From: Hamatoma Date: Wed, 23 Apr 2025 06:46:02 +0000 (+0200) Subject: Important refactoring and improvements X-Git-Url: https://gitweb.hamatoma.de/?a=commitdiff_plain;h=refs%2Fheads%2Fmain;p=ansknife.git Important refactoring and improvements --- diff --git a/.stdusr b/.stdusr new file mode 100644 index 0000000..f0b4160 --- /dev/null +++ b/.stdusr @@ -0,0 +1 @@ +STD_USER=wk diff --git a/playbooks.templates/i_10_basic.yaml b/playbooks.templates/i_10_basic.yaml index d806556..2530b6e 100644 --- a/playbooks.templates/i_10_basic.yaml +++ b/playbooks.templates/i_10_basic.yaml @@ -1,57 +1,57 @@ --- - +# Ansible playbook to prepare the system for a standarized server - hosts: all vars: hostname: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+')}}" tasks: - name: Prepare /media/trg directory - file: path=/media/trg state=directory + ansible.builtin.file: path=/media/trg state=directory - name: Prepare /media/tmp directory - file: path=/media/trg state=directory + ansible.builtin.file: path=/media/trg state=directory - name: Prepare /media/fs.cave directory - file: path=/media/fs.cave state=directory + ansible.builtin.file: path=/media/fs.cave state=directory - name: Prepare /media/fs.sys directory - file: path=/media/fs.sys state=directory + ansible.builtin.file: path=/media/fs.sys state=directory - name: Prepare /usr/local/bin directory - file: path=/usr/local/bin state=directory + ansible.builtin.file: path=/usr/local/bin state=directory - name: Prepare /usr/local/bin/local directory - file: path=/usr/local/bin/local state=directory + ansible.builtin.file: path=/usr/local/bin/local state=directory - name: Prepare /usr/share/pyrshell directory - file: path=/usr/share/pyrshell state=directory + ansible.builtin.file: path=/usr/share/pyrshell state=directory - name: Symbolic link to local directory - file: src=/usr/local/bin/local dest=/usr/local/bin/{{hostname}} state=link + ansible.builtin.file: src=/usr/local/bin/local dest=/usr/local/bin/{{hostname}} state=link - name: Unpack a tar into /usr/local/bin/local unarchive: src=../resources/needed.tgz dest=/usr/local/bin - name: Symbolic link to /p - file: src=/usr/local/bin/std.profile dest=/p state=link + ansible.builtin.file: src=/usr/local/bin/std.profile dest=/p state=link - name: Unpack a tar into /usr/share/pyrshell unarchive: src=../resources/rsh.tgz dest=/usr/share/pyrshell - name: Create user bupsrv - user: name=bupsrv state=present uid=201 + ansible.builtin.user: name=bupsrv state=present uid=201 - name: Create user bupsupply - user: name=bupsupply state=present uid=202 + ansible.builtin.user: name=bupsupply state=present uid=202 - name: Create ssh directory for bupsupply - file: path=/home/bupsupply/.ssh state=directory group=bupsupply owner=bupsupply mode=0700 + ansible.builtin.file: path=/home/bupsupply/.ssh state=directory group=bupsupply owner=bupsupply mode=0700 - name: Create authorized_keys for bupsupply - file: path=/home/bupsupply/.ssh/authorized_keys state=touch group=bupsupply owner=bupsupply mode=0600 + ansible.builtin.file: path=/home/bupsupply/.ssh/authorized_keys state=touch group=bupsupply owner=bupsupply mode=0600 - name: Create user bupwiki - user: name=bupwiki state=present uid=203 + ansible.builtin.user: name=bupwiki state=present uid=203 - name: Create user buptmp - user: name=buptmp state=present uid=204 + ansible.builtin.user: name=buptmp state=present uid=204 - name: Create ssh directory for buptmp - file: path=/home/buptmp/.ssh state=directory group=buptmp owner=buptmp mode=0700 + ansible.builtin.file: path=/home/buptmp/.ssh state=directory group=buptmp owner=buptmp mode=0700 - name: Create authorized_keys for buptmp - file: path=/home/buptmp/.ssh/authorized_keys state=touch group=buptmp owner=buptmp mode=0600 + ansible.builtin.file: path=/home/buptmp/.ssh/authorized_keys state=touch group=buptmp owner=buptmp mode=0600 - name: Create user extdata - user: name=extdata state=present uid=211 + ansible.builtin.user: name=extdata state=present uid=211 - name: Create user extcloud - user: name=extcloud state=present uid=212 + ansible.builtin.user: name=extcloud state=present uid=212 - name: Create user extbup - user: name=extbup state=present uid=213 + ansible.builtin.user: name=extbup state=present uid=213 - name: Create configuration directory - file: path=/etc/config state=directory mode=0700 + ansible.builtin.file: path=/etc/config state=directory mode=0700 - name: Create webapp.d - file: path=/etc/config/webapps.d state=directory mode=0700 + ansible.builtin.file: path=/etc/config/webapps.d state=directory mode=0700 - name: install standard packages apt: name: "{{ item }}" diff --git a/playbooks.templates/i_20_nginx.yaml b/playbooks.templates/i_20_nginx.yaml index 188c31e..3124ba9 100644 --- a/playbooks.templates/i_20_nginx.yaml +++ b/playbooks.templates/i_20_nginx.yaml @@ -8,54 +8,54 @@ hostname: "{{ inventory_hostname }}" log_name: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+') }}" vars_files: + - ../var/common.yaml - ../var/ssl-certificate.yaml tasks: - name: Install nginx - apt: + ansible.builtin.apt: name: nginx state: latest update_cache: yes - name: Prepare letsencrypt home directory - file: path=/home/www/letsencrypt/.well-known/acme-challenge state=directory + ansible.builtin.file: path=/srv/www/letsencrypt/.well-known/acme-challenge state=directory - name: Add test file1 - copy: src=../templates/nginx/hi1.txt dest=/home/www/letsencrypt/.well-known/ + ansible.builtin.copy: src=../templates.fix/nginx/hi1.txt dest=/srv/www/letsencrypt/.well-known/ - name: Add test file2 - copy: src=../templates/nginx/hi2.txt dest=/home/www/letsencrypt/.well-known/acme-challenge/hi2.txt + ansible.builtin.copy: src=../templates.fix/nginx/hi2.txt dest=/srv/www/letsencrypt/.well-known/acme-challenge/hi2.txt - name: Prepare letsencrypt - copy: - src: ../templates/nginx/letsencrypt.conf + ansible.builtin.copy: + src: ../templates.fix/nginx/letsencrypt.conf dest: /etc/nginx/snippets - name: add HTTP-variables - copy: - src: ../templates/nginx/http.conf + ansible.builtin.copy: + src: ../templates.local/nginx/http.conf dest: /etc/nginx/snippets - name: create a www directory - file: path=/home/www state=directory owner=root group=www-data - + ansible.builtin.file: path={{ remote_www_directory }} state=directory owner=root group=www-data - name: create the /srv/www