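# Class: exim
#
# Installs exim4-daemon-heavy and manages its configuration under
# /etc/exim4, the TLS material under /etc/exim4/ssl, the logrotate snippets,
# the munin checks and the ferm firewall rules for SMTP and ident.
#
# Reads: $fqdn (selects per-host files and the certificate/key pair) and
# $nodeinfo (optional 'mail_port' override, via extractnodeinfo()).
#
# File modes are quoted four-digit octal strings and the "Debian-exim" group
# name is quoted, so the values are always passed as plain strings: newer
# Puppet parsers do not accept bare numeric modes, and a capitalised bareword
# can be read as a type reference.
class exim {
    # Enable the exim munin plugins and remove the postfix ones.
    activate_munin_check {
            "ps_exim4": script => "ps_";
            "exim_mailqueue":;
            "exim_mailstats":;
            "postfix_mailqueue":  ensure => absent;
            "postfix_mailstats":  ensure => absent;
            "postfix_mailvolume": ensure => absent;
    }


    package { "exim4-daemon-heavy": ensure => installed }

    file {
        # NOTE(review): purge is documented as taking effect only together
        # with recurse => true, so as written unmanaged files in this
        # directory are probably not removed.  Confirm the intent before
        # adding recurse: it would start deleting files.
        "/etc/exim4/":
          ensure  => directory,
          owner   => root,
          group   => root,
          mode    => "0755",
          purge   => true
        ;
        # Git and conf.d are synced against an empty source tree with
        # purge/force/recurse, which keeps both directories empty.
        "/etc/exim4/Git":
          ensure  => directory,
          purge   => true,
          force   => true,
          recurse => true,
          source  => "puppet:///files/empty/"
        ;
        "/etc/exim4/conf.d":
          ensure  => directory,
          purge   => true,
          force   => true,
          recurse => true,
          source  => "puppet:///files/empty/"
        ;
        # TLS directory: root-owned, readable by the exim group, no access
        # for others.
        # NOTE(review): same purge-without-recurse caveat as /etc/exim4/ --
        # stray key or certificate files left here are likely not cleaned up.
        "/etc/exim4/ssl":
          ensure  => directory,
          owner   => root,
          group   => "Debian-exim",
          mode    => "0750",
          require => Package["exim4-daemon-heavy"],
          purge   => true
        ;
        "/etc/mailname":
          content => template("exim/mailname.erb"),
        ;
        # The main configuration is the only file here that triggers a
        # reload of the daemon.
        "/etc/exim4/exim4.conf":
          content => template("exim/eximconf.erb"),
          require => Package["exim4-daemon-heavy"],
          notify  => Exec["exim4 reload"]
        ;
        "/etc/exim4/manualroute":
          require => Package["exim4-daemon-heavy"],
          content => template("exim/manualroute.erb")
          ;
        # For the list files below the source array is tried in order: a
        # per-host file for $fqdn wins, otherwise the common file is used.
        "/etc/exim4/host_blacklist":
          require => Package["exim4-daemon-heavy"],
          source  => [ "puppet:///exim/per-host/$fqdn/host_blacklist",
                       "puppet:///exim/common/host_blacklist" ]
          ;
        "/etc/exim4/blacklist":
          require => Package["exim4-daemon-heavy"],
          source  => [ "puppet:///exim/per-host/$fqdn/blacklist",
                       "puppet:///exim/common/blacklist" ]
          ;
        "/etc/exim4/callout_users":
          require => Package["exim4-daemon-heavy"],
          source  => [ "puppet:///exim/per-host/$fqdn/callout_users",
                       "puppet:///exim/common/callout_users" ]
          ;
        "/etc/exim4/grey_users":
          require => Package["exim4-daemon-heavy"],
          source  => [ "puppet:///exim/per-host/$fqdn/grey_users",
                       "puppet:///exim/common/grey_users" ]
          ;
        "/etc/exim4/helo-check":
          require => Package["exim4-daemon-heavy"],
          source  => [ "puppet:///exim/per-host/$fqdn/helo-check",
                       "puppet:///exim/common/helo-check" ]
          ;
        "/etc/exim4/locals":
          require => Package["exim4-daemon-heavy"],
          content => template("exim/locals.erb")
          ;
        "/etc/exim4/localusers":
          require => Package["exim4-daemon-heavy"],
          source  => [ "puppet:///exim/per-host/$fqdn/localusers",
                       "puppet:///exim/common/localusers" ]
          ;
        "/etc/exim4/rbllist":
          require => Package["exim4-daemon-heavy"],
          source  => [ "puppet:///exim/per-host/$fqdn/rbllist",
                       "puppet:///exim/common/rbllist" ]
          ;
        "/etc/exim4/rhsbllist":
          require => Package["exim4-daemon-heavy"],
          source  => [ "puppet:///exim/per-host/$fqdn/rhsbllist",
                       "puppet:///exim/common/rhsbllist" ]
          ;
        "/etc/exim4/virtualdomains":
          require => Package["exim4-daemon-heavy"],
          content => template("exim/virtualdomains.erb")
          ;
        "/etc/exim4/whitelist":
          require => Package["exim4-daemon-heavy"],
          source  => [ "puppet:///exim/per-host/$fqdn/whitelist",
                       "puppet:///exim/common/whitelist" ]
          ;
        "/etc/logrotate.d/exim4-base":
          require => Package["exim4-daemon-heavy"],
          source  => [ "puppet:///exim/per-host/$fqdn/logrotate-exim4-base",
                       "puppet:///exim/common/logrotate-exim4-base" ]
          ;
        "/etc/logrotate.d/exim4-paniclog":
          require => Package["exim4-daemon-heavy"],
          source  => [ "puppet:///exim/per-host/$fqdn/logrotate-exim4-paniclog",
                       "puppet:///exim/common/logrotate-exim4-paniclog" ]
          ;
        # TLS material: root-owned, group-readable by the exim group, no
        # access for others.
        "/etc/exim4/ssl/thishost.crt":
          require => Package["exim4-daemon-heavy"],
          source  => "puppet:///exim/certs/$fqdn.crt",
          owner   => root,
          group   => "Debian-exim",
          mode    => "0640"
          ;
        # NOTE(review): the private key is served from the same fileserver
        # mount as the public files.  Whether one node can fetch another
        # node's "<fqdn>.key" depends on the master's fileserver/auth
        # configuration, which is not visible here -- confirm that access to
        # exim/certs is restricted per host.
        "/etc/exim4/ssl/thishost.key":
          require => Package["exim4-daemon-heavy"],
          source  => "puppet:///exim/certs/$fqdn.key",
          owner   => root,
          group   => "Debian-exim",
          mode    => "0640"
          ;
        "/etc/exim4/ssl/ca.crt":
          require => Package["exim4-daemon-heavy"],
          source  => "puppet:///exim/certs/ca.crt",
          owner   => root,
          group   => "Debian-exim",
          mode    => "0640"
          ;
        "/etc/exim4/ssl/ca.crl":
          require => Package["exim4-daemon-heavy"],
          source  => "puppet:///exim/certs/ca.crl",
          owner   => root,
          group   => "Debian-exim",
          mode    => "0640"
          ;
        # Setgid log directory: written by exim, readable by the maillog
        # group, closed to everyone else.
        "/var/log/exim4":
          mode    => "2750",
          ensure  => directory,
          owner   => "Debian-exim",
          group   => maillog
          ;
    }

    # The resource title doubles as the command; "exim4" is looked up through
    # the search path below, which lists /etc/init.d first.  refreshonly
    # means it runs only when notified (by exim4.conf above).
    exec { "exim4 reload":
        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
        refreshonly => true,
    }

    # Only an all-digit mail_port is accepted, and the captured digits (not
    # the raw value) are what gets interpolated into the firewall rules
    # below; anything else falls back to the service name 'smtp'.
    case extractnodeinfo($nodeinfo, 'mail_port') {
      /^(\d+)$/: { $mail_port = $1 }
      default: { $mail_port = 'smtp' }
    }

    # \$SMTP_SOURCES and \$SMTP_V6_SOURCES are escaped so Puppet leaves them
    # literal; they are variables on the ferm side.
    @ferm::rule { "dsa-exim":
            description     => "Allow SMTP",
            rule            => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)"
    }
    @ferm::rule { "dsa-exim-v6":
            description     => "Allow SMTP",
            domain          => "ip6",
            rule            => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
    }
    # Do we actually want this?  I'm only doing it because it's harmless
    # and makes the logs quiet.  There are better ways of making logs quiet,
    # though.
    # NOTE(review): unlike the SMTP rules, no source list is passed here, so
    # this looks like it accepts tcp/113 from any address -- confirm this
    # exposure is intended.
    @ferm::rule { "dsa-ident":
            domain          => "(ip ip6)",
            description     => "Allow ident access",
            rule            => "&SERVICE(tcp, 113)"
    }
}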