From d04968ba6186c46f77e04664428e5f4d5ec5d5ab Mon Sep 17 00:00:00 2001 From: Hamatoma Date: Wed, 23 Apr 2025 08:46:02 +0200 Subject: [PATCH] Important refactoring and improvements --- .stdusr | 1 + playbooks.templates/i_10_basic.yaml | 46 +++--- playbooks.templates/i_20_nginx.yaml | 38 ++--- playbooks.templates/i_30_mariadb.yaml | 4 +- playbooks.templates/i_40_php8.2.yaml | 6 +- playbooks.templates/i_60_postfix.yaml | 18 ++- playbooks.templates/i_62_postfix_dkim.yaml | 38 +++++ playbooks.templates/i_99_test.yaml | 10 +- playbooks/create_project.yaml | 59 +++++--- scripts.templates/SetRights | 5 + scripts/build_dkim_text.py | 17 +++ tasks.templates/t_copy_wildcard.yaml | 2 +- tasks.templates/t_dkim.yaml | 74 ++++++++++ tasks.templates/t_dkim_dns.yaml | 31 ++++ tasks.templates/t_dkim_keys.yaml | 34 +++++ tasks.templates/t_dmarc.yaml | 54 +++++++ tasks.templates/t_dmarc_dns.yaml | 17 +++ tasks.templates/t_link_wildcard.yaml | 2 +- tasks.templates/t_nginx_create_site.yaml | 2 +- tasks.templates/t_spf.yaml | 33 +++++ tasks.templates/t_ssl_create_certificate.yaml | 2 +- tasks.templates/t_webapp_backup.yaml | 4 +- tasks.templates/t_webapp_create.yaml | 10 +- tasks.templates/t_webapp_export.yaml | 2 +- templates.fix/antispam/key.table | 3 + templates.fix/antispam/signing.table | 3 + {templates => templates.fix}/nginx/hi1.txt | 0 {templates => templates.fix}/nginx/hi2.txt | 0 {templates => templates.fix}/nginx/index.html | 0 {templates => templates.fix}/nginx/index.php | 0 .../nginx/letsencrypt.conf | 2 +- {templates => templates.fix}/nginx/site.php | 0 {templates => templates.fix}/nginx/test.site | 0 templates.fix/readme.txt | 2 + {templates => templates.fix}/var/common.yaml | 1 + {templates => templates.fix}/var/db.yaml | 0 templates.fix/var/dkim.yaml | 8 + {templates => templates.fix}/var/php.yaml | 0 .../var/ssl-certificate.yaml | 0 .../var/vault_db.yaml | 0 {templates => templates.fix}/var/webapps.yaml | 0 templates.local/antispam/opendkim.conf | 20 +++ templates.local/antispam/trusted.hosts | 3 + .../nginx/http.conf | 0 templates.local/postfix/aliases | 9 ++ .../postfix/email_forwarding/main.cf | 31 ++++ .../postfix/email_forwarding/master.cf | 137 ++++++++++++++++++ templates.local/postfix/send_only/main.cf | 31 ++++ templates.local/postfix/send_only/master.cf | 137 ++++++++++++++++++ .../postfix/virtual | 0 templates.local/readme.txt | 2 + templates/var/postfix.yaml | 29 ---- 52 files changed, 805 insertions(+), 122 deletions(-) create mode 100644 .stdusr create mode 100644 playbooks.templates/i_62_postfix_dkim.yaml create mode 100755 scripts/build_dkim_text.py create mode 100644 tasks.templates/t_dkim.yaml create mode 100644 tasks.templates/t_dkim_dns.yaml create mode 100644 tasks.templates/t_dkim_keys.yaml create mode 100644 tasks.templates/t_dmarc.yaml create mode 100644 tasks.templates/t_dmarc_dns.yaml create mode 100644 tasks.templates/t_spf.yaml create mode 100644 templates.fix/antispam/key.table create mode 100644 templates.fix/antispam/signing.table rename {templates => templates.fix}/nginx/hi1.txt (100%) rename {templates => templates.fix}/nginx/hi2.txt (100%) rename {templates => templates.fix}/nginx/index.html (100%) rename {templates => templates.fix}/nginx/index.php (100%) rename {templates => templates.fix}/nginx/letsencrypt.conf (90%) rename {templates => templates.fix}/nginx/site.php (100%) rename {templates => templates.fix}/nginx/test.site (100%) create mode 100644 templates.fix/readme.txt rename {templates => templates.fix}/var/common.yaml (79%) rename {templates => templates.fix}/var/db.yaml (100%) create mode 100644 templates.fix/var/dkim.yaml rename {templates => templates.fix}/var/php.yaml (100%) rename {templates => templates.fix}/var/ssl-certificate.yaml (100%) rename {templates => templates.fix}/var/vault_db.yaml (100%) rename {templates => templates.fix}/var/webapps.yaml (100%) create mode 100644 templates.local/antispam/opendkim.conf create mode 100644 templates.local/antispam/trusted.hosts rename {templates => templates.local}/nginx/http.conf (100%) create mode 100644 templates.local/postfix/aliases create mode 100644 templates.local/postfix/email_forwarding/main.cf create mode 100644 templates.local/postfix/email_forwarding/master.cf create mode 100644 templates.local/postfix/send_only/main.cf create mode 100644 templates.local/postfix/send_only/master.cf rename {templates => templates.local}/postfix/virtual (100%) create mode 100644 templates.local/readme.txt delete mode 100644 templates/var/postfix.yaml diff --git a/.stdusr b/.stdusr new file mode 100644 index 0000000..f0b4160 --- /dev/null +++ b/.stdusr @@ -0,0 +1 @@ +STD_USER=wk diff --git a/playbooks.templates/i_10_basic.yaml b/playbooks.templates/i_10_basic.yaml index d806556..2530b6e 100644 --- a/playbooks.templates/i_10_basic.yaml +++ b/playbooks.templates/i_10_basic.yaml @@ -1,57 +1,57 @@ --- - +# Ansible playbook to prepare the system for a standarized server - hosts: all vars: hostname: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+')}}" tasks: - name: Prepare /media/trg directory - file: path=/media/trg state=directory + ansible.builtin.file: path=/media/trg state=directory - name: Prepare /media/tmp directory - file: path=/media/trg state=directory + ansible.builtin.file: path=/media/trg state=directory - name: Prepare /media/fs.cave directory - file: path=/media/fs.cave state=directory + ansible.builtin.file: path=/media/fs.cave state=directory - name: Prepare /media/fs.sys directory - file: path=/media/fs.sys state=directory + ansible.builtin.file: path=/media/fs.sys state=directory - name: Prepare /usr/local/bin directory - file: path=/usr/local/bin state=directory + ansible.builtin.file: path=/usr/local/bin state=directory - name: Prepare /usr/local/bin/local directory - file: path=/usr/local/bin/local state=directory + ansible.builtin.file: path=/usr/local/bin/local state=directory - name: Prepare /usr/share/pyrshell directory - file: path=/usr/share/pyrshell state=directory + ansible.builtin.file: path=/usr/share/pyrshell state=directory - name: Symbolic link to local directory - file: src=/usr/local/bin/local dest=/usr/local/bin/{{hostname}} state=link + ansible.builtin.file: src=/usr/local/bin/local dest=/usr/local/bin/{{hostname}} state=link - name: Unpack a tar into /usr/local/bin/local unarchive: src=../resources/needed.tgz dest=/usr/local/bin - name: Symbolic link to /p - file: src=/usr/local/bin/std.profile dest=/p state=link + ansible.builtin.file: src=/usr/local/bin/std.profile dest=/p state=link - name: Unpack a tar into /usr/share/pyrshell unarchive: src=../resources/rsh.tgz dest=/usr/share/pyrshell - name: Create user bupsrv - user: name=bupsrv state=present uid=201 + ansible.builtin.user: name=bupsrv state=present uid=201 - name: Create user bupsupply - user: name=bupsupply state=present uid=202 + ansible.builtin.user: name=bupsupply state=present uid=202 - name: Create ssh directory for bupsupply - file: path=/home/bupsupply/.ssh state=directory group=bupsupply owner=bupsupply mode=0700 + ansible.builtin.file: path=/home/bupsupply/.ssh state=directory group=bupsupply owner=bupsupply mode=0700 - name: Create authorized_keys for bupsupply - file: path=/home/bupsupply/.ssh/authorized_keys state=touch group=bupsupply owner=bupsupply mode=0600 + ansible.builtin.file: path=/home/bupsupply/.ssh/authorized_keys state=touch group=bupsupply owner=bupsupply mode=0600 - name: Create user bupwiki - user: name=bupwiki state=present uid=203 + ansible.builtin.user: name=bupwiki state=present uid=203 - name: Create user buptmp - user: name=buptmp state=present uid=204 + ansible.builtin.user: name=buptmp state=present uid=204 - name: Create ssh directory for buptmp - file: path=/home/buptmp/.ssh state=directory group=buptmp owner=buptmp mode=0700 + ansible.builtin.file: path=/home/buptmp/.ssh state=directory group=buptmp owner=buptmp mode=0700 - name: Create authorized_keys for buptmp - file: path=/home/buptmp/.ssh/authorized_keys state=touch group=buptmp owner=buptmp mode=0600 + ansible.builtin.file: path=/home/buptmp/.ssh/authorized_keys state=touch group=buptmp owner=buptmp mode=0600 - name: Create user extdata - user: name=extdata state=present uid=211 + ansible.builtin.user: name=extdata state=present uid=211 - name: Create user extcloud - user: name=extcloud state=present uid=212 + ansible.builtin.user: name=extcloud state=present uid=212 - name: Create user extbup - user: name=extbup state=present uid=213 + ansible.builtin.user: name=extbup state=present uid=213 - name: Create configuration directory - file: path=/etc/config state=directory mode=0700 + ansible.builtin.file: path=/etc/config state=directory mode=0700 - name: Create webapp.d - file: path=/etc/config/webapps.d state=directory mode=0700 + ansible.builtin.file: path=/etc/config/webapps.d state=directory mode=0700 - name: install standard packages apt: name: "{{ item }}" diff --git a/playbooks.templates/i_20_nginx.yaml b/playbooks.templates/i_20_nginx.yaml index 188c31e..3124ba9 100644 --- a/playbooks.templates/i_20_nginx.yaml +++ b/playbooks.templates/i_20_nginx.yaml @@ -8,54 +8,54 @@ hostname: "{{ inventory_hostname }}" log_name: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+') }}" vars_files: + - ../var/common.yaml - ../var/ssl-certificate.yaml tasks: - name: Install nginx - apt: + ansible.builtin.apt: name: nginx state: latest update_cache: yes - name: Prepare letsencrypt home directory - file: path=/home/www/letsencrypt/.well-known/acme-challenge state=directory + ansible.builtin.file: path=/srv/www/letsencrypt/.well-known/acme-challenge state=directory - name: Add test file1 - copy: src=../templates/nginx/hi1.txt dest=/home/www/letsencrypt/.well-known/ + ansible.builtin.copy: src=../templates.fix/nginx/hi1.txt dest=/srv/www/letsencrypt/.well-known/ - name: Add test file2 - copy: src=../templates/nginx/hi2.txt dest=/home/www/letsencrypt/.well-known/acme-challenge/hi2.txt + ansible.builtin.copy: src=../templates.fix/nginx/hi2.txt dest=/srv/www/letsencrypt/.well-known/acme-challenge/hi2.txt - name: Prepare letsencrypt - copy: - src: ../templates/nginx/letsencrypt.conf + ansible.builtin.copy: + src: ../templates.fix/nginx/letsencrypt.conf dest: /etc/nginx/snippets - name: add HTTP-variables - copy: - src: ../templates/nginx/http.conf + ansible.builtin.copy: + src: ../templates.local/nginx/http.conf dest: /etc/nginx/snippets - name: create a www directory - file: path=/home/www state=directory owner=root group=www-data - + ansible.builtin.file: path={{ remote_www_directory }} state=directory owner=root group=www-data - name: create the /srv/www link - file: src=/home/www dest=/srv/www state=link + ansible.builtin.file: src={{ remote_www_directory }} dest=/srv/www state=link - name: Ensure nginx is running - systemd: + ansible.builtin.systemd: name: nginx state: started enabled: yes - name: create a test virtual hosts - template: - src: ../templates/nginx/test.site + ansible.builtin.template: + src: ../templates.fix/nginx/test.site dest: /etc/nginx/sites-available/{{hostname}} - name: activate by link in sites-enabled - file: + ansible.builtin.file: src: /etc/nginx/sites-available/{{hostname}} dest: /etc/nginx/sites-enabled/{{hostname}} state: link - name: create a ssh-certificate - command: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/{{hostname}}.key -out /etc/ssl/certs/{{hostname}}.pem -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{hostname}}" + ansible.builtin.command: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/{{hostname}}.key -out /etc/ssl/certs/{{hostname}}.pem -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{hostname}}" args: creates: /etc/ssl/private/{{hostname}}.key - name: create a document root - file: dest=/srv/www/{{hostname}} state=directory owner=www-data group=www-data + ansible.builtin.file: dest=/srv/www/{{hostname}} state=directory owner=www-data group=www-data - name: create a test index.html - template: src=../templates/nginx/index.html dest=/srv/www/{{hostname}}/index.html + template: src=../templates.fix/nginx/index.html dest=/srv/www/{{hostname}}/index.html - name: create a test index.php - copy: src=../templates/nginx/index.php dest=/srv/www/{{hostname}}/index.php + ansible.builtin.copy: src=../templates.fix/nginx/index.php dest=/srv/www/{{hostname}}/index.php diff --git a/playbooks.templates/i_30_mariadb.yaml b/playbooks.templates/i_30_mariadb.yaml index cc81299..fc72983 100644 --- a/playbooks.templates/i_30_mariadb.yaml +++ b/playbooks.templates/i_30_mariadb.yaml @@ -3,8 +3,8 @@ - name: Install mariadb ansible.builtin.apt: name: - - mariadb-server - - python3-mysqldb + - "mariadb-server" + - "python3-mysqldb" state: latest update_cache: yes - name: Ensure mariadb is running diff --git a/playbooks.templates/i_40_php8.2.yaml b/playbooks.templates/i_40_php8.2.yaml index 0d95ebd..2f7956b 100644 --- a/playbooks.templates/i_40_php8.2.yaml +++ b/playbooks.templates/i_40_php8.2.yaml @@ -5,19 +5,19 @@ - ../var/php.yaml pre_tasks: - name: - apt: + ansible.builtin.apt: name: gpg state: present update_cache: true - name: add packages.sury.org (Debian case) block: - name: add gpg repo key - apt_key: + ansible.builtin.apt_key: url: 'https://packages.sury.org/php/apt.gpg' state: present - name: add apt repo - apt_repository: + ansible.builtin.apt_repository: repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release|lower }} main' state: present filename: php diff --git a/playbooks.templates/i_60_postfix.yaml b/playbooks.templates/i_60_postfix.yaml index 32f997d..eb4aeae 100644 --- a/playbooks.templates/i_60_postfix.yaml +++ b/playbooks.templates/i_60_postfix.yaml @@ -18,8 +18,8 @@ - postfix - mailutils - name: build the main.cf - copy: - src: "../resources/postfix/{{ item }}" + ansible.builtin.copy: + src: "../templates.local/postfix/send_only/{{ item }}" dest: "/etc/postfix/{{ item }}" mode: 0640 owner: root @@ -31,7 +31,7 @@ - restart postfix - name: create alias template: - src: "../resources/postfix/aliases" + src: "../templates.local/postfix/aliases" dest: "/etc/aliases" mode: 0640 owner: root @@ -40,17 +40,18 @@ - restart postfix - name: create virtual alias template: - src: "../resources/postfix/virtual" + src: "../templates.local/postfix/virtual" dest: "/etc/postfix/virtual" mode: 0640 owner: root group: root + when: postfix_mode == "email_forwarding" notify: - restart postfix - name: create the mailname file - copy: + ansible.builtin.copy: content: | - {{ postfix_domain }} + {{ postfix_host }} dest: "/etc/mailname" mode: 0644 owner: root @@ -58,7 +59,7 @@ notify: - restart postfix - name: create a script to activate the virtual alias - copy: + ansible.builtin.copy: content: | #! /bin/bash postmap virtual @@ -66,6 +67,7 @@ mode: 0700 owner: root group: root + when: postfix_mode == "email_forwarding" notify: - postalias - name: Ensure postfix is running @@ -81,7 +83,7 @@ - name: postalias shell: postalias /etc/aliases - name: postmap - shell: postalias /etc/postfix/virtual + shell: postmap /etc/postfix/virtual diff --git a/playbooks.templates/i_62_postfix_dkim.yaml b/playbooks.templates/i_62_postfix_dkim.yaml new file mode 100644 index 0000000..195ebae --- /dev/null +++ b/playbooks.templates/i_62_postfix_dkim.yaml @@ -0,0 +1,38 @@ +--- +# Installs the the spam reducing staff for postfix: SPF DKIM DMARYC +# Needed facts (variables): +# - +# Needed role installation: +- hosts: all + vars_files: + - ../var/common.yaml + - ../var/antispam.yaml + tasks: + - name: install the packages + ansible.builtin.package: + name: "{{ item }}" + state: present + with_items: [ postfix-policyd-spf-python, opendkim, opendkim-tools, opendmarc] + # ====== SPF ====== + - name: Configure the SPF staff + ansible.builtin.include_tasks: ../tasks/t_spf_configuration.yaml + # ====== DKIM ====== + - name: Configure the DKIM staff + ansible.builtin.include_tasks: ../tasks/t_dkim.yaml + # ====== DMARC ====== + - name: Configure the DMARC staff + ansible.builtin.include_tasks: ../tasks/t_dmarc.yaml + handlers: + - name: restart opendkim + ansible.builtin.systemd: + name: opendkim + state: restarted + - name: restart opendmarc + ansible.builtin.systemd: + name: opendmarc + state: restarted + - name: restart postfix + ansible.builtin.systemd: + name: postfix + state: restarted + diff --git a/playbooks.templates/i_99_test.yaml b/playbooks.templates/i_99_test.yaml index ec4552f..910626c 100644 --- a/playbooks.templates/i_99_test.yaml +++ b/playbooks.templates/i_99_test.yaml @@ -1,6 +1,6 @@ --- - name: Install and configure with letsencrypt - hosts: all + hosts: localhost become: yes vars: @@ -11,8 +11,14 @@ vars_files: - ../var/webapps.yaml tasks: + - name: Test regexpr + lineinfile: + dest: /tmp/wk.conf + regexp: '^{{ item }}\s*=\s*Fail' + line: "{{ item }} = False" + with_items: [x, y] - name: Test Dateiänderung - copy: + ansible.builtin.copy: content: | Line 1 Line 2 diff --git a/playbooks/create_project.yaml b/playbooks/create_project.yaml index 3ac29f8..71d866d 100644 --- a/playbooks/create_project.yaml +++ b/playbooks/create_project.yaml @@ -1,41 +1,54 @@ --- +# Create a new project directory structure for an Ansible project. +# needed facts (variables) from the commandline: - hosts: localhost - become: yes + become: true tasks: + - name: check if postfix_mode is defined + ansible.builtin.fail: + msg: "The 'postfix_mode' variable is not defined. -e postfix_mode=none|send_only|email_forwarding" + when: postfix_mode is not defined - name: Check if project variable is defined - fail: + ansible.builtin.fail: msg: "The 'project' variable is not defined. -e project=your_project_name" when: project is not defined - name: Prepare base directory for {{ project }} - file: path=../../{{ project }} state=directory + ansible.builtin.file: path=../../{{ project }} state=directory - name: create sub directories for {{ project }} - file: path=../../{{ project }}/{{ item }} state=directory + ansible.builtin.file: path=../../{{ project }}/{{ item }} state=directory with_items: [playbooks, tasks, var, scripts, templates, resources, roles] - name: create the links into the resources directory - file: - src: "../../ansknife/resources/{{ item }}" - dest: "../resources/{{ item }}" + ansible.builtin.file: + src: ../../ansknife/resources/{{ item }}" + dest: "../../{{ project }}/resources/{{ item }}" + force: yes state: link with_items: [needed.tgz, rsh.tgz] - name: create the nginx link into the templates directory - file: + ansible.builtin.file: src: "../../ansknife/templates/nginx" - dest: "../templates/nginx" - state: link - - name: create the postfix link into the templates directory - file: - src: "../../ansknife/templates/postfix" - dest: "../templates/postfix" + dest: "../../{{ project }}/templates/nginx" + force: yes state: link + - name: create the postfix directory in the templates directory + ansible.builtin.file: + path: "../../{{ project }}/resources/postfix" + state: directory + - name: copy the postfix configuration files into the resources directory + ansible.builtin.template: + src: "../templates/postfix/{{ postfix_mode }}/{{ item }}" + dest: "../../{{ project }}/resources/postfix/{{ item }}" + when: postfix_mode != 'none' + with_items: [master.cf, main.cf] - name: Prepare task facts - set_fact: + ansible.builtin.set_fact: src_dir: '../templates/var' dest_dir: "../../{{ project }}/var" pattern: "*.yaml" - name: Copy var.templates - import_tasks: ../tasks.templates/t_copy_wildcard.yaml + ansible.builtin.import_tasks: ../tasks.templates/t_copy_wildcard.yaml - name: Prepare facts for links in playbooks - set_fact: + ansible.builtin.set_fact: src_dir: '../playbooks.templates' src_relative: '../../ansknife/playbooks.templates' dest_dir: "../../{{ project }}/playbooks" @@ -43,13 +56,13 @@ - name: Create links in playbooks import_tasks: ../tasks.templates/t_link_wildcard.yaml - name: Prepare facts for links in tasks - set_fact: + ansible.builtin.set_fact: src_dir: '../tasks.templates' src_relative: '../../ansknife/tasks.templates' dest_dir: "../../{{ project }}/tasks" pattern: "*.yaml" - name: Create links in tasks - import_tasks: ../tasks.templates/t_link_wildcard.yaml + ansible.builtin.import_tasks: ../tasks.templates/t_link_wildcard.yaml - name: Prepare facts for links in scripts set_fact: src_dir: "../scripts.templates" @@ -57,7 +70,7 @@ dest_dir: "../../{{ project }}/scripts" pattern: "*" - name: Create links in scripts - import_tasks: ../tasks.templates/t_link_wildcard.yaml + ansible.builtin.import_tasks: ../tasks.templates/t_link_wildcard.yaml - name: create a README file copy: dest: ../../{{ project }}/README.md @@ -67,13 +80,13 @@ # Description This project defines the software of the server - name: create a CHANGELOG file - copy: + ansible.builtin.copy: dest: ../../{{ project }}/CHANGELOG.md content: | # V0.1.0 - Initial version - name: create a the inventory (host definition) - copy: + ansible.builtin.copy: dest: ../../{{ project }}/inventory content: | [hosts] @@ -84,7 +97,7 @@ ansible_user=ansadm ansible_become=yes - name: create a the ansible configuration file - copy: + ansible.builtin.copy: dest: ../../{{ project }}/ansible.cfg content: | [defaults] diff --git a/scripts.templates/SetRights b/scripts.templates/SetRights index b532e93..c6005fc 100755 --- a/scripts.templates/SetRights +++ b/scripts.templates/SetRights @@ -1,4 +1,9 @@ #! /bin/bash chown -R ansadm:ansadm * chmod -R g+rw * +if [ -d playbooks.templates ]; then + echo "protecting templates.local from changing" + chmod -R uog-w templates.local +fi + diff --git a/scripts/build_dkim_text.py b/scripts/build_dkim_text.py new file mode 100755 index 0000000..33e271a --- /dev/null +++ b/scripts/build_dkim_text.py @@ -0,0 +1,17 @@ +#! /usr/bin/python3 +import sys +def main(args): + filename = args[0] + with open(filename, "r") as fp: + lines = fp.read().split('\n') + # 20250419._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " + # "p=MIIBIjANBgkqh...QoSuyvjwoNEUNO" + # "dfsOuTKBzmchQ4Z...c2jwIDAQAB" ) ; ----- DKIM key 20250419 for f-r-e-i.de + info = lines[0].split('"')[1] + info += lines[1].split('"')[1] + info += lines[2].split('"')[1] + print(info) + +if __name__ == '__main__': + #main(["/tmp/example.txt"]) + main(sys.argv[1:]) diff --git a/tasks.templates/t_copy_wildcard.yaml b/tasks.templates/t_copy_wildcard.yaml index 0fd64c7..846ccbe 100644 --- a/tasks.templates/t_copy_wildcard.yaml +++ b/tasks.templates/t_copy_wildcard.yaml @@ -5,7 +5,7 @@ # - dest_dir: destination directory # - pattern: wildcard pattern - name: Copy files matching {{ pattern }} from {{ src_dir }} to {{dest_dir}} - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "{{ dest_dir }}" with_fileglob: diff --git a/tasks.templates/t_dkim.yaml b/tasks.templates/t_dkim.yaml new file mode 100644 index 0000000..0c9aade --- /dev/null +++ b/tasks.templates/t_dkim.yaml @@ -0,0 +1,74 @@ +--- +# Configures DKIM +# needed facts (variables): +# dkim_domains: a list of domains handled by DKIM +# dkim_opendkim_config_dir: normally /etc/opendkim +# dkim_config_ansible.builtin.file: normally /etc/opendkim.conf +# dkim_selector: normally the date yyyymmdd +# dkim_user: the user running opendkim +# dkim_group: the user group running opendkim +# dkim_socket_port: port of the socket of opendkim + + +- name: add user to group postfix + ansible.builtin.user: + name: '{{ dkim_user }}' + groups: postfix + append: yes +- name: ensure existence of /var/spool/postfix/opendkim + ansible.builtin.file: + path: /var/spool/postfix/opendkim + state: directory + recurse: true + owner: "{{ dkim_user }}" + group: "{{ dkim_group }}" + +- name: opendkim directory present + ansible.builtin.file: + path: '{{ dkim_opendkim_config_dir }}/keys' + owner: "{{ dkim_user }}" + state: directory + group: "{{ dkim_group }}" + mode: 0750 + +- name: opendkim trusted.hosts present + ansible.builtin.template: + src: ../templates.local/antispam/trusted.hosts + dest: '{{ dkim_opendkim_config_dir }}/trusted.hosts' + notify: + - restart opendkim + +- name: configure opendkim in {{ dkim_config_file }} + ansible.builtin.copy: + src: ../templates.local/antispam/opendkim.conf + dest: "{{ dkim_config_file }}" + notify: + - restart opendkim + +- name: installing tables + ansible.builtin.template: + src: "../templates.fix/antispam/{{ item }}" + dest: '{{ dkim_opendkim_config_dir }}/{{item}}' + notify: + - restart opendkim + with_items: [key.table, signing.table] + +- name: generate opendkim keys + ansible.builtin.include_tasks: "../tasks/t_dkim_keys.yaml" + loop: "{{ dkim_domains }}" + loop_control: + loop_var: dkim_domain + +- name: ensure opendkim is running + service: + name: opendkim + state: started + enabled: yes +- name: display DNS staff and tests + ansible.builtin.include_tasks: "../tasks/t_dkim_dns.yaml" + loop: "{{ dkim_domains }}" + loop_control: + loop_var: dkim_domain + + +... diff --git a/tasks.templates/t_dkim_dns.yaml b/tasks.templates/t_dkim_dns.yaml new file mode 100644 index 0000000..8b7eb9f --- /dev/null +++ b/tasks.templates/t_dkim_dns.yaml @@ -0,0 +1,31 @@ +--- +# Show the DNS records to configure with dkim publik key +# needed facts (variables): +# dkim_domain: the domain to configure +# dkim_opendkim_config_dir: normally /etc/opendkim +# dkim_selector: normally the date yyyymmdd +- name: store hostname and name of the public key file + ansible.builtin.set_fact: + hostname: "{{ inventory_hostname }}" + public_key: "{{ dkim_opendkim_config_dir }}/keys/{{ dkim_domain }}/{{ dkim_selector }}.txt" +- name: fetch the remote key file to the (local) control host + fetch: + src: "{{ public_key }}" + dest: "/tmp" +- name: start the local script to find out the related info + script: "../scripts/build_dkim_text.py /tmp/{{ hostname }}{{ public_key }}" + register: dns_text + delegate_to: localhost +- name: display DKIM public key DNS record + debug: + msg: + - "#=============================================" + - "zone: {{ dkim_selector }}._domainkey.{{ dkim_domain }}" + - "type: TXT" + - "content: {{ dns_text.stdout | regex_replace('\n', '')}}" + - "#=============================================" + - "Test:" + - "host -t txt {{ dkim_selector }}._domainkey.{{ dkim_domain }}._domainkey" + - "opendkim-testkey -d {{ dkim_domain }} -s {{ dkim_selector }} -vvv" + - "#=============================================" +... diff --git a/tasks.templates/t_dkim_keys.yaml b/tasks.templates/t_dkim_keys.yaml new file mode 100644 index 0000000..ba35e97 --- /dev/null +++ b/tasks.templates/t_dkim_keys.yaml @@ -0,0 +1,34 @@ +--- +## DKIM: Generates a key for a given domain +# dkim_domain: the domain to configure +# dkim_opendkim_config_dir: normally /etc/opendkim +# dkim_selector: normally the date yyyymmdd +# dkim_user: the user running DKIM +# dkim_group: the group running DKIM +# dkim_rsa_keylen: the count of bits of the RSA key + +- name: creates domain's keys directory + file: + path: "{{ dkim_opendkim_config_dir }}/keys/{{ dkim_domain }}" + state: directory + recurse: true + +- name: ensure signing key is present + stat: + path: "{{ dkim_opendkim_config_dir }}/keys/{{ dkim_domain }}/{{ dkim_selector }}.private" + get_checksum: false + register: dkim_key + +- name: generate signing key + command: opendkim-genkey -b {{ dkim_rsa_keylen }} -s {{ dkim_selector }} -d {{ dkim_domain }} -D {{ dkim_opendkim_config_dir }}/keys/{{ dkim_domain }} + when: not dkim_key.stat.exists + notify: + - restart opendkim + +- name: ensure signing key owner + file: + path: "{{ dkim_opendkim_config_dir }}/keys/{{ dkim_domain }}/{{ dkim_selector }}.private" + owner: '{{ dkim_user }}' + group: '{{ dkim_group }}' + +... diff --git a/tasks.templates/t_dmarc.yaml b/tasks.templates/t_dmarc.yaml new file mode 100644 index 0000000..3f016eb --- /dev/null +++ b/tasks.templates/t_dmarc.yaml @@ -0,0 +1,54 @@ +--- +# Configures DMARC +# needed facts (variables): +# dkim_domains: a list of domains handled by DKIM +# dmarc_config_dir: normally /etc/opendmarc +# dmarc_config_file: normally /etc/opendmarc.conf +# dmarc_user: the user running opendmarc +# dmarc_group: the user group running opendmarc + +- name: add user to group postfix + ansible.builtin.user: + name: '{{ dmarc_user }}' + groups: postfix + append: yes +- name: ensure existence of /var/spool/postfix/opendmarc + file: + path: /var/spool/postfix/opendmarc + state: directory + recurse: true + owner: "{{ dmarc_user }}" + group: "{{ dmarc_group }}" + mode: "0750" +- name: configure opendmarc in {{ dmarc_config_file }} + ansible.builtin.copy: + src: ../templates.local/antispam/opendmarc.conf + dest: "{{ dmarc_config_file }}" + notify: + - restart opendmarc +- name: "create configuration directory {{ dmarc_config_dir }}" + ansible.builtin.file: + path: "{{ dmarc_config_dir }}" + state: directory + owner: "{{ dmarc_user }}" + group: "{{ dmarc_group }}" + mode: "0750" + +- name: create ignore.hosts + ansible.builtin.copy: + src: ../templates.local/antispam/ignore.hosts + dest: "{{ dmarc_config_dir }}/ignore.hosts" + notify: + - restart opendmarc +- name: download suffix list + get_url: + url: https://publicsuffix.org/list/public_suffix_list.dat + dest: "{{ dmarc_config_dir }}" + owner: "{{ dmarc_user }}" + group: "{{ dmarc_group }}" +- name: display DNS staff and tests + ansible.builtin.include_tasks: "../tasks/t_dmarc_dns.yaml" + loop: "{{ dkim_domains }}" + loop_control: + loop_var: dkim_domain + diff --git a/tasks.templates/t_dmarc_dns.yaml b/tasks.templates/t_dmarc_dns.yaml new file mode 100644 index 0000000..0bc19ec --- /dev/null +++ b/tasks.templates/t_dmarc_dns.yaml @@ -0,0 +1,17 @@ +--- +# Show the DNS records to configure DMARC +# needed facts (variables): +# dkim_domain: the domain to configure +# dmarc_email_report: receipient email addres for reports +- name: display DMARC public key DNS record + debug: + msg: + - "#=============================================" + - "zone: _dmarc.{{ dkim_domain }}" + - "type: TXT" + - "content: v=DMARC1; p=reje; sp=reje; adkim; aspf; pct=1; rua=mailto:{{ dmarc_email_report }}; ruf=mailto:{{ dmarc_email_report }}; fo=1;" + - "#=============================================" + - "Test:" + - "host -t txt _dmarc.