Fully working opensmtp anisble/vultr provisioning

sumdog · Jul 29, 2018 · 0715507 · 0715507
1 parent 3f0409d
commit 0715507
Show file tree

Hide file tree

Showing 13 changed files with 82 additions and 27 deletions.
diff --git a/ansible/openbsd-mail.yml b/ansible/openbsd-mail.yml
@@ -7,7 +7,7 @@
   roles:
     - root-password
     - private-net
+    - ipv6
     - openbsd-basic
     - openbsd-email
-    - ipv6
     - firewall
diff --git a/ansible/roles/firewall/templates/pf.conf-freebsd.j2 b/ansible/roles/firewall/templates/pf.conf-freebsd.j2
@@ -2,6 +2,8 @@
 
 block all
 
+pass in quick on vtnet0 inet6 proto ipv6-icmp
+
 # allow all from host itself
 pass out inet all keep state
 pass out inet6 all keep state

diff --git a/ansible/roles/firewall/templates/pf.conf-openbsd.j2 b/ansible/roles/firewall/templates/pf.conf-openbsd.j2
@@ -4,6 +4,8 @@ set skip on lo
 
 block all
 
+pass in quick on egress inet6 proto ipv6-icmp
+
 # allow all from host itself
 pass out inet all keep state
 pass out inet6 all keep state
@@ -13,6 +15,7 @@ pass in on egress proto tcp from any to any port http
 pass in on egress proto tcp from any to any port smtp
 pass in on egress proto tcp from any to any port smtps
 pass in on egress proto tcp from any to any port submission
+pass in on egress proto tcp from any to any port imap
 pass in on egress proto tcp from any to any port imaps
 
 # Port build user does not need network

diff --git a/ansible/roles/openbsd-basic/tasks/main.yml b/ansible/roles/openbsd-basic/tasks/main.yml
@@ -7,16 +7,32 @@
     name: colorls
     state: present
 
+- name: Install nice to have packages
+  openbsd_pkg:
+    name: "{{ item }}"
+    state: present
+  with_items: ['colorls', 'vim--no_x11', 'fish']
+
+- name: Set Kernel open file limits
+  command: sysctl kern.maxfiles=20000
+
+- name: Kernel open file limits on reboots
+  copy:
+    content: "kern.maxfiles=20000"
+    dest: /etc/sysctl.conf
+    force: no
+
 - name: Setup colorls alias
   lineinfile:
-    dest: /root/.profile
+    dest: "{{ item }}"
     line: "alias ls='colorls -FGa'"
     regexp: "^alias ls='colorls -FGa'$"
     state: present
     insertafter: EOF
     create: True
+  with_items: ['/root/.profile', '/root/.config/fish/config.fish']
 
-- name: Install vim
-  openbsd_pkg:
-    name: vim--no_x11
-    state: present
+- name: Set Root to Fish Shell
+  user:
+    name: root
+    shell: /usr/local/bin/fish
diff --git a/ansible/roles/openbsd-email/handlers/main.yml b/ansible/roles/openbsd-email/handlers/main.yml
@@ -14,3 +14,5 @@
   command: rcctl restart smtpd
 - name: Reload dovecot
   command: rcctl restart dovecot
+- name: rebuild login.conf
+  command: cap_mkdb /etc/login.conf
diff --git a/ansible/roles/openbsd-email/tasks/dovecot.yml b/ansible/roles/openbsd-email/tasks/dovecot.yml
@@ -7,6 +7,16 @@
       - { regexp: "^#?ssl_key =", line: "ssl_key = <{{ tls_key }}" }
   notify: Reload dovecot
 
+- name: Increase file limits for dovecot
+  blockinfile:
+    path: /etc/login.conf
+    block: |
+       dovecot:\
+                :openfiles-cur=20000:\
+                :openfiles-max=20000:\
+                :tc=daemon:
+  notify: rebuild login.conf
+
 - name: Dovecot Mail storage configuration
   lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf regexp="^#?mail_location" line="mail_location = maildir:~/Mail"
   notify: Reload dovecot

diff --git a/ansible/roles/openbsd-email/tasks/main.yml b/ansible/roles/openbsd-email/tasks/main.yml
@@ -26,6 +26,7 @@
 - name: Added e-mail users to system
   user:
     name: "{{ item }}"
+    shell: /usr/local/bin/fish
   with_items: "{{ users.keys() | list }}"
 
