18 files changed, 103 insertions, 156 deletions
diff --git a/bin/helpers/launch-mail b/bin/helpers/launch-mail index 4e28bae..ff7fb8c 100755 --- a/bin/helpers/launch-mail +++ b/bin/helpers/launch-mail @@ -11,7 +11,7 @@ data=$(doctl \ --region nyc3 \ --size s-1vcpu-1gb \ --ssh-keys 23160354 \ - --volumes ef47eab9-d497-11e8-a1fd-0a58ac146edf \ + --volumes 5e4d8c7b-f840-11e8-b59e-0a58ac1467fb \ --format ID,PublicIPv4 \ --no-header \ --wait) @@ -35,23 +35,20 @@ doctl \ tozt.net \ --record-id "$record_id" \ --record-type A \ - --record-name newsmtp2 \ + --record-name newsmtp \ --record-data "$ip" \ - --record-ttl 60 + --record-ttl 600 echo "Done creating DNS entry" echo "Provisioning droplet..." +host="${1:-tozt.net}" conf_location="/usr/local/share/puppet-tozt" conf_repo="git://github.com/doy/puppet-tozt" remote() { # shellcheck disable=SC2029 - ssh root@"$ip" "$@" -} - -apt() { - remote env DEBIAN_FRONTEND=noninteractive apt-get -yq "$@" + ssh root@"$host" "$@" } ensure_conf_exists() { 
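Review bot: `host="${1:-tozt.net}"` defaults the provisioning target to the apex domain rather than to the droplet this script has just created and whose `$ip` it has just published as the `newsmtp` A record; run with no argument, every `remote` call (and the later `scp` of the secret files) goes to whatever `tozt.net` resolves to, which is presumably an existing host. If the intended default is the fresh droplet, `host="${1:-$ip}"` is the one-line fix; if re-provisioning an existing host really is the common case, a comment saying so would help, since as far as these hunks show `$ip` is now used only for the DNS record. Note too that `remote()` now SSHes as root to a caller-supplied name with no host-key pinning, so the first connection to a new droplet is trust-on-first-use (pre-existing behaviour, but worth a comment next to the function). `ensure_conf_exists` starts at the end of this hunk and its body continues outside it.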
@@ -68,24 +65,32 @@ while ! remote true; do sleep 5 done -apt update -apt upgrade -apt install git puppet +if remote test ! -e /usr/bin/pacman; then + remote apt-get -y update + remote apt-get -y install git + ensure_conf_exists + remote "cd '$conf_location/digitalocean-debian-to-arch' && bash install.sh --i_understand_that_this_droplet_will_be_completely_wiped --extra_packages 'puppet git ruby-shadow'" + sleep 30 + while ! remote true; do + sleep 30 + done +fi ensure_conf_exists -remote "cd '$conf_location' && puppet apply --modulepath=./mail -e 'include mail'" +scp -r /mnt/puppet/tozt/ root@"$host":/usr/local/share/puppet-tozt/modules/secret/files +remote "cd '$conf_location' && puppet apply --modulepath=./modules manifests" echo "Done provisioning" echo "Creating DKIM entry" -dkim=$(remote "perl -pe'chomp; s/.*\"(.*)\".*/\$1/' /mailu/dkim/new2.tozt.net.dkim.pub") +dkim=$(remote "perl -pe'chomp; s/.*\"(.*)\".*/\$1/' /mailu/dkim/new.tozt.net.dkim.pub") dkim_record_id=$(doctl \ -t "$(cat /mnt/digitalocean)" \ compute domain records list \ tozt.net \ --format Name,Type,ID \ --no-header \ - | grep '^dkim._domainkey.new2 \+TXT ' \ + | grep '^dkim._domainkey.new \+TXT ' \ | awk '{print $3}' ) doctl \ @@ -94,9 +99,9 @@ doctl \ tozt.net \ --record-id "$dkim_record_id" \ --record-type TXT \ - --record-name dkim._domainkey.new2 \ + --record-name dkim._domainkey.new \ --record-data "$dkim" \ - --record-ttl 60 + --record-ttl 600 echo "Done creating DKIM entry" echo "Done" diff --git a/mail/docker/manifests/init.pp b/mail/docker/manifests/init.pp deleted file mode 100644 index e40f93f..0000000 --- a/mail/docker/manifests/init.pp +++ /dev/null 
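Review bot: The new branch executes `bash install.sh --i_understand_that_this_droplet_will_be_completely_wiped …` as root out of `$conf_location`, which `ensure_conf_exists` (body outside the hunk) presumably populates from the context line `conf_repo="git://github.com/doy/puppet-tozt"`; git:// is unauthenticated and unencrypted, so anything on the network path can substitute the script that reinstalls the OS. Switch to `conf_repo="https://github.com/doy/puppet-tozt"` and, ideally, check out a pinned commit rather than the branch tip before running anything from the clone. After install.sh replaces the OS the host presents a new SSH host key, so unless your ssh config relaxes host-key checking the `while ! remote true` loop will keep failing on a known_hosts mismatch rather than on the reboot; an `ssh-keygen -R "$host"` before that loop (and re-pinning the new key from the console) avoids an indefinite hang. Separately, the DKIM read still targets `/mailu/dkim/new.tozt.net.dkim.pub`, but the env file and mailu.pp in this same commit move the data root to `/media/persistent`, so this should be `/media/persistent/dkim/new.tozt.net.dkim.pub`.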
@@ -1,44 +0,0 @@ -class docker { - package { - [ - "apt-transport-https", - "ca-certificates", - "curl", - "gnupg2", - "software-properties-common", - ]: - ensure => installed; - } - - exec { "install docker apt repository": - provider => shell, - command => " - curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - - add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable\" - apt-get -yq update - ", - unless => "grep -q download.docker.com /etc/apt/sources.list", - require => [ - Package["apt-transport-https"], - Package["ca-certificates"], - Package["curl"], - Package["gnupg2"], - Package["software-properties-common"], - ]; - } - - package { "docker-ce": - ensure => installed, - require => Exec["install docker apt repository"]; - } - - exec { "install docker-compose": - provider => shell, - command => " - curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose - chmod +x /usr/local/bin/docker-compose - ", - creates => "/usr/local/bin/docker-compose", - require => Package["curl"]; - } -} diff --git a/mail/mail/files/puppet-tozt b/mail/mail/files/puppet-tozt deleted file mode 100644 index 91d06e5..0000000 --- a/mail/mail/files/puppet-tozt +++ /dev/null @@ -1,6 +0,0 @@ -#!/usr/bin/env bash -set -eu -set -o pipefail - -(cd /usr/local/share/puppet-tozt && sudo git pull) -sudo puppet apply --show_diff --modulepath=/usr/local/share/puppet-tozt/mail -e 'include mail' diff --git a/mail/mail/manifests/bootstrap.pp b/mail/mail/manifests/bootstrap.pp deleted file mode 100644 index 7866562..0000000 --- a/mail/mail/manifests/bootstrap.pp +++ /dev/null @@ -1,14 +0,0 @@ -class mail::bootstrap { - package { - [ - "puppet", - "rsync", - ]: - ensure => installed, - } - - file { '/usr/local/bin/puppet-tozt': - source => 'puppet:///modules/mail/puppet-tozt', - mode => '0755'; - } -} 
diff --git a/mail/mail/manifests/init.pp b/mail/mail/manifests/init.pp deleted file mode 100644 index f69f569..0000000 --- a/mail/mail/manifests/init.pp +++ /dev/null @@ -1,4 +0,0 @@ -class mail { - include mail::bootstrap - include mail::mailu -} diff --git a/mail/mail/manifests/persistent.pp b/mail/mail/manifests/persistent.pp deleted file mode 100644 index 3dfafb6..0000000 --- a/mail/mail/manifests/persistent.pp +++ /dev/null @@ -1,24 +0,0 @@ -class mail::persistent { - file { - "/mailu": - ensure => directory; - } - - $fstab_line = "/dev/disk/by-id/scsi-0DO_Volume_mail-persistent /mailu ext4 rw,relatime 0 2" - exec { "populate fstab": - provider => shell, - command => "echo '${fstab_line}' >> /etc/fstab", - unless => "grep -qF '${fstab_line}' /etc/fstab", - require => File["/mailu"]; - } - - exec { "mount /mailu": - provider => shell, - command => "mount /mailu", - unless => "grep ' /mailu ' /proc/mounts", - require => [ - File["/mailu"], - Exec["populate fstab"], - ]; - } -} diff --git a/mail/secret/manifests/init.pp b/mail/secret/manifests/init.pp deleted file mode 100644 index 054a71d..0000000 --- a/mail/secret/manifests/init.pp +++ /dev/null @@ -1,9 +0,0 @@ -define secret($source, $path=$name, $owner=undef, $group=undef, $mode='0600') { - file { "$path": - source => "puppet:///modules/secret/$source", - owner => $owner, - group => $group, - mode => $mode, - show_diff => false, - } -} diff --git a/mail/systemd/manifests/init.pp b/mail/systemd/manifests/init.pp deleted file mode 100644 index 5e04229..0000000 --- a/mail/systemd/manifests/init.pp +++ /dev/null @@ -1,6 +0,0 @@ -class systemd { - exec { "systemctl daemon-reload": - command => "/bin/systemctl daemon-reload", - refreshonly => true; - } -} diff --git a/manifests/mail.pp b/manifests/mail.pp new file mode 100644 index 0000000..d91d47e --- /dev/null +++ b/manifests/mail.pp 
@@ -0,0 +1,12 @@ +node 'mail', 'mail.localdomain' { + $persistent_data = '/media/persistent' + include mail::persistent + Class['mail::persistent'] -> Class['base'] + + include base + + # include mail::backups + include mail::mailu + include mail::operatingsystem + include mail::services +} diff --git a/modules/docker/manifests/init.pp b/modules/docker/manifests/init.pp new file mode 100644 index 0000000..aec73a4 --- /dev/null +++ b/modules/docker/manifests/init.pp @@ -0,0 +1,5 @@ +class docker { + package { "docker-compose": + ensure => installed; + } +} diff --git a/mail/mail/files/dhparam.pem b/modules/mail/files/dhparam.pem index bb54913..bb54913 100644 --- a/mail/mail/files/dhparam.pem +++ b/modules/mail/files/dhparam.pem diff --git a/mail/mail/files/dkim_signing.conf b/modules/mail/files/dkim_signing.conf index b1ddead..b1ddead 100644 --- a/mail/mail/files/dkim_signing.conf +++ b/modules/mail/files/dkim_signing.conf diff --git a/mail/mail/files/docker-compose.yml b/modules/mail/files/docker-compose.yml index 747ba65..747ba65 100644 --- a/mail/mail/files/docker-compose.yml +++ b/modules/mail/files/docker-compose.yml diff --git a/mail/mail/files/env b/modules/mail/files/env index b47ba25..ab79b29 100644 --- a/mail/mail/files/env +++ b/modules/mail/files/env @@ -1,7 +1,7 @@ -ROOT=/mailu +ROOT=/media/persistent VERSION=1.5 -DOMAIN=new2.tozt.net -HOSTNAMES=newsmtp2.tozt.net,newmail3.tozt.net +DOMAIN=new.tozt.net +HOSTNAMES=newsmtp.tozt.net POSTMASTER=admin TLS_FLAVOR=letsencrypt AUTH_RATELIMIT=10/minute;1000/hour diff --git a/mail/mail/files/service b/modules/mail/files/service index 8d55580..f1da3bb 100644 --- a/mail/mail/files/service +++ b/modules/mail/files/service @@ -5,4 +5,4 @@ After=network.target [Service] ExecStart=/usr/local/bin/docker-compose up Restart=on-failure -WorkingDirectory=/mailu +WorkingDirectory=/media/persistent diff --git a/mail/mail/manifests/mailu.pp b/modules/mail/manifests/mailu.pp index 26a66d5..9c61ecb 100644 
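Review bot: `$persistent_data = '/media/persistent'` is set at node scope but, as far as the hunks in this commit show, nothing reads it — `mail::persistent` and `mail::mailu` hard-code `/media/persistent` in every path — so it is either dead or a half-finished parameterisation. Either drop it or make it the single source of truth, e.g. `class mail::persistent(String $path = '/media/persistent')` with `mail::mailu` deriving its file paths from the same parameter, so the mount point and the file resources cannot drift apart. The commented-out `# include mail::backups` leaves the persistent mail volume with no backup class in the catalog; if that is deliberate for now, a `# TODO: re-enable once mail::backups is ported to the new module layout` comment would stop it being read as an accident.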
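Review bot: The class now installs a distro `docker-compose` package, but the systemd unit in `modules/mail/files/service` still runs `ExecStart=/usr/local/bin/docker-compose up` — the path the removed `curl … -o /usr/local/bin/docker-compose` exec used to create. On the Arch target that `launch-mail` now converts droplets to, the package most likely provides `/usr/bin/docker-compose` instead, so the unit would fail to start; change it to `ExecStart=/usr/bin/docker-compose up` (or whatever the package actually installs) in the same change as this class. The class also no longer says anything about the `docker` daemon itself; if it is relied on only as a package dependency of `docker-compose`, a `service { 'docker': ensure => running, enable => true }` here would make the requirement explicit and enable it on boot.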
--- a/mail/mail/manifests/mailu.pp
+++ b/modules/mail/manifests/mailu.pp
@@ -1,66 +1,64 @@ class mail::mailu { include mail::persistent include docker + include haveged - package { [ - "haveged", - "opendkim-tools", - ]: + package { "opendkim": ensure => installed; } file { - "/mailu/docker-compose.yml": + "/media/persistent/docker-compose.yml": source => "puppet:///modules/mail/docker-compose.yml", require => Class["mail::persistent"]; - "/mailu/.env.tmpl": + "/media/persistent/.env.tmpl": source => "puppet:///modules/mail/env", require => Class["mail::persistent"]; - "/mailu/certs": + "/media/persistent/certs": ensure => directory, require => Class["mail::persistent"]; - "/mailu/dkim": + "/media/persistent/dkim": ensure => directory, require => Class["mail::persistent"]; - "/mailu/certs/dhparam.pem": + "/media/persistent/certs/dhparam.pem": source => "puppet:///modules/mail/dhparam.pem", - require => File["/mailu/certs"]; - "/mailu/overrides": + require => File["/media/persistent/certs"]; + "/media/persistent/overrides": ensure => directory, require => Class["mail::persistent"]; - "/mailu/overrides/rspamd": + "/media/persistent/overrides/rspamd": ensure => directory, - require => File["/mailu/overrides"]; - "/mailu/overrides/rspamd/dkim_signing.conf": + require => File["/media/persistent/overrides"]; + "/media/persistent/overrides/rspamd/dkim_signing.conf": source => "puppet:///modules/mail/dkim_signing.conf", - require => File["/mailu/overrides/rspamd"]; + require => File["/media/persistent/overrides/rspamd"]; } exec { "generate dkim keys": provider => shell, command => " opendkim-genkey -s dkim -d new2.tozt.net - mv dkim.private /mailu/dkim/new2.tozt.net.dkim.key - mv dkim.txt /mailu/dkim/new2.tozt.net.dkim.pub + mv dkim.private /media/persistent/dkim/new2.tozt.net.dkim.key + mv dkim.txt /media/persistent/dkim/new2.tozt.net.dkim.pub ", - cwd => "/mailu", - creates => "/mailu/dkim/new2.tozt.net.dkim.key", + cwd => "/media/persistent", + creates => "/media/persistent/dkim/new2.tozt.net.dkim.key", require => [ - Package["haveged"], - 
Package["opendkim-tools"], + Class["haveged"], + Package["opendkim"], Class["mail::persistent"], - File["/mailu/dkim"], + File["/media/persistent/dkim"], ]; } exec { "generate mailu secret key": provider => shell, command => " - echo SECRET_KEY=$(dd if=/dev/urandom bs=64 count=1 status=none | base64 -w 0 | cut -b -16) > /mailu/secret-key + echo SECRET_KEY=$(dd if=/dev/urandom bs=64 count=1 status=none | base64 -w 0 | cut -b -16) > /media/persistent/secret-key ", - creates => "/mailu/secret-key", + creates => "/media/persistent/secret-key", require => [ - Package["haveged"], + Class["haveged"], Class["mail::persistent"], ] } @@ -73,12 +71,16 @@ class mail::mailu { exec { "create env file": provider => shell, - command => "cat /mailu/.env.tmpl /mailu/secret-key /run/mailu_bind_address > /mailu/.env", - unless => "test -f /mailu/.env && test -f /run/mailu_bind_address && grep -F `cat /run/mailu_bind_address` /mailu/.env", + command => "cat /media/persistent/.env.tmpl /media/persistent/secret-key /run/mailu_bind_address > /media/persistent/.env", + unless => " + test -f /media/persistent/.env &&\ + test -f /run/mailu_bind_address &&\ + grep -F `cat /run/mailu_bind_address` /media/persistent/.env + ", subscribe => [ Exec["generate mailu secret key"], Exec["find local ip address"], - File["/mailu/.env.tmpl"], + File["/media/persistent/.env.tmpl"], ]; } @@ -90,7 +92,7 @@ class mail::mailu { ensure => running, enable => true, require => [ - File["/mailu/docker-compose.yml"], + File["/media/persistent/docker-compose.yml"], Exec["create env file"], File["/etc/systemd/system/mailu.service"], ] diff --git a/modules/mail/manifests/persistent.pp b/modules/mail/manifests/persistent.pp new file mode 100644 index 0000000..630047e --- /dev/null +++ b/modules/mail/manifests/persistent.pp 
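Review bot: The `generate dkim keys` exec still generates and stores the key for `new2.tozt.net` (`opendkim-genkey -s dkim -d new2.tozt.net`, both `mv` targets and the `creates` path), while `files/env` in this commit sets `DOMAIN=new.tozt.net` and `launch-mail` now reads `new.tozt.net.dkim.pub`; the key file the rest of the commit expects will not exist, so the DKIM DNS record is published from a missing file and whatever `dkim_signing.conf` (not shown here) points at is likely wrong too. Replace `new2.tozt.net` with `new.tozt.net` in the command, both `mv` destinations and `creates`, or better derive all four from one variable so they cannot drift again. Note that because `creates` guards on the `new2` key, an old key already on the volume will silently stop the exec rather than trigger regeneration. The `secret-key` file written by `generate mailu secret key` is created by a plain shell redirect, so its mode depends on root's umask; `umask 077;` at the start of that command would keep it from being world-readable. The enclosing class continues past this hunk.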
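Review bot: `create env file` concatenates `secret-key` into `/media/persistent/.env` through a plain shell redirect, so the file holding `SECRET_KEY` gets whatever mode root's umask yields and no `file` resource manages it; prefix the command with `umask 077; ` or add `file { '/media/persistent/.env': mode => '0600' }` that the exec notifies. In the reworked `unless`, the `\` before each newline sits inside a Puppet double-quoted string where backslash-newline is not a documented escape — confirm the parser passes it through, or simply drop the backslashes, since `sh` already continues a command line after `&&`. Also ``grep -F `cat /run/mailu_bind_address` …`` is an unanchored substring match, so an address like `10.0.0.1` is also satisfied by `10.0.0.10`; anchoring it with `-x` on the full `KEY=value` line (the key name is not visible here) avoids the false positive.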
@@ -0,0 +1,27 @@ +class mail::persistent { + file { + "/media": + ensure => directory; + "/media/persistent": + ensure => directory, + require => File["/media"]; + } + + $fstab_line = "/dev/disk/by-id/scsi-0DO_Volume_mail-persistent /media/persistent ext4 rw,relatime 0 2" + exec { "populate fstab": + provider => shell, + command => "echo '${fstab_line}' >> /etc/fstab", + unless => "/usr/bin/grep -qF '${fstab_line}' /etc/fstab", + require => File["/media/persistent"]; + } + + exec { "mount /media/persistent": + provider => shell, + command => "/usr/bin/mount /media/persistent", + unless => "grep ' /media/persistent ' /proc/mounts", + require => [ + File["/media/persistent"], + Exec["populate fstab"], + ]; + } +} diff --git a/modules/mail/manifests/services.pp b/modules/mail/manifests/services.pp new file mode 100644 index 0000000..ca9f88a --- /dev/null +++ b/modules/mail/manifests/services.pp @@ -0,0 +1,3 @@ +class mail::services { + include fail2ban +} |
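Review bot: The fstab entry mounts the data volume with only `rw,relatime`; for a volume that holds mail data and Docker state rather than executables, `rw,relatime,nodev,nosuid` costs nothing and removes a privilege-escalation foothold — though confirm the Mailu containers do not need setuid binaries from the bind-mounted paths before adding `nosuid`. Separately, the `unless` on `populate fstab` uses `/usr/bin/grep` while the one on `mount /media/persistent` uses bare `grep`; pick one convention (either set `path => ['/usr/bin', '/bin']` on both execs or fully qualify both) so the guard's behaviour does not depend on the PATH the exec happens to inherit.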