
Location: majic-ansible-roles/roles/mail_server/molecule/default/prepare.yml

branko
MAR-192: Update compatibility-related entries for Postfix main configuration file:

- Default value for append_dot_mydomain has been "no" for a while now,
no need to set it explicitly.
- Prefer the whitelist/blacklist keywords over allowlist/denylist
in logs.
---

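- name: Set-up fixtures
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:

    # Both gimmecert invocations run inside tests/data/ and are skipped once
    # the certificate they produce exists, so re-running prepare is cheap.
    - name: Initialise CA hierarchy
      command:
        cmd: "gimmecert init"
        chdir: "tests/data/"
        creates: ".gimmecert/ca/level1.cert.pem"

    # Every server certificate covers item.fqdn and, when the FQDN contains a
    # "-", the FQDN with its last "-suffix" stripped (for example
    # "parameters-mandatory-bullseye" -> "parameters-mandatory"). The extra
    # name is omitted for FQDNs without a "-": rfind() returns -1 there and
    # slicing with it would silently yield a truncated name such as
    # "database.clamav.ne".
    - name: Generate server private keys and certificates
      command:
        chdir: "tests/data/"
        creates: ".gimmecert/server/{{ item.name }}.cert.pem"
        argv: >-
          {{ ['gimmecert', 'server', item.name, item.fqdn]
          + ([item.fqdn[:item.fqdn.rfind('-')]] if '-' in item.fqdn else []) }}
      with_items:
        - name: clamav-database_https
          fqdn: database.clamav.net
        - name: ldap-server_ldap
          fqdn: ldap-server

        - name: parameters-mandatory-bullseye_imap
          fqdn: parameters-mandatory-bullseye
        - name: parameters-mandatory-bullseye_smtp
          fqdn: parameters-mandatory-bullseye
        - name: parameters-optional-bullseye_imap
          fqdn: parameters-optional-bullseye
        - name: parameters-optional-bullseye_smtp
          fqdn: parameters-optional-bullseye

    # Relative symlink so the generated material is reachable as
    # tests/data/x509/ by the plays below.
    - name: Set-up link to generated X.509 material
      file:
        src: ".gimmecert"
        dest: "tests/data/x509"
        state: link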

- name: Prepare
  hosts: all
  gather_facts: false
  tasks:

    # Fact gathering is switched off for this play so that the raw step below
    # can bootstrap a Python interpreter first. The shell test keeps the step
    # idempotent, which is why changed_when is pinned to false.
    - name: Install python for Ansible
      become: true
      changed_when: false
      raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)

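- name: Install common test tooling on all hosts
  hosts: all
  become: true
  tasks:

    - name: Update all caches to avoid errors due to missing remote archives
      apt:
        update_cache: true
      changed_when: false

    # Tools used by the test suite on every host.
    - name: Install tools for testing
      apt:
        name:
          - gnutls-bin
          - nmap
        state: present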

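- name: Set-up a local ClamAV database mirror to avoid hitting upstream rate limits
  hosts: clamav-database
  become: true
  tasks:

    - name: Install system packages for hosting the ClamAV database
      apt:
        name:
          - nginx
          - virtualenv
        state: present

    # File modes are quoted throughout this play so the module receives the
    # literal octal string instead of relying on YAML 1.1 octal-integer
    # parsing (ansible-lint risky-octal).
    - name: Set-up directory for ClamAV database sync tool virtual environment
      file:
        path: /var/lib/cvdupdate
        state: directory
        owner: vagrant
        group: vagrant
        mode: "0755"

    # "creates" must name something virtualenv itself produces. The directory
    # is created by the task above, so using it as the marker would skip this
    # step on every run.
    - name: Create virtual environment for running ClamAV database sync tool
      become_user: vagrant
      command:
        cmd: "/usr/bin/virtualenv --python /usr/bin/python3 --prompt '(cvdupdate) ' /var/lib/cvdupdate"
        creates: "/var/lib/cvdupdate/bin/python"

    - name: Deploy pip requirements file for running the ClamAV database sync tool
      copy:
        src: cvdupdate-requirements.txt
        dest: /var/lib/cvdupdate/requirements.txt
        owner: vagrant
        group: vagrant
        mode: "0644"

    - name: Install requirements in the cvdupdate virtual environment
      become_user: vagrant
      pip:
        requirements: /var/lib/cvdupdate/requirements.txt
        virtualenv: /var/lib/cvdupdate

    # Execute-only for group/others: the web server must be able to descend
    # into /vagrant/ without being able to list it.
    - name: Allow traversal of Vagrant directory by the http server user
      file:
        path: /vagrant/
        mode: "0711"

    - name: Create directory for storing ClamAV database files
      file:
        path: /vagrant/clamav-database
        state: directory
        owner: vagrant
        group: vagrant
        mode: "0755"

    - name: Configure default location for storing ClamAV database files
      become_user: vagrant
      command: "/var/lib/cvdupdate/bin/cvd config set --dbdir /vagrant/clamav-database/"

    # Always reports "changed": it contacts the upstream mirror on every run.
    - name: Download/update the ClamAV database files
      become_user: vagrant
      command: "/var/lib/cvdupdate/bin/cvd update"

    # Symbolic mode: copy the owner's permissions minus write to group/others,
    # which keeps directories traversable and files readable.
    - name: Allow all users to read ClamAV database files
      file:
        path: "/vagrant/clamav-database/"
        mode: "g=u-w,o=u-w"
        recurse: true

    # Key and certificate material is expected to be supplied through
    # inventory/group variables; it is not defined in this playbook.
    - name: Deploy nginx TLS private key
      copy:
        dest: "/etc/ssl/private/nginx_https.key"
        content: "{{ clamav_database_http_server_tls_key }}"
        mode: "0640"
        owner: root
        group: root
      notify:
        - Restart nginx

    - name: Deploy nginx TLS certificate
      copy:
        dest: "/etc/ssl/certs/nginx_https.pem"
        content: "{{ clamav_database_http_server_tls_certificate }}"
        mode: "0644"
        owner: root
        group: root
      notify:
        - Restart nginx

    # Replaces the distribution default site wholesale.
    - name: Deploy nginx configuration for serving the ClamAV database files
      copy:
        src: clamav-database-nginx.conf
        dest: /etc/nginx/sites-available/default
        owner: root
        group: root
        mode: "0644"
      notify:
        - Restart nginx

  handlers:

    - name: Restart nginx
      service:
        name: nginx
        state: restarted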

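- name: Point the test hosts at each other through /etc/hosts
  hosts: bullseye
  become: true
  tasks:

    # Address keys are quoted and the regexp anchors on the address followed
    # by whitespace, so an address that is a prefix of another (".1" vs ".11")
    # can never match the wrong line. regex_escape keeps the dots literal.
    - name: Set-up the hosts file
      lineinfile:
        path: /etc/hosts
        regexp: '^{{ item.key | regex_escape }}\s'
        line: "{{ item.key }} {{ item.value }}"
        owner: root
        group: root
        mode: "0644"
        state: present
      with_dict:
        # Force mail servers to use local ClamAV database mirror.
        "192.168.56.11": "db.local.clamav.net database.clamav.net"
        "192.168.56.12": "ldap-server backup-server"
        "192.168.56.41": "client1 smtp-server-requiring-tls"
        "192.168.56.42": "client2 smtp-server-refusing-tls"
        "192.168.56.51": "parameters-mandatory parameters-mandatory-bullseye"
        "192.168.56.52": "parameters-optional parameters-optional-bullseye"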

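- name: Prepare the client host for exercising the mail servers
  hosts: client
  become: true
  tasks:

    - name: Install SWAKS for testing SMTP capability
      apt:
        name: swaks
        state: present

    # Required by the pip task that follows.
    - name: Install pip
      apt:
        name: python3-pip
        state: present

    - name: Install IMAP CLI tool
      pip:
        name: Imap-CLI==0.7
        state: present

    - name: Install tool for testing SIEVE
      apt:
        name: sieve-connect
        state: present

    - name: Install tool for testing TCP connectivity
      apt:
        name: hping3
        state: present

    # One configuration per test account; kept private to the vagrant user.
    # Modes are quoted so the literal octal string reaches the module
    # (ansible-lint risky-octal).
    - name: Deploy IMAP CLI configuration
      copy:
        src: "tests/data/{{ item }}"
        dest: "/home/vagrant/{{ item }}"
        owner: vagrant
        group: vagrant
        mode: "0600"
      with_items:
        - imapcli-parameters-mandatory-john_doe.conf
        - imapcli-parameters-mandatory-jane_doe.conf
        - imapcli-parameters-optional-john_doe.conf
        - imapcli-parameters-optional-jane_doe.conf

    # The test CA produced by the fixtures play becomes system-trusted on the
    # client; the handler rebuilds the certificate bundle afterwards.
    - name: Deploy CA certificate
      copy:
        src: tests/data/x509/ca/level1.cert.pem
        dest: /usr/local/share/ca-certificates/testca.crt
        owner: root
        group: root
        mode: "0644"
      notify:
        - Update CA certificate cache

    - name: Install and configure Postfix for testing mail sending from managed servers
      block:

        - name: Install Postfix
          apt:
            name: postfix
            state: present

        # Remove Exim so it cannot compete with Postfix for the MTA role.
        - name: Purge Exim
          apt:
            name: "exim4*"
            state: absent
            purge: true

        - name: Configure Postfix
          template:
            src: "helper_smtp_main.cf.j2"
            dest: "/etc/postfix/main.cf"
            owner: root
            group: root
            mode: "0644"
          notify:
            - Restart Postfix

        - name: Enable Postfix service
          service:
            name: postfix
            state: started
            enabled: true

  handlers:

    - name: Update CA certificate cache
      command: /usr/sbin/update-ca-certificates --fresh

    - name: Restart Postfix
      service:
        name: postfix
        state: restarted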

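# Brings up the directory and backup services the mail servers depend on.
- name: Deploy the LDAP and backup server roles
  hosts: ldap-server
  become: true
  roles:
    - role: ldap_server
    - role: backup_server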

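- name: Populate the LDAP directory with test accounts, domains and aliases
  hosts: ldap-server
  become: true
  tasks:

    # The userPassword values below are test-only fixtures for this molecule
    # scenario.
    - name: Create LDAP accounts for testing
      ldap_entry:
        dn: "{{ item.dn }}"
        objectClass: "{{ item.objectClass }}"
        attributes: "{{ item.attributes }}"
      with_items:

        # Users.
        - dn: uid=john,ou=people,dc=local
          objectClass:
            - inetOrgPerson
            - simpleSecurityObject
          attributes:
            userPassword: johnpassword
            uid: john
            cn: John Doe
            sn: Doe
            mail: john.doe@domain1

        - dn: uid=jane,ou=people,dc=local
          objectClass:
            - inetOrgPerson
            - simpleSecurityObject
          attributes:
            userPassword: janepassword
            uid: jane
            cn: Jane Doe
            sn: Doe
            mail: jane.doe@domain2

        # Has a mail attribute but is deliberately left out of the mail group
        # below.
        - dn: uid=nomail,ou=people,dc=local
          objectClass:
            - inetOrgPerson
            - simpleSecurityObject
          attributes:
            userPassword: nomailpassword
            uid: nomail
            cn: No Mail
            sn: Mail
            mail: nomail@domain1

        # Domains
        - dn: dc=domain1,ou=domains,ou=mail,ou=services,dc=local
          objectClass: dNSDomain
          attributes:
            dc: domain1

        - dn: dc=domain2,ou=domains,ou=mail,ou=services,dc=local
          objectClass: dNSDomain
          attributes:
            dc: domain2

        # Aliases
        - dn: cn=postmaster@domain1,ou=aliases,ou=mail,ou=services,dc=local
          objectClass: nisMailAlias
          attributes:
            cn: postmaster@domain1
            rfc822MailMember: john.doe@domain1

        - dn: cn=webmaster@domain2,ou=aliases,ou=mail,ou=services,dc=local
          objectClass: nisMailAlias
          attributes:
            cn: webmaster@domain2
            rfc822MailMember: jane.doe@domain2

    # state: exact makes the membership list authoritative, so only john and
    # jane end up in the mail group.
    # NOTE: ldap_attr has been deprecated upstream in favour of ldap_attrs
    # (community.general); migrate when the Ansible version this project
    # targets provides it.
    - name: Add test accounts to correct group
      ldap_attr:
        dn: "cn=mail,ou=groups,dc=local"
        name: uniqueMember
        state: exact
        values:
          - uid=john,ou=people,dc=local
          - uid=jane,ou=people,dc=local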

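- name: Create the local mail delivery test account on the mail servers
  hosts: parameters-mandatory,parameters-optional
  become: true
  tasks:

    # The group is created first so the user below can be placed in it.
    - name: Create group for user used for local mail delivery testing
      group:
        name: localuser
        state: present

    - name: Create user for local mail delivery testing
      user:
        name: localuser
        group: localuser
        state: present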