{{ dkim_domain }}" + - "#=============================================" +... diff --git a/tasks.templates/t_link_wildcard.yaml b/tasks.templates/t_link_wildcard.yaml index d9e455a..818c9ed 100644 --- a/tasks.templates/t_link_wildcard.yaml +++ b/tasks.templates/t_link_wildcard.yaml @@ -7,7 +7,7 @@ # - pattern: wildcard pattern - name: Link files matching {{ pattern }} from {{ src_dir }} to {{dest_dir}} #command: ln -s {{ src_relative }}/{{ item | basename}} {{ dest_dir }}/{{ item | basename }} - file: + ansible.builtin.file: src: "{{ src_relative }}/{{ item | basename }}" dest: "{{ dest_dir }}/{{ item | basename }}" state: link diff --git a/tasks.templates/t_nginx_create_site.yaml b/tasks.templates/t_nginx_create_site.yaml index 47efe7d..b64b337 100644 --- a/tasks.templates/t_nginx_create_site.yaml +++ b/tasks.templates/t_nginx_create_site.yaml @@ -31,7 +31,7 @@ when: not force and site_config.stat.exists - name: Create nginx site configuration of {{ domain }} ansible.builtin.template: - src: ../templates/nginx/site.php + src: ../templates.fix/nginx/site.php dest: /etc/nginx/sites-available/{{ domain }} owner: root group: root diff --git a/tasks.templates/t_spf.yaml b/tasks.templates/t_spf.yaml new file mode 100644 index 0000000..bf50d1e --- /dev/null +++ b/tasks.templates/t_spf.yaml @@ -0,0 +1,33 @@ +--- +# Installs the SPF staff for postfix +# needed facts (variables): +# dkim_domains: the list of email domains +- name: intro + debug: + msg: "domains: {{ dkim_domains }}" +- name: Adapt policyd-spf.conf + lineinfile: + dest: /etc/postfix-policyd-spf-python/policyd-spf.conf + regexp: "^{{ item }}\\s*=\\s*Fail" + line: "{{ item }} = False" + notify: + - restart postfix + with_items: [ HELO_reject, Mail_From_reject] +- name: Display DNS configuration + debug: + msg: + - "*************************************************************" + - "zone: {{ item }}" + - "type: TXT" + - "content: 'v=spf1 mx -all' deny other" + - "content: 'v=spf1 mx ~all' allow other" + - "*************************************************************" + with_items: "{{ dkim_domains }}" +- name: Display test command + debug: + msg: + - "*************************************************************" + - "Test it with:" + - "host -t txt {{ item }}" + - "*************************************************************" + with_items: "{{ dkim_domains }}" diff --git a/tasks.templates/t_ssl_create_certificate.yaml b/tasks.templates/t_ssl_create_certificate.yaml index da6eaa0..5d9550c 100644 --- a/tasks.templates/t_ssl_create_certificate.yaml +++ b/tasks.templates/t_ssl_create_certificate.yaml @@ -8,6 +8,6 @@ # - ssl_lifetime: the lifetime of the certificate in days # - ssl_rsa_key_size: the size of the RSA key for the certificate - name: create a ssh-certificate - command: openssl req -x509 -nodes -days {{ssl_lifetime}} -newkey rsa:{{ssl_rsa_key_size}} -keyout /etc/ssl/private/{{domain}}.key -out /etc/ssl/certs/{{domain}}.pem -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{domain}}" + ansible.builtin.command: openssl req -x509 -nodes -days {{ssl_lifetime}} -newkey rsa:{{ssl_rsa_key_size}} -keyout /etc/ssl/private/{{domain}}.key -out /etc/ssl/certs/{{domain}}.pem -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{domain}}" args: creates: /etc/ssl/private/{{domain}}.key diff --git a/tasks.templates/t_webapp_backup.yaml b/tasks.templates/t_webapp_backup.yaml index 2760339..43da64e 100644 --- a/tasks.templates/t_webapp_backup.yaml +++ b/tasks.templates/t_webapp_backup.yaml @@ -6,14 +6,14 @@ # webapp_backup_directory: a local directory which will be syncronized with the web application # webapps_list: the list defined in ../var/webapps.yaml # fetch: true: the file will be fetched to the local machine -- set_fact: +- ansible.builtin.set_fact: db_name: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_name') | first }}" db_user: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_user') | first }}" db_password: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_password') | first }}" document_root: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='directory') | first }}" target_file: "{{ document_root }}/db/{{ webapp_name }}.sql.gz" - name: Dump the database {{ db_name }} into {{ document_root }} - import_tasks: t_webapp_export.yaml + ansible.builtin.import_tasks: t_webapp_export.yaml - name: Synchronize the web application {{ webapp_name }} with {{ webapp_backup_directory }} ansible.posix.synchronize: mode: push diff --git a/tasks.templates/t_webapp_create.yaml b/tasks.templates/t_webapp_create.yaml index a76a6b4..2c40ee5 100644 --- a/tasks.templates/t_webapp_create.yaml +++ b/tasks.templates/t_webapp_create.yaml @@ -9,19 +9,19 @@ # remote_webapps_directory: the access data will be stored there, e.g. /etc/ansknife/webapp.d # local_webapps_directory: the access data will be stored there, e.g. ../webapp.d - name: 'check if the webapp is already defined' - stat: + ansible.builtin.stat: path: "{{remote_webapps_directory}}/{{ webapp_name }}.yaml" register: webapp - name: 'stop if the webapp already defined' - fail: msg="webapp {{ webapp_name }} is already defined" + ansible.builtin.fail: msg="webapp {{ webapp_name }} is already defined" when: webapp.stat.exists - name: 'stop on missing facts' - fail: msg="missing facts! webapp_name, db_name, db_user, db_password. Use -e webapp_name=..., -e db_name=..., -e db_user=..., -e db_password=..." + ansible.builtin.fail: msg="missing facts! webapp_name, db_name, db_user, db_password. Use -e webapp_name=..., -e db_name=..., -e db_user=..., -e db_password=..." when: webapp_name is not defined or db_name is not defined or db_user is not defined or db_password is not defined - name: Create the database {{db_name}} and db user {{db_user}} - import_tasks: ../tasks/t_mysql_create_db_and_user.yaml + ansible.builtin.import_tasks: ../tasks/t_mysql_create_db_and_user.yaml - name: Store data in remote configuration file - copy: + ansible.builtin.copy: content: | db_name={{ db_name }} db_user={{ db_user }} diff --git a/tasks.templates/t_webapp_export.yaml b/tasks.templates/t_webapp_export.yaml index 0f18699..81eee15 100644 --- a/tasks.templates/t_webapp_export.yaml +++ b/tasks.templates/t_webapp_export.yaml @@ -23,7 +23,7 @@ single_transaction: true pipefail: "{{ compressed }}" - name: Fetch the database dump {{ target_file }} to local machine - fetch: + ansible.builtin.fetch: src: "{{ remote_file }}" dest: "{{ target_file }}" flat: true diff --git a/templates.fix/antispam/key.table b/templates.fix/antispam/key.table new file mode 100644 index 0000000..58d41bc --- /dev/null +++ b/templates.fix/antispam/key.table @@ -0,0 +1,3 @@ +{% for domain in dkim_domains %} +{{ dkim_selector }}._domainkey.