 - name: Setup Procmail for users
@@ -49,8 +50,8 @@
 
 - name: Enable Services
   command: "rcctl enable {{ item }}"
-  with_items: ['freshclam', 'clamd', 'cron', 'clamsmtpd', 'dkimproxy_out', 'spampd_custom', 'smtpd', 'dovecot']
+  with_items: ['freshclam', 'clamd', 'cron', 'clamsmtpd', 'dkimproxy_out', 'smtpd', 'dovecot']
 
 - name: Start Services
   command: "/etc/rc.d/{{ item }} start"
-  with_items: ['freshclam', 'clamd', 'cron', 'clamsmtpd', 'dkimproxy_out', 'spampd_custom', 'smtpd', 'dovecot']
+  with_items: ['freshclam', 'clamd', 'cron', 'clamsmtpd', 'dkimproxy_out', 'spampd', 'smtpd', 'dovecot']
diff --git a/ansible/roles/openbsd-email/tasks/spam.yml b/ansible/roles/openbsd-email/tasks/spam.yml
@@ -2,6 +2,18 @@
 - name: Setup assassin
   template: src=spamassassin-local.cf.j2 dest=/etc/mail/spamassassin/local.cf
 
-- name: Custom SpamPD RC Script
-  template: src=spampd_custom.j2 dest=/etc/rc.d/spampd_custom mode=0755
+- name: Setup RC Flags for spampd
+  lineinfile:
+      dest: /etc/rc.conf.local
+      regexp: ^spampd_flags
+      line: "spampd_flags=\"--port={{ ports.spampd_in }} --relayhost=127.0.0.1:{{ ports.spampd_return }} --tagall -pid=/var/spampd/spampd.pid -aw\""
+      create: Yes
   notify: Reload spampd
+
+- name: Certbot Cron
+  cron:
+    cron_file: /etc/crontab
+    user: root
+    name: "start spampd"
+    special_time: "reboot"
+    job: "/etc/rc.d/spampd start"
diff --git a/ansible/roles/openbsd-email/templates/get_certs.sh.j2 b/ansible/roles/openbsd-email/templates/get_certs.sh.j2
@@ -2,5 +2,5 @@
 
 /usr/local/bin/certbot certonly --standalone --preferred-challenges http \
    --http-01-port 80 --agree-tos --renew-by-default --non-interactive \
-   --email {{ cert_email }} -d {{ mx }} --staging \
+   --email {{ cert_email }} -d {{ mx }} \
    --deploy-hook /usr/local/bin/certbot-deploy-hook.sh
diff --git a/ansible/roles/openbsd-email/templates/smtpd.conf.j2 b/ansible/roles/openbsd-email/templates/smtpd.conf.j2
@@ -5,15 +5,16 @@ table vdoms  "{{ vdoms_file }}"
 table vusers "{{ vusers_file }}"
 
 listen on lo0 port {{ ports.spampd_return}} tag SPAMD
-listen on lo0 port {{ ports.clam_return }} tag CLAM_IN
+listen on lo0 port {{ ports.clam_return }} tag CLAM
+listen on lo0 port {{ ports.dkim_return }} tag DKIM
 
 listen on egress port smtp tls pki {{ mx }}
 listen on egress port 465 smtps pki {{ mx }}
 listen on egress port submission tls-require pki {{ mx }} auth
 
-accept tagged CLAM_IN for domain <vdoms> virtual <vusers> deliver to mda "procmail -f -"
-#accept tagged CLAM_IN for any deliver to maildir
+accept tagged CLAM for domain <vdoms> virtual <vusers> deliver to mda "procmail -f -"
 accept tagged SPAMD for any relay via "smtp://127.0.0.1:{{ ports.clam_in }}"
 accept from any for domain <vdoms> relay via "smtp://127.0.0.1:{{ ports.spampd_in }}"
 
