Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/manifests/site.pp | 6 | ||||
| -rw-r--r-- | puppet/modules/leap_mx/manifests/init.pp | 56 | ||||
| -rw-r--r-- | puppet/modules/leap_mx/templates/mx.conf.erb | 15 | ||||
| m--------- | puppet/modules/postfix | 0 | ||||
| -rw-r--r-- | puppet/modules/site_mx/manifests/couchdb.pp | 35 | ||||
| -rw-r--r-- | puppet/modules/site_mx/manifests/haproxy.pp | 14 | ||||
| -rw-r--r-- | puppet/modules/site_mx/manifests/init.pp | 10 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 41 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 10 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 9 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/tls.pp | 31 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/mx.pp | 24 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/service/smtp.pp | 13 | ||||
| m--------- | puppet/modules/stunnel | 0 | 
14 files changed, 263 insertions, 1 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index bdb57c83..c7d00c61 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -11,7 +11,6 @@ Package { require => Exec['apt_updated'] }
 include stdlib
-import 'common'
 include site_config::default
 include site_config::slow
@@ -41,3 +40,8 @@ if $services =~ /\bmonitor\b/ {
 if $services =~ /\btor\b/ {
   include site_tor
 }
+
+if $services =~ /\bmx\b/ {
+  include site_mx
+}
+
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
new file mode 100644
index 00000000..652eb85b
--- /dev/null
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -0,0 +1,56 @@
+class leap_mx {
+
+  $couchdb_host     = 'localhost'
+  $couchdb_port     = '4096'
+  $couchdb_user     = $soledad::couchdb::user
+  $couchdb_password = $soledad::couchdb::password
+
+  #
+  # USER AND GROUP
+  #
+
+  group { 'leap-mx':
+    ensure    => present,
+    allowdupe => false;
+  }
+
+  user { 'leap-mx':
+    ensure    => present,
+    allowdupe => false,
+    gid       => 'leap-mx',
+    home      => '/etc/leap',
+    require   => Group['leap-mx'];
+  }
+
+  #
+  # LEAP-MX CONFIG
+  #
+
+  file { '/etc/leap/mx.conf':
+    content => template('leap_mx/mx.conf.erb'),
+    owner   => 'leap-mx',
+    group   => 'leap-mx',
+    mode    => '0600',
+    notify  => Service['leap-mx'];
+  }
+
+  #
+  # LEAP-MX CODE
+  #
+
+  package { 'leap-mx':
+    ensure => installed;
+  }
+
+  #
+  # LEAP-MX DAEMON
+  #
+
+  service { 'leap_mx':
+    ensure     => running,
+    enable     => true,
+    hasstatus  => true,
+    hasrestart => true,
+    require    => [ Package['leap-mx'] ];
+  }
+}
diff --git a/puppet/modules/leap_mx/templates/mx.conf.erb b/puppet/modules/leap_mx/templates/mx.conf.erb
new file mode 100644
index 00000000..bf1e6421
--- /dev/null
+++ b/puppet/modules/leap_mx/templates/mx.conf.erb
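Review bot: `notify => Service['leap-mx']` on the `/etc/leap/mx.conf` resource in leap_mx/manifests/init.pp references a service title this class never declares; the service block is titled `'leap_mx'` (underscore), so the catalog fails with a missing-relationship error. Use one spelling for both, e.g. `service { 'leap-mx':` to match the package, user and group titles, and keep the `notify` as written. The CouchDB credentials are read from `$soledad::couchdb::user` and `$soledad::couchdb::password`, but nothing in this class includes or requires the soledad class, so whether those variables are set at evaluation time depends on include order elsewhere; an explicit `include`/`require`, or class parameters, would make that deterministic. The `0600` mode owned by `leap-mx` is what keeps the rendered password away from other local users, so it should stay as is.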
@@ -0,0 +1,15 @@
+[mail1]
+path=/var/mail/vmail
+recursive=True
+
+[couchdb]
+user=<%= @couchdb_user %>
+password=<%= @couchdb_password %>
+server=<%= @couchdb_host %>
+port=<%= @couchdb_port %>
+
+[alias map]
+port=4242
+
+[check recipient]
+port=2244
\ No newline at end of file
diff --git a/puppet/modules/postfix b/puppet/modules/postfix
new file mode 160000
+Subproject 8e43dc85da5a5e45e88aef5f7c32c9cc1c35201
diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp
new file mode 100644
index 00000000..f842ceab
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/couchdb.pp
@@ -0,0 +1,35 @@
+class site_mx::couchdb {
+
+  $stunnel = hiera('stunnel')
+  $couch_client            = $stunnel['couch_client']
+  $couch_client_connect    = $couch_client['connect']
+
+  include x509::variables
+  $x509                    = hiera('x509')
+  $key                     = $x509['key']
+  $cert                    = $x509['cert']
+  $ca                      = $x509['ca_cert']
+  $cert_name               = 'leap_couchdb'
+  $ca_name                 = 'leap_ca'
+  $ca_path                 = "${x509::variables::local_CAs}/${ca_name}.crt"
+  $cert_path               = "${x509::variables::certs}/${cert_name}.crt"
+  $key_path                = "${x509::variables::keys}/${cert_name}.key"
+
+  class { 'site_stunnel::setup':
+    cert_name => $cert_name,
+    key       => $key,
+    cert      => $cert,
+    ca_name   => $ca_name,
+    ca        => $ca
+  }
+
+  $couchdb_stunnel_client_defaults = {
+    'connect_port' => $couch_client_connect,
+    'client'     => true,
+    'cafile'     => $ca_path,
+    'key'        => $key_path,
+    'cert'       => $cert_path,
+  }
+
+  create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)
+}
diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp
new file mode 100644
index 00000000..988eeaf3
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/haproxy.pp
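Review bot: `$couchdb_stunnel_client_defaults` in site_mx/manifests/couchdb.pp hands stunnel a `'cafile'` but no peer-verification level, and stunnel only checks the peer certificate against that CA file when its `verify` option is enabled; unless `site_stunnel::clients` turns verification on by itself (not visible here), the tunnels that carry the CouchDB credentials from mx.conf will accept any certificate on the connect side. Add the verification level to the defaults hash (under whatever parameter the define exposes for stunnel's `verify`) or confirm the define sets it, and record that in a comment next to `'cafile'`. Separately, `$couch_client` is read for its `'connect'` key and then passed whole to `create_resources(site_stunnel::clients, ...)`; if `connect` is a sibling of the per-client entries in the `stunnel.couch_client` hiera hash, `create_resources` will try to build a client titled `connect` from a scalar and fail, so the hiera layout is worth confirming.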
@@ -0,0 +1,14 @@
+class site_mx::haproxy {
+
+  include site_haproxy
+
+  $haproxy     = hiera('haproxy')
+  $local_ports = $haproxy['local_ports']
+
+  # Template uses $global_options, $defaults_options
+  concat::fragment { 'leap_haproxy_webapp_couchdb':
+    target  => '/etc/haproxy/haproxy.cfg',
+    order   => '20',
+    content => template('site_webapp/haproxy_couchdb.cfg.erb'),
+  }
+}
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
new file mode 100644
index 00000000..4cf3f41a
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -0,0 +1,10 @@
+class site_mx {
+  tag 'leap_service'
+
+  include site_postfix::mx
+  include site_mx::haproxy
+  include site_shorewall::mx
+  include site_shorewall::service::smtp
+  include site_mx::couchdb
+  include leap_mx
+}
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
new file mode 100644
index 00000000..0581f147
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx.pp
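Review bot: In site_mx/manifests/haproxy.pp `$local_ports` is read from hiera but nothing in the class uses it, and the comment above the fragment names `$global_options` and `$defaults_options`, which are not set here either; presumably all three are consumed by the reused `site_webapp/haproxy_couchdb.cfg.erb` template, which this diff does not show. Reusing another module's template couples `site_mx` to `site_webapp`'s variable names, so either move the template into `site_mx` (or a shared module) or extend the comment to `# Template (from site_webapp) uses $global_options, $defaults_options and $local_ports` so the dependency is explicit. The fragment title `leap_haproxy_webapp_couchdb` also still says `webapp`; if `site_webapp` declares a fragment with the same title, a node running both services would hit a duplicate declaration, so `leap_haproxy_mx_couchdb` would be safer.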
@@ -0,0 +1,41 @@
+class site_postfix::mx {
+
+  $domain_hash         = hiera ('domain')
+  $domain              = $domain_hash['full_suffix']
+  $mx_hash             = hiera('mx')
+  $cert_name           = hiera('name')
+
+  $root_mail_recipient = $mx_hash['contact']
+  $postfix_smtp_listen = 'all'
+
+  postfix::config {
+    'mydestination':
+      value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+    'smtpd_recipient_restrictions':
+      value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination';
+    'mailbox_size_limit':   value => '0';
+    'home_mailbox':         value => 'Maildir/';
+    'virtual_alias_maps':   value => 'tcp:localhost:4242';
+    'luser_relay':          value => 'vmail';
+    'local_recipient_maps': value => '';
+    'debug_peer_list':      value => '127.0.0.1';
+  }
+
+  include site_postfix::mx::smtpd_checks
+  include site_postfix::mx::tls
+
+  user { 'vmail':
+    ensure     => present,
+    comment    => 'Leap Mailspool',
+    home       => '/var/mail/vmail',
+    shell      => '/bin/false',
+    managehome => true,
+  }
+
+  class { 'postfix':
+    root_mail_recipient => $root_mail_recipient,
+    smtp_listen         => 'all',
+    require             => [ X509::Key[$cert_name], X509::Cert[$cert_name],
+                             User['vmail'] ]
+  }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
new file mode 100644
index 00000000..ab75130e
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
@@ -0,0 +1,10 @@
+class site_postfix::mx::smtp_auth {
+  $x509 = hiera('x509')
+
+  postfix::config {
+    'smtpd_tls_cert_file': value => $x509['client_ca_cert'];
+    'smtpd_tls_key_file':  value => $x509['client_ca_key'];
+    'smtpd_tls_ask_ccert': value => 'yes';
+    #'smtpd_tls_CAfile':    value =>
+  }
+}
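Review bot: `'debug_peer_list': value => '127.0.0.1'` in site_postfix/manifests/mx.pp switches on verbose Postfix logging for every connection from localhost, which here includes traffic around the `tcp:localhost:2244` and `tcp:localhost:4242` lookups declared a few lines above; that is a debugging aid that should not ship in the production mx class, or at least needs a comment saying why it is wanted. `$postfix_smtp_listen = 'all'` is assigned but the `class { 'postfix': ... }` block hard-codes `smtp_listen => 'all'` instead of using it, so drop the variable or use it. In `smtpd_recipient_restrictions`, `check_recipient_access tcp:localhost:2244` runs before `reject_unauth_destination`, so an `OK` answer from the recipient-check service ends the restriction list and accepts that recipient; that is safe only if the service never answers `OK` for non-local addresses, which deserves a comment on that line, and an unreachable service will temp-fail all inbound mail.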
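Review bot: `site_postfix::mx::smtp_auth` sets `smtpd_tls_key_file` to `$x509['client_ca_key']`, the private key of the client CA, which would make the CA signing key the SMTP server's TLS key; the server key and cert belong in `$x509['key']`/`$x509['cert']` as `site_postfix::mx::tls` already does. Both classes declare `postfix::config` resources titled `smtpd_tls_cert_file` and `smtpd_tls_key_file`, so including this class next to `site_postfix::mx::tls` would be a duplicate-declaration error; nothing in this diff includes it, so it is currently unused code with an unsafe default. Either remove the file or rewrite it around the SASL/auth settings its name suggests, and drop the commented-out `#'smtpd_tls_CAfile':    value =>` line.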
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
new file mode 100644
index 00000000..b2f2d7c2
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -0,0 +1,9 @@
+class site_postfix::mx::smtpd_checks {
+
+  postfix::config {
+    'smtpd_delay_reject': value => 'yes';
+    'smtpd_data_restrictions':
+      value => 'permit_mynetworks, reject_unauth_pipelining, permit';
+  }
+
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
new file mode 100644
index 00000000..7da38100
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -0,0 +1,31 @@
+class site_postfix::mx::tls {
+
+  $x509                = hiera('x509')
+  $key                 = $x509['key']
+  $cert                = $x509['cert']
+  $client_ca           = $x509['client_ca_cert']
+
+  include x509::variables
+  $cert_name = hiera('name')
+  $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+  $key_path  = "${x509::variables::keys}/${cert_name}.key"
+
+  x509::key { $cert_name:
+    content => $key,
+  }
+
+  x509::cert { $cert_name:
+    content => $cert,
+  }
+
+  postfix::config {
+    'smtpd_use_tls':        value  => 'yes';
+    'smtpd_tls_CAfile':     value  => $client_ca;
+    'smtpd_tls_cert_file':  value  => $cert_path;
+    'smtpd_tls_key_file':   value  => $key_path;
+    'smtpd_tls_req_ccert':  value  => 'yes';
+    'smtpd_tls_security_level':
+      value  => 'encrypt';
+  }
+
+}
diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp
new file mode 100644
index 00000000..5ec95fdd
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/mx.pp
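Review bot: `smtpd_tls_security_level => 'encrypt'` together with `smtpd_tls_req_ccert => 'yes'` in site_postfix/manifests/mx/tls.pp makes this smtpd reject every peer that does not present a client certificate chaining to `$x509['client_ca_cert']`, and the shorewall macro in this same commit opens tcp/25 from `net` to it; that only works if this MX never needs to accept mail from ordinary internet MTAs, and the class should state that intent in a header comment such as `# Mandatory TLS + client cert: this MX only accepts mail from peers holding a client_ca-issued cert`. `smtpd_use_tls` is the legacy parameter that `smtpd_tls_security_level` supersedes; with the latter set it is ignored and can be dropped. The `x509::key { $cert_name: content => $key }` resource carries no owner or mode, so whether the private key ends up readable only by the postfix processes that need it depends on the x509 module's defaults, which are not visible here and are worth confirming.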
@@ -0,0 +1,24 @@
+class site_shorewall::mx {
+
+  include site_shorewall::defaults
+
+  $smtpd_ports = '25'
+
+  # define macro for incoming services
+  file { '/etc/shorewall/macro.leap_mx':
+    content => "PARAM   -       -       tcp    ${smtpd_ports} ",
+    notify  => Service['shorewall'],
+    require => Package['shorewall']
+  }
+
+
+  shorewall::rule {
+      'net2fw-mx':
+        source      => 'net',
+        destination => '$FW',
+        action      => 'leap_mx(ACCEPT)',
+        order       => 200;
+  }
+
+  include site_shorewall::service::smtp
+}
diff --git a/puppet/modules/site_shorewall/manifests/service/smtp.pp b/puppet/modules/site_shorewall/manifests/service/smtp.pp
new file mode 100644
index 00000000..7fbdf14e
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/service/smtp.pp
@@ -0,0 +1,13 @@
+class site_shorewall::service::smtp {
+
+  include site_shorewall::defaults
+
+  shorewall::rule {
+      'fw2net-http':
+        source      => '$FW',
+        destination => 'net',
+        action      => 'SMTP(ACCEPT)',
+        order       => 200;
+  }
+
+}
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel
-Subproject fc1589a5f09d80f58d730d4e1f6a8058483f61f
+Subproject 75d387fc8aff12232fdeae2efbbfccdd91f9465 | 
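Review bot: The rule in site_shorewall/manifests/service/smtp.pp is titled `'fw2net-http'` although it opens outbound SMTP (`action => 'SMTP(ACCEPT)'`); the title looks copied from an http service class, and because `shorewall::rule` titles must be unique, any node that also includes a class declaring `'fw2net-http'` would fail with a duplicate declaration. Rename it `'fw2net-smtp':`. The class is included both directly from `site_mx` and again at the end of `site_shorewall::mx`; harmless with `include`, but one of the two is redundant.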
