dani
/
ansible-roles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
ansible-roles/roles/pmg/tasks/main.yml

280 lines
8.3 KiB
YAML
Raw Blame History

---
- set_fact: pmg_smtpd_milters_int={{ [] }}
tags: pmg
- name: Enable dkim signing for outgoing messages
set_fact: pmg_smtpd_milters_int={{ pmg_smtpd_milters_int + ['unix:/var/run/opendkim/signer.sock'] }}
when: pmg_dkim_sign | length > 0
tags: pmg
- name: Add PMG repository APT key
apt_key:
url: http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg
state: present
environment:
- http_proxy: "{{ system_proxy | default('') }}"
tags: pmg
- name: Remove the paid repository
apt_repository:
repo: deb https://enterprise.proxmox.com/debian/pmg stretch pmg-enterprise
state: absent
filename: pmg-enterprise
tags: pmg
- name: Configure the no-subscription PMG repository
apt_repository:
repo: deb http://download.proxmox.com/debian/pmg {{ ansible_distribution_release }} pmg-no-subscription
state: present
filename: pmg-enterprise
tags: pmg
- name: Install PMG
apt:
name:
- proxmox-mailgateway
- opendkim
- opendkim-tools
- patch # Needed to remove the subscription nag screen
- libmail-imapclient-perl # For the sa-learn script
update_cache: True
tags: pmg
- name: Remove registration nag
patch: src=remove_nag.patch dest=/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
notify: restart pmgproxy
tags: pmg
# The tracking center uses mails.{info,err,log}
- name: Ensure syslog daemon is enabled and running
service: name=rsyslog state=started enabled=True
tags: pmg
- name: Add postfix to the opendkim group
user:
name: postfix
groups: opendkim
append: True
notify: restart postfix
tags: pmg
- name: Create custom templates directory
file: path=/etc/pmg/templates state=directory
tags: pmg
- name: Check if pmg backup dir exists
stat: path=/var/lib/pmg/backup
register: pmg_backup
tags: pmg
- name: Move backup dir
command: mv /var/lib/pmg/backup /home/lbkp/pmg
when: pmg_backup.stat.isdir is defined and pmg_backup.stat.isdir
tags: pmg
- name: Link backup dir
file: src=/home/lbkp/pmg dest=/var/lib/pmg/backup state=link
tags: pmg
- name: Deploy pre/post backup scripts
template: src=pmg_{{ item }}_backup.sh.j2 dest=/etc/backup/{{ item }}.d/pmg.sh mode=755
with_items:
- pre
- post
tags: pmg
- name: Deploy dehydrated hook
template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/pmg mode=755
tags: pmg
- name: Create directories for opendkim
file: path={{ item.dir }} owner={{ item.owner | default(omit) }} mode={{ item.mode | default(omit) }} state=directory
with_items:
- dir: /etc/opendkim
- dir: /etc/opendkim/keys
owner: opendkim
mode: 700
tags: pmg
- name: Deploy opendkim signing
template: src={{ item }}.j2 dest=/etc/opendkim/{{ item }}
with_items:
- keytable
- signingtable
notify: restart opendkim-signer
tags: pmg
- name: Deploy opendkim daemon config
template: src=opendkim.conf.j2 dest=/etc/opendkim/{{ item }}.conf
with_items:
- signer
notify:
- restart opendkim-signer
tags: pmg
- name: Create DKIM dir
file: path=/etc/opendkim/keys/{{ (item.domain == '*') | ternary('default',item.domain) }} state=directory owner=opendkim group=opendkim mode=700
with_items: "{{ pmg_dkim_sign }}"
tags: pmg
- name: Create DKIM keys
command: opendkim-genkey -D /etc/opendkim/keys/{{ (item.domain == '*') | ternary('default',item.domain) }}/ -s {{ item.selector | default('default') }}
args:
creates: /etc/opendkim/keys/{{ (item.domain == '*') | ternary('default',item.domain) }}/{{ item.selector | default('default') }}.private
become_user: opendkim
with_items: "{{ pmg_dkim_sign }}"
tags: pmg
- name: Deploy opendkim service unit
template: src=opendkim.service.j2 dest=/etc/systemd/system/opendkim-{{ item }}.service
with_items:
- signer
register: pmg_opendkim_unit
tags: pmg
- name: Reload systemd
systemd: daemon_reload=True
when: pmg_opendkim_unit.results | selectattr('changed','equalto',True) | list | length > 0
tags: pmg
- name: Check if /etc/pmg/mynetworks exists
stat: path=/etc/pmg/mynetworks
register: pmg_mynetworks
tags: pmg
