertise_address
-#   IP address to advertise to cluster members
-#
-# @param enable_imap
-#   Enable IMAP protocol listener
-#
-# @param enable_imap_tls
-#   Enable IMAP over TLS listener
-#
-# @param enable_http
-#   Enable HTTP listener for JMAP/WebDAV/Autodiscovery
-#
-# @param enable_smtp_relay
-#   Enable SMTP for postfix relay communication
-#
-# @param enable_smtp_submission
-#   Enable SMTP submission listener on port 587
-#
-# @param haproxy_role
-#   Role name for HAProxy nodes to include in proxy trusted networks
-#
-# @param service_hostname
-#   Service hostname used for autoconfig/autodiscover and SMTP greeting
-#
-# @param package_ensure
-#   Package version to install
-#
-# @param config_dir
-#   Stalwart configuration directory
-#
-# @param data_dir
-#   Stalwart data directory
-#
-# @param log_level
-#   Logging verbosity level
-#
-# @param manage_firewall
-#   Whether to manage firewall rules
-#
-# @param tls_cert
-#   Path to TLS certificate file
-#
-# @param tls_key
-#   Path to TLS private key file
-#
-# @param manage_dns_records
-#   Whether to create DNS autodiscovery records
-#
-class stalwart (
-  String                    $cluster_role,
-  Stdlib::Host              $postgresql_host,
-  String                    $postgresql_database,
-  String                    $postgresql_user,
-  Sensitive[String]         $postgresql_password,
-  Stdlib::HTTPUrl           $s3_endpoint,
-  String                    $s3_bucket,
-  String                    $s3_access_key,
-  Sensitive[String]         $s3_secret_key,
-  Array[Stdlib::Fqdn]       $domains,
-  Stdlib::Host              $postfix_relay_host,
-  Optional[Integer]         $node_id                 = undef,
-  Stdlib::Port              $postgresql_port          = 5432,
-  Boolean                   $postgresql_ssl           = true,
-  String                    $s3_region               = 'us-east-1',
-  String                    $s3_key_prefix           = 'stalwart/',
-  Stdlib::IP::Address       $bind_address            = $facts['networking']['ip'],
-  Stdlib::IP::Address       $advertise_address       = $facts['networking']['ip'],
-  Boolean                   $enable_imap             = true,
-  Boolean                   $enable_imap_tls         = true,
-  Boolean                   $enable_http             = true,
-  Boolean                   $enable_smtp_relay       = true,
-  Boolean                   $enable_smtp_submission  = true,
-  String                    $haproxy_role            = 'roles::infra::halb::haproxy2',
-  Stdlib::Fqdn              $service_hostname        = $facts['networking']['fqdn'],
-  String                    $package_ensure          = 'present',
-  Stdlib::Absolutepath      $config_dir              = '/opt/stalwart/etc',
-  Stdlib::Absolutepath      $data_dir                = '/var/lib/stalwart',
-  Enum['error','warn','info','debug','trace'] $log_level = 'info',
-  Boolean                   $manage_firewall         = false,
-  Stdlib::Absolutepath      $tls_cert                = '/etc/pki/tls/vault/certificate.crt',
-  Stdlib::Absolutepath      $tls_key                 = '/etc/pki/tls/vault/private.key',
-  Boolean                   $manage_dns_records      = true,
-  Optional[Stdlib::Fqdn]    $loadbalancer_host       = undef,
-  String                    $fallback_admin_user     = 'admin',
-  Sensitive[String]         $fallback_admin_password = Sensitive('admin'),
-  Stdlib::Absolutepath      $webadmin_unpack_path    = "${data_dir}/webadmin",
-  Stdlib::HTTPUrl           $webadmin_resource_url   = 'https://github.com/stalwartlabs/webadmin/releases/latest/download/webadmin.zip',