-accept from local for any relay
+accept tagged DKIM for any relay hostname {{ mx }}
+accept from local for any relay via smtp://127.0.0.1:{{ ports.dkim_in }}
diff --git a/ansible/roles/openbsd-email/templates/spampd_custom.j2 b/ansible/roles/openbsd-email/templates/spampd_custom.j2
diff --git a/ansible/roles/openbsd-email/vars/main.yml b/ansible/roles/openbsd-email/vars/main.yml
@@ -13,7 +13,7 @@ domains_csv: "{{ domains | join(', ') }}"
 local_dkim_key: "../{{ servers[ansible_hostname].mail.dkim_private }}"
 cert_script: /usr/local/bin/get_certs
 tls_key: /etc/letsencrypt/live/{{ mx }}/privkey.pem
-tls_cert: /etc/letsencrypt/live/{{ mx }}/chain.pem
+tls_cert: /etc/letsencrypt/live/{{ mx }}/fullchain.pem
 ports:
   spampd_in: 10025
   clam_in: 10026

diff --git a/lib/vultr.rb b/lib/vultr.rb
@@ -136,7 +136,7 @@ def write_inventory
   end
 
   private def dns_update_check(r)
-    current = request('GET', 'dns/records', {'domain' => r['domain']}).find{ |c| c['type'] == r['type'] and c['name'] == r['name'] }
+    current = request('GET', 'dns/records', {'domain' => r['domain']}).find{ |c| c['type'] == r['type'] and c['name'] == r['name'] and c['data'] == r['data'] }
     msg = "Domain: #{r['domain']}, Name: #{r['name']}, Type: #{r['type']}"
     if current.nil?
       request('POST', 'dns/create_record', r)
@@ -169,10 +169,25 @@ def mail_dns()
       # reverse DNS
       subid = @state['servers'][server]['SUBID']
       ipv4 = @state['servers'][server]['ipv4']['addr']
-      ipv6 = @state['servers'][server]['ipv6']['addr']
-      @log.info("Creating Reverse DNS for Mail records #{ipv4}/#{ipv6} to #{config['mail']['mx']}")
+
+      # Get Vult's auto assigned IPv6 Address, and our reserved on
+      rec = domain_records([config['mail']['mx']]).first
+      request('GET', 'server/list_ipv6', { 'SUBID' => subid })[subid].each { |addrs|
+        # This is really hacky. I hate how Vultr assigns you an IPv6 Address you cannot remove.
+        # For mail and only mail servers, we create a AAAA records for both of the IPs.
+
+        @log.info("Creating/Updating AAAA mail server record for IPv6 #{addrs['ip']} :: #{rec[1].first}.#{rec[0]} AAAA")
+        dns_update_check({'domain' => rec[0], 'name' => rec[1].first, 'type' => 'AAAA', 'data' => addrs['ip'] })
+
+        @log.info("Creating Reverse DNS for Mail records #{addrs['ip']} to #{config['mail']['mx']}")
+        request('POST', 'server/reverse_set_ipv6', { 'SUBID' => subid, 'ip' => addrs['ip'], 'entry' => config['mail']['mx']})
+      }
+
+      @log.info("Creating/Updating A mail server record for IPv4 #{ipv4} :: #{rec[1].first}.#{rec[0]} ")
+      dns_update_check({'domain' => rec[0], 'name' => rec[1].first, 'type' => 'A', 'data' => ipv4 })
+
+      @log.info("Creating Reverse DNS for Mail records #{ipv4} to #{config['mail']['mx']}")
       request('POST', 'server/reverse_set_ipv4', { 'SUBID' => subid, 'ip' => ipv4, 'entry' => config['mail']['mx']})
-      request('POST', 'server/reverse_set_ipv6', { 'SUBID' => subid, 'ip' => ipv6, 'entry' => config['mail']['mx']})
 
       dkim_key = OpenSSL::PKey::RSA.new(File.read(config['mail']['dkim_private']))
       b64_key = Base64.strict_encode64(dkim_key.public_key.to_der)