diff options
24 files changed, 343 insertions, 0 deletions
diff --git a/roles/mailman/files/dump_mailman.sh b/roles/mailman/files/dump_mailman.sh new file mode 100644 index 0000000..4626e31 --- /dev/null +++ b/roles/mailman/files/dump_mailman.sh @@ -0,0 +1,10 @@ +#!/bin/bash +DIR=/var/backups/mailman/ +[ -d $DIR ] || mkdir -p $DIR + +for i in $(/usr/lib/mailman/bin/list_lists -b); do + for j in admins members owners; do + /usr/lib/mailman/bin/list_${j} > $DIR/${i}.${j} + done + /usr/lib/mailman/bin/config_list -o $DIR/${i}.config ${i} +done diff --git a/roles/mailman/files/fix_ansible.conf b/roles/mailman/files/fix_ansible.conf new file mode 100644 index 0000000..036fa8e --- /dev/null +++ b/roles/mailman/files/fix_ansible.conf @@ -0,0 +1,5 @@ +[Service] +ExecStop= +ExecStop=/usr/lib/mailman/bin/mailman-update-cfg +ExecStop=/usr/lib/mailman/bin/mailmanctl stop +ExecStop=/bin/sh -c 'echo -e "# Master copy is /usr/lib/mailman/cron/crontab.in" > /etc/cron.d/mailman' diff --git a/roles/mailman/files/update_templates_mailman.sh b/roles/mailman/files/update_templates_mailman.sh new file mode 100644 index 0000000..1e954ce --- /dev/null +++ b/roles/mailman/files/update_templates_mailman.sh @@ -0,0 +1,16 @@ +#!/bin/bash +GIT_URL=$1 +CACHE_DIR=/var/cache/mailman_templates + +if [ ! -d $CACHE_DIR ]; then + git clone $GIT_URL /var/cache/mailman_templates + cd $CACHE_DIR +else + cd $CACHE_DIR + # on EL6, git is not respecting -q, unlike Fedora + git pull --rebase -q >/dev/null +fi +cp -R * /var/lib/mailman/lists/ +rm -f /var/lib/mailman/lists/README.md +chown -R apache:mailman /var/lib/mailman/lists/ + diff --git a/roles/mailman/handlers/main.yml b/roles/mailman/handlers/main.yml new file mode 100644 index 0000000..2995857 --- /dev/null +++ b/roles/mailman/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: restart mailman + service: name=mailman state=restarted + +- name: update mailman aliases + command: postalias {{ item }} + with_items: + - /etc/postfix/aliases.mailman + - /etc/postfix/aliases.mailman_default diff --git a/roles/mailman/meta/main.yml b/roles/mailman/meta/main.yml new file mode 100644 index 0000000..e949ef9 --- /dev/null +++ b/roles/mailman/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: +- { role: postfix } +- { role: httpd, custom_vhost: yes } + diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml new file mode 100644 index 0000000..e5b78da --- /dev/null +++ b/roles/mailman/tasks/main.yml @@ -0,0 +1,36 @@ +--- +- yum: name={{ item }} state=installed + with_items: + - mailman + - git + - pwgen + +- command: creates=/var/lib/mailman/lists/mailman /usr/lib/mailman/bin/newlist -q mailman root@{{ ansible_domain }} {{ mailman_pass }} + +# +# this is a ugly work around for https://github.com/ansible/ansible-modules-core/issues/127 +- file: name=/etc/systemd/system/mailman.service.d/ state=directory + when: ansible_distribution == 'Fedora' or ansible_distribution_major_version == '7' + +- copy: mode=0644 src=fix_ansible.conf dest=/etc/systemd/system/mailman.service.d/fix_ansible_bug.conf + when: ansible_distribution == 'Fedora' or ansible_distribution_major_version == '7' + +- template: src=mm_cfg.py dest=/etc/mailman/mm_cfg.py + +- service: name=mailman state=started enabled=yes + +- template: src=aliases dest=/etc/postfix/aliases.mailman_default + notify: update mailman aliases + + +- template: src=vhost.conf dest=/etc/httpd/conf.d/{{ website_url | default( ansible_hostname ) }}.conf + notify: restart httpd + +- copy: mode=0755 src=update_templates_mailman.sh dest=/usr/local/bin/update_templates_mailman.sh + +- cron: name="update mailman {{ mailman_git }}" job="/usr/local/bin/update_templates_mailman.sh {{ mailman_git }}" minute="*/5" + when: mailman_git is defined + +- copy: mode=0755 src=dump_mailman.sh dest=/usr/local/bin/dump_mailman.sh + +- cron: name="dump mailman" job=/usr/local/bin/dump_mailman.sh hour=3 minute=30 diff --git a/roles/mailman/templates/aliases b/roles/mailman/templates/aliases new file mode 100644 index 0000000..9fbf58f --- /dev/null +++ b/roles/mailman/templates/aliases @@ -0,0 +1,12 @@ +## default list +mailman: "|/usr/lib/mailman/mail/mailman post mailman" +mailman-admin: "|/usr/lib/mailman/mail/mailman admin mailman" +mailman-bounces: "|/usr/lib/mailman/mail/mailman bounces mailman" +mailman-confirm: "|/usr/lib/mailman/mail/mailman confirm mailman" +mailman-join: "|/usr/lib/mailman/mail/mailman join mailman" +mailman-leave: "|/usr/lib/mailman/mail/mailman leave mailman" +mailman-owner: "|/usr/lib/mailman/mail/mailman owner mailman" +mailman-request: "|/usr/lib/mailman/mail/mailman request mailman" +mailman-subscribe: "|/usr/lib/mailman/mail/mailman subscribe mailman" +mailman-unsubscribe: "|/usr/lib/mailman/mail/mailman unsubscribe mailman" + diff --git a/roles/mailman/templates/mm_cfg.py b/roles/mailman/templates/mm_cfg.py new file mode 100644 index 0000000..539234a --- /dev/null +++ b/roles/mailman/templates/mm_cfg.py @@ -0,0 +1,12 @@ +# -*- python -*- + +from Defaults import * +import pwd, grp + +MAILMAN_UID = pwd.getpwnam('mailman')[2] +MAILMAN_GID = grp.getgrnam('mailman')[2] + +DEFAULT_URL_HOST = "{{ mailman_webinterface }}" +DEFAULT_EMAIL_HOST = "{{ mailman_prefix }}" + +add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST) diff --git a/roles/mailman/templates/vhost.conf b/roles/mailman/templates/vhost.conf new file mode 100644 index 0000000..bd2f01e --- /dev/null +++ b/roles/mailman/templates/vhost.conf @@ -0,0 +1,14 @@ +{% for i in '80', '443' %} +<VirtualHost *:{{ i }}> + + <Directory /usr/lib/mailman/cgi-bin/> + DirectoryIndex listinfo + </Directory> + + RedirectMatch ^/$ /mailman/ + + RedirectMatch ^/mailman[/]*$ /mailman/listinfo + ServerName {{ website_url | default( ansible_hostname ) }} + +</VirtualHost> +{% endfor %} diff --git a/roles/mailman_lists/meta/main.yml b/roles/mailman_lists/meta/main.yml new file mode 100644 index 0000000..6eb9cb8 --- /dev/null +++ b/roles/mailman_lists/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: +- { role: mailman } + diff --git a/roles/mailman_lists/tasks/main.yml b/roles/mailman_lists/tasks/main.yml new file mode 100644 index 0000000..c9c1634 --- /dev/null +++ b/roles/mailman_lists/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- command: creates=/var/lib/mailman/lists/{{ item.name }} /usr/lib/mailman/bin/newlist {{ item.name }}@{{ mailman_prefix }} {{ item.owner | default( mailman_default_owner ) }} $(pwgen -1 14) + with_items: mailman_lists + +- template: src=aliases dest=/etc/postfix/aliases.mailman + notify: update mailman aliases diff --git a/roles/mailman_lists/templates/aliases b/roles/mailman_lists/templates/aliases new file mode 100644 index 0000000..7d83dd3 --- /dev/null +++ b/roles/mailman_lists/templates/aliases @@ -0,0 +1,13 @@ +{% for item in mailman_lists %} +## +{{ item.name }}: "|/usr/lib/mailman/mail/mailman post {{ item.name }}" +{{ item.name }}-admin: "|/usr/lib/mailman/mail/mailman admin {{ item.name }}" +{{ item.name }}-bounces: "|/usr/lib/mailman/mail/mailman bounces {{ item.name }}" +{{ item.name }}-confirm: "|/usr/lib/mailman/mail/mailman confirm {{ item.name }}" +{{ item.name }}-join: "|/usr/lib/mailman/mail/mailman join {{ item.name }}" +{{ item.name }}-leave: "|/usr/lib/mailman/mail/mailman leave {{ item.name }}" +{{ item.name }}-owner: "|/usr/lib/mailman/mail/mailman owner {{ item.name }}" +{{ item.name }}-request: "|/usr/lib/mailman/mail/mailman request {{ item.name }}" +{{ item.name }}-subscribe: "|/usr/lib/mailman/mail/mailman subscribe {{ item.name }}" +{{ item.name }}-unsubscribe: "|/usr/lib/mailman/mail/mailman unsubscribe {{ item.name }}" +{% endfor %} diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml new file mode 100644 index 0000000..4ce4f0a --- /dev/null +++ b/roles/postfix/defaults/main.yml @@ -0,0 +1,6 @@ +locals_users: [] +use_tls: True +use_sasl: False +use_local: False +postfix_key: /etc/pki/tls/private/postfix.key +postfix_cert: /etc/pki/tls/certs/postfix.pem diff --git a/roles/postfix/files/aliases b/roles/postfix/files/aliases new file mode 100644 index 0000000..3f03455 --- /dev/null +++ b/roles/postfix/files/aliases @@ -0,0 +1,5 @@ +# Basic system aliases -- these MUST be present. +# Ansible managed file, do not edit +# use postfix_aliases variable instead +mailer-daemon: postmaster +postmaster: root diff --git a/roles/postfix/files/smtpd.sasl.conf b/roles/postfix/files/smtpd.sasl.conf new file mode 100644 index 0000000..250057e --- /dev/null +++ b/roles/postfix/files/smtpd.sasl.conf @@ -0,0 +1,3 @@ +pwcheck_method: auxprop +auxprop_plugin: sasldb +mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml new file mode 100644 index 0000000..ad944ce --- /dev/null +++ b/roles/postfix/handlers/main.yml @@ -0,0 +1,15 @@ +--- +- name: rebuild aliases + command: newaliases + +- name: restart postfix + service: name=postfix state=restarted + +- name: update postfix aliases + command: postalias /etc/postfix/aliases.{{ item }} + with_items: + - local + - users + +- name: update postfix maps + command: postmap /etc/postfix/local_recipient diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml new file mode 100644 index 0000000..9fd4d61 --- /dev/null +++ b/roles/postfix/tasks/main.yml @@ -0,0 +1,75 @@ +--- +- yum: name={{ item }} state=installed + with_items: + - postfix + +- set_fact: use_sasl=True + when: sasl_user is defined and sasl_pass is defined + +- set_fact: use_tls=True + when: use_sasl == True + +- set_fact: use_local=True + when: local_users is defined + +- service: name=postfix state=started enabled=yes + +- template: dest=/etc/postfix/main.cf src=main.cf + notify: restart postfix + +- copy: dest=/etc/aliases src=aliases + notify: rebuild aliases + +- template: dest=/etc/postfix/aliases.{{ item }} src=aliases.{{ item }} + notify: update postfix aliases + with_items: + - users + - local + +- shell: lokkit -s {{ item }} + with_items: + - smtp + when: ansible_distribution_major_version == '6' and (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') + +- firewalld: service={{ item }} permanent=true state=enabled + with_items: + - smtp + when: ansible_distribution == 'Fedora' or ansible_distribution_major_version == '7' + +- shell: create={{ postfix_cert }} openssl req -x509 -newkey rsa:2048 -keyout {{ postfix_key }} -out {{ postfix_cert }} -days 3650 -nodes -subj '/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./OU=OSAS/CN={{ ansible_domain }}/emailAddress=postmaster@{{ ansible_domain }}' + when: use_tls +# TODO enforce proper permission on cert + selinux + +- group: name=mail + register: mail_group + +- user: name=nobody + register: nobody_user + when: use_local + +- file: state=directory path=/var/mail/discourse{{ item }} owner={{ nobody_user.uid }} group={{ mail_group.gid }} + with_items: + - / + - /cur + - /tmp + - /new + when: use_local + +- template: src={{ item }} dest=/etc/postfix/{{ item }} + notify: update postfix maps + with_items: + - local_recipient + when: use_local + + +- copy: src=smtpd.sasl.conf dest=/etc/sasl2/smtpd.conf + when: use_sasl +# TODO check if needed + notify: restart saslauthd + +- shell: echo {{ sasl_pass }} | saslpasswd2 -a smtpd -u {{ ansible_domain }} -c {{ sasl_user }} -p + when: use_sasl + +- file: path=/etc/sasldb2 owner=root group=mail mode=0640 + when: use_sasl + diff --git a/roles/postfix/templates/aliases.local b/roles/postfix/templates/aliases.local new file mode 100644 index 0000000..9b23aec --- /dev/null +++ b/roles/postfix/templates/aliases.local @@ -0,0 +1,4 @@ +{% for item in local_users %} +{{ item }}: /var/mail/{{ item }}/ +{% endfor %} + diff --git a/roles/postfix/templates/aliases.users b/roles/postfix/templates/aliases.users new file mode 100644 index 0000000..20ef480 --- /dev/null +++ b/roles/postfix/templates/aliases.users @@ -0,0 +1,5 @@ +{% for item in postfix_aliases %} +{{ item.alias }}: {% if item.mail is string %} {{ item.mail }} +{% else %} {{ item.mail |join(',') }} +{% endif %} +{% endfor %} diff --git a/roles/postfix/templates/local_recipient b/roles/postfix/templates/local_recipient new file mode 100644 index 0000000..39d554e --- /dev/null +++ b/roles/postfix/templates/local_recipient @@ -0,0 +1,4 @@ +{% for item in local_users %} +{{ item }} OK +{% endfor %} + diff --git a/roles/postfix/templates/main.cf b/roles/postfix/templates/main.cf new file mode 100644 index 0000000..22546d1 --- /dev/null +++ b/roles/postfix/templates/main.cf @@ -0,0 +1,76 @@ +queue_directory = /var/spool/postfix +command_directory = /usr/sbin +daemon_directory = /usr/libexec/postfix +data_directory = /var/lib/postfix +mail_owner = postfix + +inet_interfaces = all +inet_protocols = all + + +mydestination = $myhostname, + localhost.$mydomain, + localhost, + {{ ansible_domain }}, + {{ mailman_prefix | default('') }} + +unknown_local_recipient_reject_code = 550 + +# ALIAS DATABASE +# +# The alias_maps parameter specifies the list of alias databases used +# by the local delivery agent. The default list is system dependent. +# +# On systems with NIS, the default is to search the local alias +# database, then the NIS alias database. See aliases(5) for syntax +# details. +# +# If you change the alias database, run "postalias /etc/aliases" (or +# wherever your system stores the mail alias file), or simply run +# "newaliases" to build the necessary DBM or DB file. +# +# It will take a minute or so before changes become visible. Use +# "postfix reload" to eliminate the delay. +# +#alias_maps = dbm:/etc/aliases +alias_maps = hash:/etc/aliases, +{% if use_local == True %} + hash:/etc/postfix/aliases.local, +{% endif %} + hash:/etc/postfix/aliases.mailman_default, + hash:/etc/postfix/aliases.mailman, + hash:/etc/postfix/aliases.users + + +{% if use_local == True %} +local_recipient_maps = hash:/etc/postfix/local_recipient, $alias_maps +{% endif %} + +recipient_delimiter = + + + +debug_peer_level = 2 +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + ddd $daemon_directory/$process_name $process_id & sleep 5 + +{% if use_tls == True %} +smtpd_tls_cert_file={{ postfix_cert }} +smtpd_tls_key_file={{ postfix_key }} +smtpd_use_tls=yes +{% endif %} + +{% if use_sasl == True %} +smtpd_tls_auth_only = yes +smtpd_sasl_auth_enable = yes +smtpd_sasl_application_name = smtpd +smtpd_sasl_local_domain = {{ ansible_domain }} +{% endif %} + +smtp_use_tls = yes + +sendmail_path = /usr/sbin/sendmail.postfix +newaliases_path = /usr/bin/newaliases.postfix +mailq_path = /usr/bin/mailq.postfix +setgid_group = postdrop + diff --git a/roles/postfix/templates/virtual_gid b/roles/postfix/templates/virtual_gid new file mode 100644 index 0000000..62f452c --- /dev/null +++ b/roles/postfix/templates/virtual_gid @@ -0,0 +1 @@ +@{{ ansible_domain }} {{ mail_group.gid }} diff --git a/roles/postfix/templates/virtual_mailbox b/roles/postfix/templates/virtual_mailbox new file mode 100644 index 0000000..ced3f62 --- /dev/null +++ b/roles/postfix/templates/virtual_mailbox @@ -0,0 +1,5 @@ +# user@{{ ansible_domain }} user +{% for item in local_users %} +{{ item }}@{{ ansible_domain }} {{ item }} +{% endfor %} + diff --git a/roles/postfix/templates/virtual_uid b/roles/postfix/templates/virtual_uid new file mode 100644 index 0000000..8ac4140 --- /dev/null +++ b/roles/postfix/templates/virtual_uid @@ -0,0 +1,2 @@ +# @manageiq.org 97 +@{{ ansible_domain }} {{ dovecot_user.uid }} |