18 Commits

Author SHA1 Message Date
unkinben 528fbe4190 feat: implement dovecot backend server with postfix virtual mailbox integration
- create profiles::dovecot::backend class for IMAPS server configuration
- add virtual mailbox support to profiles::postfix::gateway with enable_dovecot parameter
- restructure common hieradata elements into mail.yaml
- add virtual mailbox and alias map templates with ERB generation
- add comprehensive type validation using Stdlib::Email, Stdlib::Fqdn, Stdlib::IP types
- configure vmail user (UID/GID 5000) with shared storage on /shared/apps/maildata
- update roles::infra::mail::backend to include both dovecot and postfix profiles
2025-11-02 11:53:02 +11:00
unkinben 78adef0eee refactor: recreate profiles::postfix::gateway with parameterization and templates (#416)
- refactor profiles::postfix::gateway as parameterized class
- move base postfix parameters, transports, and virtuals to hiera for flexibility
- convert SMTP restrictions to arrays for better readability using join()
- add postscreen enable/disable boolean with conditional master.cf configuration
- add per-domain TLS policy maps (smtp_tls_policy_maps)
- convert alias_maps to array parameter for flexibility
- convert all postfix map files to ERB templates with parameter hashes
- add map parameters: sender_canonical_maps, sender_access_maps, relay_recipients_maps,
  relay_domains_maps, recipient_canonical_maps, recipient_access_maps, postscreen_access_maps, helo_access_maps
- move default map data to hiera while keeping parameters as empty hashes by default

This approach balances flexibility with data-driven configuration, allowing
easy customization through parameters while keeping transport/virtual maps
and default map data in hiera for role-specific overrides.

Reviewed-on: #416
2025-11-01 17:26:00 +11:00
unkinben 81f289a185 feat: prepare for dovecot deployment (#415)
- add dovecot role
- import dovecot module via r10k

Reviewed-on: #415
2025-11-01 01:01:55 +11:00
unkinben a2a8edb731 feat: implement comprehensive postfix gateway with eFa5 configuration (#414)
- add voxpupuli-postfix module to Puppetfile
- create profiles::postfix::gateway class with config based on efa5
- add master.cf entries for postscreen, smtpd, dnsblog, and tlsproxy services
- create postfix hash files: aliases, access controls, canonical maps
- configure TLS with system PKI certificates and strong cipher suites
- add transport and virtual alias mappings for mail routing

Reviewed-on: #414
2025-11-01 00:43:58 +11:00
unkinben e129d1cf7a feat: add mail::gateway role (#413)
- add a mail::gateway role, more to add later
- enables the build of hosts in this role immedately (config later)

Reviewed-on: #413
2025-10-19 19:09:51 +11:00
unkinben e95a59b88a feat: migrate puppetserver -> openvox-server (#412)
- enable openvox repo
- ensure puppetdb-termini and puppetserver are purged
- set openvox-server as the package to install
- set termini package to openvoxdb-termini

Reviewed-on: #412
2025-10-18 23:49:51 +11:00
unkinben 8bed80eac8 feat: migrate puppetdb -> openvoxdb (#411)
- ensure the puppetdb package is purged before openvoxdb
- ensure the openvoxdb package is installed

Reviewed-on: #411
2025-10-18 21:47:33 +11:00
unkinben 5ba483c68a feat: add ZFS facts to prevent zpool disk changes (#410)
- add zfs_zpools and zfs_datasets facts to detect existing ZFS resources
- skip zpool creation when pools already exist

Reviewed-on: #410
2025-10-18 21:24:33 +11:00
unkinben 766233c3e5 fix: check if zfs-cache exists and isnt empty (#409)
- check the cache file exists, and isnt empty
- resolves idempotence for zpool-import-cache service

Reviewed-on: #409
2025-10-18 21:15:55 +11:00
unkinben 98b866fce7 feat: migrate puppet-agent to openvox (#408)
- change from puppet-agent to openvox-agent
- upgrade version from 7.34 to 7.36
- ensure workflow of: Yumrepo -> dnf-makecache -> Package

Reviewed-on: #408
2025-10-18 19:11:38 +11:00
unkinben e724326d43 feat: allow access to runner certs (#407)
- allow access to runner certs, used for mtls auth to incus

Reviewed-on: #407
2025-10-17 22:46:45 +11:00
unkinben d8b354558d feat: add incus auto-client certificate trust (#406)
- add fact to export vault public cert from agents
- add fact to export list of trusted incus client certs
- add method for incus clients to export their client cert to be trusted

Reviewed-on: #406
2025-10-17 22:46:26 +11:00
unkinben fac90c66db feat: use vault certificates for incus (#405)
- replace default incus certificates with vault-generated ephemeral certificates
- configure incus service to restart on certificate changes

Reviewed-on: #405
2025-10-17 17:22:09 +11:00
unkinben efbbb6bcb1 feat: moderate the k8s install (#403)
- only install a base config
- wait for 3 masters before deploying helm charts
- remove cluster-domain
- manage nginx ingres via rke2 helmconfig

Reviewed-on: #403
2025-10-12 17:50:24 +11:00
unkinben 16e654fdd7 feat: use openbao (#404)
- change vault role to use openbao

Reviewed-on: #404
2025-10-11 20:55:21 +11:00
unkinben 66d8815e16 fix: ensure nginx restarts on certificate changes (#402)
Add hasrestart => true to nginx service in simpleproxy profile to ensure
nginx performs a full restart (not reload) when certificate files change.
This is required because nginx reload does not pick up SSL certificate
changes from disk.

Reviewed-on: #402
2025-09-29 22:38:00 +10:00
unkinben a9c959d924 fix: remove unicode from ceph-csi-yaml (#400)
Reviewed-on: #400
2025-09-21 00:41:06 +10:00
unkinben b224cfb516 fix: cattle-system namespace (#399)
- cattle-system namespace is created earlier than helm
- leave namespaces.yaml to manage cattle-system namespace (required
  before installing helm/rancher)

