From 3f0409df1dcde2a0c75adf2ea23f778414a0eccf Mon Sep 17 00:00:00 2001
From: Sumit Khanna
Date: Sun, 8 Jul 2018 22:52:08 -0500
Subject: [PATCH] OpenBSD e-mail on startup
---
 ansible/openbsd-mail.yml | 5 +++--
 ansible/roles/ipv6/handler/main.yml | 2 ++
 ansible/roles/ipv6/tasks/main.yml | 17 +++++++++++++++++
 ansible/roles/ipv6/vars/main.yml | 2 ++
 ansible/roles/openbsd-basic/tasks/main.yml | 9 ++++-----
 ansible/roles/openbsd-email/tasks/clamav.yml | 3 ++-
 ansible/roles/openbsd-email/tasks/main.yml | 6 +++++-
 ansible/roles/openbsd-email/tasks/spam.yml | 9 +++------
 .../openbsd-email/templates/get_certs.sh.j2 | 3 ++-
 .../openbsd-email/templates/spampd_custom.j2 | 7 +++++++
 ansible/roles/openbsd-email/vars/main.yml | 2 +-
 lib/vultr.rb | 18 +++++++++++++-----
 12 files changed, 61 insertions(+), 22 deletions(-)
 create mode 100644 ansible/roles/ipv6/handler/main.yml
 create mode 100644 ansible/roles/ipv6/tasks/main.yml
 create mode 100644 ansible/roles/ipv6/vars/main.yml
 create mode 100644 ansible/roles/openbsd-email/templates/spampd_custom.j2
diff --git a/ansible/openbsd-mail.yml b/ansible/openbsd-mail.yml
index b01f133..29da921 100644
--- a/ansible/openbsd-mail.yml
+++ b/ansible/openbsd-mail.yml
@@ -7,6 +7,7 @@
 roles:
 - root-password
 - private-net
- - firewall
 - openbsd-basic
- - openbsd-email
\ No newline at end of file
+ - openbsd-email
+ - ipv6
+ - firewall
diff --git a/ansible/roles/ipv6/handler/main.yml b/ansible/roles/ipv6/handler/main.yml
new file mode 100644
index 0000000..4b6d213
--- /dev/null
+++ b/ansible/roles/ipv6/handler/main.yml
@@ -0,0 +1,2 @@
+- name: run netstart
+ command: sh /etc/netstart
diff --git a/ansible/roles/ipv6/tasks/main.yml b/ansible/roles/ipv6/tasks/main.yml
new file mode 100644
index 0000000..1356d5d
--- /dev/null
+++ b/ansible/roles/ipv6/tasks/main.yml
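Review bot: Moving `firewall` to the end of the role list puts it after `openbsd-email`, which in this same commit gains a "Start Services" task, so on a fresh host smtpd, dovecot and the other daemons are already listening before the firewall role has run. If that role is what loads the pf ruleset (not visible here), the first provisioning run leaves those services unfiltered for the rest of the play, and a failure in `ipv6` leaves them that way permanently. Keeping `firewall` ahead of `openbsd-basic`, with `ipv6` notifying a pf reload instead, keeps the ruleset in place for the whole run.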
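Review bot: The handler is created at `ansible/roles/ipv6/handler/main.yml`, but Ansible only loads role handlers from a directory named `handlers/`, so the `notify: run netstart` in the ipv6 tasks will fail at runtime with an undefined-handler error. Rename the directory to `ansible/roles/ipv6/handlers/main.yml`. Separately, `sh /etc/netstart` with no argument reconfigures every interface on the host; `command: sh /etc/netstart vio0` limits the restart to the interface the task actually edits.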
@@ -0,0 +1,17 @@
+---
+# - name: FreeBSD IPv6
+# block:
+# - set_fact: private_eth=vtnet1
+# - include_tasks: freebsd.yml
+# when: ansible_distribution == 'FreeBSD'
+- name: Load State for IPv6
+ include_vars:
+ file: "{{ provisioner_state_file }}"
+ name: state
+
+- name: OpenBSD IPv6
+ lineinfile:
+ dest: /etc/hostname.vio0
+ regexp: ^inet6 alias"
+ line: "inet6 alias {{ ipv6_alias }} 64"
+ notify: run netstart
diff --git a/ansible/roles/ipv6/vars/main.yml b/ansible/roles/ipv6/vars/main.yml
new file mode 100644
index 0000000..20bcf26
--- /dev/null
+++ b/ansible/roles/ipv6/vars/main.yml
@@ -0,0 +1,2 @@
+provisioner_state_file: "../{{ provisioner.state_file }}"
+ipv6_alias: "{{ state.servers[ansible_hostname].ipv6.addr }}"
diff --git a/ansible/roles/openbsd-basic/tasks/main.yml b/ansible/roles/openbsd-basic/tasks/main.yml
index 9e32c92..1a65848 100644
--- a/ansible/roles/openbsd-basic/tasks/main.yml
+++ b/ansible/roles/openbsd-basic/tasks/main.yml
@@ -16,8 +16,7 @@
 insertafter: EOF
 create: True
-# - name: Install tools
-# openbsd_pkg:
-# name: "{{ item }}"
-# state: present
-# with_items: ['vim']
+- name: Install vim
+ openbsd_pkg:
+ name: vim--no_x11
+ state: present
diff --git a/ansible/roles/openbsd-email/tasks/clamav.yml b/ansible/roles/openbsd-email/tasks/clamav.yml
index 02cf1ff..ab538ac 100644
--- a/ansible/roles/openbsd-email/tasks/clamav.yml
+++ b/ansible/roles/openbsd-email/tasks/clamav.yml
@@ -5,7 +5,8 @@
 - name: Run Freshcalm if there's no AV database
 command: /usr/local/bin/freshclam
- creates: /var/db/clamav/main.cvd
+ args:
+ creates: /var/db/clamav/main.cvd
 - name: Create Clamsmtpd RC script
 template: src=clamsmtpd.rc dest=/etc/rc.d/clamsmtpd mode=0555
diff --git a/ansible/roles/openbsd-email/tasks/main.yml b/ansible/roles/openbsd-email/tasks/main.yml
index 0d8c552..747e45a 100644
--- a/ansible/roles/openbsd-email/tasks/main.yml
+++ b/ansible/roles/openbsd-email/tasks/main.yml
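Review bot: `regexp: ^inet6 alias"` carries a stray trailing double quote, so the pattern literally requires a `"` after `alias` and never matches the line the task writes; `lineinfile` will therefore append a fresh `inet6 alias ...` line to `/etc/hostname.vio0` on every run instead of replacing the previous one. Quote the whole value instead: `regexp: '^inet6 alias'`. The interface in `dest: /etc/hostname.vio0` is hard-coded while the commented FreeBSD block above reaches for a `private_eth` fact; a `{{ ipv6_iface | default('vio0') }}` variable would keep the role portable across VM types. The collapsed diff does not show whether `notify: run netstart` sits at task level or under `lineinfile:`; it must be at task level, otherwise the module rejects it as an unknown argument.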
@@ -49,4 +49,8 @@
 - name: Enable Services
 command: "rcctl enable {{ item }}"
- with_items: ['freshclam', 'clamd', 'cron', 'clamsmtpd', 'dkimproxy_out', 'spampd', 'smtpd', 'dovecot']
+ with_items: ['freshclam', 'clamd', 'cron', 'clamsmtpd', 'dkimproxy_out', 'spampd_custom', 'smtpd', 'dovecot']
+
+- name: Start Services
+ command: "/etc/rc.d/{{ item }} start"
+ with_items: ['freshclam', 'clamd', 'cron', 'clamsmtpd', 'dkimproxy_out', 'spampd_custom', 'smtpd', 'dovecot']
diff --git a/ansible/roles/openbsd-email/tasks/spam.yml b/ansible/roles/openbsd-email/tasks/spam.yml
index b2ffae8..24f1a7b 100644
--- a/ansible/roles/openbsd-email/tasks/spam.yml
+++ b/ansible/roles/openbsd-email/tasks/spam.yml
@@ -1,10 +1,7 @@
+---
 - name: Setup assassin
 template: src=spamassassin-local.cf.j2 dest=/etc/mail/spamassassin/local.cf
-- name: Setup RC Flags for spampd
- lineinfile:
- dest: /etc/rc.conf.local
- regexp: ^spampd_flags
- line: "spampd_flags=\"--port={{ ports.spampd_in }} --relayhost=127.0.0.1:{{ ports.spampd_return }} --tagall -aw\""
- create: Yes
+- name: Custom SpamPD RC Script
+ template: src=spampd_custom.j2 dest=/etc/rc.d/spampd_custom mode=0755
 notify: Reload spampd
diff --git a/ansible/roles/openbsd-email/templates/get_certs.sh.j2 b/ansible/roles/openbsd-email/templates/get_certs.sh.j2
index 37485aa..d85c516 100644
--- a/ansible/roles/openbsd-email/templates/get_certs.sh.j2
+++ b/ansible/roles/openbsd-email/templates/get_certs.sh.j2
@@ -2,4 +2,5 @@
 /usr/local/bin/certbot certonly --standalone --preferred-challenges http \
 --http-01-port 80 --agree-tos --renew-by-default --non-interactive \
- --email {{ cert_email }} -d {{ mx }} --deploy-hook /usr/local/bin/certbot-deploy-hook.sh
+ --email {{ cert_email }} -d {{ mx }} --staging \
+ --deploy-hook /usr/local/bin/certbot-deploy-hook.sh
diff --git a/ansible/roles/openbsd-email/templates/spampd_custom.j2 b/ansible/roles/openbsd-email/templates/spampd_custom.j2
new file mode 100644
index 0000000..5abd829
--- /dev/null
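Review bot: The new "Start Services" task runs `/etc/rc.d/{{ item }} start` unconditionally, so every play reports eight changed items and re-issues start against daemons that are already up; `service: name={{ item }} state=started`, which drives rcctl on OpenBSD, is idempotent and only acts when the daemon is down. The service list is now copied verbatim between the enable and start tasks; hoisting it into a single variable such as `mail_services` in `vars/main.yml` stops the two from drifting, which is exactly what the `spampd` to `spampd_custom` rename here invites. On a host provisioned with the previous revision the stock `spampd` stays enabled in rc.conf.local because nothing in this commit (here or in spam.yml) disables it, so both daemons may contend for `ports.spampd_in` at boot; a `rcctl disable spampd` task, or a `rcctl ls on` check, would make the migration explicit.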
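Review bot: The retained `notify: Reload spampd` now hangs off the rc-script template, but that handler is defined outside this hunk and, judging by its name, restarts `spampd`; if it does not target `spampd_custom`, a changed template is written but the running daemon is never restarted with the new flags. The new script is installed with `mode=0755` while the sibling task in clamav.yml installs `/etc/rc.d/clamsmtpd` with `mode=0555`, matching the stock `/etc/rc.d` scripts; use `mode=0555` here as well so the rc script is not writable by its owner. The old `spampd_flags` line in `/etc/rc.conf.local` is also left in place on existing hosts; an `absent` lineinfile task for it would complete the removal.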
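Review bot: `--staging` makes certbot obtain the certificate from the Let's Encrypt staging CA, whose root is not trusted by any client, so the key and chain that `tls_key`/`tls_cert` in vars/main.yml point at will fail verification in mail clients and in any peer MTA that validates the server certificate. If this is intended for testing, gate it on a variable so production playbooks cannot ship it, e.g. `{% if certbot_staging | default(false) %}--staging {% endif %}\` before the `--deploy-hook` line; if it was left in by accident, drop it before merge. Note that switching back to production later relies on `--renew-by-default`, which the script already passes, to replace the staging certificate.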
+++ b/ansible/roles/openbsd-email/templates/spampd_custom.j2
@@ -0,0 +1,7 @@
+#!/bin/ksh
+
+daemon="/usr/local/sbin/spampd --port={{ ports.spampd_in }} --relayhost=127.0.0.1:{{ ports.spampd_return }} --tagall -aw"
+
+. /etc/rc.d/rc.subr
+
+rc_cmd $1
diff --git a/ansible/roles/openbsd-email/vars/main.yml b/ansible/roles/openbsd-email/vars/main.yml
index 60b4343..1f3bb5c 100644
--- a/ansible/roles/openbsd-email/vars/main.yml
+++ b/ansible/roles/openbsd-email/vars/main.yml
@@ -10,7 +10,7 @@ cert_email: "{{ servers[ansible_hostname].mail.cert_email }}"
 vusers_file: /etc/mail/vusers
 vdoms_file: /etc/mail/vdomains
 domains_csv: "{{ domains | join(', ') }}"
-local_dkim_key: "{{ servers[ansible_hostname].mail.dkim_private }}"
+local_dkim_key: "../{{ servers[ansible_hostname].mail.dkim_private }}"
 cert_script: /usr/local/bin/get_certs
 tls_key: /etc/letsencrypt/live/{{ mx }}/privkey.pem
 tls_cert: /etc/letsencrypt/live/{{ mx }}/chain.pem
diff --git a/lib/vultr.rb b/lib/vultr.rb
index 9646ab9..9361dae 100644
--- a/lib/vultr.rb
+++ b/lib/vultr.rb
@@ -5,6 +5,8 @@
 require 'uri'
 require 'cgi'
 require 'json'
+require 'openssl'
+require 'base64'
 class VultrProvisioner
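Review bot: The command-line options are embedded in `daemon=` instead of `daemon_flags=`, which is the variable rc.subr(8) and rcctl(8) manage; with the flags baked into `daemon`, `rcctl set spampd_custom flags ...` cannot replace them, only add to them, and `rcctl get spampd_custom flags` reports nothing. Split the assignment into `daemon="/usr/local/sbin/spampd"` and `daemon_flags="--port={{ ports.spampd_in }} --relayhost=127.0.0.1:{{ ports.spampd_return }} --tagall -aw"`. The rest of the script (`. /etc/rc.d/rc.subr`, `rc_cmd $1`) follows the stock template and is fine as written.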
@@ -172,11 +174,15 @@ def mail_dns()
 request('POST', 'server/reverse_set_ipv4', { 'SUBID' => subid, 'ip' => ipv4, 'entry' => config['mail']['mx']})
 request('POST', 'server/reverse_set_ipv6', { 'SUBID' => subid, 'ip' => ipv6, 'entry' => config['mail']['mx']})
+ dkim_key = OpenSSL::PKey::RSA.new(File.read(config['mail']['dkim_private']))
+ b64_key = Base64.strict_encode64(dkim_key.public_key.to_der)
+ dkim_dns = "k=rsa; t=s; p=#{b64_key}"
+
 config['mail']['domains'].each { |domain|
 [
- {'domain' => domain, 'name' => 'mail', 'type' => 'MX', 'data' => config['mail']['mx'], 'priority' => 10 },
+ {'domain' => domain, 'name' => '', 'type' => 'MX', 'data' => config['mail']['mx'], 'priority' => 10 },
 {'domain' => domain, 'name' => '_dmarc', 'type' => 'TXT', 'data' => "\"#{config['mail']['dmarc']}\"" },
- {'domain' => domain, 'name' => 'dkim1._domainkey', 'type' => 'TXT', 'data' => "\"#{config['mail']['dkim']}\"" },
+ {'domain' => domain, 'name' => 'dkim1._domainkey', 'type' => 'TXT', 'data' => "\"#{dkim_dns}\"" },
 {'domain' => domain, 'name' => '', 'type' => 'TXT', 'data' => "\"#{config['mail']['spf']}\"" }
 ].each { |d|
 @log.info("Creating/Updating Mail Record #{d['name']}.#{d['domain']} #{d['type']} #{d['data']}")
@@ -226,9 +232,11 @@ def update_dns
 domain_records(records).each { |domain, subdomains|
 request('GET', 'dns/records', {'domain' => domain}, -> {
 @log.info("Domain #{domain} exists")
-
- dns_update_check({'domain' => domain, 'name' => '', 'type' => 'A', 'data' => ipv4 })
- dns_update_check({'domain' => domain, 'name' => '', 'type' => 'AAAA', 'data' => ipv6 })
+ if ds_type == 'web'
+ dns_update_check({'domain' => domain, 'name' => '', 'type' => 'A', 'data' => ipv4 })
+ dns_update_check({'domain' => domain, 'name' => '', 'type' => 'AAAA', 'data' => ipv6 })
+ create_subdomains(['www'], domain, config, ['ipv4', 'ipv6-web'])
+ end
 create_subdomains(subdomains, domain, config, typ_cfg)
 }, 412, -> {
 @log.info("No records for #{domain}. Creating Base Record.")
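Review bot: `dkim_dns` builds one flat string from the base64 SubjectPublicKeyInfo, and for a 2048-bit RSA key the `p=` tag alone is roughly 390 characters, so the TXT value exceeds the 255-octet limit of a single DNS character-string; whether the `dns/records` endpoint splits it or rejects it is not visible here and should be verified, since a truncated record silently fails every DKIM signature. The selector `dkim1` and the `t=s` flag are hard-coded; `t=s` is a sensible default but deserves a why-comment, e.g. `# t=s: the signing i= domain must equal d= exactly (no subdomains)`. `File.read(config['mail']['dkim_private'])` reads the private key only to derive its public half, which is fine, but the same state value now appears to be consumed by the Ansible side with a `../` prefix, so the two callers may resolve it against different working directories. mail_dns begins before this hunk.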
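Review bot: The apex `A`/`AAAA` records are now only maintained when `ds_type == 'web'`, but `ds_type` is not assigned anywhere in this hunk, so it must come from earlier in update_dns (not visible); if it is a per-call value rather than per-domain, every domain in `domain_records(records)` gets the same treatment regardless of its own type. For non-web domains the existing-domain path no longer touches the apex records while the `412` branch below still announces "Creating Base Record", so first and subsequent runs may diverge; worth confirming that branch applies the same condition. The `'www'` label and the `['ipv4', 'ipv6-web']` type list are bare magic values; a frozen constant such as `WEB_APEX_TYPES = ['ipv4', 'ipv6-web'].freeze` with a one-line comment would record why the web case gets a fixed extra subdomain. update_dns begins before this hunk.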