From 368e147f10b8e748f7e171a15568a94d79599039 Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Sat, 21 Sep 2019 18:40:18 +0200 Subject: [PATCH] move exim vs. postfix, heavy vs. not, into hiera --- data/common.yaml | 1 + data/nodes/bendel.debian.org.yaml | 1 + data/nodes/buxtehude.debian.org.yaml | 1 + data/nodes/draghi.debian.org.yaml | 2 ++ data/nodes/godard.debian.org.yaml | 1 + data/nodes/mailly.debian.org.yaml | 5 +--- data/nodes/muffat.debian.org.yaml | 5 +--- data/nodes/nono.debian.org.yaml | 2 ++ data/nodes/picconi.debian.org.yaml | 1 + data/nodes/pinel.debian.org.yaml | 4 +++- data/nodes/quantz.debian.org.yaml | 2 ++ data/nodes/reger.debian.org.yaml | 2 ++ data/nodes/tye.debian.org.yaml | 2 ++ data/nodes/vento.debian.org.yaml | 2 ++ data/nodes/wuiet.debian.org.yaml | 1 + hieradata/nodes/master.debian.org.yaml | 2 ++ manifests/site.pp | 12 ---------- modules/base/manifests/includes.pp | 2 ++ modules/exim/manifests/init.pp | 15 ++++++++++++ modules/exim/manifests/mx.pp | 7 +++++- modules/exim/templates/eximconf.erb | 32 +++++++++++--------------- modules/nagios/manifests/server.pp | 4 ++++ modules/roles/manifests/mailrelay.pp | 2 ++ modules/roles/manifests/mta.pp | 27 ++++++++++++++++++++++ 24 files changed, 94 insertions(+), 41 deletions(-) create mode 100644 hieradata/nodes/master.debian.org.yaml create mode 100644 modules/roles/manifests/mta.pp diff --git a/data/common.yaml b/data/common.yaml index e53f7e4c7..e724e5fdd 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -12,6 +12,7 @@ resolv::nameservers: [] resolv::searchpaths: ['debian.org'] staticsync::user: 'staticsync' staticsync::basedir: '/srv/static.debian.org' +exim::smarthost: 'mailout.debian.org' roles::dns_primary::allow_access: # easydns diff --git a/data/nodes/bendel.debian.org.yaml b/data/nodes/bendel.debian.org.yaml index 079643587..7b8c89627 100644 --- a/data/nodes/bendel.debian.org.yaml +++ b/data/nodes/bendel.debian.org.yaml @@ -2,4 +2,5 @@ classes: - roles::lists +roles::mta::type: 'postfix' postfix::manage_maincf: false diff --git a/data/nodes/buxtehude.debian.org.yaml b/data/nodes/buxtehude.debian.org.yaml index b93b9648d..498ea1454 100644 --- a/data/nodes/buxtehude.debian.org.yaml +++ b/data/nodes/buxtehude.debian.org.yaml @@ -6,4 +6,5 @@ apache2::smaller_number_of_threads: true # debbugs cgis like to fork and don't deal well with EAGAIN apache2::rlimitnproc: 450 +roles::mta::heavy: true exim::is_bugsmx: true diff --git a/data/nodes/draghi.debian.org.yaml b/data/nodes/draghi.debian.org.yaml index a2da6fda0..22dd9cf0b 100644 --- a/data/nodes/draghi.debian.org.yaml +++ b/data/nodes/draghi.debian.org.yaml @@ -1,3 +1,5 @@ --- classes: - roles::dbmaster + +roles::mta::heavy: true diff --git a/data/nodes/godard.debian.org.yaml b/data/nodes/godard.debian.org.yaml index 65baf3d7d..bc631fe87 100644 --- a/data/nodes/godard.debian.org.yaml +++ b/data/nodes/godard.debian.org.yaml @@ -2,3 +2,4 @@ classes: - salsa ssl::insecure_ssl: true +roles::mta::type: 'postfix' diff --git a/data/nodes/mailly.debian.org.yaml b/data/nodes/mailly.debian.org.yaml index 806a80296..1d9d610d7 100644 --- a/data/nodes/mailly.debian.org.yaml +++ b/data/nodes/mailly.debian.org.yaml @@ -1,5 +1,2 @@ --- -classes: - - roles::mailrelay - -exim::is_mailrelay: true +roles::mta::mailrelay: true diff --git a/data/nodes/muffat.debian.org.yaml b/data/nodes/muffat.debian.org.yaml index 806a80296..1d9d610d7 100644 --- a/data/nodes/muffat.debian.org.yaml +++ b/data/nodes/muffat.debian.org.yaml @@ -1,5 +1,2 @@ --- -classes: - - roles::mailrelay - -exim::is_mailrelay: true +roles::mta::mailrelay: true diff --git a/data/nodes/nono.debian.org.yaml b/data/nodes/nono.debian.org.yaml index 50b093514..fa2ac0eea 100644 --- a/data/nodes/nono.debian.org.yaml +++ b/data/nodes/nono.debian.org.yaml @@ -2,3 +2,5 @@ classes: - roles::contributors - roles::nm + +roles::mta::heavy: true diff --git a/data/nodes/picconi.debian.org.yaml b/data/nodes/picconi.debian.org.yaml index 96e5afa81..fbb0873c0 100644 --- a/data/nodes/picconi.debian.org.yaml +++ b/data/nodes/picconi.debian.org.yaml @@ -3,3 +3,4 @@ classes: - roles::packages exim::is_packagesmaster: true +roles::mta::heavy: true diff --git a/data/nodes/pinel.debian.org.yaml b/data/nodes/pinel.debian.org.yaml index d8342f799..08a63277e 100644 --- a/data/nodes/pinel.debian.org.yaml +++ b/data/nodes/pinel.debian.org.yaml @@ -1,4 +1,6 @@ --- -apache2::smaller_number_of_threads: true classes: - roles::popcon + +apache2::smaller_number_of_threads: true +roles::mta::heavy: true diff --git a/data/nodes/quantz.debian.org.yaml b/data/nodes/quantz.debian.org.yaml index 1b9003781..7d117b075 100644 --- a/data/nodes/quantz.debian.org.yaml +++ b/data/nodes/quantz.debian.org.yaml @@ -7,3 +7,5 @@ apache2::mpm: prefork apache2::rlimitmem: 314572800 exim::is_packagesqamaster: true + +roles::mta::heavy: true diff --git a/data/nodes/reger.debian.org.yaml b/data/nodes/reger.debian.org.yaml index dc19277a9..8271be5af 100644 --- a/data/nodes/reger.debian.org.yaml +++ b/data/nodes/reger.debian.org.yaml @@ -1,4 +1,6 @@ --- classes: - roles::rtmaster + exim::is_rtmaster: true +roles::mta::heavy: true diff --git a/data/nodes/tye.debian.org.yaml b/data/nodes/tye.debian.org.yaml index b8e7d383b..72d13e083 100644 --- a/data/nodes/tye.debian.org.yaml +++ b/data/nodes/tye.debian.org.yaml @@ -2,3 +2,5 @@ classes: - roles::i18n - roles::l10n + +roles::mta::heavy: true diff --git a/data/nodes/vento.debian.org.yaml b/data/nodes/vento.debian.org.yaml index 796f4e3ef..3b4fcedf7 100644 --- a/data/nodes/vento.debian.org.yaml +++ b/data/nodes/vento.debian.org.yaml @@ -1,3 +1,5 @@ --- classes: - roles::vote + +roles::mta::heavy: true diff --git a/data/nodes/wuiet.debian.org.yaml b/data/nodes/wuiet.debian.org.yaml index 21baec76d..94ee4da0f 100644 --- a/data/nodes/wuiet.debian.org.yaml +++ b/data/nodes/wuiet.debian.org.yaml @@ -3,3 +3,4 @@ classes: - roles::buildd_master apache2::mpm: prefork +roles::mta::heavy: true diff --git a/hieradata/nodes/master.debian.org.yaml b/hieradata/nodes/master.debian.org.yaml new file mode 100644 index 000000000..891db1fa0 --- /dev/null +++ b/hieradata/nodes/master.debian.org.yaml @@ -0,0 +1,2 @@ +--- +roles::mta::heavy: true diff --git a/manifests/site.pp b/manifests/site.pp index 6ff112d29..29ac94ff4 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -41,18 +41,6 @@ node default { include acpi } - if $::mta == 'exim4' { - if getfromhash($deprecated::nodeinfo, 'heavy_exim') { - include exim::mx - } else { - include exim - } - } elsif $::mta == 'postfix' { - include postfix - } else { - include exim - } - if $::apache2 { include apache2 } diff --git a/modules/base/manifests/includes.pp b/modules/base/manifests/includes.pp index d87354423..9102c2c0d 100644 --- a/modules/base/manifests/includes.pp +++ b/modules/base/manifests/includes.pp @@ -1,4 +1,6 @@ class base::includes { + include mta + include munin include syslog_ng include sudo diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp index fec2db555..fd4173273 100644 --- a/modules/exim/manifests/init.pp +++ b/modules/exim/manifests/init.pp @@ -1,4 +1,13 @@ +# our exim class +# @param smarthost host to relay through (if unset) +# @param is_bugsmx this system handles bugs.debian.org +# @param is_mailrelay this system is a mailrelay, both in and out, for debian hosts +# @param is_rtmaster this system handles rt.debian.org +# @param is_packagesmaster this system handles packagesrt.debian.org +# @param is_packagesqamaster this system handles packages.qa.debian.org +# @param smarthost_port the port on which satellites send mail to the smarthost class exim ( + Optional[String] $smarthost, Boolean $is_bugsmx = false, Boolean $is_mailrelay = false, Boolean $is_rtmaster = false, @@ -9,6 +18,12 @@ class exim ( include exim::vdomain::setup include debian_org::mail_incoming_port + if $smarthost { + $heavy = false + } else { + $heavy = true + } + munin::check { 'ps_exim4': script => 'ps_' } munin::check { 'exim_mailqueue': } munin::check { 'exim_mailstats': } diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp index 833ba262c..fa36ec8c1 100644 --- a/modules/exim/manifests/mx.pp +++ b/modules/exim/manifests/mx.pp @@ -1,4 +1,9 @@ -class exim::mx inherits exim { +# our heavy exim class +class exim::mx { + class { 'exim': + smarthost => Undef, + } + include clamav include postgrey include fail2ban::exim diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 27f06b997..7cd6738a2 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -76,7 +76,7 @@ # MAIN CONFIGURATION SETTINGS # ###################################################################### -<%- if scope.lookupvar('deprecated::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('deprecated::nodeinfo')['heavy_exim'] -%> +<%- if @heavy -%> perl_startup = do '/etc/exim4/exim_surbl.pl' <%- end -%> @@ -87,7 +87,7 @@ acl_smtp_helo = check_helo acl_smtp_rcpt = ${if ={$interface_port}{587} {check_submission}{check_recipient}} acl_smtp_data = check_message -<%- if scope.lookupvar('deprecated::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('deprecated::nodeinfo')['heavy_exim'] -%> +<%- if @heavy -%> acl_smtp_mime = acl_check_mime <%- end -%> acl_smtp_predata = acl_check_predata @@ -174,7 +174,7 @@ timeout_frozen_after=14d message_size_limit = 100M message_logs = false smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}} -<%- if scope.lookupvar('deprecated::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('deprecated::nodeinfo')['heavy_exim'] -%> +<%- if @heavy -%> smtp_accept_max = 300 smtp_accept_queue = 200 smtp_accept_queue_per_connection = 50 @@ -193,7 +193,7 @@ check_spool_space = 20M delay_warning = -<%- if scope.lookupvar('deprecated::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('deprecated::nodeinfo')['heavy_exim'] -%> +<%- if @heavy -%> message_body_visible = 5000 queue_run_max = 50 deliver_queue_load_max = 50 @@ -409,7 +409,7 @@ check_helo: accept verify = certificate <%- end -%> -<%- if scope.lookupvar('deprecated::nodeinfo')['smarthost'].empty? -%> +<%- unless @smarthost -%> # These are in HELO acl so that they are only run once. They increment a counter, # so we don't want it to increment per rcpt to. @@ -817,7 +817,7 @@ check_recipient: accept local_parts = +postmasterish domains = +virtual_domains : +bsmtp_domains -<%- if scope.lookupvar('deprecated::nodeinfo')['smarthost'].empty? -%> +<%- unless @smarthost -%> deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text dnslists = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\ @@ -837,7 +837,7 @@ check_recipient: domains = +handled_domains !hosts = +debianhosts : WHITELIST -<%- if