From 02bb84f1f201bc907fc4e34789227a5c39ee0f5b Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 9 Aug 2020 12:00:39 +0200
Subject: [PATCH] Fix few deprecated options, add MX, update mail, remove AWS stuff and update commits
---
 .gitmodules | 9 +++++++++
 dev.yml | 2 +-
 dns.yml | 10 +++++++++-
 mail.yml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 monitoring.yml | 40 +++++-----------------------------------
 net.yml | 2 ++
 production | 3 +++
 roles/dovecot | 1 +
 roles/gitea | 2 +-
 roles/grafana | 2 +-
 roles/opendkim | 1 +
 roles/pleroma | 2 +-
 roles/postfix | 1 +
 roles/systemd | 2 +-
 roles/unbound | 2 +-
 roles/users | 2 +-
 roles/varnish | 2 +-
 17 files changed, 85 insertions(+), 44 deletions(-)
 create mode 100644 mail.yml
 create mode 160000 roles/dovecot
 create mode 160000 roles/opendkim
 create mode 160000 roles/postfix
diff --git a/.gitmodules b/.gitmodules
index 6e80588..00c1bed 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -94,3 +94,12 @@
 [submodule "roles/factorio"]
 path = roles/factorio
 url = https://git.redxen.eu/RedXen/ansible-factorio
+[submodule "roles/postfix"]
+ path = roles/postfix
+ url = https://git.redxen.eu/RedXen/ansible-postfix
+[submodule "roles/dovecot"]
+ path = roles/dovecot
+ url = https://git.redxen.eu/RedXen/ansible-dovecot
+[submodule "roles/opendkim"]
+ path = roles/opendkim
+ url = https://git.redxen.eu/RedXen/ansible-opendkim
diff --git a/dev.yml b/dev.yml
index 9d8d366..e7e03b8 100644
--- a/dev.yml
+++ b/dev.yml
@@ -3,7 +3,7 @@
 vars:
 systemd:
 services:
- - { name: "gitea", enabled: true, state: restarted }
+ - { name: "gitea", enabled: true, action: restarted }
 file:
 - { path: "{{ gitea.path.config }}", owner: "git", group: "git", mode: "770", state: directory }
 - { path: "{{ gitea.path.data }}", owner: "git", group: "git", mode: "770", state: directory }
diff --git a/dns.yml b/dns.yml
index 7a179ce..e6dc7c1 100644
--- a/dns.yml
+++ b/dns.yml
@@ -55,12 +55,17 @@
 TXT:
 - { name: "_amazonses.", content: "PAdK+hmtSCYH2lDwBdiCfJDxyhBj2UHJtwQzL7+kh50="}
 - { name: "", content: "brave-ledger-verification=1f77ffecf7da410af2f4eeb5953ae13c5ee9ddfdfed5cae63458e63003b97444" }
+ - { name: "", content: "v=spf1 a mx -all" }
+ - { name: "_DMARC.", content: "v=DMARC1; p=quarantine; rua=mailto:postmaster@redxen.eu; ruf=mailto:postmaster@redxen.eu; fo=1; pct=100" }
+ - { name: "mail._domainkey.", content: "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8PakBAIZxmAmqyukuwZT92I5gsM8rCD2o+abGbtXSgNCXcKEz+sWZ6kY/EAO5ABxihjyXaETsVTBuoYB514GqCFM9mZNRHHKS87rAE", content2: "/UcXUmgeydxPjqlRzEPxladjh2MhiQijT+XZzfyBVLdK9oYGPlol3VVKn48odiJIx4oRCdQhyiGTzkZGf6QMIJ5XwFqj66+Qv7OkyT6munKhFk974acL4MdL5H+LZwFAWYbRjx6j1zx3Hm7ua/EUHDcPYG6rFbJEwbyFvr1529u9H0OCn9fnIfzqMT+JEgKZRSgOWtK4jLuHcyrXTUkZzbmY8Eho+FxZszDEdvUmUQexKKQIDAQAB" }
 #- { name: "_acme-challenge.", content: "" }
 #- { name: "_acme-challenge.", content: "" }
 CNAME:
 - { name: "6jxdve2mevelrsc4lrp5ymhu2pku67v4._domainkey.", pointer: "6jxdve2mevelrsc4lrp5ymhu2pku67v4.dkim.amazonses.com" }
 - { name: "jqo2wv2wek7sh26vmc2tdzc4gdco6uou._domainkey.", pointer: "jqo2wv2wek7sh26vmc2tdzc4gdco6uou.dkim.amazonses.com" }
 - { name: "edzxe6qpinwhafgwlt6b44yarhhfn3xl._domainkey.", pointer: "edzxe6qpinwhafgwlt6b44yarhhfn3xl.dkim.amazonses.com" }
+ MX:
+ - { name: "", priority: 10, host: "mail.redxen.eu" }
 group:
 A:
 - { domain: "stats.", group: "frontend" }
@@ -68,9 +73,12 @@
 - { domain: "seed.", group: "frontend" }
 - { domain: "sd.", group: "frontend" }
 - { domain: "social.", group: "frontend" }
+ - { domain: "mail.", group: "mail" }
+ - { domain: "smtp.", group: "mail" }
+ - { domain: "imap.", group: "mail" }
 - { domain: "", group: "frontend" }
 roles:
- - file
+ #- file
 - apt
 #- nsd
 - unbound
diff --git a/mail.yml b/mail.yml
new file mode 100644
index 0000000..176d74b
--- /dev/null
+++ b/mail.yml
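Review bot: The new SPF record `v=spf1 a mx -all` authorises whatever the apex A record resolves to, and the second hunk maps the apex (`domain: ""`) to the whole `frontend` group, so every frontend host — not only the MX — may send as redxen.eu; unless those hosts actually relay mail, `v=spf1 mx -all` (or `v=spf1 a:mail.redxen.eu mx -all`) is the tighter record. The zone still carries the `_amazonses.` TXT and the three `*.dkim.amazonses.com` CNAMEs, so if anything continues to send through SES after the AWS removal it will now fail SPF under `-all` (it would need `include:amazonses.com`); if SES is really gone, those records should go with it. `p=quarantine` with `rua`/`ruf` aimed at postmaster is a reasonable start, but `ruf` failure reports can carry message content, so that mailbox should be restricted to administrators.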
@@ -0,0 +1,46 @@
+---
+- hosts: mail
+ vars:
+ apt:
+ packages:
+ - { package: "postfix", state: present }
+ - { package: "postfix-pcre", state: present }
+ - { package: "dovecot-core", state: present }
+ - { package: "dovecot-lmtpd", state: present }
+ - { package: "dovecot-imapd", state: present }
+ - { package: "dovecot-sieve", state: present }
+ - { package: "opendkim", state: present }
+ - { package: "opendkim-tools", state: present }
+ firewall:
+ - { port: 25, ipv: "v4", proto: "tcp" }
+ - { port: 25, ipv: "v6", proto: "tcp" }
+ - { port: 143, ipv: "v4", proto: "tcp" }
+ - { port: 143, ipv: "v6", proto: "tcp" }
+ - { port: 465, ipv: "v4", proto: "tcp" }
+ - { port: 465, ipv: "v6", proto: "tcp" }
+ - { port: 587, ipv: "v4", proto: "tcp" }
+ - { port: 587, ipv: "v6", proto: "tcp" }
+ - { port: 993, ipv: "v4", proto: "tcp" }
+ - { port: 993, ipv: "v6", proto: "tcp" }
+ systemd:
+ services:
+ - { name: "dovecot", enabled: true, action: reloaded }
+ - { name: "postfix", enabled: true, action: reloaded }
+ - { name: "opendkim", enabled: true, action: reloaded }
+ file:
+ - { path: "/etc/opendkim-data", owner: "opendkim", group: "opendkim", mode: "700", state: directory }
+ - { path: "/var/spool/postfix/opendkim", owner: "postfix", group: "opendkim", mode: "650", state: directory }
+ - { path: "/var/lib/dovecot/sieve/", owner: "vmail", group: "vmail", mode: "655", state: directory }
+ - { path: "/etc/ssl/private", owner: "root", group: "root", mode: "655", state: directory }
+ - { path: "/etc/ssl/private/mail", owner: "root", group: "root", mode: "655", state: directory }
+ users:
+ - { name: "vmail", shell: "/sbin/nologin", lock: true }
+ roles:
+ - users
+ - file
+ - firewall
+ - apt
+ - postfix
+ - dovecot
+ - opendkim
+ - systemd
diff --git a/monitoring.yml b/monitoring.yml
index afdc41a..447ffcf 100644
--- a/monitoring.yml
+++ b/monitoring.yml
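Review bot: The directory modes in the `file:` list look mistyped — `"655"` and `"650"` clear the owner's execute bit, so the non-root owners (`vmail` on `/var/lib/dovecot/sieve/`, `postfix` on `/var/spool/postfix/opendkim`) cannot traverse their own directories while `other` is granted `r-x`, and `/etc/ssl/private` (shipped by Debian as `root:ssl-cert 0710`) becomes world-listable. The opendkim socket directory also needs write access for whichever side creates the socket; in the usual Debian layout that is `opendkim`, with `postfix` only needing traverse, which the `postfix:opendkim 650` pairing here does not give either process. Ports 25 and 143 are opened next to the TLS ports, which is acceptable only if the postfix/dovecot roles (not in this diff) require STARTTLS before AUTH — worth confirming on the role side. Proposed entries, with the spool-dir ownership swapped to match that layout (adjust if the opendkim role creates the socket differently):
```yaml
      file:
        - { path: "/etc/opendkim-data", owner: "opendkim", group: "opendkim", mode: "0700", state: directory }
        # opendkim creates the milter socket here; postfix only needs to traverse the directory
        - { path: "/var/spool/postfix/opendkim", owner: "opendkim", group: "postfix", mode: "0750", state: directory }
        - { path: "/var/lib/dovecot/sieve/", owner: "vmail", group: "vmail", mode: "0750", state: directory }
        # private keys: keep the directory closed to unprivileged users (Debian default is root:ssl-cert 0710)
        - { path: "/etc/ssl/private", owner: "root", group: "root", mode: "0700", state: directory }
        - { path: "/etc/ssl/private/mail", owner: "root", group: "root", mode: "0700", state: directory }
```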
@@ -39,42 +39,12 @@
 - "tcp://{{ global.backend.redis.host }}:{{ global.backend.redis.port }}"
 postgresql:
 address: "host={{ global.backend.postgres.host }} port={{ global.backend.postgres.port }} user={{ vault_postgres.user }} password={{ vault_postgres.password }} sslmode=prefer"
-
- cloudwatch:
- - {
- region: "eu-central-1",
- access_key: "{{ vault_telegraf.aws.access_key }}",
- secret_key: "{{ vault_telegraf.aws.secret_key }}",
- period: "48h",
- interval: "12h",
- namespace: "AWS/S3",
- ratelimit: 50,
- statistic_include: ["average"],
- cache_ttl: "1h"
- }
- - {
- region: "eu-west-1",
- access_key: "{{ vault_telegraf.aws.access_key }}",
- secret_key: "{{ vault_telegraf.aws.secret_key }}",
- period: "24h",
- interval: "6h",
- namespace: "AWS/SES",
- ratelimit: 15,
- statistic_include: ["average"],
- cache_ttl: "1h"
- }
- - {
- region: "us-east-1",
- access_key: "{{ vault_telegraf.aws.access_key }}",
- secret_key: "{{ vault_telegraf.aws.secret_key }}",
- period: "24h",
- interval: "6h",
- namespace: "AWS/Billing",
- ratelimit: 15,
- statistic_include: ["average"],
- cache_ttl: "1h"
- }
 grafana:
+ smtp:
+ from: "grafana@redxen.eu"
+ host: "mail.redxen.eu:465"
+ user: "grafana"
+ password: "{{ vault_grafana.smtp.password }}"
 listen:
 port: '{{ global.monitoring.grafana.port }}'
 domain: '{{ global.monitoring.grafana.domain }}'
diff --git a/net.yml b/net.yml
index 8fa866f..b1bf3e1 100644
--- a/net.yml
+++ b/net.yml
@@ -33,6 +33,8 @@
 - { bit: 10, pubkey: "wpjMlhrcv173ER7rZ0KrmaqahcqZA/fm3ovpaGlRIRo=" }
 - { bit: 12, pubkey: "2FRcncz/oSmqFQLrHqICi4fEkgxrCeS9P8TTv5gcfCw=" }
 - { bit: 14, pubkey: "XYUXzDDXzo1uDadvJ8YW5X/ISCZSyu10d35i7mb0pAY=" }
+ - { bit: 16, pubkey: "d459SqKVWko+wBhoFrU+yrFVM4BqI8FSmPtdrWepkw0=" }
+ - { bit: 18, pubkey: "Fb8sYfZghohEpznWpt46x1cmmkymt2ksQL7fEBI6qlc=" }
 vault:
 roles:
 - "wireguard"
diff --git a/production b/production
index 936d164..5f0f01e 100644
--- a/production
+++ b/production
@@ -45,3 +45,6 @@
 n0
 [homepage]
 n1
+
+[mail]
+n1
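Review bot: Dropping the three cloudwatch inputs removes the last visible consumer of `vault_telegraf.aws.access_key`/`secret_key`, but the key pair itself stays valid until it is deactivated in IAM and purged from the vault file — with the AWS integration gone there is no reason to keep a live access key in the vault, and a leaked vault would still yield working AWS credentials. The new Grafana `smtp` block keeps the password in vault and targets port 465, which is conventionally implicit TLS, so certificate verification should stay at its default (no `skip_verify`) and `mail.redxen.eu`'s certificate must cover that exact name. The `grafana` SMTP account presumably has to be provisioned on the dovecot/postfix side with permission to send as `grafana@redxen.eu`; that is not visible in this diff.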
diff --git a/roles/dovecot b/roles/dovecot
new file mode 160000
index 0000000..5d7f2b0
--- /dev/null
+++ b/roles/dovecot
@@ -0,0 +1 @@
+Subproject commit 5d7f2b0f4cf16f71c0469bb33e87998f7056e9c0
diff --git a/roles/gitea b/roles/gitea
index 7f80dca..e31d393 160000
--- a/roles/gitea
+++ b/roles/gitea
@@ -1 +1 @@
-Subproject commit 7f80dca6c6c4aa1eda2ccc5a53398889fa20e0f9
+Subproject commit e31d393bb44cc4145dc4700d88406895d2df6036
diff --git a/roles/grafana b/roles/grafana
index d87f3eb..2f29689 160000
--- a/roles/grafana
+++ b/roles/grafana
@@ -1 +1 @@
-Subproject commit d87f3eb533eb186139c0bb7efa4387d0c809d592
+Subproject commit 2f296892cb5b37198b1ff983d64c86e7c9d88692
diff --git a/roles/opendkim b/roles/opendkim
new file mode 160000
index 0000000..b2431d8
--- /dev/null
+++ b/roles/opendkim
@@ -0,0 +1 @@
+Subproject commit b2431d8f374e9cbe9e9229165f6673f720a8fbfb
diff --git a/roles/pleroma b/roles/pleroma
index c27fe21..505adf9 160000
--- a/roles/pleroma
+++ b/roles/pleroma
@@ -1 +1 @@
-Subproject commit c27fe21daba201c012fb6cb71684604bf5b8b676
+Subproject commit 505adf97339797b0cef9f14d810631dca9b870e3
diff --git a/roles/postfix b/roles/postfix
new file mode 160000
index 0000000..104494b
--- /dev/null
+++ b/roles/postfix
@@ -0,0 +1 @@
+Subproject commit 104494b70998780800bc5d852feec6aa5a42a7c6
diff --git a/roles/systemd b/roles/systemd
index 12081a5..04998bc 160000
--- a/roles/systemd
+++ b/roles/systemd
@@ -1 +1 @@
-Subproject commit 12081a5fc072bc78dac01afc9741ec8f8289c564
+Subproject commit 04998bc7f87c9aa08d7579f1fb954a23cb1fe80f
diff --git a/roles/unbound b/roles/unbound
index 8e2f773..33c4e6d 160000
--- a/roles/unbound
+++ b/roles/unbound
@@ -1 +1 @@
-Subproject commit 8e2f773811063d04174b65113a11a245b22bf043
+Subproject commit 33c4e6de98bc280a2159b36ec4f7489a14c605d5
diff --git a/roles/users b/roles/users
index ec6918d..ae925a9 160000
--- a/roles/users
+++ b/roles/users
@@ -1 +1 @@
-Subproject commit ec6918d583dc2971561799eb36c09800a247291d
+Subproject commit ae925a9400e421afdf5814b1eba219496f1351b6
diff --git a/roles/varnish b/roles/varnish
index 29c25ff..e5dfd2e 160000
--- a/roles/varnish
+++ b/roles/varnish
@@ -1 +1 @@
-Subproject commit 29c25ff02474d2eb9929f65b05acd71b81f0c108
+Subproject commit e5dfd2e8b5fcc8ec4d0537b5efe76d107829cc7e