link - file: src=/home/www dest=/srv/www state=link + ansible.builtin.file: src={{ remote_www_directory }} dest=/srv/www state=link - name: Ensure nginx is running - systemd: + ansible.builtin.systemd: name: nginx state: started enabled: yes - name: create a test virtual hosts - template: - src: ../templates/nginx/test.site + ansible.builtin.template: + src: ../templates.fix/nginx/test.site dest: /etc/nginx/sites-available/{{hostname}} - name: activate by link in sites-enabled - file: + ansible.builtin.file: src: /etc/nginx/sites-available/{{hostname}} dest: /etc/nginx/sites-enabled/{{hostname}} state: link - name: create a ssh-certificate - command: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/{{hostname}}.key -out /etc/ssl/certs/{{hostname}}.pem -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{hostname}}" + ansible.builtin.command: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/{{hostname}}.key -out /etc/ssl/certs/{{hostname}}.pem -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{hostname}}" args: creates: /etc/ssl/private/{{hostname}}.key - name: create a document root - file: dest=/srv/www/{{hostname}} state=directory owner=www-data group=www-data + ansible.builtin.file: dest=/srv/www/{{hostname}} state=directory owner=www-data group=www-data - name: create a test index.html - template: src=../templates/nginx/index.html dest=/srv/www/{{hostname}}/index.html + template: src=../templates.fix/nginx/index.html dest=/srv/www/{{hostname}}/index.html - name: create a test index.php - copy: src=../templates/nginx/index.php dest=/srv/www/{{hostname}}/index.php + ansible.builtin.copy: src=../templates.fix/nginx/index.php dest=/srv/www/{{hostname}}/index.php diff --git a/playbooks.templates/i_30_mariadb.yaml b/playbooks.templates/i_30_mariadb.yaml index cc81299..fc72983 100644 --- a/playbooks.templates/i_30_mariadb.yaml +++ b/playbooks.templates/i_30_mariadb.yaml @@ -3,8 +3,8 @@ - name: Install mariadb ansible.builtin.apt: name: - - mariadb-server - - python3-mysqldb + - "mariadb-server" + - "python3-mysqldb" state: latest update_cache: yes - name: Ensure mariadb is running diff --git a/playbooks.templates/i_40_php8.2.yaml b/playbooks.templates/i_40_php8.2.yaml index 0d95ebd..2f7956b 100644 --- a/playbooks.templates/i_40_php8.2.yaml +++ b/playbooks.templates/i_40_php8.2.yaml @@ -5,19 +5,19 @@ - ../var/php.yaml pre_tasks: - name: - apt: + ansible.builtin.apt: name: gpg state: present update_cache: true - name: add packages.sury.org (Debian case) block: - name: add gpg repo key - apt_key: + ansible.builtin.apt_key: url: 'https://packages.sury.org/php/apt.gpg' state: present - name: add apt repo - apt_repository: + ansible.builtin.apt_repository: repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release|lower }} main' state: present filename: php diff --git a/playbooks.templates/i_60_postfix.yaml b/playbooks.templates/i_60_postfix.yaml index 32f997d..eb4aeae 100644 --- a/playbooks.templates/i_60_postfix.yaml +++ b/playbooks.templates/i_60_postfix.yaml @@ -18,8 +18,8 @@ - postfix - mailutils - name: build the main.cf - copy: - src: "../resources/postfix/{{ item }}" + ansible.builtin.copy: + src: "../templates.local/postfix/send_only/{{ item }}" dest: "/etc/postfix/{{ item }}" mode: 0640 owner: root @@ -31,7 +31,7 @@ - restart postfix - name: create alias template: - src: "../resources/postfix/aliases" + src: "../templates.local/postfix/aliases" dest: "/etc/aliases" mode: 0640 owner: root @@ -40,17 +40,18 @@ - restart postfix - name: create virtual alias template: - src: "../resources/postfix/virtual" + src: "../templates.local/postfix/virtual" dest: "/etc/postfix/virtual" mode: 0640 owner: root group: root + when: postfix_mode == "email_forwarding" notify: - restart postfix - name: create the mailname file - copy: + ansible.builtin.copy: content: | - {{ postfix_domain }} + {{ postfix_host }} dest: "/etc/mailname" mode: 0644 owner: root @@ -58,7 +59,7 @@ notify: - restart postfix - name: create a script to activate the virtual alias - copy: + ansible.builtin.copy: content: | #! /bin/bash postmap virtual @@ -66,6 +67,7 @@ mode: 0700 owner: root group: root + when: postfix_mode == "email_forwarding" notify: - postalias - name: Ensure postfix is running @@ -81,7 +83,7 @@ - name: postalias shell: postalias /etc/aliases - name: postmap - shell: postalias /etc/postfix/virtual + shell: postmap /etc/postfix/virtual diff --git a/playbooks.templates/i_62_postfix_dkim.yaml b/playbooks.templates/i_62_postfix_dkim.yaml new file mode 100644 index 0000000..195ebae --- /dev/null +++ b/playbooks.templates/i_62_postfix_dkim.yaml @@ -0,0 +1,38 @@ +--- +# Installs the the spam reducing staff for postfix: SPF DKIM DMARYC +# Needed facts (variables): +# - +# Needed role installation: +- hosts: all + vars_files: + - ../var/common.yaml + - ../var/antispam.yaml + tasks: + - name: install the packages + ansible.builtin.package: + name: "{{ item }}" + state: present + with_items: [ postfix-policyd-spf-python, opendkim, opendkim-tools, opendmarc] + # ====== SPF ====== + - name: Configure the SPF staff + ansible.builtin.include_tasks: ../tasks/t_spf_configuration.yaml + # ====== DKIM ====== + - name: Configure the DKIM staff + ansible.builtin.include_tasks: ../tasks/t_dkim.yaml + # ====== DMARC ====== + - name: Configure the DMARC staff + ansible.builtin.include_tasks: ../tasks/t_dmarc.yaml + handlers: + - name: restart opendkim + ansible.builtin.systemd: + name: opendkim + state: restarted + - name: restart opendmarc + ansible.builtin.systemd: + name: opendmarc + state: restarted + - name: restart postfix + ansible.builtin.systemd: + name: postfix + state: restarted + diff --git a/playbooks.templates/i_99_test.yaml b/playbooks.templates/i_99_test.yaml index ec4552f..910626c 100644 --- a/playbooks.templates/i_99_test.yaml +++ b/playbooks.templates/i_99_test.yaml @@ -1,6 +1,6 @@ --- - name: Install and configure with letsencrypt - hosts: all + hosts: localhost become: yes vars: @@ -11,8 +11,14 @@ vars_files: - ../var/webapps.yaml tasks: + - name: Test regexpr + lineinfile: + dest: /tmp/wk.conf + regexp: '^{{ item }}\s*=\s*Fail' + line: "{{ item }} = False" + with_items: [x, y] - name: Test Dateiänderung - copy: + ansible.builtin.copy: content: | Line 1 Line 2 diff --git a/playbooks/create_project.yaml b/playbooks/create_project.yaml index 