-  Boolean                   $webadmin_auto_update    = true,
-) {
-
-  # Calculate node_id from last 4 digits of hostname if not provided
-  $my_fqdn = $facts['networking']['fqdn']
-  $hostname = $facts['networking']['hostname']
-
-  # Query cluster members for validation
-  $cluster_query = "enc_role='${cluster_role}' and country='${facts['country']}' and region='${facts['region']}'"
-  $cluster_members_raw = query_nodes($cluster_query, 'networking.fqdn')
-  $cluster_members = $cluster_members_raw ? {
-    undef   => [],
-    default => $cluster_members_raw,
-  }
-  $sorted_cluster_members = sort($cluster_members)
-
-  # Calculate cluster information for templates
-  $other_cluster_members = $sorted_cluster_members.filter |$member| { $member != $my_fqdn }
-  $cluster_size = length($sorted_cluster_members)
-
-  # Query HAProxy nodes for proxy trusted networks
-  $haproxy_query = "enc_role='${haproxy_role}' and country='${facts['country']}' and region='${facts['region']}'"
-  $haproxy_members_raw = query_nodes($haproxy_query, 'networking.ip')
-  $haproxy_ips = $haproxy_members_raw ? {
-    undef   => [],
-    default => sort($haproxy_members_raw),
-  }
-
-  # Extract last 4 digits from hostname (e.g., ausyd1nxvm1234 -> 1234)
-  if $hostname =~ /^.*(\d{4})$/ {
-    $hostname_digits = $1
-    $calculated_node_id = Integer($hostname_digits)
-  } else {
-    fail("Unable to extract 4-digit node ID from hostname '${hostname}'. Hostname must end with 4 digits or specify node_id manually.")
-  }
-
-  # Use provided node_id or calculated one
-  $effective_node_id = $node_id ? {
-    undef   => $calculated_node_id,
-    default => $node_id,
-  }
-
-  # Validate parameters
-  if $effective_node_id < 1 {
-    fail('node_id must be a positive integer')
-  }
-
-  if empty($domains) {
-    fail('At least one domain must be specified')
-  }
-
-  if !($my_fqdn in $sorted_cluster_members) {
-    fail("This node (${my_fqdn}) is not found in cluster members for role '${cluster_role}' in ${facts['country']}-${facts['region']}")
-  }
-
-
-  # Include sub-classes in dependency order
-  include stalwart::install
-  include stalwart::config
-  include stalwart::service
-
-  # Handle DNS records if requested
-  if $manage_dns_records {
-    if $loadbalancer_host {
-      # Only first node in cluster creates DNS records pointing to load balancer
-      if $my_fqdn == $sorted_cluster_members[0] {
-        class { 'stalwart::dns':
-          target_host => $loadbalancer_host,
-        }
-      }
-    } else {
-      # Current behavior: each server creates its own DNS records
-      include stalwart::dns
-    }
-  }
-
-  # Class ordering
-  Class['stalwart::install']
-  -> Class['stalwart::config']
-  -> Class['stalwart::service']
-
-  if $manage_dns_records {
-    Class['stalwart::service'] -> Class['stalwart::dns']
-  }
-}
--- a/modules/stalwart/manifests/install.pp
+++ b/modules/stalwart/manifests/install.pp
@ -1,11 +0,0 @@
-# @summary Manages Stalwart Mail Server package installation
-#
-# @api private
-class stalwart::install {
-  assert_private()
-
-  # Install stalwart package (user/group created by package preinstall script)
-  package { 'stalwart':
-    ensure => $stalwart::package_ensure,
-  }
-}
--- a/modules/stalwart/manifests/service.pp
+++ b/modules/stalwart/manifests/service.pp
@ -1,26 +0,0 @@
-# @summary Manages Stalwart Mail Server service
-#
-# @api private
-class stalwart::service {
-  assert_private()
-
-  # Service is installed by the RPM package
-  service { 'stalwart':
-    ensure    => running,
-    enable    => true,
-    subscribe => [
-      File[$stalwart::tls_cert],
-      File[$stalwart::tls_key],
