Add WIP email domain and hostname

clients/email-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "email-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxDRdvMYKRjejoFsOxS6s\n4gj0Gsaxk/j25A5VPHBcEhr+NOh8W/6NnTTHuFMaorEIl/2kscgrcwriDN7xIFmO\nz/C1+spDLPMGSWd+422KSS3fjVfByLlMwxh171RDZBlZVze7H7CIV/rxCG7Ri85y\nPvyp2rT4ioyVGyYK3e8CiXwQckpFC1ex9VRk/GR8zbCYUIw+qbTFRcl/mQuxKqWK\n22vrgAR+6OL8lcyhssmKiQ1r3GtxwJusgffw4/5S8sRR1z8OB4wiwgOWR1E36EbF\nhTBjFzPiKVjVjP/TQpUoYdnBhuD223M8nPWJl1HMVQPMjL6R2BBOF+iK0Wx9SiFD\nJwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/email.json

@@ -0,0 +1,17 @@
+{
+  "id": "email",
+  "ldap_dn": {
+    "encrypted_data": "jMHHa8DeU4HCieF/ElOxrNJcHLRzjXGGFB1eJubtiARFpMYx+4hG\n",
+    "iv": "ojKHl8Va1GOj1sfr\n",
+    "auth_tag": "wkHLRyFF7WYllh+hXRIBJA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "ldap_dnpass": {
+    "encrypted_data": "mCyzownpB0Q7BW4k7E+yXIwzSzaChPTEZHAWGiEcnXo2ioQ=\n",
+    "iv": "jc9/VY7AlQ5ttMm8\n",
+    "auth_tag": "mAZuoZOIJ4zRLdYbaetiag==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

environments/production.json

@@ -19,6 +19,10 @@
     "ejabberd": {
       "turn_ip_address": "148.251.83.201"
     },
+    "email": {
+      "domain": "mail.kosmos.org",
+      "hostname": "mail.kosmos.org"
+    },
     "garage": {
       "replication_mode": "2",
       "s3_api_root_domain": "s3.kosmos.org",

nodes/draco.kosmos.org.json

@@ -26,6 +26,7 @@
     "roles": [
       "base",
       "kvm_host",
+      "email_proxy",
       "openresty_proxy",
       "openresty",
       "garage_gateway",
@@ -36,6 +37,7 @@
       "kosmos-base::default",
       "kosmos_kvm::host",
       "kosmos_kvm::backup",
+      "kosmos_email::firewall",
       "kosmos_openresty",
       "kosmos_openresty::default",
       "kosmos_openresty::firewall",
@@ -119,6 +121,7 @@
   "run_list": [
     "role[base]",
     "role[kvm_host]",
+    "role[email_proxy]",
     "role[openresty_proxy]",
     "recipe[kosmos_encfs]",
     "recipe[kosmos-ejabberd::firewall]",

nodes/ldap-4.kosmos.org.json

@@ -1,5 +1,6 @@
 {
   "name": "ldap-4.kosmos.org",
+  "chef_environment": "production",
   "normal": {
     "knife_zero": {
       "host": "10.1.1.106"

nodes/mail.kosmos.org.json

@@ -0,0 +1,67 @@
+{
+  "name": "mail.kosmos.org",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.141"
+    }
+  },
+  "automatic": {
+    "fqdn": "mail.kosmos.org",
+    "os": "linux",
+    "os_version": "5.15.0-1045-kvm",
+    "hostname": "mail",
+    "ipaddress": "192.168.122.127",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "email_server",
+      "ldap_client"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos-dirsrv::hostsfile",
+      "kosmos_email",
+      "kosmos_email::default",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "hostname::default",
+      "kosmos-base::letsencrypt",
+      "kosmos_email::postfix",
+      "postfix::server",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::relay_restrictions",
+      "kosmos_email::dovecot"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[email_server]"
+  ]
+}

site-cookbooks/kosmos-base/resources/tls_cert_for.rb

@@ -36,8 +36,8 @@ action :create do
         --agree-tos \
         --manual-auth-hook '#{hook_path} auth' \
         --manual-cleanup-hook '#{hook_path} cleanup' \
-        --deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty \
         --email ops@kosmos.org \
+        #{node.run_list.roles.include?("openresty_proxy") ? '--deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty' : nil } \
         #{domains.map {|d| "-d #{d}" }.join(" ")}
       CMD
       not_if do

site-cookbooks/kosmos-postfix/recipes/default.rb

@@ -2,39 +2,21 @@
 # Cookbook Name:: kosmos-postfix
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
+
+node.default['postfix']['main']['smtp_tls_CAfile']  = '/etc/ssl/certs/ca-certificates.crt'
+node.default['postfix']['main']['smtpd_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
+
+return if node.run_list.roles.include?("email_server")
 
 smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
 
-node.override['postfix']['sasl']['smtp_sasl_user_name']        = smtp_credentials['user_name']
-node.override['postfix']['sasl']['smtp_sasl_passwd']           = smtp_credentials['password']
-node.override['postfix']['sasl_password_file']                 = "#{node['postfix']['conf_dir']}/sasl_passwd"
+node.default['postfix']['sasl']['smtp_sasl_user_name']        = smtp_credentials['user_name']
+node.default['postfix']['sasl']['smtp_sasl_passwd']           = smtp_credentials['password']
+node.default['postfix']['sasl_password_file']                 = "#{node['postfix']['conf_dir']}/sasl_passwd"
 # Postfix doesn't support smtps relayhost, use STARTSSL instead
-node.override['postfix']['main']['relayhost']                  = smtp_credentials['relayhost']
-node.override['postfix']['main']['smtp_sasl_auth_enable']      = 'yes'
-node.override['postfix']['main']['smtp_sasl_password_maps']    = "hash:#{node['postfix']['sasl_password_file']}"
-node.override['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
-node.override['postfix']['main']['smtp_tls_CAfile']            = '/etc/ssl/certs/ca-certificates.crt'
-node.override['postfix']['main']['smtpd_tls_CAfile']           = '/etc/ssl/certs/ca-certificates.crt'
+node.default['postfix']['main']['relayhost']                  = smtp_credentials['relayhost']
+node.default['postfix']['main']['smtp_sasl_auth_enable']      = 'yes'
+node.default['postfix']['main']['smtp_sasl_password_maps']    = "hash:#{node['postfix']['sasl_password_file']}"
+node.default['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
 
 include_recipe 'postfix::default'