Repository files navigation

• Stargazers over time
• How do I get started
  • For Consumers
  • For Developers
• Requirements
  • macOS
  • Ubuntu
• Local Development Guide
• Server Infrastructure
  • Naming Convention
  • Load Balancing
  • Provisioning
  • Deployment
• Deployment Advice
• Bare Metal Advice
• License

Visithttps://forwardemail.net to get started!

SeeRequirements andLocal Development Guide below.

1. Installn and Node v18.20.4:

   curl -L https://raw.githubusercontent.com/mklement0/n-install/stable/bin/n-install| bash -s -- -y 18.20.4

2. Ensure that you are running on Node v18.20.4:

   node --versionv18.20.4

3. Installbrew and the following dependencies usingbrew command:

   brew tap mongodb/brewbrew install mongodb-community redis libtool automake autoconf nasmbrew services start mongodb-communitybrew services start redis

4. Installpnpm:

   corepackenablecorepack prepare pnpm@9.15.9 --activate

5. Fork the repository from GitHub

6. Clone your fork locally (replaceforwardemail with your username):

   git clone git@github.com:forwardemail/forwardemail.net.gitcd forwardemail.net

7. Installnpm dependencies:

   pnpm install

8. Installwkhtmltopdf (optional: only used for generating PDF receipts)

1. Installn and Node v18.20.4:

   curl -L https://raw.githubusercontent.com/mklement0/n-install/stable/bin/n-install| bash -s -- -y 18.20.4

2. Ensure that you are running on Node v18.20.4:

   node --versionv18.20.4

3. Installpnpm:

   corepackenablecorepack prepare pnpm@9.15.9 --activate

4. Fork the repository from GitHub

5. Clone your fork locally (replaceforwardemail with your username):

   git clone git@github.com:forwardemail/forwardemail.net.gitcd forwardemail.net

6. Installnpm dependencies:

   pnpm install

7. Install fonts:

   echo ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eulaselecttrue| sudo debconf-set-selections

   sudo apt-get install xfonts-75dpi fontconfig libxrender1 xfonts-base ttf-mscorefonts-installer libfontconfig fonts-powerline

8. Installwkhtmltopdf (optional: only used for generating PDF receipts):

   wget"https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6.1-2/wkhtmltox_0.12.6.1-2.$(lsb_release -c -s)_$(dpkg --print-architecture).deb"sudo dpkg -i"wkhtmltox_0.12.6.1-2.$(lsb_release -c -s)_$(dpkg --print-architecture).deb"

9. Install MongoDB by following the guide athttps://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-ubuntu/#install-mongodb-community-edition

10. Install Redis by following the guide athttps://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-20-04.

Once you have followedRequirements, you should now have all the dependencies, repository, and npm packages installed.

You can start any of the services using our pre-built commands to make it easy. Note that all of these pre-built commands are usingnps.

You can test the local SMTP, IMAP, POP3, CalDAV, CardDAV servers usingThunderbird,telnet, oropenssl. Note that all local development servers do not require TLS and are running with{ rejectUnauthorized: true } option passed to TLS server configurations.

Try running the local web server:

npm start webAndWatch

It should open a new tab for you with the local web server running and terminal output usingsignale. You can now open your browser tohttp://localhost:3000 for a development playground.

You can also run all apps at once:

npm start all

Note that if you open your browser tohttp://localhost:3000 and no assets are rendering, then you must have forgotten to run a build beforehand. You can run builds manually by runningnpm run build.

An easy way to kill all existing Node apps running is by typingkillall node.

Our server alias naming convention consists of the following fields, joined together by a hyphen, and converted to lower case:

1. App name (e.g. "web", "api", "bree", "smtp", "imap", "pop3", "sqlite", "caldav", or "carddav")
2. (Optional) App count (starting with 1) of the application (relative to the same provider and region). Only applicable for apps with potential count > 1.
3. Provider name (abbreviated to 2 characters, e.g. "do" for "Digital Ocean", but you can optionally use more verbose for providers such as "DataPacket" as "dp")
4. Region name (this is the region name given by the provider, e.g. "sfo3" for DO's SFO3 region)

For example, one of our web servers is namedweb-dp-dv-co (for Web > DataPacket > Denver > Colorado).

