author | clarkzjw <[email protected]> | 2023-02-08 00:40:09 -0800 |
committer | clarkzjw <[email protected]> | 2023-02-08 00:40:09 -0800 |
commit | 1204730924436ef9e1c7c49c9557837f9a5ed0e8 (patch) | |
tree | 129d79dfd11245751cee6d4082ff5d2f6e941610 /ansible/inventory/host_vars/mailmash | |
parent | 9635ac4dedf69de5bff65785bcc16bef80b52d75 (diff) | |
download | mail-1204730924436ef9e1c7c49c9557837f9a5ed0e8.tar.gz |
Diffstat (limited to 'ansible/inventory/host_vars/mailmash')
-rw-r--r-- | ansible/inventory/host_vars/mailmash/backup.yml | 18 | ||||
-rw-r--r-- | ansible/inventory/host_vars/mailmash/certs.yml | 13 | ||||
-rw-r--r-- | ansible/inventory/host_vars/mailmash/network.yml | 37 | ||||
-rw-r--r-- | ansible/inventory/host_vars/mailmash/sieve.yml | 9 |
4 files changed, 77 insertions, 0 deletions
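--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/backup.yml
@@ -0,0 +1,18 @@
+---
+backup:
+  # Define a host in your ~/.ssh/config with username, host, and private key.
+  # Maintaining your ~/.ssh/config is out of scope for our implementation here.
+  host: rsn-backup
+
+  # directories to backup can be amended at any time
+  dirs:
+    - /var/mail
+    - /var/lib/fail2ban
+    - /var/lib/redis
+
+  # phrase is from: borg init --remote-path=borg1 --encryption=repokey-blake2 rsn-backup:mailmash
+  phrase: your phrase goes here
+
+  # your runAs user should be able to ssh to the backup host without a password
+  # (remote login user is configured by Host->User in this user's ~/.ssh/config)
+  runAs: root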
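Review bot: The borg passphrase at `phrase:` is a plaintext secret in an inventory file that is committed to the repository; it should be vault-encrypted (`phrase: !vault |` followed by the ciphertext) or supplied through a lookup so the real value never lands in git history. The comment on that line says the repository was initialised with `--encryption=repokey-blake2`, which keeps the encryption key inside the repository on `rsn-backup`, so this passphrase is the only thing protecting the contents of `/var/mail` from anyone who can read the backup host. Because `runAs: root` means the mail host's root key logs in to the backup host without a password, a comment here such as `# pin this key on rsn-backup with command="borg serve --append-only --restrict-to-repository mailmash"` would remind operators that a compromised mail host must not be able to prune or overwrite its own backups; I cannot see the backup host's authorized_keys from this change, so treat that as a reminder rather than a finding.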
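--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/certs.yml
@@ -0,0 +1,13 @@
+---
+certs:
+  # Copy only these private keys and certs from ansible into the system
+  requested:
+    - yourmail.server.com
+
+  # we receive our certs by scp from the main cert hosting service elsewhere
+  receiver: true
+
+  # These users have ansible-controlled ssh private keys
+  # (mainly for automated backups right now)
+  sshKeysForUsers:
+    - root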
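Review bot: Both `requested:` and `sshKeysForUsers:` cause private key material (a TLS key for `yourmail.server.com` and an SSH key for `root`) to be copied out of the ansible tree onto the host, but nothing in the file says where those keys are kept or that they must be encrypted at rest before commit; a comment above `requested:` such as `# private keys and ssh keys referenced here must be ansible-vault encrypted in files/` would make the expectation explicit for whoever adds the next host. The `receiver: true` flag implies an inbound scp of certificates from another machine, and it is not stated which account receives them or whether that account is restricted to writing the `/etc/ssl/[hostname]-*.pem` paths, so a one-line note naming the receiving user and its restriction (if any) would help. I cannot see the role that consumes these values, so these are documentation requests rather than defects in the values themselves.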
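--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/network.yml
@@ -0,0 +1,37 @@
+---
+network:
+  # These interface names are used to pull IP addresses into templates.
+  # interface.public has the IP we use to open ports to the world (mail, web, etc)
+  # interface.private has the IP for private services (ssh login, reporting, etc)
+  # Right now we don't support multiple IPs per interface, we just grab the IPv4
+  # address as presented by ansible fact e.g. 'ansible_{{interface.public}}.ipv4.address'
+  interface:
+    private: ens3
+    public: ens4
+  hostname:
+    # network.hostname.public is used populate templates with
+    # server's public hostname, including:
+    # - TLS certs to use with this pattern:
+    #   /etc/ssl/[hostname]-cert-combined.pem
+    #   /etc/ssl/[hostname]-key.pem
+    # - Postfix config parameter "myhostname"
+    public: yourmail.server.com
+
+  # Below is almost (almost!) the netplan schema with three changes:
+  # - only one "interface" per system because ansible can't seem to generate multiple
+  #   templates from one yaml dict?
+  # - so, the 'interface' key is added, other wise it would just be ethernets: ens4: ...
+  # - also, 'addresses' needs per-address broadcast, so addresses are now lists
+  #   of dicts, so 'ip' is a new name as is 'broadcast'
+  ethernets:
+    interface: ens4
+    macaddress: 02:00:00:7d:ca:ab
+    networks:
+      - subnet: 4.4.4.0/30
+        gateway: 5.5.5.5
+        addresses:
+          - 4.4.4.4/32
+        routes:
+          - to: 0.0.0.0/0
+            via: 5.5.5.5
+            on-link: true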
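Review bot: The comment above `ethernets:` says `addresses` entries are "lists of dicts" carrying `ip` and `broadcast` keys, but the only entry under `addresses:` is the bare CIDR string `4.4.4.4/32`; one of the two is wrong, and if the netplan template indexes `.ip` and `.broadcast` as the comment describes, this host will render an empty or broken address stanza, so either the value should become `- ip: 4.4.4.4/32` plus a `broadcast:` line or the comment should be corrected to describe the string form actually used. Separately, `macaddress: 02:00:00:7d:ca:ab` is a plain scalar; this particular value is read as a string because of the hex letters, but an all-numeric MAC such as `10:11:22:33:44:55` can be read as a YAML 1.1 sexagesimal integer by a PyYAML-based loader, so quoting it (`macaddress: '02:00:00:7d:ca:ab'`) makes the example safe to copy for other hosts. The exact nesting of `routes:` relative to the `networks:` item cannot be confirmed from what is visible here.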
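--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/sieve.yml
@@ -0,0 +1,9 @@
+---
+sieve:
+  users:
+    # username field is the filename [username].sieve in files/
+    # The sieve file gets stored in vmail user directory [domain]/[user]/sieve/
+    # We could improve this because it's clearly redundant...
+    - username: [email protected]
+      domain: server.com
+      user: username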