YOLO deployment

2f275bbe · MichiK · 3275a221 · 2f275bbe · 2f275bbe · 2f275bbe
Commit 2f275bbe authored 5 years ago by MichiK
--- a/host_vars/gabriel.c3heaven.de
+++ b/host_vars/gabriel.c3heaven.de
+acmetool_cert_domains:
+ - gabriel.c3heaven.de
+ - c3heaven.de
+ - lists.c3heaven.de
+ - wiki.c3heaven.de
+
+nginx_http_locations:
+ - location: "/"
+   config: |
+     access_log off;
+     log_not_found off;
+     return 301 https://$host$request_uri;
+
+nginx_https_default_headers:
+ - name: "Strict-Transport-Security"
+   value: "max-age=31536000; includeSubDomains"
+ - name: "X-XSS-Protection"
+   value: "1; mode=block"
+ - name: "X-Frame-Options"
+   value: "DENY"
+ - name: "X-Content-Type-Options"
+   value: "nosniff"
+ - name: "Referrer-Policy"
+   value: "same-origin"
+
+rspamd_enabled: true
+
+postfix_mydestination: "localhost, $myhostname, c3heaven.de"
+postfix_myorigin: "c3heaven.de"
+postfix_generic_map:
+ - "www-data@c3heaven.de noreply@c3heaven.de"
+postfix_additional_admin_aliases:
+ - shift
+ - shifts
+ - ticket
+postfix_alias_maps:
+ - "hash:/etc/aliases"
+ - "hash:/var/lib/mailman/data/aliases"
+postfix_virtual_alias_domains:
+ - "lists.c3heaven.de"
+postfix_virtual_alias_maps:
+ - "hash:/var/lib/mailman/data/virtual-mailman"
--- a/roles/nginx-https/templates/https-site.j2
+++ b/roles/nginx-https/templates/https-site.j2
@@ -16,13 +16,13 @@ server {

 {% if nginx_https_default_headers %}
 {% for header in nginx_https_default_headers %}
-  add_header {{ header }};
+  add_header {{ header.name }} "{{ header.value }}";
 {% endfor %}
 {% endif %}

 {% if item.headers %}
 {% for header in item.headers %}
-  add_header {{ header }};
+  add_header {{ header.name }} "{{ header.value }}";
 {% endfor %}
 {% endif %}


--- a/roles/postfix/defaults/main.yml
+++ b/roles/postfix/defaults/main.yml
+postfix_mydestination: "localhost, $myhostname"
+postfix_myorigin: null
 postfix_alias_maps:
 - "hash:/etc/aliases"
 postfix_virtual_alias_domains: []
@@ -8,6 +10,4 @@ postfix_tls_high_cipherlist: "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-S
 postfix_smtpd_tls_mandatory_protocols: "TLSv1.2"
 postfix_ssl_dhparam: "/etc/postfix/dh_2048.pem"
 postfix_ssl_dhparam_bits: 2048
-
-opendkim_enabled: false
-
+postfix_additional_admin_aliases: []
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
+- name: newaliases
+  command: newaliases
+
+- name: postmap generic
+  command: postmap /etc/postfix/generic
+
 - name: restart postfix
  systemd:
    name: postfix
    state: restarted
-
- name: newaliases
-  command: newaliases
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -26,3 +26,9 @@
    src: "aliases.j2"
    dest: "/etc/aliases"
  notify: newaliases
+
+- name: configure generic map
+  template:
+    src: "generic.j2"
+    dest: "/etc/postfix/generic"
+  notify: postmap generic
--- a/roles/postfix/templates/aliases.j2
+++ b/roles/postfix/templates/aliases.j2
@@ -11,3 +11,10 @@ security: admins
 postmaster: admins
 webmaster: admins
 root: admins
+
+{% if postfix_additional_admin_aliases %}
+# additional admin aliases
+{% for alias in postfix_additional_admin_aliases %}
+{{ alias }}: admins
+{% endfor %}
+{% endif %}
--- a/roles/postfix/templates/generic.j2
+++ b/roles/postfix/templates/generic.j2
+# {{ ansible_managed }}
+
+{% for line in postfix_generic_map %}
+{{ line }}
+{% endfor %}
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -5,25 +5,40 @@ biff = no
 compatibility_level = 2

 myhostname = {{ inventory_hostname }}
-mydestination = localhost, $myhostname
+mydestination = {{ postfix_mydestination }}
+{% if postfix_myorigin %}
+myorigin = {{ postfix_myorigin }}
+{% endif %}

+show_user_unknown_table_name = no
 alias_database = hash:/etc/aliases
 alias_maps = {{ postfix_alias_maps|join(', ') }}
-{% if postfix_virtual_alias_domains %}virtual_alias_domains = {{ postfix_virtual_alias_domains|join(', ') }}{% endif %}
-{% if postfix_virtual_alias_maps %}virtual_alias_maps = {{ postfix_virtual_alias_maps|join(', ') }}{% endif %}
+{% if postfix_virtual_alias_domains %}
+virtual_alias_domains = {{ postfix_virtual_alias_domains|join(', ') }}
+{% endif %}
+{% if postfix_virtual_alias_maps %}
+virtual_alias_maps = {{ postfix_virtual_alias_maps|join(', ') }}
+{% endif %}

 inet_interfaces = all
 inet_protocols = ipv6, ipv4

+{% if rspamd_enabled %}
+smtpd_milters = inet:localhost:11332
+non_smtpd_milters = inet:localhost:11332
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
+milter_default_action = accept
+{% endif %}
+
 mailbox_size_limit = {{ postfix_mailbox_size_limit }}
 message_size_limit = {{ postfix_message_size_limit }}
-{% if opendkim_enabled %}non_smtpd_milters = inet:localhost:11332{% endif %}

 tls_high_cipherlist = {{ postfix_tls_high_cipherlist }}

 smtp_tls_security_level = may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_use_tls = yes
+smtp_generic_maps = hash:/etc/postfix/generic

 smtpd_banner = $myhostname loves ESMTP
 smtpd_tls_cert_file=/var/lib/acme/live/{{ inventory_hostname }}/fullchain