{{ domain }} {{ domain }}:{{ dkim_selector }}:/etc/opendkim/keys/{{ domain }}/{{ dkim_selector }}.private +{% endfor %} diff --git a/templates.fix/antispam/signing.table b/templates.fix/antispam/signing.table new file mode 100644 index 0000000..f7d5949 --- /dev/null +++ b/templates.fix/antispam/signing.table @@ -0,0 +1,3 @@ +{% for domain in dkim_domains %} +*@{{ domain }} {{ dkim_selector }}._domainkey.{{ domain }} +{% endfor %} diff --git a/templates/nginx/hi1.txt b/templates.fix/nginx/hi1.txt similarity index 100% rename from templates/nginx/hi1.txt rename to templates.fix/nginx/hi1.txt diff --git a/templates/nginx/hi2.txt b/templates.fix/nginx/hi2.txt similarity index 100% rename from templates/nginx/hi2.txt rename to templates.fix/nginx/hi2.txt diff --git a/templates/nginx/index.html b/templates.fix/nginx/index.html similarity index 100% rename from templates/nginx/index.html rename to templates.fix/nginx/index.html diff --git a/templates/nginx/index.php b/templates.fix/nginx/index.php similarity index 100% rename from templates/nginx/index.php rename to templates.fix/nginx/index.php diff --git a/templates/nginx/letsencrypt.conf b/templates.fix/nginx/letsencrypt.conf similarity index 90% rename from templates/nginx/letsencrypt.conf rename to templates.fix/nginx/letsencrypt.conf index 67149c9..61e17f2 100644 --- a/templates/nginx/letsencrypt.conf +++ b/templates.fix/nginx/letsencrypt.conf @@ -1,6 +1,6 @@ location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; - root /home/www/letsencrypt; + root /srv/www/letsencrypt; } # Hide /acme-challenge subdirectory and return 404 on all requests. # It is somewhat more secure than letting Nginx return 403. diff --git a/templates/nginx/site.php b/templates.fix/nginx/site.php similarity index 100% rename from templates/nginx/site.php rename to templates.fix/nginx/site.php diff --git a/templates/nginx/test.site b/templates.fix/nginx/test.site similarity index 100% rename from templates/nginx/test.site rename to templates.fix/nginx/test.site diff --git a/templates.fix/readme.txt b/templates.fix/readme.txt new file mode 100644 index 0000000..89c8c5f --- /dev/null +++ b/templates.fix/readme.txt @@ -0,0 +1,2 @@ +Objective: This directory contains templates that can be used in all projects without modification. +Therefore, the files should only be linked within the project, not copied. diff --git a/templates/var/common.yaml b/templates.fix/var/common.yaml similarity index 79% rename from templates/var/common.yaml rename to templates.fix/var/common.yaml index 99858d1..bc90f8e 100644 --- a/templates/var/common.yaml +++ b/templates.fix/var/common.yaml @@ -1,5 +1,6 @@ configuration_directory: /etc/ansknife remote_webapps_directory: "{{ configuration_directory }}/webapps.d" +remote_domain: "{{ inventory_hostname | regex_replace('[0-9a-zA-Z_]+\.', '') }} local_webapps_directory: "../webapps" webmaster_email: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+') }}@hamatoma.de" systemd_journal_system_max_use: 200M diff --git a/templates/var/db.yaml b/templates.fix/var/db.yaml similarity index 100% rename from templates/var/db.yaml rename to templates.fix/var/db.yaml diff --git a/templates.fix/var/dkim.yaml b/templates.fix/var/dkim.yaml new file mode 100644 index 0000000..c61e6f3 --- /dev/null +++ b/templates.fix/var/dkim.yaml @@ -0,0 +1,8 @@ +--- +dkim_domains: ["example.com"] +dkim_opendkim_config_dir: /etc/opendkim +dkim_config_file: /etc/opendkim.conf +dkim_selector: "email" +dkim_user: opendkim +dkim_group: opendkim + diff --git a/templates/var/php.yaml b/templates.fix/var/php.yaml similarity index 100% rename from templates/var/php.yaml rename to templates.fix/var/php.yaml diff --git a/templates/var/ssl-certificate.yaml b/templates.fix/var/ssl-certificate.yaml similarity index 100% rename from templates/var/ssl-certificate.yaml rename to templates.fix/var/ssl-certificate.yaml diff --git a/templates/var/vault_db.yaml b/templates.fix/var/vault_db.yaml similarity index 100% rename from templates/var/vault_db.yaml rename to templates.fix/var/vault_db.yaml diff --git a/templates/var/webapps.yaml b/templates.fix/var/webapps.yaml similarity index 100% rename from templates/var/webapps.yaml rename to templates.fix/var/webapps.yaml diff --git a/templates.local/antispam/opendkim.conf b/templates.local/antispam/opendkim.conf new file mode 100644 index 0000000..61329f8 --- /dev/null +++ b/templates.local/antispam/opendkim.conf @@ -0,0 +1,20 @@ +# normally no need for changes +UserID opendkim:opendkim +UMask 002 +PidFile /var/run/opendkim/opendkim.pid +SOCKET local:/var/spool/postfix/opendkim/opendkim.sock +Mode sv +Domain * +#Selector mail +Canonicalization relaxed/relaxed +SignatureAlgorithm rsa-sha256 +OversignHeaders From +AutoRestart yes +AutoRestartRate 10/1h +SigningTable refile:/etc/opendkim/signing.table +KeyTable /etc/opendkim/key.table +ExternalIgnoreList refile:/etc/opendkim/trusted.hosts +InternalHosts refile:/etc/opendkim/trusted.hosts +Syslog yes +SyslogSuccess yes +LogWhy yes diff --git a/templates.local/antispam/trusted.hosts b/templates.local/antispam/trusted.hosts new file mode 100644 index 0000000..3f4908e --- /dev/null +++ b/templates.local/antispam/trusted.hosts @@ -0,0 +1,3 @@ +127.0.0.1 +::1 +localhost \ No newline at end of file diff --git a/templates/nginx/http.conf b/templates.local/nginx/http.conf