From 1204730924436ef9e1c7c49c9557837f9a5ed0e8 Mon Sep 17 00:00:00 2001 From: clarkzjw Date: Wed, 8 Feb 2023 00:40:09 -0800 Subject: fork https://github.com/mattsta/mailweb
---
ansible/inventory/host_vars/mailmash/backup.yml | 18 ++++++++++++ ansible/inventory/host_vars/mailmash/certs.yml | 13 +++++++++ ansible/inventory/host_vars/mailmash/network.yml | 37 ++++++++++++++++++++++++ ansible/inventory/host_vars/mailmash/sieve.yml | 9 ++++++ 4 files changed, 77 insertions(+) create mode 100644 ansible/inventory/host_vars/mailmash/backup.yml create mode 100644 ansible/inventory/host_vars/mailmash/certs.yml create mode 100644 ansible/inventory/host_vars/mailmash/network.yml create mode 100644 ansible/inventory/host_vars/mailmash/sieve.yml (limited to 'ansible/inventory/host_vars/mailmash')
diff --git a/ansible/inventory/host_vars/mailmash/backup.yml b/ansible/inventory/host_vars/mailmash/backup.yml
new file mode 100644
index 0000000..aa5fcc4
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/backup.yml
@@ -0,0 +1,18 @@
+---
+backup:
+ # Define a host in your ~/.ssh/config with username, host, and private key.
+ # Maintaining your ~/.ssh/config is out of scope for our implementation here.
+ host: rsn-backup
+
+ # directories to backup can be amended at any time
+ dirs:
+ - /var/mail
+ - /var/lib/fail2ban
+ - /var/lib/redis
+
+ # phrase is from: borg init --remote-path=borg1 --encryption=repokey-blake2 rsn-backup:mailmash
+ phrase: your phrase goes here
+
+ # your runAs user should be able to ssh to the backup host without a password
+ # (remote login user is configured by Host->User in this user's ~/.ssh/config)
+ runAs: root
diff --git a/ansible/inventory/host_vars/mailmash/certs.yml b/ansible/inventory/host_vars/mailmash/certs.yml
new file mode 100644
index 0000000..fd6dde0
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/certs.yml
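Review bot: `phrase: your phrase goes here` places the borg repository passphrase in a host_vars file that is committed to git, so whoever replaces the placeholder will commit the real secret in plaintext next to the inventory. Store it with Ansible Vault instead, e.g. `phrase: "{{ vault_borg_passphrase }}"` with the vaulted variable in a separate encrypted file or an inline `!vault |` block, and keep the value quoted in any case, since a passphrase containing `: ` or ` #` would break a plain scalar. The comment above it is also misleading: `borg init --encryption=repokey-blake2` asks you to choose a passphrase rather than generating one, so `# passphrase chosen when running: borg init --remote-path=borg1 --encryption=repokey-blake2 rsn-backup:mailmash` reads more accurately. Because `runAs: root` means root's SSH key reaches the backup host unattended, a comment noting that the remote side should restrict that key (forced command and, if borg serve supports it there, an append-only repository) would record that a compromised mail server must not be able to delete its own backups.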
@@ -0,0 +1,13 @@
+---
+certs:
+ # Copy only these private keys and certs from ansible into the system
+ requested:
+ - yourmail.server.com
+
+ # we receive our certs by scp from the main cert hosting service elsewhere
+ receiver: true
+
+ # These users have ansible-controlled ssh private keys
+ # (mainly for automated backups right now)
+ sshKeysForUsers:
+ - root
diff --git a/ansible/inventory/host_vars/mailmash/network.yml b/ansible/inventory/host_vars/mailmash/network.yml
new file mode 100644
index 0000000..e290f7b
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/network.yml
@@ -0,0 +1,37 @@
+---
+network:
+ # These interface names are used to pull IP addresses into templates.
+ # interface.public has the IP we use to open ports to the world (mail, web, etc)
+ # interface.private has the IP for private services (ssh login, reporting, etc)
+ # Right now we don't support multiple IPs per interface, we just grab the IPv4
+ # address as presented by ansible fact e.g. 'ansible_{{interface.public}}.ipv4.address'
+ interface:
+ private: ens3
+ public: ens4
+ hostname:
+ # network.hostname.public is used populate templates with
+ # server's public hostname, including:
+ # - TLS certs to use with this pattern:
+ /etc/ssl/[hostname]-cert-combined.pem
+ /etc/ssl/[hostname]-key.pem
+ # - Postfix config parameter "myhostname"
+ public: yourmail.server.com
+
+ # Below is almost (almost!) the netplan schema with three changes:
+ # - only one "interface" per system because ansible can't seem to generate multiple
+ # templates from one yaml dict?
+ # - so, the 'interface' key is added, other wise it would just be ethernets: ens4: ...
+ # - also, 'addresses' needs per-address broadcast, so addresses are now lists
+ # of dicts, so 'ip' is a new name as is 'broadcast'
+ ethernets:
+ interface: ens4
+ macaddress: 02:00:00:7d:ca:ab
+ networks:
+ - subnet: 4.4.4.0/30
+ gateway: 5.5.5.5
+ addresses:
+ - 4.4.4.4/32
+ routes:
+ - to: 0.0.0.0/0
+ via: 5.5.5.5
+ on-link: true
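Review bot: `sshKeysForUsers: - root` means an ansible-managed SSH private key is installed for root, and nothing in this file says where that key material lives or how the remote end constrains it. The key body should be an Ansible Vault value rather than a plain file in the repository, and since the comment says the key exists mainly for automated backups, a dedicated unprivileged backup user would limit what a leaked key grants; if root is kept, the remote `authorized_keys` entry should carry a forced command. `receiver: true` implies this host accepts certificates pushed by scp from elsewhere; I cannot see the receiving side, but the account that receives them should be confined to that drop path and the installed private keys should end up mode 0600 owned by root. A comment such as `# key material must be vault-encrypted; the remote authorized_keys entry should force-command the backup job` above `sshKeysForUsers` would record this for the next operator.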
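Review bot: `macaddress: 02:00:00:7d:ca:ab` is an unquoted colon-separated scalar; this value stays a string only because of the hex letters, whereas a MAC whose octets are all decimal digits with a non-zero first digit (e.g. `12:00:00:12:34:56`) is read as a YAML 1.1 sexagesimal integer by PyYAML, which Ansible's loader builds on, so write `macaddress: '02:00:00:7d:ca:ab'` and keep it quoted in copies of this file. The comment block above `ethernets` says `addresses` became a list of dicts with `ip` and `broadcast` keys, but the example is a plain `- 4.4.4.4/32`, so either the comment or the sample is stale and a copier cannot tell which shape the template expects. The sample values are also internally inconsistent: `4.4.4.4/32` is not inside `subnet: 4.4.4.0/30` (which covers 4.4.4.0 to 4.4.4.3) and `gateway: 5.5.5.5` duplicates the default route below it; placeholder data that does not validate tends to be copied verbatim, so a `# placeholder values, replace all of them` comment or a self-consistent example would help.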
diff --git a/ansible/inventory/host_vars/mailmash/sieve.yml b/ansible/inventory/host_vars/mailmash/sieve.yml
new file mode 100644
index 0000000..635fb4e
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/sieve.yml
@@ -0,0 +1,9 @@
+---
+sieve:
+ users:
+ # username field is the filename [username].sieve in files/
+ # The sieve file gets stored in vmail user directory [domain]/[user]/sieve/
+ # We could improve this because it's clearly redundant...
+ - username: username@server.com
+ domain: server.com
+ user: username
-- cgit v1.2.3
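Review bot: `username`, `domain` and `user` are free-form inventory strings that, per the comments, become the filename `files/[username].sieve` and the on-disk path `[domain]/[user]/sieve/` under the vmail directory, and nothing in this file constrains them. If the consuming task builds those paths by concatenation (I cannot see it here), a value containing `/` or `..` would place the sieve script outside the intended user directory, so the playbook should reject such values with something like `assert: { that: "'/' not in item.user and '/' not in item.domain and '..' not in item.username" }`, or better derive `domain` and `user` from `username` with `item.username.split('@')`, which also removes the redundancy the comment already complains about. Until that check exists, a comment above `users` stating `# these values are used as path components and must not contain '/' or '..'` would document the constraint.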