-    ],
-  }
-
-  # Add capability to bind to privileged ports (143, 443, 993)
-  systemd::manage_dropin { 'bind-capabilities.conf':
-    ensure        => present,
-    unit          => 'stalwart.service',
-    service_entry => {
-      'AmbientCapabilities' => 'CAP_NET_BIND_SERVICE',
-    },
-    notify        => Service['stalwart'],
-  }
-}
--- a/modules/stalwart/templates/config.toml.epp
+++ b/modules/stalwart/templates/config.toml.epp
@ -1,296 +0,0 @@
-# Stalwart Mail Server Configuration
-# Generated by Puppet - DO NOT EDIT MANUALLY
-
-[server]
-hostname = "<%= $service_hostname %>"
-greeting = "Stalwart ESMTP"
-
-[server.listener."smtp-relay"]
-bind = ["<%= $bind_address %>:25"]
-protocol = "smtp"
-greeting = "Stalwart SMTP Relay"
-
-<% if !$haproxy_ips.empty { -%>
-[server.listener."smtp-relay".proxy]
-trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
-<% } -%>
-
-<% if $enable_smtp_submission { -%>
-[server.listener."submission"]
-bind = ["<%= $bind_address %>:587"]
-protocol = "smtp"
-greeting = "Stalwart SMTP Submission"
-tls.require = true
-
-<% if !$haproxy_ips.empty { -%>
-[server.listener."submission".proxy]
-trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
-<% } -%>
-<% } -%>
-
-<% if $enable_imap { -%>
-[server.listener."imap"]
-bind = ["<%= $bind_address %>:143"]
-protocol = "imap"
-
-<% if !$haproxy_ips.empty { -%>
-[server.listener."imap".proxy]
-trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
-<% } -%>
-<% } -%>
-
-<% if $enable_imap_tls { -%>
-[server.listener."imaps"]
-bind = ["<%= $bind_address %>:993"]
-protocol = "imap"
-tls.implicit = true
-
-<% if !$haproxy_ips.empty { -%>
-[server.listener."imaps".proxy]
-trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
-<% } -%>
-<% } -%>
-
-<% if $enable_http { -%>
-[server.listener."https"]
-bind = ["<%= $bind_address %>:443"]
-protocol = "http"
-tls.implicit = true
-
-<% if !$haproxy_ips.empty { -%>
-[server.listener."https".proxy]
-trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
-<% } -%>
-<% } -%>
-
-[server.tls]
-enable = true
-implicit = false
-certificate = "default"
-
-
-[webadmin]
-path = "<%= $webadmin_unpack_path %>"
-auto-update = <%= $webadmin_auto_update %>
-resource = "<%= $webadmin_resource_url %>"
-
-# Cluster Configuration
-[cluster]
-node-id = <%= $effective_node_id %>
-
-<% if $cluster_size > 1 { -%>
-# Peer-to-peer coordination
-[cluster.coordinator]
-type = "peer-to-peer"
-addr = "<%= $bind_address %>:11200"
-advertise-addr = "<%= $advertise_address %>:11200"
-
-<% $other_cluster_members.each |$node| { -%>
-[[cluster.coordinator.peers]]
-addr = "<%= $node %>:11200"
-<% } -%>
-
-# Cluster roles for 3-node setup
-[cluster.roles.purge]
-stores = ["1", "2", "3"]
-accounts = ["1", "2"]
-
-[cluster.roles.acme]
-renew = ["1"]
-
-[cluster.roles.metrics]
-calculate = ["1", "2"]
-push = ["1"]
-
-[cluster.roles.push-notifications]
-push-notifications = ["1", "3"]
-
-[cluster.roles.fts-indexing]
-fts-indexing = ["2", "3"]
-
-[cluster.roles.bayes-training]
-bayes-training = ["1"]
-
-[cluster.roles.imip-processing]
-imip-processing = ["2"]
-
-[cluster.roles.calendar-alerts]
-calendar-alerts = ["3"]
-<% } -%>
-
-# Storage Configuration
-
-# PostgreSQL store for data, FTS, and in-memory
-[store."postgresql"]
-type = "postgresql"
-host = "<%= $postgresql_host %>"
-port = <%= $postgresql_port %>
-database = "<%= $postgresql_database %>"
-user = "<%= $postgresql_user %>"
-password = "<%= $postgresql_password %>"
-timeout = "15s"
-
-[store."postgresql".tls]
-enable = <%= $postgresql_ssl %>
-allow-invalid-certs = false
-
-[store."postgresql".pool]
-max-connections = 10
-