Reviewed-on: #399
2025-09-21 00:21:41 +10:00
62 changed files with 1176 additions and 691 deletions
+1
View File
@@ -0,0 +1 @@
sources/
+4
View File
@@ -19,6 +19,7 @@ mod 'puppetlabs-haproxy', '8.2.0'
mod 'puppetlabs-java', '11.1.0'
mod 'puppetlabs-reboot', '5.1.0'
mod 'puppetlabs-docker', '10.2.0'
mod 'puppetlabs-mailalias_core', '1.2.0'
# puppet
mod 'puppet-python', '7.4.0'
@@ -43,6 +44,8 @@ mod 'puppet-letsencrypt', '11.1.0'
mod 'puppet-rundeck', '9.2.0'
mod 'puppet-redis', '11.1.0'
mod 'puppet-nodejs', '11.0.0'
mod 'puppet-postfix', '5.1.0'
mod 'puppet-alternatives', '6.0.0'
# other
mod 'saz-sudo', '9.0.2'
@@ -60,6 +63,7 @@ mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'ssm-crypto_policies', '0.3.3'
mod 'thias-sysctl', '1.0.8'
mod 'cirrax-dovecot', '1.3.3'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
+9 -3
View File
@@ -158,6 +158,15 @@ lookup_options:
rke2::config_hash:
merge:
strategy: deep
postfix::configs:
merge:
strategy: deep
postfix::maps:
merge:
strategy: deep
postfix::virtuals:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
@@ -176,9 +185,6 @@ profiles::ntp::client::peers:
- 2.au.pool.ntp.org
- 3.au.pool.ntp.org
profiles::base::puppet_servers:
- 'prodinf01n01.main.unkin.net'
consul::install_method: 'package'
consul::manage_repo: false
consul::bin_dir: /usr/bin
+2 -8
View File
@@ -3,7 +3,8 @@
profiles::firewall::firewalld::ensure_package: 'absent'
profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::puppet_version: '7.34.0'
profiles::puppet::agent::version: '7.37.2'
profiles::puppet::agent::openvox_enable: true
hiera_include:
- profiles::almalinux::base
@@ -53,13 +54,6 @@ profiles::yum::global::repos:
baseurl: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
mirrorlist: absent
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkinben:
name: unkinben
descr: unkinben repository
+1 -1
View File
@@ -11,4 +11,4 @@ profiles::apt::components:
- main
- non-free
profiles::puppet::agent::puppet_version: '7.25.0-1bullseye'
profiles::puppet::agent::version: '7.25.0-1bullseye'
+1 -1
View File
@@ -12,4 +12,4 @@ profiles::apt::components:
- non-free
- non-free-firmware
profiles::puppet::agent::puppet_version: 'latest'
profiles::puppet::agent::version: 'latest'
+3 -1
View File
@@ -2,6 +2,7 @@
hiera_include:
- docker
- profiles::gitea::runner
- incus::client
docker::version: latest
docker::curl_ensure: false
@@ -39,7 +40,8 @@ profiles::gitea::runner::config:
privileged: false
options:
workdir_parent: /workspace
valid_volumes: []
valid_volumes:
- /etc/pki/tls/vault
docker_host: ""
force_pull: true
force_rebuild: false
+1 -1
View File
@@ -1 +1 @@
rke2::node_token: ENC[PKCS7,MIIB2gYJKoZIhvcNAQcDoIIByzCCAccCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAVPo7WjzlJQQhxefhV1bu1/+Jo/LY3gMmVGicDnDloGQd1jbdDtNz9wi6Hqqht1xQPdn22XmvvrVXtPhsdjDCGqWxmfZ0qWQVl1Ju2WIh5WsyyZgdE96k2+y7Cg5Dl0brX2m9YSZfow5BF8J8EnCDdRZncOCtFl/SU8ipPEq2uJJR+Y9sJv6aJflnFLCEYgJNbZY9ljMcs5ssJ21VpIqWYA0Z6vKVqOUeIWWKbYZUIoEml7sj3ktmw3loMYA6ED0/nzyYvRVizTvtGXl3IWGVDSt8rQ/kNhzKqURVOsgwfbt7un4n2Kxkreiydj3R6PbLdkpHdtu25dbjue8HLQkc4zCBnAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQMmIatr2oBei35+evghIkLIBwWT6F1WPDV3PA/QYNusfYcI1KrMRYFlDYyEkg/Tf+0gOpty9rdnYL+MQO2fTU9Br+INTr1oJcxJp/Lqap2+NibmBfZcLUIMn3q1S/jZp9BGQTk6RSwODqQ2x5GxDATinrtiUR4TXIIaiaP3KWlP8A7g==]
rke2::node_token: ENC[PKCS7,MIIB2gYJKoZIhvcNAQcDoIIByzCCAccCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOD+w5nJFqEYWFj+tZQ65Oi19eDhaWtpLQ0gwEdBtMmY9sPJ63l1q2qH933NH6TOd1UlMDvGfoDLCae+yt/MAW//cJ15X3QbiVQ23DdfCOlUEZN6fjVrveEt/yIeFQmWvnkMS4pRfPbgQu2OHm37PpuPE7s6dUyGItAYjchrRhtQ7ibhXDnN7miG+oVRXP2T8b/V5WPdmA222DSV6r/AnqaWkna9W/oh/I2sNKeEm5q3f8bh8Gxt1dDy3VwaZ3lAh3uR+SUm7P/6PTYw8opxiumFBvos0mRiXIdOwUuqrAS8hafWBhxnDLlTBfz62Nc4wQmQ8gz0bHJZSipH9G6mIEDCBnAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ2WG6ROWFlQdXx0TuO5oABoBwTDtAXIj7y6I1B3zCnFoMHETf5d7ulPGdgwZsENf0UIHpg2l0w503MUHHbu6YDFiDiTE0oDNJPVHid7TO+XwWFgh5v1MWi/XeEBgCs6nMCW8qkX0Z3UXaZdSBUll1M4sRtuqscBnoD/LLs2kKfxrqQg==]
-1
View File
@@ -1,2 +1 @@
---
rke2::csi_ceph_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEApQ371O4nGSrFB5tOZFTSJP+kJj3wJyEcWiNfonYA5LmbaMnQ6pUortec1519WHMICpSWdpq3O8frivm2CK3taYoKczeTzbsFTxvVp7s6gIZJUsCeqGHuq81YyjPtJE+Yy5IOBJjhe/8ECkEFNr0JlhwKBPWfTx5hHOzRdkGlN464weGFQtCI8UgdGe7AWEePG+u3e4RL+xCriw5tfuqMeeo+isDwVf30nK9NxsnmliOd/+jNW+GrtzycHAeokQOKnxfgrKll5Y5+npy5WueuSCEw1E+Io0NI/4Jthi7zu24UQu0KT8iRsqhuD5mr1ymvCNREnvCcVWt8VVRTGXQV+TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDS8VXZM3wEAFRALB/Fa19dgDCTRYhU8YY4g9zREP7epY9x2MRWaTT84Jx9w5Dc/XWaRrmL4yL2sK+QHSy2057jHzo=]
+1 -19
View File
@@ -9,29 +9,11 @@ rke2::helm_repos:
harbor: https://helm.goharbor.io
traefik: https://traefik.github.io/charts
hashicorp: https://helm.releases.hashicorp.com
rke2::csi_ceph_enable: true
rke2::csi_ceph_clusterid: de96a98f-3d23-465a-a899-86d3d67edab8
rke2::csi_ceph_poolname: kubernetes
rke2::csi_ceph_monitors:
- 198.18.23.9:6789
- 198.18.23.10:6789
- 198.18.23.11:6789
- 198.18.23.12:6789
- 198.18.23.13:6789
rke2::csi_ceph_files:
- ceph-csi-nodeplugin-rbac
- ceph-csi-provisioner-rbac
- ceph-csi-rbdplugin-provisioner
- ceph-csi-rbdplugin
rke2::csi_ceph_templates:
- ceph-csi-config
- ceph-csi-secret
rke2::extra_config_files:
- rke2-canal-config
- service-loadbalancer-nginx
- rke2-nginx-ingress-config
rke2::config_hash:
advertise-address: "%{hiera('networking_loopback0_ip')}"
cluster-domain: "svc.k8s.unkin.net"
tls-san:
- "join-k8s.service.consul"
- "api-k8s.service.consul"
+20
View File
@@ -0,0 +1,20 @@
---
# Common mail server configuration
# base postfix configuration (passed to postfix class)
postfix::relayhost: 'direct'
postfix::myorigin: 'main.unkin.net'
postfix::manage_aliases: true
# Common postfix virtuals for all mail servers
postfix::virtuals:
'root':
ensure: present
destination: 'ben@main.unkin.net'
'postmaster':
ensure: present
destination: 'ben@main.unkin.net'
'abuse':
ensure: present
destination: 'ben@main.unkin.net'
+87
View File
@@ -0,0 +1,87 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- mail.main.unkin.net
# manage dovecot
dovecot::install::packages:
- dovecot
- dovecot-pgsql
profiles::dovecot::server::maildir_path: "%{hiera('profiles::postfix::gateway::virtual_mailbox_base')}"
#dovecot::config:
# auth.conf:
# values:
# auth_mechanisms: 'plain login'
# auth_username_format: '%Lu'
# auth_default_realm: 'main.unkin.net'
# auth-vmail.conf:
# values:
# passdb: |
# {
# driver = pam
# }
# userdb: |
# {
# driver = passwd
# override_fields = uid=vmail gid=vmail home=/shared/apps/maildata/%u
# }
# mail.conf:
# values:
# mail_plugins: '$mail_plugins'
# namespace inbox: |
# {
# inbox = yes
# location =
# mailbox Drafts {
# special_use = \Drafts
# }
# mailbox Junk {
# special_use = \Junk
# }
# mailbox Sent {
# special_use = \Sent
# }
# mailbox "Sent Messages" {
# special_use = \Sent
# }
# mailbox Trash {
# special_use = \Trash
# }
# }
# sections:
# - name: 'namespace inbox'
# values:
# 'inbox': 'yes'
# 'seperator': '.'
# 'prefix': 'INBOX'
# backend-specific postfix configuration
postfix::mydestination: 'localhost'
postfix::mynetworks: '127.0.0.0/8 [::1]/128 10.10.12.0/24'
postfix::smtp_listen: ['0.0.0.0', '::']
postfix::use_dovecot_lda: true # use built-in dovecot LDA support
postfix::mail_user: 'vmail:vmail'
profiles::postfix::gateway::enable_postscreen: false # disable postscreen (backend doesn't need it)
