forked from ccchb/ansible
Add rspamd support.
Postfix uses the Rspamd proxy as spam filtering milter and HAProxy exposes the Rspamd webinterface through HTTPS. Updates #10
This commit is contained in:
parent
28fbdff74b
commit
c18f53b8ea
21 changed files with 381 additions and 0 deletions
1
mail.yml
1
mail.yml
|
@ -17,4 +17,5 @@
|
|||
|
||||
roles:
|
||||
- dovecot
|
||||
- rspamd
|
||||
- postfix
|
||||
|
|
20
roles/rspamd/handlers/main.yml
Normal file
20
roles/rspamd/handlers/main.yml
Normal file
|
@ -0,0 +1,20 @@
|
|||
---
|
||||
- name: Reload s6-rc
|
||||
service:
|
||||
name: s6-rc
|
||||
state: reloaded
|
||||
|
||||
- name: Restart Rspamd
|
||||
command: s6-svc -wR -T 5000 -ru /run/service/rspamd
|
||||
|
||||
- name: Restart Rspamd log
|
||||
command: s6-svc -wR -T 5000 -ru /run/service/rspamd-log
|
||||
|
||||
- name: Restart HAProxy
|
||||
command: s6-svc -wU -T 5000 -ru /run/service/haproxy
|
||||
|
||||
- name: Restart HAProxy log
|
||||
command: s6-svc -wU -T 5000 -ru /run/service/haproxy-log
|
||||
|
||||
- name: Reload HAProxy
|
||||
command: s6-svc -2 /run/service/haproxy
|
13
roles/rspamd/meta/main.yml
Normal file
13
roles/rspamd/meta/main.yml
Normal file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
#dependencies:
|
||||
# - role: redis
|
||||
# redis_instance: other
|
||||
# redis_client_group: '236'
|
||||
#
|
||||
# - role: redis
|
||||
# redis_instance: bayes
|
||||
# redis_client_group: '236'
|
||||
#
|
||||
# - role: redis
|
||||
# redis_instance: fuzzy
|
||||
# redis_client_group: '236'
|
121
roles/rspamd/tasks/main.yml
Normal file
121
roles/rspamd/tasks/main.yml
Normal file
|
@ -0,0 +1,121 @@
|
|||
---
|
||||
- name: Install Rspamd
|
||||
package:
|
||||
name: rspamd
|
||||
|
||||
- name: Create rspamd local.d and override.d
|
||||
file:
|
||||
path: '/usr/local/etc/rspamd/{{ item }}'
|
||||
state: directory
|
||||
mode: 0755
|
||||
owner: root
|
||||
group: wheel
|
||||
with_items:
|
||||
- local.d
|
||||
- override.d
|
||||
|
||||
- name: Configure rspamd
|
||||
template:
|
||||
dest: '/usr/local/etc/rspamd/{{ item }}'
|
||||
src: '{{ item }}.j2'
|
||||
mode: 0444
|
||||
owner: root
|
||||
group: wheel
|
||||
notify:
|
||||
- Restart Rspamd
|
||||
with_items: '{{ rspamd_config }}'
|
||||
|
||||
- name: Add /var/log/rspamd to fstab
|
||||
mount:
|
||||
path: /var/log/rspamd
|
||||
src: tmpfs
|
||||
fstype: tmpfs
|
||||
opts: 'rw,size={{ rspamd_log_size }},mode={{ rspamd_log_mode }},uid={{ rspamd_log_uid }},gid={{ rspamd_log_gid }},late'
|
||||
state: mounted
|
||||
|
||||
- name: Create rspamd HAProxy socket directory
|
||||
file:
|
||||
path: /var/run/haproxy/rspamd
|
||||
state: directory
|
||||
owner: haproxy
|
||||
group: rspamd
|
||||
mode: 0770
|
||||
|
||||
- name: Create Rspamd service directories
|
||||
file:
|
||||
path: '/etc/s6-rc/service/{{ item }}'
|
||||
state: directory
|
||||
owner: root
|
||||
group: wheel
|
||||
mode: 0755
|
||||
with_items: '{{ rspamd_service_dirs }}'
|
||||
notify:
|
||||
- Reload s6-rc
|
||||
- Restart Rspamd log
|
||||
- Restart Rspamd
|
||||
|
||||
- name: Generate Rspamd service scripts
|
||||
template:
|
||||
dest: '/etc/s6-rc/service/{{ item }}'
|
||||
src: '{{ item }}.j2'
|
||||
mode: 0555
|
||||
owner: root
|
||||
group: wheel
|
||||
with_items: '{{ rspamd_service_scripts }}'
|
||||
notify:
|
||||
- Reload s6-rc
|
||||
- Restart Rspamd log
|
||||
- Restart Rspamd
|
||||
|
||||
- name: Generate Rspamd service configuration
|
||||
copy:
|
||||
dest: '/etc/s6-rc/service/{{ item.name }}'
|
||||
content: '{{ item.content }}'
|
||||
mode: 0444
|
||||
owner: root
|
||||
group: wheel
|
||||
loop_control:
|
||||
label: '{{ item.name }} = {{ item.content }}'
