X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/388687b7120815bc61f49de6c5dd0ea793dad67b..22bfa5e6f8152e492f21ae2c972a164474cfdd61:/cookbooks/exim/recipes/default.rb diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb index 6b20f5181..a9f6472e6 100644 --- a/cookbooks/exim/recipes/default.rb +++ b/cookbooks/exim/recipes/default.rb @@ -1,8 +1,8 @@ # -# Cookbook Name:: exim +# Cookbook:: exim # Recipe:: default # -# Copyright 2011, OpenStreetMap Foundation +# Copyright:: 2011, OpenStreetMap Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,6 +17,7 @@ # limitations under the License. # +include_recipe "munin" include_recipe "networking" package %w[ @@ -25,7 +26,9 @@ package %w[ ssl-cert ] -package "exim4-daemon-heavy" if File.exist?("/var/run/clamav/clamd.ctl") +package "exim4-daemon-heavy" do + only_if { ::File.exist?("/var/run/clamav/clamd.ctl") } +end group "ssl-cert" do action :modify @@ -33,21 +36,35 @@ group "ssl-cert" do append true end -openssl_x509_certificate "/etc/ssl/certs/exim.pem" do - key_file "/etc/ssl/private/exim.key" - owner "root" - group "ssl-cert" - mode 0o640 - org "OpenStreetMap" - email "postmaster@openstreetmap.org" - common_name node[:fqdn] - expire 3650 +if node[:exim][:certificate_names] + include_recipe "apache" + + apache_site node[:exim][:certificate_names].first do + template "apache.erb" + variables :aliases => node[:exim][:certificate_names].drop(1) + end + + ssl_certificate node[:exim][:certificate_names].first do + domains node[:exim][:certificate_names] + notifies :restart, "service[exim4]" + end +else + openssl_x509_certificate "/etc/ssl/certs/exim.pem" do + key_file "/etc/ssl/private/exim.key" + owner "root" + group "ssl-cert" + mode 0o640 + org "OpenStreetMap" + email "postmaster@openstreetmap.org" + common_name node[:fqdn] + expire 3650 + notifies :restart, "service[exim4]" + end end service "exim4" do action [:enable, :start] supports :status => true, :restart => true, :reload => true - subscribes :restart, "execute[/etc/ssl/certs/exim.pem]" end relay_to_domains = node[:exim][:relay_to_domains] @@ -62,6 +79,36 @@ if node[:exim][:smarthost_name] search(:node, "exim_smarthost_via:#{node[:exim][:smarthost_name]}\\:*").each do |host| relay_from_hosts |= host.ipaddresses(:role => :external) end + + domains = node[:exim][:certificate_names].select { |c| c =~ /^a\.mx\./ }.collect { |c| c.sub(/^a\.mx./, "") } + primary_domain = domains.first + + directory "/srv/mta-sts.#{primary_domain}" do + owner "root" + group "root" + mode 0o755 + end + + domains.each do |domain| + template "/srv/mta-sts.#{primary_domain}/#{domain}.txt" do + source "mta-sts.erb" + owner "root" + group "root" + mode 0o644 + variables :domain => domain + end + end + + ssl_certificate "mta-sts.#{primary_domain}" do + domains domains.collect { |d| "mta-sts.#{d}" } + notifies :reload, "service[apache2]" + end + + apache_site "mta-sts.#{primary_domain}" do + template "apache-mta-sts.erb" + directory "/srv/mta-sts.#{primary_domain}" + variables :domains => domains + end end file "/etc/exim4/blocked-senders" do @@ -70,6 +117,39 @@ file "/etc/exim4/blocked-senders" do mode 0o644 end +if node[:exim][:dkim_selectors] + keys = data_bag_item("exim", "dkim") + + template "/etc/exim4/dkim-domains" do + owner "root" + source "dkim-domains.erb" + group "Debian-exim" + mode 0o644 + end + + template "/etc/exim4/dkim-selectors" do + owner "root" + source "dkim-selectors.erb" + group "Debian-exim" + mode 0o644 + end + + directory "/etc/exim4/dkim-keys" do + owner "root" + group "Debian-exim" + mode 0o755 + end + + node[:exim][:dkim_selectors].each do |domain, _selector| + file "/etc/exim4/dkim-keys/#{domain}" do + content keys[domain].join("\n") + owner "root" + group "Debian-exim" + mode 0o640 + end + end +end + template "/etc/exim4/exim4.conf" do source "exim4.conf.erb" owner "root" @@ -142,7 +222,7 @@ else end end -if node[:exim][:smarthost_via] # ~FC023 +if node[:exim][:smarthost_via] firewall_rule "deny-outbound-smtp" do action :reject source "fw"