forked from linux-system-roles/postfix
Commit
Use the firewall role and the selinux role from the postfix role (linux-system-roles#56)

* Use the firewall role and the selinux role from the postfix role
  - Introduce postfix_manage_firewall to use the firewall role to manage the smtp services. Default to false - means the firewall role is not used.
  - Introduce postfix_manage_selinux to use the selinux role to manage the ports in the smtp services. Assign smtp_port_t to the smtp service ports. Default to false - means the selinux role is not used.
  - Add the test check task tasks/check_firewall_selinux.yml to verify the ports status.
  - Add meta/collection-requirements.yml.
* Updated the requirements section for fedora.linux_system_roles.
Showing 11 changed files with 210 additions and 6 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# SPDX-License-Identifier: MIT | ||
collections: | ||
- fedora.linux_system_roles |
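Review bot: no version constraint is declared for fedora.linux_system_roles, so the tasks that include fedora.linux_system_roles.firewall and fedora.linux_system_roles.selinux will run against whatever collection version happens to be installed. If the role relies on specific firewall/selinux role behaviour (for example the `selinux_ports` entries with a `local` key), state the minimum supported version here and in the README requirements section the commit message mentions, so an older collection fails early instead of misconfiguring the host.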
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# SPDX-License-Identifier: MIT | ||
--- | ||
- name: Ensure the postfix ports status with the firewall role | ||
include_role: | ||
name: fedora.linux_system_roles.firewall | ||
vars: | ||
firewall: | ||
- {'service': 'smtp', 'state': 'enabled' } | ||
- {'service': 'smtps', 'state': 'enabled' } | ||
- {'service': 'smtp-submission', 'state': 'enabled' } | ||
when: | ||
- postfix_manage_firewall | bool | ||
- ansible_facts['os_family'] == 'RedHat' | ||
- ansible_facts['distribution_version'] is version('7', '>=') |
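Review bot: the platform gate `ansible_facts['os_family'] == 'RedHat'` plus `distribution_version is version('7', '>=')` is repeated verbatim in tasks/selinux.yml and tests/check_firewall_selinux.yml; compute it once into a role variable (for example in vars/ or an early set_fact) and reference that, so the three copies cannot drift apart. Also, when `postfix_manage_firewall` is true on a non-RedHat host the include is skipped silently; a `debug` or `fail` in the else case would tell the user the flag had no effect rather than leaving the SMTP ports unmanaged without notice.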
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
# SPDX-License-Identifier: MIT | ||
--- | ||
- block: | ||
- block: | ||
- name: Get the smtp related tcp service ports | ||
shell: |- | ||
set -euo pipefail | ||
firewall-cmd --info-service="{{ item }}" | \ | ||
egrep " +ports: +" | sed -e "s/ *ports: //" | ||
register: __ports | ||
changed_when: false | ||
loop: | ||
- "smtp" | ||
- "smtps" | ||
- "smtp-submission" | ||
|
||
- name: Initialize _postfix_selinux | ||
set_fact: | ||
_postfix_selinux: [] | ||
|
||
- name: Add the smtp related service ports to _postfix_selinux | ||
set_fact: | ||
_postfix_selinux: "{{ _postfix_selinux + | ||
[{'ports': _pair[0], 'proto': _pair[1], 'setype': 'smtp_port_t', | ||
'state': 'present', 'local': 'true'}] }}" | ||
vars: | ||
_pair: "{{ item.stdout.split('/') | list }}" | ||
when: | ||
- _pair | length > 0 | ||
loop: "{{ __ports.results }}" | ||
|
||
when: | ||
- postfix_manage_firewall | bool | ||
- ansible_facts['os_family'] == 'RedHat' | ||
- ansible_facts['distribution_version'] is version('7', '>=') | ||
|
||
- name: "Set hardcoded ports to _postfix_selinux for | ||
no firewall or rhel-6 or not redhat" | ||
set_fact: | ||
_postfix_selinux: | ||
- {'ports': 25, 'proto': 'tcp', 'setype': 'smtp_port_t', | ||
'state': 'present', 'local': 'true'} | ||
- {'ports': 465, 'proto': 'tcp', 'setype': 'smtp_port_t', | ||
'state': 'present', 'local': 'true'} | ||
- {'ports': 587, 'proto': 'tcp', 'setype': 'smtp_port_t', | ||
'state': 'present', 'local': 'true'} | ||
when: | ||
- (not postfix_manage_firewall | bool) or | ||
(ansible_facts['os_family'] != 'RedHat') or | ||
(ansible_facts['distribution_version'] is version('7', '<')) | ||
|
||
- name: Ensure the service and the ports status with the selinux role | ||
include_role: | ||
name: fedora.linux_system_roles.selinux | ||
vars: | ||
selinux_ports: "{{ _postfix_selinux }}" | ||
when: | ||
- postfix_manage_selinux | bool |
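Review bot: the port parsing in "Add the smtp related service ports to _postfix_selinux" assumes each firewalld service reports exactly one `port/proto` pair: `item.stdout.split('/')` on an output such as `25/tcp 2525/tcp` (a locally customized service) yields `['25', 'tcp 2525', 'tcp']`, which would label a bogus port for smtp_port_t, and the guard `_pair | length > 0` is always true because `split` returns at least one element even for empty stdout. Split the stdout on whitespace first, loop over each pair, and gate on `item.stdout | length > 0` instead. Under `set -euo pipefail`, `egrep` exiting 1 when no `ports:` line matches also fails the whole task rather than yielding an empty result; decide whether that should be fatal or handled with `failed_when`. Minor: `egrep` is deprecated in favour of `grep -E`, and `'local': 'true'` is a string where a YAML boolean `true` is clearer if the selinux role treats it as one.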
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
# SPDX-License-Identifier: MIT | ||
--- | ||
# Assume firewalld and selinux are not manually configured. | ||
- block: | ||
- name: Get the firewall services | ||
shell: |- | ||
set -euo pipefail | ||
firewall-cmd --list-services | ||
register: __services | ||
changed_when: false | ||
|
||
- name: Assert the expected services are configured | ||
assert: | ||
that: "'{{ item }}' in {{ __service_list }}" | ||
vars: | ||
__service_list: "{{ __services.stdout.split(' ') }}" | ||
loop: | ||
- "smtp" | ||
- "smtps" | ||
- "smtp-submission" | ||
when: | ||
- postfix_manage_firewall | bool | ||
- ansible_facts['os_family'] == 'RedHat' | ||
- ansible_facts['distribution_version'] is version('7', '>=') | ||
|
||
- block: | ||
- name: Ensure smtp ports are retrieved | ||
assert: | ||
that: "{{ _postfix_selinux | length > 0 }}" | ||
|
||
- name: Check associated selinux | ||
shell: |- | ||
set -euo pipefail | ||
semanage port --list -C | grep "smtp_port_t" | \ | ||
grep "{{ item['proto'] }}" | grep "{{ item['ports'] }}" | ||
changed_when: false | ||
loop: "{{ _postfix_selinux }}" | ||
when: | ||
- postfix_manage_selinux | bool |
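Review bot: both assertions template Jinja into `that`, which is already evaluated as an expression: `that: "'{{ item }}' in {{ __service_list }}"` and `that: "{{ _postfix_selinux | length > 0 }}"`. Write them as `that: item in __service_list` and `that: _postfix_selinux | length > 0`; the double templating also breaks if a service name ever contains a quote. `__services.stdout.split(' ')` should be `split()` so a trailing or doubled space does not produce empty entries. In "Check associated selinux", `grep "{{ item['ports'] }}"` is unanchored, so port `25` also matches a line showing `2525`; anchor the port with a word-boundary pattern or parse the `semanage` output into a list and compare it to `_postfix_selinux` directly.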
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,15 @@ | ||
- name: Ensure that the rule runs with default parameters | ||
hosts: all | ||
gather_facts: false | ||
roles: | ||
- linux-system-roles.postfix | ||
|
||
tasks: | ||
- name: Run the postfix role | ||
include_role: | ||
name: linux-system-roles.postfix | ||
public: true | ||
vars: | ||
postfix_manage_firewall: true | ||
postfix_manage_selinux: true | ||
|
||
- name: Check firewall and selinux status | ||
include_tasks: check_firewall_selinux.yml |
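Review bot: `gather_facts: false` is kept, yet the new tasks/firewall.yml and tasks/selinux.yml gate on `ansible_facts['os_family']` and `ansible_facts['distribution_version']`; this only works if the role gathers those facts itself before reaching them, so confirm it does or enable fact gathering in this test. More importantly, `postfix_manage_firewall` and `postfix_manage_selinux` are set as task-level `vars:` on the include_role, and `public: true` exports the role's defaults, not the task's vars; `check_firewall_selinux.yml` may therefore see the role default of false for both flags and skip every check without failing. Setting the two flags at play `vars:` level removes the ambiguity. Also, the play now runs the role twice (once in `roles:` with defaults, once in `tasks:` with both flags); if the first run is intentional for default coverage, say so in the play name.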