3ac29f8..71d866d 100644 --- a/playbooks/create_project.yaml +++ b/playbooks/create_project.yaml @@ -1,41 +1,54 @@ --- +# Create a new project directory structure for an Ansible project. +# needed facts (variables) from the commandline: - hosts: localhost - become: yes + become: true tasks: + - name: check if postfix_mode is defined + ansible.builtin.fail: + msg: "The 'postfix_mode' variable is not defined. -e postfix_mode=none|send_only|email_forwarding" + when: postfix_mode is not defined - name: Check if project variable is defined - fail: + ansible.builtin.fail: msg: "The 'project' variable is not defined. -e project=your_project_name" when: project is not defined - name: Prepare base directory for {{ project }} - file: path=../../{{ project }} state=directory + ansible.builtin.file: path=../../{{ project }} state=directory - name: create sub directories for {{ project }} - file: path=../../{{ project }}/{{ item }} state=directory + ansible.builtin.file: path=../../{{ project }}/{{ item }} state=directory with_items: [playbooks, tasks, var, scripts, templates, resources, roles] - name: create the links into the resources directory - file: - src: "../../ansknife/resources/{{ item }}" - dest: "../resources/{{ item }}" + ansible.builtin.file: + src: ../../ansknife/resources/{{ item }}" + dest: "../../{{ project }}/resources/{{ item }}" + force: yes state: link with_items: [needed.tgz, rsh.tgz] - name: create the nginx link into the templates directory - file: + ansible.builtin.file: src: "../../ansknife/templates/nginx" - dest: "../templates/nginx" - state: link - - name: create the postfix link into the templates directory - file: - src: "../../ansknife/templates/postfix" - dest: "../templates/postfix" + dest: "../../{{ project }}/templates/nginx" + force: yes state: link + - name: create the postfix directory in the templates directory + ansible.builtin.file: + path: "../../{{ project }}/resources/postfix" + state: directory + - name: copy the postfix configuration files into the resources directory + ansible.builtin.template: + src: "../templates/postfix/{{ postfix_mode }}/{{ item }}" + dest: "../../{{ project }}/resources/postfix/{{ item }}" + when: postfix_mode != 'none' + with_items: [master.cf, main.cf] - name: Prepare task facts - set_fact: + ansible.builtin.set_fact: src_dir: '../templates/var' dest_dir: "../../{{ project }}/var" pattern: "*.yaml" - name: Copy var.templates - import_tasks: ../tasks.templates/t_copy_wildcard.yaml + ansible.builtin.import_tasks: ../tasks.templates/t_copy_wildcard.yaml - name: Prepare facts for links in playbooks - set_fact: + ansible.builtin.set_fact: src_dir: '../playbooks.templates' src_relative: '../../ansknife/playbooks.templates' dest_dir: "../../{{ project }}/playbooks" @@ -43,13 +56,13 @@ - name: Create links in playbooks import_tasks: ../tasks.templates/t_link_wildcard.yaml - name: Prepare facts for links in tasks - set_fact: + ansible.builtin.set_fact: src_dir: '../tasks.templates' src_relative: '../../ansknife/tasks.templates' dest_dir: "../../{{ project }}/tasks" pattern: "*.yaml" - name: Create links in tasks - import_tasks: ../tasks.templates/t_link_wildcard.yaml + ansible.builtin.import_tasks: ../tasks.templates/t_link_wildcard.yaml - name: Prepare facts for links in scripts set_fact: src_dir: "../scripts.templates" @@ -57,7 +70,7 @@ dest_dir: "../../{{ project }}/scripts" pattern: "*" - name: Create links in scripts - import_tasks: ../tasks.templates/t_link_wildcard.yaml + ansible.builtin.import_tasks: ../tasks.templates/t_link_wildcard.yaml - name: create a README file copy: dest: ../../{{ project }}/README.md @@ -67,13 +80,13 @@ # Description This project defines the software of the server - name: create a CHANGELOG file - copy: + ansible.builtin.copy: dest: ../../{{ project }}/CHANGELOG.md content: | # V0.1.0 - Initial version - name: create a the inventory (host definition) - copy: + ansible.builtin.copy: dest: ../../{{ project }}/inventory content: | [hosts] @@ -84,7 +97,7 @@ ansible_user=ansadm ansible_become=yes - name: create a the ansible configuration file - copy: + ansible.builtin.copy: dest: ../../{{ project }}/ansible.cfg content: | [defaults] diff --git a/scripts.templates/SetRights b/scripts.templates/SetRights index b532e93..c6005fc 100755 --- a/scripts.templates/SetRights +++ b/scripts.templates/SetRights @@ -1,4 +1,9 @@ #! /bin/bash chown -R ansadm:ansadm * chmod -R g+rw * +if [ -d playbooks.templates ]; then + echo "protecting templates.local from changing" + chmod -R uog-w templates.local +fi + diff --git a/scripts/build_dkim_text.py b/scripts/build_dkim_text.py new file mode 100755 index 0000000..33e271a --- /dev/null +++ b/scripts/build_dkim_text.py @@ -0,0 +1,17 @@ +#! /usr/bin/python3 +import sys +def main(args): + filename = args[0] + with open(filename, "r") as fp: + lines = fp.read().split('\n') + # 20250419._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " + # "p=MIIBIjANBgkqh...QoSuyvjwoNEUNO" + # "dfsOuTKBzmchQ4Z...c2jwIDAQAB" ) ; ----- DKIM key 20250419 for f-r-e-i.de + info = lines[0].split('"')[1] + info += lines[1].split('"')[1] + info += lines[2].split('"')[1] + print(info) + +if __name__ == '__main__': + #main(["/tmp/example.txt"]) + main(sys.argv[1:]) diff --git a/tasks.templates/t_copy_wildcard.yaml b/tasks.templates/t_copy_wildcard.yaml index 0fd64c7..846ccbe 100644 --- a/tasks.templates/t_copy_wildcard.yaml +++ b/tasks.templates/t_copy_wildcard.yaml @@ -5,7 +5,7 @@ # - dest_dir: destination directory # - pattern: wildcard pattern - name: Copy files matching {{ pattern }} from {{ src_dir }} to {{dest_dir}} - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "{{ dest_dir }}" with_fileglob: diff --git a/tasks.templates/t_dkim.yaml b/tasks.templates/t_dkim.yaml new file mode 100644 index 0000000..0c9aade --- /dev/null +++ b/tasks.templates/t_dkim.yaml @@ -0,0 +1,74 @@ +--- +# Configures DKIM +# needed facts (variables): +# dkim_domains: a list of domains handled by DKIM +# dkim_opendkim_config_dir: normally /etc/opendkim +# dkim_config_ansible.builtin.file: normally /etc/opendkim.conf +# dkim_selector: normally the date yyyymmdd +# dkim_user: the user running opendkim +# dkim_group: the user group running opendkim +# dkim_socket_port: port of the socket of opendkim + + +- name: add user to group postfix + ansible.builtin.user: + name: '{{ dkim_user }}' + groups: postfix + append: yes +- name: ensure existence of /var/spool/postfix/opendkim + ansible.builtin.file: + path: /var/spool/postfix/opendkim + state: directory + recurse: true + owner: "{{ dkim_user }}" + group: "{{ dkim_group }}" + +- name: opendkim directory present + ansible.builtin.file: + path: '{{ dkim_opendkim_config_dir }}/keys' + owner: "{{ dkim_user }}" + state: directory + group: "{{ dkim_group }}" + mode: 0750 + +- name: opendkim trusted.hosts present + ansible.builtin.template: + src: ../templates.local/antispam/trusted.hosts + dest: '{{ dkim_opendkim_config_dir }}/trusted.hosts' + notify: + - restart opendkim + +- name: configure opendkim in {{ dkim_config_file }} + ansible.builtin.copy: + src: ../templates.local/antispam/opendkim.conf + dest: "{{ dkim_config_file }}" + notify: + - restart opendkim + +- name: installing tables + ansible.builtin.template: + src: "../templates.fix/antispam/{{ item }}" + dest: '{{ dkim_opendkim_config_dir }}/{{item}}' + notify: + - restart opendkim + with_items: [key.table, signing.table] + +- name: generate opendkim keys + ansible.builtin.include_tasks: "../tasks/t_dkim_keys.yaml" + loop: "{{ dkim_domains }}" + loop_control: + loop_var: dkim_domain + +- name: ensure opendkim is running + service: + name: opendkim + state: started + enabled: yes +- name: display DNS staff and tests + ansible.builtin.include_tasks: "../tasks/t_dkim_dns.yaml" + loop: "{{ dkim_domains }}" + loop_control: + loop_var: dkim_domain + + +... diff --git a/tasks.templates/t_dkim_dns.yaml b/tasks.templates/t_dkim_dns.yaml new file mode 100644 index 0000000..8b7eb9f --- /dev/null +++ b/tasks.templates/t_dkim_dns.yaml @@ -0,0 +1,31 @@ +--- +# Show the DNS records to configure with dkim publik key +# needed facts (variables): +# dkim_domain: the domain to configure +# dkim_opendkim_config_dir: normally /etc/opendkim +# dkim_selector: normally the date yyyymmdd +- name: store hostname and name of the public key file + ansible.builtin.set_fact: + hostname: "{{ inventory_hostname }}" + public_key: "{{ dkim_opendkim_config_dir }}/keys/{{ dkim_domain }}/{{ dkim_selector }}.txt" +- name: fetch the remote key file to the (local) control host + fetch: + src: "{{ public_key }}" + dest: "/tmp" +- name: start the local script to find out the related info + script: "../scripts/build_dkim_text.py /tmp/{{ hostname }}{{ public_key }}" + register: dns_text + delegate_to: localhost +- name: display DKIM public key DNS record + debug: + msg: + - "#=============================================" + - "zone: {{ dkim_selector }}._domainkey.{{ dkim_domain }}" + - "type: TXT" + - "content: {{ dns_text.stdout | regex_replace('\n', '')}}" + - "#=============================================" + - "Test:" + - "host -t txt {{ dkim_selector }}._domainkey.{{ dkim_domain }}._domainkey" + - "opendkim-testkey -d {{ dkim_domain }} -s {{ dkim_selector }} -vvv" + - "#=============================================" +... diff --git a/tasks.templates/t_dkim_keys.yaml b/tasks.templates/t_dkim_keys.yaml new file mode 100644 index 0000000..ba35e97 --- /dev/null +++ b/tasks.templates/t_dkim_keys.yaml @@ -0,0 +1,34 @@ +--- +## DKIM: Generates a key for a given domain +# dkim_domain: the domain to configure +# dkim_opendkim_config_dir: normally /etc/opendkim +# dkim_selector: normally the date yyyymmdd +# dkim_user: the user running DKIM +# dkim_group: the group running DKIM +# dkim_rsa_keylen: the count of bits of the RSA key + +- name: creates domain's keys directory + file: + path: "{{ dkim_opendkim_config_dir }}/keys/{{ dkim_domain }}" + state: directory + recurse: true + +- name: ensure signing key is present + stat: + path: "{{ dkim_opendkim_config_dir }}/keys/{{ dkim_domain }}/{{ dkim_selector }}.private" + get_checksum: false + register: dkim_key + +- name: generate signing key + command: opendkim-genkey -b {{ dkim_rsa_keylen }} -s {{ dkim_selector }} -d {{ dkim_domain }} -D {{ dkim_opendkim_config_dir }}/keys/{{ dkim_domain }} + when: not dkim_key.stat.exists + notify: + - restart opendkim + +- name: ensure signing key owner + file: + path: "{{ dkim_opendkim_config_dir }}/keys/{{ dkim_domain }}/{{ dkim_selector }}.private" + owner: '{{ dkim_user }}' + group: '{{ dkim_group }}' + +... diff --git a/tasks.templates/t_dmarc.yaml b/tasks.templates/t_dmarc.yaml new file mode 100644 index 0000000..3f016eb --- /dev/null +++ b/tasks.templates/t_dmarc.yaml @@ -0,0 +1,54 @@ +--- +# Configures DMARC +# needed facts (variables): +# dkim_domains: a list of domains handled by DKIM +# dmarc_config_dir: normally /etc/opendmarc +# dmarc_config_file: normally /etc/opendmarc.conf +# dmarc_user: the user running opendmarc +# dmarc_group: the user group running opendmarc + +- name: add user to group postfix + ansible.builtin.user: + name: '{{ dmarc_user }}' + groups: postfix + append: yes +- name: ensure existence of /var/spool/postfix/opendmarc + file: + path: /var/spool/postfix/opendmarc + state: directory + recurse: true + owner: "{{ dmarc_user }}" + group: "{{ dmarc_group }}" + mode: "0750" +- name: configure opendmarc in {{ dmarc_config_file }} + ansible.builtin.copy: + src: ../templates.local/antispam/opendmarc.conf + dest: "{{ dmarc_config_file }}" + notify: + - restart opendmarc +- name: "create configuration directory {{ dmarc_config_dir }}" + ansible.builtin.file: + path: "{{ dmarc_config_dir }}" + state: directory + owner: "{{ dmarc_user }}" + group: "{{ dmarc_group }}" + mode: "0750" + +- name: create ignore.hosts + ansible.builtin.copy: + src: ../templates.local/antispam/ignore.hosts + dest: "{{ dmarc_config_dir }}/ignore.hosts" + notify: + - restart opendmarc +- name: download suffix list + get_url: + url: https://publicsuffix.org/list/public_suffix_list.dat + dest: "{{ dmarc_config_dir }}" + owner: "{{ dmarc_user }}" + group: "{{ dmarc_group }}" +- name: display DNS staff and tests + ansible.builtin.include_tasks: "../tasks/t_dmarc_dns.yaml" + loop: "{{ dkim_domains }}" + loop_control: + loop_var: dkim_domain + diff --git a/tasks.templates/t_dmarc_dns.yaml b/tasks.templates/t_dmarc_dns.yaml new file mode 100644 index 0000000..0bc19ec --- /dev/null +++ b/tasks.templates/t_dmarc_dns.yaml @@ -0,0 +1,17 @@ +--- +# Show the DNS records to configure DMARC +# needed facts (variables): +# dkim_domain: the domain to configure +# dmarc_email_report: receipient email addres for reports +- name: display DMARC public key DNS record + debug: + msg: + - "#=============================================" + - "zone: _dmarc.