All server aliases with the same hostname (with a minimum count of at least 2) are set in Cloudflare under a geo-located load balancer.

Unless otherwise noted, all of the servers should have dedicated CPU's and not be running in a shared CPU environment.

See theansible folder for ourAnsible configuration and playbooks, which we use to provision servers with.

We recommend you to installyamllint and configure it in your editor while working withAnsible playbooks.

Also note thatansible-lint is a helpful linting tool you can use if you plan on making changes to playbooks. Note that our current playbooks have several existing lint errors.

First you must provision Ubuntu 18.04 LTS 64-bit server(s) usingDigital Ocean,Linode,Vultr, or your host of choice. These newly provisioned server(s) should have your SSH key automatically added.

Follow theDeployment guide below for automatic provisioning and deployment instructions.

1. Ensure that you havepm2 installed locally:

   npm i -g pm2

2. Ensure that you haveansible andansible-lint installed locally:

   For macOS:

   brew install ansible ansible-lint

   For Ubuntu:

   sudo apt-add-repository ppa:ansible/ansiblesudo apt updatesudo apt install ansiblepip3 install ansible-lint

3. Installansible-galaxy requirements (assumes current working directory is the root of this repository):

   ansible-galaxy install -r ansible/requirements.yml

4. Set up host configuration by copying thehosts.yml file template:

   cp ansible/playbooks/templates/hosts.yml hosts.yml

5. Edit this configuration and update the file with your newly created server aliases and IP addresses. You can add more than one host to each group if you are setting up load balancing. Refer to theNaming Convention documentation for our recommended approach to server alias naming. Note that this file is automatically ignored by git. If you have a private repository and would like to commit this, then removehosts.yml from the root.gitignore file.

   vim hosts.yml

6. Set up environment configuration by copying theenv file template:

   cp ansible/playbooks/templates/env .env.production

7. Edit this configuration and reference the officialLad documentation for a list of all available environment variables (or see.env.defaults).You will need to open this file in your preferred editor and set the values for any fields containingTODO, whereby you replaceTODO with the appropriate value. Preserve double quotes where they are already defined.

   vim .env.production

8. Generatepm2ecosystem files using our automatic template generator. We created anansible-playbook.js which loads the.env.production environment variables rendered with@ladjs/env intoprocess.env, which then gets used in the playbooks. This is a superior, simple, and the only known dotenv approach we know of in Ansible. Newly createdecosystem-api.json,ecosystem-bree.json,ecosystem-web.json,ecosystem-smtp.json,ecosystem-imap.json,ecosystem-pop3.json,ecosystem-sqlite.json,ecosystem-caldav.json, andecosystem-carddav.json files will now be created for you in the root of the repository. If you ever more add or change IP addresses, you can simply re-run this command.

   node ansible-playbook ansible/playbooks/ecosystem.yml -l'localhost'

9. Set up the web, API, CalDAV, and CardDAV server(s) (seepatterns and ansible-playbook flags docs if you need help). If you completely (or partially) run this playbook (or any others below), then the second time you try to run it may not succeed. This is because we prevent root user access through security hardening. To workaround this, run the same command but without--user root appended as it will default to thedevops user created.

   node ansible-playbook ansible/playbooks/http.yml --user root -l'http'

10. Set up the Bree server(s):

    node ansible-playbook ansible/playbooks/bree.yml --user root -l'bree'

11. Set up the SMTP server(s):

    node ansible-playbook ansible/playbooks/smtp.yml --user root -l'smtp'

12. Set up the IMAP server(s):

    node ansible-playbook ansible/playbooks/imap.yml --user root -l'imap'

13. Set up the POP3 server(s):

    node ansible-playbook ansible/playbooks/pop3.yml --user root -l'pop3'

14. Set up the SQLite server(s):

    node ansible-playbook ansible/playbooks/sqlite.yml --user root -l'sqlite'