|
||||
notify:
|
||||
- Reload s6-rc
|
||||
- Restart Rspamd log
|
||||
- Restart Rspamd
|
||||
with_items: '{{ rspamd_service_config }}'
|
||||
|
||||
- name: Flush handlers
|
||||
meta: flush_handlers
|
||||
|
||||
- name: Start Rspamd
|
||||
command: fdmove -c 2 1 s6-rc -u -v 2 -t 15000 change rspamd
|
||||
register: change
|
||||
changed_when: change.stdout | length > 0
|
||||
|
||||
- name: Enable Rspamd
|
||||
lineinfile:
|
||||
path: /etc/s6-rc/service/enabled/contents
|
||||
regexp: "^rspamd$"
|
||||
line: rspamd
|
||||
state: present
|
||||
notify:
|
||||
- Reload s6-rc
|
||||
|
||||
- name: Flush handlers (again)
|
||||
meta: flush_handlers
|
||||
|
||||
- name: Tell HAProxy where to find the Rspamd webinterface
|
||||
template:
|
||||
dest: /usr/local/etc/haproxy/rspamd.cfg
|
||||
src: rspamd.cfg.j2
|
||||
owner: root
|
||||
group: wheel
|
||||
mode: 0444
|
||||
notify:
|
||||
- Reload HAProxy
|
||||
|
||||
- name: Expose the Rspamd webinterface via HTTPS
|
||||
lineinfile:
|
||||
path: /usr/local/etc/haproxy/sni.map
|
||||
regexp: '^{{ ansible_fqdn }} '
|
||||
line: '{{ ansible_fqdn }} sni_rspamd'
|
||||
notify:
|
||||
- Reload HAProxy
|
4
roles/rspamd/templates/local.d/classifier-bayes.conf.j2
Normal file
4
roles/rspamd/templates/local.d/classifier-bayes.conf.j2
Normal file
|
@ -0,0 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
backend = "redis";
|
||||
servers = "/var/run/redis-bayes/sock";
|
8
roles/rspamd/templates/local.d/composites.conf.j2
Normal file
8
roles/rspamd/templates/local.d/composites.conf.j2
Normal file
|
@ -0,0 +1,8 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
MAILLIST_FROM_PHPMAILER {
|
||||
expression = "MAILLIST & HAS_PHPMAILER_SIG";
|
||||
description = "PHPMailer sending mail to a mailing-list";
|
||||
score = 20;
|
||||
policy = "leave";
|
||||
}
|
3
roles/rspamd/templates/local.d/fann_redis.conf.j2
Normal file
3
roles/rspamd/templates/local.d/fann_redis.conf.j2
Normal file
|
@ -0,0 +1,3 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
timeout = 60s;
|
5
roles/rspamd/templates/local.d/options.inc.j2
Normal file
5
roles/rspamd/templates/local.d/options.inc.j2
Normal file
|
@ -0,0 +1,5 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
dns {
|
||||
nameserver = ["[::1]"];
|
||||
}
|
3
roles/rspamd/templates/local.d/redis.conf.j2
Normal file
3
roles/rspamd/templates/local.d/redis.conf.j2
Normal file
|
@ -0,0 +1,3 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
servers = "/var/run/redis-other/sock";
|
5
roles/rspamd/templates/override.d/logging.inc.j2
Normal file
5
roles/rspamd/templates/override.d/logging.inc.j2
Normal file
|
@ -0,0 +1,5 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
type = "console";
|
||||
systemd = true;
|
||||
log_color = false;
|
|
@ -0,0 +1,6 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
# Ask crest for the password
|
||||
password = "$2$au1ywidxo66uz6rnhtpn64f3mn63ykrq$fmgzgxrybouknkaw5or74ho5bwa5ixasiwo7k16p19asgrqs49ay";
|
||||
enable_password = "$2$1roytuwoajssbqkdq97ec6nfa3gn6sas$zm5sqsodfmth3cf87dg4pfmmyadhgdsw9dekemfnmwphu65k5p6b";
|
||||
bind_socket = "/var/run/haproxy/rspamd/controller mode=0666";
|
4
roles/rspamd/templates/override.d/worker-fuzzy.inc.j2
Normal file
4
roles/rspamd/templates/override.d/worker-fuzzy.inc.j2
Normal file
|
@ -0,0 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
backend = "redis";
|
||||
servers = "/var/run/redis-fuzzy/sock";
|
3
roles/rspamd/templates/override.d/worker-normal.inc.j2
Normal file
3
roles/rspamd/templates/override.d/worker-normal.inc.j2
Normal file
|
@ -0,0 +1,3 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
bind_socket = "/var/run/rspamd/normal.sock";
|
10
