From 2b25e7178ac9b43fb56c4bf57322ea6d05b91159 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Fri, 9 Aug 2024 19:26:43 +0000 Subject: [PATCH 01/11] Add virtual machine `verein' --- host_vars/emma.ccchb.de.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/host_vars/emma.ccchb.de.yml b/host_vars/emma.ccchb.de.yml index 85d929f..320672d 100644 --- a/host_vars/emma.ccchb.de.yml +++ b/host_vars/emma.ccchb.de.yml @@ -229,3 +229,19 @@ bhyve_guests: volsize: 128g volblocksize: 64k primarycache: metadata + + - name: verein + index: 10 + enabled: true + ram: 2G + cpus: 2 + image: debian-12.6.0-amd64-netinst.iso + password: foobar + order: + - DISKS + disks: + - name: disk + properties: + volsize: 128g + volblocksize: 64k + primarycache: metadata From 97bbb55052267e8656ec70bdc881e0a96209b4c2 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Sun, 8 Sep 2024 17:16:17 +0000 Subject: [PATCH 02/11] Add mail password for vorstand --- group_vars/mail | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/mail b/group_vars/mail index de756d2..79706c3 100644 --- a/group_vars/mail +++ b/group_vars/mail @@ -7,6 +7,7 @@ dovecot_users: zeltophil: '{BLF-CRYPT}$2y$05$rct9cKgRnB/X7tZW7MXNUeIfadqCRc..dCMG4DB1fZdefH1Qx6FAq' haecksen: '{BLF-CRYPT}$2y$05$e2R8ucHVPlZuI39Uy4iX3.EaRszPJ01itsPJfQa0FIeYzBuiGxUZW' ari: '{BLF-CRYPT}$2y$05$HixjVZIVDVBKy40ReKRKh.ewnuyNV/t84ANsOSjOuxz5BIgk/J7k6' + vorstand: '{BLF-CRYPT}$2y$05$Cw.dfEg54gvRIhT9bDCx1O7xS4TtWf/c7Hh9Owzaf23imfwltMd4e' mlmmj_lists: - name: 'vorstand' From 4454b87c35a099f4ca0024f3fdfdbee2fab0ee38 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Sun, 8 Sep 2024 19:32:33 +0000 Subject: [PATCH 03/11] Add user account for fritz --- group_vars/mail | 1 + roles/postfix/vars/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/group_vars/mail b/group_vars/mail index 79706c3..9e29279 100644 --- a/group_vars/mail +++ b/group_vars/mail 
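Review bot: `password: foobar` in the new `verein` guest entry commits a cleartext, trivially guessable credential to host_vars; whatever the bhyve role feeds this value to (console/VNC or the installer, not visible from this hunk), it should be a generated secret kept encrypted, e.g. `password: "{{ vault_verein_password }}"` with the value in an Ansible Vault file. Any other guest entries in this file that carry a plain `password:` key have the same problem. The installer ISO is referenced by name only; if the role downloads it, a `checksum:` next to `image:` would pin what actually boots — hedged, since the role is not part of this series.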
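Review bot: The new `vorstand` hash uses bcrypt cost 5 (`$2y$05$`), which is the `doveadm pw -s BLF-CRYPT` default and cheap to attack offline if this file ever leaks; the `fritz` entry added in patch 03 has the same cost. Regenerating with `doveadm pw -s BLF-CRYPT -r 12` raises the work factor without any change to the Dovecot configuration. Since `group_vars/mail` is committed in clear, moving the `dovecot_users` map into a vault-encrypted vars file would also be reasonable — the hashes are not secrets, but they are crack targets.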
@@ -8,6 +8,7 @@ dovecot_users: haecksen: '{BLF-CRYPT}$2y$05$e2R8ucHVPlZuI39Uy4iX3.EaRszPJ01itsPJfQa0FIeYzBuiGxUZW' ari: '{BLF-CRYPT}$2y$05$HixjVZIVDVBKy40ReKRKh.ewnuyNV/t84ANsOSjOuxz5BIgk/J7k6' vorstand: '{BLF-CRYPT}$2y$05$Cw.dfEg54gvRIhT9bDCx1O7xS4TtWf/c7Hh9Owzaf23imfwltMd4e' + fritz: '{BLF-CRYPT}$2y$05$NFh8LBoHfkazQDy3iNiuWODSP.rib.jIEDyf/JUbyBnQbJ03FglI6' mlmmj_lists: - name: 'vorstand' diff --git a/roles/postfix/vars/main.yml b/roles/postfix/vars/main.yml index 8223b27..55fdfc4 100644 --- a/roles/postfix/vars/main.yml +++ b/roles/postfix/vars/main.yml @@ -63,6 +63,7 @@ postfix_virtual_aliases: - hostmaster@ccchb.de crest@ccchb.de - thoddi@ccchb.de mail@thoddi.de - docloc@ccchb.de docloc@posteo.net + - fritz@ccchb.de fritz@grimpen.net - root@lists.ccchb.de crest@ccchb.de - crest@lists.ccchb.de crest@ccchb.de From ec110faf41c93f5cc1d4cee7b85e69862accc9ee Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Tue, 17 Sep 2024 16:29:51 +0200 Subject: [PATCH 04/11] Unify file name extensions for group vars --- group_vars/{debian => debian.yml} | 0 group_vars/{freebsd => freebsd.yml} | 0 group_vars/{mail => mail.yml} | 2 -- 3 files changed, 2 deletions(-) rename group_vars/{debian => debian.yml} (100%) rename group_vars/{freebsd => freebsd.yml} (100%) rename group_vars/{mail => mail.yml} (95%) diff --git a/group_vars/debian b/group_vars/debian.yml similarity index 100% rename from group_vars/debian rename to group_vars/debian.yml diff --git a/group_vars/freebsd b/group_vars/freebsd.yml similarity index 100% rename from group_vars/freebsd rename to group_vars/freebsd.yml diff --git a/group_vars/mail b/group_vars/mail.yml similarity index 95% rename from group_vars/mail rename to group_vars/mail.yml index 9e29279..de756d2 100644 --- a/group_vars/mail +++ b/group_vars/mail.yml 
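Review bot: The new alias forwards `fritz@ccchb.de` to an external mailbox at grimpen.net, so the relay re-sends mail with the original envelope sender and the receiving side's SPF/DMARC checks will fail unless sender rewriting (SRS) is in place — whether it is cannot be seen from this hunk. The existing forwards to thoddi.de and posteo.net have the same property, so if those work this one is consistent with them; otherwise a one-line comment on the alias noting the dependency would help the next maintainer.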
@@ -7,8 +7,6 @@ dovecot_users: zeltophil: '{BLF-CRYPT}$2y$05$rct9cKgRnB/X7tZW7MXNUeIfadqCRc..dCMG4DB1fZdefH1Qx6FAq' haecksen: '{BLF-CRYPT}$2y$05$e2R8ucHVPlZuI39Uy4iX3.EaRszPJ01itsPJfQa0FIeYzBuiGxUZW' ari: '{BLF-CRYPT}$2y$05$HixjVZIVDVBKy40ReKRKh.ewnuyNV/t84ANsOSjOuxz5BIgk/J7k6' - vorstand: '{BLF-CRYPT}$2y$05$Cw.dfEg54gvRIhT9bDCx1O7xS4TtWf/c7Hh9Owzaf23imfwltMd4e' - fritz: '{BLF-CRYPT}$2y$05$NFh8LBoHfkazQDy3iNiuWODSP.rib.jIEDyf/JUbyBnQbJ03FglI6' mlmmj_lists: - name: 'vorstand' From 2140a1428c99dffa2b984025daad59dd003922e2 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Tue, 17 Sep 2024 16:30:44 +0200 Subject: [PATCH 05/11] debian: Do not change shell and use debian-owned facilities for networking --- roles/debian/tasks/main.yml | 64 +--------------------------- roles/debian/templates/interfaces.j2 | 16 +++++++ 2 files changed, 18 insertions(+), 62 deletions(-) create mode 100644 roles/debian/templates/interfaces.j2 diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml index 76ea1c9..2f3512e 100644 --- a/roles/debian/tasks/main.yml +++ b/roles/debian/tasks/main.yml @@ -1,39 +1,4 @@ --- -- name: Install defaults - package: - name: - - zsh - -- name: Download .zshrc from grml - get_url: - url: https://raw.githubusercontent.com/grml/grml-etc-core/v0.12.5/etc/zsh/zshrc - dest: /etc/zsh/zshrc - checksum: sha256:ad88c76951693c2f9c38773ed2602a9fd5c74431615c4a23aaff679b295919ce - validate_certs: false - -- name: Update SSH configuration - notify: reload sshd - replace: - dest: /etc/ssh/sshd_config - regexp: '^([\#\s]*)?{{ item.key }}\s+([\w_-]+)' - replace: "{{item.key}} {{item.value}}" - with_items: - - key: PermitRootLogin - value: without-password - - key: PasswordAuthentication - value: 'no' - - key: ChallengeResponseAuthentication - value: 'no' - - key: PrintLastLog - value: 'yes' - - key: UseDNS - value: 'no' - -- name: Change shell of user root - user: - name: root - shell: /usr/bin/zsh - - name: Enable sshd systemd: name: sshd 
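Review bot: The `group_vars/mail` → `group_vars/mail.yml` rename is not content-preserving: its hunk deletes the `vorstand:` and `fritz:` entries that patches 02 and 03 just added, and the blob ids (`index 9e29279..de756d2`) show the target is the pre-patch-02 version of the file, so this looks like an accidental revert from renaming an old copy. The rename should come out at 100% similarity with both `dovecot_users` lines kept. As it stands the two mailboxes and their passwords silently disappear from the Dovecot userdb on the next run.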
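Review bot: Besides the zsh tasks named in the commit message, this hunk also deletes the `Update SSH configuration` task that set `PasswordAuthentication no`, `ChallengeResponseAuthentication no`, `PermitRootLogin without-password` and `UseDNS no`, and nothing in this series puts that back. Debian's stock sshd_config leaves password authentication enabled, so re-imaged hosts will accept password logins for every account, while already-provisioned hosts keep whatever was last written and drift from new ones. If the hardening moved to another role, the message should say so; otherwise keep the task, which was independent of the shell change.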
@@ -44,32 +9,7 @@ notify: restart network when: ipv4 is defined or ipv6 is defined template: - src: systemd.network - dest: /etc/systemd/network/main.network + src: interfaces.j2 + dest: /etc/network/interfaces owner: root mode: 644 - -- name: enable systemd-networkd - notify: restart network - systemd: - name: systemd-networkd - state: started - enabled: yes - -- name: disable networking - systemd: - name: networking - enabled: no - -- name: start systemd-resolved - systemd: - name: systemd-resolved - state: started - enabled: yes - -- name: symling /etc/resolve - file: - src: /run/systemd/resolve/stub-resolv.conf - dest: /etc/resolv.conf - state: link - force: yes diff --git a/roles/debian/templates/interfaces.j2 b/roles/debian/templates/interfaces.j2 new file mode 100644 index 0000000..57cb9eb --- /dev/null +++ b/roles/debian/templates/interfaces.j2 @@ -0,0 +1,16 @@ +# The primary network interface +allow-hotplug enp0s3 +{% if ipv4 is defined %} +iface enp0s3 inet static + address {{ipv4}}/31 + gateway {{ipv4route}} + # dns-* options are implemented by the resolvconf package, if installed + dns-nameservers {{ipv4route}} + dns-search emma.ccchb.de +{% endif %} + +{% if ipv6 is defined %} +iface enp0s3 inet6 static + address {{ipv6}}/127 + gateway {{ipv6route}} +{% endif %} From 08ef92627e7cfa1b21e946d8e98bf58f9dcdc78b Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Tue, 17 Sep 2024 16:15:28 +0000 Subject: [PATCH 06/11] Add descriptions for playbook tasks --- bhyve.yml | 17 ++++++++--------- debian.yml | 5 +++-- dns.yml | 7 +++---- gitea.yml | 5 +++-- haproxy.yml | 7 +++---- jabber.yml | 5 +++-- mail.yml | 16 +++++++--------- nextcloud.yml | 5 +++-- ntp.yml | 7 +++---- restic.yml | 7 +++---- s6.yml | 7 +++---- users.yml | 5 +++-- wiki.yml | 5 +++-- 13 files changed, 48 insertions(+), 50 deletions(-) diff --git a/bhyve.yml b/bhyve.yml index 8b351e9..58099a9 100644 --- a/bhyve.yml +++ b/bhyve.yml 
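Review bot: Switching the template to `/etc/network/interfaces` drops the tasks that enabled systemd-networkd/-resolved and disabled `networking`, but adds nothing that reverses those settings on hosts already provisioned by the old role, so a re-run leaves systemd-networkd enabled, `networking` disabled and `/etc/resolv.conf` still a symlink into `/run/systemd/resolve/`. Whether the `restart network` handler still targets the right unit is not visible here either. A transitional task pair, sketched below, would make the change idempotent across existing hosts; `mode: 644` on the context line is also the unquoted-octal form that patch 08 corrects elsewhere and could be quoted here while at it.
```yaml
# … unchanged: Generate network configuration task …

- name: Disable systemd-networkd in favour of ifupdown
  systemd:
    name: systemd-networkd
    state: stopped
    enabled: false

- name: Enable networking (ifupdown)
  systemd:
    name: networking
    enabled: true
```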
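Review bot: The template's own comment says `dns-nameservers` only takes effect with the `resolvconf` package, yet no task in this series installs it, and because the systemd-resolved tasks were removed in the same commit a freshly provisioned host may end up with no working resolver at all. The interface name `enp0s3` and the `/31` and `/127` prefixes are hard-coded; exposing them as variables with these defaults (e.g. `allow-hotplug {{ debian_iface | default('enp0s3') }}`) keeps the role usable for a guest whose NIC is named differently. `{{ipv4route}}` and `{{ipv6route}}` are used unguarded inside blocks that only test `ipv4`/`ipv6`, so a host that defines the address but not the route fails at template time — presumably they always come in pairs, which is worth a comment if so.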
@@ -1,19 +1,18 @@ --- -- hosts: - - localhost - - become: yes +- name: Install py-netaddr + hosts: + - localhost + become: true tasks: - name: Install py-netaddr package - package: + ansible.builtin.package: name: net/py-netaddr state: present -- hosts: +- name: Deploy bhyve to virtual machine hosts + hosts: - emma - - become: yes + become: true tags: bhyve - roles: - bhyve diff --git a/debian.yml b/debian.yml index a80ff5f..357aefd 100644 --- a/debian.yml +++ b/debian.yml @@ -1,5 +1,6 @@ --- -- hosts: debian - become: yes +- name: Prepare debian hosts + hosts: debian + become: true roles: - debian diff --git a/dns.yml b/dns.yml index 643ef12..c2baac9 100644 --- a/dns.yml +++ b/dns.yml @@ -1,9 +1,8 @@ --- -- hosts: +- name: Deploy DNS servers + hosts: - mail - - become: yes - + become: true roles: - nsd - unbound diff --git a/gitea.yml b/gitea.yml index 9568c18..ea40448 100644 --- a/gitea.yml +++ b/gitea.yml @@ -1,6 +1,7 @@ --- -- hosts: gitea - become: yes +- name: Deploy Forgejo + hosts: gitea + become: true roles: - gitea - gitea-ccchb diff --git a/haproxy.yml b/haproxy.yml index ec2039f..dcadf81 100644 --- a/haproxy.yml +++ b/haproxy.yml @@ -1,8 +1,7 @@ --- -- hosts: +- name: Deploy haproxy + hosts: - emma - - become: yes - + become: true roles: - haproxy diff --git a/jabber.yml b/jabber.yml index 7ecba0d..74cc4b6 100644 --- a/jabber.yml +++ b/jabber.yml @@ -1,7 +1,8 @@ --- -- hosts: +- name: Deploy XMPP server + hosts: - jabber - become: yes + become: true tags: [jabber] roles: - certbot diff --git a/mail.yml b/mail.yml index b03606c..b6ff43c 100644 --- a/mail.yml +++ b/mail.yml @@ -1,20 +1,18 @@ --- -- hosts: +- name: Install passlib + hosts: - localhost - - become: yes - + become: true tasks: - name: Install passlib - package: + ansible.builtin.package: name: py39-passlib state: present -- hosts: +- name: Deploy mail servers + hosts: - mail - - become: yes - + become: true roles: - dovecot - rspamd 
diff --git a/nextcloud.yml b/nextcloud.yml index a363adf..e0c978d 100644 --- a/nextcloud.yml +++ b/nextcloud.yml @@ -1,5 +1,6 @@ --- -- hosts: nextcloud - become: yes +- name: Deploy NextCloud + hosts: nextcloud + become: true roles: - nextcloud diff --git a/ntp.yml b/ntp.yml index 9c8b356..3c6afce 100644 --- a/ntp.yml +++ b/ntp.yml @@ -1,8 +1,7 @@ --- -- hosts: +- name: Deploy local NTP server + hosts: - mail - - become: yes - + become: true roles: - openntpd diff --git a/restic.yml b/restic.yml index 2a9358d..10b5802 100644 --- a/restic.yml +++ b/restic.yml @@ -1,8 +1,7 @@ --- -- hosts: +- name: Deploy restic + hosts: - mail - - become: yes - + become: true roles: - restic diff --git a/s6.yml b/s6.yml index 8b773d6..f24b005 100644 --- a/s6.yml +++ b/s6.yml @@ -1,8 +1,7 @@ --- -- hosts: +- name: Deploy s6 on FreeBSD + hosts: - emma - - become: yes - + become: true roles: - s6-rc diff --git a/users.yml b/users.yml index ea6b615..41abe04 100644 --- a/users.yml +++ b/users.yml @@ -1,6 +1,7 @@ --- -- hosts: debian frab - become: yes +- name: Perform user management + hosts: debian frab + become: true tags: [user_mgmt] roles: - user_mgmt diff --git a/wiki.yml b/wiki.yml index a42dc86..107c6c2 100644 --- a/wiki.yml +++ b/wiki.yml @@ -1,7 +1,8 @@ --- -- hosts: +- name: Deploy MediaWiki + hosts: - wiki - become: yes + become: true roles: - mediawiki - certbot From f6ccbbf5ebd7c862ab7cc06217bd9a1e2ebd4779 Mon Sep 17 00:00:00 2001 
From: Fritz Grimpen Date: Tue, 17 Sep 2024 16:34:45 +0000 Subject: [PATCH 07/11] Add debian_docker role --- roles/debian_docker/defaults/main.yml | 0 roles/debian_docker/files/daemon.json | 3 +++ roles/debian_docker/handlers/main.yml | 5 ++++ roles/debian_docker/tasks/main.yml | 33 +++++++++++++++++++++++++++ 4 files changed, 41 insertions(+) create mode 100644 roles/debian_docker/defaults/main.yml create mode 100644 roles/debian_docker/files/daemon.json create mode 100644 roles/debian_docker/handlers/main.yml create mode 100644 roles/debian_docker/tasks/main.yml diff --git a/roles/debian_docker/defaults/main.yml b/roles/debian_docker/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/debian_docker/files/daemon.json b/roles/debian_docker/files/daemon.json new file mode 100644 index 0000000..194ce3b --- /dev/null +++ b/roles/debian_docker/files/daemon.json @@ -0,0 +1,3 @@ +{ + "log-driver": "journald" +} diff --git a/roles/debian_docker/handlers/main.yml b/roles/debian_docker/handlers/main.yml new file mode 100644 index 0000000..07aa0eb --- /dev/null +++ b/roles/debian_docker/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart docker + ansible.builtin.service: + name: docker + state: restarted diff --git a/roles/debian_docker/tasks/main.yml b/roles/debian_docker/tasks/main.yml new file mode 100644 index 0000000..a910155 --- /dev/null +++ b/roles/debian_docker/tasks/main.yml 
@@ -0,0 +1,33 @@ +--- +- name: Install Docker's GPG key in apt's keyring + ansible.builtin.apt_key: + url: https://download.docker.com/linux/debian/gpg + state: present + tags: docker install + +- name: Setup Docker's apt repository + ansible.builtin.apt_repository: + repo: deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable + state: present + filename: docker + tags: docker install + +- name: Install Docker + ansible.builtin.package: + name: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-compose-plugin + state: present + tags: docker install + notify: + - Restart docker + +- name: Configure Docker daemon + ansible.builtin.file: + src: daemon.json + dest: /etc/docker/daemon.json + owner: root + group: root + mode: '0644' From 6c41934194761b5731677bd85f8782019b7b0034 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Tue, 17 Sep 2024 16:50:09 +0000 Subject: [PATCH 08/11] Lint postfix role --- roles/postfix/handlers/main.yml | 10 +++---- roles/postfix/tasks/main.yml | 52 ++++++++++++++++----------------- 2 files changed, 31 insertions(+), 31 deletions(-) diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml index 7706fe0..833eef8 100644 --- a/roles/postfix/handlers/main.yml +++ b/roles/postfix/handlers/main.yml 
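Review bot: Several defects in the new tasks file, the most visible in `Configure Docker daemon`, which uses `ansible.builtin.file` with `src:` but no `state: link` — `file` never copies content, so the task either fails or leaves `/etc/docker/daemon.json` absent, and it needs `ansible.builtin.copy`. `tags: docker install` is one tag named "docker install", not two (tag strings are split on commas), so `--tags docker` will not match these tasks. `apt_key` installs Docker's key into the global trusted keyring, where it can sign any repository, and no fingerprint is pinned; the current Debian practice is a keyring file plus `signed-by=` in the repo line. `notify: Restart docker` sits on the install task, where the package starts the daemon anyway, and is missing from the config task, so daemon.json changes are never applied; rewritten tasks below.
```yaml
- name: Ensure apt keyring directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags: [docker, install]

- name: Install Docker's GPG key into a dedicated keyring
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    owner: root
    group: root
    mode: '0644'
  tags: [docker, install]

- name: Setup Docker's apt repository
  ansible.builtin.apt_repository:
    repo: deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable
    state: present
    filename: docker
  tags: [docker, install]

# … unchanged: Install Docker task (drop its notify, tags: [docker, install]) …

- name: Configure Docker daemon
  ansible.builtin.copy:
    src: daemon.json
    dest: /etc/docker/daemon.json
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart docker
```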
@@ -1,20 +1,20 @@ --- - name: Reload s6-rc - service: + ansible.builtin.service: name: s6-rc state: reloaded - name: Restart Postfix - command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix + ansible.builtin.command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix - name: Restart Postfix log - command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix-log + ansible.builtin.command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix-log - name: Reload Postfix - command: s6-svc -h {{ s6_scan_dir }}/postfix + ansible.builtin.command: s6-svc -h {{ s6_scan_dir }}/postfix - name: Rebuild Postfix maps - command: 'postmap {{ item.type }}:{{ item.name }}' + ansible.builtin.command: 'postmap {{ item.type }}:{{ item.name }}' args: chdir: /usr/local/etc/postfix when: item.type in postfix_rebuild_types diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml index 8827a1d..c268cd9 100644 --- a/roles/postfix/tasks/main.yml +++ b/roles/postfix/tasks/main.yml @@ -1,27 +1,27 @@ --- - name: Install Postfix - package: + ansible.builtin.package: name: postfix state: present notify: - Restart Postfix - name: Create /usr/local/etc/mail - file: + ansible.builtin.file: path: /usr/local/etc/mail state: directory owner: root group: wheel - mode: 0755 + mode: '0755' - name: Install Postfix mailer.conf - copy: + ansible.builtin.copy: dest: /usr/local/etc/mail/mailer.conf src: /usr/local/share/postfix/mailer.conf.postfix - remote_src: yes + remote_src: true owner: root group: wheel - mode: 0644 + mode: '0644' - name: Disable sendmail sysrc: 
@@ -29,22 +29,22 @@ value: NONE - name: Make sure sendmail is stopped - service: + ansible.builtin.service: name: sendmail state: stopped -- name: Disable sendmail periodic tasks - lineinfile: +- ansible.core.name: Disable sendmail periodic tasks + ansible.builtin.lineinfile: path: /etc/periodic.conf owner: root group: wheel - mode: 0444 + mode: '0444' regexp: '^{{ item }}=' line: '{{ item }}="NO"' with_items: '{{ sendmail_periodic }}' - name: Add /var/log/postfix to fstab - mount: + ansible.builtin.mount: path: /var/log/postfix src: tmpfs fstype: tmpfs @@ -52,19 +52,19 @@ state: mounted - name: Create Postfix service directories - file: + ansible.builtin.file: path: '{{ s6_etc_dir }}/service/{{ item }}' state: directory owner: root group: wheel - mode: 0755 + mode: '0755' with_items: '{{ postfix_service_dirs }}' - name: Generate Postfix service scripts - template: + ansible.builtin.template: dest: '{{ s6_etc_dir }}/service/{{ item }}' src: '{{ item }}.j2' - mode: 0555 + mode: '0555' owner: root group: wheel with_items: '{{ postfix_service_scripts }}' @@ -73,24 +73,24 @@ - Restart Postfix - name: Generate Postfix service configuration - copy: + ansible.builtin.copy: dest: '{{ s6_etc_dir }}/service/{{ item.name }}' content: '{{ item.content }}' - mode: 0444 + mode: '0444' owner: root group: wheel loop_control: - label: '{{ item.name }} = {{ item.content }}' + label: '{{ item.name }} = {{ item.content }}' notify: - Reload s6-rc - Restart Postfix with_items: '{{ postfix_service_config }}' - name: Generate Postfix maps - template: + ansible.builtin.template: dest: '/usr/local/etc/postfix/{{ item.name }}' src: '{{ item.name }}.j2' - mode: 0444 + mode: '0444' owner: root group: wheel with_items: '{{ postfix_maps }}' @@ -99,7 +99,7 @@ - Reload Postfix - name: Configure Postfix - postconf: + ansible.corepostconf: name: '{{ item.name }}' value: '{{ item.value | default(omit) }}' state: '{{ item.state | default(omit) }}' 
@@ -108,7 +108,7 @@ - Reload Postfix - name: Configure Postfix services - lineinfile: + ansible.builtin.lineinfile: path: /usr/local/etc/postfix/master.cf regexp: '^{{ item.name }} +{{ item.type }}' value: '{{ item.value }}' @@ -126,15 +126,15 @@ - Restart Postfix - name: Flush handlers - meta: flush_handlers + ansible.builtin.meta: flush_handlers - name: Start Postfix - command: fdmove -c 2 1 s6-rc -l {{ s6_live_dir }} -u -v 2 change postfix + ansible.builtin.command: fdmove -c 2 1 s6-rc -l {{ s6_live_dir }} -u -v 2 change postfix register: change changed_when: change.stdout | length > 0 - name: Enable Postfix - lineinfile: + ansible.builtin.lineinfile: path: '{{ s6_etc_dir }}/service/enabled/contents' regexp: "^postfix$" line: "postfix" @@ -142,4 +142,4 @@ - Reload s6-rc - name: Flush handlers (again) - meta: flush_handlers + ansible.builtin.meta: flush_handlers From ca8217859da48855179b76453b5f8dc439e08ac3 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Tue, 17 Sep 2024 19:18:39 +0200 Subject: [PATCH 09/11] Fix hasty typos --- roles/postfix/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml index c268cd9..ab11e1b 100644 --- a/roles/postfix/tasks/main.yml +++ b/roles/postfix/tasks/main.yml @@ -33,7 +33,7 @@ name: sendmail state: stopped -- ansible.core.name: Disable sendmail periodic tasks +- name: Disable sendmail periodic tasks ansible.builtin.lineinfile: path: /etc/periodic.conf owner: root @@ -44,7 +44,7 @@ with_items: '{{ sendmail_periodic }}' - name: Add /var/log/postfix to fstab - ansible.builtin.mount: + ansible.posix.mount: path: /var/log/postfix src: tmpfs fstype: tmpfs @@ -99,7 +99,7 @@ - Reload Postfix - name: Configure Postfix - ansible.corepostconf: + postconf: name: '{{ item.name }}' value: '{{ item.value | default(omit) }}' state: '{{ item.state | default(omit) }}' From 7784501da5806010824fb6995f65f76a475a638d Mon Sep 17 00:00:00 2001 
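Review bot: `value: '{{ item.value }}'` on the context line of `Configure Postfix services` is not a parameter that `ansible.builtin.lineinfile` accepts (its content parameter is `line`), so with the FQCN now pinning the builtin module this task should fail with an unsupported-parameter error; the task's `with_items`/`notify` tail is outside the hunk, and the problem predates this commit. A lint pass is still the place to change it to `line: '{{ item.value }}'`, if that is what was meant, rather than only qualifying the module name.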
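Review bot: `ansible.posix.mount` in the `@@ -44,7` hunk is the right FQCN but pulls in the `ansible.posix` collection, which is not part of ansible-core; unless the repo already declares it (no `requirements.yml` change is in this series), add an entry such as `collections: [{name: ansible.posix}]` in `collections/requirements.yml` so fresh checkouts can run the role. Reverting `postconf:` to a bare name in the `@@ -99,7` hunk suggests a repo-local module in `library/`; a comment on that task, `# postconf is a repo-local module (library/), no FQCN`, would stop the next lint pass from trying to qualify it again.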
From: Fritz Grimpen Date: Tue, 17 Sep 2024 19:28:49 +0200 Subject: [PATCH 10/11] Add tags to mail playbook --- mail.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/mail.yml b/mail.yml index b6ff43c..c748ef1 100644 --- a/mail.yml +++ b/mail.yml @@ -14,7 +14,11 @@ - mail become: true roles: - - dovecot - - rspamd - - postfix - - mlmmj + - role: dovecot + tags: [dovecot] + - role: rspamd + tags: [rspamd] + - role: postfix + tags: [postfix] + - role: mlmmj + tags: [mlmmj] From a4f5536f12d30d683072c65c21da4afc31d95cb0 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Tue, 17 Sep 2024 16:53:39 +0000 Subject: [PATCH 11/11] Stricter TLS ciphersuites for Postfix (SMTP) --- roles/postfix/vars/main.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/postfix/vars/main.yml b/roles/postfix/vars/main.yml index 55fdfc4..5d0df07 100644 --- a/roles/postfix/vars/main.yml +++ b/roles/postfix/vars/main.yml @@ -353,6 +353,14 @@ postfix_config: value: 'aNULL' state: present + - name: smtpd_tls_mandatory_protocols + value: 'TLSv1.2 TLSv1.3' + state: present + + - name: smtpd_tls_protocols + value: 'TLSv1.2 TLSv1.3' + state: present + - name: smtpd_tls_received_header value: 'yes' state: present @@ -370,7 +378,8 @@ postfix_config: state: present - name: tls_high_cipherlist - value: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA' + value: |- + 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384' state: present - name: tls_ssl_options
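Review bot: Restricting `smtpd_tls_protocols` (the opportunistic, non-mandatory case) to TLSv1.2/1.3 means a legacy sender that only speaks TLS 1.0/1.1 now falls back to cleartext instead of a weaker TLS session; that trade-off deserves a comment next to the entry, e.g. `# legacy senders without TLS 1.2 downgrade to plaintext; accepted risk`. The list form `'TLSv1.2 TLSv1.3'` works, but Postfix 3.6 and later prefer the minimum-version spelling `'>=TLSv1.2'`, which also covers future protocol versions — the Postfix version in use is not visible here. The client-side settings (`smtp_tls_protocols`, `smtp_tls_mandatory_protocols`) are not touched in this series.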
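Review bot: The new `tls_high_cipherlist` value is a `|-` block scalar, and inside a block scalar the surrounding single quotes are literal content, so Postfix receives the list with a leading and trailing `'` attached to the first and last suite names. OpenSSL silently drops tokens it does not recognise (or rejects the list under strict parsing), so at best those two suites vanish and at worst TLS setup fails. Drop the quotes inside the block (`value: >-` followed by the bare cipher list) or keep the original single-quoted plain scalar on one line. Note also that `tls_high_cipherlist` only applies when the cipher grade is `high`, and Postfix's default for `smtpd_tls_ciphers` and `smtpd_tls_mandatory_ciphers` is `medium`, so unless those are set elsewhere in this file the new list has no effect.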