profiles::postfix::gateway::myhostname: 'mail.main.unkin.net'
profiles::postfix::gateway::enable_dovecot: true # enable dovecot integration
profiles::postfix::gateway::virtual_mailbox_domains:
- 'main.unkin.net'
profiles::postfix::gateway::virtual_mailbox_base: '/shared/apps/maildata'
profiles::postfix::gateway::virtual_mailbox_maps:
'ben@main.unkin.net': 'main.unkin.net/ben/'
'root@main.unkin.net': 'main.unkin.net/ben/'
'postmaster@main.unkin.net': 'main.unkin.net/ben/'
'abuse@main.unkin.net': 'main.unkin.net/ben/'
profiles::postfix::gateway::smtpd_client_restrictions:
- 'permit_mynetworks'
- 'reject_unauth_destination'
profiles::postfix::gateway::smtpd_sender_restrictions:
- 'permit_mynetworks'
- 'reject_non_fqdn_sender'
profiles::postfix::gateway::smtpd_recipient_restrictions:
- 'permit_mynetworks'
- 'reject_non_fqdn_recipient'
- 'reject_unauth_destination'
+34
View File
@@ -0,0 +1,34 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- in-mta.main.unkin.net
# gateway-specific postfix configuration
postfix::mydestination: 'blank'
postfix::mynetworks: '127.0.0.0/8 [::1]/128'
postfix::smtp_listen: '0.0.0.0'
postfix::mta: true
profiles::postfix::gateway::myhostname: 'in-mta.main.unkin.net'
profiles::postfix::gateway::relay_recipients_maps:
'@main.unkin.net': 'OK'
profiles::postfix::gateway::relay_domains_maps:
'main.unkin.net': 'OK'
profiles::postfix::gateway::postscreen_access_maps:
'127.0.0.1/32': 'permit'
'10.10.12.200/32': 'permit'
profiles::postfix::gateway::helo_access_maps:
'.dynamic.': 'REJECT'
'.dialup.': 'REJECT'
'unknown': 'REJECT'
'localhost': 'REJECT You are not localhost'
# postfix transports
postfix::transports:
'main.unkin.net':
ensure: present
destination: 'relay'
nexthop: 'ausyd1nxvm2120.main.unkin.net:25'
+1 -1
View File
@@ -1,3 +1,3 @@
---
profiles::packages::include:
puppetserver: {}
openvox-server: {}
+2 -1
View File
@@ -4,7 +4,8 @@ profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault
profiles::vault::server::manage_storage_dir: true
profiles::vault::server::tls_disable: false
vault::download_url: http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/vault_1.15.5_linux_amd64.zip
vault::package_name: openbao
vault::package_ensure: 2.4.1
# additional altnames
profiles::pki::vault::alt_names:
@@ -0,0 +1,28 @@
# frozen_string_literal: true
# lib/facter/incus_trust_list.rb
require 'json'
Facter.add(:incus_trust_list) do
confine do
# Only run on systems that have incus installed and running
incus_path = Facter::Util::Resolution.which('incus')
incus_path && File.exist?('/var/lib/incus/server.key')
end
setcode do
incus_path = Facter::Util::Resolution.which('incus')
next {} unless incus_path
begin
# Run incus config trust list --format=json
trust_output = Facter::Core::Execution.execute("#{incus_path} config trust list --format=json")
next {} if trust_output.empty?
# Parse the JSON output
JSON.parse(trust_output)
rescue StandardError
{}
end
end
end
+16
View File
@@ -0,0 +1,16 @@
# incus::client
#
# This class configures a host as an incus client and exports its certificate
# for automatic trust management on incus servers.
#
class incus::client {
# Export this client's certificate for collection by incus servers
@@incus::client_cert { $facts['networking']['fqdn']:
hostname => $facts['networking']['fqdn'],
certificate => $facts['vault_cert_content'],
fingerprint => $facts['vault_cert_fingerprint'],
tag => 'incus_client',
}
}
+41
View File
@@ -0,0 +1,41 @@
# Define the exported resource type for incus client certificates
define incus::client_cert (
String $hostname,
Optional[String] $certificate = undef,
Optional[String] $fingerprint = undef,
) {
# Only proceed if we have both certificate and fingerprint
if $certificate and $fingerprint {
$trust_list = $facts['incus_trust_list']
$existing_client = $trust_list.filter |$client| { $client['name'] == $hostname }
if $existing_client.empty {
# Add new certificate
exec { "incus_trust_add_${hostname}":
path => ['/bin', '/usr/bin'],
command => "echo '${certificate}' > /tmp/${hostname}.crt && \
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
rm -f /tmp/${hostname}.crt",
unless => "incus config trust list --format=json | grep '\"name\":\"${hostname}\"'",
}
} else {
# Check if fingerprints are different
$existing_fingerprint = $existing_client[0]['fingerprint']
if $existing_fingerprint != $fingerprint {
# Remove existing and add new certificate only if fingerprints differ
exec { "incus_trust_update_${hostname}":
path => ['/bin', '/usr/bin'],
command => "incus config trust remove ${existing_fingerprint} && \
echo '${certificate}' > /tmp/${hostname}.crt && \
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
rm -f /tmp/${hostname}.crt",
onlyif => "incus config trust list --format=json | grep '${existing_fingerprint}'",
}
}
# If fingerprints match, do nothing (certificate is already correct)
}
}
}
+25
View File
@@ -21,6 +21,10 @@ class incus (
enable => true,
hasstatus => true,
hasrestart => true,
subscribe => [
File['/var/lib/incus/server.crt'],
File['/var/lib/incus/server.key'],
],
}
file_line { 'subuid_root':
@@ -55,6 +59,22 @@ class incus (
}
}
file { '/var/lib/incus/server.crt':
ensure => file,
source => '/etc/pki/tls/vault/certificate.crt',
owner => 'root',
group => 'root',
mode => '0644',
}
file { '/var/lib/incus/server.key':
ensure => file,
source => '/etc/pki/tls/vault/private.key',
owner => 'root',
group => 'root',
mode => '0600',
}
if $facts['incus'] and $facts['incus']['config'] {
# set core.https_address
if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
@@ -72,5 +92,10 @@ class incus (
}
}
}
# Collect exported client certificates and manage trust
Incus::Client_cert <<| tag == 'incus_client' |>> {
require => Service['incus'],
}
}
}
@@ -0,0 +1,11 @@
# frozen_string_literal: true
# lib/facter/vault_cert_content.rb
Facter.add(:vault_cert_content) do
confine kernel: 'Linux'
setcode do
cert_path = '/etc/pki/tls/vault/certificate.crt'
File.read(cert_path) if File.exist?(cert_path) && File.readable?(cert_path)
end
end
@@ -0,0 +1,23 @@
# frozen_string_literal: true
# lib/facter/vault_cert_fingerprint.rb
Facter.add(:vault_cert_fingerprint) do
confine kernel: 'Linux'
setcode do
require 'openssl'
require 'digest'
cert_path = '/etc/pki/tls/vault/certificate.crt'
if File.exist?(cert_path) && File.readable?(cert_path)
begin
cert_content = File.read(cert_path)
cert = OpenSSL::X509::Certificate.new(cert_content)
# Calculate SHA256 fingerprint like incus does
Digest::SHA256.hexdigest(cert.to_der)
rescue StandardError
nil
end
end
end
end
@@ -1,48 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rbd-csi-nodeplugin
namespace: ceph-csi
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-nodeplugin
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["list", "get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-nodeplugin
subjects:
- kind: ServiceAccount
name: rbd-csi-nodeplugin
namespace: ceph-csi
roleRef:
kind: ClusterRole
name: rbd-csi-nodeplugin
apiGroup: rbac.authorization.k8s.io
@@ -1,125 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rbd-csi-provisioner
namespace: ceph-csi
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-external-provisioner-runner
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
verbs: ["update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
verbs: ["get", "list", "watch", "update", "patch", "create"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots/status"]