- name: Handle opendkim services
service: name={{ item.service }} state={{ item.enabled | ternary('started','stopped') }} enabled={{ item.enabled }}
with_items:
- service: opendkim
enabled: False
- service: opendkim-signer
enabled: "{{ pmg_dkim_sign | length > 0 }}"
tags: pmg
- name: Install imap-sa-learn script
copy: src=imap-sa-learn dest=/usr/local/bin/imap-sa-learn mode=755
tags: pmg
- name: Deploy imap-sa-learn config
template: src=imap-sa-learn.j2 dest=/etc/default/imap-sa-learn mode=600
tags: pmg
- name: Deploy imap-sa-learn systemd units
template: src=imap-sa-learn.{{ item }}.j2 dest=/etc/systemd/system/imap-sa-learn.{{ item }}
loop:
- service
- timer
register: pmg_imap_sa_learn_unit
tags: pmg
- name: Reload systemd
systemd: daemon_reload=True
when: pmg_imap_sa_learn_unit.results | selectattr('changed','equalto',True) | list | length > 0
tags: pmg
- name: Handle imap-sa-learn timer
systemd:
name: imap-sa-learn.timer
state: "{{ (pmg_bayes_imap_server is defined and pmg_bayes_imap_user is defined and pmg_bayes_imap_pass is defined) | ternary('started','stopped') }}"
enabled: "{{ (pmg_bayes_imap_server is defined and pmg_bayes_imap_user is defined and pmg_bayes_imap_pass is defined) | ternary(True,False) }}"
tags: pmg
- name: Remove imap-sa-learn wrapper
file: path={{ item }} state=absent
loop:
- /usr/local/bin/imap-sa-learn.sh
- /etc/cron.d/imap_sa_learn
tags: pmg
- name: Configure log retention
template: src=logrotate.d/{{ item }}.j2 dest=/etc/logrotate.d/{{ item }}
with_items:
- rsyslog
tags: pmg
- name: Configure additional spamassassin plugins
template: src=spamassassin/{{ item }}.j2 dest=/etc/mail/spamassassin/{{ item }}
with_items:
- hashbl.pre
- hashbl.cf
- fromnamespoof.pre
- fromnamespoof.cf
- phishing.pre
- phishing.cf
- bayes_auto_learn.cf
notify: reload pmg-smtp-filter
tags: pmg
- name: Create spamassassin data dir
file: path=/var/lib/spamassassin state=directory
tags: pmg
#- name: Download fishtank feed
# get_url:
# url: https://data.phishtank.com/data/online-valid.csv
# dest: /var/lib/spamassassin/phishtank.txt
# notify: reload pmg-smtp-filter
# environment:
# - https_proxy: "{{ system_proxy | default('') }}"
# tags: pmg
- name: Download openphish feed
get_url:
url: https://openphish.com/feed.txt
dest: /var/lib/spamassassin/openphish.txt
notify: reload pmg-smtp-filter
environment:
- https_proxy: "{{ system_proxy | default('') }}"
when: pmg_use_openphish
tags: pmg
- name: Deploy a script to update phishing feeds
template: src=update-phishing-feeds.j2 dest=/usr/local/bin/update-phishing-feeds mode=755
tags: pmg
- name: Add a cron job to update phishing feeds
cron:
name: phishing_feeds
cron_file: phishing_feeds
user: root
job: systemd-cat /usr/local/bin/update-phishing-feeds
minute: 1
hour: '*/3'
state: present
tags: pmg
- name: Handle ports in the firewall
iptables_raw:
name: "{{ item.name }}"
state: "{{ (item.src | length > 0) | ternary('present','absent') }}"
rules: "{% if 'tcp' in item.proto | default(['tcp']) or item.proto | default('tcp') == 'tcp' %}-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ item.ports | join(',') }} -s {{ item.src | join(',') }} -j ACCEPT\n{% endif %}
{% if 'udp' in item.proto | default(['tcp']) or item.proto | default('tcp') == 'udp' %}-A INPUT -m state --state NEW -p udp -m multiport --dports {{ item.ports | join(',') }} -s {{ item.src | join(',') }} -j ACCEPT{% endif %}"
when: iptables_manage | default(True)
with_items:
- ports: "{{ pmg_api_ports }}"
name: pmg_api_ports
src: "{{ pmg_api_src_ip }}"
- ports: "{{ pmg_smtp_ext_ports }}"
name: pmg_smtp_ext_ports
src: "{{ pmg_smtp_ext_src_ip }}"
- ports: "{{ pmg_smtp_int_ports }}"
name: pmg_smtp_int_ports
src: "{{ pmg_smtp_int_src_ip }}"
tags: pmg,firewall
- name: Remove obsolete firewall rules
iptables_raw:
name: "{{ item }}"
state: absent
loop:
- pmg_imap_ports
- pmg_pop_ports
tags: pmg,firewall
- include_tasks: filebeat.yml
tags: always
- include_tasks: cleanup.yml
tags: always
Reference in New Issue View Git Blame Copy Permalink