-[store."postgresql".purge]
-frequency = "0 3 *"
-
-# S3/Ceph-RGW store for blobs
-[store."s3"]
-type = "s3"
-bucket = "<%= $s3_bucket %>"
-region = "<%= $s3_region %>"
-access-key = "<%= $s3_access_key %>"
-secret-key = "<%= $s3_secret_key %>"
-endpoint = "<%= $s3_endpoint %>"
-timeout = "30s"
-key-prefix = "<%= $s3_key_prefix %>"
-compression = "lz4"
-
-[store."s3".purge]
-frequency = "30 5 *"
-
-# Storage assignment
-[storage]
-data = "postgresql"
-fts = "postgresql"
-blob = "s3"
-lookup = "postgresql"
-directory = "internal"
-in-memory = "postgresql"
-
-# Directory configuration
-[directory.internal]
-type = "internal"
-store = "postgresql"
-
-# Authentication configuration
-[authentication.fallback-admin]
-user = "<%= $fallback_admin_user %>"
-secret = "<%= pw_hash($fallback_admin_password.unwrap, 'SHA-512', 'stalwart') %>"
-
-[authentication]
-[authentication.directory]
-directories = ["internal"]
-
-# Authorization configuration
-[authorization]
-directory = "internal"
-
-# JMAP configuration
-[jmap]
-directory = "internal"
-
-[jmap.protocol]
-request-max-size = 10485760
-get.max-objects = 500
-query.max-results = 5000
-changes.max-results = 5000
-upload.max-size = 50000000
-upload.ttl = "1h"
-
-# IMAP configuration
-[imap]
-directory = "internal"
-
-[imap.protocol]
-max-requests = 64
-
-# Inbound rate limiting
-[[queue.limiter.inbound]]
-key = ["remote_ip"]
-rate = "500/1s"
-enable = true
-
-# SMTP configuration for postfix relay
-[session.data]
-pipe.command = "sendmail"
-pipe.arguments = ["-i", "-f", "{sender}", "{recipient}"]
-
-# Outbound SMTP configuration
-[queue]
-path = "<%= $data_dir %>/queue"
-
-[queue.schedule]
-retry = ["2s", "5s", "1m", "5m", "15m", "30m", "1h", "2h"]
-notify = ["1d", "3d"]
-expire = "5d"
-
-[session.extensions]
-future-release = "7d"
-
-# Relay configuration for postfix
-[remote."postfix"]
-address = "<%= $postfix_relay_host %>"
-port = 25
-protocol = "smtp"
-
-# HTTP configuration
-[server.http]
-use-x-forwarded = false
-permissive-cors = false
-
-# Disable spam filtering (handled by postfix)
-[session.ehlo]
-reject-non-fqdn = false
-
-[session.rcpt]
-type = "internal"
-store = "postgresql"
-max-recipients = 25
-
-[session.data]
-max-messages = 10
-max-message-size = 52428800
-
-# TLS configuration
-[certificate."default"]
-cert = "%{file:<%= $tls_cert %>}%"
-private-key = "%{file:<%= $tls_key %>}%"
-default = true
-
-# Logging configuration
-[tracer]
-type = "log"
-level = "<%= $log_level %>"
-ansi = false
-multiline = true
-
-[tracer.file]
-path = "/var/log/stalwart/stalwart.log"
-rotate = "daily"
-keep = 30
-
-# Report storage
-[report]
-path = "<%= $data_dir %>/reports"
-hash = "sha256"
-encrypt = false
-
-# Metrics configuration
-[metrics]
-prometheus.enable = true
-prometheus.port = 9090
-
-# Queue routing configuration
-[queue.strategy]
-route = [ { if = "is_local_domain('', rcpt_domain)", then = "'local'" },
-          { else = "'relay'" } ]
-
-[queue.route."local"]
-type = "local"
-
-[queue.route."relay"]
-type = "relay"
-address = "<%= $postfix_relay_host %>"
-port = 25
-protocol = "smtp"
-
-[queue.route."relay".tls]
-implicit = false
-allow-invalid-certs = false
--- a/modules/vmcluster/manifests/vmagent.pp
+++ b/modules/vmcluster/manifests/vmagent.pp
@ -10,7 +10,6 @@ class vmcluster::vmagent (
  Stdlib::Absolutepath $vars_file = '/etc/default/vmagent',
  String  $consul_node_token      = $facts['consul_node_token'],
  Hash[String, Variant[String, Array[String]]] $options = {},
-  Hash[String, Hash] $static_targets = {},
 ) {

  # if enabled, manage this service
--- a/modules/vmcluster/templates/vmagent.scrape.yaml.erb
