kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

WIP Add initial cookbook and roles for email service

Browse Source
This commit is contained in:
Râu Cao
2023-12-01 09:50:35 +01:00
parent 158a9c2fbe
commit fbcf1ed5e7
23 changed files with 1587 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
site-cookbooks/kosmos_email/recipes/default.rb Normal file
View File

@@ -0,0 +1,25 @@
#
# Cookbook:: kosmos_email
# Recipe:: default
#
domain = node["email"]["domain"]
hostname = node["email"]["hostname"]
ip_addr = node["knife_zero"]["host"]
node.override["set_fqdn"] = hostname
include_recipe "hostname"
tls_cert_for hostname do
auth "gandi_dns"
action :create
end
firewall_rule "private network access" do
command :allow
protocol :tcp
source "10.1.1.0/24"
end
include_recipe 'kosmos_email::postfix'
include_recipe 'kosmos_email::dovecot'

84
site-cookbooks/kosmos_email/recipes/dovecot.rb Normal file
View File

@@ -0,0 +1,84 @@
#
# Cookbook:: kosmos_email
# Recipe:: dovecot
#
%w[
dovecot-core
dovecot-imapd
dovecot-ldap
dovecot-lmtpd
dovecot-pop3d
].each do |pkg|
apt_package pkg
end
domain = node["email"]["domain"]
hostname = node["email"]["hostname"]
ip_addr = node["knife_zero"]["host"]
credentials = Chef::EncryptedDataBagItem.load('credentials', 'email')
user "vmail" do
gid "mail"
system true
manage_home false
end
template "/etc/dovecot/dovecot.conf" do
source "dovecot.conf.erb"
mode 0644
# TODO variables protocols: "imap pop3 lmtp"
variables protocols: "imap lmtp",
# TODO find by email_proxy role
haproxy_trusted_networks: "10.1.1.167/32"
notifies :restart, "service[dovecot]", :delayed
end
template "/etc/dovecot/dovecot-ldap.conf.ext" do
source "dovecot-ldap.conf.ext.erb"
mode 0600
variables uris: "ldap://ldap.kosmos.local", # TODO add list of all IPs instead?
dn: credentials['ldap_dn'],
dnpass: credentials['ldap_dnpass'],
base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
user_attrs: "mailhome=home",
user_filter: "(&(objectClass=person)(cn=%u))",
pass_attrs: "cn=user,mailpassword=password",
pass_filter: "(&(objectClass=person)(cn=%u))",
default_pass_scheme: "BLF-CRYPT"
notifies :restart, "service[dovecot]", :delayed
end
template "/etc/dovecot/conf.d/10-auth.conf" do
source "dovecot_10-auth.conf.erb"
mode 0644
notifies :restart, "service[dovecot]", :delayed
end
template "/etc/dovecot/conf.d/10-mail.conf" do
source "dovecot_10-mail.conf.erb"
mode 0644
variables mail_uid: "vmail",
mail_gid: "mail"
notifies :restart, "service[dovecot]", :delayed
end
template "/etc/dovecot/conf.d/10-master.conf" do
source "dovecot_10-master.conf.erb"
mode 0644
notifies :restart, "service[dovecot]", :delayed
end
template "/etc/dovecot/conf.d/10-ssl.conf" do
source "dovecot_10-ssl.conf.erb"
mode 0644
variables ssl: "required",
ssl_cert: node['postfix']['main']['smtpd_tls_cert_file'],
ssl_key: node['postfix']['main']['smtpd_tls_key_file']
notifies :restart, "service[dovecot]", :delayed
end
service "dovecot" do
action [:enable, :start]
end

34
site-cookbooks/kosmos_email/recipes/firewall.rb Normal file
View File

@@ -0,0 +1,34 @@
#
# Cookbook:: kosmos_email
# Recipe:: firewall
#
firewall_rule "SMTP" do
command :allow
port 25
protocol :tcp
end
firewall_rule "SMTPS" do
command :allow
port 465
protocol :tcp
end
firewall_rule "SMTPS" do
command :allow
port 587
protocol :tcp
end
firewall_rule "IMAP" do
command :allow
port 143
protocol :tcp
end
firewall_rule "IMAPS" do
command :allow
port 993
protocol :tcp
end

