Add send_only_mailserver role and deploy Send-Only-Mailserver with it

Co-authored-by: yuri <yuri@nekover.se>
2023-05-09 23:01:57 +02:00 · 2023-05-09 23:01:57 +02:00 · b56ca3899d
commit b56ca3899d
parent f4a79fb4e2
14 changed files with 263 additions and 0 deletions
--- a/playbooks/roles/send_only_mail_server/tasks/ensure_dkim_keypair.yaml
+++ b/playbooks/roles/send_only_mail_server/tasks/ensure_dkim_keypair.yaml
@ -0,0 +1,55 @@
+- name: make sure DKIM private key exists
+  community.crypto.openssl_privatekey:
+    path: "/etc/mail-dkim/{{ item.name }}.key"
+    size: 1024
+    type: RSA
+    owner: "root"
+    group: "_rspamd"
+    mode: "0640"
+  become: true
+  notify: Restart `rspamd.service`
+
+- name: make sure DKIM public key exists
+  community.crypto.openssl_publickey:
+    path: "/etc/mail-dkim/{{ item.name }}.pub"
+    privatekey_path: "/etc/mail-dkim/{{ item.name }}.key"
+    return_content: true
+  become: true
+  notify: Restart `rspamd.service`
+  register: send_only_mail_server__dkim_public_key
+
+- name: deploy DKIM public key DNS entry  # noqa: no-handler
+  delegate_to: "{{ send_only_mail_server__bind_9_host }}"
+  when: send_only_mail_server__dkim_public_key.changed
+  block:
+    - name: Add file containing nsupdate commands for removing DKIM public key TXT records
+      ansible.builtin.template:
+        src: nsupdate_delete_dkim_public_key_txt_records.j2
+        dest: /root/nsupdate_delete_dkim_public_key_txt_records
+        owner: root
+        group: root
+        mode: "0600"
+
+    - name: Remove DNS records from BIND 9 server via nsupdate  # noqa: no-changed-when
+      ansible.builtin.command: /usr/bin/nsupdate -l /root/nsupdate_delete_dkim_public_key_txt_records
+
+    - name: Add file containing nsupdate commands for adding DKIM public key TXT record
+      ansible.builtin.template:
+        src: nsupdate_add_dkim_public_key_txt_record.j2
+        dest: /root/nsupdate_add_dkim_public_key_txt_record
+        owner: root
+        group: root
+        mode: "0600"
+
+    - name: Add DNS record to BIND 9 server via nsupdate  # noqa: no-changed-when
+      ansible.builtin.command: /usr/bin/nsupdate -l /root/nsupdate_add_dkim_public_key_txt_record
+  always:
+    - name: Remove file containing nsupdate commands for removing DKIM public key TXT records again
+      ansible.builtin.file:
+        path: /root/nsupdate_delete_dkim_public_key_txt_records
+        state: absent
+
+    - name: Remove file containing nsupdate commands for adding DKIM public key TXT record again
+      ansible.builtin.file:
+        path: /root/nsupdate_add_dkim_public_key_txt_record
+        state: absent
--- a/playbooks/roles/send_only_mail_server/tasks/main.yaml
+++ b/playbooks/roles/send_only_mail_server/tasks/main.yaml
@ -0,0 +1,65 @@
+- name: make sure packages are installed
+  ansible.builtin.apt:
+    name:
+      - opensmtpd
+      - rspamd
+      - opensmtpd-filter-rspamd
+  become: true
+
+- name: make sure certificates exist
+  ansible.builtin.include_role:
+    name: cert
+  vars:
+    cert__domains:
+      - "{{ send_only_mail_server__mail_server_fqdn }}"
+    cert__owner: root
+    cert__group: opensmtpd
+    cert__bind_9_zone: "{{ send_only_mail_server__mail_server_fqdn_zone }}"
+    cert__bind_9_host: "{{ send_only_mail_server__bind_9_host }}"
+    cert__privkey_pem_permissions: "0640"
+    cert__fullchain_pem_permissions: "0640"
+    cert__chain_pem_permissions: "0640"
+    cert__cert_pem_permissions: "0640"
+
+- name: make sure the OpenSMTPD config is deployed
+  ansible.builtin.template:
+    src: etc_smtpd.conf.j2
+    dest: /etc/smtpd.conf
+    owner: root
+    group: root
+    mode: "0600"
+  become: true
+  notify: Restart `opensmtpd.service`
+
+- name: make sure `/etc/mail-dkim` directory exists
+  ansible.builtin.file:
+    path: /etc/mail-dkim
+    state: directory
+    owner: root
+    group: root
+    mode: "755"
+  become: true
+
+- name: make sure DKIM keypairs for all domains exist
+  loop: "{{ send_only_mail_server__mail_domains }}"
+  ansible.builtin.include_tasks: ensure_dkim_keypair.yaml
+
+- name: make sure the Rspamd `dkim_signing.conf` is deployed
+  ansible.builtin.template:
+    src: etc_rspamd_dkim_signing.conf.j2
+    dest: /etc/rspamd/local.d/dkim_signing.conf
+    owner: root
+    group: root
+    mode: "0600"
+  become: true
+  notify: Restart `rspamd.service`
+
+- name: make sure the Rspamd `settings.conf` is deployed
+  ansible.builtin.copy:
+    src: etc_rspamd_settings.conf
+    dest: /etc/rspamd/local.d/settings.conf
+    owner: root
+    group: root
+    mode: "0600"
+  become: true
+  notify: Restart `rspamd.service`