+++ b/modules/vmcluster/templates/vmagent.scrape.yaml.erb
@ -35,28 +35,3 @@ scrape_configs:
      - source_labels: [__meta_consul_tag_metrics_job]
        target_label: job
        action: replace
-
-<% if @static_targets -%>
-<% @static_targets.each do |job_name, config| -%>
-  - job_name: '<%= job_name %>'
-    static_configs:
-<% config['targets'].each do |target| -%>
-      - targets: ['<%= target %>']
-<% if config['labels'] -%>
-        labels:
-<% config['labels'].each do |label_name, label_value| -%>
-          <%= label_name %>: '<%= label_value %>'
-<% end -%>
-<% end -%>
-<% end -%>
-<% if config['scrape_interval'] -%>
-    scrape_interval: <%= config['scrape_interval'] %>
-<% end -%>
-<% if config['metrics_path'] -%>
-    metrics_path: <%= config['metrics_path'] %>
-<% end -%>
-<% if config['scheme'] -%>
-    scheme: <%= config['scheme'] %>
-<% end -%>
-<% end -%>
-<% end -%>
--- a/site/profiles/manifests/accounts/root.pp
+++ b/site/profiles/manifests/accounts/root.pp
@ -1,12 +1,12 @@
 # manage the root user
 class profiles::accounts::root (
-  String $password,
  Optional[Array[String]] $sshkeys = undef,
 ) {

-  accounts::user { 'root':
-    sshkeys  => $sshkeys,
-    password => $password,
+  if $sshkeys {
+    accounts::user { 'root':
+      sshkeys => $sshkeys,
+    }
  }

  file {'/root/.config':
--- a/site/profiles/manifests/dovecot/server.pp
+++ b/site/profiles/manifests/dovecot/server.pp
@ -0,0 +1,99 @@
+class profiles::dovecot::server (
+  Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
+  Stdlib::Absolutepath $tls_key_file  = '/etc/pki/tls/vault/certificate.pem',
+  Stdlib::Absolutepath $tls_ca_file   = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+  Stdlib::Absolutepath $maildir_path  = '/var/vmail',
+  String $maildir_var                 = '%d/%n',
+  String $hostname                    = $trusted['certname'],
+  Array[String] $listen               = ['*', '::'],
+  Array[String] $protocols            = ['imap'],
+) {
+
+  # Ensure the maildata directory exists
+  file { $maildir_path:
+    ensure => directory,
+    owner  => 'vmail',
+    group  => 'vmail',
+    mode   => '0755',
+  }
+
+  # Create vmail user for dovecot
+  user { 'vmail':
+    ensure     => present,
+    uid        => 5000,
+    gid        => 5000,
+    home       => $maildir_path,
+    shell      => '/usr/sbin/nologin',
+    managehome => false,
+    system     => true,
+  }
+
+  group { 'vmail':
+    ensure => present,
+    gid    => 5000,
+    system => true,
+  }
+
+  # Main dovecot configuration
+  $main_config = {
+    values => {
+      'listen'                    => join($listen, ', '),
+      'protocols'                 => join($protocols, ' '),
+      'default_login_user'        => 'vmail',
+      'default_internal_user'     => 'vmail',
+      'first_valid_uid'           => '5000',
+      'last_valid_uid'            => '5000',
+      'first_valid_gid'           => '5000',
+      'last_valid_gid'            => '5000',
+      'mail_uid'                  => 'vmail',
+      'mail_gid'                  => 'vmail',
+      'mail_location'             => "maildir:${maildir_path}/${maildir_var}/Maildir",
+      'login_trusted_networks'    => '10.0.0.0/8 127.0.0.0/8 [::1]/128',
+      'disable_plaintext_auth'    => 'no',
+      'auth_mechanisms'           => 'cram-md5 plain login',
+      'ssl'                       => 'required',
+      'ssl_cert'                  => $tls_cert_file,
+      'ssl_key'                   => $tls_key_file,
+      'ssl_ca'                    => $tls_ca_file,
+      'ssl_min_protocol'          => 'TLSv1.2',
+      'ssl_cipher_list'           => join([
