From 2f275bbeef7222de61d94fa77cd5874d0f31de39 Mon Sep 17 00:00:00 2001
From: MichiK <michik@michik.net>
Date: Sat, 28 Sep 2019 16:26:10 +0200
Subject: [PATCH] YOLO deployment

---
 host_vars/gabriel.c3heaven.de             | 42 +++++++++++++++++++++++
 roles/nginx-https/templates/https-site.j2 |  4 +--
 roles/postfix/defaults/main.yml           |  6 ++--
 roles/postfix/handlers/main.yml           |  9 +++--
 roles/postfix/tasks/main.yml              |  6 ++++
 roles/postfix/templates/aliases.j2        |  7 ++++
 roles/postfix/templates/generic.j2        |  5 +++
 roles/postfix/templates/main.cf.j2        | 23 ++++++++++---
 8 files changed, 90 insertions(+), 12 deletions(-)
 create mode 100644 host_vars/gabriel.c3heaven.de
 create mode 100644 roles/postfix/templates/generic.j2

diff --git a/host_vars/gabriel.c3heaven.de b/host_vars/gabriel.c3heaven.de
new file mode 100644
index 0000000..709b128
--- /dev/null
+++ b/host_vars/gabriel.c3heaven.de
@@ -0,0 +1,42 @@
+acmetool_cert_domains:
+ - gabriel.c3heaven.de
+ - c3heaven.de
+ - lists.c3heaven.de
+ - wiki.c3heaven.de
+
+nginx_http_locations:
+ - location: "/"
+   config: |
+     access_log off;
+     log_not_found off;
+     return 301 https://$host$request_uri;
+
+nginx_https_default_headers:
+ - name: "Strict-Transport-Security"
+   value: "max-age=31536000; includeSubDomains"
+ - name: "X-XSS-Protection"
+   value: "1; mode=block"
+ - name: "X-Frame-Options"
+   value: "DENY"
+ - name: "X-Content-Type-Options"
+   value: "nosniff"
+ - name: "Referrer-Policy"
+   value: "same-origin"
+
+rspamd_enabled: true
+
+postfix_mydestination: "localhost, $myhostname, c3heaven.de"
+postfix_myorigin: "c3heaven.de"
+postfix_generic_map:
+ - "www-data@c3heaven.de noreply@c3heaven.de"
+postfix_additional_admin_aliases:
+ - shift
+ - shifts
+ - ticket
+postfix_alias_maps:
+ - "hash:/etc/aliases"
+ - "hash:/var/lib/mailman/data/aliases"
+postfix_virtual_alias_domains:
+ - "lists.c3heaven.de"
+postfix_virtual_alias_maps:
+ - "hash:/var/lib/mailman/data/virtual-mailman"
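Review bot: The redirect in `nginx_http_locations`, `return 301 https://$host$request_uri;`, builds its target from `$host`, which is the client-supplied Host header; if the rendered location ends up in a catch-all or default server block (the nginx-http role's template is outside this diff), a request carrying a foreign Host value is redirected to that foreign origin. When the block is meant only for the listed domains, `return 301 https://$server_name$request_uri;` or the literal domain pins the target; if it is deliberately the default vhost, a comment above the `config: |` scalar saying so would stop the next reader from tightening it by accident.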
diff --git a/roles/nginx-https/templates/https-site.j2 b/roles/nginx-https/templates/https-site.j2
index e24fb3c..45d8e77 100644
--- a/roles/nginx-https/templates/https-site.j2
+++ b/roles/nginx-https/templates/https-site.j2
@@ -16,13 +16,13 @@ server {
 
 {% if nginx_https_default_headers %}
 {% for header in nginx_https_default_headers %}
-  add_header {{ header }};
+  add_header {{ header.name }} "{{ header.value }}";
 {% endfor %}
 {% endif %}
 
 {% if item.headers %}
 {% for header in item.headers %}
-  add_header {{ header }};
+  add_header {{ header.name }} "{{ header.value }}";
 {% endfor %}
 {% endif %}
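Review bot: Switching both loops to `header.name`/`header.value` changes the variable contract: any inventory entry that still supplies `nginx_https_default_headers` or `item.headers` as plain strings, the shape the removed `add_header {{ header }};` lines consumed, will now abort rendering on an undefined attribute rather than produce a wrong line, and the only consumer updated in this patch is the new `host_vars/gabriel.c3heaven.de`, so the rest of the inventory and the role defaults (outside the diff) need checking. The value is wrapped in double quotes but not escaped, so a `header.value` containing `"` yields an nginx syntax error at reload; either reject such values or escape them in the template. The enclosing `server {` block starts before this hunk.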
 
diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml
index 39e9ae3..9105874 100644
--- a/roles/postfix/defaults/main.yml
+++ b/roles/postfix/defaults/main.yml
@@ -1,3 +1,5 @@
+postfix_mydestination: "localhost, $myhostname"
+postfix_myorigin: null
 postfix_alias_maps:
  - "hash:/etc/aliases"
 postfix_virtual_alias_domains: []
@@ -8,6 +10,4 @@ postfix_tls_high_cipherlist: "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-S
 postfix_smtpd_tls_mandatory_protocols: "TLSv1.2"
 postfix_ssl_dhparam: "/etc/postfix/dh_2048.pem"
 postfix_ssl_dhparam_bits: 2048
-
-opendkim_enabled: false
-
+postfix_additional_admin_aliases: []
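Review bot: Dropping `opendkim_enabled: false` without a default for its replacement leaves `rspamd_enabled` undefined on every host that does not set it, and `roles/postfix/templates/main.cf.j2` in this same patch evaluates `{% if rspamd_enabled %}` unconditionally, which under Ansible's default strict undefined handling aborts the template instead of rendering the milter block as off. The same gap exists for `postfix_generic_map`: `roles/postfix/templates/generic.j2` iterates it and the new task in `roles/postfix/tasks/main.yml` renders that template on every host, yet only `host_vars/gabriel.c3heaven.de` defines it. Adding `rspamd_enabled: false` and `postfix_generic_map: []` next to `postfix_additional_admin_aliases: []` restores the fail-safe default the removed line provided.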
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
index 3c53c32..816869d 100644
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
@@ -1,7 +1,10 @@
+- name: newaliases
+  command: newaliases
+
+- name: postmap generic
+  command: postmap /etc/postfix/generic
+
 - name: restart postfix
   systemd:
     name: postfix
     state: restarted
-
-- name: newaliases
-  command: newaliases
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
index 4c8b976..abc4897 100644
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -26,3 +26,9 @@
     src: "aliases.j2"
     dest: "/etc/aliases"
   notify: newaliases
+
+- name: configure generic map
+  template:
+    src: "generic.j2"
+    dest: "/etc/postfix/generic"
+  notify: postmap generic
diff --git a/roles/postfix/templates/aliases.j2 b/roles/postfix/templates/aliases.j2
index 89a3919..9d96228 100644
--- a/roles/postfix/templates/aliases.j2
+++ b/roles/postfix/templates/aliases.j2
@@ -11,3 +11,10 @@ security: admins
 postmaster: admins
 webmaster: admins
 root: admins
+
+{% if postfix_additional_admin_aliases %}
+# additional admin aliases
+{% for alias in postfix_additional_admin_aliases %}
+{{ alias }}: admins
+{% endfor %}
+{% endif %}
diff --git a/roles/postfix/templates/generic.j2 b/roles/postfix/templates/generic.j2
new file mode 100644
index 0000000..4a2a21f
--- /dev/null
+++ b/roles/postfix/templates/generic.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% for line in postfix_generic_map %}
+{{ line }}
+{% endfor %}
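Review bot: `postfix_generic_map` entries are written to `/etc/postfix/generic` as opaque lines, so a malformed entry (a single token, a stray comment, a tab-separated pair) is only noticed when the `postmap generic` handler fails after the file is already in place. Modelling each entry as a mapping and rendering `{{ entry.from }} {{ entry.to }}` would let the template, or an `assert` task before it, validate the two-field shape, at the cost of adjusting the single consumer in `host_vars/gabriel.c3heaven.de`. A one-line comment after the `ansible_managed` line stating what the file feeds, e.g. `# sender-address rewrites consumed by smtp_generic_maps in main.cf`, would also help.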
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
index 2c5630d..e8a8496 100644
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -5,25 +5,40 @@ biff = no
 compatibility_level = 2
 
 myhostname = {{ inventory_hostname }}
-mydestination = localhost, $myhostname
+mydestination = {{ postfix_mydestination }}
+{% if postfix_myorigin %}
+myorigin = {{ postfix_myorigin }}
+{% endif %}
 
+show_user_unknown_table_name = no
 alias_database = hash:/etc/aliases
 alias_maps = {{ postfix_alias_maps|join(', ') }}
-{% if postfix_virtual_alias_domains %}virtual_alias_domains = {{ postfix_virtual_alias_domains|join(', ') }}{% endif %}
-{% if postfix_virtual_alias_maps %}virtual_alias_maps = {{ postfix_virtual_alias_maps|join(', ') }}{% endif %}
+{% if postfix_virtual_alias_domains %}
+virtual_alias_domains = {{ postfix_virtual_alias_domains|join(', ') }}
+{% endif %}
+{% if postfix_virtual_alias_maps %}
+virtual_alias_maps = {{ postfix_virtual_alias_maps|join(', ') }}
+{% endif %}
 
 inet_interfaces = all
 inet_protocols = ipv6, ipv4
 
+{% if rspamd_enabled %}
+smtpd_milters = inet:localhost:11332
+non_smtpd_milters = inet:localhost:11332
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
+milter_default_action = accept
+{% endif %}
+
 mailbox_size_limit = {{ postfix_mailbox_size_limit }}
 message_size_limit = {{ postfix_message_size_limit }}
-{% if opendkim_enabled %}non_smtpd_milters = inet:localhost:11332{% endif %}
 
 tls_high_cipherlist = {{ postfix_tls_high_cipherlist }}
 
 smtp_tls_security_level = may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_use_tls = yes
+smtp_generic_maps = hash:/etc/postfix/generic
 
 smtpd_banner = $myhostname loves ESMTP
 smtpd_tls_cert_file=/var/lib/acme/live/{{ inventory_hostname }}/fullchain
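Review bot: `milter_default_action = accept` makes the milter block fail open: when the filter at `inet:localhost:11332` (presumably rspamd's proxy worker) is down or times out, mail is accepted unfiltered, and nothing in the template records that as a deliberate availability trade-off. If it is intended, a comment above `{% if rspamd_enabled %}` such as `{# fail open: mail is accepted unfiltered while rspamd is unavailable #}` keeps a later reader from "fixing" it; if not, `milter_default_action = tempfail` holds delivery until the filter is back. Separately, `smtp_generic_maps = hash:/etc/postfix/generic` is emitted unconditionally while the map it points at is filled from `postfix_generic_map`, which has no role default, so hosts without that variable will fail earlier at the template step rather than here.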
-- 
GitLab