verbs: ["get", "list", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
- apiGroups: ["groupsnapshot.storage.k8s.io"]
resources: ["volumegroupsnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["groupsnapshot.storage.k8s.io"]
resources: ["volumegroupsnapshotcontents"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["groupsnapshot.storage.k8s.io"]
resources: ["volumegroupsnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: ["replication.storage.openshift.io"]
resources: ["volumegroupreplicationcontents"]
verbs: ["get", "list", "watch"]
- apiGroups: ["replication.storage.openshift.io"]
resources: ["volumegroupreplicationclasses"]
verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-provisioner-role
subjects:
- kind: ServiceAccount
name: rbd-csi-provisioner
namespace: ceph-csi
roleRef:
kind: ClusterRole
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-external-provisioner-cfg
namespace: ceph-csi
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-provisioner-role-cfg
namespace: ceph-csi
subjects:
- kind: ServiceAccount
name: rbd-csi-provisioner
namespace: ceph-csi
roleRef:
kind: Role
name: rbd-external-provisioner-cfg
apiGroup: rbac.authorization.k8s.io
@@ -1,124 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: csi-rbdplugin-provisioner
namespace: ceph-csi
labels:
app: csimetrics
spec:
selector:
app: csirbdpluginprovisioner
ports:
- name: httpmetrics
port: 8080
protocol: TCP
targetPort: 8680
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: csirbdpluginprovisioner
namespace: ceph-csi
spec:
replicas: 3
selector:
matchLabels:
app: csirbdpluginprovisioner
template:
metadata:
labels:
app: csirbdpluginprovisioner
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- csirbdpluginprovisioner
topologyKey: "kubernetes.io/hostname"
serviceAccountName: rbdcsiprovisioner
priorityClassName: systemclustercritical
containers:
- name: csirbdplugin
image: quay.io/cephcsi/cephcsi:v3.15
args:
- "--nodeid=$(NODE_ID)"
- "--type=rbd"
- "--controllerserver=true"
- "--endpoint=$(CSI_ENDPOINT)"
- "--csi-addons-endpoint=$(CSI_ADDONS_ENDPOINT)"
- "--v=5"
- "--drivername=rbd.csi.ceph.com"
- "--pidlimit=-1"
- "--rbdhardmaxclonedepth=8"
- "--rbdsoftmaxclonedepth=4"
- "--enableprofiling=false"
- "--setmetadata=true"
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_ID
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CSI_ENDPOINT
value: unix:///csi/csi-provisioner.sock
- name: CSI_ADDONS_ENDPOINT
value: unix:///csi/csi-addons.sock
imagePullPolicy: IfNotPresent
volumeMounts:
- name: socket-dir
mountPath: /csi
- name: host-dev
mountPath: /dev
- name: host-sys
mountPath: /sys
- name: lib-modules
mountPath: /lib/modules
readOnly: true
- name: ceph-csi-config
mountPath: /etc/ceph-csi-config/
- name: ceph-csi-encryption-kms-config
mountPath: /etc/ceph-csi-encryption-kms-config/
- name: ceph-config
mountPath: /etc/ceph/
- name: keys-tmp-dir
mountPath: /tmp/csi/keys
# snapshotter & other sidecars omitted in this snippet for brevity
volumes:
- name: socket-dir
emptyDir:
medium: Memory
- name: host-dev
hostPath:
path: /dev
- name: host-sys
hostPath:
path: /sys
- name: lib-modules
hostPath:
path: /lib/modules
- name: ceph-csi-config
configMap:
name: ceph-csi-config
- name: ceph-csi-encryption-kms-config
configMap:
name: ceph-csi-encryption-kms-config
- name: ceph-config
configMap:
name: ceph-config
- name: keys-tmp-dir
emptyDir:
medium: Memory
# and other volumes as in the original
-155
View File
@@ -1,155 +0,0 @@
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: csirbdplugin
namespace: ceph-csi
spec:
selector:
matchLabels:
app: csirbdplugin
template:
metadata:
labels:
app: csirbdplugin
spec:
serviceAccountName: rbdcsinodeplugin
hostNetwork: true
hostPID: true
priorityClassName: systemnodecritical
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: csirbdplugin
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
image: quay.io/cephcsi/cephcsi:v3.15
args:
- "--nodeid=$(NODE_ID)"
- "--pluginpath=/var/lib/kubelet/plugins"
- "--stagingpath=/var/lib/kubelet/plugins/kubernetes.io/csi/"
- "--type=rbd"
- "--nodeserver=true"
- "--endpoint=$(CSI_ENDPOINT)"
- "--csi-addons-endpoint=$(CSI_ADDONS_ENDPOINT)"
- "--v=5"
- "--drivername=rbd.csi.ceph.com"
- "--enableprofiling=false"
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_ID
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CSI_ENDPOINT
value: unix:///csi/csi.sock
- name: CSI_ADDONS_ENDPOINT
value: unix:///csi/csi-addons.sock
imagePullPolicy: IfNotPresent
volumeMounts:
- name: socket-dir
mountPath: /csi
- name: host-dev
mountPath: /dev
- name: host-sys
mountPath: /sys
- name: host-mount
mountPath: /run/mount
- name: etc-selinux
mountPath: /etc/selinux
readOnly: true
- name: lib-modules
mountPath: /lib/modules
readOnly: true
- name: plugin-dir
mountPath: /var/lib/kubelet/plugins
mountPropagation: "Bidirectional"
- name: mountpoint-dir
mountPath: /var/lib/kubelet/pods
mountPropagation: "Bidirectional"
- name: keys-tmp-dir
mountPath: /tmp/csi/keys
- name: ceph-logdir
mountPath: /var/log/ceph
- name: ceph-config
mountPath: /etc/ceph/
- name: ceph-csi-config
mountPath: /etc/ceph-csi-config/
- name: ceph-csi-encryption-kms-config
mountPath: /etc/ceph-csi-encryption-kms-config/
- name: oidc-token
mountPath: /run/secrets/tokens
readOnly: true
# possibly sidecars like driverregistrar, liveness, etc.
volumes:
- name: socket-dir
hostPath:
path: /var/lib/kubelet/plugins/rbd.csi.ceph.com
type: DirectoryOrCreate
- name: plugin-dir
hostPath:
path: /var/lib/kubelet/plugins
type: Directory
- name: mountpoint-dir
hostPath:
path: /var/lib/kubelet/pods
type: DirectoryOrCreate
- name: ceph-logdir
hostPath:
path: /var/log/ceph
type: DirectoryOrCreate
- name: host-dev
hostPath:
path: /dev
- name: host-sys
hostPath:
path: /sys
- name: etc-selinux
hostPath:
path: /etc/selinux
type: DirectoryOrCreate
- name: host-mount
hostPath:
path: /run/mount
- name: lib-modules
hostPath:
path: /lib/modules
type: DirectoryOrCreate
- name: ceph-config
configMap:
name: ceph-config
- name: ceph-csi-config
configMap:
name: ceph-csi-config
- name: ceph-csi-encryption-kms-config
configMap:
name: ceph-csi-encryption-kms-config
- name: keys-tmp-dir
emptyDir:
medium: Memory
---
apiVersion: v1
kind: Service
metadata:
name: csi-metrics-rbdplugin
namespace: ceph-csi
labels:
app: csimetrics
spec:
ports:
- name: httpmetrics
port: 8080
protocol: TCP
targetPort: 8680
selector:
app: csirbdplugin
@@ -1,3 +1,4 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
@@ -0,0 +1,20 @@
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-ingress-nginx
namespace: kube-system
spec:
valuesContent: |-
controller:
hostPort:
enabled: false
service:
enabled: true
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerClass: purelb.io/purelb
allocateLoadBalancerNodePorts: false
annotations:
purelb.io/service-group: common
purelb.io/addresses: "198.18.200.0"
@@ -1,41 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: rke2-ingress-nginx-controller
namespace: kube-system
annotations:
purelb.io/service-group: common
spec:
type: LoadBalancer
externalTrafficPolicy: Cluster
ports:
- name: http
port: 80
targetPort: http
protocol: TCP
- name: https
port: 443
targetPort: https
protocol: TCP
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
app.kubernetes.io/instance: rke2-ingress-nginx
loadBalancerIP: 198.18.200.0