15. Set up the MX server(s):

    node ansible-playbook ansible/playbooks/mx1.yml --user root -l'mx1'node ansible-playbook ansible/playbooks/mx2.yml --user root -l'mx2'

16. Set up GitHub deployment keys for all the servers. Note that thedeployment-keys directory is ignored from git, so if you have a private repository and wish to commit it, then removedeployment-keys from the.gitignore file.

    node ansible-playbook ansible/playbooks/deployment-keys.yml -l'imap:pop3:smtp:http:bree:sqlite:mx1:mx2' --user deploy

17. Go to your repository "Settings" page on GitHub, click on "Deploy keys", and then add a deployment key for each servers' deployment key copied to thedeployment-keys directory. If you're on macOS, you can use thepbcopy command to copy each file's contents to your clipboard. Use tab completion for speed, and replace the server names and paths with yours. You can also use thegh CLI athttps://cli.github.com/manual/gh_repo_deploy-key_add as shown below (switch the repo/org/repo paths and deployment key paths below to yours):

    gh repo deploy-key add deployment-keys/api-vu-sj-ca.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/api-dp-dv-co.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/web-dp-dv-co.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/web-vu-sj-ca.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/bree-vu-sj-ca.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/bree-dp-dv-co.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/smtp-vu-sj-ca.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/smtp-dp-dv-co-1.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/smtp-dp-dv-co-2.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/smtp-dp-dv-co-3.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/imap-dp-dv-co.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/pop3-vu-sj-ca.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/pop3-dp-dv-co.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/sqlite-dp-dv-co.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/caldav-dp-dv-co.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/carddav-dp-dv-co.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/mx1-dp-dv-co.pub -R forwardemail/forwardemail.netgh repo deploy-key add deployment-keys/mx2-dp-dv-co.pub -R forwardemail/forwardemail.net

18. Set up PM2 deployment directories on all the servers:

    pm2 deploy ecosystem-web.json production setup

    pm2 deploy ecosystem-api.json production setup

    pm2 deploy ecosystem-bree.json production setup

    pm2 deploy ecosystem-smtp.json production setup

    pm2 deploy ecosystem-imap.json production setup

    pm2 deploy ecosystem-pop3.json production setup

    pm2 deploy ecosystem-sqlite.json production setup

    pm2 deploy ecosystem-caldav.json production setup

    pm2 deploy ecosystem-carddav.json production setup

    pm2 deploy ecosystem-mx.json production setup

19. Create a SSL certificate atNamecheap (we recommend a 5 year wildcard certificate), set up the certificate, and download and extract the ZIP file with the certificate (emailed to you) to your computer. We do not recommend using tools likeLetsEncrypt andcertbot due to complexity when you have (or scale to) a cluster of servers set up behind load balancers. In other words, we've tried approaches likelsyncd in combination withcrontab forcertbot renewals and automatic checking. Furthermore, using this exposes the server(s) to downtime as ports80 and443 may need to be shut down so thatcertbot can use them for certificate generation. This is not a reliable approach, and simply renewing certificates once a year is vastly simpler and also makes using load balancers trivial. Instead you can use a provider likeNamecheap to get a cheap SSL certificate, then run a few commands as we've documented below. This command will prompt you for an absolute file path to the certificates you downloaded. Renewed your certificate after 1 year? Simply follow this step again. Do not set a password on the certificate files. When using theopenssl command (see Namecheap instructions), you need to use*.example.com with an asterisk followed by a period if you are registering a wildcard certificate.

    node ansible-playbook ansible/playbooks/certificates.yml --user deploy

    Important: If you renew or change certificates in the future, then after running the previous command, you will subsequently need to reload the processes as such:

    ## NOTE: See the "Important" note above BEFORE running this command.#       This command ONLY APPLIES for certificate renewals/changes.#pm2 deploy ecosystem-web.json productionexec"pm2 reload all"pm2 deploy ecosystem-api.json productionexec"pm2 reload all"pm2 deploy ecosystem-smtp.json productionexec"pm2 reload all"pm2 deploy ecosystem-imap.json productionexec"pm2 reload all"pm2 deploy ecosystem-pop3.json productionexec"pm2 reload all"pm2 deploy ecosystem-sqlite.json productionexec"pm2 reload all"pm2 deploy ecosystem-caldav.json productionexec"pm2 reload all"pm2 deploy ecosystem-carddav.json productionexec"pm2 reload all"pm2 deploy ecosystem-mx.json productionexec"pm2 reload all"

