exim: allow a host to indicate that it is the master for tracker.d.o
[mirror/dsa-puppet.git] / modules / exim / manifests / init.pp
index 1857b61..babfa44 100644 (file)
-class exim {
-    activate_munin_check {
-            "ps_exim4": script => "ps_";
-            "exim_mailqueue":;
-            "exim_mailstats":;
-            "postfix_mailqueue":  ensure => absent;
-            "postfix_mailstats":  ensure => absent;
-            "postfix_mailvolume": ensure => absent;
+# our exim class
+# @param use_smarthost use the smarthost
+# @param smarthost host to relay through (if set and use_smarthost)
+# @param is_bugsmx this system handles bugs.debian.org
+# @param is_mailrelay this system is a mailrelay, both in and out, for debian hosts
+# @param is_rtmaster this system handles rt.debian.org
+# @param is_packagesmaster this system handles packages.debian.org
+# @param is_packagesqamaster this system handles packages.qa.debian.org
+# @param is_trackermaster this system handles tracker.debian.org
+# @param mail_port override the default incoming mailport (only applicable for hosts behind an incoming relay)
+# @param smarthost_port the port on which satellites send mail to the smarthost (needs to be the same on both sides)
+class exim (
+  Optional[String] $smarthost,
+  Boolean $use_smarthost = true,
+  Boolean $is_bugsmx = false,
+  Boolean $is_mailrelay = false,
+  Boolean $is_rtmaster = false,
+  Boolean $is_packagesmaster = false,
+  Boolean $is_packagesqamaster = false,
+  Boolean $is_trackermaster = false,
+  Integer $smarthost_port = 587,
+  Optional[Integer] $mail_port = undef,
+) {
+  if $use_smarthost {
+    $heavy = false
+
+    if ! smarthost {
+      fail('No smarthost set but use_smarthost is true')
+    }
+  } else {
+    $heavy = true
+    if $mail_port {
+      fail('Cannot override mail_port in heavy/no-smarthost hosts')
     }
+  }
 
+  munin::check { 'ps_exim4': script => 'ps_' }
+  munin::check { 'exim_mailqueue': }
+  munin::check { 'exim_mailstats': }
 
-    package { exim4-daemon-heavy: ensure => installed }
+  munin::check { 'postfix_mailqueue':  ensure => absent }
+  munin::check { 'postfix_mailstats':  ensure => absent }
+  munin::check { 'postfix_mailvolume': ensure => absent }
 
-    file {
-        "/etc/exim4/":
-          ensure  => directory,
-          owner   => root,
-          group   => root,
-          mode    => 755,
-          purge   => true
-        ;
-        "/etc/exim4/ssl":
-          ensure  => directory,
-          owner   => root,
-          group   => Debian-exim,
-          mode    => 750,
-          require => Package["exim4-daemon-heavy"],
-          purge   => true
-        ;
-        "/etc/mailname":
-          content => template("exim/mailname.erb"),
-        ;
-        "/etc/exim4/exim4.conf":
-          content => template("exim/eximconf.erb"),
-          require => Package["exim4-daemon-heavy"],
-          notify  => Exec["exim4 reload"]
-        ;
-        "/etc/exim4/manualroute":
-          require => Package["exim4-daemon-heavy"],
-          content => template("exim/manualroute.erb")
-          ;
-        "/etc/exim4/host_blacklist":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/host_blacklist",
-                       "puppet:///exim/common/host_blacklist" ]
-          ;
-        "/etc/exim4/blacklist":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/blacklist",
-                       "puppet:///exim/common/blacklist" ]
-          ;
-        "/etc/exim4/callout_users":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/callout_users",
-                       "puppet:///exim/common/callout_users" ]
-          ;
-        "/etc/exim4/grey_users":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/grey_users",
-                       "puppet:///exim/common/grey_users" ]
-          ;
-        "/etc/exim4/helo-check":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/helo-check",
-                       "puppet:///exim/common/helo-check" ]
-          ;
-        "/etc/exim4/locals":
-          require => Package["exim4-daemon-heavy"],
-          content => template("exim/locals.erb")
-          ;
-        "/etc/exim4/localusers":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/localusers",
-                       "puppet:///exim/common/localusers" ]
-          ;
-        "/etc/exim4/rbllist":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/rbllist",
-                       "puppet:///exim/common/rbllist" ]
-          ;
-        "/etc/exim4/rcpthosts":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/rcpthosts",
-                       "puppet:///exim/common/rcpthosts" ]
-          ;
-        "/etc/exim4/rhsbllist":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/rhsbllist",
-                       "puppet:///exim/common/rhsbllist" ]
-          ;
-        "/etc/exim4/virtualdomains":
-          require => Package["exim4-daemon-heavy"],
-          content => template("exim/virtualdomains.erb")
-          ;
-        "/etc/exim4/whitelist":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/whitelist",
-                       "puppet:///exim/common/whitelist" ]
-          ;
-        "/etc/logrotate.d/exim4-base":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/logrotate-exim4-base",
-                       "puppet:///exim/common/logrotate-exim4-base" ]
-          ;
-        "/etc/logrotate.d/exim4-paniclog":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///exim/per-host/$fqdn/logrotate-exim4-paniclog",
-                       "puppet:///exim/common/logrotate-exim4-paniclog" ]
-          ;
-        "/etc/exim4/ssl/thishost.crt":
-          require => Package["exim4-daemon-heavy"],
-          source  => "puppet:///exim/certs/$fqdn.crt",
-          owner   => root,
-          group   => Debian-exim,
-          mode    => 640
-          ;
-        "/etc/exim4/ssl/thishost.key":
-          require => Package["exim4-daemon-heavy"],
-          source  => "puppet:///exim/certs/$fqdn.key",
-          owner   => root,
-          group   => Debian-exim,
-          mode    => 640
-          ;
-        "/etc/exim4/ssl/ca.crt":
-          require => Package["exim4-daemon-heavy"],
-          source  => "puppet:///exim/certs/ca.crt",
-          owner   => root,
-          group   => Debian-exim,
-          mode    => 640
-          ;
-        "/etc/exim4/ssl/ca.crl":
-          require => Package["exim4-daemon-heavy"],
-          source  => "puppet:///exim/certs/ca.crl",
-          owner   => root,
-          group   => Debian-exim,
-          mode    => 640
-          ;
-    }
+  package { 'exim4-daemon-heavy': ensure => installed }
 
