Changeset - 01e9035dac41
[Not reviewed]
0 9 0
Branko Majic (branko) - 2 years ago 2023-08-10 00:30:49
branko@majic.rs
MAR-181: Drop support for Debian 9 Stretch from mail_server role:

- Switch the test machines to IPs from the host-only network range that
VirtualBox allows by default.
- Use Debian Buster for helper machines.
- Drop Stretch-specific code and tests.
9 files changed with 16 insertions and 172 deletions:
docs/rolereference.rst
 
@@ -1234,25 +1234,24 @@ Parameters
 
**smtp_allow_relay_from** (list, optional, [])
 
  List of networks from which mail relaying is allowed even without
 
  authentication. Each item in the list is a string defining a network. The
 
  format must be compatible with Postfix ``mynetworks`` setting (for example:
 
  ``192.168.1.0/24``, ``myhost.example.com`` etc).
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 9 (Stretch)
 
- Debian 10 (Buster)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
Here is an example configuration for setting-up XMPP server using Prosody:
 

	
 
.. code-block:: yaml
 

	
 
  ---
 

	
roles/mail_server/meta/main.yml
 
@@ -7,14 +7,13 @@ dependencies:
 
    backup_patterns_filename: "mail_server"
 
    backup_patterns:
 
      - "/var/{{ mail_user }}"
 

	
 
galaxy_info:
 
  author: Branko Majic
 
  description: Sets-up mail server with SMTP and IMAP services, using LDAP as source of allowed destinations (domains, mail addresses)
 
  license: BSD
 
  min_ansible_version: 2.9
 
  platforms:
 
    - name: Debian
 
      versions:
 
        - 9
 
        - 10
roles/mail_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -24,29 +24,28 @@ smtp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }
 
imap_folder_separator: "."
 
smtp_rbl:
 
  - bl.spamcop.net
 
  - zen.spamhaus.org
 

	
 
mail_postmaster: "webmaster@parameters-optional"
 
smtp_allow_relay_from:
 
  - "{{ release_based_smtp_allow_relay_from[ansible_distribution_release] }}"
 
mail_message_size_limit: 20480001
 

	
 
# Variables dependant on distribution release.
 
release_based_smtp_allow_relay_from:
 
  stretch: "10.31.127.22"
 
  buster: "10.31.127.20"
 
  buster: "192.168.56.20"
 

	
 
# common
 
ca_certificates:
 
  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
 

	
 
# backup_client (backup username should end in -s64 for Stretch).
 
# backup_client (backup username should end in -b64 for Buster).
 
enable_backup: true
 
backup_client_username: "bak-parameters-optional-{{ ansible_distribution_release[0] }}64"
 
backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
 
backup_server: ldap-server
 
backup_server_host_ssh_public_keys:
 
  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
 
  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
 
  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
 
backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"
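Review bot: `release_based_smtp_allow_relay_from` now holds a single `buster` key, so the `[ansible_distribution_release]` lookup that feeds `smtp_allow_relay_from` no longer selects between anything, and the same is true of `{{ ansible_distribution_release[0] }}64` in `backup_client_username`, whose remaining comment only lists Buster. Either flatten both to `smtp_allow_relay_from: ["192.168.56.20"]` and `backup_client_username: "bak-parameters-optional-b64"`, or keep the dict and add a comment saying the lookup is meant to fail loudly on an unsupported release. Whichever you pick, `192.168.56.20` has to stay in step with the `client-relay-allowed` host's address in molecule.yml, since that single entry is what lets one test client relay without authentication and not the other.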
roles/mail_server/molecule/default/host_vars/ldap-server.yml
 
@@ -34,19 +34,15 @@ ldap_client_config:
 
    value: dc=local
 
  - comment: URI
 
    option: URI
 
    value: ldapi:///
 

	
 
# backup_server role
 
backup_host_ssh_private_keys:
 
  rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
 
  ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
 
  ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 
backup_clients:
 

	
 
  - server: parameters-optional-s64
 
    ip: 10.31.127.33
 
    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
 

	
 
  - server: parameters-optional-b64
 
    ip: 10.31.127.31
 
    ip: 192.168.56.31
 
    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
roles/mail_server/molecule/default/molecule.yml
 
@@ -6,142 +6,86 @@ driver:
 
  name: vagrant
 
  provider:
 
    name: virtualbox
 

	
 
lint:
 
  name: yamllint
 
  options:
 
    config-file: ../../.yamllint.yml
 

	
 
platforms:
 

	
 
  - name: ldap-server
 
    box: debian/contrib-stretch64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.10
 
        network_name: private_network
 
        type: static
 

	
 
  - name: client1-stretch
 
    groups:
 
      - client
 
      - client-relay-allowed
 
      - stretch
 
      - smtp-server-requiring-tls
 
    box: debian/contrib-stretch64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.22
 
        network_name: private_network
 
        type: static
 

	
 
  - name: client2-stretch
 
    groups:
 
      - client
 
      - client-relay-forbidden
 
      - stretch
 
      - smtp-server-refusing-tls
 
    box: debian/contrib-stretch64
 
    box: debian/contrib-buster64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.23
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-mandatory-stretch64
 
    groups:
 
      - parameters-mandatory
 
      - stretch
 
    box: debian/contrib-stretch64
 
    memory: 1536
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.32
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-optional-stretch64
 
    groups:
 
      - parameters-optional
 
      - stretch
 
    box: debian/contrib-stretch64
 
    memory: 1536
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.33
 
        ip: 192.168.56.10
 
        network_name: private_network
 
        type: static
 

	
 
  - name: client1-buster
 
    groups:
 
      - client
 
      - client-relay-allowed
 
      - buster
 
      - smtp-server-requiring-tls
 
    box: debian/contrib-buster64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.20
 
        ip: 192.168.56.20
 
        network_name: private_network
 
        type: static
 

	
 
  - name: client2-buster
 
    groups:
 
      - client
 
      - client-relay-forbidden
 
      - buster
 
      - smtp-server-refusing-tls
 
    box: debian/contrib-buster64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.21
 
        ip: 192.168.56.21
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-mandatory-buster64
 
    groups:
 
      - parameters-mandatory
 
      - buster
 
    box: debian/contrib-buster64
 
    memory: 1536
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.30
 
        ip: 192.168.56.30
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-optional-buster64
 
    groups:
 
      - parameters-optional
 
      - buster
 
    box: debian/contrib-buster64
 
    memory: 1536
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.31
 
        ip: 192.168.56.31
 
        network_name: private_network
 
        type: static
 

	
 
provisioner:
 
  name: ansible
 
  playbooks:
 
    cleanup: cleanup.yml
 
  config_options:
 
    defaults:
 
      force_valid_group_names: "ignore"
 
      interpreter_python: "/usr/bin/python3"
 
    ssh_connection:
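Review bot: Every platform now pulls `debian/contrib-buster64` with no `box_version` or checksum, so each `molecule create` fetches whatever the registry currently serves under that name; the ldap-server block at the top of the section is the one this commit newly switches. If the vagrant driver in use accepts it, pin the box (`box_version: "..."`) next to each `box:` line so test runs are reproducible and a replaced upstream box cannot silently change the fixture. With the `stretch` group gone, `buster` is the only release group left; it still gates the hosts-file play in prepare.yml, and `ldap-server` (no `groups:`) is not in it, so excluding that host is now the group's only effect and deserves a comment if it is intentional.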
roles/mail_server/molecule/default/prepare.yml
 
@@ -17,32 +17,24 @@
 
      args:
 
        chdir: "tests/data/"
 
        creates: ".gimmecert/server/{{ item.name }}.cert.pem"
 
        argv:
 
          - "gimmecert"
 
          - "server"
 
          - "{{ item.name }}"
 
          - "{{ item.fqdn }}"
 
          - "{{ item.fqdn[:item.fqdn.rfind('-')] }}"
 
      with_items:
 
        - name: ldap-server_ldap
 
          fqdn: ldap-server
 
        - name: parameters-mandatory-stretch64_imap
 
          fqdn: parameters-mandatory-stretch64
 
        - name: parameters-mandatory-stretch64_smtp
 
          fqdn: parameters-mandatory-stretch64
 
        - name: parameters-optional-stretch64_imap
 
          fqdn: parameters-optional-stretch64
 
        - name: parameters-optional-stretch64_smtp
 
          fqdn: parameters-optional-stretch64
 
        - name: parameters-mandatory-buster64_imap
 
          fqdn: parameters-mandatory-buster64
 
        - name: parameters-mandatory-buster64_smtp
 
          fqdn: parameters-mandatory-buster64
 
        - name: parameters-optional-buster64_imap
 
          fqdn: parameters-optional-buster64
 
        - name: parameters-optional-buster64_smtp
 
          fqdn: parameters-optional-buster64
 

	
 
    - name: Set-up link to generated X.509 material
 
      file:
 
        src: ".gimmecert"
 
@@ -65,63 +57,43 @@
 
    - name: Update all caches to avoid errors due to missing remote archives
 
      apt:
 
        update_cache: true
 
      changed_when: false
 

	
 
    - name: Install tools for testing
 
      apt:
 
        name:
 
          - gnutls-bin
 
          - nmap
 
        state: present
 

	
 
- hosts: stretch
 
  become: true
 
  tasks:
 

	
 
    - name: Set-up the hosts file
 
      lineinfile:
 
        path: /etc/hosts
 
        regexp: "^{{ item.key }}"
 
        line: "{{ item.key }} {{ item.value }}"
 
        owner: root
 
        group: root
 
        mode: 0644
 
        state: present
 
      with_dict:
 
        10.31.127.10: "ldap-server backup-server"
 
        10.31.127.22: "client1 smtp-server-requiring-tls"
 
        10.31.127.23: "client2 smtp-server-refusing-tls"
 
        10.31.127.32: "parameters-mandatory parameters-mandatory-stretch64"
 
        10.31.127.33: "parameters-optional parameters-optional-stretch64"
 

	
 
- hosts: buster
 
  become: true
 
  tasks:
 

	
 
    - name: Set-up the hosts file
 
      lineinfile:
 
        path: /etc/hosts
 
        regexp: "^{{ item.key }}"
 
        line: "{{ item.key }} {{ item.value }}"
 
        owner: root
 
        group: root
 
        mode: 0644
 
        state: present
 
      with_dict:
 
        10.31.127.10: "ldap-server backup-server"
 
        10.31.127.20: "client1 smtp-server-requiring-tls"
 
        10.31.127.21: "client2 smtp-server-refusing-tls"
 
        10.31.127.30: "parameters-mandatory parameters-mandatory-buster64"
 
        10.31.127.31: "parameters-optional parameters-optional-buster64"
 
        192.168.56.10: "ldap-server backup-server"
 
        192.168.56.20: "client1 smtp-server-requiring-tls"
 
        192.168.56.21: "client2 smtp-server-refusing-tls"
 
        192.168.56.30: "parameters-mandatory parameters-mandatory-buster64"
 
        192.168.56.31: "parameters-optional parameters-optional-buster64"
 

	
 
- hosts: client
 
  become: true
 
  tasks:
 

	
 
    - name: Install SWAKS for testing SMTP capability
 
      apt:
 
        name: swaks
 
        state: present
 

	
 
    - name: Install pip
 
      apt:
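Review bot: The new `192.168.56.x` hosts-file entries are matched with `regexp: "^{{ item.key }}"`, which uses the address as a raw regex: the dots match any character and nothing terminates the match, so `^192.168.56.10` would also select an existing `192.168.56.100` line and replace it. Use `regexp: "^{{ item.key | regex_escape }}\\s"` so only the exact address line is rewritten. The pattern predates this commit, which only swaps the addresses, but the `- hosts: buster` play is fully visible in the hunk; the certificate-generation task in the first hunk starts before its hunk begins.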
roles/mail_server/molecule/default/tests/test_default.py
 
@@ -235,27 +235,25 @@ def test_postfix_delivery_to_dovecot(host):
 
    """
 

	
 
    hostname = host.run('hostname').stdout.strip()
 

	
 
    message_id = str(uuid.uuid4())
 

	
 
    # Virtual account.
 
    send = host.run('swaks --header %s --suppress-data --to john.doe@domain1 --server %s', "Message-Id: <%s>" % message_id, hostname)
 
    assert send.rc == 0
 

	
 
    with host.sudo():
 
        mail_log = host.file('/var/log/mail.log')
 
        # The (<\d+><.+?>)? pattern is for difference between Debian
 
        # Stretch and Debian Buster log format.
 
        pattern = r"dovecot: lda\(john.doe@domain1\)(<\d+><.+?>)?: msgid=<%s>: saved mail to INBOX" % message_id
 
        pattern = r"dovecot: lda\(john.doe@domain1\)<\d+><.+?>: msgid=<%s>: saved mail to INBOX" % message_id
 
        assert re.search(pattern, mail_log.content_string) is not None
 

	
 

	
 
def test_dovecot_system_authentication_is_disabled(host):
 
    """
 
    Tests if Dovecot system-based authentication has been disabled.
 
    """
 

	
 
    config = host.file("/etc/dovecot/conf.d/10-auth.conf")
 

	
 
    assert "!include auth-system.conf.ext" not in config.content_string
 

	
 
@@ -612,79 +610,24 @@ def test_certificate_validity_check_configuration(host):
 
    assert config.content_string == "/etc/ssl/certs/%s_imap.pem" % hostname
 

	
 

	
 
def test_smtp_default_port_tls_version_and_ciphers(host):
 
    """
 
    Tests TLS configuration for SMTP default port (needs to be less
 
    restrictive for interoperability purposes).
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
 

	
 
    expected_tls_ciphers = {
 
        "stretch": [
 
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_128_CCM",
 
            "TLS_DHE_RSA_WITH_AES_128_CCM_8",
 
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_CCM",
 
            "TLS_DHE_RSA_WITH_AES_256_CCM_8",
 
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
            "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
 
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
 
            "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
 
            "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
 
            "TLS_DH_anon_WITH_AES_256_CBC_SHA",
 
            "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
 
            "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
 
            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
 
            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
 
            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
 
            "TLS_DH_anon_WITH_SEED_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
 
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
            "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
 
            "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
 
            "TLS_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_RSA_WITH_AES_128_CCM",
 
            "TLS_RSA_WITH_AES_128_CCM_8",
 
            "TLS_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_RSA_WITH_AES_256_CBC_SHA256",
 
            "TLS_RSA_WITH_AES_256_CCM",
 
            "TLS_RSA_WITH_AES_256_CCM_8",
 
            "TLS_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
 
            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
 
            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
 
            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 
            "TLS_RSA_WITH_SEED_CBC_SHA",
 
        ],
 
        "buster": [
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM_8',
 
            'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_256_CCM',
 
            'TLS_DHE_RSA_WITH_AES_256_CCM_8',
 
            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
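Review bot: `expected_tls_ciphers` is still a dict keyed by release with only `"buster"` left, while `expected_tls_versions` just above it is a flat list; whatever indexes the dict by codename (the rest of the function lies past the end of the hunk) will now raise KeyError on any other release instead of failing an assertion. Either flatten it to a plain list, or add a comment stating that the KeyError is the intended signal for an unsupported release. In the earlier hunk, `test_postfix_delivery_to_dovecot` now requires the `<\d+><.+?>` prefix unconditionally; a one-line comment such as `# Dovecot on Buster prefixes lda log lines with what looks like a <pid><session-id> tag` would keep the explanation the removed Stretch/Buster comment used to give.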
roles/mail_server/molecule/default/tests/test_optional.py
 
@@ -53,27 +53,25 @@ def test_local_aliases(host):
 
    """
 
    Tests if local aliases are configured correctly.
 
    """
 

	
 
    message_id = str(uuid.uuid4())
 

	
 
    send = host.run('swaks --header %s --suppress-data --to root@localhost', "Message-Id: <%s>" % message_id)
 
    time.sleep(1)
 
    assert send.rc == 0
 

	
 
    with host.sudo():
 
        mail_log = host.file('/var/log/mail.log')
 
        # The (<\d+><.+?>)? pattern is for difference between Debian
 
        # Stretch and Debian Buster log format.
 
        pattern = r"dovecot: lda\(john.doe@domain1\)(<\d+><.+?>)?: msgid=<%s>: saved mail to INBOX" % message_id
 
        pattern = r"dovecot: lda\(john.doe@domain1\)<\d+><.+?>: msgid=<%s>: saved mail to INBOX" % message_id
 
        assert re.search(pattern, mail_log.content_string) is not None
 

	
 

	
 
def test_dovecot_mailbox_directories(host):
 
    """
 
    Tests if mailbox directories are created correctly.
 
    """
 

	
 
    # Deliver two mails in order to make sure the directory structure is
 
    # created.
 
    send = host.run('swaks --suppress-data --to john.doe@domain1 --server localhost')
 
    assert send.rc == 0
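Review bot: `test_local_aliases` sends to `root@localhost` but asserts a Dovecot delivery for `john.doe@domain1`, and nothing in the test says why; the alias is presumably provided by the role's test fixture, so a comment such as `# root@localhost is expected to be aliased to john.doe@domain1 by the optional-parameters fixture` (confirm against the alias data) would make the assertion readable. The tightened pattern also makes the `<\d+><.+?>` prefix mandatory, tying the test to Buster's Dovecot log format, which is worth a short comment so the next release bump knows where to look. The `time.sleep(1)` sits before `assert send.rc == 0` rather than directly before the log read it is meant to cover; moving it after the assert makes its purpose clearer.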
roles/mail_server/templates/99-local.conf.j2
 
@@ -22,31 +22,25 @@ namespace inbox {
 
# Communication with other services.
 
service auth {
 
  unix_listener /var/spool/postfix/private/auth {
 
    mode = 0660
 
    user = postfix
 
    group = postfix
 
  }
 
}
 

	
 
# TLS configuration.
 
ssl_cert = </etc/ssl/certs/{{ ansible_fqdn }}_imap.pem
 
ssl_key = </etc/ssl/private/{{ ansible_fqdn }}_imap.key
 
{% if ansible_distribution_release == "stretch" %}
 
ssl_dh_parameters_length = 2048
 
{% elif ansible_distribution_release == "buster" %}
 
ssl_dh=</etc/ssl/private/{{ inventory_hostname }}_imap.dh.pem
 
{% else %}
 
{{ unsupported_distribution_release }}
 
{% endif %}
 
ssl_protocols = {{ mail_server_tls_protocols | join(' ') }}
 
ssl_cipher_list = {{ mail_server_tls_ciphers }}
 
ssl = required
 

	
 
# Mail delivery.
 
protocol lda {
 
  mail_plugins = $mail_plugins sieve
 
  postmaster_address = {{ mail_postmaster }}
 
}
 

	
 
# IMAP configuration.
 
protocol imap {
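Review bot: Dropping the release branch also drops the `{{ unsupported_distribution_release }}` trick, which made the template fail on an undefined variable for any release other than the supported ones; if I read the rendered hunk right, `ssl_dh=` is now emitted unconditionally, so running the role on a newer Debian renders a Buster-specific Dovecot TLS config without complaint. Keep a guard, e.g. `{% if ansible_distribution_release != "buster" %}{{ unsupported_distribution_release }}{% endif %}`, or better an `ansible.builtin.assert` on `ansible_distribution_release` in the role's tasks where the failure message can name the supported releases. Separately, `ssl_cert`/`ssl_key` are derived from `ansible_fqdn` while `ssl_dh` uses `inventory_hostname`; the two only coincide when the inventory name is the FQDN, so either use one variable for all three or add a comment stating that requirement to avoid a missing-DH-file surprise at Dovecot start.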