roles/rspamd/templates/override.d/worker-proxy.inc.j2
Normal file
10
roles/rspamd/templates/override.d/worker-proxy.inc.j2
Normal file
|
@ -0,0 +1,10 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
bind_socket = "/var/run/rspamd/proxy.sock mode=0666";
|
||||
milter = yes;
|
||||
timeout = 120s;
|
||||
|
||||
upstream "local" {
|
||||
default = yes;
|
||||
self_scan = yes;
|
||||
}
|
13
roles/rspamd/templates/rspamd-log/finish.j2
Normal file
13
roles/rspamd/templates/rspamd-log/finish.j2
Normal file
|
@ -0,0 +1,13 @@
|
|||
#!/usr/local/bin/execlineb -S2
|
||||
# {{ ansible_managed }}
|
||||
|
||||
s6-envdir ./env
|
||||
multisubstitute {
|
||||
importas -i -u NAME NAME
|
||||
}
|
||||
|
||||
fdmove -c 1 2
|
||||
ifelse { test "${1}" -eq 0 } {
|
||||
echo "${NAME}-log: Stopped."
|
||||
}
|
||||
echo "${NAME}-log: Failed with exit status (${1}, ${2})."
|
23
roles/rspamd/templates/rspamd-log/run.j2
Normal file
23
roles/rspamd/templates/rspamd-log/run.j2
Normal file
|
@ -0,0 +1,23 @@
|
|||
#!/usr/local/bin/execlineb
|
||||
# {{ ansible_managed }}
|
||||
|
||||
s6-envdir ./env
|
||||
multisubstitute {
|
||||
importas -i -u NAME NAME
|
||||
importas -i -u USER USER
|
||||
importas -i -u GROUP GROUP
|
||||
importas -i -u MODE MODE
|
||||
importas -i -u DIR DIR
|
||||
}
|
||||
|
||||
foreground { fdmove -c 1 2 echo "${NAME} log: Starting." }
|
||||
|
||||
ifelse -n { install -d -o "${USER}" -g "${GROUP}" -m "${MODE}" "$DIR" } {
|
||||
foreground { fdmove -c 1 2 echo "${NAME} log: Failed to create logging directory." }
|
||||
false
|
||||
}
|
||||
|
||||
fdmove -c 2 1
|
||||
|
||||
s6-envuidgid $USER
|
||||
s6-log -d 3 T $DIR
|
23
roles/rspamd/templates/rspamd.cfg.j2
Normal file
23
roles/rspamd/templates/rspamd.cfg.j2
Normal file
|
@ -0,0 +1,23 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
frontend front_rspamd
|
||||
log global
|
||||
bind /var/run/haproxy/rspamd.https mode 600 user haproxy group haproxy ssl crt /usr/local/etc/haproxy/{{ ansible_fqdn }}.pem alpn h2,http/1.1 accept-proxy
|
||||
http-request set-src src,ipmask(16,56)
|
||||
use_backend back_rspamd
|
||||
|
||||
backend back_rspamd
|
||||
server rspamd_controller /rspamd/controller
|
||||
option forwardfor
|
||||
http-request add-header X-Forwarded-Proto https
|
||||
http-request add-header X-Forwarded-Port 443
|
||||
|
||||
backend sni_rspamd
|
||||
mode tcp
|
||||
acl clienthello req_ssl_hello_type 1
|
||||
acl serverhello rep_ssl_hello_type 2
|
||||
tcp-request inspect-delay 5s
|
||||
tcp-request content accept if clienthello
|
||||
tcp-response content accept if serverhello
|
||||
option ssl-hello-chk
|
||||
server rspamd_https /rspamd.https send-proxy
|
19
roles/rspamd/templates/rspamd/data/check.j2
Normal file
19
roles/rspamd/templates/rspamd/data/check.j2
Normal file
|
@ -0,0 +1,19 @@
|
|||
#!/usr/local/bin/execlineb -P
|
||||
# {{ ansible_managed }}
|
||||
|
||||
s6-envdir ./env
|
||||
multisubstitute {
|
||||
importas -i -u NAME NAME
|
||||
importas -i -u SOCK SOCK
|
||||
}
|
||||
|
||||
ifelse {
|
||||
redirfd -w 1 /dev/null
|
||||
fdmove -c 2 1
|
||||
pipeline { sockstat -l -j 0 -u } fgrep -q "${SOCK}"
|
||||
} {
|
||||
foreground { fdmove -c 1 2 echo "${NAME}: Ready." }
|
||||
true
|
||||
}
|
||||
foreground { fdmove -c 1 2 echo "${NAME}: Poll." }
|
||||
false
|
13
roles/rspamd/templates/rspamd/finish.j2
Normal file
13
roles/rspamd/templates/rspamd/finish.j2
Normal file
|
@ -0,0 +1,13 @@
|
|||
#!/usr/local/bin/execlineb -S2
|
||||
# {{ ansible_managed }}
|
||||
|
||||
s6-envdir ./env
|
||||
multisubstitute {
|
||||
importas -i -u NAME NAME
|
||||
}
|
||||
|
||||
fdmove -c 1 2
|
||||
ifelse { test "${1}" -eq 0 } {
|
||||
echo "${NAME}: Stopped."
