Move TLSA for submission port from exim::mx role to the mailrelay role
authorPeter Palfrader <peter@palfrader.org>
Sun, 22 Sep 2019 09:43:35 +0000 (11:43 +0200)
committerPeter Palfrader <peter@palfrader.org>
Sun, 22 Sep 2019 09:43:44 +0000 (11:43 +0200)
modules/exim/manifests/mx.pp
modules/roles/manifests/mailrelay.pp

index bcee6aa..bf7fd5e 100644 (file)
@@ -23,13 +23,6 @@ class exim::mx(
     notify => Service['exim4'],
   }
 
-  $autocertdir = hiera('paths.auto_certs_dir')
-  dnsextras::tlsa_record{ 'tlsa-submission':
-    zone     => 'debian.org',
-    certfile => "${autocertdir}/${::fqdn}.crt",
-    port     => 587,
-    hostname => $::fqdn,
-  }
   package { 'monitoring-plugins-standard':
     ensure => installed,
   }
index 87b9263..6be074e 100644 (file)
@@ -37,4 +37,12 @@ class roles::mailrelay {
     port   => 'submission',
   }
   Ferm::Rule::Simple <<| tag == 'smtp::server::submission::to::mail-relay' |>>
+
+  $autocertdir = hiera('paths.auto_certs_dir')
+  dnsextras::tlsa_record{ 'tlsa-submission':
+    zone     => 'debian.org',
+    certfile => "${autocertdir}/${::fqdn}.crt",
+    port     => 587,
+    hostname => $::fqdn,
+  }
 }
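Review bot: The TLSA record added at the end of roles::mailrelay is computed from `${autocertdir}/${::fqdn}.crt`, but nothing visible in this hunk ties that file to the certificate exim actually presents on port 587. If the two diverge, for example during a certificate rollover, clients that validate DANE will fail the submission connection. A short comment above the resource would record that dependency, e.g. `# TLSA for submission (587): must match the cert exim serves on this host, including across cert rollover`. The port is also written as `587` here while the ferm rule just above uses `'submission'`, which the same comment could mention. The class body starts outside this hunk, so it is worth confirming that `$autocertdir` is not already assigned earlier in roles::mailrelay.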