{{ dkim_domain }}" + - "type: TXT" + - "content: v=DMARC1; p=reje; sp=reje; adkim; aspf; pct=1; rua=mailto:{{ dmarc_email_report }}; ruf=mailto:{{ dmarc_email_report }}; fo=1;" + - "#=============================================" + - "Test:" + - "host -t txt _dmarc.{{ dkim_domain }}" + - "#=============================================" +... diff --git a/tasks.templates/t_link_wildcard.yaml b/tasks.templates/t_link_wildcard.yaml index d9e455a..818c9ed 100644 --- a/tasks.templates/t_link_wildcard.yaml +++ b/tasks.templates/t_link_wildcard.yaml @@ -7,7 +7,7 @@ # - pattern: wildcard pattern - name: Link files matching {{ pattern }} from {{ src_dir }} to {{dest_dir}} #command: ln -s {{ src_relative }}/{{ item | basename}} {{ dest_dir }}/{{ item | basename }} - file: + ansible.builtin.file: src: "{{ src_relative }}/{{ item | basename }}" dest: "{{ dest_dir }}/{{ item | basename }}" state: link diff --git a/tasks.templates/t_nginx_create_site.yaml b/tasks.templates/t_nginx_create_site.yaml index 47efe7d..b64b337 100644 --- a/tasks.templates/t_nginx_create_site.yaml +++ b/tasks.templates/t_nginx_create_site.yaml @@ -31,7 +31,7 @@ when: not force and site_config.stat.exists - name: Create nginx site configuration of {{ domain }} ansible.builtin.template: - src: ../templates/nginx/site.php + src: ../templates.fix/nginx/site.php dest: /etc/nginx/sites-available/{{ domain }} owner: root group: root diff --git a/tasks.templates/t_spf.yaml b/tasks.templates/t_spf.yaml new file mode 100644 index 0000000..bf50d1e --- /dev/null +++ b/tasks.templates/t_spf.yaml @@ -0,0 +1,33 @@ +--- +# Installs the SPF staff for postfix +# needed facts (variables): +# dkim_domains: the list of email domains +- name: intro + debug: + msg: "domains: {{ dkim_domains }}" +- name: Adapt policyd-spf.conf + lineinfile: + dest: /etc/postfix-policyd-spf-python/policyd-spf.conf + regexp: "^{{ item }}\\s*=\\s*Fail" + line: "{{ item }} = False" + notify: + - restart postfix + with_items: [ HELO_reject, Mail_From_reject] +- name: Display DNS configuration + debug: + msg: + - "*************************************************************" + - "zone: {{ item }}" + - "type: TXT" + - "content: 'v=spf1 mx -all' deny other" + - "content: 'v=spf1 mx ~all' allow other" + - "*************************************************************" + with_items: "{{ dkim_domains }}" +- name: Display test command + debug: + msg: + - "*************************************************************" + - "Test it with:" + - "host -t txt {{ item }}" + - "*************************************************************" + with_items: "{{ dkim_domains }}" diff --git a/tasks.templates/t_ssl_create_certificate.yaml b/tasks.templates/t_ssl_create_certificate.yaml index da6eaa0..5d9550c 100644 --- a/tasks.templates/t_ssl_create_certificate.yaml +++ b/tasks.templates/t_ssl_create_certificate.yaml @@ -8,6 +8,6 @@ # - ssl_lifetime: the lifetime of the certificate in days # - ssl_rsa_key_size: the size of the RSA key for the certificate - name: create a ssh-certificate - command: openssl req -x509 -nodes -days {{ssl_lifetime}} -newkey rsa:{{ssl_rsa_key_size}} -keyout /etc/ssl/private/{{domain}}.key -out /etc/ssl/certs/{{domain}}.pem -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{domain}}" + ansible.builtin.command: openssl req -x509 -nodes -days {{ssl_lifetime}} -newkey rsa:{{ssl_rsa_key_size}} -keyout /etc/ssl/private/{{domain}}.key -out /etc/ssl/certs/{{domain}}.pem -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{domain}}" args: creates: /etc/ssl/private/{{domain}}.key diff --git a/tasks.templates/t_webapp_backup.yaml b/tasks.templates/t_webapp_backup.yaml index 2760339..43da64e 100644 --- a/tasks.templates/t_webapp_backup.yaml +++ b/tasks.templates/t_webapp_backup.yaml @@ -6,14 +6,14 @@ # webapp_backup_directory: a local directory which will be syncronized with the web application # webapps_list: the list defined in ../var/webapps.yaml # fetch: true: the file will be fetched to the local machine -- set_fact: +- ansible.builtin.set_fact: db_name: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_name') | first }}" db_user: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_user') | first }}" db_password: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_password') | first }}" document_root: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='directory') | first }}" target_file: "{{ document_root }}/db/{{ webapp_name }}.sql.gz" - name: Dump the database {{ db_name }} into {{ document_root }} - import_tasks: t_webapp_export.yaml + ansible.builtin.import_tasks: t_webapp_export.yaml - name: Synchronize the web application {{ webapp_name }} with {{ webapp_backup_directory }} ansible.posix.synchronize: mode: push diff --git a/tasks.templates/t_webapp_create.yaml b/tasks.templates/t_webapp_create.yaml index a76a6b4..2c40ee5 100644 --- a/tasks.templates/t_webapp_create.yaml +++ b/tasks.templates/t_webapp_create.yaml @@ -9,19 +9,19 @@ # remote_webapps_directory: the access data will be stored there, e.g. /etc/ansknife/webapp.d # local_webapps_directory: the access data will be stored there, e.g. ../webapp.d - name: 'check if the webapp is already defined' - stat: + ansible.builtin.stat: path: "{{remote_webapps_directory}}/{{ webapp_name }}.yaml" register: webapp - name: 'stop if the webapp already defined' - fail: msg="webapp {{ webapp_name }} is already defined" + ansible.builtin.fail: msg="webapp {{ webapp_name }} is already defined" when: webapp.stat.exists - name: 'stop on missing facts' - fail: msg="missing facts! webapp_name, db_name, db_user, db_password. Use -e webapp_name=..., -e db_name=..., -e db_user=..., -e db_password=..." + ansible.builtin.fail: msg="missing facts! webapp_name, db_name, db_user, db_password. Use -e webapp_name=..., -e db_name=..., -e db_user=..., -e db_password=..." when: webapp_name is not defined or db_name is not defined or db_user is not defined or db_password is not defined - name: Create the database {{db_name}} and db user {{db_user}} - import_tasks: ../tasks/t_mysql_create_db_and_user.yaml + ansible.builtin.import_tasks: ../tasks/t_mysql_create_db_and_user.yaml - name: Store data in remote configuration file - copy: + ansible.builtin.copy: content: | db_name={{ db_name }} db_user={{ db_user }} diff --git a/tasks.templates/t_webapp_export.yaml b/tasks.templates/t_webapp_export.yaml index 0f18699..81eee15 100644 --- a/tasks.templates/t_webapp_export.yaml +++ b/tasks.templates/t_webapp_export.yaml @@ -23,7 +23,7 @@ single_transaction: true pipefail: "{{ compressed }}" - name: Fetch the database dump {{ target_file }} to local machine - fetch: + ansible.builtin.fetch: src: "{{ remote_file }}" dest: "{{ target_file }}" flat: true diff --git a/templates.fix/antispam/key.table b/templates.fix/antispam/key.table new file mode 100644 index 0000000..58d41bc --- /dev/null +++ b/templates.fix/antispam/key.table @@ -0,0 +1,3 @@ +{% for domain in dkim_domains %} +{{ dkim_selector }}._domainkey.