refactor: move postfix gateway config to hiera for deep merging

- remove profiles::postfix::gateway wrapper class entirely
- move all postfix configurations to hieradata/roles/infra/mail/gateway.yaml
- add deep merge lookup options for postfix::configs, postfix::maps, and postfix::virtuals
- use hiera_include to include postfix module directly

hieradata/common.yaml

@@ -158,6 +158,15 @@ lookup_options:
   rke2::config_hash:
     merge:
       strategy: deep
+  postfix::configs:
+    merge:
+      strategy: deep
+  postfix::maps:
+    merge:
+      strategy: deep
+  postfix::virtuals:
+    merge:
+      strategy: deep
 
 facts_path: '/opt/puppetlabs/facter/facts.d'
 

hieradata/roles/infra/mail/gateway.yaml

@@ -1,5 +1,213 @@
 ---
 
+hiera_include:
+  - postfix
+
 # additional altnames
 profiles::pki::vault::alt_names:
   - in-mta.main.unkin.net
+
+# postfix configuration
+postfix::relayhost: 'direct'
+postfix::myorigin: 'main.unkin.net'
+postfix::mydestination: 'blank'
+postfix::mynetworks: '127.0.0.0/8 [::1]/128'
+postfix::alias_maps: 'hash:/etc/aliases, hash:/etc/postfix/aliases'
+postfix::mta: true
+postfix::manage_aliases: true
+postfix::master_smtp: 'smtp      inet  n       -       n       -       1       postscreen'
+postfix::master_entries:
+  - 'smtpd     pass  -       -       n       -       -       smtpd'
+  - 'dnsblog   unix  -       -       n       -       0       dnsblog'
+  - 'tlsproxy  unix  -       -       n       -       0       tlsproxy'
+
+# postfix main.cf configurations
+postfix::configs:
+  alias_database:
+    value: 'hash:/etc/aliases, hash:/etc/postfix/aliases'
+  default_destination_recipient_limit:
+    value: '1'
+  disable_vrfy_command:
+    value: 'yes'
+  enable_long_queue_ids:
+    value: 'yes'
+  error_notice_recipient:
+    value: 'root'
+  header_checks:
+    value: 'regexp:/etc/postfix/header_checks'
+  local_recipient_maps:
+    ensure: 'blank'
+  local_transport:
+    value: 'error:No local mail delivery'
+  mailbox_size_limit:
+    value: '133169152'
+  message_size_limit:
+    value: '133169152'
+  myhostname:
+    value: 'in-mta.main.unkin.net'
+  non_smtpd_milters:
+    ensure: 'blank'
+  postscreen_access_list:
+    value: 'permit_mynetworks, cidr:/etc/postfix/postscreen_access'
+  postscreen_blacklist_action:
+    value: 'enforce'
+  postscreen_cache_map:
+    value: 'btree:$data_directory/postscreen_cache'
+  postscreen_dnsbl_action:
+    value: 'enforce'
+  postscreen_dnsbl_sites:
+    value: 'zen.spamhaus.org*3, b.barracudacentral.org=127.0.0.[2..11]*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, swl.spamhaus.org*-4, list.dnswl.org=127.[0..255].[0..255].0*-2, list.dnswl.org=127.[0..255].[0..255].1*-4, list.dnswl.org=127.[0..255].[0..255].[2..3]*-6'
+  postscreen_dnsbl_threshold:
+    value: '2'
+  postscreen_greet_action:
+    value: 'enforce'
+  postscreen_greet_banner:
+    value: '$smtpd_banner'
+  postscreen_greet_wait:
+    value: '${stress?2}${stress:6}s'
+  qmqpd_authorized_clients:
+    value: '127.0.0.1 [::1]'
+  recipient_canonical_maps:
+    value: 'hash:/etc/postfix/recipient_canonical'
+  recipient_delimiter:
+    value: '+'
+  relay_domains:
+    value: 'hash:/etc/postfix/relay_domains'
+  relay_recipient_maps:
+    value: 'hash:/etc/postfix/relay_recipients'
+  sender_canonical_maps:
+    value: 'hash:/etc/postfix/sender_canonical'
+  smtp_tls_CAfile:
+    value: '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'
+  smtp_tls_mandatory_protocols:
+    value: '!SSLv2,!SSLv3'
+  smtp_tls_note_starttls_offer:
+    value: 'yes'
+  smtp_tls_protocols:
+    value: '!SSLv2,!SSLv3'
+  smtp_tls_security_level:
+    value: 'may'
+  smtp_tls_session_cache_database:
+    value: 'btree:/var/lib/postfix/smtp_tls_session_cache'