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-ingress-nginx
namespace: kube-system
spec:
valuesContent: |-
controller:
hostPort:
enabled: false
service:
enabled: true
type: LoadBalancer
externalTrafficPolicy: Local
annotations:
purelb.io/service-group: common
+39
View File
@@ -0,0 +1,39 @@
# frozen_string_literal: true
require 'json'
require 'open3'
Facter.add(:k8s_masters) do
confine do
File.exist?('/etc/rancher/rke2/rke2.yaml') &&
File.executable?('/usr/bin/kubectl')
end
setcode do
env = { 'KUBECONFIG' => '/etc/rancher/rke2/rke2.yaml' }
cmd = ['/usr/bin/kubectl', 'get', 'nodes', '-o', 'json']
stdout, stderr, status = Open3.capture3(env, *cmd)
if status.success?
json = JSON.parse(stdout)
master_count = json['items'].count do |item|
roles = item.dig('metadata', 'labels') || {}
# Look for well-known labels assigned to control-plane nodes
roles.any? do |key, _|
key =~ %r{node-role\.kubernetes\.io/(control-plane|master|etcd)}
end
end
master_count
else
Facter.debug("kubectl error: #{stderr}")
0
end
rescue StandardError => e
Facter.debug("Exception in k8s_masters fact: #{e.message}")
0
end
end
+2 -38
View File
@@ -7,13 +7,6 @@ class rke2::config (
Stdlib::Fqdn $bootstrap_node = $rke2::bootstrap_node,
String $node_token = $rke2::node_token,
Array[String[1]] $extra_config_files = $rke2::extra_config_files,
Boolean $csi_ceph_enable = $rke2::csi_ceph_enable,
Array[String] $csi_ceph_files = $rke2::csi_ceph_files,
Array[String] $csi_ceph_templates = $rke2::csi_ceph_templates,
Optional[String[1]] $csi_ceph_key = $rke2::csi_ceph_key,
Optional[String[1] ] $csi_ceph_clusterid = $rke2::csi_ceph_clusterid,
Optional[Array[String]] $csi_ceph_monitors = $rke2::csi_ceph_monitors,
Optional[String[1]] $csi_ceph_poolname = $rke2::csi_ceph_poolname,
){
# if its not the bootstrap node, add join path to config
@@ -24,9 +17,7 @@ class rke2::config (
token => $node_token,
} )
}else{
$config = merge($config_hash, {
token => $node_token,
} )
$config = merge($config_hash, {})
}
} elsif $node_type == 'agent' {
$config = merge($config_hash, {
@@ -75,7 +66,7 @@ class rke2::config (
}
# on the controller nodes only
if $node_type == 'server' {
if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 {
# wait for purelb helm to setup namespace
if 'purelb' in $facts['k8s_namespaces'] {
@@ -114,32 +105,5 @@ class rke2::config (
}
}
# manage ceph files
if $csi_ceph_enable {
$csi_ceph_files.each |$file| {
file {"/var/lib/rancher/rke2/server/manifests/${file}.yaml":
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => "puppet:///modules/rke2/${file}.yaml",
require => Service['rke2-server'],
}
}
$csi_ceph_templates.each |$file| {
file {"/var/lib/rancher/rke2/server/manifests/${file}.yaml":
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => template("rke2/${file}.yaml.erb"),
require => Service['rke2-server'],
}
}
}
}
}
+2 -2
View File
@@ -20,8 +20,8 @@ class rke2::helm (
mode => '0755',
}
# on the controller nodes only
if $node_type == 'server' {
# on the controller nodes only, and after 3 master nodes exist
if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 {
# check if the repo already exists
$helm_repos.each | String $repo, Stdlib::HTTPSUrl $url | {
-7
View File
@@ -12,13 +12,6 @@ class rke2 (
Hash $helm_repos = $rke2::params::helm_repos,
Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
Boolean $csi_ceph_enable = $rke2::params::csi_ceph_enable,
Array[String] $csi_ceph_files = $rke2::params::csi_ceph_files,
Array[String] $csi_ceph_templates = $rke2::params::csi_ceph_templates,
Optional[String[1]] $csi_ceph_key = $rke2::params::csi_ceph_key,
Optional[String[1] ] $csi_ceph_clusterid = $rke2::params::csi_ceph_clusterid,
Optional[Array[String]] $csi_ceph_monitors = $rke2::params::csi_ceph_monitors,
Optional[String[1]] $csi_ceph_poolname = $rke2::params::csi_ceph_poolname,
) inherits rke2::params {
include rke2::install
-7
View File
@@ -12,11 +12,4 @@ class rke2::params (
Hash $helm_repos = {},
Array[String[1]] $extra_config_files = [],
Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
Boolean $csi_ceph_enable = false,
Array[String] $csi_ceph_files = [],
Array[String] $csi_ceph_templates = [],
Optional[String[1]] $csi_ceph_key = undef,
Optional[String[1] ] $csi_ceph_clusterid = undef,
Optional[Array[String]] $csi_ceph_monitors = undef,
Optional[String[1]] $csi_ceph_poolname = undef,
) {}
@@ -1,65 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ceph-csi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ceph-csi-config
namespace: ceph-csi
data:
config.json: |-
[
{
"clusterID": "<%= @csi_ceph_clusterid %>",
"monitors": [
<% @csi_ceph_monitors.each_with_index do |mon, index| -%>
"<%= mon %>"<% if index < @csi_ceph_monitors.length - 1 %>,<% end %>
<% end -%>
]
}
]
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ceph-csi-encryption-kms-config
namespace: ceph-csi
data:
config.json: |-
{}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ceph-config
namespace: ceph-csi
data:
ceph.conf: |
[global]
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
keyring: |
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: csi-rbd-sc
provisioner: rbd.csi.ceph.com
parameters:
clusterID: <%= @csi_ceph_clusterid %>
pool: <%= @csi_ceph_poolname %>
imageFeatures: layering
csi.storage.k8s.io/provisioner-secret-name: csi-rbd-secret
csi.storage.k8s.io/provisioner-secret-namespace: ceph-csi
csi.storage.k8s.io/controller-expand-secret-name: csi-rbd-secret
csi.storage.k8s.io/controller-expand-secret-namespace: ceph-csi
csi.storage.k8s.io/node-stage-secret-name: csi-rbd-secret
csi.storage.k8s.io/node-stage-secret-namespace: ceph-csi
reclaimPolicy: Delete
allowVolumeExpansion: true
mountOptions:
- discard
@@ -1,10 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: csi-rbd-secret
namespace: ceph-csi
stringData:
userID: kubernetes
userKey: <%= @csi_ceph_key %>
+19
View File
@@ -0,0 +1,19 @@
# frozen_string_literal: true
Facter.add(:zfs_datasets) do
confine kernel: 'Linux'
setcode do
datasets = []
if Facter::Core::Execution.which('zfs')
begin
output = Facter::Core::Execution.execute('zfs list -H -o name 2>/dev/null', on_fail: nil)
datasets = output.strip.split("\n") if output && !output.empty?
rescue StandardError => e
Facter.debug("Error getting zfs dataset information: #{e.message}")
end
end
datasets.empty? ? nil : datasets
end
end
@@ -3,7 +3,8 @@
Facter.add('zfs_zpool_cache_present') do
confine kernel: 'Linux'
setcode do
File.exist?('/etc/zfs/zpool.cache')
cache_file = '/etc/zfs/zpool.cache'
File.exist?(cache_file) && File.size(cache_file).positive?
end
end
+19
View File
@@ -0,0 +1,19 @@
# frozen_string_literal: true
Facter.add(:zfs_zpools) do
confine kernel: 'Linux'
setcode do
zpools = []
if Facter::Core::Execution.which('zpool')
begin
output = Facter::Core::Execution.execute('zpool list -H -o name 2>/dev/null', on_fail: nil)
zpools = output.strip.split("\n") if output && !output.empty?
rescue StandardError => e
Facter.debug("Error getting zpool information: #{e.message}")
end
end
zpools.empty? ? nil : zpools
end
end
+5 -2
View File
@@ -38,8 +38,11 @@ class zfs (
# create zpools
$zpools.each | $zpool, $data | {
zpool { $zpool:
* => $data
# Only create zpool if it doesn't already exist
if $facts['zfs_zpools'] == undef or !($zpool in $facts['zfs_zpools']) {
zpool { $zpool:
* => $data
}
}
}
@@ -0,0 +1,54 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
postmaster: root
