X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Fmanifests%2Finit.pp;h=babfa449886bcb1b5450405ca8b01780b4aa53d5;hb=ad216612f9a38a69288abbf4f2b05964467249c9;hp=0b5f7d6757f7a1de1a3400fac0e188bd528ee382;hpb=7d26e0e520afacec1f1e08112fac99b8273ac64d;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp index 0b5f7d675..babfa4498 100644 --- a/modules/exim/manifests/init.pp +++ b/modules/exim/manifests/init.pp @@ -1,149 +1,185 @@ -class exim { - activate_munin_check { - "ps_exim4": script => "ps_"; - "exim_mailqueue":; - "exim_mailstats":; - "postfix_mailqueue": ensure => absent; - "postfix_mailstats": ensure => absent; - "postfix_mailvolume": ensure => absent; +# our exim class +# @param use_smarthost use the smarthost +# @param smarthost host to relay through (if set and use_smarthost) +# @param is_bugsmx this system handles bugs.debian.org +# @param is_mailrelay this system is a mailrelay, both in and out, for debian hosts +# @param is_rtmaster this system handles rt.debian.org +# @param is_packagesmaster this system handles packages.debian.org +# @param is_packagesqamaster this system handles packages.qa.debian.org +# @param is_trackermaster this system handles tracker.debian.org +# @param mail_port override the default incoming mailport (only applicable for hosts behind an incoming relay) +# @param smarthost_port the port on which satellites send mail to the smarthost (needs to be the same on both sides) +class exim ( + Optional[String] $smarthost, + Boolean $use_smarthost = true, + Boolean $is_bugsmx = false, + Boolean $is_mailrelay = false, + Boolean $is_rtmaster = false, + Boolean $is_packagesmaster = false, + Boolean $is_packagesqamaster = false, + Boolean $is_trackermaster = false, + Integer $smarthost_port = 587, + Optional[Integer] $mail_port = undef, +) { + if $use_smarthost { + $heavy = false + + if ! smarthost { + fail('No smarthost set but use_smarthost is true') + } + } else { + $heavy = true + if $mail_port { + fail('Cannot override mail_port in heavy/no-smarthost hosts') } + } + munin::check { 'ps_exim4': script => 'ps_' } + munin::check { 'exim_mailqueue': } + munin::check { 'exim_mailstats': } - package { exim4-daemon-heavy: ensure => installed } + munin::check { 'postfix_mailqueue': ensure => absent } + munin::check { 'postfix_mailstats': ensure => absent } + munin::check { 'postfix_mailvolume': ensure => absent } - file { - "/etc/exim4/": - ensure => directory, - owner => root, - group => root, - mode => 755, - purge => true - ; - "/etc/exim4/ssl": - ensure => directory, - owner => root, - group => Debian-exim, - mode => 750, - require => Package["exim4-daemon-heavy"], - purge => true - ; - "/etc/mailname": - content => template("exim/mailname.erb"), - ; - "/etc/exim4/exim4.conf": - content => template("exim/eximconf.erb"), - require => Package["exim4-daemon-heavy"], - notify => Exec["exim4 reload"] - ; - "/etc/exim4/manualroute": - require => Package["exim4-daemon-heavy"], - content => template("exim/manualroute.erb") - ; - "/etc/exim4/host_blacklist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/host_blacklist", - "puppet:///exim/common/host_blacklist" ] - ; - "/etc/exim4/blacklist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/blacklist", - "puppet:///exim/common/blacklist" ] - ; - "/etc/exim4/callout_users": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/callout_users", - "puppet:///exim/common/callout_users" ] - ; - "/etc/exim4/grey_users": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/grey_users", - "puppet:///exim/common/grey_users" ] - ; - "/etc/exim4/helo-check": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/helo-check", - "puppet:///exim/common/helo-check" ] - ; - "/etc/exim4/locals": - require => Package["exim4-daemon-heavy"], - content => template("exim/locals.erb") - ; - "/etc/exim4/localusers": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/localusers", - "puppet:///exim/common/localusers" ] - ; - "/etc/exim4/rbllist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/rbllist", - "puppet:///exim/common/rbllist" ] - ; - "/etc/exim4/rcpthosts": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/rcpthosts", - "puppet:///exim/common/rcpthosts" ] - ; - "/etc/exim4/rhsbllist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/rhsbllist", - "puppet:///exim/common/rhsbllist" ] - ; - "/etc/exim4/virtualdomains": - require => Package["exim4-daemon-heavy"], - content => template("exim/virtualdomains.erb") - ; - "/etc/exim4/whitelist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/whitelist", - "puppet:///exim/common/whitelist" ] - ; - "/etc/logrotate.d/exim4-base": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/logrotate-exim4-base", - "puppet:///exim/common/logrotate-exim4-base" ] - ; - "/etc/logrotate.d/exim4-paniclog": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/logrotate-exim4-paniclog", - "puppet:///exim/common/logrotate-exim4-paniclog" ] - ; - "/etc/exim4/local-auto.conf": - require => Package["exim4-daemon-heavy"], - content => template("exim-local-auto.erb"), - notify => Exec["exim4 reload"] - ; - "/etc/exim4/ssl/thishost.crt": - require => Package["exim4-daemon-heavy"], - source => "puppet:///exim/certs/$fqdn.crt", - owner => root, - group => Debian-exim, - mode => 640 - ; - "/etc/exim4/ssl/thishost.key": - require => Package["exim4-daemon-heavy"], - source => "puppet:///exim/certs/$fqdn.key", - owner => root, - group => Debian-exim, - mode => 640 - ; - "/etc/exim4/ssl/ca.crt": - require => Package["exim4-daemon-heavy"], - source => "puppet:///exim/certs/ca.crt", - owner => root, - group => Debian-exim, - mode => 640 - ; - "/etc/exim4/ssl/ca.crl": - require => Package["exim4-daemon-heavy"], - source => "puppet:///exim/certs/ca.crl", - owner => root, - group => Debian-exim, - mode => 640 - ; - } + package { 'exim4-daemon-heavy': ensure => installed } - exec { "exim4 reload": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } + Package['exim4-daemon-heavy']->Mailalias<| |> + + service { 'exim4': + ensure => running, + require => [ + File['/etc/exim4/exim4.conf'], + Package['exim4-daemon-heavy'], + ] + } + + file { '/etc/exim4/': + ensure => directory, + mode => '0755', + require => Package['exim4-daemon-heavy'], + purge => true, + } + file { '/etc/exim4/conf.d': + ensure => directory, + purge => true, + force => true, + recurse => true, + source => 'puppet:///files/empty/', + } + file { '/etc/exim4/ssl': + ensure => directory, + group => 'Debian-exim', + mode => '0750', + purge => true, + } + file { '/etc/exim4/exim4.conf': + content => template('exim/eximconf.erb'), + require => File['/etc/exim4/ssl/thishost.crt'], + notify => Service['exim4'], + } + file { '/etc/mailname': + content => template('exim/mailname.erb'), + } + + concat { '/etc/exim4/virtualdomains': } + concat::fragment { 'virtualdomains_header': + target => '/etc/exim4/virtualdomains', + content => template('exim/virtualdomains.header.erb'), + order => '00', + } + + file { '/etc/exim4/locals': + content => template('exim/locals.erb') + } + + concat { '/etc/exim4/submission-domains': + ensure_newline => true, + warn => @(EOF), + ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. + | EOF + } + + file { '/etc/exim4/host_blacklist': + source => 'puppet:///modules/exim/common/host_blacklist', + } + file { '/etc/exim4/blacklist': + source => 'puppet:///modules/exim/common/blacklist', + } + file { '/etc/exim4/callout_users': + source => 'puppet:///modules/exim/common/callout_users', + } + file { '/etc/exim4/grey_users': + source => 'puppet:///modules/exim/common/grey_users', + } + file { '/etc/exim4/helo-check': + source => 'puppet:///modules/exim/common/helo-check', + } + file { '/etc/exim4/localusers': + source => 'puppet:///modules/exim/common/localusers', + } + file { '/etc/exim4/rbllist': + source => 'puppet:///modules/exim/common/rbllist', + } + file { '/etc/exim4/rhsbllist': + source => 'puppet:///modules/exim/common/rhsbllist', + } + file { '/etc/exim4/whitelist': + source => 'puppet:///modules/exim/common/whitelist', + } + file { '/etc/logrotate.d/exim4-base': + source => 'puppet:///modules/exim/common/logrotate-exim4-base', + } + file { '/etc/logrotate.d/exim4-paniclog': + source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog' + } + file { '/etc/exim4/ssl/thishost.crt': + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'), + group => 'Debian-exim', + mode => '0640', + } + file { '/etc/exim4/ssl/thishost.key': + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'), + group => 'Debian-exim', + mode => '0640', + } + file { '/etc/exim4/ssl/ca.crt': + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crt") %>'), + group => 'Debian-exim', + mode => '0640', + } + file { '/etc/exim4/ssl/ca.crl': + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crl") %>'), + group => 'Debian-exim', + mode => '0640', + } + file { '/var/log/exim4': + ensure => directory, + mode => '2750', + owner => 'Debian-exim', + group => maillog, + } + + # Do we actually want this? I'm only doing it because it's harmless + # and makes the logs quiet. There are better ways of making logs quiet, + # though. + ferm::rule { 'dsa-ident': + domain => '(ip ip6)', + description => 'Allow ident access', + rule => '&SERVICE(tcp, 113)' + } + + # These only affect the alias @$fqdn, not say, @debian.org + + mailalias { [ + 'postmaster', + 'hostmaster', + 'usenet', + 'webmaster', + 'abuse', + 'noc', + 'security', + ]: + ensure => absent + } }