X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Fmanifests%2Finit.pp;h=babfa449886bcb1b5450405ca8b01780b4aa53d5;hb=ad216612f9a38a69288abbf4f2b05964467249c9;hp=4a213f9aa51c9aaccb96403cff136c2c213615d9;hpb=215ea6ef7a868fe83c46a02fa84a06e3e2631ed6;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp index 4a213f9aa..babfa4498 100644 --- a/modules/exim/manifests/init.pp +++ b/modules/exim/manifests/init.pp @@ -1,148 +1,185 @@ -class exim { +# our exim class +# @param use_smarthost use the smarthost +# @param smarthost host to relay through (if set and use_smarthost) +# @param is_bugsmx this system handles bugs.debian.org +# @param is_mailrelay this system is a mailrelay, both in and out, for debian hosts +# @param is_rtmaster this system handles rt.debian.org +# @param is_packagesmaster this system handles packages.debian.org +# @param is_packagesqamaster this system handles packages.qa.debian.org +# @param is_trackermaster this system handles tracker.debian.org +# @param mail_port override the default incoming mailport (only applicable for hosts behind an incoming relay) +# @param smarthost_port the port on which satellites send mail to the smarthost (needs to be the same on both sides) +class exim ( + Optional[String] $smarthost, + Boolean $use_smarthost = true, + Boolean $is_bugsmx = false, + Boolean $is_mailrelay = false, + Boolean $is_rtmaster = false, + Boolean $is_packagesmaster = false, + Boolean $is_packagesqamaster = false, + Boolean $is_trackermaster = false, + Integer $smarthost_port = 587, + Optional[Integer] $mail_port = undef, +) { + if $use_smarthost { + $heavy = false - munin::check { 'ps_exim4': script => 'ps_' } - munin::check { 'exim_mailqueue': } - munin::check { 'exim_mailstats': } + if ! smarthost { + fail('No smarthost set but use_smarthost is true') + } + } else { + $heavy = true + if $mail_port { + fail('Cannot override mail_port in heavy/no-smarthost hosts') + } + } - munin::check { 'postfix_mailqueue': ensure => absent } - munin::check { 'postfix_mailstats': ensure => absent } - munin::check { 'postfix_mailvolume': ensure => absent } + munin::check { 'ps_exim4': script => 'ps_' } + munin::check { 'exim_mailqueue': } + munin::check { 'exim_mailstats': } - package { 'exim4-daemon-heavy': ensure => installed } + munin::check { 'postfix_mailqueue': ensure => absent } + munin::check { 'postfix_mailstats': ensure => absent } + munin::check { 'postfix_mailvolume': ensure => absent } - service { 'exim4': - ensure => running, - require => File['/etc/exim4/exim4.conf'], - } + package { 'exim4-daemon-heavy': ensure => installed } - file { '/etc/exim4/': - ensure => directory, - mode => '0755', - require => Package['exim4-daemon-heavy'], - purge => true, - } - file { '/etc/exim4/Git': - ensure => directory, - purge => true, - force => true, - recurse => true, - source => 'puppet:///files/empty/', - } - file { '/etc/exim4/conf.d': - ensure => directory, - purge => true, - force => true, - recurse => true, - source => 'puppet:///files/empty/', - } - file { '/etc/exim4/ssl': - ensure => directory, - group => Debian-exim, - mode => '0750', - purge => true, - } - file { '/etc/exim4/exim4.conf': - content => template('exim/eximconf.erb'), - notify => Service['exim4'], - } - file { '/etc/mailname': - content => template('exim/mailname.erb'), - } - file { '/etc/exim4/manualroute': - content => template('exim/manualroute.erb') - } - file { '/etc/exim4/locals': - content => template('exim/locals.erb') - } - file { '/etc/exim4/virtualdomains': - content => template('exim/virtualdomains.erb'), - } - file { '/etc/exim4/submission-domains': - content => template('exim/submission-domains.erb'), - } - file { '/etc/exim4/host_blacklist': - source => 'puppet:///modules/exim/common/host_blacklist', - } - file { '/etc/exim4/blacklist': - source => 'puppet:///modules/exim/common/blacklist', - } - file { '/etc/exim4/callout_users': - source => 'puppet:///modules/exim/common/callout_users', - } - file { '/etc/exim4/grey_users': - source => 'puppet:///modules/exim/common/grey_users', - } - file { '/etc/exim4/helo-check': - source => 'puppet:///modules/exim/common/helo-check', - } - file { '/etc/exim4/localusers': - source => 'puppet:///modules/exim/common/localusers', - } - file { '/etc/exim4/rbllist': - source => 'puppet:///modules/exim/common/rbllist', - } - file { '/etc/exim4/rhsbllist': - source => 'puppet:///modules/exim/common/rhsbllist', - } - file { '/etc/exim4/whitelist': - source => 'puppet:///modules/exim/common/whitelist', - } - file { '/etc/logrotate.d/exim4-base': - source => 'puppet:///modules/exim/common/logrotate-exim4-base', - } - file { '/etc/logrotate.d/exim4-paniclog': - source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog' - } - file { '/etc/exim4/ssl/thishost.crt': - source => "puppet:///modules/exim/certs/${::fqdn}.crt", - group => Debian-exim, - mode => '0640', - } - file { '/etc/exim4/ssl/thishost.key': - source => "puppet:///modules/exim/certs/${::fqdn}.key", - group => Debian-exim, - mode => '0640', - } - file { '/etc/exim4/ssl/ca.crt': - source => 'puppet:///modules/exim/certs/ca.crt', - group => Debian-exim, - mode => '0640', - } - file { '/etc/exim4/ssl/ca.crl': - source => 'puppet:///modules/exim/certs/ca.crl', - group => Debian-exim, - mode => '0640', - } - file { '/var/log/exim4': - ensure => directory, - mode => '2750', - owner => Debian-exim, - group => maillog, - } + Package['exim4-daemon-heavy']->Mailalias<| |> - case getfromhash($site::nodeinfo, 'mail_port') { - /^(\d+)$/: { $mail_port = $1 } - default: { $mail_port = 'smtp' } - } + service { 'exim4': + ensure => running, + require => [ + File['/etc/exim4/exim4.conf'], + Package['exim4-daemon-heavy'], + ] + } - @ferm::rule { 'dsa-exim': - description => 'Allow SMTP', - rule => '&SERVICE_RANGE(tcp, $mail_port, $SMTP_SOURCES)' - } + file { '/etc/exim4/': + ensure => directory, + mode => '0755', + require => Package['exim4-daemon-heavy'], + purge => true, + } + file { '/etc/exim4/conf.d': + ensure => directory, + purge => true, + force => true, + recurse => true, + source => 'puppet:///files/empty/', + } + file { '/etc/exim4/ssl': + ensure => directory, + group => 'Debian-exim', + mode => '0750', + purge => true, + } + file { '/etc/exim4/exim4.conf': + content => template('exim/eximconf.erb'), + require => File['/etc/exim4/ssl/thishost.crt'], + notify => Service['exim4'], + } + file { '/etc/mailname': + content => template('exim/mailname.erb'), + } - @ferm::rule { 'dsa-exim-v6': - description => 'Allow SMTP', - domain => 'ip6', - rule => '&SERVICE_RANGE(tcp, $mail_port, $SMTP_V6_SOURCES)' - } + concat { '/etc/exim4/virtualdomains': } + concat::fragment { 'virtualdomains_header': + target => '/etc/exim4/virtualdomains', + content => template('exim/virtualdomains.header.erb'), + order => '00', + } - # Do we actually want this? I'm only doing it because it's harmless - # and makes the logs quiet. There are better ways of making logs quiet, - # though. - @ferm::rule { 'dsa-ident': - domain => '(ip ip6)', - description => 'Allow ident access', - rule => '&SERVICE(tcp, 113)' - } + file { '/etc/exim4/locals': + content => template('exim/locals.erb') + } + concat { '/etc/exim4/submission-domains': + ensure_newline => true, + warn => @(EOF), + ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. + | EOF + } + + file { '/etc/exim4/host_blacklist': + source => 'puppet:///modules/exim/common/host_blacklist', + } + file { '/etc/exim4/blacklist': + source => 'puppet:///modules/exim/common/blacklist', + } + file { '/etc/exim4/callout_users': + source => 'puppet:///modules/exim/common/callout_users', + } + file { '/etc/exim4/grey_users': + source => 'puppet:///modules/exim/common/grey_users', + } + file { '/etc/exim4/helo-check': + source => 'puppet:///modules/exim/common/helo-check', + } + file { '/etc/exim4/localusers': + source => 'puppet:///modules/exim/common/localusers', + } + file { '/etc/exim4/rbllist': + source => 'puppet:///modules/exim/common/rbllist', + } + file { '/etc/exim4/rhsbllist': + source => 'puppet:///modules/exim/common/rhsbllist', + } + file { '/etc/exim4/whitelist': + source => 'puppet:///modules/exim/common/whitelist', + } + file { '/etc/logrotate.d/exim4-base': + source => 'puppet:///modules/exim/common/logrotate-exim4-base', + } + file { '/etc/logrotate.d/exim4-paniclog': + source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog' + } + file { '/etc/exim4/ssl/thishost.crt': + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'), + group => 'Debian-exim', + mode => '0640', + } + file { '/etc/exim4/ssl/thishost.key': + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'), + group => 'Debian-exim', + mode => '0640', + } + file { '/etc/exim4/ssl/ca.crt': + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crt") %>'), + group => 'Debian-exim', + mode => '0640', + } + file { '/etc/exim4/ssl/ca.crl': + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crl") %>'), + group => 'Debian-exim', + mode => '0640', + } + file { '/var/log/exim4': + ensure => directory, + mode => '2750', + owner => 'Debian-exim', + group => maillog, + } + + # Do we actually want this? I'm only doing it because it's harmless + # and makes the logs quiet. There are better ways of making logs quiet, + # though. + ferm::rule { 'dsa-ident': + domain => '(ip ip6)', + description => 'Allow ident access', + rule => '&SERVICE(tcp, 113)' + } + + # These only affect the alias @$fqdn, not say, @debian.org + + mailalias { [ + 'postmaster', + 'hostmaster', + 'usenet', + 'webmaster', + 'abuse', + 'noc', + 'security', + ]: + ensure => absent + } }