# Many mailers use this address to represent the empty SMTP return path
MAILER-DAEMON: postmaster
# Common aliases for system accounts.
bin: root
daemon: root
games: root
ingres: root
nobody: root
system: root
toor: root
foo: root
falken: root
# Well-known aliases.
admin: root
manager: root
dumper: root
operator: root
# traps to catch security attacks
decode: root
moof: root
moog: root
# Standard aliases also defined by RFC 2142
abuse: postmaster
# reports of network infrastructure difficulties
noc: root
# address to report secuirty problems
security: root
# DNS administrator (DNS soa records should use this)
hostmaster: root
# Usenet news service administrator
news: usenet
usenet: root
# http/web service administrator
www: webmaster
webmaster: root
# UUCP service administrator
uucp: root
# FTP administrator (especially anon FTP)
ftp: root
+2 -8
View File
@@ -1,7 +1,5 @@
# this is the base class, which will be used by all servers
class profiles::base (
Array $puppet_servers,
) {
class profiles::base () {
# run a limited set of classes on the first run aimed at bootstrapping the new node
if $facts['firstrun'] {
@@ -13,11 +11,7 @@ class profiles::base (
# manage the puppet agent
include profiles::puppet::agent
# manage puppet clients
if ! member($puppet_servers, $trusted['certname']) {
include profiles::puppet::client
}
include profiles::puppet::client
# include the base profiles
include profiles::base::repos
+1
View File
@@ -11,6 +11,7 @@ class profiles::defaults {
ensure => present,
require => [
Class['profiles::base::repos'],
Exec['dnf_makecache'],
]
}
+99
View File
@@ -0,0 +1,99 @@
class profiles::dovecot::server (
Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_key_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_ca_file = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
Stdlib::Absolutepath $maildir_path = '/var/vmail',
String $maildir_var = '%d/%n',
String $hostname = $trusted['certname'],
Array[String] $listen = ['*', '::'],
Array[String] $protocols = ['imap'],
) {
# Ensure the maildata directory exists
file { $maildir_path:
ensure => directory,
owner => 'vmail',
group => 'vmail',
mode => '0755',
}
# Create vmail user for dovecot
user { 'vmail':
ensure => present,
uid => 5000,
gid => 5000,
home => $maildir_path,
shell => '/usr/sbin/nologin',
managehome => false,
system => true,
}
group { 'vmail':
ensure => present,
gid => 5000,
system => true,
}
# Main dovecot configuration
$main_config = {
values => {
'listen' => join($listen, ', '),
'protocols' => join($protocols, ' '),
'default_login_user' => 'vmail',
'default_internal_user' => 'vmail',
'first_valid_uid' => '5000',
'last_valid_uid' => '5000',
'first_valid_gid' => '5000',
'last_valid_gid' => '5000',
'mail_uid' => 'vmail',
'mail_gid' => 'vmail',
'mail_location' => "maildir:${maildir_path}/${maildir_var}/Maildir",
'login_trusted_networks' => '10.0.0.0/8 127.0.0.0/8 [::1]/128',
'disable_plaintext_auth' => 'no',
'auth_mechanisms' => 'cram-md5 plain login',
'ssl' => 'required',
'ssl_cert' => $tls_cert_file,
'ssl_key' => $tls_key_file,
'ssl_ca' => $tls_ca_file,
'ssl_min_protocol' => 'TLSv1.2',
'ssl_cipher_list' => join([
'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES',
'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
], ':'),
'ssl_prefer_server_ciphers' => 'yes',
},
sections => [
{
name => 'passdb',
values => {
'driver' => 'passwd-file',
'args' => 'scheme=CRAM-MD5 username_format=%u /etc/dovecot/users',
},
},
{
name => 'userdb',
values => {
'driver' => 'static',
'args' => "uid=vmail gid=vmail home=${maildir_path}/${maildir_var}",
},
},
],
}
# # Postfix smtp-auth
# unix_listener /var/spool/postfix/private/auth {
# mode = 0666
# user = postfix
# group = postfix
# }
# Configure dovecot
class { 'dovecot':
main_config => $main_config,
include_sysdefault => false,
require => [User['vmail'], Group['vmail'], File[$maildir_path]],
}
}
+4 -3
View File
@@ -136,9 +136,10 @@ class profiles::nginx::simpleproxy (
}
service { 'nginx':
ensure => true,
enable => true,
subscribe => [
ensure => true,
enable => true,
hasrestart => true,
subscribe => [
File[$selected_ssl_cert],
File[$selected_ssl_key],
Nginx::Resource::Server[$nginx_vhost]
+392
View File
@@ -0,0 +1,392 @@
class profiles::postfix::gateway (
Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_key_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_ca_file = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
String $myhostname = $trusted['certname'],
String $message_size_limit = '133169152',
String $mailbox_size_limit = '133169152',
String $local_transport = 'error:No local mail delivery',
Boolean $enable_postscreen = true,
Array[String] $alias_maps = [
'hash:/etc/aliases',
'hash:/etc/postfix/aliases',
],
Array[String] $postscreen_dnsbl_sites = [
'zen.spamhaus.org*3',
'b.barracudacentral.org=127.0.0.[2..11]*2',
'bl.spameatingmonkey.net*2',
'bl.spamcop.net',
'dnsbl.sorbs.net',
'swl.spamhaus.org*-4',
'list.dnswl.org=127.[0..255].[0..255].0*-2',
'list.dnswl.org=127.[0..255].[0..255].1*-4',
'list.dnswl.org=127.[0..255].[0..255].[2..3]*-6',
],
Array[String] $smtpd_client_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_rbl_client zen.spamhaus.org',
],
Array[String] $smtpd_sender_restrictions = [
'permit_sasl_authenticated',
'check_sender_access hash:/etc/postfix/sender_access',
'reject_non_fqdn_sender',
'reject_unknown_sender_domain',
],
Array[String] $smtpd_recipient_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_unauth_destination',
'reject_non_fqdn_recipient',
'reject_unknown_recipient_domain',
'check_recipient_access hash:/etc/postfix/recipient_access',
'reject_unverified_recipient',
],
Array[String] $smtpd_relay_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_unauth_destination',
],
Hash[Stdlib::Fqdn, String] $smtp_tls_policy_maps = {},
Hash[String, String] $sender_canonical_maps = {},
Hash[Stdlib::Email, String] $sender_access_maps = {},
Hash[String, String] $relay_recipients_maps = {},
Hash[Stdlib::Fqdn, String] $relay_domains_maps = {},
Hash[String, String] $recipient_canonical_maps = {},
Hash[Stdlib::Email, String] $recipient_access_maps = {},
Hash[Variant[Stdlib::IP::Address, Stdlib::IP::Address::CIDR], String] $postscreen_access_maps = {},
Hash[String, String] $helo_access_maps = {},
Hash[Stdlib::Email, String] $virtual_mailbox_maps = {},
Hash[Variant[Stdlib::Email, Pattern[/^@.+$/]], Stdlib::Email] $virtual_alias_maps = {},
# Dovecot integration
Boolean $enable_dovecot = false,
Array[Stdlib::Fqdn] $virtual_mailbox_domains = [],
String $virtual_uid_maps = 'static:5000',
String $virtual_gid_maps = 'static:5000',
Stdlib::Absolutepath $virtual_mailbox_base = '/var/vmail',
String $virtual_transport = 'dovecot',
) {
$alias_maps_string = join($alias_maps, ', ')
# Set master.cf configuration based on postscreen setting
if $enable_postscreen {
$master_smtp = 'smtp inet n - n - 1 postscreen'
$master_entries = [
'smtpd pass - - n - - smtpd',
'dnsblog unix - - n - 0 dnsblog',
'tlsproxy unix - - n - 0 tlsproxy',
]
$postscreen_configs = {
'postscreen_access_list' => {
'value' => 'permit_mynetworks, cidr:/etc/postfix/postscreen_access'
},
'postscreen_blacklist_action' => {
'value' => 'enforce'
},
'postscreen_cache_map' => {
'value' => 'btree:$data_directory/postscreen_cache'
},
'postscreen_dnsbl_action' => {
'value' => 'enforce'
},
'postscreen_dnsbl_sites' => {
'value' => join($postscreen_dnsbl_sites, ', ')