|
||||
}
|
||||
echo "${NAME}: Failed with exit status (${1}, ${2})."
|
13
roles/rspamd/templates/rspamd/run.j2
Normal file
13
roles/rspamd/templates/rspamd/run.j2
Normal file
|
@ -0,0 +1,13 @@
|
|||
#!/usr/local/bin/execlineb -P
|
||||
# {{ ansible_managed }}
|
||||
|
||||
s6-envdir ./env
|
||||
multisubstitute {
|
||||
importas -i -u NAME NAME
|
||||
}
|
||||
|
||||
foreground { fdmove -c 1 2 echo "${NAME}: Starting." }
|
||||
s6-notifyoncheck -d -w 100 -n 70
|
||||
|
||||
fdmove -c 2 1
|
||||
rspamd -f -u rspamd -g rspamd
|
71
roles/rspamd/vars/main.yml
Normal file
71
roles/rspamd/vars/main.yml
Normal file
|
@ -0,0 +1,71 @@
|
|||
---
|
||||
rspamd_log_size: '32m'
|
||||
rspamd_log_mode: '750'
|
||||
rspamd_log_uid: '20000'
|
||||
rspamd_log_gid: '20000'
|
||||
|
||||
rspamd_service_dirs:
|
||||
- rspamd
|
||||
- rspamd/env
|
||||
- rspamd/data
|
||||
- rspamd-log
|
||||
- rspamd-log/env
|
||||
|
||||
rspamd_service_scripts:
|
||||
- rspamd/run
|
||||
- rspamd/finish
|
||||
- rspamd/data/check
|
||||
- rspamd-log/run
|
||||
- rspamd-log/finish
|
||||
|
||||
rspamd_service_config:
|
||||
- name: rspamd/type
|
||||
content: longrun
|
||||
- name: rspamd/producer-for
|
||||
content: rspamd-log
|
||||
- name: rspamd/notification-fd
|
||||
content: 3
|
||||
- name: rspamd/env/NAME
|
||||
content: rspamd
|
||||
- name: rspamd/env/PATH
|
||||
content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
|
||||
- name: rspamd/env/SOCK
|
||||
content: /var/run/rspamd/normal.sock
|
||||
- name: rspamd/dependencies
|
||||
content: |
|
||||
unbound
|
||||
redis-bayes
|
||||
redis-fuzzy
|
||||
redis-other
|
||||
|
||||
- name: rspamd-log/type
|
||||
content: longrun
|
||||
- name: rspamd-log/notification-fd
|
||||
content: 3
|
||||
- name: rspamd-log/consumer-for
|
||||
content: rspamd
|
||||
- name: rspamd-log/env/NAME
|
||||
content: rspamd
|
||||
- name: rspamd-log/env/PATH
|
||||
content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
|
||||
- name: rspamd-log/env/MODE
|
||||
content: '750'
|
||||
- name: rspamd-log/env/USER
|
||||
content: s6-log
|
||||
- name: rspamd-log/env/GROUP
|
||||
content: s6-log
|
||||
- name: rspamd-log/env/DIR
|
||||
content: /var/log/rspamd
|
||||
|
||||
rspamd_config:
|
||||
- override.d/logging.inc
|
||||
- override.d/worker-normal.inc
|
||||
- override.d/worker-controller.inc
|
||||
- override.d/worker-fuzzy.inc
|
||||
- override.d/worker-proxy.inc
|
||||
|
||||
- local.d/redis.conf
|
||||
- local.d/options.inc
|
||||
- local.d/classifier-bayes.conf
|
||||
- local.d/composites.conf
|
||||
- local.d/fann_redis.conf
|
Loading…
Reference in a new issue