{{ domain }} {{ domain }}:{{ dkim_selector }}:/etc/opendkim/keys/{{ domain }}/{{ dkim_selector }}.private +{% endfor %} diff --git a/templates.fix/antispam/signing.table b/templates.fix/antispam/signing.table new file mode 100644 index 0000000..f7d5949 --- /dev/null +++ b/templates.fix/antispam/signing.table @@ -0,0 +1,3 @@ +{% for domain in dkim_domains %} +*@{{ domain }} {{ dkim_selector }}._domainkey.{{ domain }} +{% endfor %} diff --git a/templates.fix/nginx/hi1.txt b/templates.fix/nginx/hi1.txt new file mode 100644 index 0000000..877acc4 --- /dev/null +++ b/templates.fix/nginx/hi1.txt @@ -0,0 +1 @@ +Hi 1! diff --git a/templates.fix/nginx/hi2.txt b/templates.fix/nginx/hi2.txt new file mode 100644 index 0000000..e42aa2a --- /dev/null +++ b/templates.fix/nginx/hi2.txt @@ -0,0 +1 @@ +Hi 2! diff --git a/templates.fix/nginx/index.html b/templates.fix/nginx/index.html new file mode 100644 index 0000000..0e0cbca --- /dev/null +++ b/templates.fix/nginx/index.html @@ -0,0 +1,5 @@ + + +

Welcome to {{hostname}}!

+ \ No newline at end of file diff --git a/templates.fix/nginx/index.php b/templates.fix/nginx/index.php new file mode 100644 index 0000000..bfd863b --- /dev/null +++ b/templates.fix/nginx/index.php @@ -0,0 +1,2 @@ + resources/.vaults +# Creation of the encrypted vault file: +# ansible-vault encrypt_string --vault-password-file resources/.vault --name 'vault_dba_password' --stdin-name 'vault_dba_password' | tee var/vault_db.yaml +# Find the password file: ANSIBLE_VAULT_PASSWORD_FILE=resources/.vault +dba_name: dba +dba_password: "{{ vault_dba_password }}" \ No newline at end of file diff --git a/templates.fix/var/dkim.yaml b/templates.fix/var/dkim.yaml new file mode 100644 index 0000000..c61e6f3 --- /dev/null +++ b/templates.fix/var/dkim.yaml @@ -0,0 +1,8 @@ +--- +dkim_domains: ["example.com"] +dkim_opendkim_config_dir: /etc/opendkim +dkim_config_file: /etc/opendkim.conf +dkim_selector: "email" +dkim_user: opendkim +dkim_group: opendkim + diff --git a/templates.fix/var/php.yaml b/templates.fix/var/php.yaml new file mode 100644 index 0000000..5bc552c --- /dev/null +++ b/templates.fix/var/php.yaml @@ -0,0 +1,44 @@ +--- +# php.yaml: +# Defines variables for the PHP role. +# This file is used to set up the PHP environment and configuration. +# needed variables: PHP_VERS + +php_packages: + - php{{PHP_VERS}}-common + - php{{PHP_VERS}}-curl + - php{{PHP_VERS}}-fpm + - php{{PHP_VERS}}-gd + - php{{PHP_VERS}}-igbinary + - php{{PHP_VERS}}-imagick + - php{{PHP_VERS}}-imap + - php{{PHP_VERS}}-intl + - php{{PHP_VERS}}-mbstring + - php{{PHP_VERS}}-memcached + - php{{PHP_VERS}}-msgpack + - php{{PHP_VERS}}-mysql + - php{{PHP_VERS}}-opcache + - php{{PHP_VERS}}-phpdbg + - php{{PHP_VERS}}-readline + - php{{PHP_VERS}}-redis + - php{{PHP_VERS}}-xdebug + - php{{PHP_VERS}}-xml + - php{{PHP_VERS}}-zip +php_additional_packages: + - redis-server + - imagemagick + +php_ini_settings: + - { section: "DEFAULT", option: "memory_limit", value: "512M" } + - { section: "DEFAULT", option: "upload_max_filesize", value: "512M" } + - { section: "DEFAULT", option: "max_file_uploads", value: 100 } + - { section: "DEFAULT", option: "post_max_size", value: "512M" } + - { section: "DEFAULT", option: "max_execution_time", value: 600 } + - { section: "DEFAULT", option: "max_input_time", value: 600 } + - { section: "DEFAULT", option: "default_socket_timeout", value: 600 } + - { section: "Session", option: "session.save_handler", value: "redis" } + - { section: "Session", option: "session.save_path", value: "tcp://127.0.0.1:6379" } + - { section: "opcache", option: "opcache.enable", value: 1 } + - { section: "opcache", option: "opcache.memory_consumption", value: 512 } + - { section: "opcache", option: "opcache.interned_strings_buffer", value: 256 } + diff --git a/templates.fix/var/ssl-certificate.yaml b/templates.fix/var/ssl-certificate.yaml new file mode 100644 index 0000000..cdef775 --- /dev/null +++ b/templates.fix/var/ssl-certificate.yaml @@ -0,0 +1,9 @@ +--- +# "/C=DE/ST=NRW/L=Bochum/O=IT/CN={{hostname}}" +ssl_country: DE +ssl_state: Bavaria +ssl_locality: Kempten +ssl_organization: 'Gemeinwohl-Gesellschaft e.V.' +ssl_lifetime: 365 +ssl_rsa_key_size: 2048 + diff --git a/templates.fix/var/vault_db.yaml b/templates.fix/var/vault_db.yaml new file mode 100644 index 0000000..5241a79 --- /dev/null +++ b/templates.fix/var/vault_db.yaml @@ -0,0 +1 @@ +vault_dba_password: TopSecret \ No newline at end of file diff --git a/templates.fix/var/webapps.yaml b/templates.fix/var/webapps.yaml new file mode 100644 index 0000000..4825c48 --- /dev/null +++ b/templates.fix/var/webapps.yaml @@ -0,0 +1,6 @@ +webapps_list: + - dummy + db_name: dbdummy5 + db_user: dummy5 + db_password: NeverKnown5 + directory: /srv/www/myapp5.example.com diff --git a/templates.local/antispam/opendkim.conf b/templates.local/antispam/opendkim.conf new file mode 100644 index 0000000..61329f8 --- /dev/null +++ b/templates.local/antispam/opendkim.conf @@ -0,0 +1,20 @@ +# normally no need for changes +UserID opendkim:opendkim +UMask 002 +PidFile /var/run/opendkim/opendkim.pid +SOCKET local:/var/spool/postfix/opendkim/opendkim.sock +Mode sv +Domain * +#Selector mail +Canonicalization relaxed/relaxed +SignatureAlgorithm rsa-sha256 +OversignHeaders From +AutoRestart yes +AutoRestartRate 10/1h +SigningTable refile:/etc/opendkim/signing.table +KeyTable /etc/opendkim/key.table +ExternalIgnoreList refile:/etc/opendkim/trusted.hosts +InternalHosts refile:/etc/opendkim/trusted.hosts +Syslog yes +SyslogSuccess yes +LogWhy yes diff --git