similarity index 100% rename from templates/nginx/http.conf rename to templates.local/nginx/http.conf diff --git a/templates.local/postfix/aliases b/templates.local/postfix/aliases new file mode 100644 index 0000000..2d4e090 --- /dev/null +++ b/templates.local/postfix/aliases @@ -0,0 +1,9 @@ +# ansible controlled: do not change manually on remote server! +# +postmaster: root +devnull: /dev/null +mailer-daemon: root +webmaster: root +www: root +security: root +root: root.nest1@hamatoma.de diff --git a/templates.local/postfix/email_forwarding/main.cf b/templates.local/postfix/email_forwarding/main.cf new file mode 100644 index 0000000..c6f17d2 --- /dev/null +++ b/templates.local/postfix/email_forwarding/main.cf @@ -0,0 +1,31 @@ +myorigin = /etc/mailname +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +append_dot_mydomain = no +#delay_warning_time = 4h +readme_directory = no +compatibility_level = 3.6 + + +smtpd_tls_cert_file=/etc/letsencrypt/live/{{ postfix_host }}/fullchain.pem +smtpd_tls_key_file=/etc/letsencrypt/live/{{ postfix_host }}/privkey.pem +#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_tls_security_level=may + +smtp_tls_CApath=/etc/ssl/certs +smtp_tls_security_level=may +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +myhostname = nest1.gemeinwohl-gesellschaft.de +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = $myhostname, localhost.{{ postfix_domain }}, , localhost +relayhost = +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = all diff --git a/templates.local/postfix/email_forwarding/master.cf b/templates.local/postfix/email_forwarding/master.cf new file mode 100644 index 0000000..fd0d581 --- /dev/null +++ b/templates.local/postfix/email_forwarding/master.cf @@ -0,0 +1,137 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +# Choose one: enable submission for loopback clients only, or for any client. +#127.0.0.1:submission inet n - y - - smtpd +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +# Choose one: enable submissions for loopback clients only, or for any client. +#127.0.0.1:submissions inet n - y - - smtpd +#submissions inet n - y - - smtpd +# -o syslog_name=postfix/submissions +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +postlog unix-dgram n - n - 1 postlogd +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} diff --git a/templates.local/postfix/send_only/main.cf b/templates.local/postfix/send_only/main.cf new file mode 100644 index 0000000..c6f17d2 --- /dev/null +++ b/templates.local/postfix/send_only/main.cf @@ -0,0 +1,31 @@ +myorigin = /etc/mailname +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +append_dot_mydomain = no +#delay_warning_time = 4h +readme_directory = no +compatibility_level = 3.6 + + +smtpd_tls_cert_file=/etc/letsencrypt/live/{{ postfix_host }}/fullchain.pem +smtpd_tls_key_file=/etc/letsencrypt/live/{{ postfix_host }}/privkey.pem +#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_tls_security_level=may + +smtp_tls_CApath=/etc/ssl/certs +smtp_tls_security_level=may +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +myhostname = nest1.gemeinwohl-gesellschaft.de +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = $myhostname, localhost.{{ postfix_domain }}, , localhost +relayhost = +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = all diff --git a/templates.local/postfix/send_only/master.cf b/templates.local/postfix/send_only/master.cf new file mode 100644 index 0000000..fd0d581 --- /dev/null +++ b/templates.local/postfix/send_only/master.cf @@ -0,0 +1,137 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +# Choose one: enable submission for loopback clients only, or for any client. +#127.0.0.1:submission inet n - y - - smtpd +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +# Choose one: enable submissions for loopback clients only, or for any client. +#127.0.0.1:submissions inet n - y - - smtpd +#submissions inet n - y - - smtpd +# -o syslog_name=postfix/submissions +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +postlog unix-dgram n - n - 1 postlogd +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} diff --git a/templates/postfix/virtual b/templates.local/postfix/virtual similarity index 100% rename from templates/postfix/virtual rename to templates.local/postfix/virtual diff --git a/templates.local/readme.txt b/templates.local/readme.txt new file mode 100644 index 0000000..bb20bd9 --- /dev/null +++ b/templates.local/readme.txt @@ -0,0 +1,2 @@ +Objective: This directory contains templates that are specific to the project and must be adapted for each project. +Therefore, the files may only be copied into the project, not linked. diff --git a/templates/var/postfix.yaml b/templates/var/postfix.yaml deleted file mode 100644 index a06f19c..0000000 --- a/templates/var/postfix.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# postfix.yaml: -# Defines variables for the postfix configuration. -# Needed facts (variables): -# - postfix_domain: The full qualified name of the postfix server. -postfix_configuration: - - alias_database: "hash:/etc/aliases" - - alias_maps: "hash:/etc/aliases" - - append_dot_mydomain: no - - biff: no - - compatibility_level: 2 - - inet_interfaces: all - - inet_protocols: all - - mailbox_size_limit: 0 - - mydestination: $myhostname, {{ postfix_domain }}, ,localhost - - myhostname: "{{ postfix_domain }}" - - mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 - - myorigin: /etc/mailname - - readme_directory: no - - recipient_delimiter: + - - relayhost: "" - - smtpd_banner: $myhostname ESMTP $mail_name (Debian/GNU) - - smtpd_relay_restrictions: permit_mynetworks permit_sasl_authenticated defer_unauth_destination - - smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem - - smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key - - smtpd_tls_security_level: may - - smtp_tls_CApath: /etc/ssl/certs - - smtp_tls_security_level: may - - smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache -postfix_recipient_email: jonny@example.com -- 2.39.5