Merge branch 'unifysmtp'

2025-06-08 15:14:02 +02:00 · 2025-06-08 15:14:02 +02:00 · 0c33aa4c81
commit 0c33aa4c81
parent c652d4f2ee
19 changed files with 210 additions and 171 deletions
--- a/g00.rhizogen.es.eu.org.yaml
+++ b/g00.rhizogen.es.eu.org.yaml
@ -11,7 +11,8 @@
    - adminuser
    - default_user
    - ssh
-    - smtp_client
+    # - smtp_client
+    - smtp
    - sendmail_gpg
    - rkhunter
    - fail2ban
--- a/g01.rhizogen.es.eu.org.yaml
+++ b/g01.rhizogen.es.eu.org.yaml
@ -11,7 +11,8 @@
    - adminuser
    - default_user
    - ssh
-    - smtp_client
+    # - smtp_client
+    - smtp
    - sendmail_gpg
    - rkhunter
    - fail2ban
--- a/g02.rhizogen.es.eu.org.yaml
+++ b/g02.rhizogen.es.eu.org.yaml
@ -23,7 +23,8 @@
    - testuser
    - testuser_maildir
    - ssh
-    - smtp_mx
+    # - smtp_mx
+    - smtp
    - sendmail_gpg
    - rkhunter
    - fail2ban
--- a/g03.rhizogen.es.eu.org.yaml
+++ b/g03.rhizogen.es.eu.org.yaml
@ -11,7 +11,8 @@
    - adminuser
    - default_user
    - ssh
-    - smtp_client
+    # - smtp_client
+    - smtp
    - sendmail_gpg
    - rkhunter
    - fail2ban
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 323103b52004edff878a8230d2ae640195652ced
+Subproject commit 8031e2c636f7e3473418286a8047b089d3b0ab59
--- a/ks1.rhizogen.es.eu.org.yaml
+++ b/ks1.rhizogen.es.eu.org.yaml
@ -14,7 +14,8 @@
    - firstuser
    - firstuser_home
    - ssh
-    - smtp_client
+    # - smtp_client
+    - smtp
    - sendmail_gpg
    - rkhunter
    - fail2ban
--- a/ks2.rhizogen.es.eu.org.yaml
+++ b/ks2.rhizogen.es.eu.org.yaml
@ -14,7 +14,8 @@
    - firstuser
    - firstuser_home
    - ssh
-    - smtp_client
+    # - smtp_client
+    - smtp
    - sendmail_gpg
    - rkhunter
    - fail2ban
--- a/ov1.rhizogen.es.eu.org.yaml
+++ b/ov1.rhizogen.es.eu.org.yaml
@ -16,7 +16,8 @@
    - firstuser_home
    - firstuser_sync
    - ssh
-    - smtp_mx
+    # - smtp_mx
+    - smtp
    - sendmail_gpg
    - rkhunter
    - fail2ban
--- a/ov2.rhizogen.es.eu.org.yaml
+++ b/ov2.rhizogen.es.eu.org.yaml
@ -12,7 +12,8 @@
    - default_user
    - adminuser_home
    - ssh
-    - smtp_client
+    # - smtp_client
+    - smtp
    - sendmail_gpg
    - rkhunter
    - fail2ban
--- a/roles/smtp/tasks/main.yaml
+++ b/roles/smtp/tasks/main.yaml
@ -0,0 +1,4 @@
+---
+- name: Include role depending on mta type
+  ansible.builtin.include_role:
+    name: "smtp_{{ mta_type }}"
--- a/roles/smtp_client/tasks/client.yaml
+++ b/roles/smtp_client/tasks/client.yaml
@ -0,0 +1 @@
+---
--- a/roles/smtp_client/tasks/main.yaml
+++ b/roles/smtp_client/tasks/main.yaml
@ -1,13 +1,21 @@
 ---
- name: Template postfix config
+- name: Include mta-type-related tasks
+  ansible.builtin.include_tasks: "{{ mta_type }}.yaml"
+
+- name: Template postfix main config
  ansible.builtin.template:
-    src: postfix/main.cf_{{ ansible_os_family }}_{{ ansible_distribution_major_version }}_.j2
-    dest: /etc/postfix/main.cf
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: '0644'
  become: yes
  notify: restart_postfix
+  with_items:
+    - { src: 'postfix/main.cf_{{ mta_type }}_{{ mx_type }}_{{ ansible_os_family }}_{{ ansible_distribution_major_version }}_.j2', dest: '/etc/postfix/main.cf' }
+
+- name: Include mta-type-related servicecheck tasks
+  ansible.builtin.include_tasks: servicecheck-{{ mta_type }}.yaml