},
'postscreen_dnsbl_threshold' => {
'value' => '2'
},
'postscreen_greet_action' => {
'value' => 'enforce'
},
'postscreen_greet_banner' => {
'value' => '$smtpd_banner'
},
'postscreen_greet_wait' => {
'value' => "\${stress?2}\${stress:6}s"
},
}
} else {
$master_smtp = undef
$master_entries = []
$postscreen_configs = {}
}
# Base postfix configuration
$base_configs = {
'alias_database' => {
'value' => $alias_maps_string
},
'default_destination_recipient_limit' => {
'value' => '1'
},
'disable_vrfy_command' => {
'value' => 'yes'
},
'enable_long_queue_ids' => {
'value' => 'yes'
},
'error_notice_recipient' => {
'value' => 'root'
},
'header_checks' => {
'value' => 'regexp:/etc/postfix/header_checks'
},
'local_recipient_maps' => {
'ensure' => 'blank'
},
'local_transport' => {
'value' => $local_transport
},
'mailbox_size_limit' => {
'value' => $mailbox_size_limit
},
'message_size_limit' => {
'value' => $message_size_limit
},
'myhostname' => {
'value' => $myhostname
},
'non_smtpd_milters' => {
'ensure' => 'blank'
},
'qmqpd_authorized_clients' => {
'value' => '127.0.0.1 [::1]'
},
'recipient_canonical_maps' => {
'value' => 'hash:/etc/postfix/recipient_canonical'
},
'recipient_delimiter' => {
'value' => '+'
},
'relay_domains' => {
'value' => 'hash:/etc/postfix/relay_domains'
},
'relay_recipient_maps' => {
'value' => 'hash:/etc/postfix/relay_recipients'
},
'sender_canonical_maps' => {
'value' => 'hash:/etc/postfix/sender_canonical'
},
'smtp_tls_CAfile' => {
'value' => $tls_ca_file
},
'smtp_tls_mandatory_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtp_tls_note_starttls_offer' => {
'value' => 'yes'
},
'smtp_tls_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtp_tls_security_level' => {
'value' => 'may'
},
'smtp_tls_session_cache_database' => {
'value' => 'btree:/var/lib/postfix/smtp_tls_session_cache'
},
'smtp_use_tls' => {
'value' => 'yes'
},
'smtpd_banner' => {
'value' => '$myhostname ESMTP $mail_name'
},
'smtpd_client_restrictions' => {
'value' => join($smtpd_client_restrictions, ', ')
},
'smtpd_data_restrictions' => {
'value' => 'reject_unauth_pipelining'
},
'smtpd_delay_reject' => {
'value' => 'yes'
},
'smtpd_discard_ehlo_keywords' => {
'value' => 'chunking, silent-discard'
},
'smtpd_forbid_bare_newline' => {
'value' => 'yes'
},
'smtpd_forbid_bare_newline_exclusions' => {
'value' => '$mynetworks'
},
'smtpd_forbid_unauth_pipelining' => {
'value' => 'yes'
},
'smtpd_helo_required' => {
'value' => 'yes'
},
'smtpd_helo_restrictions' => {
'value' => 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname'
},
'smtpd_milters' => {
'value' => 'inet:127.0.0.1:33333'
},
'smtpd_recipient_restrictions' => {
'value' => join($smtpd_recipient_restrictions, ', ')
},
'smtpd_relay_restrictions' => {
'value' => join($smtpd_relay_restrictions, ', ')
},
'smtpd_sender_restrictions' => {
'value' => join($smtpd_sender_restrictions, ', ')
},
'smtpd_tls_CAfile' => {
'value' => $tls_ca_file
},
'smtpd_tls_cert_file' => {
'value' => $tls_cert_file
},
'smtpd_tls_ciphers' => {
'value' => 'medium'
},
'smtpd_tls_key_file' => {
'value' => $tls_key_file
},
'smtpd_tls_loglevel' => {
'value' => '1'
},
'smtpd_tls_mandatory_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtpd_tls_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtpd_tls_received_header' => {
'value' => 'yes'
},
'smtpd_tls_security_level' => {
'value' => 'may'
},
'smtpd_tls_session_cache_database' => {
'value' => 'btree:/var/lib/postfix/smtpd_tls_session_cache'
},
'smtpd_tls_session_cache_timeout' => {
'value' => '3600s'
},
'smtpd_use_tls' => {
'value' => 'yes'
},
'tls_medium_cipherlist' => {
'value' => join([
'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES',
'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
], ':')
},
'tls_preempt_cipherlist' => {
'value' => 'yes'
},
'tls_random_source' => {
'value' => 'dev:/dev/urandom'
},
'unverified_recipient_reject_code' => {
'value' => '550'
},
'unverified_recipient_reject_reason' => {
'value' => 'No user at this address'
},
'smtp_tls_policy_maps' => {
'value' => 'hash:/etc/postfix/smtp_tls_policy_maps'
},
}
# Postfix maps (all using templates now)
$postfix_maps = {
'postscreen_access' => {
'ensure' => 'present',
'type' => 'cidr',
'content' => template('profiles/postfix/gateway/postscreen_access.erb')
},
'relay_recipients' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/relay_recipients.erb')
},
'relay_domains' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/relay_domains.erb')
},
'aliases' => {
'ensure' => 'present',
'type' => 'hash',
'source' => 'puppet:///modules/profiles/postfix/gateway/aliases'
},
'helo_access' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/helo_access.erb')
},
'sender_access' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/sender_access.erb')
},
'recipient_access' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/recipient_access.erb')
},
'recipient_canonical' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/recipient_canonical.erb')
},
'sender_canonical' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/sender_canonical.erb')
},
'smtp_tls_policy_maps' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/smtp_tls_policy_maps.erb')
},
'virtual_mailbox_maps' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/virtual_mailbox_maps.erb')
},
'virtual_alias_maps' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/virtual_alias_maps.erb')
},
}
if $enable_dovecot {
postfix::config {
'virtual_mailbox_domains': value => join($virtual_mailbox_domains, ', ');
'virtual_mailbox_maps': value => 'hash:/etc/postfix/virtual_mailbox_maps';
'virtual_alias_maps': value => 'hash:/etc/postfix/virtual_alias_maps';
'virtual_uid_maps': value => $virtual_uid_maps;
'virtual_gid_maps': value => $virtual_gid_maps;
'virtual_mailbox_base': value => $virtual_mailbox_base;
'virtual_transport': value => $virtual_transport;
'home_mailbox': value => "${virtual_mailbox_base}/%d/%n/Maildir";
}
} else {
postfix::config {
'virtual_mailbox_domains': ensure => 'absent';
'virtual_mailbox_maps': ensure => 'absent';
'virtual_uid_maps': ensure => 'absent';
'virtual_gid_maps': ensure => 'absent';
'virtual_mailbox_base': ensure => 'absent';
'virtual_transport': ensure => 'absent';
'home_mailbox': ensure => 'absent';
}
}
# Merge base configs with postscreen configs
$all_configs = $base_configs + $postscreen_configs
class { 'postfix':
master_smtp => $master_smtp,
master_entries => $master_entries,
alias_maps => $alias_maps_string,
configs => $all_configs,
maps => $postfix_maps,
}
}
+47 -17
View File
@@ -1,37 +1,68 @@
# profiles::puppet::agent
# This class manages Puppet agent package and service.
class profiles::puppet::agent (
String $puppet_version = 'latest',
String $version = 'latest',
Boolean $openvox_enable = false,
) {
# if puppet-version is anything other than latest, set a versionlock
$puppet_versionlock_ensure = $puppet_version ? {
# set openvox package, yumrepo, service
if $openvox_enable {
$use_package = 'openvox-agent'
$use_yumrepo = 'openvox'
$use_service = 'puppet'
}else{
$use_package = 'puppet-agent'
$use_yumrepo = 'puppet'
$use_service = 'puppet'
}
# manage the yumrepo for the given package
if $openvox_enable and $facts['os']['family'] == 'RedHat' {
yumrepo { 'openvox':
ensure => 'present',
baseurl => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/",
descr => 'openvox repository',
