Verified Commit e7e124c1 authored by Hephaestus Builder's avatar Hephaestus Builder

NEW: rspamd

NEW: postsrsd, create new envelope for forwarded mail
NEW: apnscp_update_policy, yum_update_policy: control panel/OS updates (apnscp-vars.yml)
FIX: alias expansion (mail/configure-postfix)
FIX: virtual_mailbox_limit less than $message_size_limit (mail/configure-postfix)
FIX: pass HOME when running Bootstrapper as background job (mysql/install)
FIX: /etc/sudoers inherited from system default (apnscp/initialize-filesystem-template)
FIX: add MariaDB startup timeout for large InnoDB pools which could result in a cyclic restart on large servers (mysql/install)
CHG: preserve maildrop templates (mail/maildir)
CHG: Configuration tweaks: constrain Redis memory. Normal worker on UNIX socket. Enable reputation module. Reclassify autolearn within [-2.5, 7.5] threshold. Disable normal worker in low-memory environments (rspamd)
CHG: always use X-Spam-Score header (mail/rspamd)
CHG: swap localmaildrop service with mailbox_transport (mail/configure-postfix)
CHG: cleanup (mail/rspamd)
CHG: smtpd_relay_restrictions separate subset of smtps_recipient_restrictions as of 2.10 (mail/configure-postfix)
CHG: move to GitLab
REM: --extra-vars save. Use "cpcmd config_set apnscp.bootstrapper var val" to permanently alter Bootstrapper parameters (common/update-config)
parent 2c3e3c15
......@@ -38,8 +38,27 @@ has_low_memory: false
# - no bypasses fst creation
populate_filesystem_template: auto
# apnscp update policy. Possible values:
# - edge: nightly updates off Gitlab - DEFAULT
# - minor: update patch levels (3.0.x)
# - major: update minor levels (3.x.x)
# - all: update all releases (x.x.x)
# - false: disable updates
apnscp_update_policy: edge
# Automatic update policy with yum. Possible values:
# - default: yum upgrade (always update) - DEFAULT
# - security: yum --security upgrade
# - security-severity: yum --sec-severity=critical upgrade
# - minimal: yum --bugfix upgrade-minimal
# - minimal-security: yum --security upgrade-minimal
# - minimal-security-severity: yum --sec-severity=critical upgrade-minimal
# - false: disable
yum_update_policy: default
# Perform nightly panel updates? Panel may be updated manually with
# "upcp" or running build/upcp.sh
# "upcp" or running build/upcp.sh. Panel follows apnscp_update_policy
# Setting apnscp_update_policy to false disables updates.
apnscp_nightly_update: true
# Default IPv4 address for apnscp to listen to. If undefined will
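Review bot: The value list for apnscp_update_policy ends with `false: disable updates`, but the comment does not say that this must be the unquoted YAML boolean; the apnscp/crons tasks in this commit appear to gate on `apnscp_update_policy != false`, so a quoted `"false"` (for example one set through `cpcmd config_set`, as the description suggests) would read as a policy name and leave updates on. A one-line clarification avoids that, e.g. `# - false: disable updates (YAML boolean, not the string "false")`. The same applies to the `false` entry under yum_update_policy; its consumer is not visible in this diff, so whether it normalizes the type cannot be checked here.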
......
......@@ -33,11 +33,11 @@
- packages/install
- apnscp/testing
- pgsql/install
- mysql/install
- mysql/install
- system/rsyslog
- vsftpd/configure
- browscap
- php/install
- php/install
- php/install-pecl-module
- php/create-configuration
- java/tomcat
......@@ -73,14 +73,13 @@
- system/cgroup
- system/sysctl
- system/tuned
- system/sshd
- system/sshd
- network/setup-firewall
- fail2ban/whitelist-self
- fail2ban/configure-jails
- mail/maildir
- mail/spamassassin
# Needs more testing...
#- mail/rspamd
- mail/rspamd
- apnscp/register-ssl
- network/optimizations
# Odds and ends
......@@ -110,8 +109,6 @@
# Last checkpoint, validate a mock account
- apnscp/assert-account-works
- apnscp/notify-installed
# Holy shit, DONE!
# 🎉🙌🎊🍺
####################################
# Add post-provisioning roles here #
####################################
......
# Migration play
# vim:et ts=2 sw=2 sts=2 syntax=yaml filetype=yaml
# - Add SRS support
# - Change tracking repo over to Gitlab
# - Startup delay for MySQL on large systems
# - rspamd experimental support
# - Unlink /etc/sudoers
---
- block:
- name: Update synchronizer skiplist
lineinfile:
path: "{{ apnscp_root }}/config/synchronizer.skiplist"
line: "{{ item }}"
state: present
with_items:
- /etc/authlib/*
- /usr/libexec/courier-authlib/*
- /var/spool/authdaemon/*
- /etc/sudoers
- name: Match alternative X-Spam-Flag form
replace:
path: "{{ item }}"
regexp: "X-Spam-Flag: YES"
replace: "X-Spam-Flag: (?:YES|yes)"
with_items:
- "{{ (apnscp_account_root + '/site*/fst/etc/maildroprc') | fileglob }}"
- "{{ apnscp_filelists }}/siteinfo/etc/maildroprc"
- name: Add courier-authlib RPM
include_role: name=apnscp/initialize-filesystem-template tasks_from=install-package.yml
vars:
package: courier-authlib
service: siteinfo
- include_role: name=mail/rspamd
- include_role: name=mail/configure-postfix
- include_role: name=apnscp/crons
- include_role: name=mysql/install
- include_role: name=system/yum
- name: Check if repo is bitbucket
shell: git remote -v | grep bitbucket | grep fetch | cut -f1
register: r
failed_when: false
changed_when: r.rc == 0 and r.stdout != ""
args:
chdir: "{{ apnscp_root }}"
- name: Change tracking repo to Gitlab
shell: git remote set-url "{{ r.stdout }}" "{{ apnscp_release_repo }}"
args:
chdir: "{{ apnscp_root }}"
when: r.changed
- name: Fetch refs
shell: git fetch "{{ r.stdout }}"
args:
chdir: "{{ apnscp_root }}"
when: r.changed
- name: Unlink /etc/sudoers
include_role:
name: apnscp/initialize-filesystem-template
tasks_from: oneshot-files.yml
vars:
force: yes
item:
service: siteinfo
file: /etc/sudoers
- name: Remove %wheel sudo access
lineinfile:
path: "{{ apnscp_filesystem_template }}/siteinfo/etc/sudoers"
regexp: '^\s*%wheel\s+ALL\s*=\s*\(ALL\)\s+ALL'
state: absent
tags: ['up']
\ No newline at end of file
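Review bot: The "Remove %wheel sudo access" lineinfile edits a sudoers file without a syntax check and only matches the `%wheel ALL=(ALL) ALL` form; the NOPASSWD variant that ships commented out in the stock file would survive if it had been enabled. I would add `validate: '/usr/sbin/visudo -cf %s'` to the task and widen the pattern to `regexp: '^\s*%wheel\s+ALL\s*=\s*\(ALL\)\s+(NOPASSWD:\s*)?ALL'`. In the "Check if repo is bitbucket" task, `r.stdout` can hold more than one remote name if several remotes point at bitbucket, and the later `git remote set-url "{{ r.stdout }}"` would then receive a multi-line argument; `stdout_lines[0]` or a `| first` would make the intent explicit. `force: yes` under the "Unlink /etc/sudoers" vars should be `force: true` to match the file's other booleans. The block on the first task line closes at `tags: ['up']`, so the whole play is within this hunk.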
......@@ -14,8 +14,8 @@ SYSTEMCTL_SKIP_REDIRECT=1
[[ -f /etc/sysconfig/apnscp ]] && . /etc/sysconfig/apnscp
# Prevent runaway logging
# Maximum blocksize of all files, 1 block = 4 KB
ulimit -f "${MAX_FILESIZE:-524288}"
# Maximum blocksize of all files, works out to be 2 GB... ?!
ulimit -f "${MAX_FILESIZE:-4194304}"
CP_DIR={{apnscp_root|quote}}
declare -x HOSTNAME="$(hostname -f)"
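Review bot: The replaced comment above `ulimit -f "${MAX_FILESIZE:-4194304}"` says the limit "works out to be 2 GB... ?!", which matches neither the old nor the new value; bash scales `ulimit -f` in 1024-byte blocks (512-byte only in POSIX mode), so 4194304 is 4 GiB and the previous 524288 was 512 MiB. The earlier "1 block = 4 KB" remark was also off. I would replace the comment with `# Maximum file size in 1 KB blocks (bash ulimit -f); 4194304 = 4 GiB`.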
......
......@@ -9,4 +9,8 @@
#APNSCP_UPDATE_USER=
# Installation path of apnscp
#APNSCP_HOME={{ apnscp_root }}
\ No newline at end of file
#APNSCP_HOME={{ apnscp_root }}
# Default apnscp update policy.
# Refer to apnscp-vars in resources/playbooks
APNSCP_UPDATE_POLICY=edge
\ No newline at end of file
......@@ -33,7 +33,14 @@
dest: "{{ apnscp_update_cron }}"
mode: 0755
force: true
when: apnscp_nightly_update | bool
when: (apnscp_nightly_update | bool) and apnscp_update_policy != false
- name: Disable apnscp nightly updates
file: path={{ apnscp_update_cron }} state=absent
when: not apnscp_nightly_update | bool
\ No newline at end of file
when: not (apnscp_nightly_update | bool) or apnscp_update_policy == false
- name: Set apnscp update policy
ini_file:
path: /etc/sysconfig/apnscp
no_extra_spaces: yes
section: null
option: APNSCP_UPDATE_POLICY
value: "{{ (apnscp_update_policy != false) | ternary(apnscp_update_policy, '')}}"
\ No newline at end of file
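Review bot: Both new `when:` expressions and the `value:` template compare `apnscp_update_policy != false` / `== false`, which only matches a real YAML boolean; if the variable arrives as the string "false" (the description says it can now be set with `cpcmd config_set`), the comparison is true, the cron stays installed and APNSCP_UPDATE_POLICY is written as "false". Normalizing the type once makes all three consistent: `when: (apnscp_nightly_update | bool) and (apnscp_update_policy | string | lower) != 'false'`, `when: not (apnscp_nightly_update | bool) or (apnscp_update_policy | string | lower) == 'false'`, and `value: "{{ ((apnscp_update_policy | string | lower) != 'false') | ternary(apnscp_update_policy, '') }}"`. `no_extra_spaces: yes` in the ini_file task should be `true` for consistency with the surrounding `force: true`. The "Install apnscp nightly update cron" task this hunk belongs to starts above the hunk.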
......@@ -118,6 +118,7 @@ oneshot_files:
- {file: /etc/services }
- {file: /etc/shells }
- {file: /etc/skel }
- {file: /etc/sudoers }
- {file: /etc/profile.d/lang.csh}
- {file: /etc/profile.d/lang.sh}
- {file: /etc/profile.d/256term.csh}
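Review bot: Adding `/etc/sudoers` to oneshot_files copies the host's sudoers into each site's filesystem template; the migration play in this commit strips the `%wheel` rule from the template for existing installs, but whether oneshot-files.yml does the same on a fresh install is not visible here and is worth confirming, since a hosted account member of wheel would otherwise inherit sudo inside its container. A short comment on the entry would record the intent, e.g. `# host default; %wheel access is stripped from the template`. The flow mapping `{file: /etc/sudoers }` also mixes a trailing space with the `}` style used on the profile.d lines below it.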
......
---
services:
- name: fsmount
files:
- src: fsmount.init
dest: /etc/systemd/user/fsmount.init
perm: "0755"
- src: fsmount.service
dest: /etc/systemd/system/fsmount.service
systemd:
state: started
- name: populate-tmp
files:
- src: fstmp.init
dest: /etc/systemd/user/fstmp.init
perm: "0755"
- src: populate-tmp.service
dest: /etc/systemd/system/populate-tmp.service
systemd:
state: started
- name: virtualcroncleanstate
files:
- src: virtualcroncleanstate.service
dest: /etc/systemd/system/virtualcroncleanstate.service
systemd:
state: stopped
- name: virtualcron
files:
- src: virtualcron.init
dest: /etc/systemd/user/virtualcron.init
perm: "0755"
- src: virtualcron.service
dest: /etc/systemd/system/virtualcron.service
systemd:
state: started
- name: virtualhosting
files:
- src: virtualhosting.init
dest: /etc/systemd/user/virtualhosting.init
perm: "0755"
- src: virtualhosting.service
dest: /etc/systemd/system/virtualhosting.service
systemd:
state: started
- name: rc-local
files:
- src: rc-local.service
dest: /etc/systemd/system/rc-local.service
systemd:
enabled: yes
state: started
- name: bwcron.timer
files:
- src: bwcron.timer
dest: /etc/systemd/system/bwcron.timer
perm: "0644"
- src: "{{ bwcron_service_file }}"
dest: /etc/systemd/system/bwcron.service
systemd:
state: started
# Handled otherwise by apnscp-update.cron
- name: apnscp-housekeeping.timer
files:
- src: apnscp-housekeeping.timer
dest: /etc/systemd/system/apnscp-housekeeping.timer
perm: "0644"
- src: "{{ apnscp_housekeeping_service_file }}"
dest: /etc/systemd/system/apnscp-housekeeping.service
systemd:
state: "{{ apnscp_nightly_update | bool | ternary('stopped', 'started') }}"
enabled: "{{ apnscp_nightly_update | bool | ternary('no', 'yes') }}"
templated_services:
- service: bwcron
template: bwcron.service.j2
- service: apnscp-housekeeping
template: apnscp-housekeeping.service.j2
\ No newline at end of file
......@@ -6,7 +6,6 @@
with_items: "{{ templated_services }}"
loop_control:
label: "Templating {{ item.service }}"
- include_vars: vars/main.yml
- name: "Install systemd services"
include_tasks: install-service.yml
vars:
......
---
services:
- name: fsmount
files:
- src: fsmount.init
dest: /etc/systemd/user/fsmount.init
perm: "0755"
- src: fsmount.service
dest: /etc/systemd/system/fsmount.service
systemd:
state: started
- name: populate-tmp
files:
- src: fstmp.init
dest: /etc/systemd/user/fstmp.init
perm: "0755"
- src: populate-tmp.service
dest: /etc/systemd/system/populate-tmp.service
systemd:
state: started
- name: virtualcroncleanstate
files:
- src: virtualcroncleanstate.service
dest: /etc/systemd/system/virtualcroncleanstate.service
systemd:
state: stopped
- name: virtualcron
files:
- src: virtualcron.init
dest: /etc/systemd/user/virtualcron.init
perm: "0755"
- src: virtualcron.service
dest: /etc/systemd/system/virtualcron.service
systemd:
state: started
- name: virtualhosting
files:
- src: virtualhosting.init
dest: /etc/systemd/user/virtualhosting.init
perm: "0755"
- src: virtualhosting.service
dest: /etc/systemd/system/virtualhosting.service
systemd:
state: started
- name: rc-local
files:
- src: rc-local.service
dest: /etc/systemd/system/rc-local.service
systemd:
enabled: yes
state: started
- name: bwcron.timer
files:
- src: bwcron.timer
dest: /etc/systemd/system/bwcron.timer
perm: "0644"
- src: "{{ bwcron_service_file }}"
dest: /etc/systemd/system/bwcron.service
systemd:
state: started
# Handled otherwise by apnscp-update.cron
- name: apnscp-housekeeping.timer
files:
- src: apnscp-housekeeping.timer
dest: /etc/systemd/system/apnscp-housekeeping.timer
perm: "0644"
- src: "{{ apnscp_housekeeping_service_file }}"
dest: /etc/systemd/system/apnscp-housekeeping.service
systemd:
state: "{{ apnscp_nightly_update | bool | ternary('stopped', 'started') }}"
enabled: "{{ apnscp_nightly_update | bool | ternary('no', 'yes') }}"
templated_services:
- service: bwcron
template: bwcron.service.j2
- service: apnscp-housekeeping
template: apnscp-housekeeping.service.j2
\ No newline at end of file
......@@ -24,19 +24,40 @@
- name: Restart postgresql
systemd: state=restarted name=postgresql
listen: Restart services
- name: Restart redis
systemd: state=restarted name=redis
- name: Reload firewalld
command: /bin/firewall-cmd --reload
- name: Reload fail2ban
systemd: state=reloaded name=fail2ban enabled=yes
- name: Restart spamassassin
block:
- command: rpm -q spamassassin
ignore_errors: true
register: sa_present
- systemd: state=restarted name=spamassassin
when: sa_present.rc == 0
- command: rpm -q spamassassin
args:
warn: false
failed_when: false
changed_when: false
register: sa_present
listen: Restart spamassassin
- systemd: state=restarted name=spamassassin enabled=yes
when: sa_present.rc == 0
listen: Restart spamassassin
- command: rpm -q rspamd
args:
warn: false
changed_when: false
failed_when: false
register: rspamd_present
listen: Restart rspamd
- systemd: state=restarted name=rspamd enabled=yes
when: rspamd_present.rc == 0
listen: Restart rspamd
- name: Restart postfix
systemd: state=restarted name=postfix enabled=yes
- name: Restart postsrsd
systemd: state=restarted name=postsrsd enabled=yes
- name: Restart fail2ban
systemd: state=restarted name=fail2ban enabled=yes
- name: Restart sshd
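Review bot: The new spamassassin and rspamd handlers carry `listen:` but no `name:`, so play output shows only "command" and "systemd" and a later `notify:` cannot address them individually; a `name:` per handler (e.g. `- name: Check rspamd present` and `- name: Restart rspamd service`) keeps the listen topic and makes the output readable. `enabled=yes` in the systemd key=value strings is fine for the module but reads inconsistently next to `changed_when: false`; `enabled=true` would match. The handler list continues below the hunk.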
......
......@@ -12,16 +12,4 @@
include_vars: file="{{ item }}" name=customdiff
with_first_found:
- "{{ apnscp_last_run_vars }}"
- /dev/null
- name: Update apnscp-vars with --extra-vars overrides
set_fact:
customdiff: "{{ customdiff|default({}) | combine({item: hostvars[inventory_hostname][item]}) }}"
with_items: "{{ hostvars[inventory_hostname] | intersect(original)}}"
when: item not in custom or hostvars[inventory_hostname][item] != custom[item]
loop_control:
label: "Setting {{ item }} => {{ hostvars[inventory_hostname][item] }}"
- name: Save apnscp-vars state
copy:
dest: "{{ apnscp_last_run_vars }}"
content: "{{ customdiff | default({}) | to_nice_yaml(indent=4) }}"
when: customdiff
\ No newline at end of file
- /dev/null
\ No newline at end of file
......@@ -3,7 +3,10 @@
# Don't change below here #
####################################
DEV_TAG: ">>> DEVELOPMENT PLAY ONLY - REMOVE BEFORE FLIGHT <<<"
apnscp_release_repo: https://gitlab.com/apisnetworks/apnscp.git
apnscp_last_run_vars: /root/apnscp-vars-runtime.yml
# SRS - reformatting forwarded email
postsrsd_enabled: "{{ mail_enabled | bool }}"
# Restrict last/lastlog usage
wtmp_limit_snooping: true
# Enable apnscp testing repo
......@@ -43,7 +46,8 @@ rbenv_usergems_version: ad2fd08
ftp_enabled: yes
# Maximum PASV port when user_daemons disabled. Supports up to 10 concurrent transfers
pasv_max_port: 40010
# Enable outgoing filtering with rspamd - experimental
rspamd_enabled: false
# Use SpamAssassin or rspamd for spam filtering. rspamd is experimental
spamassassin_enabled: yes
# apnscp is part of a multi-server environment
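Review bot: The new comment above `spamassassin_enabled: yes` says "Use SpamAssassin or rspamd", but the variable that chose rspamd (`rspamd_enabled`) is removed in this hunk and the mail/configure-postfix change elsewhere in this commit keys on a `spamfilter` value that is not defined in any visible hunk. If `spamfilter` is defined in another file, the comment should name it so a reader knows where the choice is made, e.g. `# Use SpamAssassin or rspamd for spam filtering (selected via spamfilter). rspamd is experimental`. `spamassassin_enabled: yes` and `ftp_enabled: yes` are pre-existing, but `true` is the canonical form used by the other new booleans in this file.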
......
......@@ -7,7 +7,6 @@
- name: Add tomcat system user
user:
name: tomcat
system: yes
update_password: on_create
shell: /sbin/nologin
home: /opt/tomcat
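Review bot: The hunk header records one removed line among the seven shown, but the rendering lost the marker, so it is not possible to tell from the page whether `system: yes` or `update_password: on_create` was dropped. If it is `system: yes`, the task named "Add tomcat system user" would start creating tomcat with a regular UID range; `system: true` should stay for a service account. If it is `update_password: on_create`, a short commit note explaining why would help, since that setting is what keeps reruns from touching the password.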
......
......@@ -3,6 +3,10 @@ aliases_file: /etc/aliases
postfix_conf_dir: /etc/postfix
# apnscp-specific lookup file for database configuration
postfix_control_file: "{{ postfix_conf_dir }}/mailboxes.cf"
# Allow unauthenticated relaying from 127.0.0.1
# See also StealCat malware
postfix_relay_mynetworks: false
postfix_sysuser: postfix
postfix_user: postfix
# Override to force a password otherwise randomly assigned
......@@ -17,4 +21,9 @@ template_files:
- postscreen_access.cidr.j2
- client_access.j2
- domains.cf.j2
postfix_inet_interfaces: "{{ mail_enabled | bool | ternary('all','loopback-only') }}"
\ No newline at end of file
postfix_inet_interfaces: "{{ mail_enabled | bool | ternary('all','loopback-only') }}"
postfix_mydomain: "{{ data_center_mode | bool | ternary(ansible_nodename, None) }}"
# PostSRS
postsrs_sender_map_port: 10001
postsrs_recipient_map_port: 10002
\ No newline at end of file
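Review bot: `postfix_mydomain: "{{ data_center_mode | bool | ternary(ansible_nodename, None) }}"` renders `None` as the string "None" under normal (non-native) Jinja templating, so outside data_center_mode the variable is not empty. If this value feeds the `config` dict handled by the new set-configuration.yml, its `default(false, true)` check sees a non-empty string and writes `mydomain = None` into main.cf; `ternary(ansible_nodename, '')` produces an empty value that the same check treats as "remove". The rest of the defaults file continues above this hunk.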
- name: Update aliases
command: /usr/sbin/postalias "{{ aliases_file }}"
\ No newline at end of file
# Install PostSRS
---
- name: Install postsrsd RPM
yum: name=postsrsd state=installed
- name: Enable postsrsd
systemd: name=postsrsd daemon_reload=yes state=started enabled=yes
- name: Set hostname for SRS
ini_file:
path: /etc/default/postsrsd
section: null
option: SRS_DOMAIN
value: "{{ srs_domain|default(ansible_fqdn) }}"
when: (data_center_mode | bool)
notify: Restart postsrsd
\ No newline at end of file
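Review bot: The "Set hostname for SRS" ini_file task does not set `no_extra_spaces`, so by default it writes `SRS_DOMAIN = value` into /etc/default/postsrsd; if that file is sourced as a shell or EnvironmentFile fragment, the spaces around `=` may not be accepted as an assignment. The crons task in this commit sets `no_extra_spaces: yes` for the equivalent edit of /etc/sysconfig/apnscp, so adding `no_extra_spaces: true` here keeps both consistent. A comment on the `when:` would also help, since outside data_center_mode SRS_DOMAIN stays at whatever the package ships, e.g. `# Outside data_center_mode the packaged SRS_DOMAIN default is kept`.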
---
- include_vars: "{{playbook_dir}}/roles/mail/maildir/defaults/main.yml"
- include_tasks: register-password.yml
- include_tasks: install-postsrs.yml
when: postsrsd_enabled
- name: Remove postsrsd
yum: name=postsrsd state=absent
when: not postsrsd_enabled
- name: Create Postfix user
postgresql_user:
name: "{{ postfix_user }}"
......@@ -19,29 +25,23 @@
mode: 0640
with_items: "{{ template_files }}"
notify: Restart postfix
- name: Set main.cf configuration
ini_file:
path: "{{ config_file }}"
section: null
option: "{{ item.key }}"
value: "{{ item.value }}"
- include_tasks: set-configuration.yml
with_dict: "{{ config }}"
notify: Restart postfix
vars:
notify: Restart postfix
loop_control:
label: "Set {{ item.key }} => {{ item.value }}"
- name: Create aliases
lineinfile:
path: "{{ aliases_file }}"
regexp: '^\s*{{ item.key }}\s*:'
line: '{{ item.key }}: {{ item.value }}'
state: present
include_tasks: manage-alias.yml
vars:
email: "{{ item.key }}"
destination: "{{ item.value }}"
with_dict:
site_blackhole: /dev/null
site_blackhole: >
{{ (spamfilter == 'rspamd') | ternary('rspamc learn_spam', '/dev/null') }}
"{{ apnscp_system_user }}": root
loop_control:
label: "Adding alias {{ item.key }} to {{ item.value }}"
register: lif
- name: Update aliases
command: /usr/sbin/postalias "{{ aliases_file }}"
when: lif.changed
- name: Check if sender transport creation necessary
stat: path="{{ postfix_conf_dir}}/sender_transport"
register: st
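Review bot: The new `site_blackhole` alias resolves to `rspamc learn_spam` when spamfilter is rspamd, but an aliases(5) right-hand side only runs a command when it starts with `|`; without it Postfix reads the value as addresses, not a pipe, and nothing is learned. The value should be `site_blackhole: >-` followed by `{{ (spamfilter == 'rspamd') | ternary('"|rspamc learn_spam"', '/dev/null') }}`, which also switches the folded scalar to `>-` so no trailing newline reaches manage-alias. Note that local(8) runs commands from a root-owned alias under `default_privs`, so that account needs access to the rspamd controller for the learn call to succeed. Separately, `when: postsrsd_enabled` in the first hunk tests a templated string value; `when: postsrsd_enabled | bool` (and `not (postsrsd_enabled | bool)` for the removal task) is the unambiguous form. The task list continues below this hunk.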
......
- name: "Manage alias {{ email }} => {{ destination }}"
lineinfile:
path: "{{ aliases_file }}"
regexp: '^\s*{{ email }}\s*:'
line: '{{ email }}: {{ destination }}'
state: '{{ destination | ternary("present", "absent") }}'
loop_control:
label: "Adding alias {{ email }} to {{ destination }}"
notify: Update aliases
\ No newline at end of file
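Review bot: `regexp: '^\s*{{ email }}\s*:'` inserts the alias name into a regular expression unescaped, so an `email` containing `.` or `+` matches more than intended; `regexp: '^\s*{{ email | regex_escape }}\s*:'` keeps the match literal. The `loop_control:` block has no effect on this task because it has no loop (the iteration now happens in the including task), so it can be dropped or the label moved to the `include_tasks` caller.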
- name: "{{ item.value | default(false, true) | ternary('Set', 'Remove') }} {{item.key}} => {{ item.value}} in {{ config_file }}"
ini_file:
path: "{{ config_file }}"
section: null
option: "{{ item.key }}"
value: "{{ item.value }}"
state: "{{ item.value | default(false, True) | ternary('present', 'absent') }}"
notify: "{{ notify | default(omit) }}"
\ No newline at end of file
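Review bot: `state: "{{ item.value | default(false, True) | ternary('present', 'absent') }}"` treats every falsy value as "remove the option", so a config entry whose legitimate value is `0` or `false` (Postfix uses `0` to mean unlimited for the size limits this commit touches) is deleted from main.cf instead of being set. Testing for absence explicitly avoids that: `state: "{{ (item.value is none or (item.value | string) == '') | ternary('absent', 'present') }}"`, with the same test in the task name in place of `default(false, true)`. `notify` is also a task keyword, and Ansible warns about variables using reserved names; a name such as `config_notify` for the value passed in by the caller would be safer.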