scope.lookupvar('deprecated::nodeinfo')['smarthost'].empty? -%> +<%- unless @smarthost -%> deny domains = +handled_domains local_parts = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\ @@ -865,7 +865,7 @@ check_recipient: deny message = relay not permitted -<%- if scope.lookupvar('deprecated::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('deprecated::nodeinfo')['heavy_exim'] -%> +<%- if @heavy -%> acl_check_mime: accept verify = certificate @@ -980,7 +980,7 @@ check_message: message = X-malware detected: $malware_name <%- end -%> -<%- if scope.lookupvar('deprecated::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('deprecated::nodeinfo')['heavy_exim'] -%> +<%- if @heavy -%> discard condition = ${if <{$message_size}{256000}} condition = ${if eq {$acl_m_prf}{blackhole}} set acl_m_srb = ${perl{surblspamcheck}} @@ -1083,23 +1083,17 @@ ipliteral: transport = remote_smtp ignore_target_hosts = +reservedaddrs -<%= -out = "" -if not scope.lookupvar('deprecated::nodeinfo')['smarthost'].empty? -out = " +<%- if @smarthost -%> smarthost: debug_print = \"R: smarthost for $local_part@$domain\" driver = manualroute domains = !+handled_domains transport = remote_smtp_smarthost - route_list = * #{scope.lookupvar('deprecated::nodeinfo')['smarthost']} + route_list = * <%= @smarthost %> host_find_failed = defer same_domain_copy_routing = yes no_more -" -end -out -%> +<%- end -%> # This router routes to remote hosts over SMTP using a DNS lookup. # Ignore reserved network responses, including localhost. @@ -1577,7 +1571,7 @@ remote_smtp: tls_certificate = /etc/exim4/ssl/thishost.crt tls_privatekey = /etc/exim4/ssl/thishost.key -<%- if not scope.lookupvar('deprecated::nodeinfo')['smarthost'].empty? -%> +<%- if @smarthost -%> remote_smtp_smarthost: debug_print = "T: remote_smtp_smarthost for $local_part@$domain" driver = smtp diff --git a/modules/nagios/manifests/server.pp b/modules/nagios/manifests/server.pp index a8c1f6351..2e7b1eba0 100644 --- a/modules/nagios/manifests/server.pp +++ b/modules/nagios/manifests/server.pp @@ -1,3 +1,7 @@ +# our nagios server class +# +# it includes stored ferm configs for all the things it needs to access +# which are then collected by the monitored services class nagios::server { include apache2 include apache2::ssl diff --git a/modules/roles/manifests/mailrelay.pp b/modules/roles/manifests/mailrelay.pp index b84b13fbf..a888531e1 100644 --- a/modules/roles/manifests/mailrelay.pp +++ b/modules/roles/manifests/mailrelay.pp @@ -7,6 +7,8 @@ # include roles::mailrelay # class roles::mailrelay { + include exim::mx + include roles::pubsub::parameters $rabbit_password = $roles::pubsub::parameters::rabbit_password diff --git a/modules/roles/manifests/mta.pp b/modules/roles/manifests/mta.pp new file mode 100644 index 000000000..3ce44436a --- /dev/null +++ b/modules/roles/manifests/mta.pp @@ -0,0 +1,27 @@ +# Every one of our hosts has an MTA +# +# @param type exim4 or postfix. exim4 is our default MTA +# @param heavy receive email from the internet and thus do spam filtering etc +# @param mailrelay receive mail on other hosts' behalf. implies heavy +class roles::mta( + Enum['exim4', 'postfix'] $type = 'exim4', + Boolean $heavy = false, + Boolean $mailrelay = false, +) { + if $type == 'exim4' { + if $mailrelay { + include roles::mailrelay + } elsif $heavy { + include exim::mx + } else { + include exim + } + } elsif $type == 'postfix' { + if $mailrelay { + fail("Unsupported: mailrelay on type ${type}") + } + include postfix + } else { + fail("Unexpected mta type ${type}") + } +} -- 2.20.1