+  smtp_use_tls:
+    value: 'yes'
+  smtpd_banner:
+    value: '$myhostname ESMTP $mail_name'
+  smtpd_client_restrictions:
+    value: 'permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org'
+  smtpd_data_restrictions:
+    value: 'reject_unauth_pipelining'
+  smtpd_delay_reject:
+    value: 'yes'
+  smtpd_discard_ehlo_keywords:
+    value: 'chunking, silent-discard'
+  smtpd_forbid_bare_newline:
+    value: 'yes'
+  smtpd_forbid_bare_newline_exclusions:
+    value: '$mynetworks'
+  smtpd_forbid_unauth_pipelining:
+    value: 'yes'
+  smtpd_helo_required:
+    value: 'yes'
+  smtpd_helo_restrictions:
+    value: 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname'
+  smtpd_milters:
+    value: 'inet:127.0.0.1:33333'
+  smtpd_recipient_restrictions:
+    value: 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501, reject_unverified_recipient'
+  smtpd_relay_restrictions:
+    value: 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
+  smtpd_sender_restrictions:
+    value: 'permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain'
+  smtpd_tls_CAfile:
+    value: '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'
+  smtpd_tls_cert_file:
+    value: '/etc/pki/tls/vault/certificate.pem'
+  smtpd_tls_ciphers:
+    value: 'medium'
+  smtpd_tls_key_file:
+    value: '/etc/pki/tls/vault/certificate.pem'
+  smtpd_tls_loglevel:
+    value: '1'
+  smtpd_tls_mandatory_protocols:
+    value: '!SSLv2,!SSLv3'
+  smtpd_tls_protocols:
+    value: '!SSLv2,!SSLv3'
+  smtpd_tls_received_header:
+    value: 'yes'
+  smtpd_tls_security_level:
+    value: 'may'
+  smtpd_tls_session_cache_database:
+    value: 'btree:/var/lib/postfix/smtpd_tls_session_cache'
+  smtpd_tls_session_cache_timeout:
+    value: '3600s'
+  smtpd_use_tls:
+    value: 'yes'
+  tls_medium_cipherlist:
+    value: 'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
+  tls_preempt_cipherlist:
+    value: 'yes'
+  tls_random_source:
+    value: 'dev:/dev/urandom'
+  unverified_recipient_reject_code:
+    value: '550'
+  unverified_recipient_reject_reason:
+    value: 'No user at this address'
+
+# postfix maps
+postfix::maps:
+  postscreen_access:
+    ensure: present
+    type: 'cidr'
+    source: 'puppet:///modules/profiles/postfix/gateway/postscreen_access'
+  relay_recipients:
+    ensure: present
+    type: 'hash'
+    source: 'puppet:///modules/profiles/postfix/gateway/relay_recipients'
+  relay_domains:
+    ensure: present
+    type: 'hash'
+    source: 'puppet:///modules/profiles/postfix/gateway/relay_domains'
+  aliases:
+    ensure: present
+    type: 'hash'
+    source: 'puppet:///modules/profiles/postfix/gateway/aliases'
+  helo_access:
+    ensure: present
+    type: 'hash'
+    source: 'puppet:///modules/profiles/postfix/gateway/helo_access'
+  sender_access:
+    ensure: present
+    type: 'hash'
+    source: 'puppet:///modules/profiles/postfix/gateway/sender_access'
+  recipient_access:
+    ensure: present
+    type: 'hash'
+    source: 'puppet:///modules/profiles/postfix/gateway/recipient_access'
+  recipient_canonical:
+    ensure: present
+    type: 'hash'
+    source: 'puppet:///modules/profiles/postfix/gateway/recipient_canonical'
+  sender_canonical:
+    ensure: present
+    type: 'hash'
+    source: 'puppet:///modules/profiles/postfix/gateway/sender_canonical'
+
+# postfix transports
+postfix::transports:
+  'main.unkin.net':
+    ensure: present
+    destination: 'relay'
+    nexthop: 'ausyd1nxvm2120.main.unkin.net:25'
+
+# postfix virtuals
+postfix::virtuals:
+  'root':
+    ensure: present
+    destination: 'ben@main.unkin.net'
+  'postmaster':
+    ensure: present
+    destination: 'ben@main.unkin.net'
+  'abuse':
+    ensure: present
+    destination: 'ben@main.unkin.net'