20. Create a DKIM key for your domain name (must matchWEB_HOST environment variable) with a default selector ofdefault (must matchDKIM_KEY_SELECTOR environment variable). Then upload it to the servers:

    node ansible-playbook ansible/playbooks/dkim.yml --user deploy

21. (Optional) Create a Google application credentials profile file and store it locally. You only need this if you want to support automatic translation. The following command will prompt you for the absolute file path (e.g./path/to/client-profile.json). See themandarin docs for more information.

    node ansible-playbook ansible/playbooks/gapp-creds.yml --user deploy

22. (Optional) Copy over custom TTF or OTF fonts to be installed on the server (e.g. used for PDF rendering, rendering with Sharp, open-graph images, etc):

    node ansible-playbook ansible/playbooks/fonts.yml --user deploy

    Note that at the time of this writing we copy these files:

    • inconsolata-dz.otf
    • VCHoney-Bold.otf
    • VCHoney-Regular.otf
    • VCHoney-SemiBold.otf

23. (Optional) Copy over GPG keys to be installed on the server (e.g. used for GPG signingsecurity.txt, seehttps://forwardemail.net/security.txt).

    NOTE: This assumes that you have also set in.env file the keys ofGPG_SECURITY_KEY with the full file path to the keyandGPG_SECURITY_PASSPHRASE with the GPG passphrase. You can export viagpg --armor --export-secret-key YOURKEYIDHERE > .gpg-security-key. You can getYOURKEYIDHERE viagpg --list-keys. You can generate a key withgpg --full-generate-key (e.g. forsupport@yourdomain.com orsecurity@yourdomain.com). Note you should also update the path inconfig/index.js foropenPGPKey value.

    node ansible-playbook ansible/playbooks/gpg-security-key.yml --user deploy

24. Copy the.env.production to the servers:

    node ansible-playbook ansible/playbooks/env.yml --user deploy

25. Run an initial deploy to all the servers:

    pm2 deploy ecosystem-web.json production

    pm2 deploy ecosystem-api.json production

    pm2 deploy ecosystem-bree.json production

    pm2 deploy ecosystem-smtp.json production

    pm2 deploy ecosystem-imap.json production

    pm2 deploy ecosystem-pop3.json production

    pm2 deploy ecosystem-sqlite.json production

    pm2 deploy ecosystem-caldav.json production

    pm2 deploy ecosystem-carddav.json production

    pm2 deploy ecosystem-mx.json production

26. Save the process list on the servers so when if the server were to reboot, it will automatically boot back up the processes:

    pm2 deploy ecosystem-web.json productionexec"pm2 save"

    pm2 deploy ecosystem-api.json productionexec"pm2 save"

    pm2 deploy ecosystem-bree.json productionexec"pm2 save"

    pm2 deploy ecosystem-smtp.json productionexec"pm2 save"

    pm2 deploy ecosystem-imap.json productionexec"pm2 save"

    pm2 deploy ecosystem-pop3.json productionexec"pm2 save"

    pm2 deploy ecosystem-sqlite.json productionexec"pm2 save"

    pm2 deploy ecosystem-caldav.json productionexec"pm2 save"

    pm2 deploy ecosystem-carddav.json productionexec"pm2 save"

    pm2 deploy ecosystem-mx.json productionexec"pm2 save"

27. Test by visiting your web and API server in your browser (click "proceed to unsafe" site and bypass certificate warning).

28. Configure your DNS records for the web and API server hostnames and respective IP addresses.

29. Test by visiting your web and API server in your browser (in an incognito window). There should not be any certificate warnings (similar to the one that occurred in step 15).

30. (Optional) Remove the local.env.production file for security purposes. If you do this, then make sure you have a backup, or securely back up off the server in the future before destroying the server.

    rm .env.production

31. (Optional) Remove the local certificate files you downloaded locally and specified in step 11. If you do this, then make sure you have a backup, or securely back up off the server in the future before destroying the server.

