This commit is contained in:
decentral1se
2022-05-30 09:31:11 +02:00
commit a66d7d6e8d
28 changed files with 1011 additions and 0 deletions

98
tasks/dkim_domain.yml Normal file

@ -0,0 +1,98 @@
---
- name: "Directory for opendkim keys for {{ domain }} present"
file:
path: "/etc/opendkim/keys/{{ domain }}"
state: directory
owner: opendkim
group: opendkim
mode: 0700
tags:
- email
- name: "OpenDKIM selector present for {{ domain }}"
shell: "date +%Y%m%d > /etc/opendkim/{{ domain }}_selector.txt"
args:
executable: /bin/bash
creates: "/etc/opendkim/{{ domain }}_selector.txt"
tags:
- email
- name: "OpenDKIM selector selector read for {{ domain }}"
slurp:
src: "/etc/opendkim/{{ domain }}_selector.txt"
register: "selector_b64encoded"
tags:
- email
- name: "Set a fact for the selector for {{ domain }}"
set_fact:
selector: "{{ selector_b64encoded['content'] | b64decode | trim }}"
tags:
- email
- name: "Keys for {{ domain }} present"
command: "opendkim-genkey -b 2048 -h sha256 -s {{ selector }} -d {{ domain }} -D /etc/opendkim/keys/{{ domain }}"
args:
creates: "/etc/opendkim/keys/{{ domain }}/{{ selector }}.private"
tags:
- email
- name: "SPF record added to /etc/opendkim/keys/{{ domain }}/{{ selector }}.txt"
lineinfile:
path: "/etc/opendkim/keys/{{ domain }}/{{ selector }}.txt"
line: '{{ domain }}. IN TXT "v=spf1 a mx include:{{ domain }} ~all"'
state: present
tags:
- email
- name: "OpenDKIM private key for {{ domain }} owned and only readable by opendkim user"
file:
path: "/etc/opendkim/keys/{{ domain }}/{{ selector }}.private"
owner: opendkim
group: opendkim
mode: 0600
tags:
- email
- name: "OpenDKIM key check for {{ domain }}"
shell: "opendkim-testkey -d {{ domain }} -s {{ selector }} -k {{ selector }}.private -vvv || echo 'key FAIL'"
args:
chdir: "/etc/opendkim/keys/{{ domain }}"
check_mode: false
register: opendkim_check
changed_when: false
tags:
- email
- name: "DNS configuration needed for {{ domain }}"
debug:
msg: "Please add the DNS record from /etc/opendkim/keys/{{ domain }}/{{ selector }}.txt"
when: '"key OK" not in opendkim_check.stdout'
tags:
- email
- name: "OpenDKIM key check passed so {{ domain }} added to new KeyTable and SigningTable files"
block:
- name: "KeyTable for {{ domain }} {{ opendkim_check.stdout }}"
lineinfile:
path: /etc/opendkim/KeyTable.new
line: "{{ selector }}._domainkey.{{ domain }} {{ domain }}:{{ selector }}:/etc/opendkim/keys/{{ domain }}/{{ selector }}.private"
regexp: "\\._domainkey\\.{{ domain }} {{ domain }}:{{ selector }}:"
state: present
create: true
tags:
- email
- name: "SigningTable for {{ domain }} {{ opendkim_check.stdout }}"
lineinfile:
path: /etc/opendkim/SigningTable.new
line: "*@{{ domain }} {{ selector }}._domainkey.{{ domain }}"
regexp: "^\\*@{{ domain }} "
state: present
create: true
tags:
- email
when: '"key OK" in opendkim_check.stdout'
...
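Review bot: The octal modes at `mode: 0700` (directory task) and `mode: 0600` (private-key task) are unquoted, so a YAML 1.1 loader hands Ansible the integers 448 and 384; tasks/main.yml in the same commit already uses the quoted form for the opendkim directories, so `mode: "0700"` and `mode: "0600"` would keep the two files consistent and avoid the conversion. The key-check task runs `opendkim-testkey ... -vvv || echo 'key FAIL'` and the later `when` clauses test `"key OK"` against `opendkim_check.stdout`; as far as I recall opendkim-testkey prints its verdict on stderr, in which case the success branch never matches and the KeyTable/SigningTable entries are never written — worth confirming on a host, and appending `2>&1` to that shell line makes the test robust either way. The selector task interpolates `{{ domain }}` into a shell redirect; `{{ domain | quote }}` would keep a malformed inventory value from breaking the command.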

397
tasks/main.yml Normal file

@ -0,0 +1,397 @@
---
- name: Ruby packages installed
apt:
pkg:
- ruby2.3
- ruby-addressable
- ruby-json
- ruby-net-http-persistent
- ruby-syslog-logger
state: present
update_cache: yes
tags:
- email
- name: Ruby script receive-mail in place
copy:
src: files/receive-mail
dest: /usr/local/bin/receive-mail
mode: 0755
tags:
- email
- name: Ruby script discourse-smtp-fast-rejection in place
copy:
src: files/discourse-smtp-fast-rejection
dest: /usr/local/bin/discourse-smtp-fast-rejection
mode: 0755
tags:
- email
- name: Old, unneeded files removed
file:
path: /usr/local/bin/discourse-smtp-rcpt-acl
state: absent
tags:
- email
- name: debconf-utils installed for Ansible
apt:
name: debconf-utils
state: present
tags:
- email
- name: Debconf Postfix hostname set
debconf:
name: postfix
question: "postfix/mailname"
value: "{{ hostname }}"
vtype: string
tags:
- email
- name: Debconf Postfix set to be a internet server
debconf:
name: postfix
question: "postfix/main_mailer_type"
value: "Internet Site"
vtype: string
tags:
- email
- name: Postfix and related email packages installed
apt:
pkg:
- ca-certificates
- curl
- debian-archive-keyring
- dnsutils
- mailutils
- mutt
- opendkim
- opendkim-tools
- postfix
- pwgen
- whois
state: present
tags:
- email
- name: Postfix smtpd_relay_restrictions set
command: postconf -e "smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination"
changed_when: false
tags:
- email
- name: Postfix set not to use /etc/aliases
command: postconf -e "alias_maps = "
changed_when: false
tags:
- email
- name: Postfix mydestination set to localhost
command: postconf -e "mydestination = localhost"
changed_when: false
tags:
- email
- name: python-docker installed
apt:
pkg:
- python3-docker
state: present
tags:
- email
- name: Fetch app container information
docker_container_info:
name: app
register: containerinfo
tags:
- email
- name: Get the app container IP address
set_fact:
app_ip_address: '{{ containerinfo.container.NetworkSettings.IPAddress }}'
tags:
- email
- name: Postfix my networks set to include {{ app_ip_address }}
command: postconf -e "mynetworks = 127.0.0.0/8,{{ app_ip_address }}"
changed_when: false
tags:
- email
- name: Postfix relay domains set to {{ hostname }}
command: postconf -e "relay_domains = {{ hostname }}"
changed_when: false
tags:
- email
- name: Postfix smtpd_recipient_restrictions set
command: postconf -e "smtpd_recipient_restrictions = permit_mynetworks, check_policy_service unix:private/policy"
changed_when: false
tags:
- email
- name: Postfix opportunistic TLS enabled
command: postconf -e "smtp_tls_security_level = may"
changed_when: false
tags:
- email
- name: Postfix set to use sub-addresing
command: postconf -e "recipient_delimiter = +"
changed_when: false
tags:
- email
- name: Postfix disable UTF-8 SMTP input
command: postconf -e "smtputf8_enable=no"
changed_when: false
tags:
- email
- name: Postfix Time Zone and Lang set
command: postconf -e "export_environment='TZ LANG'"
changed_when: false
tags:
- email
- name: Postfix set for ipv4 only
command: postconf -e "inet_protocols = ipv4"
changed_when: false
tags:
- email
- name: Postfix set to use /usr/local/bin/receive-mail
command: postconf -M -e "discourse/unix=discourse unix - n n - - pipe user=nobody:nogroup argv=/usr/local/bin/receive-mail ${recipient}"
changed_when: false
tags:
- email
- name: Postfix transport in place
template:
src: templates/transport.j2
dest: /etc/postfix/transport
mode: 0644
tags:
- email
- name: Postfix Transport Maps file set
command: postconf -e "transport_maps=hash:/etc/postfix/transport"
changed_when: false
tags:
- email
- name: Postmap run with Transport Maps file
command: postmap /etc/postfix/transport
changed_when: false
tags:
- email
- name: Postfix set to reject incorrect email addresses
command: postconf -M -e "policy/unix=policy unix - n n - - spawn user=nobody argv=/usr/local/bin/discourse-smtp-fast-rejection"
changed_when: false
tags:
- email
- name: Stat "/var/discourse/shared/standalone/letsencrypt/{{ hostname }}/{{ hostname }}.cer"
stat:
path: "/var/discourse/shared/standalone/letsencrypt/{{ hostname }}/{{ hostname }}.cer"
check_mode: false
register: le_cert
tags:
- email
- block:
- name: Postfix configured to use Let's Encrypt RSA cert for incoming email
command: postconf -e "smtpd_tls_cert_file = /var/discourse/shared/standalone/letsencrypt/{{ hostname }}/{{ hostname }}.cer"
tags:
- email
- name: Postfix configured to use Let's Encrypt RSA key for incoming email
command: postconf -e "smtpd_tls_key_file = /var/discourse/shared/standalone/letsencrypt/{{ hostname }}/{{ hostname }}.key"
tags:
- email
when: le_cert.stat.exists
- name: Directories for opendkim keys and configuration present
file:
path: "{{ dir.name }}"
state: directory
owner: "{{ dir.owner }}"
group: "{{ dir.group }}"
mode: "{{ dir.mode }}"
loop:
- name: /etc/opendkim
mode: "0750"
owner: root
group: opendkim
- name: /etc/opendkim/keys
mode: "0750"
owner: root
group: opendkim
loop_control:
loop_var: dir
tags:
- email
- name: Set a fact for the postfix_dkim_domains array if it it not defined
set_fact:
dkim_domains:
- "{{ hostname | default(inventory_hostname) }}"
when: ( dkim_domains is not defined ) or ( dkim_domains == [] )
tags:
- email
- name: Generate new KeyTable and SigningTable files
template:
src: "{{ template }}.j2"
dest: "/etc/opendkim/{{ template }}.new"
loop:
- KeyTable
- SigningTable
loop_control:
loop_var: template
tags:
- email
- name: Loop through the postfix_dkim_domains array including DKIM tasks
include_tasks: dkim_domain.yml
loop: "{{ dkim_domains }}"
loop_control:
loop_var: domain
tags:
- email
- name: Copy the new KeyTable and SigningTable files into place if changed
copy:
src: "{{ file }}.new"
dest: "{{ file }}"
remote_src: true
loop:
- /etc/opendkim/KeyTable
- /etc/opendkim/SigningTable
loop_control:
loop_var: file
tags:
- email
- name: Check if the KeyTable has more than one line
command: wc -l /etc/opendkim/KeyTable
check_mode: false
changed_when: false
register: opendkim_keytable_check
tags:
- email
- name: Check if the SigningTable has more than one line
command: wc -l /etc/opendkim/SigningTable
check_mode: false
changed_when: false
register: opendkim_signingtable_check
tags:
- email
- name: Set fact for KeyTable and SigningTable file lengths
set_fact:
opendkim_keytable_length: "{{ opendkim_keytable_check.stdout | replace('/etc/opendkim/KeyTable', '') | trim | int }}"
opendkim_signingtable_length: "{{ opendkim_signingtable_check.stdout | replace('/etc/opendkim/SigningTable', '') | trim | int }}"
tags:
- email
- name: Enable OpenDKIM
block:
- name: Configure TrustedHosts
template:
src: templates/TrustedHosts.j2
dest: /etc/opendkim/TrustedHosts
owner: root
group: root
mode: 0644
tags:
- email
- name: OpenDKIM configuration in place
template:
src: templates/opendkim.conf.j2
dest: /etc/opendkim.conf
tags:
- email
- name: Run postconf to add DKIM configuration to main.cf
command: postconf -e "{{ edit }}"
loop:
- "milter_default_action = accept"
- "milter_protocol = 6"
- "smtpd_milters = inet:localhost:{{ postfix_opendkim_port }}"
- "non_smtpd_milters = inet:localhost:{{ postfix_opendkim_port }}"
loop_control:
loop_var: edit
tags:
- email
- name: OpenDKIM enabled and restarted
service:
name: opendkim
enabled: true
state: restarted
tags:
- email
when: ( opendkim_keytable_length | int > 1 ) and ( opendkim_signingtable_length | int > 1 )
- name: Disable OpenDKIM
block:
- name: Run postconf to remove DKIM configuration from main.cf
command: postconf -X "{{ remove }}"
loop:
- "milter_default_action"
- "milter_protocol"
- "smtpd_milters"
- "non_smtpd_milters"
loop_control:
loop_var: remove
changed_when: false
tags:
- email
- name: OpenDKIM disabled and stopped
service:
name: opendkim
enabled: false
state: stopped
when: ( postfix_dkim_dns_configured is not defined ) or ( not postfix_dkim_dns_configured )
tags:
- email
when: ( opendkim_keytable_length | int == 1 ) or ( opendkim_signingtable_length | int == 1 )
- name: mail-receiver-environment in place
template:
src: templates/mail-receiver-environment.json.j2
dest: /etc/postfix/mail-receiver-environment.json
owner: root
group: root
mode: 0644
- name: Postfix restarted
service:
name: postfix
state: restarted
tags:
- email
- name: Root .forward in place
template:
src: templates/forward.j2
dest: /root/.forward
tags:
- email
...
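Review bot: The `mail-receiver-environment in place` template task near the end is the only task in this file without `tags: - email`, so a run restricted with `--tags email` skips writing /etc/postfix/mail-receiver-environment.json while still restarting Postfix; adding the same `tags:` stanza keeps it in step with the rest of the role. `update_cache: yes` in the first apt task should be `update_cache: true`, and the `mode: 0755` / `mode: 0644` values on the copy and template tasks are unquoted octals while the opendkim directory loop already writes `mode: "0750"` — quote them for the same reason. The Let's Encrypt block sets `smtpd_tls_cert_file` and `smtpd_tls_key_file` but nothing in this file sets `smtpd_tls_security_level`, so inbound STARTTLS depends on whatever the distribution's shipped main.cf already contains (which I cannot see from here); an explicit `postconf -e "smtpd_tls_security_level = may"` in that block would make the intent self-contained. Every `postconf -e` task carries `changed_when: false`, so the play never reports these edits as changes and relies on the unconditional `state: restarted` at the end to apply them.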