Generate the apache ACL for draghi's "restricted" repo (RT#7962)
[mirror/dsa-puppet.git] / modules / roles / manifests / mailrelay.pp
index 388370a..6be074e 100644 (file)
@@ -7,17 +7,42 @@
 #   include roles::mailrelay
 #
 class roles::mailrelay {
-       include roles::pubsub::parameters
+  include exim::mailrelay
 
-       $rabbit_password = $roles::pubsub::parameters::rabbit_password
+  include roles::pubsub::parameters
 
-       roles::pubsub::config { 'emailvdomains':
-               key      => 'dsa-emailvdomains-receive',
-               exchange => dsa,
-               queue    => "email-${::fqdn}",
-               topic    => 'dsa.email.update',
-               vhost    => dsa,
-               username => $::fqdn,
-               password => $rabbit_password
-       }
+  $rabbit_password = $roles::pubsub::parameters::rabbit_password
+
+  roles::pubsub::config { 'emailvdomains':
+    key      => 'dsa-emailvdomains-receive',
+    exchange => dsa,
+    queue    => "email-${::fqdn}",
+    topic    => 'dsa.email.update',
+    vhost    => dsa,
+    username => $::fqdn,
+    password => $rabbit_password
+  }
+
+  # smtp firewalling setup
+  ###
+  @@ferm::rule::simple { "dsa-smtp-from-mailrelay-${::fqdn}":
+    tag         => 'smtp::server::to::mail-satellite',
+    description => 'Allow smtp access from a mailrelay',
+    port        => '7', # will be overwritten on collection
+    saddr       => $base::public_addresses,
+  }
+
+  ferm::rule::simple { 'submission-from-satellites':
+    target => 'submission',
+    port   => 'submission',
+  }
+  Ferm::Rule::Simple <<| tag == 'smtp::server::submission::to::mail-relay' |>>
+
+  $autocertdir = hiera('paths.auto_certs_dir')
+  dnsextras::tlsa_record{ 'tlsa-submission':
+    zone     => 'debian.org',
+    certfile => "${autocertdir}/${::fqdn}.crt",
+    port     => 587,
+    hostname => $::fqdn,
+  }
 }
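Review bot: The `submission-from-satellites` rule at the `ferm::rule::simple { 'submission-from-satellites':` line has no `saddr`, so on its own it admits the submission port from any source; the only source restriction in this hunk is the `saddr => $base::public_addresses` on the exported `dsa-smtp-from-mailrelay` rule, which applies to a different host. It looks like `target => 'submission'` is meant to jump into a chain that the collected `Ferm::Rule::Simple <<| tag == 'smtp::server::submission::to::mail-relay' |>>` resources populate with per-satellite sources, but nothing in the hunk states that, and a relay with no exporting satellites would then be left with an unrestricted rule or a jump to an undefined chain (I cannot tell which from here). Either give the rule an explicit `saddr`, or document the dependency above it: `# 'submission' chain is filled by rules exported from satellites (tag smtp::server::submission::to::mail-relay); without them this rule must not be applied`. Likewise the `port => '7', # will be overwritten on collection` placeholder deserves a sentence naming which collector rewrites it, since a reader of this file cannot verify that from the hunk.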