32. Finished. If you need to deploy again, then push your changes to GitHubmaster branch and then follow step 14 again. We recommend you to read theAnsible getting started guide, as it provides you with insight into commands likeansible all -a "echo hello" which can be run across all or specific servers.

If you do not change any assets, then there is no reason to do a full deployment.

For example, if you made changes to a web controller, then you only need to deploy it to the web codebase without a build:

pm2 deploy ecosystem-web.json productionexec"git reset --hard HEAD && git pull origin master && pm2 reload all"

To set up initial servers, you may need to append the flag-- to the scripts above, for example:

node ansible-playbook ansible/playbooks/mx2.yml --user ubuntu -l'mx2' --ask-become-pass

If you are provisioning servers after IPMI/VPN access, then you may need to take these additional steps:

1. Remove theubuntu (or other named) default user created during ISO installation:

   sudo deluser --remove-home ubuntu

2. Resize the disk partition to 100%:

   df -hsudo lvdisplaysudo lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lvsudo resize2fs /dev/mapper/ubuntu--vg-ubuntu--lvdf -h

3. Setupcrypttab for auto-mount of LUKS encrypted root volume:

   Important: if you have multiple LUKS devices you cannot use these steps below.Instead you will need to modify the one-liner commands below to specifically replace UUID value.This guide only accounts for one LUKS encrypted volume (e.g. usesudo blkid | grep "crypto_LUKS" orrefer to this guide to determine your values).

   Run the following commands individually:

   sudo mkdir /etc/lukssudo dd if=/dev/urandom of=/etc/luks/root.keyfile bs=4096 count=1sudo chmod 700 /etc/lukssudo chmod 400 /etc/luks/root.keyfilesudo cryptsetup luksAddKey$(sudo blkid| grep"crypto_LUKS"| cut -d':' -f 1| head -n 1) /etc/luks/root.keyfileecho"KEYFILE_PATTERN=/etc/luks/*.keyfile"| sudo tee -a /etc/cryptsetup-initramfs/conf-hookecho"UMASK=0077"| sudo tee -a /etc/initramfs-tools/initramfs.confsudo sed -i'/dm_crypt-0/d' /etc/crypttabecho"dm_crypt-0 UUID=$(sudo blkid| grep"crypto_LUKS"| cut -d'"' -f 2| head -n 1) /etc/luks/root.keyfile luks,discard"| sudo tee -a /etc/crypttab> /dev/null

   sudo vim /etc/initramfs-tools/hooks/cryptroot

   +#!/bin/sh+cp /etc/crypttab "${DESTDIR}/cryptroot/crypttab"+sed -i 's/\/etc\/luks\/root\.keyfile/\/cryptroot\/keyfiles\/dm_crypt-0\.key/' "${DESTDIR}/cryptroot/crypttab"+exit 0

   sudo chmod +x /etc/initramfs-tools/hooks/cryptrootsudo update-initramfs -c -k all

   NOTE: THE REST OF THIS STEP IS NOT MEANT TO BE COPIED/PASTED, IT IS A SECTION DEDICATED FOR DEBUGGING:

   If you get sent to aBusyBox shell on reboot, then something in your configuration is wrong.

   Fortunately you can regain access by running the following command (source):

   Note that the path to/dev/nvme0n1p3 will instead be the path to your device in/dev that uses LUKS encryption for mounting as the root volume (in our case it's a NVMe SSD, hencenvme in the name).

   sudo cryptsetup luksOpen /dev/nvme0n1p3 dm_crypt-0exit

   Additionally, you can inspect yourinitrd image (the generated file fromsudo update-initramfs -c -k all) using these commands (source):

   sudo update-initramfs -c -k all

   sudo -irm -rf /tmp/xmkdir /tmp/xcd /tmp/xunmkinitramfs -v /boot/initrd.img-$(uname -r).cd /tmp/x/main/cryptroot/crypttabll

4. If you need to configure IPv6 on your server, here is an example network config:

   sudo vim /etc/cloud/cloud.cfg.d/90-installer-network.cfg

   ReplaceIPV4_GOES_HERE with IPv4 address,IPV6_GOES_HERE with IPv6 address,IPV6_GATEWAY with IPv6 gateway, andIPV4_GATEWAY with IPV4 gateway:

   For a comparison of802.3ad and other parameter mode values such asbalance-rr,please see this article on ServerFault.