a/templates.local/antispam/trusted.hosts b/templates.local/antispam/trusted.hosts new file mode 100644 index 0000000..3f4908e --- /dev/null +++ b/templates.local/antispam/trusted.hosts @@ -0,0 +1,3 @@ +127.0.0.1 +::1 +localhost \ No newline at end of file diff --git a/templates.local/nginx/http.conf b/templates.local/nginx/http.conf new file mode 100644 index 0000000..0eed601 --- /dev/null +++ b/templates.local/nginx/http.conf @@ -0,0 +1,9 @@ +client_max_body_size 512M; +## Detect when HTTPS is used +map $scheme $fastcgi_https { + default off; + https on; +} +fastcgi_read_timeout 3600s; +fastcgi_request_buffering off; +error_log /var/log/nginx/error.log; diff --git a/templates.local/postfix/aliases b/templates.local/postfix/aliases new file mode 100644 index 0000000..2d4e090 --- /dev/null +++ b/templates.local/postfix/aliases @@ -0,0 +1,9 @@ +# ansible controlled: do not change manually on remote server! +# +postmaster: root +devnull: /dev/null +mailer-daemon: root +webmaster: root +www: root +security: root +root: root.nest1@hamatoma.de diff --git a/templates.local/postfix/email_forwarding/main.cf b/templates.local/postfix/email_forwarding/main.cf new file mode 100644 index 0000000..c6f17d2 --- /dev/null +++ b/templates.local/postfix/email_forwarding/main.cf @@ -0,0 +1,31 @@ +myorigin = /etc/mailname +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +append_dot_mydomain = no +#delay_warning_time = 4h +readme_directory = no +compatibility_level = 3.6 + + +smtpd_tls_cert_file=/etc/letsencrypt/live/{{ postfix_host }}/fullchain.pem +smtpd_tls_key_file=/etc/letsencrypt/live/{{ postfix_host }}/privkey.pem +#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_tls_security_level=may + +smtp_tls_CApath=/etc/ssl/certs +smtp_tls_security_level=may +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +myhostname = nest1.gemeinwohl-gesellschaft.de +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = $myhostname, localhost.{{ postfix_domain }}, , localhost +relayhost = +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = all diff --git a/templates.local/postfix/email_forwarding/master.cf b/templates.local/postfix/email_forwarding/master.cf new file mode 100644 index 0000000..fd0d581 --- /dev/null +++ b/templates.local/postfix/email_forwarding/master.cf @@ -0,0 +1,137 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +# Choose one: enable submission for loopback clients only, or for any client. +#127.0.0.1:submission inet n - y - - smtpd +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +# Choose one: enable submissions for loopback clients only, or for any client. +#127.0.0.1:submissions inet n - y - - smtpd +#submissions inet n - y - - smtpd +# -o syslog_name=postfix/submissions +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +postlog unix-dgram n - n - 1 postlogd +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} diff --git a/templates.local/postfix/send_only/main.cf b/templates.local/postfix/send_only/main.cf new file mode 100644 index 0000000..c6f17d2 --- /dev/null +++ b/templates.local/postfix/send_only/main.cf @@ -0,0 +1,31 @@ +myorigin = /etc/mailname +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +append_dot_mydomain = no +#delay_warning_time = 4h +readme_directory = no +compatibility_level = 3.6 + + +smtpd_tls_cert_file=/etc/letsencrypt/live/{{ postfix_host }}/fullchain.pem +smtpd_tls_key_file=/etc/letsencrypt/live/{{ postfix_host }}/privkey.pem +#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_tls_security_level=may + +smtp_tls_CApath=/etc/ssl/certs +smtp_tls_security_level=may +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +myhostname = nest1.gemeinwohl-gesellschaft.de +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = $myhostname, localhost.{{ postfix_domain }}, , localhost +relayhost = +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = all diff --git a/templates.local/postfix/send_only/master.cf b/templates.local/postfix/send_only/master.cf new file mode 100644 index 0000000..fd0d581 --- /dev/null +++ b/templates.local/postfix/send_only/master.cf @@ -0,0 +1,137 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +# Choose one: enable submission for loopback clients only, or for any client. +#127.0.0.1:submission inet n - y - - smtpd +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +# Choose one: enable submissions for loopback clients only, or for any client. +#127.0.0.1:submissions inet n - y - - smtpd +#submissions inet n - y - - smtpd +# -o syslog_name=postfix/submissions +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +postlog unix-dgram n - n - 1 postlogd +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} diff --git a/templates.local/postfix/virtual b/templates.local/postfix/virtual new file mode 100644 index 0000000..771d803 --- /dev/null +++ b/templates.local/postfix/virtual @@ -0,0 +1,6 @@ +root {{ postfix_receipient_email }} +webmaster {{ postfix_receipient_email }} +#ada ada@miller.com +#all@example.com jonny@miller.com ada@miller.com +#@example.com info@miller.com + diff --git a/templates.local/readme.txt b/templates.local/readme.txt new file mode 100644 index 0000000..bb20bd9 --- /dev/null +++ b/templates.local/readme.txt @@ -0,0 +1,2 @@ +Objective: This directory contains templates that are specific to the project and must be adapted for each project. +Therefore, the files may only be copied into the project, not linked. diff --git a/templates/nginx/hi1.txt b/templates/nginx/hi1.txt deleted file mode 100644 index 877acc4..0000000 --- a/templates/nginx/hi1.txt +++ /dev/null @@ -1 +0,0 @@ -Hi 1! diff --git a/templates/nginx/hi2.txt b/templates/nginx/hi2.txt deleted file mode 100644 index e42aa2a..0000000 --- a/templates/nginx/hi2.txt +++ /dev/null @@ -1 +0,0 @@ -Hi 2! diff --git a/templates/nginx/http.conf b/templates/nginx/http.conf deleted file mode 100644 index 0eed601..0000000 --- a/templates/nginx/http.conf +++ /dev/null @@ -1,9 +0,0 @@ -client_max_body_size 512M; -## Detect when HTTPS is used -map $scheme $fastcgi_https { - default off; - https on; -} -fastcgi_read_timeout 3600s; -fastcgi_request_buffering off; -error_log /var/log/nginx/error.log; diff --git a/templates/nginx/index.html b/templates/nginx/index.html deleted file mode 100644 index 0e0cbca..0000000 --- a/templates/nginx/index.html +++ /dev/null @@ -1,5 +0,0 @@ - - -

Welcome to {{hostname}}!

