
postfix: use postfix-service-group instead of postfix-host

Fixes: main/infrastructure#218
keep-around/b4578807536f5a3164897b9eda50df9b0aa9ebdc
Loïc Dachary 1 year ago
committed by Loic Dachary
parent
commit
b457880753
Signed by: dachary GPG Key ID: 992D23B392F9E4F2
  1. 7
      docs/services/postfix.rst
  2. 6
      docs/user-guide.rst
  3. 4
      enough-before-playbook.yml
  4. 4
      inventory/firewall.yml
  5. 4
      inventory/services.yml
  6. 2
      playbooks/cloud/conftest.py
  7. 1
      playbooks/cloud/playbook.yml
  8. 2
      playbooks/enough/conftest.py
  9. 1
      playbooks/enough/playbook.yml
  10. 2
      playbooks/forum/conftest.py
  11. 1
      playbooks/forum/playbook.yml
  12. 2
      playbooks/gitlab/conftest.py
  13. 1
      playbooks/gitlab/playbook.yml
  14. 8
      playbooks/icinga/roles/icinga2/templates/services/mail.conf
  15. 7
      playbooks/pad/playbook.yml
  16. 4
      playbooks/postfix/inventory/services.yml
  17. 1
      playbooks/postfix/playbook.yml
  18. 2
      playbooks/postfix/postfix-client-playbook.yml
  19. 8
      playbooks/postfix/postfix-relay-playbook.yml
  20. 2
      playbooks/securedrop/conftest.py
  21. 1
      playbooks/securedrop/playbook.yml
  22. 4
      playbooks/wazuh/inventory/services.yml
  23. 4
      playbooks/weblate/inventory/services.yml
  24. 4
      playbooks/wekan/inventory/test-hosts.yml

7
docs/services/postfix.rst

@ -3,6 +3,13 @@
SMTP server
===========
The service is created on the host specified by the `--host` argument:
.. code::
$ enough --domain example.com service create --host postfix-host postfix
A SMTP server is running on each host. A service running on
`some-host.example.com` can use the SMTP server as follows:

6
docs/user-guide.rst

@ -71,11 +71,6 @@ be created by Enough:
enough --domain example.com service create bind
.. note::
Other hosts are created such as ``postfix-host`` or ``icinga-host`` because
they are part of the core services that Enough needs. They however do not
require manual intervention.
Upon successfull completion, a machine named ``bind-host`` exists and
its public IP must be used as a `GLUE record
<https://en.wikipedia.org/wiki/Glue_record>`__.
@ -87,7 +82,6 @@ its public IP must be used as a `GLUE record
| ID | Name | Status | Networks | Image | Flavor |
+---------------+--------------+--------+-----------------------+-----------+--------+
| e4f50405-f58b | icinga-host | ACTIVE | Ext-Net=51.178.60.119 | Debian 10 | s1-2 |
| 75610dd4-eba7 | postfix-host | ACTIVE | Ext-Net=51.178.60.120 | Debian 10 | s1-2 |
| 2b9a1bda-c2c0 | bind-host | ACTIVE | Ext-Net=51.178.60.121 | Debian 10 | s1-2 |
+---------------+--------------+--------+-----------------------+-----------+--------+

4
enough-before-playbook.yml

@ -4,6 +4,7 @@
- import_playbook: "{{ '$SHARE_DIR/playbooks/infrastructure/encrypted-volume-playbook.yml' | expandvars }}"
- import_playbook: "{{ '$SHARE_DIR/playbooks/firewall/firewall-playbook.yml' | expandvars }}"
- import_playbook: "{{ '$SHARE_DIR/playbooks/wazuh/wazuh-firewall-playbook.yml' | expandvars }}"
when: (groups['wazuh-service-group'] | length) > 0
- import_playbook: "{{ '$SHARE_DIR/playbooks/misc/sexy-debian-playbook.yml' | expandvars }}"
- import_playbook: "{{ '$SHARE_DIR/playbooks/misc/sshd-playbook.yml' | expandvars }}"
- import_playbook: "{{ '$SHARE_DIR/playbooks/bind/bind-playbook.yml' | expandvars }}"
@ -14,5 +15,8 @@
- import_playbook: "{{ '$SHARE_DIR/playbooks/icinga/monitor-external-ressources-playbook.yml' | expandvars }}"
- import_playbook: "{{ '$SHARE_DIR/playbooks/bind/bind-monitoring-playbook.yml' | expandvars }}"
- import_playbook: "{{ '$SHARE_DIR/playbooks/postfix/postfix-playbook.yml' | expandvars }}"
when: (groups['postfix-service-group'] | length) > 0
- import_playbook: "{{ '$SHARE_DIR/playbooks/wazuh/wazuh-manager-playbook.yml' | expandvars }}"
when: (groups['wazuh-service-group'] | length) > 0
- import_playbook: "{{ '$SHARE_DIR/playbooks/wazuh/wazuh-agent-playbook.yml' | expandvars }}"
when: (groups['wazuh-service-group'] | length) > 0

4
inventory/firewall.yml

@ -5,8 +5,8 @@ firewall_ssh_server_group:
# postfix
firewall_postfix_server_group:
hosts:
postfix-host:
children:
postfix-service-group:
firewall_postfix_client_group:
children:

4
inventory/services.yml

@ -23,8 +23,7 @@ bind-client-group:
all-hosts:
postfix-service-group:
hosts:
postfix-host:
hosts: {}
postfix-service-hosts:
children:
@ -87,6 +86,7 @@ weblate-service-group:
weblate-service-hosts:
children:
weblate-service-group:
postfix-service-group:
essential-service-group:
packages-service-group:

2
playbooks/cloud/conftest.py

@ -3,7 +3,7 @@ def pytest_addoption(parser):
"--enough-hosts",
action="store",
default="bind-host,postfix-host,icinga-host,cloud-host",
default="bind-host,icinga-host,cloud-host",
help="list of hosts"
)
parser.addoption(

1
playbooks/cloud/playbook.yml

@ -6,6 +6,5 @@
- import_playbook: ../bind/bind-playbook.yml
- import_playbook: ../bind/bind-client-playbook.yml
- import_playbook: ../icinga/icinga-playbook.yml
- import_playbook: ../postfix/postfix-playbook.yml
- import_playbook: cloud-playbook.yml
- import_playbook: ../enough/enough-playbook.yml

2
playbooks/enough/conftest.py

@ -3,7 +3,7 @@ def pytest_addoption(parser):
"--enough-hosts",
action="store",
default="bind-host,postfix-host,icinga-host,cloud-host",
default="bind-host,icinga-host,cloud-host",
help="list of hosts"
)
parser.addoption(

1
playbooks/enough/playbook.yml

@ -6,5 +6,4 @@
- import_playbook: ../bind/bind-playbook.yml
- import_playbook: ../bind/bind-client-playbook.yml
- import_playbook: ../icinga/icinga-playbook.yml
- import_playbook: ../postfix/postfix-playbook.yml
- import_playbook: enough-playbook.yml

2
playbooks/forum/conftest.py

@ -3,7 +3,7 @@ def pytest_addoption(parser):
"--enough-hosts",
action="store",
default="bind-host,postfix-host,icinga-host,forum-host",
default="bind-host,icinga-host,forum-host",
help="list of hosts"
)
parser.addoption(

1
playbooks/forum/playbook.yml

@ -6,5 +6,4 @@
- import_playbook: ../bind/bind-playbook.yml
- import_playbook: ../bind/bind-client-playbook.yml
- import_playbook: ../icinga/icinga-playbook.yml
- import_playbook: ../postfix/postfix-playbook.yml
- import_playbook: forum-playbook.yml

2
playbooks/gitlab/conftest.py

@ -3,7 +3,7 @@ def pytest_addoption(parser):
"--enough-hosts",
action="store",
default="bind-host,postfix-host,icinga-host,runner-host,gitlab-host",
default="bind-host,icinga-host,runner-host,gitlab-host",
help="list of hosts"
)
parser.addoption(

1
playbooks/gitlab/playbook.yml

@ -7,6 +7,5 @@
- import_playbook: ../bind/bind-playbook.yml
- import_playbook: ../bind/bind-client-playbook.yml
- import_playbook: ../icinga/icinga-playbook.yml
- import_playbook: ../postfix/postfix-playbook.yml
- import_playbook: gitlab-playbook.yml
- import_playbook: gitlab-ci-playbook.yml

8
playbooks/icinga/roles/icinga2/templates/services/mail.conf

@ -42,13 +42,15 @@ apply Service "Check local smtp service" {
assign where host.address
}
{% if (groups['postfix-service-group'] | length) > 0 %}
apply Service "Check smtp relay service" {
import host.vars.service_template
check_command = "ssmtp"
command_endpoint = host.vars.client_endpoint
vars.ssmtp_address = "postfix-host.{{ domain }}"
vars.ssmtp_address = "{{ groups['postfix-service-group'][0] }}.{{ domain }}"
assign where host.address
}
@ -59,10 +61,12 @@ apply Service "Check smtps TLS certificate" {
check_command = "ssl"
command_endpoint = NodeName
vars.ssl_address = "postfix-host.{{ domain }}"
vars.ssl_address = "{{ groups['postfix-service-group'][0] }}.{{ domain }}"
vars.ssl_port = 465
vars.ssl_cert_valid_days_warn = 21
vars.ssl_cert_valid_days_critical = 14
assign where host.vars.postfix_relay == true
}
{% endif %}
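Review bot: The "Check smtps TLS certificate" service is assigned once per relay host (`assign where host.vars.postfix_relay == true`) but every instance probes `{{ groups['postfix-service-group'][0] }}.{{ domain }}`, so with more than one host in the group a second relay's expiring certificate is never checked. Binding the address to the host the service is applied to, e.g. `vars.ssl_address = host.address`, would keep each check on its own relay, provided the Icinga host objects carry the relay's reachable address (that is defined outside this template). The `[0]` in "Check smtp relay service" is correct as written: it must match the relay that clients are configured to use in postfix-client-playbook.yml. Both index lookups are only safe because of the surrounding `{% if (groups['postfix-service-group'] | length) > 0 %}` guard; keep that guard whenever this block is reworked.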

7
playbooks/pad/playbook.yml

@ -6,4 +6,11 @@
- import_playbook: ../bind/bind-playbook.yml
- import_playbook: ../bind/bind-client-playbook.yml
- import_playbook: ../icinga/icinga-playbook.yml
#
# the following is intended to test the when expression used
# in ../../enough-playbook.yml
# there no need for postfix in the pad
#
- import_playbook: ../postfix/postfix-playbook.yml
when: (groups['postfix-service-group'] | length) > 0
- import_playbook: pad-playbook.yml
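Review bot: The explanatory comment has a typo and a grammatical slip: `# there no need for postfix in the pad` should read `# there is no need for postfix in the pad`, and the reference `../../enough-playbook.yml` appears to mean the `enough-before-playbook.yml` in which the same `when:` guard lives — confirm the intended file name before fixing the comment.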

4
playbooks/postfix/inventory/services.yml

@ -0,0 +1,4 @@
---
postfix-service-group:
hosts:
postfix-host:

1
playbooks/postfix/playbook.yml

@ -7,3 +7,4 @@
- import_playbook: ../icinga/icinga-playbook.yml
- import_playbook: ../icinga/test-icinga-playbook.yml
- import_playbook: postfix-playbook.yml
when: (groups['postfix-service-group'] | length) > 0

2
playbooks/postfix/postfix-client-playbook.yml

@ -17,7 +17,7 @@
- role: debops.postfix
postfix__mailname: '{{ domain }}'
postfix__fqdn: '{{ inventory_hostname }}.{{ domain }}'
postfix__relayhost: '[postfix-host.{{ domain }}]:465'
postfix__relayhost: "[{{ groups['postfix-service-group'][0] }}.{{ domain }}]:465"
postfix__maincf:
- name: 'mynetworks'
value: [ '172.0.0.0/8', '{{ ansible_host }}/32' ]
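Review bot: `postfix__relayhost` now indexes `groups['postfix-service-group'][0]`, which fails to render when the group is empty (the inventory defines it as `hosts: {}`), so the play aborts rather than producing a client without a relay. The other consumers guard the lookup — mail.conf with `{% if (groups['postfix-service-group'] | length) > 0 %}`, enough-before-playbook.yml with `when: (groups['postfix-service-group'] | length) > 0` — but this play's header and its importer are outside the hunk, so whether it is reached with an empty group cannot be verified here; if it can be, the same `when:` guard belongs on the import or on the play. Unrelated to the rename but on the new side: the `mynetworks` value `'172.0.0.0/8'` covers a public /8, not only the private 172.16.0.0/12 range, so any host in that block that can reach the client's SMTP listener is trusted to relay; whether that is exposed depends on `inet_interfaces` and the firewall role, neither visible here, so it is worth confirming the intended range.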

8
playbooks/postfix/postfix-relay-playbook.yml

@ -15,7 +15,7 @@
become: false
- role: certificate
certificate_fqdn: "postfix-host.{{ domain }}"
certificate_fqdn: "{{ groups['postfix-service-group'][0] }}.{{ domain }}"
become: true
- role: firewall
@ -69,13 +69,13 @@
of a publicly-referenced Postfix SMTP server.
section: 'smtpd-tls'
- name: 'smtpd_tls_cert_file'
value: '/etc/certificates/postfix-host.{{ domain }}.crt'
value: "/etc/certificates/{{ groups['postfix-service-group'][0] }}.{{ domain }}.crt"
section: 'smtpd-tls'
- name: 'smtpd_tls_key_file'
value: '/etc/certificates/postfix-host.{{ domain }}.key'
value: "/etc/certificates/{{ groups['postfix-service-group'][0] }}.{{ domain }}.key"
section: 'smtpd-tls'
- name: 'smtpd_tls_CAfile'
value: '/etc/certificates/postfix-host.{{ domain }}.chain.crt'
value: "/etc/certificates/{{ groups['postfix-service-group'][0] }}.{{ domain }}.chain.crt"
section: 'smtpd-tls'
postfix__maincf: "{{ base__maincf + TLS__maincf }}"
postfix__restrictions_maincf: [ ]
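Review bot: `certificate_fqdn` and the three `smtpd_tls_*` file paths are derived from `groups['postfix-service-group'][0]` rather than from the host the play runs on, so if the group ever holds more than one host every relay would request and serve a certificate for the first host's name and the paths would point at a certificate that host may not have. If the play targets the group's own hosts (the `hosts:` line is outside the hunk), `certificate_fqdn: "{{ inventory_hostname }}.{{ domain }}"` and the same substitution in the three `value:` lines keep each relay tied to its own certificate, matching how postfix-client-playbook.yml already builds `postfix__fqdn` from `inventory_hostname`. The `[0]` form is still the right choice on the client side, where the lookup must name the relay to connect to.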

2
playbooks/securedrop/conftest.py

@ -3,7 +3,7 @@ def pytest_addoption(parser):
"--enough-hosts",
action="store",
default="bind-host,postfix-host,icinga-host,securedrop-host",
default="bind-host,icinga-host,securedrop-host",
help="list of hosts"
)
parser.addoption(

1
playbooks/securedrop/playbook.yml

@ -6,5 +6,4 @@
- import_playbook: ../bind/bind-playbook.yml
- import_playbook: ../bind/bind-client-playbook.yml
- import_playbook: ../icinga/icinga-playbook.yml
- import_playbook: ../postfix/postfix-playbook.yml
- import_playbook: securedrop-playbook.yml

4
playbooks/wazuh/inventory/services.yml

@ -2,3 +2,7 @@
wazuh-service-group:
hosts:
wazuh-host:
postfix-service-group:
hosts:
postfix-host:

4
playbooks/weblate/inventory/services.yml

@ -0,0 +1,4 @@
---
postfix-service-group:
hosts:
postfix-host:

4
playbooks/wekan/inventory/test-hosts.yml

@ -10,3 +10,7 @@ firewall_web_server_group:
wekan-service-group:
hosts:
wekan-host:
postfix-service-group:
hosts:
postfix-host:
