Added ansible playbook for secondary MX server

2025-11-04 00:30:10 +00:00 · 2024-05-28 23:03:37 +03:00 · 2024-05-28 23:03:37 +03:00 · dd5869a62d
commit dd5869a62d
parent fcfd816548
9 changed files with 62 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -13,7 +13,10 @@ Ansible is used for configuration. The playbooks use a `vars.yml` file for setti
 ssh_public_key: "ssh-rsa AAAAB3...ak4EsUU="
 mx1_domains:
  - mx1.pikami.org
-mx1_mail_domain: "mx1.pikami.org"
+mx2_domains:
+  - mx2.pikami.org
+mx1_mail_domain: mx1.pikami.org
+mx2_mail_domain: mx2.pikami.org
 mail_domains:
  - pikami.net
  - pikami.org
@ -36,6 +39,8 @@ all:
  hosts:
    mx1:
      ansible_host: 51.158.215.227
+    mx2:
+      ansible_host: 89.58.5.252
 ```

 ## Environment setup
@ -71,3 +76,4 @@ Current ansible playbooks:
  - adds ssh public key
 - 02-ssl.yml - generates ssl certificates and adds a renew cron job
 - 03-mail.yml - installs and configures dovecot and opensmtpd
+- 04-secondary-mail.yml - installs and configures opensmtpd as a backup mail receiver
--- a/ansible/01-initial_setup.yml
+++ b/ansible/01-initial_setup.yml
@ -1,5 +1,7 @@
 - name: Initial System Setup
-  hosts: mx1
+  hosts:
+    - mx1
+    - mx2
  remote_user: root
  become: true
  become_method: su
--- a/ansible/02-ssl.yml
+++ b/ansible/02-ssl.yml
@ -1,5 +1,7 @@
 - name: SSL Setup
-  hosts: mx1
+  hosts:
+    - mx1
+    - mx2
  remote_user: root
  vars_files:
    - vars.yml
@ -9,7 +11,7 @@
        path: "/var/www/vhosts/{{ item }}"
        state: directory
        owner: www
-      with_items: "{{ mx1_domains }}"
+      with_items: "{{ lookup('vars', inventory_hostname + '_domains') }}"

    - name: Install httpd.conf
      template:
@ -31,7 +33,7 @@
      command: "/usr/sbin/acme-client {{ item }}"
      args:
        creates: "/etc/ssl/{{ item }}.fullchain.pem"
-      with_items: "{{ mx1_domains }}"
+      with_items: "{{ lookup('vars', inventory_hostname + '_domains') }}"
      notify:
        - reload httpd

@ -41,7 +43,7 @@
        minute: "0"
        job: "sleep $((RANDOM \\% 2048)) && acme-client {{ item }} && rcctl reload httpd"
        user: root
-      with_items: "{{ mx1_domains }}"
+      with_items: "{{ lookup('vars', inventory_hostname + '_domains') }}"

  handlers:
    - name: reload httpd
--- a/ansible/03-mail.yml
+++ b/ansible/03-mail.yml
@ -1,5 +1,6 @@
 - name: OpenSMTPD Installation and Configuration
-  hosts: mx1
+  hosts:
+    - mx1
  remote_user: root
  vars_files:
    - vars.yml
--- a/ansible/04-secondary-mail.yml
+++ b/ansible/04-secondary-mail.yml
@ -0,0 +1,25 @@
+- name: Secondary MX OpenSMTPD Configuration
+  hosts:
+    - mx2
+  remote_user: root
+  vars_files:
+    - vars.yml
+  tasks:
+    - name: Configure OpenSMTPD smtpd.conf
+      template:
+        src: "templates/secondary-smtpd.conf"
+        dest: /etc/mail/smtpd.conf
+      notify:
+        - reload smtpd
+
+    - name: Enable and start OpenSMTPD service
+      service:
+        name: smtpd
+        enabled: yes
+        state: started
+
+  handlers:
+    - name: reload smtpd
+      service:
+        name: smtpd
+        state: restarted
--- a/ansible/templates/acme-client.conf
+++ b/ansible/templates/acme-client.conf
@ -3,7 +3,7 @@ authority letsencrypt {
    account key "/etc/acme/letsencrypt-privkey.pem"
 }

-{% for domain in mx1_domains %}
+{% for domain in lookup('vars', inventory_hostname + '_domains') %}
 domain "{{ domain }}" {
    domain key "/etc/ssl/private/{{ domain }}.key"
    domain full chain certificate "/etc/ssl/{{ domain }}.fullchain.pem"
--- a/ansible/templates/httpd.conf
+++ b/ansible/templates/httpd.conf
@ -9,7 +9,7 @@ server "{{ inventory_hostname }}" {
    }
 }

-{% for vhost in mx1_domains %}
+{% for vhost in lookup('vars', inventory_hostname + '_domains') %}
 server "{{ vhost }}" {
    listen on * tls port 443
    tls {
--- a/ansible/templates/secondary-smtpd.conf
+++ b/ansible/templates/secondary-smtpd.conf
@ -0,0 +1,16 @@
+{% set _mx_domain = lookup('vars', inventory_hostname + '_mail_domain') %}
+pki {{ _mx_domain }} cert "/etc/ssl/{{ _mx_domain }}.fullchain.pem"
+pki {{ _mx_domain }} key "/etc/ssl/private/{{ _mx_domain }}.key"
+
+listen on all tls pki {{ _mx_domain }}
+
+table aliases file:/etc/mail/aliases
+
+action "local" mbox alias <aliases>
+action "relay" relay host {{ mx1_mail_domain }}
+
+{% for domain in mail_domains %}
+match from any for domain {{ domain }} action "relay"
+{% endfor %}
+match from local for local action "local"
+match from local for any action "relay"
--- a/ansible/templates/smtpd.conf
+++ b/ansible/templates/smtpd.conf
@ -21,3 +21,4 @@ match from any for domain {{ domain }} action "local_mail"
 {% endfor %}
 match from local for local action "local_mail"
 match from local for any action "outbound"
+match auth from any for any action "outbound"