Diffstat (limited to 'ansible/inventory/host_vars/mailmash')
-rw-r--r--ansible/inventory/host_vars/mailmash/backup.yml18
-rw-r--r--ansible/inventory/host_vars/mailmash/certs.yml13
-rw-r--r--ansible/inventory/host_vars/mailmash/network.yml37
-rw-r--r--ansible/inventory/host_vars/mailmash/sieve.yml9
4 files changed, 77 insertions, 0 deletions
diff --git a/ansible/inventory/host_vars/mailmash/backup.yml b/ansible/inventory/host_vars/mailmash/backup.yml
new file mode 100644
index 0000000..aa5fcc4
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/backup.yml
@@ -0,0 +1,18 @@
1---
2backup:
3 # Define a host in your ~/.ssh/config with username, host, and private key.
4 # Maintaining your ~/.ssh/config is out of scope for our implementation here.
5 host: rsn-backup
6
7 # directories to backup can be amended at any time
8 dirs:
9 - /var/mail
10 - /var/lib/fail2ban
11 - /var/lib/redis
12
13 # phrase is from: borg init --remote-path=borg1 --encryption=repokey-blake2 rsn-backup:mailmash
14 phrase: your phrase goes here
15
16 # your runAs user should be able to ssh to the backup host without a password
17 # (remote login user is configured by Host->User in this user's ~/.ssh/config)
18 runAs: root
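Review bot: `phrase: your phrase goes here` on line 14 places the borg repokey passphrase in a plain-text host_vars file that is committed with the rest of the inventory, so the moment a real value replaces the placeholder it lands in git history for good. Keep the key here but point it at a vaulted variable, e.g. `phrase: "{{ vault_backup_phrase }}"`, and define `vault_backup_phrase` in an `ansible-vault`-encrypted file in the same host_vars directory (Ansible loads every file there), so the inventory stays readable while the secret does not. Quoting the value also protects a passphrase that happens to look like a number or boolean from being retyped by the YAML loader. The comment on line 13 could say explicitly that the value must match what was given at `borg init`, since a mismatch only shows up on the first backup run.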
diff --git a/ansible/inventory/host_vars/mailmash/certs.yml b/ansible/inventory/host_vars/mailmash/certs.yml
new file mode 100644
index 0000000..fd6dde0
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/certs.yml
@@ -0,0 +1,13 @@
1---
2certs:
3 # Copy only these private keys and certs from ansible into the system
4 requested:
5 - yourmail.server.com
6
7 # we receive our certs by scp from the main cert hosting service elsewhere
8 receiver: true
9
10 # These users have ansible-controlled ssh private keys
11 # (mainly for automated backups right now)
12 sshKeysForUsers:
13 - root
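Review bot: `requested:` on line 4 hard-codes `yourmail.server.com`, the same hostname that network.yml's `hostname.public` carries and from which, per that file's comment, the cert file names under /etc/ssl are derived; the two copies can drift apart silently, with Postfix then pointing at a cert that was never copied in. Since host_vars are Jinja-templated at use time, `- "{{ network.hostname.public }}"` would keep a single source of truth, assuming nothing reads `certs.requested` outside a play where the network vars are available (worth confirming). The `sshKeysForUsers` comment on lines 10-11 could also name the role or files path the private keys come from, so a reader knows which key material root ends up holding and where to rotate it.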
diff --git a/ansible/inventory/host_vars/mailmash/network.yml b/ansible/inventory/host_vars/mailmash/network.yml
new file mode 100644
index 0000000..e290f7b
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/network.yml
@@ -0,0 +1,37 @@
1---
2network:
3 # These interface names are used to pull IP addresses into templates.
4 # interface.public has the IP we use to open ports to the world (mail, web, etc)
5 # interface.private has the IP for private services (ssh login, reporting, etc)
6 # Right now we don't support multiple IPs per interface, we just grab the IPv4
7 # address as presented by ansible fact e.g. 'ansible_{{interface.public}}.ipv4.address'
8 interface:
9 private: ens3
10 public: ens4
11 hostname:
12 # network.hostname.public is used populate templates with
13 # server's public hostname, including:
14 # - TLS certs to use with this pattern:
15 # /etc/ssl/[hostname]-cert-combined.pem
16 # /etc/ssl/[hostname]-key.pem
17 # - Postfix config parameter "myhostname"
18 public: yourmail.server.com
19
20 # Below is almost (almost!) the netplan schema with three changes:
21 # - only one "interface" per system because ansible can't seem to generate multiple
22 # templates from one yaml dict?
23 # - so, the 'interface' key is added, other wise it would just be ethernets: ens4: ...
24 # - also, 'addresses' needs per-address broadcast, so addresses are now lists
25 # of dicts, so 'ip' is a new name as is 'broadcast'
26 ethernets:
27 interface: ens4
28 macaddress: 02:00:00:7d:ca:ab
29 networks:
30 - subnet: 4.4.4.0/30
31 gateway: 5.5.5.5
32 addresses:
33 - 4.4.4.4/32
34 routes:
35 - to: 0.0.0.0/0
36 via: 5.5.5.5
37 on-link: true
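Review bot: The comment on lines 24-25 says `addresses` is a list of dicts with `ip` and `broadcast` keys, but the data on lines 32-33 is a list of plain CIDR strings (`- 4.4.4.4/32`) with neither key, so either the comment or the template it describes is out of date and the two should be reconciled (either `- ip: 4.4.4.4/32` with a `broadcast:` entry if the template needs them, or the comment trimmed to match). On line 28 `macaddress: 02:00:00:7d:ca:ab` should be quoted as `macaddress: "02:00:00:7d:ca:ab"`: Ansible's YAML loader follows YAML 1.1 implicit typing, and a MAC made only of decimal digits (a constructed example: `12:34:56:12:34:56`) can be read as a sexagesimal integer instead of a string, which is hard to spot because this particular value happens to be safe. Minor wording on lines 12 and 23: "is used populate" → "is used to populate", "other wise" → "otherwise".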
diff --git a/ansible/inventory/host_vars/mailmash/sieve.yml b/ansible/inventory/host_vars/mailmash/sieve.yml
new file mode 100644
index 0000000..635fb4e
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/sieve.yml
@@ -0,0 +1,9 @@
1---
2sieve:
3 users:
4 # username field is the filename [username].sieve in files/
5 # The sieve file gets stored in vmail user directory [domain]/[user]/sieve/
6 # We could improve this because it's clearly redundant...
7 - username: [email protected]
8 domain: server.com
9 user: username
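Review bot: `username: [email protected]` on line 7 reads as a one-element flow sequence rather than a string if the brackets are really in the file; this looks like the page's e-mail obfuscation rather than the committed text, but if the field can hold a bracket or start with a YAML indicator it should be quoted (`username: "<address>"`). The comment on lines 4-6 acknowledges that `domain` and `user` duplicate information in `username`, and since the comment on line 4 also makes `username` the sieve filename in files/, a line stating which field is authoritative (and whether the filename must match `user` or the full address) would save the next reader from guessing. The trailing "We could improve this..." on line 6 would be more useful as a concrete TODO naming the intended derivation, e.g. `# TODO: derive domain/user from username`.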