site/profiles/manifests/postfix/gateway.pp

@@ -1,250 +0,0 @@
-class profiles::postfix::gateway (
-  $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
-  $tls_key_file  = '/etc/pki/tls/vault/certificate.pem',
-  $tls_ca_file   = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
-) {
-
-  $alias_maps = 'hash:/etc/aliases, hash:/etc/postfix/aliases'
-
-  class { 'postfix':
-    relayhost      => 'direct',
-    myorigin       => 'main.unkin.net',
-    mydestination  => 'blank',
-    mynetworks     => '127.0.0.0/8 [::1]/128',
-    alias_maps     => $alias_maps,
-    mta            => true,
-    manage_aliases => true,
-    master_smtp    => 'smtp      inet  n       -       n       -       1       postscreen',
-    master_entries => [
-      # Postscreen backend services
-      'smtpd     pass  -       -       n       -       -       smtpd',
-      'dnsblog   unix  -       -       n       -       0       dnsblog',
-      'tlsproxy  unix  -       -       n       -       0       tlsproxy',
-    ],
-  }
-
-  postfix::config {
-    'alias_database':
-      value => $alias_maps;
-    'default_destination_recipient_limit':
-      value => '1';
-    'disable_vrfy_command':
-      value => 'yes';
-    'enable_long_queue_ids':
-      value => 'yes';
-    'error_notice_recipient':
-      value => 'root';
-    'header_checks':
-      value => 'regexp:/etc/postfix/header_checks';
-    'local_recipient_maps':
-      ensure => 'blank';      # no local mailboxes
-    'local_transport':
-      value => 'error:No local mail delivery';
-    'mailbox_size_limit':
-      value => '133169152';   # ~127MB
-    'message_size_limit':
-      value => '133169152';   # ~127MB
-    'myhostname':
-      value => 'in-mta.main.unkin.net';
-    'non_smtpd_milters':
-      ensure => 'blank';
-    'postscreen_access_list':
-      value => 'permit_mynetworks, cidr:/etc/postfix/postscreen_access';
-    'postscreen_blacklist_action':
-      value => 'enforce';
-    'postscreen_cache_map':
-      value => 'btree:$data_directory/postscreen_cache';
-    'postscreen_dnsbl_action':
-      value => 'enforce';
-    'postscreen_dnsbl_sites':
-      value => join([
-        'zen.spamhaus.org*3',
-        'b.barracudacentral.org=127.0.0.[2..11]*2',
-        'bl.spameatingmonkey.net*2',
-        'bl.spamcop.net',
-        'dnsbl.sorbs.net',
-        'swl.spamhaus.org*-4',
-        'list.dnswl.org=127.[0..255].[0..255].0*-2',
-        'list.dnswl.org=127.[0..255].[0..255].1*-4',
-        'list.dnswl.org=127.[0..255].[0..255].[2..3]*-6'
-      ], ', ');
-    'postscreen_dnsbl_threshold':
-      value => '2';
-    'postscreen_greet_action':
-      value => 'enforce';
-    'postscreen_greet_banner':
-      value => '$smtpd_banner';
-    'postscreen_greet_wait':
-      value => "\${stress?2}\${stress:6}s";
-    'qmqpd_authorized_clients':
-      value => '127.0.0.1 [::1]';
-    'recipient_canonical_maps':
-      value => 'hash:/etc/postfix/recipient_canonical';
-    'recipient_delimiter':
-      value => '+';
-    'relay_domains':
-      value => 'hash:/etc/postfix/relay_domains';
-    'relay_recipient_maps':
-      value => 'hash:/etc/postfix/relay_recipients';
-    'sender_canonical_maps':
-      value => 'hash:/etc/postfix/sender_canonical';
-    'smtp_tls_CAfile':
-      value => $tls_ca_file;
-    'smtp_tls_mandatory_protocols':
-      value => '!SSLv2,!SSLv3';
-    'smtp_tls_note_starttls_offer':
-      value => 'yes';
-    'smtp_tls_protocols':
-      value => '!SSLv2,!SSLv3';
-    'smtp_tls_security_level':
-      value => 'may';
-    'smtp_tls_session_cache_database':
-      value => 'btree:/var/lib/postfix/smtp_tls_session_cache';
-    'smtp_use_tls':
-      value => 'yes';
-    'smtpd_banner':
-      value => '$myhostname ESMTP $mail_name';
-    'smtpd_client_restrictions':
-      value => 'permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org';
-    'smtpd_data_restrictions':
-      value => 'reject_unauth_pipelining';
-    'smtpd_delay_reject':
-      value => 'yes';
-    'smtpd_discard_ehlo_keywords':
-      value => 'chunking, silent-discard';
-    'smtpd_forbid_bare_newline':
-      value => 'yes';
-    'smtpd_forbid_bare_newline_exclusions':
-      value => '$mynetworks';
-    'smtpd_forbid_unauth_pipelining':
-      value => 'yes';
-    'smtpd_helo_required':
-      value => 'yes';
