Merge branch 'new-infra' of gitea.auro.re:aurore/ansible into new-infra

This commit is contained in:
jeltz 2024-01-28 19:33:04 +01:00
commit 00dcf27614
Signed by: jeltz
GPG key ID: 800882B66C0C3326
14 changed files with 405 additions and 2 deletions


@ -1,6 +1,11 @@
---
systemd_link__links:
ext0: ae:ae:ae:1d:c8:b2
dovecot__auth_default_realm: test.auro.re
dovecot__auth_users:
jeltz@test.auro.re: "{plain}password"
lafeych@test.auro.re: "{plain}password"
toto@test.auro.re: "{plain}password"
root@test.auro.re: "{plain}L9yXSrCbbafMlMls5q7WWMKC612XNbXL"
dovecot__lmtp_postmaster_address: postmaster@test.auro.re
ifupdown2__interfaces:
ext0:
@ -9,4 +14,25 @@ ifupdown2__interfaces:
- 10.211.1.5/16
- 45.66.111.205/30
gateways: "{{ ifupdown2__gateways.ext }}"
postfix__hostname: mx.test.auro.re
postfix__sasl_local_domain: test.auro.re
postfix__virtual_aliases:
postmaster@test.auro.re: root@test.auro.re
dmarc@test.auro.re: root@test.auro.re
postfix__virtual_mailbox_domains:
- infra.test.auro.re
- test.auro.re
postfix__virtual_mailboxes:
jeltz@test.auro.re: jeltz@test.auro.re
root@test.auro.re: root@test.auro.re
toto@test.auro.re: toto@test.auro.re
vincent.lafeychine@test.auro.re: lafeych@test.auro.re
systemd_link__links:
ext0: ae:ae:ae:1d:c8:b2
...
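Review bot: The host vars commit cleartext credentials — `{plain}password` for three accounts and a real-looking 32-character password on the `root@test.auro.re` line — into a shared, signed repository, so at minimum the root value must be treated as disclosed and rotated. Keep `dovecot__auth_users` in an Ansible Vault-encrypted vars file (or `!vault` inline scalars) and generate the values with `doveadm pw -s SHA512-CRYPT` so the rendered `/etc/dovecot/auth` holds only hashes, e.g. `root@test.auro.re: "{SHA512-CRYPT}$6$..."`. The three `{plain}password` entries look like test fixtures, but nothing in the vars marks them as such and they reach the same passdb, so the same treatment applies.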

playbooks/mail.yml Executable file

@ -0,0 +1,8 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- vm_test
roles:
- postfix
- dovecot
...


@ -0,0 +1,3 @@
---
dovecot__auth_users: {}
...


@ -0,0 +1,6 @@
---
- name: Reload dovecot
systemd:
name: dovecot.service
state: reloaded
...


@ -0,0 +1,47 @@
---
- name: Install dovecot
apt:
name:
- dovecot-core
- dovecot-imapd
- dovecot-lmtpd
- dovecot-managesieved
- dovecot-sieve
- name: Create group vmail for dovecot
group:
name: vmail
- name: Create account vmail for dovecot
user:
group: vmail
home: /srv/mail
name: vmail
password: "!"
system: true
- name: Configure dovecot main configuration
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: "{{ item.group }}"
mode: "{{ item.mode }}"
loop:
- src: dovecot.conf.j2
dest: /etc/dovecot/dovecot.conf
group: root
mode: u=rw,g=,o=
- src: auth.j2
dest: /etc/dovecot/auth
group: dovecot
mode: u=rw,g=r,o=
notify:
- Reload dovecot
- name: Enable and start dovecot
systemd:
name: dovecot.service
state: started
enabled: true
...
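Review bot: The `vmail` service account in "Create account vmail for dovecot" is locked with `password: "!"` but gets no login shell override, so it keeps whatever shell `useradd` assigns by default on the host; add `shell: /usr/sbin/nologin` next to `system: true` so the account that owns every mailbox cannot be used interactively even if a key or PAM path is later added. Note also that `dovecot.conf.j2` points `ssl_cert`/`ssl_key` at `/etc/dovecot/private/dovecot.pem` and `.key`, which nothing in this role deploys; if they come from another role that is fine, otherwise "Enable and start dovecot" starts a service that fails on its first TLS listener, so a comment naming the provider would help the next reader.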


@ -0,0 +1,5 @@
{{ ansible_managed | comment }}
{% for user, passwd in dovecot__auth_users.items() %}
{{ user }}:{{ passwd }}
{% endfor %}


@ -0,0 +1,120 @@
protocols = imap lmtp sieve
ssl = yes
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/dovecot/private/dovecot.key
service stats {
inet_listener http {
port = 9900
}
}
metric auth_success {
filter = (event=auth_request_finished AND success=yes)
}
metric imap_command {
filter = event=imap_command_finished
group_by = cmd_name tagged_reply_state
}
metric smtp_command {
filter = event=smtp_server_command_finished
group_by = cmd_name status_code duration:exponential:1:5:10
}
metric mail_delivery {
filter = event=mail_delivery_finished
group_by = duration:exponential:1:5:10
}
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
port = 993
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0660
group = postfix
user = postfix
}
# TODO
user = vmail
}
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
# TODO
unix_listener auth-userdb {
mode = 0660
user = vmail
group = vmail
}
}
protocol imap {
mail_plugins = imap_sieve
mail_max_userip_connections = 20 # TODO
imap_idle_notify_interval = 29 mins # TODO
}
protocol lmtp {
postmaster_address = {{ dovecot__lmtp_postmaster_address | enquote }}
mail_plugins = sieve notify push_notification # TODO sieve ??
}
auth_default_realm = {{ dovecot__auth_default_realm | enquote }}
auth_mechanisms = plain
auth_username_format = %Lu
disable_plaintext_auth = yes
mail_uid = vmail
mail_gid = vmail
mail_privileged_group = vmail
mail_home = /srv/mail/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs
# TODO userdb vs passdb
passdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/auth
}
namespace inbox {
inbox = yes
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
}
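Review bot: The `inet_listener http` block under `service stats` sets only `port = 9900`, so with Dovecot's default `listen` it binds on every interface, including the public `45.66.111.205/30` address configured for this host, and the metrics endpoint has no authentication. Pin it to loopback with `address = 127.0.0.1` inside the listener (add `::1` if the scraper uses IPv6) or restrict it in the host firewall; the metrics defined just below expose command names, auth success counts and delivery timings that are useful to an attacker profiling the server. The rest of the TLS section looks sane (plaintext IMAP disabled, `disable_plaintext_auth = yes`), though the template sets no `ssl_min_protocol`, so the effective floor is whatever the installed Dovecot defaults to — worth stating explicitly if TLS 1.0/1.1 must be off.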


@ -0,0 +1,9 @@
---
postfix__destination_concurrency_limit: 50
postfix__destination_rate_delay: 3s
postfix__destination_recipient_limit: 50
postfix__recipient_delimiter: +
postfix__virtual_aliases: {}
postfix__virtual_mailbox_domains: []
postfix__virtual_mailboxes: {}
...


@ -0,0 +1,6 @@
---
- name: Reload postfix
systemd:
name: postfix.service
state: reloaded
...


@ -0,0 +1,30 @@
---
- name: Install postfix
apt:
name: postfix
- name: Configure postfix
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: u=rw,g=,o=
loop:
- src: main.cf.j2
dest: /etc/postfix/main.cf
- src: master.cf.j2
dest: /etc/postfix/master.cf
- src: virtual.j2
dest: /etc/postfix/virtual
- src: vmailbox.j2
dest: /etc/postfix/vmailbox
notify:
- Reload postfix
- name: Enable and start postfix
systemd:
name: postfix.service
state: started
enabled: true
...
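Review bot: The "Configure postfix" task writes all four files with `mode: u=rw,g=,o=` and `owner: root`, but Postfix does not read its configuration only as root: the set-gid `postdrop`/`postqueue` helpers and the unprivileged daemons running as the `postfix` user open `main.cf` themselves, and the `texthash:` tables referenced from `main.cf.j2` are read directly by `smtpd`/`cleanup`, so a 0600 root-owned file yields a fatal "Permission denied" on first use rather than a hardening gain. None of these files contains a secret (no SASL client passwords, no keys), so the conventional `mode: u=rw,g=r,o=r` is appropriate; if a future map does need restricting, route it through `proxy:` instead of tightening the file. Consider also adding `validate: postconf -c /etc/postfix -n >/dev/null` on the `main.cf` item so a broken render never reaches the "Reload postfix" handler.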


@ -0,0 +1,73 @@
{{ ansible_managed | comment }}
myhostname = {{ postfix__hostname }}
smtpd_banner = $myhostname ESMTP
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
#delay_warning_time = 4h
compatibility_level = 3.6
virtual_alias_maps = texthash:/etc/postfix/virtual
virtual_mailbox_domains = {{ postfix__virtual_mailbox_domains | join(" ") }}
virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_sender_login_maps = $virtual_mailbox_maps, $virtual_alias_maps
#smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth
alias_maps =
# TODO peut-être
#smtpd_helo_required = yes
#strict_rfc821_envelopes = yes
# TLS parameters
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
# M2M
smtpd_client_restrictions = permit
smtpd_helo_restrictions = permit
smtpd_recipient_restrictions =
reject_unverified_recipient,
permit
smtpd_relay_restrictions =
reject_unauth_destination,
permit
smtpd_sender_restrictions = permit
# MUA
mua_client_restrictions =
permit_sasl_authenticated,
reject
mua_helo_restrictions = permit
# TODO match envelope
mua_recipient_restrictions =
reject_authenticated_sender_login_mismatch,
permit_sasl_authenticated,
reject
mua_reject_unlisted_sender = yes
mua_reject_unlisted_recipient = no
mua_relay_restrictions = permit
mua_sasl_local_domain = {{ postfix__sasl_local_domain }}
mua_sender_restrictions = permit
# TODO mails depuis *@infra.auro.re + localhost
#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
#mailbox_size_limit = 0
recipient_delimiter = {{ postfix__recipient_delimiter }}
inet_interfaces = all
inet_protocols = all
default_destination_rate_delay = {{ postfix__destination_rate_delay }}
smtp_destination_concurrency_limit = {{ postfix__destination_concurrency_limit }}
smtp_destination_recipient_limit = {{ postfix__destination_recipient_limit }}
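Review bot: The TLS parameters block configures inbound TLS (`smtpd_tls_security_level = may`) but never sets `smtp_tls_security_level`, whose Postfix default is `none`, so every outbound delivery and every message relayed for authenticated users leaves this host in cleartext; the `smtp_tls_CApath = /etc/ssl/certs` and `smtp_tls_session_cache_database` lines are therefore unused. Add at least `smtp_tls_security_level = may` and `smtp_tls_loglevel = 1`; `dane` with `smtp_dns_support_level = dnssec` is stronger, but only if the host's resolver validates DNSSEC, which this commit does not show. Separately, `smtpd_tls_cert_file`/`smtpd_tls_key_file` still point at the Debian snakeoil pair, so remote MTAs doing opportunistic TLS will see a self-signed certificate — acceptable for `may`, but worth a comment if it is intentional for the test VM.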


@ -0,0 +1,60 @@
{{ ansible_managed | comment }}
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
smtp inet n - y - - smtpd
-o syslog_name=postfix/smtp
-o smtpd_sasl_auth_enable=no
-o smtpd_tls_security_level=may
submissions inet n - y - - smtpd
-o syslog_name=postfix/submissions
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$mua_sasl_local_domain
-o smtpd_reject_unlisted_sender=$mua_reject_unlisted_sender
-o smtpd_reject_unlisted_recipient=$mua_reject_unlisted_recipient
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_relay_restrictions=$mua_relay_restrictions
-o smtpd_recipient_restrictions=$mua_recipient_restrictions
# -o milter_macro_daemon_name=ORIGINATING
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
# TODO
# relay unix - - y - - smtp
# -o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5
# -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
relay unix - - n - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5


@ -0,0 +1,5 @@
{{ ansible_managed | comment }}
{% for src, dest in postfix__virtual_aliases.items() %}
{{ src }} {{ dest }}
{% endfor %}


@ -0,0 +1,5 @@
{{ ansible_managed | comment }}
{% for src, dest in postfix__virtual_mailboxes.items() %}
{{ src }} {{ dest }}
{% endfor %}