+        'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES',
+        'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
+      ], ':'),
+      'ssl_prefer_server_ciphers' => 'yes',
+    },
+    sections => [
+      {
+        name   => 'passdb',
+        values => {
+          'driver' => 'passwd-file',
+          'args'   => 'scheme=CRAM-MD5 username_format=%u /etc/dovecot/users',
+        },
+      },
+      {
+        name   => 'userdb',
+        values => {
+          'driver' => 'static',
+          'args'   => "uid=vmail gid=vmail home=${maildir_path}/${maildir_var}",
+        },
+      },
+    ],
+  }
+
+
+  #  # Postfix smtp-auth
+  #  unix_listener /var/spool/postfix/private/auth {
+  #    mode = 0666
+  #    user = postfix
+  #    group = postfix
+  #  }
+
+
+  # Configure dovecot
+  class { 'dovecot':
+    main_config        => $main_config,
+    include_sysdefault => false,
+    require            => [User['vmail'], Group['vmail'], File[$maildir_path]],
+  }
+
+}
--- a/site/profiles/manifests/gitea/runner.pp
+++ b/site/profiles/manifests/gitea/runner.pp
@ -1,12 +1,13 @@
 # profiles::gitea::init
 class profiles::gitea::runner (
  String $registration_token,
+  Stdlib::HTTPSUrl $source,
  String $user = 'runner',
  String $group = 'runner',
  Stdlib::Absolutepath $home = '/data/runner',
  Hash $config = {},
  Stdlib::HTTPSUrl $instance = 'https://git.query.consul',
-  String $version = 'latest',
+  String $version = '0.2.10',
 ) {

  group { $group:
@ -31,27 +32,24 @@ class profiles::gitea::runner (
    require => User[$user],
  }

-  unless $version in ['latest', 'present'] {
-    # versionlock act
-    yum::versionlock{ 'act_runner':
-      ensure  => present,
-      version => $version,
-      before  => Package['act_runner'],
-    }
+  archive { '/usr/local/bin/act_runner':
+    ensure  => present,
+    extract => false,
+    source  => $source,
+    creates => '/usr/local/bin/act_runner',
+    cleanup => true,
  }

-  # install act
-  package { 'act_runner':
-    ensure => $version,
-  }
-
-  # remove manually installed act_runner
  file { '/usr/local/bin/act_runner':
-    ensure => absent,
+    ensure  => 'file',
+    mode    => '0755',
+    owner   => 'root',
+    group   => 'root',
+    require => Archive['/usr/local/bin/act_runner'],
  }

-  exec { 'register_act_runner':
-    command => "/usr/bin/act_runner register \
+  exec {'register_act_runner':
+    command => "/usr/local/bin/act_runner register \
                --no-interactive \
                --instance ${instance} \
                --token ${registration_token} \
@ -62,12 +60,12 @@ class profiles::gitea::runner (
    user    => $user,
    group   => $group,
    require => [
-      Package['act_runner'],
+      File['/usr/local/bin/act_runner'],
      File["${home}/config.yaml"],
    ],
  }

-  systemd::unit_file { 'act_runner.service':
+  systemd::unit_file {'act_runner.service':
    enable  => true,
    active  => true,
    content => template('profiles/gitea/act_runner.service.erb'),
--- a/site/profiles/manifests/postfix/gateway.pp
+++ b/site/profiles/manifests/postfix/gateway.pp
@ -47,15 +47,24 @@ class profiles::postfix::gateway (
    'permit_mynetworks',
    'reject_unauth_destination',
  ],
-  Hash[String, String] $smtp_tls_policy_maps = {},
+  Hash[Stdlib::Fqdn, String] $smtp_tls_policy_maps = {},
  Hash[String, String] $sender_canonical_maps = {},
-  Hash[String, String] $sender_access_maps = {},
+  Hash[Stdlib::Email, String] $sender_access_maps = {},
  Hash[String, String] $relay_recipients_maps = {},
-  Hash[String, String] $relay_domains_maps = {},
+  Hash[Stdlib::Fqdn, String] $relay_domains_maps = {},