-    'smtpd_helo_restrictions':
-      value => 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname';
-    'smtpd_milters':
-      value => 'inet:127.0.0.1:33333';
-    'smtpd_recipient_restrictions':
-      value => join([
-        'permit_sasl_authenticated',
-        'permit_mynetworks',
-        'reject_unauth_destination',
-        'reject_non_fqdn_recipient',
-        'reject_unknown_recipient_domain',
-        'check_recipient_access hash:/etc/postfix/recipient_access',
-        'check_policy_service inet:127.0.0.1:2501',
-        'reject_unverified_recipient'
-      ], ', ');
-    'smtpd_relay_restrictions':
-      value => 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination';
-    'smtpd_sender_restrictions':
-      value => join([
-        'permit_sasl_authenticated',
-        'check_sender_access hash:/etc/postfix/sender_access',
-        'reject_non_fqdn_sender',
-        'reject_unknown_sender_domain'
-      ], ', ');
-    'smtpd_tls_CAfile':
-      value => $tls_ca_file;
-    'smtpd_tls_cert_file':
-      value => $tls_cert_file;
-    'smtpd_tls_ciphers':
-      value => 'medium';
-    'smtpd_tls_key_file':
-      value => $tls_key_file;
-    'smtpd_tls_loglevel':
-      value => '1';
-    'smtpd_tls_mandatory_protocols':
-      value => '!SSLv2,!SSLv3';
-    'smtpd_tls_protocols':
-      value => '!SSLv2,!SSLv3';
-    'smtpd_tls_received_header':
-      value => 'yes';
-    'smtpd_tls_security_level':
-      value => 'may';
-    'smtpd_tls_session_cache_database':
-      value => 'btree:/var/lib/postfix/smtpd_tls_session_cache';
-    'smtpd_tls_session_cache_timeout':
-      value => '3600s';
-    'smtpd_use_tls':
-      value => 'yes';
-    'tls_medium_cipherlist':
-      value => join([
-        'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES',
-        'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
-      ], ':');
-    'tls_preempt_cipherlist':
-      value => 'yes';
-    'tls_random_source':
-      value => 'dev:/dev/urandom';
-    'unverified_recipient_reject_code':
-      value => '550';
-    'unverified_recipient_reject_reason':
-      value => 'No user at this address';
-  }
-
-  postfix::map { 'postscreen_access':
-    ensure => present,
-    type   => 'cidr',
-    source => 'puppet:///modules/profiles/postfix/gateway/postscreen_access'
-  }
-  postfix::map { 'relay_recipients':
-    ensure => present,
-    type   => 'hash',
-    source => 'puppet:///modules/profiles/postfix/gateway/relay_recipients'
-  }
-  postfix::map { 'relay_domains':
-    ensure => present,
-    type   => 'hash',
-    source => 'puppet:///modules/profiles/postfix/gateway/relay_domains'
-  }
-  postfix::map { 'aliases':
-    ensure => present,
-    type   => 'hash',
-    source => 'puppet:///modules/profiles/postfix/gateway/aliases'
-  }
-  postfix::map { 'helo_access':
-    ensure => present,
-    type   => 'hash',
-    source => 'puppet:///modules/profiles/postfix/gateway/helo_access'
-  }
-  postfix::map { 'sender_access':
-    ensure => present,
-    type   => 'hash',
-    source => 'puppet:///modules/profiles/postfix/gateway/sender_access'
-  }
-  postfix::map { 'recipient_access':
-    ensure => present,
-    type   => 'hash',
-    source => 'puppet:///modules/profiles/postfix/gateway/recipient_access'
-  }
-  postfix::map { 'recipient_canonical':
-    ensure => present,
-    type   => 'hash',
-    source => 'puppet:///modules/profiles/postfix/gateway/recipient_canonical'
-  }
-  postfix::map { 'sender_canonical':
-    ensure => present,
-    type   => 'hash',
-    source => 'puppet:///modules/profiles/postfix/gateway/sender_canonical'
-  }
-
-  postfix::transport {
-    'main.unkin.net':
-      ensure      => present,
-      destination => 'relay',
-      nexthop     => 'ausyd1nxvm2120.main.unkin.net:25';
-  }
-  postfix::virtual {
-    'root':
-      ensure      => present,
-      destination => 'ben@main.unkin.net';
-    'postmaster':
-      ensure      => present,
-      destination => 'ben@main.unkin.net';
-    'abuse':
-      ensure      => present,
-      destination => 'ben@main.unkin.net';
-  }
-
-}

site/roles/manifests/infra/mail/gateway.pp

@@ -6,6 +6,5 @@ class roles::infra::mail::gateway {
   }else{
     include profiles::defaults
     include profiles::base
-    include profiles::postfix::gateway
   }
 }