- \ No newline at end of file diff --git a/templates/nginx/index.php b/templates/nginx/index.php deleted file mode 100644 index bfd863b..0000000 --- a/templates/nginx/index.php +++ /dev/null @@ -1,2 +0,0 @@ - resources/.vaults -# Creation of the encrypted vault file: -# ansible-vault encrypt_string --vault-password-file resources/.vault --name 'vault_dba_password' --stdin-name 'vault_dba_password' | tee var/vault_db.yaml -# Find the password file: ANSIBLE_VAULT_PASSWORD_FILE=resources/.vault -dba_name: dba -dba_password: "{{ vault_dba_password }}" \ No newline at end of file diff --git a/templates/var/php.yaml b/templates/var/php.yaml deleted file mode 100644 index 5bc552c..0000000 --- a/templates/var/php.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# php.yaml: -# Defines variables for the PHP role. -# This file is used to set up the PHP environment and configuration. -# needed variables: PHP_VERS - -php_packages: - - php{{PHP_VERS}}-common - - php{{PHP_VERS}}-curl - - php{{PHP_VERS}}-fpm - - php{{PHP_VERS}}-gd - - php{{PHP_VERS}}-igbinary - - php{{PHP_VERS}}-imagick - - php{{PHP_VERS}}-imap - - php{{PHP_VERS}}-intl - - php{{PHP_VERS}}-mbstring - - php{{PHP_VERS}}-memcached - - php{{PHP_VERS}}-msgpack - - php{{PHP_VERS}}-mysql - - php{{PHP_VERS}}-opcache - - php{{PHP_VERS}}-phpdbg - - php{{PHP_VERS}}-readline - - php{{PHP_VERS}}-redis - - php{{PHP_VERS}}-xdebug - - php{{PHP_VERS}}-xml - - php{{PHP_VERS}}-zip -php_additional_packages: - - redis-server - - imagemagick - -php_ini_settings: - - { section: "DEFAULT", option: "memory_limit", value: "512M" } - - { section: "DEFAULT", option: "upload_max_filesize", value: "512M" } - - { section: "DEFAULT", option: "max_file_uploads", value: 100 } - - { section: "DEFAULT", option: "post_max_size", value: "512M" } - - { section: "DEFAULT", option: "max_execution_time", value: 600 } - - { section: "DEFAULT", option: "max_input_time", value: 600 } - - { section: "DEFAULT", option: "default_socket_timeout", value: 600 } - - { section: "Session", option: "session.save_handler", value: "redis" } - - { section: "Session", option: "session.save_path", value: "tcp://127.0.0.1:6379" } - - { section: "opcache", option: "opcache.enable", value: 1 } - - { section: "opcache", option: "opcache.memory_consumption", value: 512 } - - { section: "opcache", option: "opcache.interned_strings_buffer", value: 256 } - diff --git a/templates/var/postfix.yaml b/templates/var/postfix.yaml deleted file mode 100644 index a06f19c..0000000 --- a/templates/var/postfix.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# postfix.yaml: -# Defines variables for the postfix configuration. -# Needed facts (variables): -# - postfix_domain: The full qualified name of the postfix server. -postfix_configuration: - - alias_database: "hash:/etc/aliases" - - alias_maps: "hash:/etc/aliases" - - append_dot_mydomain: no - - biff: no - - compatibility_level: 2 - - inet_interfaces: all - - inet_protocols: all - - mailbox_size_limit: 0 - - mydestination: $myhostname, {{ postfix_domain }}, ,localhost - - myhostname: "{{ postfix_domain }}" - - mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 - - myorigin: /etc/mailname - - readme_directory: no - - recipient_delimiter: + - - relayhost: "" - - smtpd_banner: $myhostname ESMTP $mail_name (Debian/GNU) - - smtpd_relay_restrictions: permit_mynetworks permit_sasl_authenticated defer_unauth_destination - - smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem - - smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key - - smtpd_tls_security_level: may - - smtp_tls_CApath: /etc/ssl/certs - - smtp_tls_security_level: may - - smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache -postfix_recipient_email: jonny@example.com diff --git a/templates/var/ssl-certificate.yaml b/templates/var/ssl-certificate.yaml deleted file mode 100644 index cdef775..0000000 --- a/templates/var/ssl-certificate.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# "/C=DE/ST=NRW/L=Bochum/O=IT/CN={{hostname}}" -ssl_country: DE -ssl_state: Bavaria -ssl_locality: Kempten -ssl_organization: 'Gemeinwohl-Gesellschaft e.V.' -ssl_lifetime: 365 -ssl_rsa_key_size: 2048 - diff --git a/templates/var/vault_db.yaml b/templates/var/vault_db.yaml deleted file mode 100644 index 5241a79..0000000 --- a/templates/var/vault_db.yaml +++ /dev/null @@ -1 +0,0 @@ -vault_dba_password: TopSecret \ No newline at end of file diff --git a/templates/var/webapps.yaml b/templates/var/webapps.yaml deleted file mode 100644 index 4825c48..0000000 --- a/templates/var/webapps.yaml +++ /dev/null @@ -1,6 +0,0 @@ -webapps_list: - - dummy - db_name: dbdummy5 - db_user: dummy5 - db_password: NeverKnown5 - directory: /srv/www/myapp5.example.com