
first commit

Alex Payne 11 years ago
commit
080d38986c
94 changed files with 6338 additions and 0 deletions
  1. 106
    0
      README.textile
  2. 1
    0
      TODO
  3. 2
    0
      hosts
  4. 1
    0
      requirements.txt
  5. 0
    0
      roles/blog/handlers/main.yml
  6. 8
    0
      roles/blog/tasks/blog.yml
  7. 1
    0
      roles/blog/tasks/main.yml
  8. 26
    0
      roles/blog/templates/etc_apache2_sites-available_blog.j2
  9. 1
    0
      roles/blog/vars/main.yml
  10. 3
    0
      roles/common/files/etc_fail2ban_filter.d_dovecot-pop3imap.conf
  11. 36
    0
      roles/common/files/etc_ferm_ferm.conf
  12. 3
    0
      roles/common/files/root_tarsnap.key
  13. 6
    0
      roles/common/files/wildcard_ca.pem
  14. 3
    0
      roles/common/files/wildcard_private.key
  15. 3
    0
      roles/common/files/wildcard_public_cert.crt
  16. 4
    0
      roles/common/handlers/ferm.yml
  17. 13
    0
      roles/common/handlers/main.yml
  18. 11
    0
      roles/common/tasks/ferm.yml
  19. 44
    0
      roles/common/tasks/main.yml
  20. 11
    0
      roles/common/tasks/security.yml
  21. 11
    0
      roles/common/tasks/ssl.yml
  22. 28
    0
      roles/common/tasks/tarsnap.yml
  23. 2
    0
      roles/common/tasks/users.yml
  24. 34
    0
      roles/common/templates/etc_fail2ban_jail.local.j2
  25. 49
    0
      roles/common/templates/ntp.conf.j2
  26. 3
    0
      roles/common/vars/main.yml
  27. 139
    0
      roles/ircbouncer/files/etc_init.d_znc
  28. 12
    0
      roles/ircbouncer/files/etc_ssl_znc-combined.pem
  29. 2
    0
      roles/ircbouncer/handlers/main.yml
  30. 1
    0
      roles/ircbouncer/tasks/main.yml
  31. 47
    0
      roles/ircbouncer/tasks/znc.yml
  32. 71
    0
      roles/ircbouncer/templates/var_lib_znc_configs_znc.conf.j2
  33. 1
    0
      roles/ircbouncer/vars/main.yml
  34. 11
    0
      roles/mailserver/files/dot_dovecot.sieve
  35. 127
    0
      roles/mailserver/files/etc_dovecot_conf.d_10-auth.conf
  36. 362
    0
      roles/mailserver/files/etc_dovecot_conf.d_10-mail.conf
  37. 127
    0
      roles/mailserver/files/etc_dovecot_conf.d_10-master.conf
  38. 50
    0
      roles/mailserver/files/etc_dovecot_conf.d_10-ssl.conf
  39. 64
    0
      roles/mailserver/files/etc_dovecot_conf.d_20-imap.conf
  40. 26
    0
      roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf
  41. 30
    0
      roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext
  42. 99
    0
      roles/mailserver/files/etc_dovecot_dovecot.conf
  43. 43
    0
      roles/mailserver/files/etc_dspam_default.prefs
  44. 699
    0
      roles/mailserver/files/etc_dspam_dspam.conf
  45. 18
    0
      roles/mailserver/files/etc_opendkim.conf
  46. 1
    0
      roles/mailserver/files/etc_postfix_dspam_filter_access
  47. 131
    0
      roles/mailserver/files/etc_postfix_master.cf
  48. 1625
    0
      roles/mailserver/files/etc_solr_conf_solrconfig.xml
  49. 153
    0
      roles/mailserver/files/etc_tomcat6_server.xml
  50. 59
    0
      roles/mailserver/files/solr-schema.xml
  51. 11
    0
      roles/mailserver/handlers/main.yml
  52. 34
    0
      roles/mailserver/tasks/dovecot.yml
  53. 23
    0
      roles/mailserver/tasks/dspam.yml
  54. 5
    0
      roles/mailserver/tasks/main.yml
  55. 34
    0
      roles/mailserver/tasks/opendkim.yml
  56. 27
    0
      roles/mailserver/tasks/postfix.yml
  57. 16
    0
      roles/mailserver/tasks/solr.yml
  58. 48
    0
      roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2
  59. 138
    0
      roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2
  60. 3
    0
      roles/mailserver/templates/etc_opendkim_KeyTable.j2
  61. 3
    0
      roles/mailserver/templates/etc_opendkim_SigningTable.j2
  62. 8
    0
      roles/mailserver/templates/etc_opendkim_TrustedHosts.j2
  63. 108
    0
      roles/mailserver/templates/etc_postfix_main.cf.j2
  64. 5
    0
      roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j2
  65. 5
    0
      roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j2
  66. 5
    0
      roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j2
  67. 36
    0
      roles/mailserver/templates/mailserver.sql.j2
  68. 19
    0
      roles/mailserver/vars/main.yml
  69. 8
    0
      roles/monitoring/files/etc_monit_conf.d_apache2
  70. 6
    0
      roles/monitoring/files/etc_monit_conf.d_dovecot
  71. 6
    0
      roles/monitoring/files/etc_monit_conf.d_mysql
  72. 6
    0
      roles/monitoring/files/etc_monit_conf.d_postfix
  73. 5
    0
      roles/monitoring/files/etc_monit_conf.d_sshd
  74. 8
    0
      roles/monitoring/files/etc_monit_conf.d_tomcat
  75. 8
    0
      roles/monitoring/files/etc_monit_conf.d_znc
  76. 250
    0
      roles/monitoring/files/etc_monit_monitrc
  77. 2
    0
      roles/monitoring/handlers/main.yml
  78. 1
    0
      roles/monitoring/tasks/main.yml
  79. 17
    0
      roles/monitoring/tasks/monit.yml
  80. 0
    0
      roles/monitoring/vars/main.yml
  81. 0
    0
      roles/owncloud/handlers/main.yml
  82. 3
    0
      roles/owncloud/tasks/main.yml
  83. 41
    0
      roles/owncloud/tasks/owncloud.yml
  84. 23
    0
      roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
  85. 4
    0
      roles/owncloud/vars/main.yml
  86. 626
    0
      roles/vpn/files/etc_dnsmasq.conf
  87. 20
    0
      roles/vpn/files/etc_rc.local
  88. 5
    0
      roles/vpn/handlers/main.yml
  89. 1
    0
      roles/vpn/tasks/main.yml
  90. 63
    0
      roles/vpn/tasks/openvpn.yml
  91. 72
    0
      roles/vpn/templates/etc_openvpn_easy-rsa_2.0_vars.j2
  92. 301
    0
      roles/vpn/templates/etc_openvpn_server.conf.j2
  93. 8
    0
      roles/vpn/vars/main.yml
  94. 18
    0
      site.yml

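--- a/README.textile
+++ b/README.textile
@@ -0,0 +1,106 @@
+h1. Introduction
+
+Sovereign is a set of "Ansible":http://ansibleworks.com playbooks that you can use to build and maintain your own *wince* "personal cloud":http://www.urbandictionary.com/define.php?term=clown%20computing. It's based entirely on open source software, so you're in control.
+
+If you've never used Ansible before, you a) are in for a treat and b) might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.
+
+h2. Background/Motivations
+
+I had been a paying Google Apps customer for personal and corporate use since the service was in beta. Until several weeks ago, that is. I was about to set up another Google Apps account for a new project when I stopped to consider what I would be funding with my USD $50 per user per year:
+
+# A "seriously questionable privacy track record":https://en.wikipedia.org/wiki/Criticism_of_Google#Privacy.
+# A "dwindling commitment to open standards":https://www.eff.org/deeplinks/2013/05/google-abandons-open-standards-instant-messaging.
+# A "lack of long-term commitment to products":http://www.quora.com/Google-Products/What-are-all-the-Google-products-that-have-been-shut-down.
+# Development of Google+: a cynical and "unimaginative Facebook ripoff":http://gigaom.com/2012/03/15/google-plus-the-problem-isnt-design-its-a-lack-of-demand/ that's "intruding into progressively more Google products":http://bits.blogs.nytimes.com/2012/03/06/google-defending-google-plus-shares-usage-numbers/?_r=0.
+
+To each her/his own, but personally I saw little reason to continue participating in the Google ecosystem. It had been years since I last ran my own server for email and such, but it's only gotten cheaper and easier to do so.
+
+Rather than writing up a long and hard-to-follow set of instructions, I decided to share my server setup in a format that you can more or less just clone, configure, and run. Ansible seemed like the most appropriate way to do that: it's simple, straightforward, and easy to pick up.
+
+I've been using this setup for about a month now and it's been great. It's also replaced a couple of non-Google services I used, saving me money and making me feel like I've got a little more privacy.
+
+h2. Services Provided
+
+What do you get if you point this thing at a VPS? All kinds of good stuff!
+
+* "IMAP":https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol over SSL via "Dovecot":http://dovecot.org/, complete with full text search provided by "Solr":https://lucene.apache.org/solr/.
+* "SMTP":https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol over SSL via Postfix, including a nice set of "DNSBLs":https://en.wikipedia.org/wiki/DNSBL to discard spam before it ever hits your filters.
+* Virtual domains for your email, backed by "MySQL":https://www.mysql.com/.
+* Secure on-disk storage for email and more via "EncFS":http://www.arg0.net/encfs.
+* Spam fighting via "DSPAM":http://dspam.sourceforge.net/ and "Postgrey":http://postgrey.schweikert.ch/.
+* Mail server verification via "OpenDKIM":http://www.opendkim.org/, so folks know you're legit.
+* "CalDAV":https://en.wikipedia.org/wiki/CalDAV and "CardDAV":https://en.wikipedia.org/wiki/CardDAV to keep your calendars and contacts in sync, via "ownCloud":http://owncloud.org/.
+* Your own private "Dropbox":https://www.dropbox.com/, also via "ownCloud":http://owncloud.org/.
+* Your own VPN server via "OpenVPN":http://openvpn.net/index.php/open-source.html.
+* An IRC bouncer via "ZNC":http://wiki.znc.in/ZNC.
+* "Monit":http://mmonit.com/monit/ to keep everything running smoothly (and alert you when it's not).
+* Web hosting (ex: for your blog) via "Apache":https://www.apache.org/.
+* Firewall management via "ferm":http://ferm.foo-projects.org/.
+* Intrusion prevention via "fail2ban":http://www.fail2ban.org/ and rootkit detection via "rkhunter":http://rkhunter.sourceforge.net.
+* Nightly backups to "Tarsnap":https://www.tarsnap.com/.
+* A bunch of nice-to-have tools like "mosh":http://mosh.mit.edu and "htop":http://htop.sourceforge.net that make life with a server a little easier.
+
+No setup is perfect, but the general idea is to provide a bunch of useful services while being reasonably secure and low-maintainance. Set it up, SSH in every couple weeks, but mostly forget about it.
+
+Don't want one or more of the above services? Comment out the relevant role in `site.yml`. Or get more granular and comment out the associated `include:` directive in one of the playbooks.
+
+h1. Usage
+
+h2. What You'll Need
+
+# A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at "Linode":http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b. You'll probably want at least 512 MB of RAM between Apache, Solr, and MySQL. Mine has 1024.
+# "Debian 7":http://www.debian.org/News/2013/20130504 or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks.)
+# A wildcard SSL certificate. I bought one. You could self-sign if you wanna save money.
+# A "Tarsnap":http://www.tarsnap.com account with some credit in it. You could comment this out if you want to use a different backup service. I pay for backups at Linode in addition to the Tarsnap nightlies because you can never be too sure.
+
+h2. Manual Steps
+
+This does a lot for you automatically but there's still some stuff you have to do by hand.
+
+# Set up EncFS as per "these instructions":http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/.
+# Create a user account for Ansible to do its thing through. This account should be set up for passwordless sudo.
+# Put your Tarsnap key in `roles/common/files/root_tarsnap.key`.
+# Put your SSL certificate's components in the respective files that start with `wildcard_ca` in `roles/common/files`, and a combined version in `roles/ircbouncer/files/etc_ssl_znc-combined.pem`.
+# You should probably disable remote root login and password-based logins in `/etc/ssh/sshd_config` but that's up to you.
+
+Now, the time-consuming part: grep through the files for the string `TODO` and replace as necessary. You'll probably want to check out all the files in the respective `vars/` sub-directories in each playbook directory.
+
+h2. Running It
+
+First, make sure you've "got Ansible installed":http://ansibleworks.com/docs/gettingstarted.html#getting-ansible.
+
+To run the whole dang thing:
+
+  ansible-playbook -i ./hosts site.yml
+
+To run just one or more piece, use tags. I try to tag all my includes for easy isolated development. For example, to focus in on your firewall setup:
+
+  ansible-playbook -i ./hosts --tags=ferm site.yml
+
+You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there's no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I've tried to add comments where manual intervention is necessary. OpenVPN in particular requires a bunch of manual command line stuff to get running.
+
+h2. How I Use It
+
+I use this setup from my Mac like this:
+
+* I read email in "Airmail":https://itunes.apple.com/us/app/airmail/id573171375?mt=12.
+* I manage my calendar and contacts via the Apple-provided Calendar.app and Contacts.app. See "ownCloud's docs":http://doc.owncloud.com/server/5.0EE/user_manual/pim/index.html to get it set up.
+* I connect to the VPS via "Viscosity":http://www.sparklabs.com/viscosity/. It has some dumb DNS bug right now so I have to point my machine to "OpenDNS":https://use.opendns.com/ in order to resolve names. Despite that, it's better than the "alternative":https://code.google.com/p/tunnelblick/.
+* I connect to the IRC bouncer with "Textual":http://www.codeux.com/textual/.
+* I run the "ownCloud sync client":https://owncloud.com/download for Dropbox-like file sync.
+* I manage my blog and other sites with "Jekyll":http://jekyllrb.com/ locally, then push the resulting builds up to the server via "rsync":https://rsync.samba.org/ over SSH.
+
+... and from my iPhone like this:
+
+* I read email in the Apple-provided Mail app and check it quickly in "Triage":http://www.triage.cc/.
+* I manage my calendar and contacts with the built-in apps. Boring, effective. See the "ownCloud docs":http://doc.owncloud.com/server/5.0EE/user_manual/pim/index.html for setup instructions.
+* I access files stored in my ownCloud instance via "their app":https://itunes.apple.com/us/app/owncloud/id543672169?mt=8.
+* I connect to my IRC bouncer with "Palaver":https://itunes.apple.com/us/app/id538073623?mt=8.
+
+h1. Contributing
+
+If you improve one of the provided playbooks or add an exciting new one, send a pull request. Everyone benefits.
+
+h2. License
+
+Original content is "GPLv3":http://gplv3.fsf.org, same as Ansible. All files and templates based on third-party software should be considered under their respective licenses.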

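--- a/TODO
+++ b/TODO
@@ -0,0 +1 @@
+- ensure log rotation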

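--- a/hosts
+++ b/hosts
@@ -0,0 +1,2 @@
+[cerf]
+198.58.112.239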
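Review bot: The inventory commits a concrete host address on line 2 while every other site-specific value in this commit is a `TODO` placeholder, so anyone who clones the playbooks and runs `ansible-playbook -i ./hosts site.yml` as the README says will target that machine; the same literal is repeated in `etc_fail2ban_jail.local.j2`. Replace it with a placeholder such as `TODO.TODO.TODO.TODO` and derive the fail2ban `ignoreip` entry from a variable rather than a second copy of the address.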

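--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1 @@
+ansible==1.3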

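--- a/roles/blog/handlers/main.yml
+++ b/roles/blog/handlers/main.yml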


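--- a/roles/blog/tasks/blog.yml
+++ b/roles/blog/tasks/blog.yml
@@ -0,0 +1,8 @@
+- name: Create directory for blog HTML
+  file: state=directory path=/var/www/${blog_domain} group=www-data owner=www-data
+
+- name: Configure the Apache HTTP server for the blog
+  template: src=etc_apache2_sites-available_blog.j2 dest=/etc/apache2/sites-available/${blog_domain} group=www-data owner=www-data
+- command: a2ensite ${blog_domain}
+  notify: restart apache
+  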
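Review bot: Both the document root (line 2) and the Apache site file (line 5) are handed to `www-data`, so a compromised httpd worker can rewrite the content it serves and its own vhost definition; Apache only needs to read them. Use `owner=root group=root mode=0644` for the site file and `owner=root group=www-data mode=0755` for the directory, with the rsync-over-SSH deploy the README describes going through the deploy user and sudo or a dedicated group. The `a2ensite` task on line 6 has no name and no `creates=`, so it runs, and restarts Apache through the handler, on every play; add `creates=/etc/apache2/sites-enabled/${blog_domain}`.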

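--- a/roles/blog/tasks/main.yml
+++ b/roles/blog/tasks/main.yml
@@ -0,0 +1 @@
+- include: blog.yml tags=blog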

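--- a/roles/blog/templates/etc_apache2_sites-available_blog.j2
+++ b/roles/blog/templates/etc_apache2_sites-available_blog.j2
@@ -0,0 +1,26 @@
+NameVirtualHost *:80
+
+<VirtualHost *:80>
+    ServerName {{ blog_domain }}
+    ServerAlias www.{{ blog_domain }}
+
+    Redirect / https://{{ blog_domain }}/
+</VirtualHost>
+
+NameVirtualHost *:443
+
+<VirtualHost *:443>
+    ServerName {{ blog_domain }}
+    ServerAlias www.{{ blog_domain }}
+
+    SSLEngine on
+    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
+
+    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
+    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
+    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+
+    DocumentRoot            "/var/www/{{ blog_domain }}"
+    DirectoryIndex          index.html
+    HostnameLookups         Off
+</VirtualHost>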
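Review bot: `SSLCipherSuite` on line 17 is the legacy Apache default string: it explicitly admits `LOW`, `EXP` and `SSLv2` suites and ranks RC4 first, and there is no `SSLProtocol` line, so a client can negotiate export-grade or RC4 ciphers against a vhost that otherwise forces everything onto HTTPS. Replace it with `SSLProtocol all -SSLv2 -SSLv3`, `SSLHonorCipherOrder on` and `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXP:!LOW`, then check the negotiated suites against the clients you need to support. The `Redirect` on line 7 should be `Redirect permanent` so browsers cache the upgrade instead of re-requesting the plaintext URL.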

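--- a/roles/blog/vars/main.yml
+++ b/roles/blog/vars/main.yml
@@ -0,0 +1 @@
+blog_domain: TODO.com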

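--- a/roles/common/files/etc_fail2ban_filter.d_dovecot-pop3imap.conf
+++ b/roles/common/files/etc_fail2ban_filter.d_dovecot-pop3imap.conf
@@ -0,0 +1,3 @@
+[Definition]
+failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
+ignoreregex =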

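--- a/roles/common/files/etc_ferm_ferm.conf
+++ b/roles/common/files/etc_ferm_ferm.conf
@@ -0,0 +1,36 @@
+# Firewall configuration for a web and SMTP server.
+# See http://ferm.foo-projects.org/
+
+table filter {
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local connections
+        interface lo ACCEPT;
+
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+
+        # expose our services to the world:
+        # web, ssh, imap + ssl, smtp + ssl, jabber/xmpp, dns, znc
+        proto tcp dport (53 http https ssh smtp 993 465 5222 5223 5269 6697) ACCEPT;
+
+        # openvpn
+        proto udp dport 1194 ACCEPT;
+
+        # mosh port range
+        proto udp dport 60000:61000 ACCEPT;
+
+        # the rest is dropped by the above policy
+    }
+
+    # outgoing connections are not limited
+    chain OUTPUT policy ACCEPT;
+
+    # this is not a router
+    chain FORWARD policy DROP;
+}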
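Review bot: The accept list on line 20 opens TCP 53, 5222, 5223 and 5269 although none of the 94 files in this commit installs a public DNS or XMPP service; the only resolver is the dnsmasq config in the vpn role, presumably for VPN clients, which should not be reachable from the Internet at all. Trim the line to what the roles actually run: `proto tcp dport (http https ssh smtp 993 465 6697) ACCEPT;`, and fix the comment above it to match. Note also that ferm's default domain is IPv4, so this `table filter` leaves ip6tables untouched at its accept-everything default; if the VPS has a public IPv6 address, wrap the table in `domain (ip ip6)` and add a `proto ipv6-icmp ACCEPT` rule for the ip6 side, otherwise every service is exposed unfiltered on the other address family.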

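--- a/roles/common/files/root_tarsnap.key
+++ b/roles/common/files/root_tarsnap.key
@@ -0,0 +1,3 @@
+# START OF TARSNAP KEY FILE
+TODO
+# END OF TARSNAP KEY FILE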
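Review bot: Once the `TODO` on line 2 is replaced this file holds the live Tarsnap key, and it lives in `roles/common/files`, a tracked path, so a routine `git add -A` after following the README's "Manual Steps" publishes it; the same applies to `wildcard_private.key` and `etc_ssl_znc-combined.pem`, which the README also tells the user to fill in place. Add those three paths to a `.gitignore`, or keep a private overlay for `files/`, and state in the README that the filled-in copies must never be committed.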

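--- a/roles/common/files/wildcard_ca.pem
+++ b/roles/common/files/wildcard_ca.pem
@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----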

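--- a/roles/common/files/wildcard_private.key
+++ b/roles/common/files/wildcard_private.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+TODO
+-----END PRIVATE KEY-----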

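--- a/roles/common/files/wildcard_public_cert.crt
+++ b/roles/common/files/wildcard_public_cert.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----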

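--- a/roles/common/handlers/ferm.yml
+++ b/roles/common/handlers/ferm.yml
@@ -0,0 +1,4 @@
+---
+
+- name: reload ferm rules
+  command: /etc/init.d/ferm reload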
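Review bot: The handler on line 4 shells out to the init script where the `service` module says the same thing and reports the result as a service action rather than an opaque command: `service: name=ferm state=reloaded`. That also keeps it consistent with the other handlers in `handlers/main.yml`, which all use `service`.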

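--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+# Defines handlers applicable across all machines in the infrastructure.
+
+- name: restart ntp
+  service: name=ntp state=restarted
+
+- name: restart apache
+  service: name=apache2 state=restarted
+
+- name: restart fail2ban
+  service: name=fail2ban state=restarted
+
+- include: ferm.yml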

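--- a/roles/common/tasks/ferm.yml
+++ b/roles/common/tasks/ferm.yml
@@ -0,0 +1,11 @@
+---
+# Installs and configures ferm, which in turn uses iptables for firewall management
+
+- name: Install ferm
+  apt: pkg=ferm state=present
+
+- name: Copy ferm firewall rules into place
+  file: path=/etc/ferm state=directory
+- copy: src=etc_ferm_ferm.conf dest=/etc/ferm/ferm.conf
+  notify:
+    - reload ferm rules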

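--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+# Defines tasks applicable across all machines in the infrastructure.
+
+- name: Install necessities and nice-to-haves
+  apt: pkg=$item state=installed
+  with_items:
+    - sudo
+    - vim
+    - htop
+    - iftop
+    - iotop
+    - mosh
+    - zsh
+    - git
+    - encfs
+    - libfuse-dev
+    - fuse-utils
+    - ruby1.9.3
+    - screen
+    - apache2
+    - build-essential
+    - apticron
+    - update-notifier-common
+    - debian-goodies
+
+- name: Install ntp
+  apt: pkg=ntp state=installed
+
+- name: Configure ntp
+  template: src=ntp.conf.j2 dest=/etc/ntp.conf
+  notify:
+    - restart ntp
+
+- name: Ensure ntpd is running and enabled
+  service: name=ntp state=running enabled=yes
+
+- name: Disable default Apache site
+  command: a2dissite default
+
+- include: users.yml tags=users
+- include: ssl.yml tags=ssl
+- include: ferm.yml tags=ferm
+- include: security.yml tags=security
+- include: tarsnap.yml tags=tarsnap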
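Review bot: The package list on lines 4–25 installs `apticron`, which only mails a report of pending updates, so nothing in this commit applies security updates between the fortnightly SSH visits the README anticipates; add `unattended-upgrades` to the list and enable it with a `copy` of `/etc/apt/apt.conf.d/20auto-upgrades` (its Debian default configuration tracks the security suite). `a2dissite default` on line 38 has no `creates`/`removes` guard, so it runs and reports changed on every play; `command: a2dissite default removes=/etc/apache2/sites-enabled/000-default` with a `notify: restart apache` makes it idempotent. The `apt` tasks here use `state=installed` while `ferm.yml` in the same role uses `state=present`; they are aliases, but pick one.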

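--- a/roles/common/tasks/security.yml
+++ b/roles/common/tasks/security.yml
@@ -0,0 +1,11 @@
+- name: Install security-related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - fail2ban
+    - rkhunter
+    - lynis
+
+- name: Copy fail2ban configuration files into place
+  copy: src=etc_fail2ban_filter.d_dovecot-pop3imap.conf dest=/etc/fail2ban/filter.d/dovecot-pop3imap.conf
+- template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local
+  notify: restart fail2ban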
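Review bot: This is the natural home for the sshd hardening the README leaves as "up to you": the playbook opens port 22 in `ferm.conf` and relies on fail2ban's `[ssh]` jail, but never sets `PermitRootLogin no` or `PasswordAuthentication no`, so root password brute-forcing stays possible until a human edits `sshd_config`. Two `lineinfile` tasks plus a `restart ssh` handler in `handlers/main.yml` close that gap; they must run after an `authorized_key` for the main user exists, or the last login path disappears. `rkhunter` and `lynis` are installed on lines 5–6 but never baselined or scheduled; a `command: rkhunter --propupd creates=/var/lib/rkhunter/db/rkhunter.dat` after the install would give the daily Debian cron job a baseline to compare against, though that path is worth confirming on Debian 7. The `template` task on line 10 also has no `name`.
```yaml
# … unchanged: package install and fail2ban copy …

- name: Disable root login over SSH
  lineinfile: dest=/etc/ssh/sshd_config regexp="^#?PermitRootLogin " line="PermitRootLogin no"
  notify: restart ssh

- name: Disable password authentication over SSH
  lineinfile: dest=/etc/ssh/sshd_config regexp="^#?PasswordAuthentication " line="PasswordAuthentication no"
  notify: restart ssh
```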

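--- a/roles/common/tasks/ssl.yml
+++ b/roles/common/tasks/ssl.yml
@@ -0,0 +1,11 @@
+- name: Copy SSL private key into place
+  copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=root owner=root
+
+- name: Copy SSL public certificate into place
+  copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root
+
+- name: Copy CA combined certificate into place
+  copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root
+
+- name: Enable Apache SSL module
+  command: a2enmod ssl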
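Review bot: The private key copy on line 2 sets owner and group but no `mode`, so the file takes whatever mode the copy in `roles/common/files` has on the control machine, typically 0644, and the wildcard key for every name on the box becomes readable by any local account, including the unprivileged service users the other roles create. Add `mode=0600` to that task; the two certificate copies can stay world-readable. `a2enmod ssl` on line 11 has no `creates=` and so reports changed on every play; `creates=/etc/apache2/mods-enabled/ssl.load` fixes that.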

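--- a/roles/common/tasks/tarsnap.yml
+++ b/roles/common/tasks/tarsnap.yml
@@ -0,0 +1,28 @@
+- name: Install dependencies for Tarsnap
+  apt: pkg=$item state=installed
+  with_items:
+    - libssl-dev
+    - zlib1g-dev
+    - e2fslibs-dev
+
+- name: Download Tarsnap source
+  get_url: url=https://www.tarsnap.com/download/tarsnap-autoconf-${tarsnap_version}.tgz dest=/root/tarsnap-autoconf-${tarsnap_version}.tgz
+  #sha256sum=14c0172afac47f5f7cbc58e6442a27a0755685711f9d1cec4195c4f457053811
+
+- name: Decompress Tarsnap source
+  command: tar xzf /root/tarsnap-autoconf-${tarsnap_version}.tgz chdir=/root creates=/root/tarsnap-autoconf-${tarsnap_version}/COPYING
+
+- name: Configure Tarsnap for local build
+  command: ./configure chdir=/root/tarsnap-autoconf-${tarsnap_version} creates=/root/tarsnap-autoconf-${tarsnap_version}/Makefile
+
+- name: Build and install Tarsnap
+  command: make all install clean chdir=/root/tarsnap-autoconf-${tarsnap_version} creates=/usr/local/bin/tarsnap
+
+- name: Copy Tarsnap key file into place
+  copy: src=root_tarsnap.key dest=/root/tarsnap.key owner=root group=root
+
+- name: Create Tarsnap cache directory
+  file: state=directory path=/usr/tarsnap-cache
+
+- name: Install nightly Tarsnap cronjob
+  cron: name="Tarsnap backup" hour="3" job="tarsnap --cachedir /usr/tarsnap-cache --keyfile /root/tarsnap.key -c -f backup-`date +\%Y\%m\%d` /home /root /decrypted-mail /var/www /var/log /var/lib/mysql > /dev/null"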
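Review bot: The `sha256sum` on line 10 is commented out, so the tarball that is compiled and installed as root on line 19 is accepted on the strength of the TLS connection alone; the pinned Ansible 1.3 supports `sha256sum=` on `get_url`, so move that value onto line 9 and check it against the checksum Tarsnap publishes for `${tarsnap_version}` before trusting it. The key copied on line 22 has no `mode` and should get `mode=0600`. Separately, the cron job on line 28 only ever creates archives, so the key that lives on the server does not need read or delete rights: generate a write-only key on a trusted machine with `tarsnap-keymgmt --outkeyfile tarsnap-write.key -w tarsnap.key` and ship that instead, so an intruder on the VPS cannot read or destroy the backups that are meant to survive the intrusion.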

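--- a/roles/common/tasks/users.yml
+++ b/roles/common/tasks/users.yml
@@ -0,0 +1,2 @@
+- name: Create main user account
+  user: name=${main_user_name} state=present shell=/usr/bin/zsh groups=${main_user_name},sudo,fuse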
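Review bot: The account on line 2 is created with no password and no `authorized_key` task, so nothing in the playbook gives it a way to log in, and the README then recommends turning off password SSH logins by hand, which would leave it unreachable unless a key was added manually. Add `authorized_key: user=${main_user_name} key="{{ lookup('file', 'main_user.pub') }}"` next to it with the public key in `files/`, and consider `append=yes` on the `user` task so group memberships added outside the playbook are not clobbered on the next run.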

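--- a/roles/common/templates/etc_fail2ban_jail.local.j2
+++ b/roles/common/templates/etc_fail2ban_jail.local.j2
@@ -0,0 +1,34 @@
+[DEFAULT]
+ignoreip  = 127.0.0.1 198.58.112.239
+bantime   = 86400
+destemail = {{ admin_email }}
+banaction = iptables-multiport
+action    = %(action_mwl)s
+
+# JAILS
+[ssh]
+enabled   = true
+maxretry  = 3
+ 
+[pam-generic]
+enabled   = true
+banaction = iptables-allports
+ 
+[ssh-ddos]
+enabled   = true
+
+[apache]
+enabled = true
+ 
+[postfix]
+enabled  = true
+maxretry = 1
+
+[dovecot-pop3imap]
+enabled = true
+filter = dovecot-pop3imap
+action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
+logpath = /var/log/maillog
+maxretry = 20
+findtime = 1200
+bantime = 1200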
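Review bot: The dovecot jail on lines 27–34 bans only `pop3,imap` (110/143) while `etc_ferm_ferm.conf` exposes just 993, so a banned client keeps reaching the one port dovecot is actually serving; use `port="pop3,pop3s,imap,imaps"`. Its `logpath` on line 31 is `/var/log/maillog`, the BSD/RHEL location — on Debian, rsyslog writes mail to `/var/log/mail.log` unless the `dovecot.conf` shipped in this commit sets `log_path`, and fail2ban refuses to start a jail whose log file does not exist, so confirm which it is and adjust. The `ignoreip` on line 2 repeats the literal address from `hosts`; `{{ ansible_default_ipv4.address }}` or a shared variable would keep it from being forgotten when the template is reused.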

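--- a/roles/common/templates/ntp.conf.j2
+++ b/roles/common/templates/ntp.conf.j2
@@ -0,0 +1,49 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Use servers from the NTP Pool Project
+server 0.north-america.pool.ntp.org
+server 1.north-america.pool.ntp.org
+server 2.north-america.pool.ntp.org
+server 3.north-america.pool.ntp.org
+
+# fallback
+server tick.usno.navy.mil
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient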

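--- a/roles/common/vars/main.yml
+++ b/roles/common/vars/main.yml
@@ -0,0 +1,3 @@
+main_user_name: TODO
+admin_email: TODO@TODO.com
+tarsnap_version: 1.0.34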

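--- a/roles/ircbouncer/files/etc_init.d_znc
+++ b/roles/ircbouncer/files/etc_init.d_znc
@@ -0,0 +1,139 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          znc
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: ZNC IRC bouncer
+# Description:       ZNC is an IRC bouncer
+### END INIT INFO
+ 
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="ZNC daemon"
+NAME=znc
+DAEMON=/usr/local/bin/$NAME
+DATADIR=/var/lib/znc
+DAEMON_ARGS="--datadir=$DATADIR"
+PIDDIR=/var/run/znc
+PIDFILE=$PIDDIR/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+USER=znc
+GROUP=znc
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+  # Return
+  #   0 if daemon has been started
+  #   1 if daemon was already running
+  #   2 if daemon could not be started
+  if [ ! -d $PIDDIR ]
+  then
+    mkdir $PIDDIR
+  fi
+  chown $USER:$GROUP $PIDDIR
+  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test --chuid $USER > /dev/null || return 1
+  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER -- $DAEMON_ARGS > /dev/null || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+  # Return
+  #   0 if daemon has been stopped
+  #   1 if daemon was already stopped
+  #   2 if daemon could not be stopped
+  #   other if a failure occurred
+  start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME --chuid $USER
+  RETVAL="$?"
+  [ "$RETVAL" = 2 ] && return 2
+  # Wait for children to finish too if this is a daemon that forks
+  # and if the daemon is only ever run from this initscript.
+  # If the above conditions are not satisfied then add some other code
+  # that waits for the process to drop all resources that could be
+  # needed by services started subsequently.  A last resort is to
+  # sleep for some time.
+  start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --chuid $USER
+  [ "$?" = 2 ] && return 2
+  # Many daemons don't delete their pidfiles when they exit.
+  rm -f $PIDFILE
+  return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+  start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME --chuid $USER
+  return 0
+}
+
+case "$1" in
+  start)
+  [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+  do_start
+  case "$?" in
+    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+  esac
+  ;;
+  stop)
+  [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+  do_stop
+  case "$?" in
+    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+  esac
+  ;;
+  status)
+  status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $?
+  ;;
+  reload)
+  log_daemon_msg "Reloading $DESC" "$NAME"
+  do_reload
+  log_end_msg $?
+  ;;
+  restart)
+  log_daemon_msg "Restarting $DESC" "$NAME"
+  do_stop
+  case "$?" in
+    0|1)
+    do_start
+    case "$?" in
+      0) log_end_msg 0 ;;
+      1) log_end_msg 1 ;; # Old process is still running
+      *) log_end_msg 1 ;; # Failed to start
+    esac
+    ;;
+    *)
+    # Failed to stop
+    log_end_msg 1
+    ;;
+  esac
+  ;;
+  *)
+  echo "Usage: $SCRIPTNAME {status|start|stop|reload|restart}" >&2
+  exit 3
+  ;;
+esac
+
+: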

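--- a/roles/ircbouncer/files/etc_ssl_znc-combined.pem
+++ b/roles/ircbouncer/files/etc_ssl_znc-combined.pem
@@ -0,0 +1,12 @@
+-----BEGIN PRIVATE KEY-----
+TODO
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----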

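--- a/roles/ircbouncer/handlers/main.yml
+++ b/roles/ircbouncer/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart znc
+  service: name=znc state=restarted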

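--- a/roles/ircbouncer/tasks/main.yml
+++ b/roles/ircbouncer/tasks/main.yml
@@ -0,0 +1 @@
+- include: znc.yml tags=znc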

+ 47
- 0
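--- a/roles/ircbouncer/tasks/znc.yml
+++ b/roles/ircbouncer/tasks/znc.yml
@@ -0,0 +1,47 @@
+# more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
+
+- name: Install znc dependencies
+  apt: pkg=$item state=installed
+  with_items:
+    - build-essential
+    - libssl-dev
+    - openssl
+    - swig
+    - automake
+    - libtool
+    - libsasl2-dev
+    - checkinstall
+    - g++
+    - pkg-config
+    - python3-dev
+    - libperl-dev
+
+- name: Download znc release
+  get_url: url=http://znc.in/releases/znc-${znc_version}.tar.gz dest=/root/znc-${znc_version}.tar.gz
+
+- name: Decompress znc source
+  command: tar xzf /root/znc-${znc_version}.tar.gz chdir=/root creates=/root/znc-${znc_version}/configure
+
+- name: Build and install znc
+  command: ./configure --enable-python ; make ; make install executable=/bin/bash chdir=/root/znc-${znc_version} creates=/usr/local/bin/znc
+
+- name: Create znc group
+  group: name=znc state=present
+
+- name: Create znc user
+  user: name=znc state=present home=/var/lib/znc system=yes group=znc
+
+- name: Copy znc init file into place
+  copy: src=etc_init.d_znc dest=/etc/init.d/znc mode=0755
+
+- name: Copy znc combined SSL cert into place
+  copy: src=etc_ssl_znc-combined.pem dest=/etc/ssl/znc-combined.pem owner=znc group=znc
+
+# NOTE: you should probably just generate this using the directions above and then edit via the web panel
+#- name: Copy znc configuration file into place
+#  template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc
+
+- name: Ensure znc is a system service
+  command: update-rc.d znc defaults
+  notify: restart znc
+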
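Review bot: The znc tarball at line 20 is fetched over plain http and then configured, built and installed as root at line 26 with nothing checking what was downloaded, so a tampered or truncated archive is installed without complaint. Pin the release digest on the download, `get_url: url=http://znc.in/releases/znc-${znc_version}.tar.gz dest=/root/znc-${znc_version}.tar.gz sha256sum=<expected-sha256>` (later Ansible spells this `checksum=sha256:<expected-sha256>`), and use an https URL if the project publishes one. The copy of the combined key and certificate at line 38 sets owner and group but no mode, so the private key keeps whatever default the copy module applies; add `mode=0600`, as line 35 already does with 0755 for the init script. The `creates=/usr/local/bin/znc` guard at line 26 also means a later bump of znc_version never rebuilds, which deserves a comment next to the task.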

+ 71
- 0
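--- a/roles/ircbouncer/templates/var_lib_znc_configs_znc.conf.j2
+++ b/roles/ircbouncer/templates/var_lib_znc_configs_znc.conf.j2
@@ -0,0 +1,71 @@
+// WARNING
+//
+// Do NOT edit this file while ZNC is running!
+// Use webadmin or *controlpanel instead.
+//
+// Buf if you feel risky, you might want to read help on /znc saveconfig and /znc rehash.
+// Also check http://en.znc.in/wiki/Configuration
+
+AnonIPLimit = 10
+ConnectDelay = 5
+LoadModule = webadmin
+LoadModule = fail2ban
+LoadModule = lastseen
+MaxBufferSize = 500
+PidFile = /var/run/znc/znc.pid
+ProtectWebSessions = true
+SSLCertFile = /etc/ssl/znc-combined.pem
+ServerThrottle = 30
+Skin = _default_
+StatusPrefix = *
+Version = 1.0
+
+<Listener listener0>
+	AllowIRC = true
+	AllowWeb = true
+	IPv4 = true
+	IPv6 = false
+	Port = 6697
+	SSL = true
+</Listener>
+
+<User TODO>
+	Admin = true
+	Allow = *
+	AltNick = TODO_
+	AppendTimestamp = false
+	AutoClearChanBuffer = true
+	Buffer = 5000
+	ChanModes = +stn
+	DenyLoadMod = false
+	DenySetBindHost = false
+	Ident = TODO
+	JoinTries = 10
+	LoadModule = controlpanel
+	LoadModule = perform
+	LoadModule = block_motd
+	LoadModule = clientnotify
+	MaxNetworks = 1
+	MultiClients = true
+	Nick = TODO
+	PrependTimestamp = true
+	QuitMsg = TODO
+	RealName = TODO
+	TimestampFormat = [%H:%M:%S]
+
+	<Network freenode>
+		FloodBurst = 4
+		FloodRate = 1.00
+		IRCConnectEnabled = true
+		LoadModule = kickrejoin
+		LoadModule = nickserv
+		LoadModule = savebuff
+		Server = chat.freenode.net 6665
+	</Network>
+
+	<Pass password>
+		Hash = TODO
+		Method = SHA256
+		Salt = TODO
+	</Pass>
+</User>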
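Review bot: The listener at lines 23-30 is SSL-only, but the network block at line 63 connects upstream over plaintext port 6665, so the client leg is encrypted while the IRC leg is not; ZNC marks a TLS server port with a leading plus, `Server = chat.freenode.net +6697` (or whichever TLS port the network publishes), which keeps both legs encrypted. The `<Pass>` block at lines 66-70 will carry the real salted hash once the TODOs are filled in, and the task that would deploy this template is commented out in znc.yml, so a header comment stating whether this file is a reference copy or the source of truth for the host would help the next maintainer decide where edits go.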

+ 1
- 0
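--- a/roles/ircbouncer/vars/main.yml
+++ b/roles/ircbouncer/vars/main.yml
@@ -0,0 +1 @@
+znc_version: 1.0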
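Review bot: `znc_version: 1.0` is parsed as a float, so a later value such as 1.10 would render as 1.1 in the download URL and the source paths in znc.yml; quote it, `znc_version: "1.0"`, so the version always stays a string.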

+ 11
- 0
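--- a/roles/mailserver/files/dot_dovecot.sieve
+++ b/roles/mailserver/files/dot_dovecot.sieve
@@ -0,0 +1,11 @@
+require ["regex", "fileinto", "imap4flags"];
+# Catch mail tagged as Spam, except Spam retrained and delivered to the mailbox
+if allof (header :regex "X-DSPAM-Result" "^(Spam|Virus|Bl[ao]cklisted)$",
+          not header :contains "X-DSPAM-Reclassified" "Innocent") {
+  # Mark as read
+  setflag "\\Seen";
+  # Move into the Junk folder
+  fileinto "Spam";
+  # Stop processing here
+  stop;
+}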
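Review bot: The comment at line 7 says `# Move into the Junk folder` while the action at line 8 files into "Spam"; make them agree, `# Move into the Spam folder`, so a later edit does not rename the wrong one. The rule also takes X-DSPAM-Result and X-DSPAM-Reclassified at face value; presumably the local filter strips any such headers arriving from outside before it adds its own, but that is worth confirming in the mailserver role, since otherwise an externally supplied header would decide whether this rule fires.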

+ 127
- 0
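--- a/roles/mailserver/files/etc_dovecot_conf.d_10-auth.conf
+++ b/roles/mailserver/files/etc_dovecot_conf.d_10-auth.conf
@@ -0,0 +1,127 @@
+##
+## Authentication processes
+##
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# matches the local IP (ie. you're connecting from the same computer), the
+# connection is considered secure and plaintext authentication is allowed.
+disable_plaintext_auth = yes
+
+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
+#auth_cache_size = 0
+# Time to live for cached data. After TTL expires the cached record is no
+# longer used, *except* if the main database lookup returns internal failure.
+# We also try to handle password changes automatically: If user's previous
+# authentication was successful, but this one wasn't, the cache isn't used.
+# For now this works only with plaintext authentication.
+#auth_cache_ttl = 1 hour
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
+#auth_cache_negative_ttl = 1 hour
+
+# Space separated list of realms for SASL authentication mechanisms that need
+# them. You can leave it empty if you don't want to support multiple realms.
+# Many clients simply use the first one listed here, so keep the default realm
+# first.
+#auth_realms =
+
+# Default realm/domain to use if none was specified. This is used for both
+# SASL realms and appending @domain to username in plaintext logins.
+#auth_default_realm = 
+
+# List of allowed characters in username. If the user-given username contains
+# a character not listed in here, the login automatically fails. This is just
+# an extra check to make sure user can't exploit any potential quote escaping
+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+# set this value to empty.
+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+
+# Username character translations before it's looked up from databases. The
+# value contains series of from -> to characters. For example "#@/@" means
+# that '#' and '/' characters are translated to '@'.
+#auth_username_translation =
+
+# Username formatting before it's looked up from databases. You can use
+# the standard variables here, eg. %Lu would lowercase the username, %n would
+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
+# "-AT-". This translation is done after auth_username_translation changes.
+#auth_username_format = %Lu
+
+# If you want to allow master users to log in by specifying the master
+# username within the normal username string (ie. not using SASL mechanism's
+# support for it), you can specify the separator character here. The format
+# is then <username><separator><master username>. UW-IMAP uses "*" as the
+# separator, so that could be a good choice.
+#auth_master_user_separator =
+
+# Username to use for users logging in with ANONYMOUS SASL mechanism
+#auth_anonymous_username = anonymous
+
+# Maximum number of dovecot-auth worker processes. They're used to execute
+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
+# automatically created and destroyed as needed.
+#auth_worker_max_count = 30
+
+# Host name to use in GSSAPI principal names. The default is to use the
+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
+# entries.
+#auth_gssapi_hostname =
+
+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
+# default (usually /etc/krb5.keytab) if not specified. You may need to change
+# the auth service to run as root to be able to read this file.
+#auth_krb5_keytab = 
+
+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+#auth_use_winbind = no
+
+# Path for Samba's ntlm_auth helper binary.
+#auth_winbind_helper_path = /usr/bin/ntlm_auth
+
+# Time to delay before replying to failed authentications.
+#auth_failure_delay = 2 secs
+
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+
+# Take the username from client's SSL certificate, using 
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName. 
+#auth_ssl_username_from_cert = no
+
+# Space separated list of wanted authentication mechanisms:
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain login
+
+##
+## Password and user databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static" userdb.
+#
+# <doc/wiki/UserDatabase.txt>
+
+#!include auth-deny.conf.ext
+#!include auth-master.conf.ext
+
+#!include auth-system.conf.ext
+!include auth-sql.conf.ext
+#!include auth-ldap.conf.ext
+#!include auth-passwdfile.conf.ext
+#!include auth-checkpassword.conf.ext
+#!include auth-vpopmail.conf.ext
+#!include auth-static.conf.ext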

+ 362
- 0
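--- a/roles/mailserver/files/etc_dovecot_conf.d_10-mail.conf
+++ b/roles/mailserver/files/etc_dovecot_conf.d_10-mail.conf
@@ -0,0 +1,362 @@
+##
+## Mailbox locations and namespaces
+##
+
+# Location for users' mailboxes. The default is empty, which means that Dovecot
+# tries to find the mailboxes automatically. This won't work if the user
+# doesn't yet have any mail, so you should explicitly tell Dovecot the full
+# location.
+#
+# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
+# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
+# kept. This is called the "root mail directory", and it must be the first
+# path given in the mail_location setting.
+#
+# There are a few special variables you can use, eg.:
+#
+#   %u - username
+#   %n - user part in user@domain, same as %u if there's no domain
+#   %d - domain part in user@domain, empty if there's no domain
+#   %h - home directory
+#
+# See doc/wiki/Variables.txt for full list. Some examples:
+#
+#   mail_location = maildir:~/Maildir
+#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
+#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
+#
+# <doc/wiki/MailLocation.txt>
+#
+mail_location = maildir:/decrypted-mail/%d/%n
+
+# If you need to set multiple mailbox locations or want to change default
+# namespace settings, you can do it by defining namespace sections.
+#
+# You can have private, shared and public namespaces. Private namespaces
+# are for user's personal mails. Shared namespaces are for accessing other
+# users' mailboxes that have been shared. Public namespaces are for shared
+# mailboxes that are managed by sysadmin. If you create any shared or public
+# namespaces you'll typically want to enable ACL plugin also, otherwise all
+# users can access all the shared mailboxes, assuming they have permissions
+# on filesystem level to do so.
+namespace inbox {
+  # Namespace type: private, shared or public
+  #type = private
+
+  # Hierarchy separator to use. You should use the same separator for all
+  # namespaces or some clients get confused. '/' is usually a good one.
+  # The default however depends on the underlying mail storage format.
+  #separator = 
+
+  # Prefix required to access this namespace. This needs to be different for
+  # all namespaces. For example "Public/".
+  #prefix = 
+
+  # Physical location of the mailbox. This is in same format as
+  # mail_location, which is also the default for it.
+  #location =
+
+  # There can be only one INBOX, and this setting defines which namespace
+  # has it.
+  inbox = yes
+
+  # If namespace is hidden, it's not advertised to clients via NAMESPACE
+  # extension. You'll most likely also want to set list=no. This is mostly
+  # useful when converting from another server with different namespaces which
+  # you want to deprecate but still keep working. For example you can create
+  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
+  #hidden = no
+
+  # Show the mailboxes under this namespace with LIST command. This makes the
+  # namespace visible for clients that don't support NAMESPACE extension.
+  # "children" value lists child mailboxes, but hides the namespace prefix.
+  #list = yes
+
+  # Namespace handles its own subscriptions. If set to "no", the parent
+  # namespace handles them (empty prefix should always have this as "yes")
+  #subscriptions = yes
+}
+
+# Example shared namespace configuration
+#namespace {
+  #type = shared
+  #separator = /
+
+  # Mailboxes are visible under "shared/user@domain/"
+  # %%n, %%d and %%u are expanded to the destination user.
+  #prefix = shared/%%u/
+
+  # Mail location for other users' mailboxes. Note that %variables and ~/
+  # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
+  # destination user's data.
+  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
+
+  # Use the default namespace for saving subscriptions.
+  #subscriptions = no
+
+  # List the shared/ namespace only if there are visible shared mailboxes.
+  #list = children
+#}
+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
+#mail_shared_explicit_inbox = yes
+
+# System user and group used to access mails. If you use multiple, userdb
+# can override these by returning uid or gid fields. You can use either numbers
+# or names. <doc/wiki/UserIds.txt>
+#mail_uid =
+#mail_gid =
+
+# Group to enable temporarily for privileged operations. Currently this is
+# used only with INBOX when either its initial creation or dotlocking fails.
+# Typically this is set to "mail" to give access to /var/mail.
+mail_privileged_group = vmail
+
+# Grant access to these supplementary groups for mail processes. Typically
+# these are used to set up access to shared mailboxes. Note that it may be
+# dangerous to set these if users can create symlinks (e.g. if "mail" group is
+# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
+# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
+#mail_access_groups =
+
+# Allow full filesystem access to clients. There's no access checks other than
+# what the operating system does for the active UID/GID. It works with both
+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
+# or ~user/.
+#mail_full_filesystem_access = no
+
+##
+## Mail processes
+##
+
+# Don't use mmap() at all. This is required if you store indexes to shared
+# filesystems (NFS or clustered filesystem).
+#mmap_disable = no
+
+# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
+# since version 3, so this should be safe to use nowadays by default.
+#dotlock_use_excl = yes
+
+# When to use fsync() or fdatasync() calls:
+#   optimized (default): Whenever necessary to avoid losing important data
+#   always: Useful with e.g. NFS when write()s are delayed
+#   never: Never use it (best performance, but crashes can lose data)
+#mail_fsync = optimized
+
+# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
+# whenever needed. If you're using only a single mail server this isn't needed.
+#mail_nfs_storage = no
+# Mail index files also exist in NFS. Setting this to yes requires
+# mmap_disable=yes and fsync_disable=no.
+#mail_nfs_index = no
+
+# Locking method for index files. Alternatives are fcntl, flock and dotlock.
+# Dotlocking uses some tricks which may create more disk I/O than other locking
+# methods. NFS users: flock doesn't work, remember to change mmap_disable.
+#lock_method = fcntl
+
+# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
+#mail_temp_dir = /tmp
+
+# Valid UID range for users, defaults to 500 and above. This is mostly
+# to make sure that users can't log in as daemons or other system users.
+# Note that denying root logins is hardcoded to dovecot binary and can't
+# be done even if first_valid_uid is set to 0.
+first_valid_uid = 0
+#last_valid_uid = 0
+
+# Valid GID range for users, defaults to non-root/wheel. Users having
+# non-valid GID as primary group ID aren't allowed to log in. If user
+# belongs to supplementary groups with non-valid GIDs, those groups are
+# not set.
+#first_valid_gid = 1
+#last_valid_gid = 0
+
+# Maximum allowed length for mail keyword name. It's only forced when trying
+# to create new keywords.
+#mail_max_keyword_length = 50
+
+# ':' separated list of directories under which chrooting is allowed for mail
+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
+# This setting doesn't affect login_chroot, mail_chroot or auth chroot
+# settings. If this setting is empty, "/./" in home dirs are ignored.
+# WARNING: Never add directories here which local users can modify, that
+# may lead to root exploit. Usually this should be done only if you don't
+# allow shell access for users. <doc/wiki/Chrooting.txt>
+#valid_chroot_dirs = 
+
+# Default chroot directory for mail processes. This can be overridden for
+# specific users in user database by giving /./ in user's home directory
+# (eg. /home/./user chroots into /home). Note that usually there is no real
+# need to do chrooting, Dovecot doesn't allow users to access files outside
+# their mail directory anyway. If your home directories are prefixed with
+# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
+#mail_chroot = 
+
+# UNIX socket path to master authentication server to find users.
+# This is used by imap (for shared users) and lda.
+#auth_socket_path = /var/run/dovecot/auth-userdb
+
+# Directory where to look up mail plugins.
+#mail_plugin_dir = /usr/lib/dovecot/modules
+
+# Space separated list of plugins to load for all services. Plugins specific to
+# IMAP, LDA, etc. are added to this list in their own .conf files.
+#mail_plugins = 
+
+##
+## Mailbox handling optimizations
+##
+
+# The minimum number of mails in a mailbox before updates are done to cache
+# file. This allows optimizing Dovecot's behavior to do less disk writes at
+# the cost of more disk reads.
+#mail_cache_min_mail_count = 0
+
+# When IDLE command is running, mailbox is checked once in a while to see if
+# there are any new mails or other changes. This setting defines the minimum
+# time to wait between those checks. Dovecot can also use dnotify, inotify and
+# kqueue to find out immediately when changes occur.
+#mailbox_idle_check_interval = 30 secs
+
+# Save mails with CR+LF instead of plain LF. This makes sending those mails
+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
+# But it also creates a bit more disk I/O which may just make it slower.
+# Also note that if other software reads the mboxes/maildirs, they may handle
+# the extra CRs wrong and cause problems.
+#mail_save_crlf = no
+
+# Max number of mails to keep open and prefetch to memory. This only works with
+# some mailbox formats and/or operating systems.
+#mail_prefetch_count = 0
+
+# How often to scan for stale temporary files and delete them (0 = never).
+# These should exist only after Dovecot dies in the middle of saving mails.
+#mail_temp_scan_interval = 1w
+
+##
+## Maildir-specific settings
+##
+
+# By default LIST command returns all entries in maildir beginning with a dot.
+# Enabling this option makes Dovecot return only entries which are directories.
+# This is done by stat()ing each entry, so it causes more disk I/O.
+# (For systems setting struct dirent->d_type, this check is free and it's
+# done always regardless of this setting)
+#maildir_stat_dirs = no
+
+# When copying a message, do it with hard links whenever possible. This makes
+# the performance much better, and it's unlikely to have any side effects.
+#maildir_copy_with_hardlinks = yes
+
+# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
+# when its mtime changes unexpectedly or when we can't find the mail otherwise.
+#maildir_very_dirty_syncs = no
+
+# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
+# getting the mail's physical size, except when recalculating Maildir++ quota.
+# This can be useful in systems where a lot of the Maildir filenames have a
+# broken size. The performance hit for enabling this is very small.
+#maildir_broken_filename_sizes = no
+
+##
+## mbox-specific settings
+##
+
+# Which locking methods to use for locking mbox. There are four available:
+#  dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
+#           solution. If you want to use /var/mail/ like directory, the users
+#           will need write access to that directory.
+#  dotlock_try: Same as dotlock, but if it fails because of permissions or
+#               because there isn't enough disk space, just skip it.
+#  fcntl  : Use this if possible. Works with NFS too if lockd is used.
+#  flock  : May not exist in all systems. Doesn't work with NFS.
+#  lockf  : May not exist in all systems. Doesn't work with NFS.
+#
+# You can use multiple locking methods; if you do the order they're declared
+# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
+# locking methods as well. Some operating systems don't allow using some of
+# them simultaneously.
+#mbox_read_locks = fcntl
+#mbox_write_locks = dotlock fcntl
+
+# Maximum time to wait for lock (all of them) before aborting.
+#mbox_lock_timeout = 5 mins
+
+# If dotlock exists but the mailbox isn't modified in any way, override the
+# lock file after this much time.
+#mbox_dotlock_change_timeout = 2 mins
+
+# When mbox changes unexpectedly we have to fully read it to find out what
+# changed. If the mbox is large this can take a long time. Since the change
+# is usually just a newly appended mail, it'd be faster to simply read the
+# new mails. If this setting is enabled, Dovecot does this but still safely
+# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
+# how it's expected to be. The only real downside to this setting is that if
+# some other MUA changes message flags, Dovecot doesn't notice it immediately.
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
+# commands.
+#mbox_dirty_syncs = yes
+
+# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
+# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
+#mbox_very_dirty_syncs = no
+
+# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
+# commands and when closing the mailbox). This is especially useful for POP3
+# where clients often delete all mails. The downside is that our changes
+# aren't immediately visible to other MUAs.
+#mbox_lazy_writes = yes
+
+# If mbox size is smaller than this (e.g. 100k), don't write index files.
+# If an index file already exists it's still read, just not updated.
+#mbox_min_index_size = 0
+
+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
+# algorithm, but it fails if the first Received: header isn't unique in all
+# mails. An alternative algorithm is "all" that selects all headers.
+#mbox_md5 = apop3d
+
+##
+## mdbox-specific settings
+##
+
+# Maximum dbox file size until it's rotated.
+#mdbox_rotate_size = 2M
+
+# Maximum dbox file age until it's rotated. Typically in days. Day begins
+# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
+#mdbox_rotate_interval = 0
+
+# When creating new mdbox files, immediately preallocate their size to
+# mdbox_rotate_size. This setting currently works only in Linux with some
+# filesystems (ext4, xfs).
+#mdbox_preallocate_space = no
+
+##
+## Mail attachments
+##
+
+# sdbox and mdbox support saving mail attachments to external files, which
+# also allows single instance storage for them. Other backends don't support
+# this for now.
+
+# WARNING: This feature hasn't been tested much yet. Use at your own risk.
+
+# Directory root where to store mail attachments. Disabled, if empty.
+#mail_attachment_dir =
+
+# Attachments smaller than this aren't saved externally. It's also possible to
+# write a plugin to disable saving specific attachments externally.
+#mail_attachment_min_size = 128k
+
+# Filesystem backend to use for saving attachments:
+#  posix : No SiS done by Dovecot (but this might help FS's own deduplication)
+#  sis posix : SiS with immediate byte-by-byte comparison during saving
+#  sis-queue posix : SiS with delayed comparison and deduplication
+#mail_attachment_fs = sis posix
+
+# Hash format to use in attachment filenames. You can add any text and
+# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
+# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
+#mail_attachment_hash = %{sha1}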
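Review bot: `first_valid_uid = 0` at line 164 removes the floor that the comment directly above it describes as the guard against logging in as daemons or other system users, leaving root as the only UID Dovecot still refuses. If this was lowered so that the vmail system account can own the mailboxes under /decrypted-mail, set it to that account's actual UID (or the lowest UID the userdb can return) rather than 0, and say why in a comment, e.g. `first_valid_uid = <vmail-uid>  # vmail is a system account below the 500 default`.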

+ 127
- 0
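--- a/roles/mailserver/files/etc_dovecot_conf.d_10-master.conf
+++ b/roles/mailserver/files/etc_dovecot_conf.d_10-master.conf
@@ -0,0 +1,127 @@
+#default_process_limit = 100
+#default_client_limit = 1000
+
+# Default VSZ (virtual memory size) limit for service processes. This is mainly
+# intended to catch and kill processes that leak memory before they eat up
+# everything.
+#default_vsz_limit = 256M
+
+# Login user is internally used by login processes. This is the most untrusted
+# user in Dovecot system. It shouldn't have access to anything at all.
+#default_login_user = dovenull
+
+# Internal user is used by unprivileged processes. It should be separate from
+# login user, so that login processes can't disturb other processes.
+default_internal_user = vmail
+
+service imap-login {
+  inet_listener imap {
+    port = 0
+  }
+
+  inet_listener imaps {
+    #port = 993
+    #ssl = yes
+  }
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  #service_count = 1
+
+  # Number of processes to always keep waiting for more connections.
+  #process_min_avail = 0
+
+  # If you set service_count=0, you probably need to grow this.
+  #vsz_limit = $default_vsz_limit
+}
+
+service pop3-login {
+  inet_listener pop3 {
+    port = 0
+  }
+
+  inet_listener pop3s {
+    #port = 995
+    #ssl = yes
+  }
+}
+
+service lmtp {
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+    mode = 0666
+    group = postfix
+    user = postfix
+  }
+
+  # Create inet listener only if you can't use the above UNIX socket
+  #inet_listener lmtp {
+    # Avoid making LMTP visible for the entire internet
+    #address =
+    #port = 
+  #}
+
+  user = vmail
+}
+
+service imap {
+  # Most of the memory goes to mmap()ing files. You may need to increase this
+  # limit if you have huge mailboxes.
+  #vsz_limit = $default_vsz_limit
+
+  # Max. number of IMAP processes (connections)
+  #process_limit = 1024
+}
+
+service pop3 {
+  # Max. number of POP3 processes (connections)
+  #process_limit = 1024
+}
+
+service auth {
+  # auth_socket_path points to this userdb socket by default. It's typically
+  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
+  # permissions make it readable only by root, but you may need to relax these
+  # permissions. Users that have access to this socket are able to get a list
+  # of all usernames and get results of everyone's userdb lookups.
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
+
+  unix_listener auth-userdb {
+    mode = 0660
+    user = vmail
+    group = vmail
+  }
+
+  # Postfix smtp-auth
+  #unix_listener /var/spool/postfix/private/auth {
+  #  mode = 0666
+  #}
+
+  # Auth process is run as this user.
+  user = vmail
+}
+
+service auth-worker {
+  # Auth worker process is run as root by default, so that it can access
+  # /etc/shadow. If this isn't necessary, the user should be changed to
+  # $default_internal_user.
+  #user = vmail
+
+  unix_listener auth-worker {
+    user = vmail # same as above, mode and group are supported too
+  }
+}
+
+service dict {
+  # If dict proxy is used, mail processes should have access to its socket.
+  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
+  unix_listener dict {
+    #mode = 0600
+    #user = 
+    #group = 
+  }
+}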
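Review bot: `service auth-worker` at lines 108-117 is left running as root, with `#user = vmail` at line 112 still commented, although 10-auth.conf in this same commit enables only auth-sql.conf.ext, so the worker presumably never needs /etc/shadow; uncomment `user = vmail` as the comment above it recommends, so the SQL passdb path does not run with root privileges. The explanatory comment at lines 82-86 is about the auth-userdb socket and its username-enumeration risk, but it now sits above the Postfix socket at line 87, while the stock Postfix block at lines 100-102 remains commented; move the Postfix listener below that comment (or drop the stale commented block) so the warning stays attached to the listener it describes.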

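--- a/roles/mailserver/files/etc_dovecot_conf.d_10-ssl.conf
+++ b/roles/mailserver/files/etc_dovecot_conf.d_10-ssl.conf
@@ -0,0 +1,50 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = required
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </etc/ssl/certs/wildcard_public_cert.crt
+ssl_key = </etc/ssl/private/wildcard_private.key
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+ssl_ca = /etc/ssl/certs/wildcard_ca.pem
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# How often to regenerate the SSL parameters file. Generation is quite CPU
+# intensive operation. The value is in hours, 0 disables regeneration
+# entirely.
+#ssl_parameters_regenerate = 168
+
+# SSL protocols to use
+#ssl_protocols = !SSLv2
+
+# SSL ciphers to use
+#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =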
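Review bot: `ssl_ca = /etc/ssl/certs/wildcard_ca.pem` on line 24 is missing the `<` file-read prefix that `ssl_cert` and `ssl_key` use, so Dovecot will take the path string itself as the PEM content instead of reading the file; the comment directly above gives the intended form, `ssl_ca = </etc/ssl/certs/wildcard_ca.pem`. That same comment says `ssl_ca` is only needed together with `ssl_verify_client_cert=yes`, which stays commented out here, so the line can simply be dropped unless client certificates are planned. With `ssl = required` in place, the protocol and cipher settings on lines 44 and 47 are left at the shown defaults, which exclude only SSLv2 and still allow SSLv3 and RC4/MD5 suites; consider `ssl_protocols = !SSLv2 !SSLv3` and `ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!MD5:!RC4`, assuming this is a 2.1/2.2-era Dovecot where those setting names apply.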

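--- a/roles/mailserver/files/etc_dovecot_conf.d_20-imap.conf
+++ b/roles/mailserver/files/etc_dovecot_conf.d_20-imap.conf
@@ -0,0 +1,64 @@
+##
+## IMAP specific settings
+##
+
+protocol imap {
+  # Maximum IMAP command line length. Some clients generate very long command
+  # lines with huge mailboxes, so you may need to raise this if you get
+  # "Too long argument" or "IMAP command line too large" errors often.
+  #imap_max_line_length = 64k
+
+  # Maximum number of IMAP connections allowed for a user from each IP address.
+  # NOTE: The username is compared case-sensitively.
+  #mail_max_userip_connections = 10
+
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins antispam fts fts_solr
+
+  # IMAP logout format string:
+  #  %i - total number of bytes read from client
+  #  %o - total number of bytes sent to client
+  #imap_logout_format = bytes=%i/%o
+
+  # Override the IMAP CAPABILITY response. If the value begins with '+',
+  # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+  #imap_capability = 
+
+  # How long to wait between "OK Still here" notifications when client is
+  # IDLEing.
+  #imap_idle_notify_interval = 2 mins
+
+  # ID field names and values to send to clients. Using * as the value makes
+  # Dovecot use the default value. The following fields have default values
+  # currently: name, version, os, os-version, support-url, support-email.
+  #imap_id_send = 
+
+  # ID fields sent by client to log. * means everything.
+  #imap_id_log =
+
+  # Workarounds for various client bugs:
+  #   delay-newmail:
+  #     Send EXISTS/RECENT new mail notifications only when replying to NOOP
+  #     and CHECK commands. Some clients ignore them otherwise, for example OSX
+  #     Mail (<v2.1). Outlook Express breaks more badly though, without this it
+  #     may show user "Message no longer in server" errors. Note that OE6 still
+  #     breaks even with this workaround if synchronization is set to
+  #     "Headers Only".
+  #   tb-extra-mailbox-sep:
+  #     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
+  #     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
+  #     ignore the extra '/' instead of treating it as invalid mailbox name.
+  #   tb-lsub-flags:
+  #     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
+  #     This makes Thunderbird realize they aren't selectable and show them
+  #     greyed out, instead of only later giving "not selectable" popup error.
+  #
+  # The list is space-separated.
+  #imap_client_workarounds = 
+}
+
+protocol lmtp {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins sieve
+  postmaster_address = postmaster@syntax.cc
+}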
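Review bot: The `protocol lmtp { ... }` block on lines 60–64 lives in a file whose header and name say "IMAP specific settings", where nobody looking for LMTP configuration will find it; Dovecot's stock layout keeps it in `conf.d/20-lmtp.conf`. If a stock `20-lmtp.conf` is also present on the host, the two files will both set `mail_plugins` for lmtp and, since `conf.d/*.conf` is parsed in sorted order, the later file silently wins — worth confirming against what the role installs. At minimum add a comment above the block, `# LMTP delivery settings (kept here rather than in 20-lmtp.conf); postmaster_address is required for sieve reject/bounce`, or move it into its own file.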

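--- a/roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf
+++ b/roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf
@@ -0,0 +1,26 @@
+##
+## Plugin settings
+##
+
+# All wanted plugins must be listed in mail_plugins setting before any of the
+# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
+# their configuration. Note that %variable expansion is done for all values.
+
+plugin {
+  # Antispam (DSPAM)
+  antispam_backend = dspam
+  antispam_allow_append_to_spam = YES
+  antispam_spam = Spam;Junk
+  antispam_trash = trash;Trash
+  antispam_signature = X-DSPAM-Signature
+  antispam_signature_missing = error
+  antispam_dspam_binary = /usr/bin/dspam
+  antispam_dspam_args = --user;%u;--deliver=;--source=error
+  antispam_dspam_spam = --class=spam
+  antispam_dspam_notspam = --class=innocent
+  antispam_dspam_result_header = X-DSPAM-Result
+
+  # FTS (full text search with Solr)
+  fts = solr
+  fts_solr = break-imap-search url=http://localhost:8080/solr/
+}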
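Review bot: `antispam_allow_append_to_spam = YES` on line 12 turns on a setting the antispam plugin ships disabled, and the commit gives no reason; the plugin rejects direct APPENDs into the Spam folders by default precisely so that a client cannot bypass or skew the copy/move-based training path, so enabling it should name the client that needs it, e.g. `# Allowed because <client> implements "move to Junk" as APPEND+EXPUNGE — TODO confirm`. The value is also written `YES` while every other boolean-ish value in these files is lowercase; `yes` keeps it consistent. The Solr URL on line 25 is plain http to localhost with no credentials, which is fine only if Solr is bound to the loopback interface — presumably the case, but not something this repository shows.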

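--- a/roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext
+++ b/roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext
@@ -0,0 +1,30 @@
+# Authentication for SQL users. Included from auth.conf.
+#
+# <doc/wiki/AuthDatabase.SQL.txt>
+
+passdb {
+  driver = sql
+
+  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
+  args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+# <doc/wiki/UserDatabase.Prefetch.txt>
+#userdb {
+#  driver = prefetch
+#}
+
+userdb {
+  driver = static
+  args = uid=vmail gid=vmail home=/decrypted-mail/%d/%n
+}
+
+# If you don't have any user-specific settings, you can avoid the user_query
+# by using userdb static instead of userdb sql, for example:
+# <doc/wiki/UserDatabase.Static.txt>
+#userdb {
+  #driver = static
+  #args = uid=vmail gid=vmail home=/var/vmail/%u
+#}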
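Review bot: The static userdb on line 21 builds the home directory from `%d/%n`; if a login name without a domain part ever reaches this userdb, `%d` expands to nothing and the path collapses to `/decrypted-mail//<user>`, so a bare `alice` and `alice@anydomain` would share a mailbox — acceptable only if `auth_username_format` or the SQL passdb guarantees a fully qualified user (that lives in 10-auth, outside this file, so confirm). A comment stating that assumption would help, e.g. `# home uses %d/%n: relies on every authenticated user carrying a domain`. Separately, `/etc/dovecot/dovecot-sql.conf.ext` referenced on line 9 holds the database credentials and is not part of this commit; the task that installs it should set it root-owned and mode 0600. The commented example on lines 27–30 indents its inner lines one level less than the block above it; aligning them is cosmetic but avoids confusion when someone uncomments it.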

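--- a/roles/mailserver/files/etc_dovecot_dovecot.conf
+++ b/roles/mailserver/files/etc_dovecot_dovecot.conf
@@ -0,0 +1,99 @@
+## Dovecot configuration file
+
+# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
+
+# "doveconf -n" command gives a clean output of the changed settings. Use it
+# instead of copy&pasting files when posting to the Dovecot mailing list.
+
+# '#' character and everything after it is treated as comments. Extra spaces
+# and tabs are ignored. If you want to use either of these explicitly, put the
+# value inside quotes, eg.: key = "# char and trailing whitespace  "
+
+# Default values are shown for each setting, it's not required to uncomment
+# those. These are exceptions to this though: No sections (e.g. namespace {})
+# or plugin settings are added by default, they're listed only as examples.
+# Paths are also just examples with the real defaults being based on configure
+# options. The paths listed here are for configure --prefix=/usr
+# --sysconfdir=/etc --localstatedir=/var
+
+# Enable installed protocols
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+
+# A comma separated list of IPs or hosts where to listen in for connections. 
+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+# If you want to specify non-default ports or anything more complex,
+# edit conf.d/master.conf.
+#listen = *, ::
+
+# Base directory where to store runtime data.
+#base_dir = /var/run/dovecot/
+
+# Name of this instance. In multi-instance setup doveadm and other commands
+# can use -i <instance_name> to select which instance is used (an alternative
+# to -c <config_path>). The instance name is also added to Dovecot processes
+# in ps output.
+#instance_name = dovecot
+
+# Greeting message for clients.
+#login_greeting = Dovecot ready.
+
+# Space separated list of trusted network ranges. Connections from these
+# IPs are allowed to override their IP addresses and ports (for logging and
+# for authentication checks). disable_plaintext_auth is also ignored for
+# these networks. Typically you'd specify your IMAP proxy servers here.
+#login_trusted_networks =
+
+# Sepace separated list of login access check sockets (e.g. tcpwrap)
+#login_access_sockets = 
+
+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
+# proxying. This isn't necessary normally, but may be useful if the destination
+# IP is e.g. a load balancer's IP.
+#auth_proxy_self =
+
+# Show more verbose process titles (in ps). Currently shows user name and
+# IP address. Useful for seeing who are actually using the IMAP processes
+# (eg. shared mailboxes or if same uid is used for multiple accounts).
+#verbose_proctitle = no
+
+# Should all processes be killed when Dovecot master process shuts down.
+# Setting this to "no" means that Dovecot can be upgraded without
+# forcing existing client connections to close (although that could also be
+# a problem if the upgrade is e.g. because of a security fix).
+#shutdown_clients = yes
+
+# If non-zero, run mail commands via this many connections to doveadm server,
+# instead of running them directly in the same process.
+#doveadm_worker_count = 0
+# UNIX socket or host:port used for connecting to doveadm server
+#doveadm_socket_path = doveadm-server
+
+# Space separated list of environment variables that are preserved on Dovecot
+# startup and passed down to all of its child processes. You can also give
+# key=value pairs to always set specific settings.
+#import_environment = TZ
+
+##
+## Dictionary server settings
+##
+
+# Dictionary can be used to store key=value lists. This is used by several
+# plugins. The dictionary can be accessed either directly or though a
+# dictionary server. The following dict block maps dictionary names to URIs
+# when the server is used. These can then be referenced using URIs in format
+# "proxy::<name>".
+
+dict {
+  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+}
+
+# Most of the actual configuration gets included below. The filenames are
+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
+# in filenames are intended to make it easier to understand the ordering.
+!include conf.d/*.conf
+
+# A config file can also tried to be included without giving an error if
+# it's not found:
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+protocols = imap lmtp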
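Review bot: `!include_try /usr/share/dovecot/protocols.d/*.protocol` appears twice, on line 20 and again on line 98, and the second copy is followed on line 99 by `protocols = imap lmtp` with no comment; the duplicate include is harmless but misleading, and the explicit `protocols` line, sitting after `!include conf.d/*.conf`, is what actually limits the daemon to IMAP and LMTP regardless of what the per-protocol snippets or any conf.d file set (last assignment wins in Dovecot's config, as far as I can tell). Drop line 98, move `protocols = imap lmtp` up under the "Enable installed protocols" include on line 20, and note why it is pinned: `# Explicitly restrict to imap and lmtp; pop3 is not offered even if its .protocol snippet is installed`. The unused `dict { }` block on lines 86–89 with both entries commented could go too, since the header comment says sections are only added as examples.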

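--- a/roles/mailserver/files/etc_dspam_default.prefs
+++ b/roles/mailserver/files/etc_dspam_default.prefs
@@ -0,0 +1,43 @@
+# $Id: default.prefs,v 1.2 2011/04/19 07:17:03 sbajic Exp $
+# default.prefs v3.2
+# Default preferences for DSPAM
+
+# This file serves two purposes. First, it sets the default preferences each
+# user will see when using the preferences section of the DSPAM Control
+# Center. Second, it may be symbolically linked (or copied) into DSPAM_HOME to
+# set the system-wide default preferences, overriding any commandline or
+# dspam.conf parameters. If symlinked, an administrator can edit these options 
+# in the DSPAM Administrative Suite.
+
+# Training Mode: TEFT, TOE, TUM, NOTRAIN
+trainingMode=TEFT
+
+# Spam Action: quarantine, tag, deliver
+spamAction=deliver         # { quarantine | tag | deliver } -> default:quarantine
+
+# Spam Subject: the text to be prepended onto the subject line of tagged spams
+spamSubject=[SPAM]
+
+# Bayesian Noise Reduction: on/off
+enableBNR=on
+
+# Automatic Whitelisting: on/off
+enableWhitelist=on
+
+# Statistical Sedation: 0-10
+statisticalSedation=5
+
+# Signature Location: message, headers, attachment
+signatureLocation=headers  # { message | headers } -> default:message
+
+# Whitelist Threshold: the minimum number of innocent hits from a recipient to
+# be automatically whitelisted. Do not set this value too low!
+whitelistThreshold=10
+
+# showFactors: when set to on, the determining factors for each message will
+# be added to a X-DSPAM-Factors message header.
+showFactors=on
+
+# optIn/optOut: Depending on the opt mode set, you can also use one of these.
+#optIn=on
+#optOut=off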
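Review bot: The trailing `# { quarantine | tag | deliver } -> default:quarantine` on line 16 and `# { message | headers } -> default:message` on line 31 were copied from the `Preference` lines in dspam.conf, but this file is read by DSPAM's flat-file preference loader, not the dspam.conf parser, and I am not confident that loader strips end-of-line comments; if it does not, `spamAction` becomes the string `deliver         # { quarantine ...` and falls through to the quarantine default, silently reversing the intent. Putting those remarks on their own `#` line above the setting, as every other comment in this file is, removes the doubt. Note also that this file says `spamAction=deliver` and `showFactors=on` while dspam.conf sets `Preference "spamAction=tag"` and `Preference "showFactors=off"`; by this file's own header the copy installed into DSPAM_HOME overrides dspam.conf, so either make the two agree or add a comment saying which one is meant to win.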

+ 699
- 0
roles/mailserver/files/etc_dspam_dspam.conf View File

@@ -0,0 +1,699 @@
1
+## $Id: dspam.conf.in,v 1.100 2011/07/09 00:00:52 sbajic Exp $
2
+## dspam.conf -- DSPAM configuration file
3
+##
4
+
5
+#
6
+# DSPAM Home: Specifies the base directory to be used for DSPAM storage
7
+#
8
+Home /var/spool/dspam
9
+
10
+#
11
+# StorageDriver: Specifies the storage driver backend (library) to use.
12
+# You'll only need to set this if you are using dynamic storage driver plugins
13
+# from a binary distribution. The default build statically links the storage
14
+# driver (when only one is specified at configure time), overriding this
15
+# setting, which only comes into play if multiple storage drivers are specified
16
+# at configure time. When using dynamic linking, be sure to include the path
17
+# to the library if necessary, and some systems may use an extension other
18
+# than .so (e.g. OSX uses .dylib).
19
+#
20
+# Options include:
21
+#
22
+#   libmysql_drv.so     libpgsql_drv.so
23
+#   libsqlite3_drv.so   libhash_drv.so
24
+#
25
+# IMPORTANT: Switching storage drivers requires more than merely changing
26
+# this option. If you do not wish to lose all of your data, you will need to
27
+# migrate it to the new backend before making this change.
28
+#
29
+StorageDriver /usr/lib/x86_64-linux-gnu/dspam/libhash_drv.so
30
+
31
+#
32
+# Trusted Delivery Agent: Specifies the local delivery agent DSPAM should call
33
+# when delivering mail as a trusted user. Use %u to specify the user DSPAM is
34
+# processing mail for. It is generally a good idea to allow the MTA to specify
35
+# the pass-through arguments at run-time, but they may also be specified here.
36
+#
37
+# Most operating system defaults:
38
+#TrustedDeliveryAgent "/usr/bin/procmail"       # Linux
39
+#TrustedDeliveryAgent "/usr/bin/mail"           # Solaris
40
+#TrustedDeliveryAgent "/usr/libexec/mail.local" # FreeBSD
41
+#TrustedDeliveryAgent "/usr/bin/procmail"       # Cygwin
42
+#
43
+# Other popular configurations:
44
+#TrustedDeliveryAgent "/usr/cyrus/bin/deliver"	# Cyrus
45
+#TrustedDeliveryAgent "/bin/maildrop"		# Maildrop
46
+#TrustedDeliveryAgent "/usr/local/sbin/exim -oMr spam-scanned -oi" # Exim
47
+#
48
+TrustedDeliveryAgent "/usr/sbin/sendmail"
49
+
50
+#
51
+# Untrusted Delivery Agent: Specifies the local delivery agent and arguments
52
+# DSPAM should use when delivering mail and running in untrusted user mode.
53
+# Because DSPAM will not allow pass-through arguments to be specified to
54
+# untrusted users, all arguments should be specified here. Use %u to specify
55
+# the user DSPAM is processing mail for. This configuration parameter is only
56
+# necessary if you plan on allowing untrusted processing.
57
+#
58
+UntrustedDeliveryAgent "/usr/lib/dovecot/deliver -d %u"
59
+
60
+#
61
+# SMTP or LMTP Delivery: Alternatively, you may wish to use SMTP or LMTP
62
+# delivery to deliver your message to the mail server instead of using a
63
+# delivery agent. You will need to configure with --enable-daemon to use host
64
+# delivery, however you do not need to operate in daemon mode. Specify an IP
65
+# address or UNIX path to a domain socket below as a host.
66
+#
67
+# If you would like to set up DeliveryHost's on a per-domain basis, use
68
+# the syntax: DeliveryHost.domain.com 1.2.3.4
69
+#
70
+#DeliveryHost		127.0.0.1
71
+#DeliveryPort		2424
72
+#DeliveryIdent		localhost
73
+#DeliveryProto		LMTP
74
+
75
+#
76
+# FallbackDomains: If you want to specify certain domains as fallback domains,
77
+# enable this option. For example, you could create a user @domain.com, and
78
+# if bob@domain.com does not resolve to a known user on the system, the user
79
+# could default to your @domain.com user. NOTE: This also requires designating
80
+# fallbackDomain for the domain name;
81
+# e.g. dspam_admin ch pref domain.com fallbackDomain on
82
+#
83
+#FallbackDomains on
84
+
85
+#
86
+# Quarantine Agent: DSPAM's default behavior is to quarantine all mail it
87
+# thinks is spam. If you wish to override this behavior, you may specify
88
+# a quarantine agent which will be called with all messages DSPAM thinks is
89
+# spam. Use %u to specify the user DSPAM is processing mail for.
90
+#
91
+#QuarantineAgent	"/usr/bin/procmail -d spam"
92
+
93
+#
94
+# DSPAM can optionally process "plused users" (addresses in the user+detail
95
+# form) by truncating the username just before the "+", so all internal
96
+# processing occurs for "user", but delivery will be performed for
97
+# "user+detail". This is only useful if the LDA can handle "plused users"
98
+# (for example Cyrus IMAP) and when configured for LMTP delivery above
99
+#
100
+#EnablePlusedDetail	on
101
+
102
+#
103
+# Character to use as seperator between user names and address extensions.
104
+# If you change this value then please adjust QuarantineMailbox to use the
105
+# new specified character. The default is '+'.
106
+#
107
+#PlusedCharacter	+
108
+
109
+#
110
+# Turn this feature on if you want to force DSPAM to lowercase the "plused
111
+# users" username.
112
+#
113
+#PlusedUserLowercase	on
114
+
115
+#
116
+# Quarantine Mailbox: DSPAM's LMTP code can send spam mail using LMTP to a
117
+# "plused" mailbox (such as user+quarantine) leaving quarantine processing
118
+# for retraining or deletion to be performed by the LDA and the mail client.
119
+# "plused" mailboxes are supported by Cyrus IMAP and possibly other LDAs. If
120
+# you don't set/change PlusedCharacter then the mailbox name must have the +
121
+# since the + is the default used character.
122
+#
123
+#QuarantineMailbox	+quarantine
124
+
125
+#
126
+# OnFail: What to do if local delivery or quarantine should fail. If set
127
+# to "unlearn", DSPAM will unlearn the message prior to exiting with an
128
+# un successful return code. The default option, "error" will not unlearn
129
+# the message but return the appropriate error code. The unlearn option
130
+# is use-ful on some systems where local delivery failures will cause the
131
+# message to be requeued for delivery, and could result in the message
132
+# being processed multiple times. During a very large failure, however,
133
+# this could cause a significant load increase.
134
+#
135
+OnFail error
136
+
137
+#
138
+# Trusted Users: Only the users specified below will be allowed to perform
139
+# administrative functions in DSPAM such as setting the active user and
140
+# accessing tools. All other users attempting to run DSPAM will be restricted;
141
+# their uids will be forced to match the active username and they will not be
142
+# able to specify delivery agent privileges or use tools.
143
+#
144
+Trust root
145
+Trust dspam
146
+Trust www-data
147
+Trust mail
148
+Trust daemon
149
+Trust amavis
150
+Trust vmail
151
+#Trust nobody
152
+#Trust majordomo
153
+
154
+#
155
+# Debugging: Enables debugging for some or all users. IMPORTANT: DSPAM must
156
+# be compiled with debug support in order to use this option. DSPAM should
157
+# never be running in production with debug active unless you are
158
+# troubleshooting problems.
159
+#
160
+# DebugOpt: One or more of: process, classify, spam, fp, inoculation, corpus
161
+#   process     standard message processing
162
+#   classify    message classification using --classify
163
+#   spam        error correction of missed spam
164
+#   fp          error correction of false positives
165
+#   inoculation message inoculations (source=inoculation)
166
+#   corpus      corpusfed messages (source=corpus)
167
+#
168
+#Debug *
169
+#Debug bob bill
170
+#
171
+#DebugOpt process spam fp
172
+
173
+#
174
+# ClassAlias: Alias a particular class to spam/nonspam. This is useful if
175
+# classifying things other than spam.
176
+#
177
+#ClassAliasSpam badstuff
178
+#ClassAliasNonspam goodstuff
179
+
180
+#
181
+# Training Mode: The default training mode to use for all operations, when
182
+# one has not been specified on the commandline or in the user's preferences.
183
+# Acceptable values are:
184
+#     toe     Train on Error (Only)
185
+#     teft    Train Everything (Trains on every message)
186
+#     tum     Train Until Mature (Train only tokens without enough data)
187
+#     notrain Do not train or store signatures (large ISP systems, post-train)
188
+#
189
+TrainingMode teft
190
+
191
+#
192
+# TestConditionalTraining: By default, dspam will retrain certain errors
193
+# until the condition is no longer met. This usually accelerates learning.
194
+# Some people argue that this can increase the risk of errors, however.
195
+#
196
+TestConditionalTraining on
197
+
198
+#
199
+# Features: Specify features to activate by default; can also be specified
200
+# on the commandline. See the documentation for a list of available features.
201
+# If _any_ features are specified on the commandline, these are ignored.
202
+#
203
+#Feature noise
204
+Feature whitelist
205
+
206
+# Training Buffer: The training buffer waters down statistics during training.
207
+# It is designed to prevent false positives, but can also dramatically reduce
208
+# dspam's catch rate during initial training. This can be a number from 0
209
+# (no buffering) to 10 (maximum buffering). If you are paranoid about false
210
+# positives, you should probably enable this option.
211
+#
212
+#Feature tb=5
213
+
214
+#
215
+# Algorithms: Specify the statistical algorithms to use, overriding any
216
+# defaults configured in the build. The options are:
217
+#    naive       Naive-Bayesian (All Tokens)
218
+#    graham      Graham-Bayesian ("A Plan for Spam")
219
+#    burton      Burton-Bayesian (SpamProbe)
220
+#    robinson    Robinson's Geometric Mean Test (Obsolete)
221
+#    chi-square  Fisher-Robinson's Chi-Square Algorithm
222
+#
223
+# You may have multiple algorithms active simultaneously, but it is strongly
224
+# recommended that you group Bayesian algorithms with other Bayesian
225
+# algorithms, and any use of Chi-Square remain exclusive.
226
+#
227
+# NOTE: For standard "CRM114" Markovian weighting, use 'naive', or consider
228
+#       using 'burton' for slightly better accuracy
229
+#
230
+# Don't mess with this unless you know what you're doing
231
+#
232
+#Algorithm chi-square
233
+#Algorithm naive
234
+Algorithm graham burton
235
+
236
+#
237
+# Tokenizer: Specify the tokenizer to use. The tokenizer is the piece
238
+# responsible for parsing the message into individual tokens. Depending on
239
+# how many resources you are willing to trade off vs. accuracy, you may
240
+# choose to use a less or more detailed tokenizer:
241
+#   word    uniGram (single word) tokenizer
242
+#           Tokenizes message into single individual words/tokens
243
+#           example: "free" and "viagra"
244
+#   chain   biGram (chained tokens) tokenizer (default)
245
+#           Single words + chains adjacent tokens together
246
+#           example: "free" and "viagra" and "free viagra"
247
+#   sbph    Sparse Binary Polynomial Hashing tokenizer
248
+#           Creates sparse token patterns across sliding window of 5-tokens
249
+#           example: "the quick * fox jumped" and "the * * fox jumped"
250
+#   osb     Orthogonal Sparse biGram tokenizer
251
+#           Similar to SBPH, but only uses the biGrams
252
+#           example: "the * * fox" and "the * * * jumped"
253
+#
254
+# In general the reccomendation is to use 'osb' for new installations.
255
+# The default value of 'chain' remains here as not to surprise anyone upgrading
256
+# that has not changed from the default value.
257
+#
258
+Tokenizer chain
259
+
260
+#
261
+# PValue: Specify the technique used for calculating Probability Values,
262
+# overriding any defaults configured in the build. These options are:
263
+#    bcr         Bayesian Chain Rule (Graham's Technique - "A Plan for Spam")
264
+#    robinson    Robinson's Technique (used in Chi-Square)
265
+#    markov      Markovian Weighted Technique (for Markovian discrimination)
266
+#
267
+# Unlike the "Algorithms" property, you may only have one of these defined.
268
+# Use of the chi-square algorithm automatically changes this to robinson.
269
+#
270
+# Don't mess with this unless you know what you're doing.
271
+#
272
+#PValue robinson
273
+#PValue markov
274
+PValue bcr
275
+
276
+#
277
+# WebStats: Enable this if you are using the CGI, which writes .stats files
278
+WebStats on
279
+
280
+#
281
+# ImprobabilityDrive: Calculate odds-ratios for ham/spam, and add to
282
+# X-DSPAM-Improbability headers
283
+#
284
+#ImprobabilityDrive on
285
+
286
+#
287
+# Preferences: Specify any preferences to set by default, unless otherwise
288
+# overridden by the user (see next section) or a default.prefs file.
289
+# If user or default.prefs are found, the user's preferences will override any
290
+# defaults.
291
+#
292
+Preference "trainingMode=TEFT"		# { TOE | TUM | TEFT | NOTRAIN } -> default:teft
293
+Preference "spamAction=tag"		# { quarantine | tag | deliver } -> default:quarantine
294
+Preference "spamSubject=[SPAM]"		# { string } -> default:[SPAM]
295
+Preference "statisticalSedation=5"	# { 0 - 10 } -> default:0
296
+Preference "enableBNR=on"		# { on | off } -> default:off
297
+Preference "enableWhitelist=on"		# { on | off } -> default:on
298
+Preference "signatureLocation=headers"	# { message | headers } -> default:message
299
+Preference "tagSpam=off"		# { on | off }
300
+Preference "tagNonspam=off"		# { on | off }
301
+Preference "showFactors=off"		# { on | off } -> default:off
302
+Preference "optIn=off"			# { on | off }
303
+Preference "optOut=off"			# { on | off }
304
+Preference "whitelistThreshold=10"	# { Integer } -> default:10
305
+Preference "makeCorpus=off"		# { on | off } -> default:off
306
+Preference "storeFragments=off"		# { on | off } -> default:off
307
+Preference "localStore="		# { on | off } -> default:username
308
+Preference "processorBias=on"		# { on | off } -> default:on
309
+Preference "fallbackDomain=off"		# { on | off } -> default:off
310
+Preference "trainPristine=off"		# { on | off } -> default:off
311
+Preference "optOutClamAV=off"		# { on | off } -> default:off
312
+Preference "ignoreRBLLookups=off"	# { on | off } -> default:off
313
+Preference "RBLInoculate=off"		# { on | off } -> default:off
314
+Preference "notifications=off"		# { on | off } -> default:off
315
+
316
+#
317
+# Overrides: Specifies the user preferences which may override configuration
318
+# and commandline defaults. Any other preferences supplied by an untrusted user
319
+# will be ignored.
320
+#
321
+AllowOverride enableBNR
322
+AllowOverride enableWhitelist
323
+AllowOverride fallbackDomain
324
+AllowOverride ignoreGroups
325
+AllowOverride ignoreRBLLookups
326
+AllowOverride localStore
327
+AllowOverride makeCorpus
328
+AllowOverride optIn
329
+AllowOverride optOut
330
+AllowOverride optOutClamAV
331
+AllowOverride processorBias
332
+AllowOverride RBLInoculate
333
+AllowOverride showFactors
334
+AllowOverride signatureLocation
335
+AllowOverride spamAction
336
+AllowOverride spamSubject
337
+AllowOverride statisticalSedation
338
+AllowOverride storeFragments
339
+AllowOverride tagNonspam
340
+AllowOverride tagSpam
341
+AllowOverride trainPristine
342
+AllowOverride trainingMode
343
+AllowOverride whitelistThreshold
344
+AllowOverride dailyQuarantineSummary
345
+AllowOverride notifications
346
+
347
+# --- Profiles ---
348
+
349
+#
350
+# You can specify multiple storage profiles, and specify the server to
351
+# use on the commandline with --profile. For example:
352
+#
353
+#Profile DECAlpha
354
+#MySQLServer.DECAlpha	10.0.0.1
355
+#MySQLPort.DECAlpha	3306
356
+#MySQLUser.DECAlpha	dspam
357
+#MySQLPass.DECAlpha	changeme
358
+#MySQLDb.DECAlpha	dspam
359
+#MySQLCompress.DECAlpha	true
360
+#MySQLReconnect.DECAlpha	true
361
+#
362
+#Profile Sun420R
363
+#MySQLServer.Sun420R	10.0.0.2
364
+#MySQLPort.Sun420R	3306
365
+#MySQLUser.Sun420R	dspam
366
+#MySQLPass.Sun420R	changeme
367
+#MySQLDb.Sun420R	dspam
368
+#MySQLCompress.Sun420R	false
369
+#MySQLReconnect.Sun420R	true
370
+#
371
+#DefaultProfile	DECAlpha
372
+
373
+#
374
+# If you're using storage profiles, you can set failovers for each profile.
375
+# Of course, if you'll be failing over to another database, that database
376
+# must have the same information as the first. If you're using a global
377
+# database with no training, this should be relatively simple. If you're
378
+# configuring per-user data, however, you'll need to set up some type of
379
+# replication between databases.
380
+#
381
+#Failover.DECAlpha	SUN420R
382
+#Failover.Sun420R	DECAlpha
383
+
384
+# If the storage fails, the agent will follow each profile's failover up to
385
+# a maximum number of failover attempts. This should be set to a maximum of
386
+# the number of profiles you have, otherwise the agent could loop and try
387
+# the same profile multiple times (unless this is your desired behavior).
388
+#
389
+#FailoverAttempts	1
390
+
391
+#
392
+# Ignored headers: If DSPAM is behind other tools which may add a header to
393
+# incoming emails, it may be beneficial to ignore these headers - especially
394
+# if they are coming from another spam filter. If you are _not_ using one of
395
+# these tools, however, leaving the appropriate headers commented out will
396
+# allow DSPAM to use them as telltale signs of forged email.
397
+#
398
+#IgnoreHeader X-Spam-Status
399
+#IgnoreHeader X-Spam-Scanned
400
+#IgnoreHeader X-Virus-Scanner-Result
401
+
402
+#
403
+# Lookup: Perform lookups on streamlined blackhole list servers (see
404
+# http://www.nuclearelephant.com/projects/sbl/). The streamlined blacklist
405
+# server is machine-automated, unsupervised blacklisting system designed to
406
+# provide real-time and highly accurate blacklisting based on network spread.
407
+# When performing a lookup, DSPAM will automatically learn the inbound message
408
+# as spam if the source IP is listed. Until an official public RABL server is
409
+# available, this feature is only useful if you are running your own
410
+# streamlined blackhole list server for internal reporting among multiple mail
411
+# servers. Provide the name of the lookup zone below to use.
412
+#
413
+# This function performs standard reverse-octet.domain lookups, and while it
414
+# will function with many RBLs, it's strongly discouraged to use those
415
+# maintained by humans as they're often inaccurate and could hurt filter
416
+# learning and accuracy.
417
+#
418
+#Lookup		"sbl.yourdomain.com"
419
+
420
+#
421
+# RBLInoculate: If you want to inoculate the user from RBL'd messages it would
422
+# have otherwise missed, set this to on.
423
+#
424
+#RBLInoculate	off
425
+
426
+#
427
+# Notifications: Enable the sending of notification emails to users (first
428
+# message, quarantine full, etc.)
429
+#
430
+Notifications	off
431
+
432
+#
433
+# QuarantineWarnSize: You may specify a size when DSPAM should send a "Quarantine
434
+# Full" message to each user. This is only working if you enable notifications
435
+# (see above). Value is in bytes. Default is 2097152 -> 2MB.
436
+#
437
+#QuarantineWarnSize 2097152
438
+
439
+#
440
+# Purge configuration: Set dspam_clean purge default options, if not otherwise
441
+# specified on the commandline
442
+#
443
+PurgeSignatures 14	# Stale signatures
444
+PurgeNeutral	90	# Tokens with neutralish probabilities
445
+PurgeUnused	90	# Unused tokens
446
+PurgeHapaxes	30	# Tokens with less than 5 hits (hapaxes)
447
+PurgeHits1S	15	# Tokens with only 1 spam hit
448
+PurgeHits1I	15	# Tokens with only 1 innocent hit
449
+
450
+#
451
+# Purge configuration for SQL-based installations using purge.sql
452
+#
453
+#PurgeSignature	off	# Specified in purge.sql
454
+#PurgeNeutral	90
455
+#PurgeUnused	off	# Specified in purge.sql
456
+#PurgeHapaxes	off	# Specified in purge.sql
457
+#PurgeHits1S	off	# Specified in purge.sql
458
+#PurgeHits1I	off	# Specified in purge.sql
459
+
460
+#
461
+# Local Mail Exchangers: Used for source address tracking, tells DSPAM which
462
+# mail exchangers are local and therefore should be ignored in the Received:
463
+# header when tracking the source of an email. Note: you should use the address
464
+# of the host as appears between brackets [ ] in the Received header.
465
+# By default DSPAM is considering the following IPs always as LocalMX:
466
+#	10.0.0.0/8	- Private IP addresses (RFC 1918)
467
+#	127.0.0.0/8	- Localhost Loopback Address (RFC 1700)
468
+#	169.254.0.0/16	- Zeroconf / APIPA (RFC 3330)
469
+#	172.16.0.0/12	- Private IP addresses (RFC 1918)
470
+#	192.168.0.0/16	- Private IP addresses (RFC 1918)
471
+#
472
+LocalMX 127.0.0.1
473
+
474
+#
475
+# Logging: Disabling logging for users will make usage graphs unavailable to
476
+# them. Disabling system logging will make admin graphs unavailable.
477
+#
478
+SystemLog	on
479
+UserLog		on
480
+
481
+#
482
+# TrainPristine: for systems where the original message remains server side
483
+# and can therefore be presented in pristine format for retraining. This option
484
+# will cause DSPAM to cease all writing of signatures and DSPAM headers to the
485
+# message, and deliver the message in as pristine format as possible. This mode
486
+# REQUIRES that the original message in its pristine format (as of delivery)
487
+# be presented for retraining, as in the case of webmail, imap, or other
488
+# applications where the message is actually kept server-side during reading,
489
+# and is preserved. DO NOT use this switch unless the original message can be
490
+# presented for retraining with the ORIGINAL HEADERS and NO MODIFICATIONS.
491
+#
492
+# NOTE: You can't use this setting with dspam_trian; if you're going to use it,
493
+#       wait until after you train any corpora.
494
+#
495
+#TrainPristine on
496
+
497
+#
498
+# Opt: in or out; determines DSPAM's default filtering behavior. If this value
499
+# is set to in, users must opt-in to filtering by dropping a .dspam file in
500
+# /var/dspam/opt-in/user.dspam (or if you have homedirs configured, a .dspam
501
+# folder in their home directory).  The default is opt-out, which means all
502
+# users will be filtered unless a .nodspam file is dropped in
503
+# /var/dspam/opt-out/user.nodspam
504
+#
505
+Opt out
506
+
507
+#
508
+# TrackSources: specify which (if any) source addresses to track and report
509
+# them to syslog (mail.info). This is useful if you're running a firewall or
510
+# blacklist and would like to use this information. Spam reporting also drops
511
+# RABL blacklist files (see http://www.nuclearelephant.com/projects/rabl/).
512
+#
513
+#TrackSources spam nonspam virus
514
+
515
+#
516
+# ParseToHeaders: In lieu of setting up individual aliases for each user,
517
+# DSPAM can be configured to automatically parse the To: address for spam and
518
+# false positive forwards. From there, it can be configured to either set the
519
+# DSPAM user based on the username specified in the header and/or change the
520
+# training class and source accordingly. The options below can be used to
521
+# customize most common types of header parsing behavior to avoid the need for
522
+# multiple aliases, or if using LMTP, aliases entirely..
523
+#
524
+# ParseToHeader: Parse the To: headers of an incoming message. This must be
525
+#                set to 'on' to use either of the following features.
526
+#
527
+# ChangeModeOnParse: Automatically change the class (to spam or innocent)
528
+#   depending on whether spam- or notspam- was specified, and change the source
529
+#   to 'error'. This is convenient if you're not using aliases at all, but
530
+#   are delivering via LMTP.
531
+#
532
+# ChangeUserOnParse: Automatically change the username to match that specified
533
+#   in the To: header. For example, spam-bob@domain.tld will set the username
534
+#   to bob, ignoring any --user passed in. This may not always be desirable if
535
+#   you are using virtual email addresses as usernames. Options:
536
+#     on or user	take the portion before the @ sign only
537
+#     full		take everything after the initial {spam,notspam}-.
538
+#
539
+#ParseToHeaders on
540
+#ChangeModeOnParse on
541
+#ChangeUserOnParse on
542
+
543
+#
544
+# Broken MTA Options: Some MTAs don't support the proper functionality
545
+# necessary. In these cases you can activate certain features in DSPAM to
546
+# compensate. 'returnCodes' causes DSPAM to return an exit code of 99 if
547
+# the message is spam, 0 if not, or a negative code if an error has occured.
548
+# Specifying 'case' causes DSPAM to force the input usernames to lowercase.
549
+# Specifying 'lineStripping' causes DSPAM to strip ^M's from messages passed
550
+# in.
551
+#
552
+#Broken returnCodes
553
+#Broken case
554
+#Broken lineStripping
555
+
556
+#
557
+# MaxMessageSize: You may specify a maximum message size for DSPAM to process.
558
+# If the message is larger than the maximum size, it will be delivered
559
+# without processing. Value is in bytes.
560
+#
561
+#MaxMessageSize 4194304
562
+
563
+# --- ClamAV ---
564
+
565
+#
566
+# Virus Checking: If you are running clamd, DSPAM can perform stream-based
567
+# virus checking using TCP. Uncomment the values below to enable virus
568
+# checking.
569
+#
570
+# ClamAVResponse: reject (reject or drop the message with a permanent failure)
571
+#                 accept (accept the message and quietly drop the message)
572
+#                 spam   (treat as spam and quarantine/tag/whatever)
573
+#
574
+#ClamAVPort		3310
575
+#ClamAVHost		127.0.0.1
576
+#ClamAVResponse		accept
577
+
578
+# --- CLIENT / SERVER ---
579
+
580
+#
581
+# Daemonized Server: If you are running DSPAM as a daemonized server using
582
+# --daemon, the following parameters will override the default. Use the
583
+# ServerPass option to set up accounts for each client machine. The DSPAM
584
+# server will process and deliver the message based on the parameters
585
+# specified. If you want the client machine to perform delivery, use
586
+# the --stdout option in conjunction with a local setup.
587
+#
588
+# ServerHost: Not enabling ServerHost will bind DSPAM server to all available
589
+# interfaces.
590
+#
591
+# ServerPort: Default upstream configuration is to run dspam daemon on port
592
+# 24. On Debian, dspam being run as a unprivileged user, default port is
593
+# set to 2424.
594
+#
595
+#ServerHost		127.0.0.1
596
+#ServerPort		2424
597
+#ServerQueueSize	32
598
+#ServerPID		/var/run/dspam/dspam.pid
599
+
600
+#
601
+# ServerMode specifies the type of LMTP server to start. This can be one of:
602
+#     dspam: DSPAM-proprietary DLMTP server, for communicating with dspamc
603
+#  standard: Standard LMTP server, for communicating with Postfix or other MTA
604
+#      auto: Speak both DLMTP and LMTP; auto-detect by ServerPass.IDENT
605
+#
606
+#ServerMode dspam
607
+
608
+# If supporting DLMTP (dspam) mode, dspam clients will require authentication
609
+# as they will be passing in parameters. The idents below will be used to
610
+# determine which clients will be speaking DLMTP, so if you will be using
611
+# both LMTP and DLMTP from the same host, be sure to use something other
612
+# than the server's hostname below (which will be sent by the MTA during a
613
+# standard LMTP LHLO).
614
+#
615
+#ServerPass.Relay1	"secret"
616
+#ServerPass.Relay2	"password"
617
+
618
+# If supporting standard LMTP mode, server parameters will need to be specified
619
+# here, as they will not be passed in by the mail server. The ServerIdent
620
+# specifies the 250 response code ident sent back to connecting clients and
621
+# should be set to the hostname of your server, or an alias.
622
+#
623
+# NOTE: If you specify --user in ServerParameters, the RCPT TO will be
624
+#       used only for delivery, and not set as the active user for processing.
625
+#
626
+#ServerParameters	"--deliver=innocent -d %u"
627
+#ServerIdent		"localhost.localdomain"
628
+
629
+# If you wish to use a local domain socket instead of a TCP socket, uncomment
630
+# the following. It is strongly recommended you use local domain sockets if
631
+# you are running the client and server on the same machine, as it eliminates
632
+# much of the bandwidth overhead.
633
+#
634
+ServerDomainSocketPath	"/var/run/dspam/dspam.sock"
635
+
636
+#
637
+# Client Mode: If you are running DSPAM in client/server mode, uncomment and
638
+# set these variables. A ClientHost beginning with a / will be treated as
639
+# a domain socket.
640
+#
641
+#ClientHost	/var/run/dspam/dspam.sock
642
+#ClientIdent	"secret@Relay1"
643
+#
644
+#ClientHost	127.0.0.1
645
+#ClientPort	2424
646
+#ClientIdent	"secret@Relay1"
647
+
648
+# --- RABL ---
649
+
650
+# RABLQueue: Touch files in the RABL queue
651
+# If you are a reporting streamlined blackhole list participant, you can
652
+# touch ip addresses within the directory the rabl_client process is watching.
653
+#
654
+#RABLQueue	/var/spool/rabl
655
+
656
+# ---  ---
657
+
658
+# DataSource: If you are using any type of data source that does not include
659
+# email-like headers (such as documents), uncomment the line below. This
660
+# will cause the entire input to be treated like a message "body"
661
+#
662
+#DataSource document
663
+
664
+# ProcessorWordFrequency: By default, words are only counted once per message.
665
+# If you are classifying large documents, however, you may wish to count once
666
+# per occurrence instead.
667
+#
668
+#ProcessorWordFrequency occurrence
669
+
670
+# ProcessorURLContext: By default, a URL context is generated for URLs, which
671
+# records their tokens as separate from words found in documents. To use
672
+# URL tokens in the same context as words, turn this feature off.
673
+#
674
+ProcessorURLContext on
675
+
676
+# ProcessorBias: Bias causes the filter to lean more toward 'innocent', and
677
+# usually greatly reduces false positives. It is the default behavior of
678
+# most Bayesian filters (including dspam).
679
+#
680
+# NOTE: You probably DONT want this if you're using Markovian Weighting, unless
681
+# you are paranoid about false positives.
682
+#
683
+ProcessorBias on
684
+
685
+# StripRcptDomain: Cut the domain (including the at sign) from recipients.
686
+# This is particularly useful if the recipient name is equal to real user
687
+# accounts as recipients with domains tend to cause permission issues with
688
+# dspam-web.
689
+#
690
+StripRcptDomain off
691
+
692
+# --- Split Configuration File Support ---
693
+
694
+# Include a directory with configuration items.
695
+Include /etc/dspam/dspam.d/
696
+
697
+# ---  ---
698
+
699
+## EOF

+ 18
- 0
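--- a/roles/mailserver/files/etc_opendkim.conf
+++ b/roles/mailserver/files/etc_opendkim.conf
@@ -0,0 +1,18 @@
+##
+## opendkim.conf -- configuration file for OpenDKIM filter
+##
+Canonicalization        relaxed/relaxed
+ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
+InternalHosts           refile:/etc/opendkim/TrustedHosts
+KeyTable                refile:/etc/opendkim/KeyTable
+LogWhy                  Yes
+MinimumKeyBits          1024
+Mode                    sv
+PidFile                 /var/run/opendkim/opendkim.pid
+SigningTable            refile:/etc/opendkim/SigningTable
+Socket                  inet:8891@localhost
+Syslog                  Yes
+SyslogSuccess           Yes
+TemporaryDirectory      /var/tmp
+UMask                   022
+UserID                  opendkim:opendkim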
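Review bot: The signer never oversigns `From:`, so a message signed by this configuration can have a second `From:` header prepended downstream and still verify (the header-addition weakness RFC 6376 §8.15 warns about); add `OversignHeaders From` (deployments commonly oversign `To,Subject` as well). Feeding the same `TrustedHosts` file to both `InternalHosts` and `ExternalIgnoreList` means every entry in it both skips verification and gets signed, which is fine for loopback but deserves a one-line comment so nobody later adds a relay to it without realising it becomes a signing source.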

+ 1
- 0
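--- a/roles/mailserver/files/etc_postfix_dspam_filter_access
+++ b/roles/mailserver/files/etc_postfix_dspam_filter_access
@@ -0,0 +1 @@
+/./   FILTER dspam:unix:/run/dspam/dspam.sock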
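Review bot: The nexthop in `FILTER dspam:unix:/run/dspam/dspam.sock` is dead weight as long as `dspam` is the pipe(8) service defined in master.cf, because pipe only consults the nexthop when `$nexthop` appears in its `argv`, and that service never references it; the socket path would only matter with an `lmtp:` transport and `ServerMode standard` in dspam.conf, which is not what this tree configures. Either drop it (`/./   FILTER dspam:`) or add a comment stating which of the two delivery paths is intended so the next reader does not assume LMTP is in play. Note also that `/./` matches every client; if this map is consulted from a restriction list that also covers the authenticated `smtps` service (main.cf is not visible here), outbound mail will be run through dspam as well.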

+ 131
- 0
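--- a/roles/mailserver/files/etc_postfix_master.cf
+++ b/roles/mailserver/files/etc_postfix_master.cf
@@ -0,0 +1,131 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp       inet  n       -       -       -       -       smtpd
+#smtp      inet  n       -       -       -       1       postscreen
+#smtpd     pass  -       -       -       -       -       smtpd
+#dnsblog   unix  -       -       -       -       0       dnsblog
+#tlsproxy  unix  -       -       -       -       0       tlsproxy
+#submission inet  n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#   -o smtpd_sasl_auth_enable=yes
+#   -o smtpd_enforce_tls=yes
+#  -o smtpd_etrn_restrictions=reject
+#   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+
+# SMTP over SSL on port 465.
+smtps     inet  n       -       -       -       -       smtpd
+  -o syslog_name=postfix/smtps
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_tls_auth_only=yes
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
+  -o smtpd_sasl_security_options=noanonymous,noplaintext
+  -o smtpd_sasl_tls_security_options=noanonymous
+
+
+#628       inet  n       -       -       -       -       qmqpd
+pickup    fifo  n       -       -       60      1       pickup
+cleanup   unix  n       -       -       -       0       cleanup
+qmgr      fifo  n       -       n       300     1       qmgr
+#qmgr     fifo  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       -       1000?   1       tlsmgr
+rewrite   unix  -       -       -       -       -       trivial-rewrite
+bounce    unix  -       -       -       -       0       bounce
+defer     unix  -       -       -       -       0       bounce
+trace     unix  -       -       -       -       0       bounce
+verify    unix  -       -       -       -       1       verify
+flush     unix  n       -       -       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       -       -       -       smtp
+relay     unix  -       -       -       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       -       -       -       showq
+error     unix  -       -       -       -       -       error
+retry     unix  -       -       -       -       -       error
+discard   unix  -       -       -       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       -       -       -       lmtp
+anvil     unix  -       -       -       -       1       anvil
+scache    unix  -       -       -       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+# spam protection
+dspam     unix  -       n       n       -       10      pipe
+  flags=Ru user=dspam argv=/usr/bin/dspam --deliver=innocent,spam --user $recipient -i -f $sender -- $recipient
+dovecot   unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}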
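Review bot: On the live `smtps` service, `smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject` still admits unauthenticated clients for any local or relay domain, so port 465 accepts inbound mail much like port 25 but under this override rather than whatever main.cf enforces (main.cf is not visible here). For an authentication-only port the usual form is `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` together with `-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject`, so inbound-only policy is never evaluated on the submission port at all. The `dspam` pipe service hands the bare `$recipient` to `--user`, which with `StripRcptDomain off` in dspam.conf is the full address — fine if the user store is keyed that way, but a one-line `# dspam users are full addresses (StripRcptDomain off)` comment would save the next reader a trip through dspam.conf.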

+ 1625
- 0
roles/mailserver/files/etc_solr_conf_solrconfig.xml
File diff suppressed because it is too large


+ 153
- 0
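--- a/roles/mailserver/files/etc_tomcat6_server.xml
+++ b/roles/mailserver/files/etc_tomcat6_server.xml
@@ -0,0 +1,153 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!-- Note:  A "Server" is not itself a "Container", so you may not
+     define subcomponents such as "Valves" at this level.
+     Documentation at /docs/config/server.html
+ -->
+<Server port="8005" shutdown="SHUTDOWN">
+
+  <!--APR library loader. Documentation at /docs/apr.html -->
+  <!--
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  -->
+  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+  <Listener className="org.apache.catalina.core.JasperListener" />
+  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
+  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+
+  <!-- Global JNDI resources
+       Documentation at /docs/jndi-resources-howto.html
+  -->
+  <GlobalNamingResources>
+    <!-- Editable user database that can also be used by
+         UserDatabaseRealm to authenticate users
+    -->
+    <Resource name="UserDatabase" auth="Container"
+              type="org.apache.catalina.UserDatabase"
+              description="User database that can be updated and saved"
+              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+              pathname="conf/tomcat-users.xml" />
+  </GlobalNamingResources>
+
+  <!-- A "Service" is a collection of one or more "Connectors" that share
+       a single "Container" Note:  A "Service" is not itself a "Container", 
+       so you may not define subcomponents such as "Valves" at this level.
+       Documentation at /docs/config/service.html
+   -->
+  <Service name="Catalina">
+  
+    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+    <!--
+    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" 
+        maxThreads="150" minSpareThreads="4"/>
+    -->
+    
+    
+    <!-- A "Connector" represents an endpoint by which requests are received
+         and responses are returned. Documentation at :
+         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+         Java AJP  Connector: /docs/config/ajp.html
+         APR (HTTP/AJP) Connector: /docs/apr.html
+         Define a non-SSL HTTP/1.1 Connector on port 8080
+    -->
+    <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1" 
+               connectionTimeout="20000" 
+               URIEncoding="UTF-8"
+               redirectPort="8443" />
+    <!-- A "Connector" using the shared thread pool-->
+    <!--
+    <Connector executor="tomcatThreadPool"
+               port="8080" protocol="HTTP/1.1" 
+               connectionTimeout="20000" 
+               redirectPort="8443" />
+    -->           
+    <!-- Define a SSL HTTP/1.1 Connector on port 8443
+         This connector uses the JSSE configuration, when using APR, the 
+         connector should be using the OpenSSL style configuration
+         described in the APR documentation -->
+    <!--
+    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+               maxThreads="150" scheme="https" secure="true"
+               clientAuth="false" sslProtocol="TLS" />
+    -->
+
+    <!-- Define an AJP 1.3 Connector on port 8009 -->
+    <!--
+    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
+    -->
+
+
+    <!-- An Engine represents the entry point (within Catalina) that processes
+         every request.  The Engine implementation for Tomcat stand alone
+         analyzes the HTTP headers included with the request, and passes them
+         on to the appropriate Host (virtual host).
+         Documentation at /docs/config/engine.html -->
+
+    <!-- You should set jvmRoute to support load-balancing via AJP ie :
+    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">         
+    --> 
+    <Engine name="Catalina" defaultHost="localhost">
+
+      <!--For clustering, please take a look at documentation at:
+          /docs/cluster-howto.html  (simple how to)
+          /docs/config/cluster.html (reference documentation) -->
+      <!--
+      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+      -->        
+
+      <!-- The request dumper valve dumps useful debugging information about
+           the request and response data received and sent by Tomcat.
+           Documentation at: /docs/config/valve.html -->
+      <!--
+      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
+      -->
+
+      <!-- This Realm uses the UserDatabase configured in the global JNDI
+           resources under the key "UserDatabase".  Any edits
+           that are performed against this UserDatabase are immediately
+           available for use by the Realm.  -->
+      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+             resourceName="UserDatabase"/>
+
+      <!-- Define the default virtual host
+           Note: XML Schema validation will not work with Xerces 2.2.
+       -->
+      <Host name="localhost"  appBase="webapps"
+            unpackWARs="true" autoDeploy="true"
+            xmlValidation="false" xmlNamespaceAware="false">
+
+        <!-- SingleSignOn valve, share authentication between web applications
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+        -->
+
+        <!-- Access log processes all example.
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
+               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
+        -->
+
+      </Host>
+    </Engine>
+  </Service>
+</Server>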
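Review bot: The shutdown listener is left at its stock value, `<Server port="8005" shutdown="SHUTDOWN">`, so any local process able to connect to the loopback shutdown port can stop the Solr instance by sending the well-known string — on a host that runs mail-delivery pipes as `vmail` and `dspam`, that is a cheap local denial of service against full-text search. Set `port="-1"` to disable the listener (confirm the tomcat6 init script stops the JVM by signal rather than through this port) or at least replace `shutdown` with a random secret. Binding the HTTP connector to `address="127.0.0.1"` is the right call given Solr has no authentication of its own, but `autoDeploy="true"` on the host means anything dropped into `webapps` is deployed live; `autoDeploy="false"` fits a single-purpose Solr box better.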

+ 59
- 0
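--- a/roles/mailserver/files/solr-schema.xml
+++ b/roles/mailserver/files/solr-schema.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<!--
+For fts-solr:
+
+This is the Solr schema file, place it into solr/conf/schema.xml. You may
+want to modify the tokenizers and filters.
+-->
+<schema name="dovecot" version="1.4">
+  <types>
+    <!-- IMAP has 32bit unsigned ints but java ints are signed, so use longs -->
+    <fieldType name="string" class="solr.StrField" omitNorms="true"/>
+    <fieldType name="long" class="solr.LongField" omitNorms="true"/>
+    <fieldType name="slong" class="solr.SortableLongField" omitNorms="true"/>
+    <fieldType name="float" class="solr.FloatField" omitNorms="true"/>
+    <fieldType name="boolean" class="solr.BoolField" omitNorms="true"/>
+
+    <fieldType name="text" class="solr.TextField" positionIncrementGap="100">
+      <analyzer type="index">
+        <tokenizer class="solr.WhitespaceTokenizerFactory"/>
+        <filter class="solr.StopFilterFactory" ignoreCase="true" words="stopwords.txt"/>
+        <filter class="solr.WordDelimiterFilterFactory" generateWordParts="1" generateNumberParts="1" catenateWords="1" catenateNumbers="1" catenateAll="0"/>
+        <filter class="solr.LowerCaseFilterFactory"/>
+        <filter class="solr.EnglishPorterFilterFactory" protected="protwords.txt"/>
+        <filter class="solr.RemoveDuplicatesTokenFilterFactory"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer class="solr.WhitespaceTokenizerFactory"/>
+        <filter class="solr.SynonymFilterFactory" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter class="solr.StopFilterFactory" ignoreCase="true" words="stopwords.txt"/>
+        <filter class="solr.WordDelimiterFilterFactory" generateWordParts="1" generateNumberParts="1" catenateWords="0" catenateNumbers="0" catenateAll="0"/>
+        <filter class="solr.LowerCaseFilterFactory"/>
+        <filter class="solr.EnglishPorterFilterFactory" protected="protwords.txt"/>
+        <filter class="solr.RemoveDuplicatesTokenFilterFactory"/>
+      </analyzer>
+    </fieldType>
+ </types>
+
+
+ <fields>
+   <field name="id" type="string" indexed="true" stored="true" required="true" />
+   <field name="uid" type="slong" indexed="true" stored="true" required="true" />
+   <field name="box" type="string" indexed="true" stored="true" required="true" />
+   <field name="user" type="string" indexed="true" stored="true" required="true" />
+
+   <field name="hdr" type="text" indexed="true" stored="false" />
+   <field name="body" type="text" indexed="true" stored="false" />
+
+   <field name="from" type="text" indexed="true" stored="false" />
+   <field name="to" type="text" indexed="true" stored="false" />
+   <field name="cc" type="text" indexed="true" stored="false" />
+   <field name="bcc" type="text" indexed="true" stored="false" />
+   <field name="subject" type="text" indexed="true" stored="false" />
+ </fields>
+
+ <uniqueKey>id</uniqueKey>
+ <defaultSearchField>body</defaultSearchField>
+ <solrQueryParser defaultOperator="AND" />
+</schema>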
+</schema>

+ 11
- 0
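--- a/roles/mailserver/handlers/main.yml
+++ b/roles/mailserver/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: restart postfix
+  service: name=postfix state=restarted
+
+- name: restart dovecot
+  service: name=dovecot state=restarted
+
+- name: restart opendkim
+  service: name=opendkim state=restarted
+
+- name: restart solr
+  service: name=tomcat6 state=restarted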
+  service: name=tomcat6 state=restarted

+ 34
- 0
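--- a/roles/mailserver/tasks/dovecot.yml
+++ b/roles/mailserver/tasks/dovecot.yml
@@ -0,0 +1,34 @@
+- name: Install Dovecot and related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - dovecot-core
+    - dovecot-imapd
+    - mysql-server
+    - dovecot-mysql
+    - dovecot-lmtpd
+
+- name: Create vmail group
+  group: name=vmail state=present gid=5000
+
+- name: Create vmail user
+  user: name=vmail group=vmail state=present uid=5000 home=/decrypted-mail
+
+- name: Ensure mail directories are in place
+  file: state=directory path=/decrypted-mail/${item.name}/${item.primary_user} owner=vmail group=dovecot
+  with_items:
+    - ${mail_virtual_domains}
+
+- name: Put Dovecot configuration files in place
+  copy: src=etc_dovecot_dovecot.conf dest=/etc/dovecot/dovecot.conf
+- copy: src=etc_dovecot_conf.d_10-mail.conf dest=/etc/dovecot/conf.d/10-mail.conf
+- copy: src=etc_dovecot_conf.d_10-auth.conf dest=/etc/dovecot/conf.d/10-auth.conf
+- copy: src=etc_dovecot_conf.d_auth-sql.conf.ext dest=/etc/dovecot/conf.d/auth-sql.conf.ext
+- copy: src=etc_dovecot_conf.d_10-master.conf dest=/etc/dovecot/conf.d/10-master.conf
+- copy: src=etc_dovecot_conf.d_10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf
+- template: src=etc_dovecot_conf.d_15-lda.conf.j2 dest=/etc/dovecot/conf.d/15-lda.conf
+- template: src=etc_dovecot_dovecot-sql.conf.ext.j2 dest=/etc/dovecot/dovecot-sql.conf.ext
+
+- name: Ensure correct permissions on Dovecot config directory
+  shell: chown -R vmail:dovecot /etc/dovecot
+- shell: chmod -R o-rwx /etc/dovecot
+  notify: restart dovecot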
+  notify: restart dovecot

+ 23
- 0
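--- a/roles/mailserver/tasks/dspam.yml
+++ b/roles/mailserver/tasks/dspam.yml
@@ -0,0 +1,23 @@
+- name: Install dspam and related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - dspam
+    - dovecot-antispam
+    - postfix-pcre
+    - dovecot-sieve
+
+- name: Create dspam directory 
+  file: state=directory path=/decrypted-mail/dspam group=dspam owner=dspam
+
+- name: Put dspam configuration files in place
+  copy: src=etc_dspam_default.prefs dest=/etc/dspam/default.prefs owner=dspam group=dspam
+- copy: src=etc_dspam_dspam.conf dest=/etc/dspam/dspam.conf owner=dspam group=dspam
+- copy: src=etc_postfix_dspam_filter_access dest=/etc/postfix/dspam_filter_access owner=root group=root
+- copy: src=etc_dovecot_conf.d_20-imap.conf dest=/etc/dovecot/conf.d/20-imap.conf owner=vmail group=dovecot
+- copy: src=etc_dovecot_conf.d_90-plugin.conf dest=/etc/dovecot/conf.d/90-plugin.conf owner=vmail group=dovecot
+- copy: src=dot_dovecot.sieve dest=/decrypted-mail/${item.name}/${item.primary_user}/.dovecot.sieve owner=vmail group=dovecot
+  with_items:
+    - ${mail_virtual_domains}
+  notify:
+    - restart postfix
+    - restart dovecot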
+    - restart dovecot
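Review bot: The `notify` at the bottom is attached only to the last task (the per-domain sieve copy), so a change to dspam.conf, default.prefs, 20-imap.conf or 90-plugin.conf does not restart Dovecot or Postfix unless the sieve file happens to change in the same run; Ansible handlers fire only for the task that names them. Adding `notify: restart dovecot` to the two `/etc/dovecot/conf.d` copies and `notify: restart postfix` to the dspam_filter_access copy closes that gap. There is no `restart dspam` handler in this role, so a changed dspam.conf appears to rely on a manual restart, which deserves a comment. Separately, the copies set owner/group but no `mode`, so the files land with the umask default; if dspam.conf carries database credentials (not visible here) it should be 0640 or tighter.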

+ 5
- 0
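--- a/roles/mailserver/tasks/main.yml
+++ b/roles/mailserver/tasks/main.yml
@@ -0,0 +1,5 @@
+- include: postfix.yml tags=postfix
+- include: dovecot.yml tags=dovecot
+- include: opendkim.yml tags=opendkim
+- include: dspam.yml tags=dspam
+- include: solr.yml tags=solr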

+ 34
- 0
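--- a/roles/mailserver/tasks/opendkim.yml
+++ b/roles/mailserver/tasks/opendkim.yml
@@ -0,0 +1,34 @@
+---
+# Handy reference: http://stevejenkins.com/blog/2010/09/how-to-get-dkim-domainkeys-identified-mail-working-on-centos-5-5-and-postfix-using-opendkim/
+
+- name: Install OpenDKIM and related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - opendkim
+    - opendkim-tools
+
+- name: Create OpenDKIM config directory 
+  file: state=directory path=/etc/opendkim group=opendkim owner=opendkim
+
+- name: Create OpenDKIM key directories
+  file: state=directory path=/etc/opendkim/keys/${item.name} group=opendkim owner=opendkim
+  with_items:
+    - ${mail_virtual_domains}
+
+- name: Generate OpenDKIM keys
+  command: opendkim-genkey -r -d ${item.name} -D /etc/opendkim/keys/${item.name}/ creates=/etc/opendkim/keys/${item.name}/default.private
+  with_items:
+    - ${mail_virtual_domains}
+
+- name: Put OpenDKIM configuration files into place
+  template: src=etc_opendkim_KeyTable.j2 dest=/etc/opendkim/KeyTable owner=opendkim group=opendkim
+- template: src=etc_opendkim_SigningTable.j2 dest=/etc/opendkim/SigningTable owner=opendkim group=opendkim
+- template: src=etc_opendkim_TrustedHosts.j2 dest=/etc/opendkim/TrustedHosts owner=opendkim group=opendkim
+- copy: src=etc_opendkim.conf dest=/etc/opendkim.conf owner=opendkim group=opendkim
+
+- name: Set OpenDKIM config directory permissions
+  command: chmod -R go-rwx /etc/opendkim
+- command: chown -R opendkim:opendkim /etc/opendkim
+  notify:
+    - restart opendkim
+    - restart postfix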
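Review bot: The `opendkim-genkey` call on the Generate OpenDKIM keys task passes no `-b`, so the key size is whatever the installed version defaults to (1024 bits on the OpenDKIM releases of this period; check `opendkim-genkey -h`), and because the task is guarded by `creates=` that size is frozen for the life of the deployment. Generate 2048-bit keys from the start: `command: opendkim-genkey -r -b 2048 -d ${item.name} -D /etc/opendkim/keys/${item.name}/ creates=/etc/opendkim/keys/${item.name}/default.private`. The public-key TXT record that opendkim-genkey writes next to the private key (default.txt) is never surfaced by the playbook; a `register`/`debug` step or a comment telling the operator to publish it would save a confused first deploy. Last, `/etc/opendkim.conf` is copied with owner=opendkim, which lets the milter's own service account rewrite its configuration; root:root with a readable mode is the safer default unless the file holds secrets.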

+ 27
- 0
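--- a/roles/mailserver/tasks/postfix.yml
+++ b/roles/mailserver/tasks/postfix.yml
@@ -0,0 +1,27 @@
+- name: Install Postfix and related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - postfix
+    - mysql-server
+    - postfix-mysql
+    - python-mysqldb
+    - libsasl2-modules
+    - sasl2-bin
+    - postgrey
+
+- name: Create database user for mail server
+  mysql_user: user={{ mail_mysql_username }} password={{ mail_mysql_password }} state=present priv="mailserver.*:ALL"
+
+- name: Create database for mail server
+  mysql_db: name={{ mail_mysql_database }} state=present
+
+  # i don't know why this import is failing but it is, so did this manually
+  # mysql_db: name={{ mail_mysql_database }} state=import target=templates/mailserver.sql.j2
+
+- name: Copy Postfix config files into place
+  template: src=etc_postfix_main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root
+- copy: src=etc_postfix_master.cf dest=/etc/postfix/master.cf owner=root group=root
+- template: src=etc_postfix_mysql-virtual-mailbox-domains.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-domains.cf owner=root group=root
+- template: src=etc_postfix_mysql-virtual-mailbox-maps.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-maps.cf owner=root group=root
+- template: src=etc_postfix_mysql-virtual-alias-maps.cf.j2 dest=/etc/postfix/mysql-virtual-alias-maps.cf owner=root group=root
+  notify: restart postfix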
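Review bot: The three mysql-virtual-*.cf templates embed `mail_mysql_password` but are written with owner=root group=root and no `mode`, so they come out with the umask default (typically 0644) and any local user can read the database password. Give them `group=postfix mode=0640`, e.g. `template: src=etc_postfix_mysql-virtual-mailbox-maps.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-maps.cf owner=root group=postfix mode=0640`, and likewise for the other two. The grant on the Create database user task also hard-codes `mailserver` instead of `{{ mail_mysql_database }}`, and `ALL` is broader than the lookups need: every query in this role's templates is a SELECT, so `priv="{{ mail_mysql_database }}.*:SELECT"` would do unless the dspam configuration (not in this chunk) writes through the same account. The `mysql_user` task supplies no login credentials, so it silently depends on a passwordless local root or a ~/.my.cnf on the target; a comment stating that would help the next person who runs it.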

+ 16
- 0
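--- a/roles/mailserver/tasks/solr.yml
+++ b/roles/mailserver/tasks/solr.yml
@@ -0,0 +1,16 @@
+- name: Install Solr and related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - solr-tomcat
+    - dovecot-solr
+
+- name: Work around Debian bug and copy Solr schema file into place
+  copy: src=solr-schema.xml dest=/etc/solr/conf/schema.xml group=root owner=root
+
+- name: Copy tweaked Solr/Tomcat config files into place
+  copy: src=etc_tomcat6_server.xml dest=/etc/tomcat6/server.xml group=tomcat6 owner=root
+- copy: src=etc_solr_conf_solrconfig.xml dest=/etc/solr/conf/solrconfig.xml group=root owner=root
+
+- name: Create Solr index directory
+  file: state=directory path=/decrypted-mail/solr group=tomcat6 owner=tomcat6
+  notify: restart solr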
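Review bot: The schema.xml, server.xml and solrconfig.xml copies carry no `notify`, so only the index-directory task (which changes exactly once) triggers `restart solr`; later edits to any of those files never restart Tomcat and the running Solr keeps the old configuration. Adding `notify: restart solr` to each of the three copies fixes that. Since this index is built from the decrypted mail store and stock Solr on Tomcat ships without authentication, whether it is reachable from outside the host depends entirely on the copied server.xml (not in this chunk) binding to 127.0.0.1 and on the firewall role; a comment stating which of the two is relied on would be worth having.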

+ 48
- 0
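--- a/roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2
+++ b/roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2
@@ -0,0 +1,48 @@
+##
+## LDA specific settings (also used by LMTP)
+##
+
+# Address to use when sending rejection mails.
+# Default is postmaster@<your domain>.
+postmaster_address = postmaster@syntax.cc
+
+# Hostname to use in various parts of sent mails, eg. in Message-Id.
+# Default is the system's real hostname.
+hostname = {{ mail_server_hostname }}
+
+# If user is over quota, return with temporary failure instead of
+# bouncing the mail.
+#quota_full_tempfail = no
+
+# Binary to use for sending mails.
+#sendmail_path = /usr/sbin/sendmail
+
+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
+#submission_host =
+
+# Subject: header to use for rejection mails. You can use the same variables
+# as for rejection_reason below.
+#rejection_subject = Rejected: %s
+
+# Human readable error message for rejection mails. You can use variables:
+#  %n = CRLF, %r = reason, %s = original subject, %t = recipient
+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
+
+# Delimiter character between local-part and detail in email address.
+#recipient_delimiter = +
+
+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this. 
+# A commonly used header for this is X-Original-To.
+#lda_original_recipient_header =
+
+# Should saving a mail to a nonexistent mailbox automatically create it?
+#lda_mailbox_autocreate = no
+
+# Should automatically created mailboxes be also automatically subscribed?
+#lda_mailbox_autosubscribe = no
+
+protocol lda {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  #mail_plugins = $mail_plugins
+}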
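Review bot: `postmaster_address = postmaster@syntax.cc` is a hard-coded personal domain in a template whose other site-specific value (`hostname`) is taken from `mail_server_hostname`, so every other deployer sends Dovecot rejection notices from a domain they do not control. Either drop the line so the documented default of postmaster@<your domain> applies, or template it: `postmaster_address = postmaster@{{ mail_virtual_domains[0].name }}` (or a dedicated `mail_postmaster_address` variable alongside the others in vars/main.yml).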

+ 138
- 0
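--- a/roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2
+++ b/roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2
@@ -0,0 +1,138 @@
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# http://wiki2.dovecot.org/AuthDatabase/SQL
+#
+# For the sql passdb module, you'll need a database with a table that
+# contains fields for at least the username and password. If you want to
+# use the user@domain syntax, you might want to have a separate domain
+# field as well.
+#
+# If your users all have the same uig/gid, and have predictable home
+# directories, you can use the static userdb module to generate the home
+# dir based on the username and domain. In this case, you won't need fields
+# for home, uid, or gid in the database.
+#
+# If you prefer to use the sql userdb module, you'll want to add fields
+# for home, uid, and gid. Here is an example table:
+#
+# CREATE TABLE users (
+#     username VARCHAR(128) NOT NULL,
+#     domain VARCHAR(128) NOT NULL,
+#     password VARCHAR(64) NOT NULL,
+#     home VARCHAR(255) NOT NULL,
+#     uid INTEGER NOT NULL,
+#     gid INTEGER NOT NULL,
+#     active CHAR(1) DEFAULT 'Y' NOT NULL
+# );
+
+# Database driver: mysql, pgsql, sqlite
+driver = mysql
+
+# Database connection string. This is driver-specific setting.
+#
+# HA / round-robin load-balancing is supported by giving multiple host
+# settings, like: host=sql1.host.org host=sql2.host.org
+#
+# pgsql:
+#   For available options, see the PostgreSQL documention for the
+#   PQconnectdb function of libpq.
+#   Use maxconns=n (default 5) to change how many connections Dovecot can
+#   create to pgsql.
+#
+# mysql:
+#   Basic options emulate PostgreSQL option names:
+#     host, port, user, password, dbname
+#
+#   But also adds some new settings:
+#     client_flags        - See MySQL manual
+#     ssl_ca, ssl_ca_path - Set either one or both to enable SSL
+#     ssl_cert, ssl_key   - For sending client-side certificates to server
+#     ssl_cipher          - Set minimum allowed cipher security (default: HIGH)
+#     option_file         - Read options from the given file instead of
+#                           the default my.cnf location
+#     option_group        - Read options from the given group (default: client)
+# 
+#   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
+#   Note that currently you can't use spaces in parameters.
+#
+# sqlite:
+#   The path to the database file.
+#
+# Examples:
+#   connect = host=192.168.1.1 dbname=users
+#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
+#   connect = /etc/dovecot/authdb.sqlite
+#
+connect = host=127.0.0.1 dbname={{ mail_mysql_database }} user={{ mail_mysql_username }} password={{ mail_mysql_password }}
+
+# Default password scheme.
+#
+# List of supported schemes is in
+# http://wiki2.dovecot.org/Authentication/PasswordSchemes
+#
+default_pass_scheme = SHA512-CRYPT
+
+# passdb query to retrieve the password. It can return fields:
+#   password - The user's password. This field must be returned.
+#   user - user@domain from the database. Needed with case-insensitive lookups.
+#   username and domain - An alternative way to represent the "user" field.
+#
+# The "user" field is often necessary with case-insensitive lookups to avoid
+# e.g. "name" and "nAme" logins creating two different mail directories. If
+# your user and domain names are in separate fields, you can return "username"
+# and "domain" fields instead of "user".
+#
+# The query can also return other fields which have a special meaning, see
+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
+#
+# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
+# for full list):
+#   %u = entire user@domain
+#   %n = user part of user@domain
+#   %d = domain part of user@domain
+# 
+# Note that these can be used only as input to SQL query. If the query outputs
+# any of these substitutions, they're not touched. Otherwise it would be
+# difficult to have eg. usernames containing '%' characters.
+#
+# Example:
+#   password_query = SELECT userid AS user, pw AS password \
+#     FROM users WHERE userid = '%u' AND active = 'Y'
+#
+#password_query = \
+#  SELECT username, domain, password \
+#  FROM users WHERE username = '%n' AND domain = '%d'
+
+password_query = SELECT email AS user, password FROM virtual_users WHERE email = '%u';
+
+# userdb query to retrieve the user information. It can return fields:
+#   uid - System UID (overrides mail_uid setting)
+#   gid - System GID (overrides mail_gid setting)
+#   home - Home directory
+#   mail - Mail location (overrides mail_location setting)
+#
+# None of these are strictly required. If you use a single UID and GID, and
+# home or mail directory fits to a template string, you could use userdb static
+# instead. For a list of all fields that can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+#
+# Examples:
+#   user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
+#   user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
+#   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
+#
+#user_query = \
+#  SELECT home, uid, gid \
+#  FROM users WHERE username = '%n' AND domain = '%d'
+
+# If you wish to avoid two SQL lookups (passdb + userdb), you can use
+# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
+# also have to return userdb fields in password_query prefixed with "userdb_"
+# string. For example:
+#password_query = \
+#  SELECT userid AS user, password, \
+#    home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
+#  FROM users WHERE userid = '%u'
+
+# Query to get a list of all usernames.
+#iterate_query = SELECT username AS user FROM users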

+ 3
- 0
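--- a/roles/mailserver/templates/etc_opendkim_KeyTable.j2
+++ b/roles/mailserver/templates/etc_opendkim_KeyTable.j2
@@ -0,0 +1,3 @@
+{% for domain in mail_virtual_domains %}
+default._domainkey.{{ domain.name }} {{ domain.name }}:default:/etc/opendkim/keys/{{ domain.name}}/default.private
+{% endfor %}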

+ 3
- 0
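--- a/roles/mailserver/templates/etc_opendkim_SigningTable.j2
+++ b/roles/mailserver/templates/etc_opendkim_SigningTable.j2
@@ -0,0 +1,3 @@
+{% for domain in mail_virtual_domains %}
+*@{{ domain.name }} default._domainkey.{{ domain.name }}
+{% endfor %}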
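Review bot: The `*@{{ domain.name }}` keys are wildcard patterns, which OpenDKIM honours only when the table is declared as a regular-expression file (`SigningTable refile:/etc/opendkim/SigningTable`) in opendkim.conf; with a plain `SigningTable /etc/opendkim/SigningTable` the literal key `*@example.com` matches nothing and outbound mail leaves unsigned without any error. The opendkim.conf this role copies is not in this chunk, so please confirm it uses `refile:`. A one-line comment at the top of this template, `# requires "SigningTable refile:" in opendkim.conf`, would document the dependency.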

+ 8
- 0
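--- a/roles/mailserver/templates/etc_opendkim_TrustedHosts.j2
+++ b/roles/mailserver/templates/etc_opendkim_TrustedHosts.j2
@@ -0,0 +1,8 @@
+127.0.0.1
+# TODO add your server's IP and DNS hosts
+{% for domain in mail_virtual_domains %}
+{{ domain.name }}
+{% endfor %}
+{% for domain in mail_virtual_domains %}
+mail.{{ domain.name }}
+{% endfor %}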
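Review bot: The first loop emits bare `{{ domain.name }}` lines, but entries in this file are matched against the connecting client's hostname or address, so `example.com` only matches a client literally named `example.com`; if the intent is to trust every host under the domain, the leading-dot form `.{{ domain.name }}` is what OpenDKIM expects, and it would also subsume the `mail.` loop. The `# TODO add your server's IP` comment is left for hand editing, yet the template overwrites the file on every run; emitting `{{ ansible_default_ipv4.address }}` (or a role variable) removes that trap. Hosts listed here have their mail signed rather than verified, so the list should stay limited to machines you control.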

+ 108
- 0
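--- a/roles/mailserver/templates/etc_postfix_main.cf.j2
+++ b/roles/mailserver/templates/etc_postfix_main.cf.j2
@@ -0,0 +1,108 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Modified as per http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
+ 
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+ 
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+ 
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+ 
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+ 
+readme_directory = no
+
+# antispam
+smtpd_helo_required = yes
+smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
+smtpd_sender_restrictions = reject_unknown_address
+disable_vrfy_command = yes
+strict_rfc821_envelopes = yes
+invalid_hostname_reject_code = 554
+multi_recipient_bounce_reject_code = 554
+non_fqdn_reject_code = 554
+relay_domains_reject_code = 554
+unknown_address_reject_code = 554
+unknown_client_reject_code = 554
+unknown_hostname_reject_code = 554
+unknown_local_recipient_reject_code = 554
+unknown_relay_recipient_reject_code = 554
+unknown_virtual_alias_reject_code = 554
+unknown_virtual_mailbox_reject_code = 554
+unverified_recipient_reject_code = 554
+unverified_sender_reject_code = 554
+ 
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/wildcard_public_cert.crt
+smtpd_tls_key_file=/etc/ssl/private/wildcard_private.key
+smtpd_use_tls=yes
+#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtpd_tls_auth_only = yes
+smtp_tls_security_level = may
+smtp_tls_loglevel = 2
+smtpd_tls_received_header = yes
+smtp_tls_note_starttls_offer = yes
+
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+smtpd_sasl_security_options = noanonymous
+
+smtpd_recipient_restrictions =
+  permit_sasl_authenticated,
+  permit_mynetworks,
+  reject_unauth_pipelining,
+  reject_unauth_destination,
+  reject_invalid_hostname,
+  reject_non_fqdn_hostname,
+  reject_non_fqdn_recipient,
+  reject_unknown_recipient_domain,
+  reject_rbl_client multihop.dsbl.org,
+  reject_rbl_client zen.spamhaus.org,
+  reject_rbl_client cbl.abuseat.org,
+  reject_rbl_client bl.spamcop.net,
+  reject_rbl_client dnsbl.sorbs.net,
+  reject_rbl_client all.spamrats.com=127.0.0.36,
+  reject_rbl_client all.spamrats.com=127.0.0.38,
+  reject_rbl_client dnsbl.ahbl.org,
+  check_policy_service inet:127.0.0.1:10023,
+  permit
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+ 
+myhostname = {{ mail_server_hostname }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = localhost
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+#mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+# dovecot mysql
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
+virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
+virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
+local_recipient_maps = $virtual_mailbox_maps
+
+# OpenDKIM
+smtpd_milters = inet:127.0.0.1:8891
+non_smtpd_milters = $smtpd_milters
+milter_default_action = accept
+
+# new settings for dspam: only scan one mail at a time, localhost doesn't get scanned, everything else does
+dspam_destination_recipient_limit = 1
+smtpd_client_restrictions =
+  permit_sasl_authenticated
+  check_client_access pcre:/etc/postfix/dspam_filter_access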
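Review bot: `reject_rbl_client multihop.dsbl.org` in smtpd_recipient_restrictions references a DNSBL that has been defunct for years (DSBL closed around 2009), and a dead list is a liability rather than dead weight: if its domain lapses and is re-registered with a wildcard A record, every connecting client suddenly matches and all inbound mail is rejected. Remove it and keep the remaining lists under periodic review (dnsbl.sorbs.net in particular is known for broad listings). In the TLS block, `smtpd_use_tls=yes` is the legacy spelling and nothing constrains protocol versions; I would replace it with `smtpd_tls_security_level = may` and add `smtpd_tls_protocols = !SSLv2,!SSLv3` (mirrored in `smtpd_tls_mandatory_protocols`). `milter_default_action = accept` means mail passes unsigned and unverified whenever OpenDKIM is down, which is a defensible availability choice but deserves a comment saying so.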

+ 5
- 0
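--- a/roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j2
+++ b/roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_mysql_username }}
+password = {{ mail_mysql_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_mysql_database }}
+query = SELECT destination FROM virtual_aliases WHERE source='%s'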

+ 5
- 0
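--- a/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j2
+++ b/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_mysql_username }}
+password = {{ mail_mysql_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_mysql_database }}
+query = SELECT 1 FROM virtual_domains WHERE name='%s'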

+ 5
- 0
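--- a/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j2
+++ b/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_mysql_username }}
+password = {{ mail_mysql_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_mysql_database }}
+query = SELECT 1 FROM virtual_users WHERE email='%s'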

+ 36
- 0
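--- a/roles/mailserver/templates/mailserver.sql.j2
+++ b/roles/mailserver/templates/mailserver.sql.j2
@@ -0,0 +1,36 @@
+CREATE TABLE `virtual_domains` (
+	`id` int(11) NOT NULL auto_increment,
+	`name` varchar(50) NOT NULL,
+	PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `virtual_users` (
+	`id` int(11) NOT NULL auto_increment,
+	`domain_id` int(11) NOT NULL,
+	`password` varchar(106) NOT NULL,
+	`email` varchar(100) NOT NULL,
+	PRIMARY KEY (`id`),
+	UNIQUE KEY `email` (`email`),
+	FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `virtual_aliases` (
+	`id` int(11) NOT NULL auto_increment,
+	`domain_id` int(11) NOT NULL,
+	`source` varchar(100) NOT NULL,
+	`destination` varchar(100) NOT NULL,
+	PRIMARY KEY (`id`),
+	FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+{% for virtual_domain in mail_virtual_domains %}
+	INSERT INTO `mailserver`.`virtual_domains` (`id`, `name`)
+	VALUES
+		('{{ virtual_domain.pk_id }}', '{{ virtual_domain.name }}');
+{% endfor %}
+
+{% for virtual_user in mail_virtual_users %}
+	INSERT INTO `mailserver`.`virtual_users`  (`domain_id`, `password` , `email`)
+	VALUES
+  	('{{ virtual_domain.domain_pk_id }}', '{{ virtual_user.password_hash }}', '{{ virtual_user.address }}');
+{% endfor %}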
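Review bot: The second loop (the virtual_users INSERT) reads `virtual_domain.domain_pk_id`, but `virtual_domain` is the loop variable of the first, already-closed `{% for %}` block and is not in scope here; with Jinja2's default Undefined it renders as an empty string, yielding `('', '<hash>', '<address>')` and a failed NOT NULL/foreign-key insert, which is plausibly the import failure commented out in postfix.yml. The field lives on each user entry in vars/main.yml as `domain_pk_id`, so the line should read `('{{ virtual_user.domain_pk_id }}', '{{ virtual_user.password_hash }}', '{{ virtual_user.address }}');`. The INSERT statements also hard-code the `mailserver` schema name while the rest of the role takes it from `mail_mysql_database`; `{{ mail_mysql_database }}` keeps the two in step. Values are interpolated into SQL without escaping, which is acceptable only because they come from the operator's own vars file; a comment saying so would stop someone later feeding it external input.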

+ 19
- 0
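--- a/roles/mailserver/vars/main.yml
+++ b/roles/mailserver/vars/main.yml
@@ -0,0 +1,19 @@
+---
+mail_server_hostname: mail.TODO.com
+mail_mysql_username: mailuser
+mail_mysql_password: TODO
+mail_mysql_database: mailserver
+mail_virtual_domains:
+  - name: TODO
+    pk_id: 1
+    primary_user: TODO
+  - name: TODO
+    pk_id: 2
+    primary_user: TODO
+mail_virtual_users:
+  - address: TODO@TODO.com
+    password_hash: TODO
+    domain_pk_id: 1
+  - address: TODO@TODO.com
+    password_hash: TODO@TODO.com
+    domain_pk_id: 2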
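Review bot: `password_hash: TODO@TODO.com` on the second user looks like a pasted address rather than a hash placeholder; since dovecot-sql.conf.ext sets `default_pass_scheme = SHA512-CRYPT`, each `password_hash` must be the output of `doveadm pw -s SHA512-CRYPT` (a `$6$...` string), and anything else here simply never authenticates. A comment above `mail_virtual_users` stating that requirement would prevent the mistake. `mail_mysql_password` is a live secret sitting in a vars file next to everything else; keep it out of the repository (a vault-encrypted vars file or a host-specific file outside VCS) and treat the TODO as a reminder to generate a long random value, because this role writes it into several config files whose mode is not set.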

+ 8
- 0
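--- a/roles/monitoring/files/etc_monit_conf.d_apache2
+++ b/roles/monitoring/files/etc_monit_conf.d_apache2
@@ -0,0 +1,8 @@
+check process apache2 with pidfile /var/run/apache2.pid
+  group www
+  start program = "/etc/init.d/apache2 start"
+  stop program = "/etc/init.d/apache2 stop"
+  if failed host localhost port 80 protocol http
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout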

+ 6
- 0
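--- a/roles/monitoring/files/etc_monit_conf.d_dovecot
+++ b/roles/monitoring/files/etc_monit_conf.d_dovecot
@@ -0,0 +1,6 @@
+check process dovecot with pidfile /var/run/dovecot/master.pid
+  group mail
+  start program = "/etc/init.d/dovecot start"
+  stop program = "/etc/init.d/dovecot stop"
+  if failed port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
+  if 3 restarts within 5 cycles then timeout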

+ 6
- 0
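--- a/roles/monitoring/files/etc_monit_conf.d_mysql
+++ b/roles/monitoring/files/etc_monit_conf.d_mysql
@@ -0,0 +1,6 @@
+check process mysqld with pidfile /var/run/mysqld/mysqld.pid
+  group database
+  start program = "/etc/init.d/mysql start"
+  stop program = "/etc/init.d/mysql stop"
+  if failed host localhost port 3306 protocol mysql then restart
+  if 5 restarts within 5 cycles then timeout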

+ 6
- 0
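--- a/roles/monitoring/files/etc_monit_conf.d_postfix
+++ b/roles/monitoring/files/etc_monit_conf.d_postfix
@@ -0,0 +1,6 @@
+check process postfix with pidfile /var/spool/postfix/pid/master.pid
+  group mail
+  start program = "/etc/init.d/postfix start"
+  stop  program = "/etc/init.d/postfix stop"
+  if failed port 25 protocol smtp then restart
+  if 5 restarts within 5 cycles then timeout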

+ 5
- 0
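--- a/roles/monitoring/files/etc_monit_conf.d_sshd
+++ b/roles/monitoring/files/etc_monit_conf.d_sshd
@@ -0,0 +1,5 @@
+check process sshd with pidfile /var/run/sshd.pid
+  start program "/etc/init.d/ssh start"
+  stop program "/etc/init.d/ssh stop"
+  if failed host 127.0.0.1 port 22 protocol ssh then restart
+  if 5 restarts within 5 cycles then timeout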

+ 8
- 0
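--- a/roles/monitoring/files/etc_monit_conf.d_tomcat
+++ b/roles/monitoring/files/etc_monit_conf.d_tomcat
@@ -0,0 +1,8 @@
+check process tomcat with pidfile "/var/run/tomcat6.pid"
+  group mail
+  start program = "/etc/init.d/tomcat6 start"
+  as uid6 tomcat gid tomcat6
+  stop program = "/etc/init.d/tomcat6 stop"
+  as uid6 tomcat gid tomcat6
+  if failed port 8080 then alert
+  if failed port 8080 for 5 cycles then restart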
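Review bot: `as uid6 tomcat gid tomcat6` (on both the start and stop lines) is a typo — the keyword is `uid` and the user is `tomcat6` — and monit rejects its whole configuration on a syntax error in any included file, so this one file would keep monit from starting at all. The intended form is `as uid tomcat6 gid tomcat6`, but the sibling checks in this directory run their init scripts as root and let the script drop privileges itself, and `/etc/init.d/tomcat6 start` presumably needs root to write /var/run/tomcat6.pid, so the simplest consistent fix is to delete both `as uid ...` lines. `group mail` is also carried over from the mail checks although this is the search indexer; a separate group name would make `monit -g` selections less surprising.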

+ 8
- 0
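--- a/roles/monitoring/files/etc_monit_conf.d_znc
+++ b/roles/monitoring/files/etc_monit_conf.d_znc
@@ -0,0 +1,8 @@
+check process znc with pidfile /var/run/znc/znc.pid
+  group irc
+  start program = "/etc/init.d/znc start"
+  stop program = "/etc/init.d/znc stop"
+  if failed host localhost port 6697 type tcpSSL protocol http
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout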

+ 250
- 0
roles/monitoring/files/etc_monit_monitrc View File

@@ -0,0 +1,250 @@
1
+###############################################################################
2
+## Monit control file
3
+###############################################################################
4
+##
5
+## Comments begin with a '#' and extend through the end of the line. Keywords
6
+## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
7
+##
8
+## Below you will find examples of some frequently used statements. For 
9
+## information about the control file and a complete list of statements and 
10
+## options, please have a look in the Monit manual.
11
+##
12
+##
13
+###############################################################################
14
+## Global section
15
+###############################################################################
16
+##
17
+## Start Monit in the background (run as a daemon):
18
+#
19
+  set daemon 120            # check services at 2-minute intervals
20
+#   with start delay 240    # optional: delay the first check by 4-minutes (by 
21
+#                           # default Monit check immediately after Monit start)
22
+#
23
+#
24
+## Set syslog logging with the 'daemon' facility. If the FACILITY option is
25
+## omitted, Monit will use 'user' facility by default. If you want to log to 
26
+## a standalone log file instead, specify the full path to the log file
27
+#
28
+# set logfile syslog facility log_daemon                       
29
+  set logfile /var/log/monit.log
30
+#
31
+#
32
+## Set the location of the Monit id file which stores the unique id for the
33
+## Monit instance. The id is generated and stored on first Monit start. By 
34
+## default the file is placed in $HOME/.monit.id.
35
+#
36
+# set idfile /var/.monit.id
37
+  set idfile /var/lib/monit/id
38
+#
39
+## Set the location of the Monit state file which saves monitoring states
40
+## on each cycle. By default the file is placed in $HOME/.monit.state. If
41
+## the state file is stored on a persistent filesystem, Monit will recover
42
+## the monitoring state across reboots. If it is on temporary filesystem, the
43
+## state will be lost on reboot which may be convenient in some situations.
44
+#
45
+  set statefile /var/lib/monit/state
46
+#
47
+## Set the list of mail servers for alert delivery. Multiple servers may be 
48
+## specified using a comma separator. If the first mail server fails, Monit 
49
+# will use the second mail server in the list and so on. By default Monit uses 
50
+# port 25 - it is possible to override this with the PORT option.
51
+#
52
+# set mailserver mail.bar.baz,               # primary mailserver
53
+#                backup.bar.baz port 10025,  # backup mailserver on port 10025
54
+#                localhost                   # fallback relay
55
+#
56
+
57
+set mailserver localhost
58
+
59
+## By default Monit will drop alert events if no mail servers are available. 
60
+## If you want to keep the alerts for later delivery retry, you can use the 
61
+## EVENTQUEUE statement. The base directory where undelivered alerts will be 
62
+## stored is specified by the BASEDIR option. You can limit the maximal queue
63
+## size using the SLOTS option (if omitted, the queue is limited by space 
64
+## available in the back end filesystem).
65
+#
66
+  set eventqueue
67
+      basedir /var/lib/monit/events # set the base directory where events will be stored
68
+      slots 100                     # optionally limit the queue size
69
+#
70
+#
71
+## Send status and events to M/Monit (for more informations about M/Monit 
72
+## see http://mmonit.com/). By default Monit registers credentials with 
73
+## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
74
+## have to register Monit credentials manually in M/Monit. It is possible to
75
+## disable credential registration using the commented out option below. 
76
+## Though, if safety is a concern we recommend instead using https when
77
+## communicating with M/Monit and send credentials encrypted.
78
+#
79
+# set mmonit http://monit:monit@192.168.1.10:8080/collector
80
+#     # and register without credentials     # Don't register credentials
81
+#
82
+#
83
+## Monit by default uses the following format for alerts if the the mail-format
84
+## statement is missing::
85
+## --8<--
86
+## set mail-format {
87
+##      from: monit@$HOST
88
+##   subject: monit alert --  $EVENT $SERVICE
89
+##   message: $EVENT Service $SERVICE
90
+##                 Date:        $DATE
91
+##                 Action:      $ACTION
92
+##                 Host:        $HOST
93
+##                 Description: $DESCRIPTION
94
+##
95
+##            Your faithful employee,
96
+##            Monit
97
+## }
98
+## --8<--
99
+##
100
+## You can override this message format or parts of it, such as subject
101
+## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
102
+## are expanded at runtime. For example, to override the sender, use:
103
+#
104
+# set mail-format { from: monit@foo.bar }
105
+#
106
+#
107
+## You can set alert recipients whom will receive alerts if/when a 
108
+## service defined in this file has errors. Alerts may be restricted on 
109
+## events by using a filter as in the second example below. 
110
+#
111
+# set alert sysadm@foo.bar                       # receive all alerts
112
+# set alert manager@foo.bar only on { timeout }  # receive just service-
113
+#                                                # timeout alert
114
+#
115
+#
116
+## Monit has an embedded web server which can be used to view status of 
117
+## services monitored and manage services from a web interface. See the
118
+## Monit Wiki if you want to enable SSL for the web server. 
119
+#
120
+# set httpd port 2812 and
121
+#     use address localhost  # only accept connection from localhost
122
+#     allow localhost        # allow localhost to connect to the server and
123
+#    allow admin:monit      # require user 'admin' with password 'monit'
124
+#    allow @monit           # allow users of group 'monit' to connect (rw)
125
+#    allow @users readonly  # allow users of group 'users' to connect readonly
126
+#
127
+###############################################################################
128
+## Services
129
+###############################################################################
130
+##
131
+## Check general system resources such as load average, cpu and memory
132
+## usage. Each test specifies a resource, conditions and the action to be
133
+## performed should a test fail.
134
+#
135
+#  check system myhost.mydomain.tld
136
+#    if loadavg (1min) > 4 then alert
137
+#    if loadavg (5min) > 2 then alert
138
+#    if memory usage > 75% then alert
139
+#    if swap usage > 25% then alert
140
+#    if cpu usage (user) > 70% then alert
141
+#    if cpu usage (system) > 30% then alert
142
+#    if cpu usage (wait) > 20% then alert
143
+#
144
+#    
145
+## Check if a file exists, checksum, permissions, uid and gid. In addition
146
+## to alert recipients in the global section, customized alert can be sent to 
147
+## additional recipients by specifying a local alert handler. The service may 
148
+## be grouped using the GROUP option. More than one group can be specified by
149
+## repeating the 'group name' statement.
150
+#    
151
+#  check file apache_bin with path /usr/local/apache/bin/httpd
152
+#    if failed checksum and 
153
+#       expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
154
+#    if failed permission 755 then unmonitor
155
+#    if failed uid root then unmonitor
156
+#    if failed gid root then unmonitor
157
+#    alert security@foo.bar on {
158
+#           checksum, permission, uid, gid, unmonitor
159
+#        } with the mail-format { subject: Alarm! }
160
+#    group server
161
+#
162
+#    
163
+## Check that a process is running, in this case Apache, and that it respond
164
+## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
165
+## and number of children. If the process is not running, Monit will restart 
166
+## it by default. In case the service is restarted very often and the 
167
+## problem remains, it is possible to disable monitoring using the TIMEOUT
168
+## statement. This service depends on another service (apache_bin) which
169
+## is defined above.
170
+#    
171
+#  check process apache with pidfile /usr/local/apache/logs/httpd.pid
172
+#    start program = "/etc/init.d/httpd start" with timeout 60 seconds
173
+#    stop program  = "/etc/init.d/httpd stop"
174
+#    if cpu > 60% for 2 cycles then alert
175
+#    if cpu > 80% for 5 cycles then restart
176
+#    if totalmem > 200.0 MB for 5 cycles then restart
177
+#    if children > 250 then restart
178
+#    if loadavg(5min) greater than 10 for 8 cycles then stop
179
+#    if failed host www.tildeslash.com port 80 protocol http 
180
+#       and request "/somefile.html"
181
+#       then restart
182
+#    if failed port 443 type tcpssl protocol http
183
+#       with timeout 15 seconds
184
+#       then restart
185
+#    if 3 restarts within 5 cycles then timeout
186
+#    depends on apache_bin
187
+#    group server
188
+#    
189
+#    
190
+## Check filesystem permissions, uid, gid, space and inode usage. Other services,
191
+## such as databases, may depend on this resource and an automatically graceful
192
+## stop may be cascaded to them before the filesystem will become full and data
193
+## lost.
194
+#
195
+#  check filesystem datafs with path /dev/sdb1
196
+#    start program  = "/bin/mount /data"
197
+#    stop program  = "/bin/umount /data"
198
+#    if failed permission 660 then unmonitor
199
+#    if failed uid root then unmonitor
200
+#    if failed gid disk then unmonitor
201
+#    if space usage > 80% for 5 times within 15 cycles then alert
202
+#    if space usage > 99% then stop
203
+#    if inode usage > 30000 then alert
204
+#    if inode usage > 99% then stop
205
+#    group server
206
+#
207
+#
208
+## Check a file's timestamp. In this example, we test if a file is older 
209
+## than 15 minutes and assume something is wrong if its not updated. Also,
210
+## if the file size exceed a given limit, execute a script
211
+#
212
+#  check file database with path /data/mydatabase.db
213
+#    if failed permission 700 then alert
214
+#    if failed uid data then alert
215
+#    if failed gid data then alert
216
+#    if timestamp > 15 minutes then alert
217
+#    if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
218
+#
219
+#
220
+## Check directory permission, uid and gid.  An event is triggered if the 
221
+## directory does not belong to the user with uid 0 and gid 0.  In addition, 
222
+## the permissions have to match the octal description of 755 (see chmod(1)).
223
+#
224
+#  check directory bin with path /bin
225
+#    if failed permission 755 then unmonitor
226
+#    if failed uid 0 then unmonitor
227
+#    if failed gid 0 then unmonitor
228
+#
229
+#
230
+## Check a remote host availability by issuing a ping test and check the 
231
+## content of a response from a web server. Up to three pings are sent and 
232
+## connection to a port and an application level network check is performed.
233
+#
234
+#  check host myserver with address 192.168.1.1
235
+#    if failed icmp type echo count 3 with timeout 3 seconds then alert
236
+#    if failed port 3306 protocol mysql with timeout 15 seconds then alert
237
+#    if failed url http://user:password@www.foo.bar:8080/?querystring
238
+#       and content == 'action="j_security_check"'
239
+#       then alert
240
+#
241
+#
242
+###############################################################################
243
+## Includes
244
+###############################################################################
245
+##
246
+## It is possible to include additional configuration parts from other files or
247
+## directories.
248
+#
249
+   include /etc/monit/conf.d/*
250
+

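--- a/roles/monitoring/handlers/main.yml
+++ b/roles/monitoring/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart monit
+  service: name=monit state=restarted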

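--- a/roles/monitoring/tasks/main.yml
+++ b/roles/monitoring/tasks/main.yml
@@ -0,0 +1 @@
+- include: monit.yml tags=monit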

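--- a/roles/monitoring/tasks/monit.yml
+++ b/roles/monitoring/tasks/monit.yml
@@ -0,0 +1,17 @@
+- name: Install monit
+  apt: pkg=monit state=installed
+
+- name: Copy monit master config file into place
+  copy: src=etc_monit_monitrc dest=/etc/monit/monitrc
+
+- name: Copy monit service config files into place
+  copy: src=etc_monit_conf.d_${item} dest=/etc/monit/conf.d/${item}
+  with_items:
+    - apache2
+    - dovecot
+    - mysql
+    - postfix
+    - sshd
+    - tomcat
+    - znc
+  notify: restart monit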
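Review bot: The "Copy monit master config file into place" task sets no owner or mode on /etc/monit/monitrc and does not notify the restart handler, so an edited monitrc is only picked up when the conf.d task happens to change as well. Monit also refuses to start when its control file is readable by group or others, so the copy should pin the permissions explicitly: `copy: src=etc_monit_monitrc dest=/etc/monit/monitrc owner=root group=root mode=0600` followed by `notify: restart monit`. Since monitrc is where the httpd `allow user:password` lines live, the 0600 mode also protects whatever credentials end up there; the conf.d files copied by the next task could carry the same `owner=root group=root mode=0600` for consistency.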

+ 0
- 0
roles/monitoring/vars/main.yml


+ 0
- 0
roles/owncloud/handlers/main.yml


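--- a/roles/owncloud/tasks/main.yml
+++ b/roles/owncloud/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+
+- include: owncloud.yml tags=owncloud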

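--- a/roles/owncloud/tasks/owncloud.yml
+++ b/roles/owncloud/tasks/owncloud.yml
@@ -0,0 +1,41 @@
+---
+# Installs the ownCloud personal cloud software
+# as per http://www.debiantutorials.com/how-to-install-owncloud-on-wheezy/
+
+- name: Create database user for ownCloud
+  mysql_user: user={{ owncloud_mysql_username }} password={{ owncloud_mysql_password }} state=present priv="owncloud.*:ALL"
+
+- name: Create database for ownCloud
+  mysql_db: name={{ owncloud_mysql_database }} state=present
+
+- name: Install ownCloud dependencies
+  apt: pkg=python-software-properties
+
+- name: Ensure repository key for ownCloud is in place
+  apt_key: url=http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/Release.key state=present
+
+- name: Add ownCloud OpenSuSE repository
+  apt_repository: repo='deb http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/ /'
+
+- name: Install ownCloud from OpenSuSE repository
+  apt: pkg=owncloud update_cache=yes
+
+- name: Store ownCloud data securely
+  command: mv /var/www/owncloud/data /decrypted-mail/owncloud-data creates=/decrypted-mail/owncloud-data
+- file: src=/decrypted-mail/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
+
+- name: Enable Apache module dependencies for ownCloud
+  command: a2enmod $item
+  with_items:
+    - rewrite
+    - headers
+  notify: restart apache
+
+- name: Configure the Apache HTTP server for ownCloud
+  template: src=etc_apache2_sites-available_owncloud.j2 dest=/etc/apache2/sites-available/owncloud group=www-data owner=www-data
+- command: a2ensite owncloud
+  notify: restart apache
+
+- name: Install ownCloud cronjob
+  cron: name="ownCloud" user="www-data" minute="*/5" job="php -f /var/www/owncloud/cron.php > /dev/null"
+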
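Review bot: The repository signing key in "Ensure repository key for ownCloud is in place" is fetched over plain http, and the repository added right after it is http as well, so anyone on the network path can substitute the key and then serve packages that the `apt: pkg=owncloud` task installs as root. Fetch the key over https and pin it with `apt_key`'s `id=` so a swapped key is rejected: `apt_key: url=https://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/Release.key id=<KEY-FINGERPRINT-PLACEHOLDER> state=present`. Separately, `command: a2enmod $item` and `command: a2ensite owncloud` run on every play and therefore restart Apache every run; adding `creates=/etc/apache2/mods-enabled/{{ item }}.load` and `creates=/etc/apache2/sites-enabled/owncloud` keeps them idempotent (the `.load` name assumes the Apache 2.2 layout this playbook targets — confirm on the host). The file also mixes `$item` with the `{{ item }}` style used in the mysql tasks; one form throughout would read better.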

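--- a/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
+++ b/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
@@ -0,0 +1,23 @@
+NameVirtualHost *:443
+
+<VirtualHost *:443>
+    ServerName {{ owncloud_domain }}
+
+    SSLEngine on
+    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
+
+    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
+    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
+    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+
+    DocumentRoot            /var/www/owncloud
+
+    ErrorLog                /var/log/apache2/owncloud.info-error_log
+    CustomLog               /var/log/apache2/owncloud.info-access_log common
+
+    <Directory /var/www/owncloud>
+        AllowOverride All
+        Order allow,deny
+        allow from all
+    </Directory>
+</VirtualHost>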
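Review bot: The `SSLCipherSuite` line is the legacy Apache sample string: it explicitly adds back `+LOW`, `+EXP` and `+SSLv2`, and there is no `SSLProtocol` directive restricting protocol versions, so a client can negotiate export-grade or RC4 ciphers and SSLv2/SSLv3 with this vhost. Replace it with a HIGH-only list and disable the obsolete protocols: `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4` and `SSLHonorCipherOrder on`. Since the vhost listens only on 443, nothing here redirects plain-http visitors to the TLS site; a minimal `*:80` vhost with a `Redirect permanent / https://{{ owncloud_domain }}/` would close that gap if one is not defined elsewhere.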

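--- a/roles/owncloud/vars/main.yml
+++ b/roles/owncloud/vars/main.yml
@@ -0,0 +1,4 @@
+owncloud_domain: cloud.TODO.com
+owncloud_mysql_username: owncloud
+owncloud_mysql_password: TODO
+owncloud_mysql_database: owncloud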
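Review bot: `owncloud_mysql_password` is a plaintext credential in a vars file tracked by git; once a real value replaces `TODO` it lands in the history of every clone. Keep the placeholder in the repo but source the real value from outside it (an encrypted vars file if the Ansible release in use supports ansible-vault, or a lookup at run time), and quote it so a value such as `0123` or `yes` is not retyped by YAML: `owncloud_mysql_password: "TODO"`. `owncloud_domain` follows the same placeholder pattern and is fine as a plain string.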

+ 626
- 0
roles/vpn/files/etc_dnsmasq.conf

@@ -0,0 +1,626 @@
1
+# Configuration file for dnsmasq.
2
+#
3
+# Format is one option per line, legal options are the same
4
+# as the long options legal on the command line. See
5
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
6
+
7
+# Listen on this specific port instead of the standard DNS port
8
+# (53). Setting this to zero completely disables DNS function,
9
+# leaving only DHCP and/or TFTP.
10
+#port=5353
11
+
12
+# The following two options make you a better netizen, since they
13
+# tell dnsmasq to filter out queries which the public DNS cannot
14
+# answer, and which load the servers (especially the root servers)
15
+# unnecessarily. If you have a dial-on-demand link they also stop
16
+# these requests from bringing up the link unnecessarily.
17
+
18
+# Never forward plain names (without a dot or domain part)
19
+domain-needed
20
+
21
+# Never forward addresses in the non-routed address spaces.
22
+bogus-priv
23
+
24
+
25
+# Uncomment this to filter useless windows-originated DNS requests
26
+# which can trigger dial-on-demand links needlessly.
27
+# Note that (amongst other things) this blocks all SRV requests,
28
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
29
+# This option only affects forwarding, SRV records originating for
30
+# dnsmasq (via srv-host= lines) are not suppressed by it.
31
+#filterwin2k
32
+
33
+# Change this line if you want dns to get its upstream servers from
34
+# somewhere other that /etc/resolv.conf
35
+#resolv-file=
36
+
37
+# By  default,  dnsmasq  will  send queries to any of the upstream
38
+# servers it knows about and tries to favour servers to are  known
39
+# to  be  up.  Uncommenting this forces dnsmasq to try each query
40
+# with  each  server  strictly  in  the  order  they   appear   in
41
+# /etc/resolv.conf
42
+#strict-order
43
+
44
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
45
+# file, getting its servers from this file instead (see below), then
46
+# uncomment this.
47
+#no-resolv
48
+
49
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
50
+# files for changes and re-read them then uncomment this.
51
+#no-poll
52
+
53
+# Add other name servers here, with domain specs if they are for
54
+# non-public domains.
55
+#server=/localnet/192.168.0.1
56
+
57
+# Example of routing PTR queries to nameservers: this will send all
58
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
59
+#server=/3.168.192.in-addr.arpa/10.1.2.3
60
+
61
+# Add local-only domains here, queries in these domains are answered
62
+# from /etc/hosts or DHCP only.
63
+#local=/localnet/
64
+
65
+# Add domains which you want to force to an IP address here.
66
+# The example below send any host in double-click.net to a local
67
+# web-server.
68
+#address=/double-click.net/127.0.0.1
69
+
70
+# --address (and --server) work with IPv6 addresses too.
71
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
72
+
73
+# You can control how dnsmasq talks to a server: this forces
74
+# queries to 10.1.2.3 to be routed via eth1
75
+# server=10.1.2.3@eth1
76
+
77
+# and this sets the source (ie local) address used to talk to
78
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
79
+# IP on the machine, obviously).
80
+# server=10.1.2.3@192.168.1.1#55
81
+
82
+# If you want dnsmasq to change uid and gid to something other
83
+# than the default, edit the following lines.
84
+#user=
85
+#group=
86
+
87
+# If you want dnsmasq to listen for DHCP and DNS requests only on
88
+# specified interfaces (and the loopback) give the name of the
89
+# interface (eg eth0) here.
90
+# Repeat the line for more than one interface.
91
+#interface=
92
+# Or you can specify which interface _not_ to listen on
93
+#except-interface=
94
+# Or which to listen on by address (remember to include 127.0.0.1 if
95
+# you use this.)
96
+#listen-address=
97
+listen-address=127.0.0.1,10.8.0.1
98
+
99
+# If you want dnsmasq to provide only DNS service on an interface,
100
+# configure it as shown above, and then use the following line to
101
+# disable DHCP and TFTP on it.
102
+#no-dhcp-interface=
103
+
104
+# On systems which support it, dnsmasq binds the wildcard address,
105
+# even when it is listening on only some interfaces. It then discards
106
+# requests that it shouldn't reply to. This has the advantage of
107
+# working even when interfaces come and go and change address. If you
108
+# want dnsmasq to really bind only the interfaces it is listening on,
109
+# uncomment this option. About the only time you may need this is when
110
+# running another nameserver on the same machine.
111
+bind-interfaces
112
+
113
+# If you don't want dnsmasq to read /etc/hosts, uncomment the
114
+# following line.
115
+#no-hosts
116
+# or if you want it to read another file, as well as /etc/hosts, use
117
+# this.
118
+#addn-hosts=/etc/banner_add_hosts
119
+
120
+# Set this (and domain: see below) if you want to have a domain
121
+# automatically added to simple names in a hosts-file.
122
+#expand-hosts
123
+
124
+# Set the domain for dnsmasq. this is optional, but if it is set, it
125
+# does the following things.
126
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
127
+#     as the domain part matches this setting.
128
+# 2) Sets the "domain" DHCP option thereby potentially setting the
129
+#    domain of all systems configured by DHCP
130
+# 3) Provides the domain part for "expand-hosts"
131
+#domain=thekelleys.org.uk
132
+
133
+# Set a different domain for a particular subnet
134
+#domain=wireless.thekelleys.org.uk,192.168.2.0/24
135
+
136
+# Same idea, but range rather then subnet
137
+#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
138
+
139
+# Uncomment this to enable the integrated DHCP server, you need
140
+# to supply the range of addresses available for lease and optionally
141
+# a lease time. If you have more than one network, you will need to
142
+# repeat this for each network on which you want to supply DHCP
143
+# service.
144
+#dhcp-range=192.168.0.50,192.168.0.150,12h
145
+
146
+# This is an example of a DHCP range where the netmask is given. This
147
+# is needed for networks we reach the dnsmasq DHCP server via a relay
148
+# agent. If you don't know what a DHCP relay agent is, you probably
149
+# don't need to worry about this.
150
+#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
151
+
152
+# This is an example of a DHCP range which sets a tag, so that
153
+# some DHCP options may be set only for this network.
154
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
155
+
156
+# Use this DHCP range only when the tag "green" is set.
157
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
158
+
159
+# Specify a subnet which can't be used for dynamic address allocation,
160
+# is available for hosts with matching --dhcp-host lines. Note that
161
+# dhcp-host declarations will be ignored unless there is a dhcp-range
162
+# of some type for the subnet in question.
163
+# In this case the netmask is implied (it comes from the network
164
+# configuration on the machine running dnsmasq) it is possible to give
165
+# an explicit netmask instead.
166
+#dhcp-range=192.168.0.0,static
167
+
168
+# Enable DHCPv6. Note that the prefix-length does not need to be specified
169
+# and defaults to 64 if missing/
170
+#dhcp-range=1234::2, 1234::500, 64, 12h
171
+
172
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
173
+#dhcp-range=1234::, ra-only 
174
+
175
+# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
176
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack 
177
+# hosts. Use the DHCPv4 lease to derive the name, network segment and 
178
+# MAC address and assume that the host will also have an
179
+# IPv6 address calculated using the SLAAC alogrithm.
180
+#dhcp-range=1234::, ra-names
181
+
182
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
183
+# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
184
+#dhcp-range=1234::, ra-only, 48h
185
+
186
+# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
187
+# so that clients can use SLAAC addresses as well as DHCP ones.
188
+#dhcp-range=1234::2, 1234::500, slaac
189
+
190
+# Do Router Advertisements and stateless DHCP for this subnet. Clients will
191
+# not get addresses from DHCP, but they will get other configuration information.
192
+# They will use SLAAC for addresses.
193
+#dhcp-range=1234::, ra-stateless
194
+
195
+# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
196
+# from DHCPv4 leases.
197
+#dhcp-range=1234::, ra-stateless, ra-names
198
+
199
+# Do router advertisements for all subnets where we're doing DHCPv6
200
+# Unless overriden by ra-stateless, ra-names, et al, the router 
201
+# advertisements will have the M and O bits set, so that the clients
202
+# get addresses and configuration from DHCPv6, and the A bit reset, so the 
203
+# clients don't use SLAAC addresses.
204
+#enable-ra
205
+
206
+# Supply parameters for specified hosts using DHCP. There are lots
207
+# of valid alternatives, so we will give examples of each. Note that
208
+# IP addresses DO NOT have to be in the range given above, they just
209
+# need to be on the same network. The order of the parameters in these
210
+# do not matter, it's permissible to give name, address and MAC in any
211
+# order.
212
+
213
+# Always allocate the host with Ethernet address 11:22:33:44:55:66
214
+# The IP address 192.168.0.60
215
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
216
+
217
+# Always set the name of the host with hardware address
218
+# 11:22:33:44:55:66 to be "fred"
219
+#dhcp-host=11:22:33:44:55:66,fred
220
+
221
+# Always give the host with Ethernet address 11:22:33:44:55:66
222
+# the name fred and IP address 192.168.0.60 and lease time 45 minutes
223
+#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
224
+
225
+# Give a host with Ethernet address 11:22:33:44:55:66 or
226
+# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
227
+# that these two Ethernet interfaces will never be in use at the same
228
+# time, and give the IP address to the second, even if it is already
229
+# in use by the first. Useful for laptops with wired and wireless
230
+# addresses.
231
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
232
+
233
+# Give the machine which says its name is "bert" IP address
234
+# 192.168.0.70 and an infinite lease
235
+#dhcp-host=bert,192.168.0.70,infinite
236
+
237
+# Always give the host with client identifier 01:02:02:04
238
+# the IP address 192.168.0.60
239
+#dhcp-host=id:01:02:02:04,192.168.0.60
240
+
241
+# Always give the host with client identifier "marjorie"
242
+# the IP address 192.168.0.60
243
+#dhcp-host=id:marjorie,192.168.0.60
244
+
245
+# Enable the address given for "judge" in /etc/hosts
246
+# to be given to a machine presenting the name "judge" when
247
+# it asks for a DHCP lease.
248
+#dhcp-host=judge
249
+
250
+# Never offer DHCP service to a machine whose Ethernet
251
+# address is 11:22:33:44:55:66
252
+#dhcp-host=11:22:33:44:55:66,ignore
253
+
254
+# Ignore any client-id presented by the machine with Ethernet
255
+# address 11:22:33:44:55:66. This is useful to prevent a machine
256
+# being treated differently when running under different OS's or
257
+# between PXE boot and OS boot.
258
+#dhcp-host=11:22:33:44:55:66,id:*
259
+
260
+# Send extra options which are tagged as "red" to
261
+# the machine with Ethernet address 11:22:33:44:55:66
262
+#dhcp-host=11:22:33:44:55:66,set:red
263
+
264
+# Send extra options which are tagged as "red" to
265
+# any machine with Ethernet address starting 11:22:33:
266
+#dhcp-host=11:22:33:*:*:*,set:red
267
+
268
+# Give a fixed IPv6 address and name to client with 
269
+# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
270
+# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
271
+# Note also the they [] around the IPv6 address are obilgatory.
272
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] 
273
+
274
+# Ignore any clients which are not specified in dhcp-host lines
275
+# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
276
+# This relies on the special "known" tag which is set when
277
+# a host is matched.
278
+#dhcp-ignore=tag:!known
279
+
280
+# Send extra options which are tagged as "red" to any machine whose
281
+# DHCP vendorclass string includes the substring "Linux"
282
+#dhcp-vendorclass=set:red,Linux
283
+
284
+# Send extra options which are tagged as "red" to any machine one
285
+# of whose DHCP userclass strings includes the substring "accounts"
286
+#dhcp-userclass=set:red,accounts
287
+
288
+# Send extra options which are tagged as "red" to any machine whose
289
+# MAC address matches the pattern.
290
+#dhcp-mac=set:red,00:60:8C:*:*:*
291
+
292
+# If this line is uncommented, dnsmasq will read /etc/ethers and act
293
+# on the ethernet-address/IP pairs found there just as if they had
294
+# been given as --dhcp-host options. Useful if you keep
295
+# MAC-address/host mappings there for other purposes.
296
+#read-ethers
297
+
298
+# Send options to hosts which ask for a DHCP lease.
299
+# See RFC 2132 for details of available options.
300
+# Common options can be given to dnsmasq by name:
301
+# run "dnsmasq --help dhcp" to get a list.
302
+# Note that all the common settings, such as netmask and
303
+# broadcast address, DNS server and default route, are given
304
+# sane defaults by dnsmasq. You very likely will not need
305
+# any dhcp-options. If you use Windows clients and Samba, there
306
+# are some options which are recommended, they are detailed at the
307
+# end of this section.
308
+
309
+# Override the default route supplied by dnsmasq, which assumes the
310
+# router is the same machine as the one running dnsmasq.
311
+#dhcp-option=3,1.2.3.4
312
+
313
+# Do the same thing, but using the option name
314
+#dhcp-option=option:router,1.2.3.4
315
+
316
+# Override the default route supplied by dnsmasq and send no default
317
+# route at all. Note that this only works for the options sent by
318
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
319
+# for all other option numbers.
320
+#dhcp-option=3
321
+
322
+# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
323
+#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
324
+
325
+# Send DHCPv6 option. Note [] around IPv6 addresses.
326
+#dhcp-option=option6:dns-server,[1234::77],[1234::88]
327
+
328
+# Send DHCPv6 option for namservers as the machine running 
329
+# dnsmasq and another.
330
+#dhcp-option=option6:dns-server,[::],[1234::88]
331
+
332
+# Set the NTP time server address to be the same machine as
333
+# is running dnsmasq
334
+#dhcp-option=42,0.0.0.0
335
+
336
+# Set the NIS domain name to "welly"
337
+#dhcp-option=40,welly
338
+
339
+# Set the default time-to-live to 50
340
+#dhcp-option=23,50
341
+
342
+# Set the "all subnets are local" flag
343
+#dhcp-option=27,1
344
+
345
+# Send the etherboot magic flag and then etherboot options (a string).
346
+#dhcp-option=128,e4:45:74:68:00:00
347
+#dhcp-option=129,NIC=eepro100
348
+
349
+# Specify an option which will only be sent to the "red" network
350
+# (see dhcp-range for the declaration of the "red" network)
351
+# Note that the tag: part must precede the option: part.
352
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
353
+
354
+# The following DHCP options set up dnsmasq in the same way as is specified
355
+# for the ISC dhcpcd in
356
+# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
357
+# adapted for a typical dnsmasq installation where the host running
358
+# dnsmasq is also the host running samba.
359
+# you may want to uncomment some or all of them if you use
360
+# Windows clients and Samba.
361
+#dhcp-option=19,0           # option ip-forwarding off
362
+#dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
363
+#dhcp-option=45,0.0.0.0     # netbios datagram distribution server
364
+#dhcp-option=46,8           # netbios node type
365
+
366
+# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
367
+#dhcp-option=252,"\n"
368
+
369
+# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
370
+# probably doesn't support this......
371
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
372
+
373
+# Send RFC-3442 classless static routes (note the netmask encoding)
374
+#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
375
+
376
+# Send vendor-class specific options encapsulated in DHCP option 43.
377
+# The meaning of the options is defined by the vendor-class so
378
+# options are sent only when the client supplied vendor class
379
+# matches the class given here. (A substring match is OK, so "MSFT"
380
+# matches "MSFT" and "MSFT 5.0"). This example sets the
381
+# mtftp address to 0.0.0.0 for PXEClients.
382
+#dhcp-option=vendor:PXEClient,1,0.0.0.0
383
+
384
+# Send microsoft-specific option to tell windows to release the DHCP lease
385
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
386
+# value as a four-byte integer - that's what microsoft wants. See
387
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
388
+#dhcp-option=vendor:MSFT,2,1i
389
+
390
+# Send the Encapsulated-vendor-class ID needed by some configurations of
391
+# Etherboot to allow is to recognise the DHCP server.
392
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
393
+
394
+# Send options to PXELinux. Note that we need to send the options even
395
+# though they don't appear in the parameter request list, so we need
396
+# to use dhcp-option-force here.
397
+# See http://syslinux.zytor.com/pxe.php#special for details.
398
+# Magic number - needed before anything else is recognised
399
+#dhcp-option-force=208,f1:00:74:7e
400
+# Configuration file name
401
+#dhcp-option-force=209,configs/common
402
+# Path prefix
403
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
404
+# Reboot time. (Note 'i' to send 32-bit value)
405
+#dhcp-option-force=211,30i
406
+
407
+# Set the boot filename for netboot/PXE. You will only need
408
+# this is you want to boot machines over the network and you will need
409
+# a TFTP server; either dnsmasq's built in TFTP server or an
410
+# external one. (See below for how to enable the TFTP server.)
411
+#dhcp-boot=pxelinux.0
412
+
413
+# The same as above, but use custom tftp-server instead machine running dnsmasq
414
+#dhcp-boot=pxelinux,server.name,192.168.1.100
415
+
416
+# Boot for Etherboot gPXE. The idea is to send two different
417
+# filenames, the first loads gPXE, and the second tells gPXE what to
418
+# load. The dhcp-match sets the gpxe tag for requests from gPXE.
419
+#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
420
+#dhcp-boot=tag:!gpxe,undionly.kpxe
421
+#dhcp-boot=mybootimage
422
+
423
+# Encapsulated options for Etherboot gPXE. All the options are
424
+# encapsulated within option 175
425
+#dhcp-option=encap:175, 1, 5b         # priority code
426
+#dhcp-option=encap:175, 176, 1b       # no-proxydhcp
427
+#dhcp-option=encap:175, 177, string   # bus-id
428
+#dhcp-option=encap:175, 189, 1b       # BIOS drive code
429
+#dhcp-option=encap:175, 190, user     # iSCSI username
430
+#dhcp-option=encap:175, 191, pass     # iSCSI password
431
+
432
+# Test for the architecture of a netboot client. PXE clients are
433
+# supposed to send their architecture as option 93. (See RFC 4578)
434
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
435
+#dhcp-match=itanics, option:client-arch, 2 #IA64
436
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
437
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
438
+
439
+# Do real PXE, rather than just booting a single file, this is an
440
+# alternative to dhcp-boot.
441
+#pxe-prompt="What system shall I netboot?"
442
+# or with timeout before first available action is taken:
443
+#pxe-prompt="Press F8 for menu.", 60
444
+
445
+# Available boot services. for PXE.
446
+#pxe-service=x86PC, "Boot from local disk"
447
+
448
+# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
449
+#pxe-service=x86PC, "Install Linux", pxelinux
450
+
451
+# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
452
+# Beware this fails on old PXE ROMS.
453
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
454
+
455
+# Use bootserver on network, found my multicast or broadcast.
456
+#pxe-service=x86PC, "Install windows from RIS server", 1
457
+
458
+# Use bootserver at a known IP address.
459
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
460
+
461
+# If you have multicast-FTP available,
462
+# information for that can be passed in a similar way using options 1
463
+# to 5. See page 19 of
464
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
465
+
466
+
467
+# Enable dnsmasq's built-in TFTP server
468
+#enable-tftp
469
+
470
+# Set the root directory for files available via FTP.
471
+#tftp-root=/var/ftpd
472
+
473
+# Make the TFTP server more secure: with this set, only files owned by
474
+# the user dnsmasq is running as will be send over the net.
475
+#tftp-secure
476
+
477
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
478
+# transfers. It will slow things down, but may rescue some broken TFTP
479
+# clients.
480
+#tftp-no-blocksize
481
+
482
+# Set the boot file name only when the "red" tag is set.
483
+#dhcp-boot=net:red,pxelinux.red-net
484
+
485
+# An example of dhcp-boot with an external TFTP server: the name and IP
486
+# address of the server are given after the filename.
487
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
488
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
489
+
490
+# If there are multiple external tftp servers having a same name
491
+# (using /etc/hosts) then that name can be specified as the
492
+# tftp_servername (the third option to dhcp-boot) and in that
493
+# case dnsmasq resolves this name and returns the resultant IP
494
+# addresses in round robin fasion. This facility can be used to
495
+# load balance the tftp load among a set of servers.
496
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
497
+
498
+# Set the limit on DHCP leases, the default is 150
499
+#dhcp-lease-max=150
500
+
501
+# The DHCP server needs somewhere on disk to keep its lease database.
502
+# This defaults to a sane location, but if you want to change it, use
503
+# the line below.
504
+#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
505
+
506
+# Set the DHCP server to authoritative mode. In this mode it will barge in
507
+# and take over the lease for any client which broadcasts on the network,
508
+# whether it has a record of the lease or not. This avoids long timeouts
509
+# when a machine wakes up on a new network. DO NOT enable this if there's
510
+# the slightest chance that you might end up accidentally configuring a DHCP
511
+# server for your campus/company accidentally. The ISC server uses
512
+# the same option, and this URL provides more information:
513
+# http://www.isc.org/files/auth.html
514
+#dhcp-authoritative
515
+
516
+# Run an executable when a DHCP lease is created or destroyed.
517
+# The arguments sent to the script are "add" or "del",
518
+# then the MAC address, the IP address and finally the hostname
519
+# if there is one.
520
+#dhcp-script=/bin/echo
521
+
522
+# Set the cachesize here.
523
+#cache-size=150
524
+
525
+# If you want to disable negative caching, uncomment this.
526
+#no-negcache
527
+
528
+# Normally responses which come form /etc/hosts and the DHCP lease
529
+# file have Time-To-Live set as zero, which conventionally means
530
+# do not cache further. If you are happy to trade lower load on the
531
+# server for potentially stale date, you can set a time-to-live (in
532
+# seconds) here.
533
+#local-ttl=
534
+
535
+# If you want dnsmasq to detect attempts by Verisign to send queries
536
+# to unregistered .com and .net hosts to its sitefinder service and
537
+# have dnsmasq instead return the correct NXDOMAIN response, uncomment
538
+# this line. You can add similar lines to do the same for other
539
+# registries which have implemented wildcard A records.
540
+#bogus-nxdomain=64.94.110.11
541
+
542
+# If you want to fix up DNS results from upstream servers, use the
543
+# alias option. This only works for IPv4.
544
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
545
+#alias=1.2.3.4,5.6.7.8
546
+# and this maps 1.2.3.x to 5.6.7.x
547
+#alias=1.2.3.0,5.6.7.0,255.255.255.0
548
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
549
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
550
+
551
+# Change these lines if you want dnsmasq to serve MX records.
552
+
553
+# Return an MX record named "maildomain.com" with target
554
+# servermachine.com and preference 50
555
+#mx-host=maildomain.com,servermachine.com,50
556
+
557
+# Set the default target for MX records created using the localmx option.
558
+#mx-target=servermachine.com
559
+
560
+# Return an MX record pointing to the mx-target for all local
561
+# machines.
562
+#localmx
563
+
564
+# Return an MX record pointing to itself for all local machines.
565
+#selfmx
566
+
567
+# Change the following lines if you want dnsmasq to serve SRV
568
+# records.  These are useful if you want to serve ldap requests for
569
+# Active Directory and other windows-originated DNS requests.
570
+# See RFC 2782.
571
+# You may add multiple srv-host lines.
572
+# The fields are <name>,<target>,<port>,<priority>,<weight>
573
+# If the domain part if missing from the name (so that is just has the
574
+# service and protocol sections) then the domain given by the domain=
575
+# config option is used. (Note that expand-hosts does not need to be
576
+# set for this to work.)
577
+
578
+# A SRV record sending LDAP for the example.com domain to
579
+# ldapserver.example.com port 389
580
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
581
+
582
+# A SRV record sending LDAP for the example.com domain to
583
+# ldapserver.example.com port 389 (using domain=)
584
+#domain=example.com
585
+#srv-host=_ldap._tcp,ldapserver.example.com,389
586
+
587
+# Two SRV records for LDAP, each with different priorities
588
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
589
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
590
+
591
+# A SRV record indicating that there is no LDAP server for the domain
592
+# example.com
593
+#srv-host=_ldap._tcp.example.com
594
+
595
+# The following line shows how to make dnsmasq serve an arbitrary PTR
596
+# record. This is useful for DNS-SD. (Note that the
597
+# domain-name expansion done for SRV records _does_not
598
+# occur for PTR records.)
599
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
600
+
601
+# Change the following lines to enable dnsmasq to serve TXT records.
602
+# These are used for things like SPF and zeroconf. (Note that the
603
+# domain-name expansion done for SRV records _does_not
604
+# occur for TXT records.)
605
+
606
+#Example SPF.
607
+#txt-record=example.com,"v=spf1 a -all"
608
+
609
+#Example zeroconf
610
+#txt-record=_http._tcp.example.com,name=value,paper=A4
611
+
612
+# Provide an alias for a "local" DNS name. Note that this _only_ works
613
+# for targets which are names from DHCP or /etc/hosts. Give host
614
+# "bert" another name, bertrand
615
+#cname=bertand,bert
616
+
617
+# For debugging purposes, log each DNS query as it passes through
618
+# dnsmasq.
619
+#log-queries
620
+
621
+# Log lots of extra information about DHCP transactions.
622
+#log-dhcp
623
+
624
+# Include a another lot of configuration options.
625
+#conf-file=/etc/dnsmasq.more.conf
626
+#conf-dir=/etc/dnsmasq.d

+ 20
- 0
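--- a/roles/vpn/files/etc_rc.local
+++ b/roles/vpn/files/etc_rc.local
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+# 
+# rc.local
+# 
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+# 
+# In order to enable or disable this script just change the execution
+# bits.
+# 
+  
+iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
+iptables -A FORWARD -j REJECT
+iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+
+/etc/init.d/dnsmasq restart
+
+exit 0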
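Review bot: The iptables rules on lines 13–16 are appended with `-A` on every boot without flushing or checking for an existing rule, and the same four commands are run again by the "Allow OpenVPN through firewall" task in roles/vpn/tasks/openvpn.yml on every play, so the FORWARD and POSTROUTING chains accumulate duplicate entries over time. Where the target's iptables supports `-C`, guard each insert, e.g. `iptables -C FORWARD -s 10.8.0.0/24 -j ACCEPT 2>/dev/null || iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT`; otherwise write the rule set once to a file and load it with `iptables-restore`, which replaces rather than appends. The `eth0` name in the MASQUERADE rule is hard-coded, so on a host whose public interface is named differently VPN client traffic is forwarded but never NATed. A comment such as `# Re-applied at every boot; keep in sync with roles/vpn/tasks/openvpn.yml` above line 13 would at least document the duplication.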

+ 5
- 0
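--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart dnsmasq
+  service: name=dnsmasq state=restarted
+
+- name: restart openvpn
+  service: name=openvpn state=restarted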

+ 1
- 0
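--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -0,0 +1 @@
+- include: openvpn.yml tags=openvpn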

+ 63
- 0
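--- a/roles/vpn/tasks/openvpn.yml
+++ b/roles/vpn/tasks/openvpn.yml
@@ -0,0 +1,63 @@
+---
+# Installs the OpenVPN virtual private network server.
+# ref: https://library.linode.com/networking/openvpn/debian-6-squeeze
+
+- name: Install OpenVPN and dependencies from apt
+  apt: pkg=$item state=installed
+  with_items:
+    - openvpn
+    - udev
+    - dnsmasq
+
+- name: Copy setup scripts into place
+  command: cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
+
+- name: Put easy-rsa parameter settings in place
+  template: src=etc_openvpn_easy-rsa_2.0_vars.j2 dest=/etc/openvpn/easy-rsa/2.0/vars
+
+###### manually:
+# cd /etc/openvpn/easy-rsa/2.0/
+# . /etc/openvpn/easy-rsa/2.0/vars
+# . /etc/openvpn/easy-rsa/2.0/clean-all
+# . /etc/openvpn/easy-rsa/2.0/build-ca
+# . /etc/openvpn/easy-rsa/2.0/build-key-server server
+#
+# for each client:
+# . /etc/openvpn/easy-rsa/2.0/build-key $client_name
+#####
+
+- name: Generate Diffie-Hellman parameters
+  command: . /etc/openvpn/easy-rsa/2.0/build-dh creates=/etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
+
+- name: Copy certificates and key files into place
+  command: cp /etc/openvpn/easy-rsa/2.0/keys/$item /etc/openvpn creates=/etc/openvpn/$item
+  with_items:
+    - ca.crt
+    - ca.key
+    - dh1024.pem
+    - server.crt
+    - server.key
+
+- name: Copy rc.local with firewall and dnsmasq rules into place
+  copy: src=etc_rc.local dest=/etc/rc.local
+
+- name: Enable IPv4 traffic forwarding
+  lineinfile: dest=/etc/sysctl.conf regexp="^net.ipv4.ip_forward" line="net.ipv4.ip_forward=1"
+- command: echo 1 > /proc/sys/net/ipv4/ip_forward
+
+- name: Allow OpenVPN through firewall
+  command: $item
+  with_items:
+    - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+    - iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
+    - iptables -A FORWARD -j REJECT
+    - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+
+- name: Copy OpenVPN configuration file into place
+  template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
+  notify: restart openvpn
+
+- name: Copy dnsmasq configuration file into place
+  copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
+  notify: restart dnsmasq
+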
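Review bot: Line 46, `command: echo 1 > /proc/sys/net/ipv4/ip_forward`, does not enable forwarding: the command module runs no shell, so `>` and the path are passed to echo as plain arguments and nothing is written to /proc; replace lines 44–46 with `sysctl: name=net.ipv4.ip_forward value=1 state=present reload=yes`, which also makes the lineinfile edit redundant. The same applies to line 30, where `.` is a shell builtin rather than an executable, so the task fails on a fresh host unless build-dh was already run by hand and is skipped afterwards only because of `creates=`; use `shell: . ./vars && ./build-dh chdir=/etc/openvpn/easy-rsa/2.0 creates=/etc/openvpn/easy-rsa/2.0/keys/dh1024.pem`. Lines 32–39 copy `ca.key` into /etc/openvpn next to `server.key`, yet the server configuration in this commit references only `ca.crt`, `server.crt`, `server.key` and `dh1024.pem`; drop `ca.key` from the list, since the daemon has no use for the CA signing key and the copy under easy-rsa/2.0/keys is the one to protect (or move off-host once client certificates are issued), and set a restrictive `mode` on the key copies rather than inheriting whatever cp produces. Line 13 has no `creates=`, so the recursive copy re-runs on every play.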

+ 72
- 0
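--- a/roles/vpn/templates/etc_openvpn_easy-rsa_2.0_vars.j2
+++ b/roles/vpn/templates/etc_openvpn_easy-rsa_2.0_vars.j2
@@ -0,0 +1,72 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="{{ key_country }}"
+export KEY_PROVINCE="{{ key_province }}"
+export KEY_CITY="{{ key_city }}"
+export KEY_ORG="{{ key_org }}"
+export KEY_EMAIL="{{ key_email }}"
+export KEY_CN={{ key_cn }}
+export KEY_NAME={{ key_name }}
+export KEY_OU={{ key_ou }}
+export PKCS11_MODULE_PATH=changeme
+export PKCS11_PIN=1234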
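Review bot: Line 52 keeps `KEY_SIZE=1024`, so the CA, server and client RSA keys produced by build-ca/build-key-server/build-key and the DH parameters from build-dh are all 1024-bit, which is below current minimums for a CA whose certificates are valid for 3650 days (lines 55 and 58). Set `export KEY_SIZE=2048`; build-dh then names its output after the key size, so the `creates=` path and the `dh1024.pem` item in roles/vpn/tasks/openvpn.yml and the `dh dh1024.pem` line in etc_openvpn_server.conf.j2 have to move to the new file name with it. Lines 68–70 expand `{{ key_cn }}`, `{{ key_name }}` and `{{ key_ou }}` unquoted, unlike lines 63–67, so a value containing a space is word-split when this file is sourced; quote them the same way, e.g. `export KEY_CN="{{ key_cn }}"`. Lines 71–72 (`PKCS11_MODULE_PATH=changeme`, `PKCS11_PIN=1234`) override the `dummy` values set on lines 44–45 and can be dropped unless a PKCS#11 token is actually used.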

+ 301
- 0
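--- a/roles/vpn/templates/etc_openvpn_server.conf.j2
+++ b/roles/vpn/templates/etc_openvpn_server.conf.j2
@@ -0,0 +1,301 @@
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port 1194
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca ca.crt
+cert server.crt
+key server.key  # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys. 
+dh dh1024.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.8.0.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Configure server mode for ethernet bridging
+# using a DHCP-proxy, where clients talk
+# to the OpenVPN server-side DHCP server
+# to receive their IP address allocation
+# and DNS server addresses.  You must first use
+# your OS's bridging capability to bridge the TAP
+# interface with the ethernet NIC interface.
+# Note: this mode only works on clients (such as
+# Windows), where the client-side TAP adapter is
+# bound to a DHCP client.
+;server-bridge
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 192.168.10.0 255.255.255.0"
+;push "route 192.168.20.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir ccd
+;route 192.168.40.128 255.255.255.248
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# or bridge the TUN/TAP interface to the internet
+# in order for this to work properly).
+;push "redirect-gateway def1 bypass-dhcp"
+push "redirect-gateway def1"
+push "dhcp-option DNS 10.8.0.1"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+# The addresses below refer to the public
+# DNS servers provided by opendns.com.
+;push "dhcp-option DNS 208.67.222.222"
+;push "dhcp-option DNS 208.67.220.220"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+;user nobody
+;group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status openvpn-status.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+;log         openvpn.log
+;log-append  openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 3
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20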
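Review bot: Lines 264–265 leave `;user nobody` and `;group nogroup` commented out, so the daemon keeps root for its whole lifetime even though `persist-key` and `persist-tun` on lines 271–272 are already set precisely to make that privilege drop workable; uncomment both. Line 241 also leaves `tls-auth` disabled, so any packet reaching UDP 1194 starts a TLS handshake; generating ta.key as the comment describes and enabling `tls-auth ta.key 0` (with `1` in the client configs) limits handshakes to holders of that key. With lines 246–248 all commented the data channel falls back to the BF-CBC default; set `cipher AES-128-CBC` explicitly here and in the client configs. `client-to-client` on line 206 is enabled while the comment above it still reads "Uncomment this directive", so either it is intended and the comment should say so, or it should be commented out to keep clients isolated from each other.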

+ 8
- 0
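--- a/roles/vpn/vars/main.yml
+++ b/roles/vpn/vars/main.yml
@@ -0,0 +1,8 @@
+key_country: TODO
+key_province: TODO
+key_city: TODO
+key_org: TODO
+key_email: TODO
+key_ou: TODO
+key_cn: TODO
+key_name: TODO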
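Review bot: The values on lines 1–8 are plain scalars, and `key_country` in particular will hold a two-letter code that YAML 1.1 loaders read as a boolean when it is `NO` (Norway), so the easy-rsa vars template would receive something like `False` instead of the string. Quote the placeholders so the replacement values stay strings, e.g. `key_country: "TODO"`, and do the same for `key_cn`, `key_name` and `key_ou`, which the template expands unquoted into a shell file. A leading `---` would match roles/vpn/tasks/openvpn.yml in the same role.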

+ 18
- 0
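--- a/site.yml
+++ b/site.yml
@@ -0,0 +1,18 @@
+---
+# This is the top-level playbook that defines our entire infrastructure.
+
+- hosts: all
+  user: TODO
+  sudo: True
+  gather_facts: False
+
+  roles:
+    - common
+    - mailserver
+    - blog
+    - ircbouncer
+    - monitoring
+    - owncloud
+    - vpn
+
+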
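Review bot: `sudo: True` and `gather_facts: False` on lines 6–7 use capitalised booleans; write them as `true` and `false`, which is what yamllint's truthy rule expects and avoids YAML 1.1/1.2 differences. The play targets `hosts: all` with every role, so the vpn role's iptables and ip_forward changes and the mailserver role are applied to each host in the inventory; if the roles are meant for a single box, a comment saying so (or one play per host group) would make the intent explicit. `user: TODO` is a placeholder that breaks the SSH connection until replaced; a `# set to the remote SSH login before running` comment next to it would help the next person. The two trailing blank lines at 17–18 can be trimmed to one.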