 - name: Make sure postfix is running
  ansible.builtin.service:
--- a/roles/smtp_client/tasks/servicecheck-client.yaml
+++ b/roles/smtp_client/tasks/servicecheck-client.yaml
@ -0,0 +1 @@
+---
--- a/roles/smtp_client/templates/postfix/main.cf_client_client_Debian_10_.j2
+++ b/roles/smtp_client/templates/postfix/main.cf_client_client_Debian_10_.j2
--- a/roles/smtp_client/templates/postfix/main.cf_client_client_Debian_11_.j2
+++ b/roles/smtp_client/templates/postfix/main.cf_client_client_Debian_11_.j2
--- a/roles/smtp_client/templates/postfix/main.cf_client_client_Debian_12_.j2
+++ b/roles/smtp_client/templates/postfix/main.cf_client_client_Debian_12_.j2
--- a/roles/smtp_mx/tasks/main.yaml
+++ b/roles/smtp_mx/tasks/main.yaml
@ -1,157 +1,8 @@
 ---
- name: Install dependencies for postfix MTA
-  ansible.builtin.package:
-    name:
-      - sasl2-bin
-      - libsasl2-modules
-      - postfix-policyd-spf-perl
-      - opendkim
-      - opendkim-tools
-      - procmail
-    state: present
-  become: yes
+- name: Include mta-type-related tasks
+  ansible.builtin.include_tasks: "{{ mta_type }}.yaml"

- name: Copy postfix certs
-  ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: postfix
-    mode: "{{ item.mode }}"
-  become: yes
-  notify: reload_postfix
-  with_items:
-    - { src: 'tls/certs/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.crt', dest: '{{ ca_path }}/certs/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.crt', mode: '0644' }
-
- name: Copy postfix keys
-  ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: postfix
-    mode: "{{ item.mode }}"
-  become: yes
-  notify: reload_postfix
-  with_items:
-    - { src: 'tls/private/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.key', dest: '{{ ca_path }}/private/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.key', mode: '0440' }
-  # dont show file content
-  diff: no
-  #no_log: true
-
- name: Copy postfix sender_access
-  ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  notify:
-    - postmap_senderaccess
-    - reload_postfix
-  with_items:
-    - { src: 'postfix/sender_access', dest: '/etc/postfix/sender_access' }
-
- name: Copy postfix header_checks
-  ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  notify: reload_postfix
-  with_items:
-    - { src: 'postfix/header_checks', dest: '/etc/postfix/header_checks' }
-
- name: Copy postfix virtual
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  notify: reload_postfix
-  with_items:
-    - { src: 'postfix/virtual.j2', dest: '/etc/postfix/virtual' }
-  # dont show file content
-  diff: no
-  #no_log: true
-
- name: Include mx-type-related tasks
-  ansible.builtin.include_tasks: mx-{{ mx_type }}.yaml
-
- name: Add user postfix to group opendkim
-  ansible.builtin.user:
-    name: postfix
-    groups: opendkim
-    append: yes
-  notify: restart_postfix
-  become: yes
-
- name: Create chroot for opendkim
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: directory
-    owner: "{{ item.owner }}"
-    group: "{{ item.group }}"
-    mode: '0771'
-  become: yes
-  notify:
-    - restart_opendkim
-    - restart_postfix
-  with_items:
-    - { path: '{{ opendkim_chroot }}', owner: 'root', group: 'opendkim' }
-
- name: Include mx-type-related opendkim tasks
-  ansible.builtin.include_tasks: mx-{{ mx_type }}_opendkim.yaml
-
- name: Create directory for opendkim service file customization
-  ansible.builtin.file:
-    path: /etc/systemd/system/opendkim.service.d/
-    state: directory
-    owner: root
-    group: root
-    mode: '0755'
-  become: yes
-  when: ansible_service_mgr == "systemd"
-
- name: Copy opendkim systemd service file
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  with_items:
-    - { src: 'systemd/system/opendkim.service.d/override.conf.j2', dest: '/etc/systemd/system/opendkim.service.d/override.conf' }
-  notify: daemonreload
-  when: ansible_service_mgr == "systemd"
-
- name: Template opendkim config
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  notify:
-    # reloading is not enough, we must restart
-    - restart_opendkim
-    - restart_postfix
-  with_items:
-    - { src: 'default/opendkim.j2', dest: '/etc/default/opendkim' }
-    - { src: 'opendkim.conf_{{ mta_type }}_{{ mx_type }}_.j2', dest: '/etc/opendkim.conf' }
-
- name: Include fail2ban conf for postfix
-  ansible.builtin.include_role:
-    name: fail2ban
-    tasks_from: postfix
-
- name: Template postfix master config
+- name: Template postfix main config
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
@ -162,14 +13,9 @@
  notify: restart_postfix
  with_items:
    - { src: 'postfix/main.cf_{{ mta_type }}_{{ mx_type }}_{{ ansible_os_family }}_{{ ansible_distribution_major_version }}_.j2', dest: '/etc/postfix/main.cf' }
-    - { src: 'postfix/master.cf_{{ mta_type }}_{{ mx_type }}_.j2', dest: '/etc/postfix/master.cf' }