-    exec { "exim4 reload":
-        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-        refreshonly => true,
-    }
+  Package['exim4-daemon-heavy']->Mailalias<| |>
+
+  service { 'exim4':
+    ensure  => running,
+    require => [
+      File['/etc/exim4/exim4.conf'],
+      Package['exim4-daemon-heavy'],
+    ]
+  }
+
+  file { '/etc/exim4/':
+    ensure  => directory,
+    mode    => '0755',
+    require => Package['exim4-daemon-heavy'],
+    purge   => true,
+  }
+  file { '/etc/exim4/conf.d':
+    ensure  => directory,
+    purge   => true,
+    force   => true,
+    recurse => true,
+    source  => 'puppet:///files/empty/',
+  }
+  file { '/etc/exim4/ssl':
+    ensure => directory,
+    group  => 'Debian-exim',
+    mode   => '0750',
+    purge  => true,
+  }
+  file { '/etc/exim4/exim4.conf':
+    content => template('exim/eximconf.erb'),
+    require => File['/etc/exim4/ssl/thishost.crt'],
+    notify  => Service['exim4'],
+  }
+  file { '/etc/mailname':
+    content => template('exim/mailname.erb'),
+  }
+
+  concat { '/etc/exim4/virtualdomains': }
+  concat::fragment { 'virtualdomains_header':
+    target  => '/etc/exim4/virtualdomains',
+    content => template('exim/virtualdomains.header.erb'),
+    order   => '00',
+  }
+
+  file { '/etc/exim4/locals':
+    content => template('exim/locals.erb')
+  }
+
+  concat { '/etc/exim4/submission-domains':
+    ensure_newline => true,
+    warn           => @(EOF),
+    ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+    | EOF
+  }
+
+  file { '/etc/exim4/host_blacklist':
+    source => 'puppet:///modules/exim/common/host_blacklist',
+  }
+  file { '/etc/exim4/blacklist':
+    source => 'puppet:///modules/exim/common/blacklist',
+  }
+  file { '/etc/exim4/callout_users':
+    source => 'puppet:///modules/exim/common/callout_users',
+  }
+  file { '/etc/exim4/grey_users':
+    source => 'puppet:///modules/exim/common/grey_users',
+  }
+  file { '/etc/exim4/helo-check':
+    source => 'puppet:///modules/exim/common/helo-check',
+  }
+  file { '/etc/exim4/localusers':
+    source => 'puppet:///modules/exim/common/localusers',
+  }
+  file { '/etc/exim4/rbllist':
+    source => 'puppet:///modules/exim/common/rbllist',
+  }
+  file { '/etc/exim4/rhsbllist':
+    source => 'puppet:///modules/exim/common/rhsbllist',
+  }
+  file { '/etc/exim4/whitelist':
+    source => 'puppet:///modules/exim/common/whitelist',
+  }
+  file { '/etc/logrotate.d/exim4-base':
+    source => 'puppet:///modules/exim/common/logrotate-exim4-base',
+  }
+  file { '/etc/logrotate.d/exim4-paniclog':
+    source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog'
+  }
+  file { '/etc/exim4/ssl/thishost.crt':
+    content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'),
+    group   => 'Debian-exim',
+    mode    => '0640',
+  }
+  file { '/etc/exim4/ssl/thishost.key':
+    content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'),
+    group   => 'Debian-exim',
+    mode    => '0640',
+  }
+  file { '/etc/exim4/ssl/ca.crt':
+    content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crt") %>'),
+    group   => 'Debian-exim',
+    mode    => '0640',
+  }
+  file { '/etc/exim4/ssl/ca.crl':
+    content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crl") %>'),
+    group   => 'Debian-exim',
+    mode    => '0640',
+  }
+  file { '/var/log/exim4':
+    ensure => directory,
+    mode   => '2750',
+    owner  => 'Debian-exim',
+    group  => maillog,
+  }
+
+  # Do we actually want this?  I'm only doing it because it's harmless
+  # and makes the logs quiet.  There are better ways of making logs quiet,
+  # though.
+  ferm::rule { 'dsa-ident':
+    domain      => '(ip ip6)',
+    description => 'Allow ident access',
+    rule        => '&SERVICE(tcp, 113)'
+  }
+
+  # These only affect the alias @$fqdn, not say, @debian.org
+
+  mailalias { [
+    'postmaster',
+    'hostmaster',
+    'usenet',
+    'webmaster',
+    'abuse',
+    'noc',
+    'security',
+  ]:
+    ensure => absent
+  }
 }