  Hash[String, String] $recipient_canonical_maps = {},
-  Hash[String, String] $recipient_access_maps = {},
-  Hash[String, String] $postscreen_access_maps = {},
+  Hash[Stdlib::Email, String] $recipient_access_maps = {},
+  Hash[Variant[Stdlib::IP::Address, Stdlib::IP::Address::CIDR], String] $postscreen_access_maps = {},
  Hash[String, String] $helo_access_maps = {},
+  Hash[Stdlib::Email, String] $virtual_mailbox_maps = {},
+  Hash[Variant[Stdlib::Email, Pattern[/^@.+$/]], Stdlib::Email] $virtual_alias_maps = {},
+  # Dovecot integration
+  Boolean $enable_dovecot = false,
+  Array[Stdlib::Fqdn] $virtual_mailbox_domains = [],
+  String $virtual_uid_maps = 'static:5000',
+  String $virtual_gid_maps = 'static:5000',
+  Stdlib::Absolutepath $virtual_mailbox_base = '/var/vmail',
+  String $virtual_transport = 'dovecot',
 ) {

  $alias_maps_string = join($alias_maps, ', ')
@ -281,6 +290,7 @@ class profiles::postfix::gateway (
    },
  }

+
  # Postfix maps (all using templates now)
  $postfix_maps = {
    'postscreen_access' => {
@ -333,6 +343,39 @@ class profiles::postfix::gateway (
      'type'    => 'hash',
      'content' => template('profiles/postfix/gateway/smtp_tls_policy_maps.erb')
    },
+    'virtual_mailbox_maps' => {
+      'ensure'  => 'present',
+      'type'    => 'hash',
+      'content' => template('profiles/postfix/gateway/virtual_mailbox_maps.erb')
+    },
+    'virtual_alias_maps' => {
+      'ensure'  => 'present',
+      'type'    => 'hash',
+      'content' => template('profiles/postfix/gateway/virtual_alias_maps.erb')
+    },
+  }
+
+  if $enable_dovecot {
+    postfix::config {
+      'virtual_mailbox_domains': value => join($virtual_mailbox_domains, ', ');
+      'virtual_mailbox_maps':    value => 'hash:/etc/postfix/virtual_mailbox_maps';
+      'virtual_alias_maps':      value => 'hash:/etc/postfix/virtual_alias_maps';
+      'virtual_uid_maps':        value => $virtual_uid_maps;
+      'virtual_gid_maps':        value => $virtual_gid_maps;
+      'virtual_mailbox_base':    value => $virtual_mailbox_base;
+      'virtual_transport':       value => $virtual_transport;
+      'home_mailbox':            value => "${virtual_mailbox_base}/%d/%n/Maildir";
+    }
+  } else {
+    postfix::config {
+      'virtual_mailbox_domains': ensure => 'absent';
+      'virtual_mailbox_maps':    ensure => 'absent';
+      'virtual_uid_maps':        ensure => 'absent';
+      'virtual_gid_maps':        ensure => 'absent';
+      'virtual_mailbox_base':    ensure => 'absent';
+      'virtual_transport':       ensure => 'absent';
+      'home_mailbox':            ensure => 'absent';
+    }
  }

  # Merge base configs with postscreen configs
--- a/site/profiles/manifests/stalwart/haproxy.pp
+++ b/site/profiles/manifests/stalwart/haproxy.pp
@ -1,76 +0,0 @@
-# enable external access via haproxy
-class profiles::stalwart::haproxy (
-  Boolean $enable = false,
-){
-
-  # webadmin
-  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
-    service => 'be_stalwart_webadmin',
-    ports   => [443],
-    options => [
-      "cookie ${facts['networking']['hostname']}",
-      'ssl',
-      'verify none',
-      'check',
-      'inter 2s',
-      'rise 3',
-      'fall 2',
-      'send-proxy-v2',
-    ]
-  }
-
-  # imap
-  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_143":
-    service => 'be_stalwart_imap',
-    ports   => [143],
-    options => [
-      'check',
-      'inter 3s',
-      'rise 2',
-      'fall 3',
-      'send-proxy-v2',
-    ]
-  }
-
-  # imaps
-  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_993":
-    service => 'be_stalwart_imaps',