gpgkey => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/GPG-KEY-openvox.pub",
notify => Exec['dnf_makecache'],
}
}else{
yumrepo { 'puppet':
ensure => 'present',
baseurl => "https://packagerepo.service.consul/puppet7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/",
descr => 'puppet repository',
gpgkey => "https://packagerepo.service.consul/puppet7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/RPM-GPG-KEY-puppet-20250406",
notify => Exec['dnf_makecache'],
}
}
# if agent-version is anything other than latest, set a versionlock
$agent_versionlock_ensure = $version ? {
'latest' => 'absent',
default => 'present',
}
$puppet_versionlock_version = $puppet_version ? {
$agent_versionlock_version = $version ? {
'latest' => undef,
default => $puppet_version,
default => $version,
}
case $facts['os']['family'] {
'RedHat': {
# Ensure the puppet-agent package is installed and locked to a specific version
package { 'puppet-agent':
ensure => $puppet_version,
require => Yumrepo['puppet'],
# Ensure the agent package is installed and locked to a specific version
package { $use_package:
ensure => $version,
require => Yumrepo[$use_yumrepo],
}
# versionlock puppet-agent
yum::versionlock{'puppet-agent':
ensure => $puppet_versionlock_ensure,
version => $puppet_versionlock_version,
yum::versionlock{$use_package:
ensure => $agent_versionlock_ensure,
version => $agent_versionlock_version,
}
}
'Debian': {
# Ensure the puppet-agent package is installed and locked to a specific version
package { 'puppet-agent':
ensure => $puppet_version,
package { $use_package:
ensure => $version,
require => Class['profiles::apt::puppet7'],
}
}
@@ -39,12 +70,11 @@ class profiles::puppet::agent (
}
# Ensure the puppet service is running
service { 'puppet':
service { $use_service:
ensure => 'running',
enable => true,
hasrestart => true,
require => Package['puppet-agent'],
require => Package[$use_package],
}
}
@@ -26,6 +26,12 @@ class profiles::puppet::puppetdb_api (
before => Class['puppetdb::server'],
}
# cleanup puppetdb first, this isnt replaced by openvoxdb (conflicts)
package { 'puppetdb':
ensure => 'purged',
before => Class['puppetdb::server'],
}
class { 'puppetdb::server':
manage_firewall => false,
ssl_listen_address => $listen_address,
@@ -44,6 +50,7 @@ class profiles::puppet::puppetdb_api (
database_name => $database_name,
database_password => Sensitive($database_password),
database_validate => $database_validate,
puppetdb_package => 'openvoxdb',
}
contain ::puppetdb::server
+12 -1
View File
@@ -20,12 +20,23 @@ class profiles::puppet::puppetmaster (
include profiles::puppet::puppetca
include profiles::puppet::eyaml
# migration to openvox, cleanup puppetserver/puppetdb-termini
package {'puppetdb-termini':
ensure => purged,
before => Package['openvoxdb-termini'],
}
package {'puppetserver':
ensure => purged,
before => Package['openvox-server'],
}
class { 'puppetdb::master::config':
puppetdb_server => $puppetdb_host,
manage_storeconfigs => false,
terminus_package => 'openvoxdb-termini',
}
Package['puppetserver']
Package['openvox-server']
-> Class['profiles::puppet::gems']
-> Class['profiles::puppet::r10k']
-> Class['profiles::puppet::g10k']
+3
View File
@@ -55,4 +55,7 @@ class profiles::yum::global (
# setup dnf-autoupdate
include profiles::yum::autoupdater
# ensure dnf makecache runs before packages
Yumrepo <| |> -> Exec['dnf_makecache'] -> Package <| |>
}
@@ -0,0 +1,11 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on HELO/EHLO hostnames to block spam patterns
# HELO/EHLO access controls
# Format: pattern action
# Example: .dynamic.example.com REJECT
# Example: localhost REJECT You are not localhost
<% @helo_access_maps.each do |pattern, action| -%>
<%= pattern %> <%= action %>
<% end -%>
@@ -0,0 +1,10 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls which IP addresses/networks are allowed through postscreen
# Postscreen access controls (CIDR format)
# Format: network/mask action
# Example: 192.168.1.0/24 permit
<% @postscreen_access_maps.each do |network, action| -%>
<%= network %> <%= action %>
<% end -%>
@@ -0,0 +1,11 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on recipient email addresses or domains
# Recipient access controls
# Format: recipient_pattern action
# Example: @example.com OK
# Example: admin@foo.net REJECT
<% @recipient_access_maps.each do |recipient, action| -%>
<%= recipient %> <%= action %>
<% end -%>
@@ -0,0 +1,10 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Rewrites recipient addresses before delivery (address normalization)
# Recipient canonical address mapping
# Format: original_address canonical_address
# Example: user@olddomain.com user@example.com
<% @recipient_canonical_maps.each do |original, canonical| -%>
<%= original %> <%= canonical %>
<% end -%>
@@ -0,0 +1,10 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines which domains are allowed for mail relaying
# Relay domains control
# Format: domain action
# Example: example.com OK
<% @relay_domains_maps.each do |domain, action| -%>
<%= domain %> <%= action %>
<% end -%>
@@ -0,0 +1,10 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines which recipient addresses are allowed for mail relaying
# Relay recipients control
# Format: recipient_pattern action
# Example: @example.com OK
<% @relay_recipients_maps.each do |recipient, action| -%>
<%= recipient %> <%= action %>
<% end -%>
@@ -0,0 +1,11 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on sender email addresses or domains
# Sender access controls
# Format: sender_pattern action
# Example: spammer@foo.net REJECT
# Example: @badspammer.com REJECT
<% @sender_access_maps.each do |sender, action| -%>
<%= sender %> <%= action %>
<% end -%>
@@ -0,0 +1,10 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Rewrites sender addresses before sending (address masquerading)
# Sender canonical address mapping
# Format: original_address canonical_address
# Example: user@internal.local user@example.com
<% @sender_canonical_maps.each do |original, canonical| -%>
<%= original %> <%= canonical %>
<% end -%>
@@ -0,0 +1,11 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Enforces TLS security policies for outbound mail per destination domain
# SMTP TLS policy map for outbound connections
# Format: destination policy
# Example: gmail.com encrypt
# Example: secure-bank.example.com secure
<% @smtp_tls_policy_maps.each do |destination, policy| -%>
<%= destination %> <%= policy %>
<% end -%>
@@ -0,0 +1,9 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines virtual alias mappings
# Maps email addresses or patterns to target addresses
# Format: alias@foo.net real@corp.foo.net
<% @virtual_alias_maps.each do |source, target| -%>
<%= source %> <%= target %>
<% end -%>
@@ -0,0 +1,9 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines virtual mailbox mappings for dovecot delivery
# Maps email addresses to maildir paths
# Format: user@domain maildir/path/
<% @virtual_mailbox_maps.each do |email, path| -%>
<%= email %> <%= path %>
<% end -%>
@@ -0,0 +1,12 @@
# a role to deploy a imap/pop3 backend for mail services
class roles::infra::mail::backend {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::dovecot::server
include profiles::postfix::gateway
}
}
@@ -0,0 +1,11 @@
# a role to deploy a dmz mx gateway for mail services
class roles::infra::mail::gateway {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::postfix::gateway
}
}