From dd5869a62d7c175e7d07367fe63d0f46b3e3a14e Mon Sep 17 00:00:00 2001 From: Pijus Kamandulis Date: Tue, 28 May 2024 23:03:37 +0300 Subject: [PATCH] Added ansible playbook for secondary MX server --- README.md | 8 +++++++- ansible/01-initial_setup.yml | 4 +++- ansible/02-ssl.yml | 10 ++++++---- ansible/03-mail.yml | 3 ++- ansible/04-secondary-mail.yml | 25 +++++++++++++++++++++++++ ansible/templates/acme-client.conf | 2 +- ansible/templates/httpd.conf | 2 +- ansible/templates/secondary-smtpd.conf | 16 ++++++++++++++++ ansible/templates/smtpd.conf | 1 + 9 files changed, 62 insertions(+), 9 deletions(-) create mode 100644 ansible/04-secondary-mail.yml create mode 100644 ansible/templates/secondary-smtpd.conf diff --git a/README.md b/README.md index 93b8196..94a3058 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,10 @@ Ansible is used for configuration. The playbooks use a `vars.yml` file for setti ssh_public_key: "ssh-rsa AAAAB3...ak4EsUU=" mx1_domains: - mx1.pikami.org -mx1_mail_domain: "mx1.pikami.org" +mx2_domains: + - mx2.pikami.org +mx1_mail_domain: mx1.pikami.org +mx2_mail_domain: mx2.pikami.org mail_domains: - pikami.net - pikami.org @@ -36,6 +39,8 @@ all: hosts: mx1: ansible_host: 51.158.215.227 + mx2: + ansible_host: 89.58.5.252 ``` ## Environment setup @@ -71,3 +76,4 @@ Current ansible playbooks: - adds ssh public key - 02-ssl.yml - generates ssl certificates and adds a renew cron job - 03-mail.yml - installs and configures dovecot and opensmtpd +- 04-secondary-mail.yml - installs and configures opensmtpd as a backup mail receiver diff --git a/ansible/01-initial_setup.yml b/ansible/01-initial_setup.yml index ed1d9da..aa73256 100644 --- a/ansible/01-initial_setup.yml +++ b/ansible/01-initial_setup.yml @@ -1,5 +1,7 @@ - name: Initial System Setup - hosts: mx1 + hosts: + - mx1 + - mx2 remote_user: root become: true become_method: su diff --git a/ansible/02-ssl.yml b/ansible/02-ssl.yml index 994fb5a..6a9b5da 100644 --- a/ansible/02-ssl.yml 
+++ b/ansible/02-ssl.yml @@ -1,5 +1,7 @@ - name: SSL Setup - hosts: mx1 + hosts: + - mx1 + - mx2 remote_user: root vars_files: - vars.yml @@ -9,7 +11,7 @@ path: "/var/www/vhosts/{{ item }}" state: directory owner: www - with_items: "{{ mx1_domains }}" + with_items: "{{ lookup('vars', inventory_hostname + '_domains') }}" - name: Install httpd.conf template: @@ -31,7 +33,7 @@ command: "/usr/sbin/acme-client {{ item }}" args: creates: "/etc/ssl/{{ item }}.fullchain.pem" - with_items: "{{ mx1_domains }}" + with_items: "{{ lookup('vars', inventory_hostname + '_domains') }}" notify: - reload httpd @@ -41,7 +43,7 @@ minute: "0" job: "sleep $((RANDOM \\% 2048)) && acme-client {{ item }} && rcctl reload httpd" user: root - with_items: "{{ mx1_domains }}" + with_items: "{{ lookup('vars', inventory_hostname + '_domains') }}" handlers: - name: reload httpd diff --git a/ansible/03-mail.yml b/ansible/03-mail.yml index 1dc6c03..e70ef1f 100644 --- a/ansible/03-mail.yml +++ b/ansible/03-mail.yml @@ -1,5 +1,6 @@ - name: OpenSMTPD Installation and Configuration - hosts: mx1 + hosts: + - mx1 remote_user: root vars_files: - vars.yml diff --git a/ansible/04-secondary-mail.yml b/ansible/04-secondary-mail.yml new file mode 100644 index 0000000..af72e71 --- /dev/null +++ b/ansible/04-secondary-mail.yml @@ -0,0 +1,25 @@ +- name: Secondary MX OpenSMTPD Configuration + hosts: + - mx2 + remote_user: root + vars_files: + - vars.yml + tasks: + - name: Configure OpenSMTPD smtpd.conf + template: + src: "templates/secondary-smtpd.conf" + dest: /etc/mail/smtpd.conf + notify: + - reload smtpd + + - name: Enable and start OpenSMTPD service + service: + name: smtpd + enabled: yes + state: started + + handlers: + - name: reload smtpd + service: + name: smtpd + state: restarted diff --git a/ansible/templates/acme-client.conf b/ansible/templates/acme-client.conf index 1a54b30..a2f2329 100644 --- a/ansible/templates/acme-client.conf +++ b/ansible/templates/acme-client.conf 
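Review bot: The per-host domain list is resolved by name-mangling in `with_items: "{{ lookup('vars', inventory_hostname + '_domains') }}"` in all three task hunks of 02-ssl.yml, and the same pattern is repeated in the acme-client.conf and httpd.conf template hunks. The `vars` lookup fails the whole play for any host later added to the group without a matching `<hostname>_domains` entry in vars.yml, and it ties variable names to whatever inventory_hostname happens to be, so a host alias that is not a valid variable name (for example one containing a hyphen) can never be matched. The idiomatic form is a host-scoped variable: define `domains:` for each host (in the inventory or host_vars) and loop with `with_items: "{{ domains }}"`, which also lets the templates iterate `{% for domain in domains %}` directly instead of repeating the lookup.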
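Review bot: The template task in 04-secondary-mail.yml writes /etc/mail/smtpd.conf and then restarts smtpd without checking the rendered file, so a template or variable error (the template depends on `mx1_mail_domain` and `mail_domains` from vars.yml) takes the backup MX down instead of failing the play. Add `validate: smtpd -n -f %s` to the `template:` task so smtpd's configtest rejects a bad render before it replaces the live file. The handler is named `reload smtpd` but performs `state: restarted`; naming it `restart smtpd` (and updating the `notify:` entry) makes the behaviour explicit. `enabled: yes` should be `enabled: true`, matching the `become: true` form used in 01-initial_setup.yml and avoiding yamllint's truthy warning.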
@@ -3,7 +3,7 @@ authority letsencrypt { account key "/etc/acme/letsencrypt-privkey.pem" } -{% for domain in mx1_domains %} +{% for domain in lookup('vars', inventory_hostname + '_domains') %} domain "{{ domain }}" { domain key "/etc/ssl/private/{{ domain }}.key" domain full chain certificate "/etc/ssl/{{ domain }}.fullchain.pem" diff --git a/ansible/templates/httpd.conf b/ansible/templates/httpd.conf index ce006e5..761fb4c 100644 --- a/ansible/templates/httpd.conf +++ b/ansible/templates/httpd.conf @@ -9,7 +9,7 @@ server "{{ inventory_hostname }}" { } } -{% for vhost in mx1_domains %} +{% for vhost in lookup('vars', inventory_hostname + '_domains') %} server "{{ vhost }}" { listen on * tls port 443 tls { diff --git a/ansible/templates/secondary-smtpd.conf b/ansible/templates/secondary-smtpd.conf new file mode 100644 index 0000000..7a9c3c2 --- /dev/null +++ b/ansible/templates/secondary-smtpd.conf @@ -0,0 +1,16 @@ +{% set _mx_domain = lookup('vars', inventory_hostname + '_mail_domain') %} +pki {{ _mx_domain }} cert "/etc/ssl/{{ _mx_domain }}.fullchain.pem" +pki {{ _mx_domain }} key "/etc/ssl/private/{{ _mx_domain }}.key" + +listen on all tls pki {{ _mx_domain }} + +table aliases file:/etc/mail/aliases + +action "local" mbox alias +action "relay" relay host {{ mx1_mail_domain }} + +{% for domain in mail_domains %} +match from any for domain {{ domain }} action "relay" +{% endfor %} +match from local for local action "local" +match from local for any action "relay" diff --git a/ansible/templates/smtpd.conf b/ansible/templates/smtpd.conf index 894d27d..e1a4837 100644 --- a/ansible/templates/smtpd.conf +++ b/ansible/templates/smtpd.conf @@ -21,3 +21,4 @@ match from any for domain {{ domain }} action "local_mail" {% endfor %} match from local for local action "local_mail" match from local for any action "outbound" +match auth from any for any action "outbound"
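Review bot: The relay to the primary in `action "relay" relay host {{ mx1_mail_domain }}` uses a bare hostname, which as far as I can tell means an `smtp://` session with only opportunistic STARTTLS, so mail accepted on the `tls` listener can be downgraded to cleartext on the mx2 to mx1 hop. The 02-ssl playbook already issues a certificate for the mx1 domains, so `relay host smtp+tls://{{ mx1_mail_domain }}` can make TLS mandatory for that hop; the primary's listener configuration is not in this patch, so confirm it presents that certificate on port 25. Separately, the `match from any for domain {{ domain }} action "relay"` rules accept every recipient in `mail_domains` because mx2 has no recipient table, so mail for non-existent users is accepted here, rejected later by mx1, and bounced by mx2 as backscatter. If mx1 validates recipients against a table, mirror that table here and add `rcpt-to <recipients>` to those match rules so mx2 rejects unknown users at SMTP time.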
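Review bot: `match auth from any for any action "outbound"` lets any authenticated account relay to any destination, and the hunk shows nothing about the listener those credentials arrive on; the `listen` lines are outside the hunk. It is worth confirming that the only listener carrying `auth` also has `tls-require` (and preferably is the submission port rather than port 25), otherwise passwords are accepted over an unencrypted session. Since match rules are evaluated in order, authenticated mail for a hosted domain still hits the earlier `match from any for domain … action "local_mail"` rule first, which looks intended but deserves a line above the new rule such as `# authenticated submission: relay to any destination, evaluated after the local-domain rules`.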