-    ports   => [993],
-    options => [
-      'check',
-      'ssl',
-      'verify none',
-      'inter 3s',
-      'rise 2',
-      'fall 3',
-      'send-proxy-v2',
-    ]
-  }
-
-  # smtp
-  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_25":
-    service => 'be_stalwart_smtp',
-    ports   => [25],
-    options => [
-      'check',
-      'inter 3s',
-      'rise 2',
-      'fall 3',
-      'send-proxy-v2',
-    ]
-  }
-
-  # smtp submission
-  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_587":
-    service => 'be_stalwart_submission',
-    ports   => [587],
-    options => [
-      'check',
-      'inter 3s',
-      'rise 2',
-      'fall 3',
-      'send-proxy-v2',
-    ]
-  }
-
-}
--- a/site/profiles/templates/ceph/conf.erb
+++ b/site/profiles/templates/ceph/conf.erb
@ -2,7 +2,7 @@
 <% @config.each do |section, settings| -%>
 [<%= section %>]
 <% settings.each do |key, value| -%>
-<%# Convert booleans and numbers to strings, leave strings untouched -%>
+<%# Convert booleans and numbers to strings, leave strings untouched %>
 <%= key %> = <%= value.is_a?(TrueClass) ? 'true' : value.is_a?(FalseClass) ? 'false' : value %>
 <% end -%>

--- a/site/profiles/templates/gitea/act_runner.service.erb
+++ b/site/profiles/templates/gitea/act_runner.service.erb
@ -4,7 +4,7 @@ Documentation=https://gitea.com/gitea/act_runner
 After=docker.service

 [Service]
-ExecStart=/usr/bin/act_runner daemon --config <%= @home %>/config.yaml
+ExecStart=/usr/local/bin/act_runner daemon --config <%= @home %>/config.yaml
 ExecReload=/bin/kill -s HUP $MAINPID
 WorkingDirectory=<%= @home %>
 TimeoutSec=0
--- a/site/profiles/templates/postfix/gateway/virtual_alias_maps.erb
+++ b/site/profiles/templates/postfix/gateway/virtual_alias_maps.erb
@ -0,0 +1,9 @@
+# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
+#
+# Defines virtual alias mappings
+# Maps email addresses or patterns to target addresses
+# Format: alias@foo.net    real@corp.foo.net
+
+<% @virtual_alias_maps.each do |source, target| -%>
+<%= source %>       <%= target %>
+<% end -%>
--- a/site/profiles/templates/postfix/gateway/virtual_mailbox_maps.erb
+++ b/site/profiles/templates/postfix/gateway/virtual_mailbox_maps.erb
@ -0,0 +1,9 @@
+# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
+#
+# Defines virtual mailbox mappings for dovecot delivery
+# Maps email addresses to maildir paths
+# Format: user@domain    maildir/path/
+
+<% @virtual_mailbox_maps.each do |email, path| -%>
+<%= email %>       <%= path %>
+<% end -%>
--- a/site/roles/manifests/infra/dns/externaldns.pp
+++ b/site/roles/manifests/infra/dns/externaldns.pp
@ -1,11 +0,0 @@
-# BIND server role for ExternalDNS integration
-class roles::infra::dns::externaldns {
-  if $facts['firstrun'] {
-    include profiles::defaults
-    include profiles::firstrun::init
-  } else {
-    include profiles::defaults
-    include profiles::base
-    include externaldns
-  }
-}
--- a/site/roles/manifests/infra/mail/backend.pp
+++ b/site/roles/manifests/infra/mail/backend.pp
@ -1,15 +1,12 @@
-# roles::infra::mail::backend
-#
-# Configures Stalwart IMAP backend servers in a clustered configuration
-# with PostgreSQL for data/fts/memory storage and S3/Ceph-RGW for blob storage.
-# Integrates with postfix hosts for SMTP relay functionality.
-#
+# a role to deploy a imap/pop3 backend for mail services
 class roles::infra::mail::backend {
  if $facts['firstrun'] {
    include profiles::defaults
    include profiles::firstrun::init
-  } else {
+  }else{
    include profiles::defaults
    include profiles::base
+    include profiles::dovecot::server
+    include profiles::postfix::gateway
  }
 }