From 5c4a1e169ec70767e16947217fabf25677b23892 Mon Sep 17 00:00:00 2001
From: MichiK <michik@michik.net>
Date: Thu, 26 Sep 2019 00:01:08 +0200
Subject: [PATCH] Add Postfix role and fix some bugs
---
 group_vars/all | 5 ++-
 roles/acmetool/defaults/main.yml | 2 +-
 roles/acmetool/tasks/main.yml | 2 +
 roles/nginx-http/tasks/main.yml | 2 +
 roles/nginx-https/defaults/main.yml | 2 +-
 roles/nginx-https/tasks/main.yml | 1 -
 roles/postfix/defaults/main.yml | 13 ++++++
 roles/postfix/handlers/main.yml | 7 ++++
 roles/postfix/meta/main.yml | 2 +
 roles/postfix/tasks/main.yml | 28 +++++++++++++
 roles/postfix/templates/aliases.j2 | 13 ++++++
 roles/postfix/templates/main.cf.j2 | 62 +++++++++++++++++++++++++++++
 services-base.yml | 1 +
 13 files changed, 136 insertions(+), 4 deletions(-)
 create mode 100644 roles/postfix/defaults/main.yml
 create mode 100644 roles/postfix/handlers/main.yml
 create mode 100644 roles/postfix/meta/main.yml
 create mode 100644 roles/postfix/tasks/main.yml
 create mode 100644 roles/postfix/templates/aliases.j2
 create mode 100644 roles/postfix/templates/main.cf.j2
diff --git a/group_vars/all b/group_vars/all
index 5627b34..5229bdf 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -1,11 +1,14 @@
 # This should be some e-mail address where technical messages may go.
-admin_email: "michik@michik.net"
+# The idea here is, that this email address should exist for every host if
+# the services-base.yml playbook has been run.
+admin_email: "admins@{{ inventory_hostname }}"
 
 # Please feel free to add your favorite software you need absolutely everywhere
 # here. However, please do not leave too much stuff nobody else might use or
 # stuff that could be handy for an attacker.
 apt_essential_packages:
 - vim
+ - htop
 
 # This is all the stuff we neither need nor want on our computers.
 apt_unwanted_packages:
diff --git a/roles/acmetool/defaults/main.yml b/roles/acmetool/defaults/main.yml
index 5bfba53..2cc5dd0 100644
--- a/roles/acmetool/defaults/main.yml
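Review bot: `admin_email` now points at `admins@{{ inventory_hostname }}`, a mailbox that exists only after the postfix role has run on that host and only if `inventory_hostname` is the name Postfix accepts mail for (the new main.cf.j2 sets `myhostname = {{ inventory_hostname }}` and `mydestination = localhost, $myhostname`). Any role that sends to this address on a host outside services-base.yml, or on a host whose inventory name is a short alias, will now have its mail bounce or sit in the queue without a deployment error, so the comment should state the precondition rather than the intent, e.g. `# Deliverable only once roles/postfix has run and only if inventory_hostname is the host's public FQDN.` Note also that the previous value was an external mailbox; with this change a broken local MTA also takes out the channel that would report the breakage.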
+++ b/roles/acmetool/defaults/main.yml @@ -3,7 +3,7 @@ # nginx (much simpler that way). acmetool_cert_domains: - - "{{ ansible_fqdn }}" + - "{{ inventory_hostname }}" # This is the production environment. To use the staging environment, please # override for the host(s) in question with the following URL: diff --git a/roles/acmetool/tasks/main.yml b/roles/acmetool/tasks/main.yml index 6abd4a8..1aae136 100644 --- a/roles/acmetool/tasks/main.yml +++ b/roles/acmetool/tasks/main.yml @@ -1,6 +1,8 @@ - name: install acmetool apt: package: acmetool + update_cache: yes + cache_valid_time: 3600 state: present - name: create acmetool conf and webroot directories diff --git a/roles/nginx-http/tasks/main.yml b/roles/nginx-http/tasks/main.yml index e9f5f11..d3b74c6 100644 --- a/roles/nginx-http/tasks/main.yml +++ b/roles/nginx-http/tasks/main.yml @@ -1,6 +1,8 @@ - name: install nginx apt: package: nginx + update_cache: yes + cache_valid_time: 3600 state: present - name: enable nginx diff --git a/roles/nginx-https/defaults/main.yml b/roles/nginx-https/defaults/main.yml index 8f038c5..8980b55 100644 --- a/roles/nginx-https/defaults/main.yml +++ b/roles/nginx-https/defaults/main.yml @@ -6,7 +6,7 @@ nginx_ssl_dhparam_bits: 4096 nginx_https_default_headers: null nginx_https_sites: - - name: "{{ ansible_fqdn }}" + - name: "{{ inventory_hostname }}" locations: - location: "/" config: | diff --git a/roles/nginx-https/tasks/main.yml b/roles/nginx-https/tasks/main.yml index a27f500..4f51cf6 100644 --- a/roles/nginx-https/tasks/main.yml +++ b/roles/nginx-https/tasks/main.yml @@ -2,7 +2,6 @@ command: 'openssl dhparam -out "{{ nginx_ssl_dhparam }}" {{ nginx_ssl_dhparam_bits }}' args: creates: "{{ nginx_ssl_dhparam }}" - when: nginx_hmi_ssl_dhparam is not none - name: configure the https sites template: diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml new file mode 100644 index 0000000..39e9ae3 --- /dev/null +++ b/roles/postfix/defaults/main.yml 
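Review bot: Switching `acmetool_cert_domains` from `ansible_fqdn` to `inventory_hostname` makes certificate issuance depend on the inventory name being a publicly resolvable DNS name that points at this host, which ACME validation requires but inventory names do not guarantee; the same name is also baked into the certificate path used by the new postfix role (`/var/lib/acme/live/{{ inventory_hostname }}/`), so a short or aliased inventory name breaks both at once. The defaults file should say so next to the value: `# inventory_hostname must be the host's public DNS name; ACME validation and dependent roles (postfix) rely on it.` A cheap runtime guard in the role's tasks would turn a silent issuance failure into a play failure, e.g. `- assert: { that: "'.' in inventory_hostname", fail_msg: "inventory_hostname must be an FQDN" }`.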
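Review bot: `update_cache: yes` in the acmetool `apt` task uses a YAML 1.1 truthy spelling; Ansible accepts it, but yamllint's `truthy` rule flags it and the canonical form is `update_cache: true`. The identical `update_cache`/`cache_valid_time: 3600` pair is added verbatim to the nginx-http and postfix `apt` tasks in this same commit, so a single `apt_cache_valid_time` variable in group_vars/all would keep the three roles in step instead of repeating the literal.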
@@ -0,0 +1,13 @@
+postfix_alias_maps:
+ - "hash:/etc/aliases"
+postfix_virtual_alias_domains: []
+postfix_virtual_alias_maps: []
+postfix_mailbox_size_limit: 0
+postfix_message_size_limit: 102400000
+postfix_tls_high_cipherlist: "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
+postfix_smtpd_tls_mandatory_protocols: "TLSv1.2"
+postfix_ssl_dhparam: "/etc/postfix/dh_2048.pem"
+postfix_ssl_dhparam_bits: 2048
+
+opendkim_enabled: false
+
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
new file mode 100644
index 0000000..3c53c32
--- /dev/null
+++ b/roles/postfix/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: restart postfix
+ systemd:
+ name: postfix
+ state: restarted
+
+- name: newaliases
+ command: newaliases
diff --git a/roles/postfix/meta/main.yml b/roles/postfix/meta/main.yml
new file mode 100644
index 0000000..20563e0
--- /dev/null
+++ b/roles/postfix/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - acmetool
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
new file mode 100644
index 0000000..4c8b976
--- /dev/null
+++ b/roles/postfix/tasks/main.yml
@@ -0,0 +1,28 @@
+- name: install postfix
+ apt:
+ package: postfix
+ update_cache: yes
+ cache_valid_time: 3600
+ state: present
+
+- name: create dh parameters
+ command: 'openssl dhparam -out "{{ postfix_ssl_dhparam }}" {{ postfix_ssl_dhparam_bits }}'
+ args:
+ creates: "{{ postfix_ssl_dhparam }}"
+
+- name: configure postfix
+ template:
+ src: "main.cf.j2"
+ dest: "/etc/postfix/main.cf"
+ notify: restart postfix
+
+- name: load user info
+ include_vars:
+ file: "files/users/users.yml"
+ name: "user_info"
+
+- name: create aliases
+ template:
+ src: "aliases.j2"
+ dest: "/etc/aliases"
+ notify: newaliases
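Review bot: `postfix_tls_high_cipherlist` lists `DHE-RSA-AES128-GCM-SHA256` twice and closes with four CBC/SHA-1 suites (`ECDHE-RSA-AES256-SHA`, `ECDHE-RSA-AES128-SHA`, `DHE-RSA-AES256-SHA`, `DHE-RSA-AES128-SHA`). Keeping the CBC suites can be the right call for opportunistic SMTP TLS, where a refused handshake means cleartext rather than a refused connection, but that reasoning belongs next to the value, e.g. `# CBC/SHA-1 suites kept deliberately: on port 25 a failed handshake falls back to cleartext, which is worse.`, and the duplicate entry should be removed. `postfix_ssl_dhparam_bits: 2048` also differs from `nginx_ssl_dhparam_bits: 4096` in the nginx-https defaults touched by this commit; if the smaller size is intentional (DHE is only the fallback behind ECDHE here and 4096-bit generation is slow on first run), a one-line comment saying so would stop the next reader from "fixing" it.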
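Review bot: `create aliases` renders the `admins:` alias from `user_info.users`, but nothing checks that at least one user actually has `email_address` and `wants_admin_emails` set; with no match the template emits `admins:` with an empty right-hand side, `newaliases` will at best warn and skip that line, and every role address in aliases.j2 (`root`, `postmaster`, `abuse`, …) then points at an alias that does not exist, so admin mail is lost with a green playbook run. Add a guard between `load user info` and `create aliases` that fails the play instead; the filter chain below mirrors the template's own condition.
```yaml
# … unchanged: load user info task above …
- name: ensure at least one admin mail recipient exists
  assert:
    that:
      - user_info.users | selectattr('wants_admin_emails', 'defined') | selectattr('wants_admin_emails') | selectattr('email_address', 'defined') | list | length > 0
    fail_msg: "no user in files/users/users.yml has email_address and wants_admin_emails set; admin mail would be undeliverable"
# … unchanged: create aliases task below …
```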
diff --git a/roles/postfix/templates/aliases.j2 b/roles/postfix/templates/aliases.j2
new file mode 100644
index 0000000..89a3919
--- /dev/null
+++ b/roles/postfix/templates/aliases.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+# admin email addresses from git
+admins: {% for user in user_info.users if 'email_address' in user and 'wants_admin_emails' in user and user['wants_admin_emails'] %}{{ user['email_address'] }}{{ "," if not loop.last else '' }}{% endfor %}
+
+
+# rfc 2142 and other role addresses
+abuse: admins
+noc: admins
+security: admins
+postmaster: admins
+webmaster: admins
+root: admins
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
new file mode 100644
index 0000000..2c5630d
--- /dev/null
+++ b/roles/postfix/templates/main.cf.j2
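Review bot: The `admins:` line packs a filtered `for` loop with hand-rolled comma handling into one ~200-character Jinja statement, which is hard to review for correctness; the same result reads as a filter chain: `admins: {{ user_info.users | selectattr('wants_admin_emails', 'defined') | selectattr('wants_admin_emails') | selectattr('email_address', 'defined') | map(attribute='email_address') | join(', ') }}`. For a non-empty match the output is equivalent (Postfix accepts comma- or comma-space-separated alias targets); for an empty match both forms emit a bare `admins:`, which the comment above should call out: `# admins is generated from users.yml; if it renders empty, root/postmaster/abuse below become undeliverable.` The `root: admins` entry forwards all of the host's root mail — typically cron and daemon output — off-box to personal addresses, which looks intended here but deserves a one-line comment so it is not mistaken for an oversight.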
@@ -0,0 +1,62 @@
+# {{ ansible_managed }}
+
+biff = no
+
+compatibility_level = 2
+
+myhostname = {{ inventory_hostname }}
+mydestination = localhost, $myhostname
+
+alias_database = hash:/etc/aliases
+alias_maps = {{ postfix_alias_maps|join(', ') }}
+{% if postfix_virtual_alias_domains %}virtual_alias_domains = {{ postfix_virtual_alias_domains|join(', ') }}{% endif %}
+{% if postfix_virtual_alias_maps %}virtual_alias_maps = {{ postfix_virtual_alias_maps|join(', ') }}{% endif %}
+
+inet_interfaces = all
+inet_protocols = ipv6, ipv4
+
+mailbox_size_limit = {{ postfix_mailbox_size_limit }}
+message_size_limit = {{ postfix_message_size_limit }}
+{% if opendkim_enabled %}non_smtpd_milters = inet:localhost:11332{% endif %}
+
+tls_high_cipherlist = {{ postfix_tls_high_cipherlist }}
+
+smtp_tls_security_level = may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_use_tls = yes
+
+smtpd_banner = $myhostname loves ESMTP
+smtpd_tls_cert_file=/var/lib/acme/live/{{ inventory_hostname }}/fullchain
+smtpd_tls_key_file=/var/lib/acme/live/{{ inventory_hostname }}/privkey
+smtpd_tls_dh1024_param_file = {{ postfix_ssl_dhparam }}
+smtpd_tls_eecdh_grade = ultra
+smtpd_tls_loglevel = 0
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_protocols = {{ postfix_smtpd_tls_mandatory_protocols }}
+smtpd_tls_received_header = yes
+smtpd_tls_security_level = may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtpd_use_tls=yes
+
+smtpd_helo_restrictions =
+ permit_mynetworks,
+ reject_invalid_helo_hostname,
+ reject_non_fqdn_helo_hostname
+
+smtpd_sender_restrictions =
+ permit_mynetworks,
+ reject_non_fqdn_sender,
+ reject_unauth_pipelining
+
+smtpd_relay_restrictions =
+ permit_mynetworks,
+ reject_unauth_pipelining,
+ reject_unauth_destination
+
+smtpd_recipient_restrictions =
+ permit_mynetworks,
+ reject_unauth_pipelining
+
+smtpd_data_restrictions =
+ permit_mynetworks,
+ reject_unauth_pipelining
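Review bot: The TLS hardening in this template does not take effect: `smtpd_tls_mandatory_protocols` and `smtpd_tls_mandatory_ciphers` only govern sessions in which TLS is mandatory (`smtpd_tls_security_level = encrypt`), while this file sets `smtpd_tls_security_level = may`, so inbound opportunistic TLS runs on Postfix's `smtpd_tls_protocols`/`smtpd_tls_ciphers` defaults (medium grade, `!SSLv2, !SSLv3`, which still admits TLS 1.0 and 1.1) and `postfix_smtpd_tls_mandatory_protocols` is effectively dead configuration. Set the opportunistic knobs explicitly on both sides, e.g. `smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` and `smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`, and leave ciphers at the default `medium` for opportunistic mode unless a peer that cannot do `high` falling back to cleartext is acceptable. `smtpd_tls_loglevel = 0` also suppresses the per-session TLS summary that is the only record of which protocol and cipher a peer actually negotiated; `1` is the documented operational setting and costs one log line per connection. `smtp_use_tls = yes` and `smtpd_use_tls=yes` are legacy knobs superseded by the `*_tls_security_level` lines and can be dropped. Finally, `non_smtpd_milters = inet:localhost:11332` is gated on `opendkim_enabled`, but 11332 is the default port of rspamd's proxy worker rather than OpenDKIM's conventional 8891; confirm which milter is meant and make the socket a role variable such as `postfix_dkim_milter` so the template is not tied to one daemon's port.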
diff --git a/services-base.yml b/services-base.yml
index 631d869..e5070ed 100644
--- a/services-base.yml
+++ b/services-base.yml
@@ -8,3 +8,4 @@
 - nginx-http
 - acmetool
 - nginx-https
+ - postfix
-- GitLab
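Review bot: Adding `postfix` to services-base.yml turns every host covered by the base playbook into an MTA listening on port 25 on all interfaces (`inet_interfaces = all` in the new main.cf.j2) and presenting an ACME certificate that requires a public DNS name; that is a deliberate exposure decision and should be recorded where the role is enabled, e.g. `# postfix: every base host accepts mail for admins@<inventory_hostname>; needs port 25 reachable and an A/MX record.` If some hosts only need to send admin mail, a `postfix_inet_interfaces` role variable defaulting to `all` but settable to `loopback-only` per host would avoid running an internet-facing listener everywhere. The play header and any firewall role above this hunk are outside the view, so I cannot tell whether inbound 25 is already restricted elsewhere.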