e133db8643b862dee29ae6b8eadf89d31c6a2537
[mirror/dsa-puppet.git] / modules / exim / manifests / init.pp
1 class exim {
2
3         include exim::vdomain::setup
4
5         munin::check { 'ps_exim4': script => 'ps_' }
6         munin::check { 'exim_mailqueue': }
7         munin::check { 'exim_mailstats': }
8
9         munin::check { 'postfix_mailqueue':  ensure => absent }
10         munin::check { 'postfix_mailstats':  ensure => absent }
11         munin::check { 'postfix_mailvolume': ensure => absent }
12
13         package { 'exim4-daemon-heavy': ensure => installed }
14
15         Package['exim4-daemon-heavy']->Mailalias<| |>
16
17         concat::fragment { 'virtual_domain_template':
18                 target  => '/etc/exim4/virtualdomains',
19                 content => template('exim/virtualdomains.erb'),
20                 order   => 05,
21         }
22
23         service { 'exim4':
24                 ensure  => running,
25                 require => [
26                         File['/etc/exim4/exim4.conf'],
27                         Package['exim4-daemon-heavy'],
28                 ]
29         }
30
31         file { '/etc/exim4/':
32                 ensure  => directory,
33                 mode    => '0755',
34                 require => Package['exim4-daemon-heavy'],
35                 purge   => true,
36         }
37         file { '/etc/exim4/Git':
38                 ensure  => absent,
39         }
40         # git checkouts through puppet.  yummy.
41         file { '/etc/exim4/email-virtualdomains':
42                 recurse => true,
43                 source => 'puppet:///modules/exim/email-virtualdomains',
44         }
45         file { '/etc/exim4/conf.d':
46                 ensure  => directory,
47                 purge   => true,
48                 force   => true,
49                 recurse => true,
50                 source  => 'puppet:///files/empty/',
51         }
52         file { '/etc/exim4/ssl':
53                 ensure  => directory,
54                 group   => Debian-exim,
55                 mode    => '0750',
56                 purge   => true,
57         }
58         file { '/etc/exim4/exim4.conf':
59                 content => template('exim/eximconf.erb'),
60                 require => File['/etc/exim4/ssl/thishost.crt'],
61                 notify  => Service['exim4'],
62         }
63         file { '/etc/mailname':
64                 content => template('exim/mailname.erb'),
65         }
66         file { '/etc/exim4/manualroute':
67                 content => template('exim/manualroute.erb')
68         }
69         file { '/etc/exim4/locals':
70                 content => template('exim/locals.erb')
71         }
72         file { '/etc/exim4/submission-domains':
73                 content => template('exim/submission-domains.erb'),
74         }
75         file { '/etc/exim4/host_blacklist':
76                 source => 'puppet:///modules/exim/common/host_blacklist',
77         }
78         file { '/etc/exim4/blacklist':
79                 source => 'puppet:///modules/exim/common/blacklist',
80         }
81         file { '/etc/exim4/callout_users':
82                 source => 'puppet:///modules/exim/common/callout_users',
83         }
84         file { '/etc/exim4/grey_users':
85                 source => 'puppet:///modules/exim/common/grey_users',
86         }
87         file { '/etc/exim4/helo-check':
88                 source => 'puppet:///modules/exim/common/helo-check',
89         }
90         file { '/etc/exim4/localusers':
91                 source => 'puppet:///modules/exim/common/localusers',
92         }
93         file { '/etc/exim4/rbllist':
94                 source => 'puppet:///modules/exim/common/rbllist',
95         }
96         file { '/etc/exim4/rhsbllist':
97                 source => 'puppet:///modules/exim/common/rhsbllist',
98         }
99         file { '/etc/exim4/whitelist':
100                 source => 'puppet:///modules/exim/common/whitelist',
101         }
102         file { '/etc/logrotate.d/exim4-base':
103                 source => 'puppet:///modules/exim/common/logrotate-exim4-base',
104         }
105         file { '/etc/logrotate.d/exim4-paniclog':
106                 source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog'
107         }
108         file { '/etc/exim4/ssl/thishost.crt':
109                 source  => "puppet:///modules/exim/certs/${::fqdn}.crt",
110                 group   => Debian-exim,
111                 mode    => '0640',
112         }
113         file { '/etc/exim4/ssl/thishost.key':
114                 source  => "puppet:///modules/exim/certs/${::fqdn}.key",
115                 group   => Debian-exim,
116                 mode    => '0640',
117         }
118         file { '/etc/exim4/ssl/ca.crt':
119                 source  => 'puppet:///modules/exim/certs/ca.crt',
120                 group   => Debian-exim,
121                 mode    => '0640',
122         }
123         file { '/etc/exim4/ssl/ca.crl':
124                 source  => 'puppet:///modules/exim/certs/ca.crl',
125                 group   => Debian-exim,
126                 mode    => '0640',
127         }
128         file { '/var/log/exim4':
129                 ensure  => directory,
130                 mode    => '2750',
131                 owner   => Debian-exim,
132                 group   => maillog,
133         }
134
135         case getfromhash($site::nodeinfo, 'mail_port') {
136                 /^(\d+)$/: { $mail_port = $1 }
137                 default: { $mail_port = '25' }
138         }
139
140         @ferm::rule { 'dsa-exim':
141                 description => 'Allow SMTP',
142                 rule        => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)"
143         }
144
145         @ferm::rule { 'dsa-exim-v6':
146                 description => 'Allow SMTP',
147                 domain      => 'ip6',
148                 rule        => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
149         }
150         dnsextras::tlsa_record{ "tlsa-mailport":
151                 zone => 'debian.org',
152                 certfile => "/etc/puppet/modules/exim/files/certs/${::fqdn}.crt",
153                 port => "$mail_port",
154                 hostname => "$::fqdn",
155         }
156
157         # Do we actually want this?  I'm only doing it because it's harmless
158         # and makes the logs quiet.  There are better ways of making logs quiet,
159         # though.
160         @ferm::rule { 'dsa-ident':
161                 domain      => '(ip ip6)',
162                 description => 'Allow ident access',
163                 rule        => '&SERVICE(tcp, 113)'
164         }
165
166 }