144
site-cookbooks/kosmos_email/recipes/postfix.rb Normal file
View File

@@ -0,0 +1,144 @@
#
# Cookbook:: kosmos_email
# Recipe:: postfix
#
%w[
postfix
postfix-ldap
].each do |pkg|
apt_package pkg
end
domain = node["email"]["domain"]
hostname = node["email"]["hostname"]
ip_addr = node["knife_zero"]["host"]
credentials = Chef::EncryptedDataBagItem.load('credentials', 'email')
node.normal["postfix"]["mail_type"] = "master"
node.normal["postfix"]["use_relay_restrictions_maps"] = true
node.normal["postfix"]["relay_restrictions"] = { domain => "OK", hostname => "OK" }
node.normal['postfix']['main']['mydomain'] = domain
node.normal['postfix']['main']['myorigin'] = domain
node.normal['postfix']['main']['myhostname'] = hostname
node.normal['postfix']['main']['mynetworks'] = ["10.1.1.0/24", "127.0.0.0/8"]
node.normal['postfix']['main']['smtpd_use_tls'] = "yes"
node.normal['postfix']['main']['smtpd_tls_cert_file'] = "/etc/letsencrypt/live/#{hostname}/fullchain.pem"
node.normal['postfix']['main']['smtpd_tls_key_file'] = "/etc/letsencrypt/live/#{hostname}/privkey.pem"
node.normal['postfix']['main']['mailbox_transport'] = "lmtp:unix:private/dovecot-lmtp"
node.normal['postfix']['main']['virtual_transport'] = "lmtp:unix:private/dovecot-lmtp"
node.normal['postfix']['main']['smtputf8_enable'] = "no"
node.normal['postfix']['main']['recipient_delimiter'] = "+"
node.normal['postfix']['main']['alias_maps'] = "hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf"
# node.normal['postfix']['main']['virtual_mailbox_maps'] = "ldap:/etc/postfix/ldap-virtual-mailboxes.cf"
node.normal['postfix']['master'] = {
"#{ip_addr}:2525": {
"active": true,
"order": 1,
"type": "inet",
"private": false,
"maxproc": "1",
"command": "postscreen",
"args": [
"-o postscreen_upstream_proxy_protocol=haproxy",
"-o postscreen_cache_map=btree:$data_directory/postscreen_2525_cache",
"-o syslog_name=postfix/2525"
]
},
"#{ip_addr}:10587": {
"active": true,
"order": 2,
"type": "inet",
"private": false,
"chroot": true,
"command": "smtpd",
"args": [
"-o syslog_name=postfix/10587",
"-o smtpd_tls_security_level=encrypt",
"-o smtpd_tls_wrappermode=no",
"-o smtpd_sasl_auth_enable=yes",
"-o smtpd_relay_restrictions=permit_sasl_authenticated,reject",
"-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
"-o smtpd_sasl_type=dovecot",
"-o smtpd_sasl_path=private/auth",
"-o smtpd_upstream_proxy_protocol=haproxy",
]
},
"#{ip_addr}:10465": {
"active": true,
"order": 3,
"type": "inet",
"private": false,
"chroot": true,
"command": "smtpd",
"args": [
"-o syslog_name=postfix/10465",
"-o smtpd_tls_wrappermode=yes",
"-o smtpd_sasl_auth_enable=yes",
"-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
"-o smtpd_sasl_type=dovecot",
"-o smtpd_sasl_path=private/auth",
"-o smtpd_upstream_proxy_protocol=haproxy",
]
},
"smtpd": {
"active": true,
"order": 100,
"type": "pass",
"chroot": true,
"command": "smtpd",
"args": []
},
"dnsblog": {
"active": true,
"order": 101,
"type": "unix",
"chroot": true,
"maxproc": "0",
"command": "dnsblog",
"args": []
},
"tlsproxy": {
"active": true,
"order": 102,
"type": "unix",
"chroot": true,
"maxproc": "0",
"command": "tlsproxy",
"args": []
}
}
template "/etc/postfix/ldap-aliases.cf" do
source "ldap-aliases.cf.erb"
mode 0600
variables server_host: "ldap.kosmos.local",
bind_dn: credentials['ldap_dn'],
bind_pw: credentials['ldap_dnpass'],
search_base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
query_filter: "(&(objectClass=person)(cn=%u))",
result_attribute: "maildrop"
notifies :restart, "service[postfix]", :delayed
end
# template "/etc/postfix/ldap-virtual-mailboxes.cf" do
# source "ldap-virtual-mailboxes.cf.erb"
# mode 0600
# variables server_host: "ldap.kosmos.local",
# bind_dn: credentials['ldap_dn'],
# bind_pw: credentials['ldap_dnpass'],
# search_base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
# query_filter: "maildrop=%s",
# result_attribute: "mailhome",
# result_format: "%s/mail/"
# notifies :restart, "service[postfix]", :delayed
# end
include_recipe 'postfix::server'
service "postfix" do
action [:enable, :start]
end