- name: Make sure opendkim is running
-  ansible.builtin.service:
-    name: opendkim
-    enabled: yes
-    state: started
-  become: yes
+- name: Include mta-type-related servicecheck tasks
+  ansible.builtin.include_tasks: servicecheck-{{ mta_type }}.yaml

 - name: Make sure postfix is running
  ansible.builtin.service:
--- a/roles/smtp_mx/tasks/mx.yaml
+++ b/roles/smtp_mx/tasks/mx.yaml
@ -0,0 +1,164 @@
+---
+- name: Install dependencies for postfix MTA
+  ansible.builtin.package:
+    name:
+      - sasl2-bin
+      - libsasl2-modules
+      - postfix-policyd-spf-perl
+      - opendkim
+      - opendkim-tools
+      - procmail
+    state: present
+  become: yes
+
+- name: Copy postfix certs
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: postfix
+    mode: "{{ item.mode }}"
+  become: yes
+  notify: reload_postfix
+  with_items:
+    - { src: 'tls/certs/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.crt', dest: '{{ ca_path }}/certs/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.crt', mode: '0644' }
+
+- name: Copy postfix keys
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: postfix
+    mode: "{{ item.mode }}"
+  become: yes
+  notify: reload_postfix
+  with_items:
+    - { src: 'tls/private/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.key', dest: '{{ ca_path }}/private/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.key', mode: '0440' }
+  # dont show file content
+  diff: no
+  #no_log: true
+
+- name: Copy postfix sender_access
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  notify:
+    - postmap_senderaccess
+    - reload_postfix
+  with_items:
+    - { src: 'postfix/sender_access', dest: '/etc/postfix/sender_access' }
+
+- name: Copy postfix header_checks
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  notify: reload_postfix
+  with_items:
+    - { src: 'postfix/header_checks', dest: '/etc/postfix/header_checks' }
+
+- name: Copy postfix virtual
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  notify: reload_postfix
+  with_items:
+    - { src: 'postfix/virtual.j2', dest: '/etc/postfix/virtual' }
+  # dont show file content
+  diff: no
+  #no_log: true
+
+- name: Include mx-type-related tasks
+  ansible.builtin.include_tasks: mx-{{ mx_type }}.yaml
+
+- name: Add user postfix to group opendkim
+  ansible.builtin.user:
+    name: postfix
+    groups: opendkim
+    append: yes
+  notify: restart_postfix
+  become: yes
+
+- name: Create chroot for opendkim
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: '0771'
+  become: yes
+  notify:
+    - restart_opendkim
+    - restart_postfix
+  with_items:
+    - { path: '{{ opendkim_chroot }}', owner: 'root', group: 'opendkim' }
+
+- name: Include mx-type-related opendkim tasks
+  ansible.builtin.include_tasks: mx-{{ mx_type }}_opendkim.yaml
+
+- name: Create directory for opendkim service file customization
+  ansible.builtin.file:
+    path: /etc/systemd/system/opendkim.service.d/
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  become: yes
+  when: ansible_service_mgr == "systemd"
+
+- name: Copy opendkim systemd service file
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  with_items:
+    - { src: 'systemd/system/opendkim.service.d/override.conf.j2', dest: '/etc/systemd/system/opendkim.service.d/override.conf' }
+  notify: daemonreload
+  when: ansible_service_mgr == "systemd"
+
+- name: Template opendkim config
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  notify:
+    # reloading is not enough, we must restart
+    - restart_opendkim
+    - restart_postfix
+  with_items:
+    - { src: 'default/opendkim.j2', dest: '/etc/default/opendkim' }
+    - { src: 'opendkim.conf_{{ mta_type }}_{{ mx_type }}_.j2', dest: '/etc/opendkim.conf' }
+
+- name: Include fail2ban conf for postfix
+  ansible.builtin.include_role:
+    name: fail2ban
+    tasks_from: postfix
+
+- name: Template postfix master config
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  notify: restart_postfix
+  with_items:
+    - { src: 'postfix/master.cf_{{ mta_type }}_{{ mx_type }}_.j2', dest: '/etc/postfix/master.cf' }
--- a/roles/smtp_mx/tasks/servicecheck-mx.yaml
+++ b/roles/smtp_mx/tasks/servicecheck-mx.yaml
@ -0,0 +1,7 @@
+---
+- name: Make sure opendkim is running
+  ansible.builtin.service:
+    name: opendkim
+    enabled: yes
+    state: started
+  become: yes