   You may need to remove or change thetransmit-hash-policy as well for your configuration.

   # This is the network config written by 'subiquity'network:  bonds:    bond0:      addresses:      - IPV4_GOES_HERE/24      - IPV6_GOES_HERE/64      interfaces:      - enp1s0f0      - enp1s0f1      nameservers:        addresses:        - 1.1.1.1        - 1.0.0.1        - 2606:4700:4700::1111        - 2606:4700:4700::1001        search: []      parameters:        mode: 802.3ad        transmit-hash-policy: layer3+4      routes:      - to: ::/0        via: IPV6_GATEWAY      - to: default        via: IPV4_GATEWAY  ethernets:    enp1s0f0: {}    enp1s0f1: {}  version: 2

5. If you need to encrypt and auto-mount a disk, e.g. NVMe SSD drive at/mnt/storage_do_1 for SQLite (SQLITE_STORAGE_PATH; seehelpers/get-path-to-database.js):

   1. Get partition name:

      lsblk

   2. Encrypt partition with LUKS:

      NOTE: Do not useaes-xts-plain – instead you should useaes-xts-plain64 as shown below – this is becauseaes-xts-plain has limitations on larger containers over 2 TiB and does not offer the same protection asaes-xts-plain64.

      NOTE: Replacenvme1n1 with the name of the unencrypted partition shown in step 1:

      mkdir -p /etc/luks-keyssudo touch /etc/luks-keys/key.keysudo chmod 400 /etc/luks-keys/key.keysudo dd if=/dev/urandom of=/etc/luks-keys/key.key bs=4096 count=1sudo cryptsetup --cipher aes-xts-plain64 --key-file=/etc/luks-keys/key.key --key-size 512 --hash sha512 -v luksFormat /dev/nvme1n1 --batch-mode

   3. Open the partition:

      NOTE: Replacenvme1n1 with the name of the unencrypted partition shown in step 1:

      sudo cryptsetup -v --key-file=/etc/luks-keys/key.key luksOpen /dev/nvme1n1 nvme1n1

   4. Get UUID of storage device:

      sudo cryptsetup luksDump /dev/nvme1n1| grep UUID| sed -e"s/UUID: //"| sed's/^[[:space:]]*//;s/[[:space:]]*$//'

      NOTE: This will output a UUID value such as the following, which you need to use later:

      f0f59f79-f8f8-4a39-8dd7-a04ccc5e50a3

   5. Add to/etc/crypttab:

      NOTE: Replacenvme1n1 with the name of the unencrypted partition shown in step 1:

      NOTE: Replace theUUID value with the value output from above.

      echo"nvme1n1 UUID=f0f59f79-f8f8-4a39-8dd7-a04ccc5e50a3 /etc/luks-keys/key.key luks"| sudo tee -a /etc/crypttab

   6. Initialize mapper:

      NOTE: Replacenvme1n1 with the name of the unencrypted partition shown in step 1:

      sudo cryptdisks_start nvme1n1

   7. Create partition:

      NOTE: Replacenvme1n1 with the name of the unencrypted partition shown in step 1:

      sudo mkfs -t ext4 -L nvme1n1 /dev/mapper/nvme1n1

   8. Add to/etc/fstab:

      NOTE: Replacenvme1n1 with the name of the unencrypted partition shown in step 1:

      echo"/dev/mapper/nvme1n1 /mnt/storage_do_1 ext4 defaults 0 2"| sudo tee -a /etc/fstab

   9. Mount it and adjust permissions todeploy user:

      sudo mkdir -p /mnt/storage_do_1sudo mount -asudo chown -R deploy:deploy /mnt/storage_do_1

(BUSL-1.1 AND MPL-2.0) ©Forward Email LLC