ghp/ansible
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

mass update

Browse Source
This commit is contained in:
ace
2024-05-25 18:12:30 +03:00
parent d057e60ea4
commit 6b2f7f716d
38 changed files with 569 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
requirements.txt
View File

@@ -1,28 +1,29 @@
ansible==7.6.0
ansible-core==2.14.7
cachetools==5.3.1
certifi==2023.5.7
cffi==1.15.1
charset-normalizer==3.1.0
cryptography==41.0.1
google-auth==2.21.0
idna==3.4
Jinja2==3.1.2
kubernetes==26.1.0
MarkupSafe==2.1.3
ansible==9.5.1
ansible-core==2.16.6
cachetools==5.3.3
certifi==2024.2.2
cffi==1.16.0
charset-normalizer==3.3.2
cryptography==42.0.7
google-auth==2.29.0
idna==3.7
Jinja2==3.1.4
kubernetes==29.0.0
MarkupSafe==2.1.5
netaddr==1.2.1
oauthlib==3.2.2
openshift==0.13.1
packaging==23.1
pyasn1==0.5.0
pyasn1-modules==0.3.0
pycparser==2.21
python-dateutil==2.8.2
openshift==0.13.2
packaging==24.0
pyasn1==0.6.0
pyasn1_modules==0.4.0
pycparser==2.22
python-dateutil==2.9.0.post0
python-string-utils==1.0.0
PyYAML==6.0
PyYAML==6.0.1
requests==2.31.0
requests-oauthlib==1.3.1
resolvelib==0.8.1
requests-oauthlib==2.0.0
resolvelib==1.0.1
rsa==4.9
six==1.16.0
urllib3==1.26.16
websocket-client==1.6.1
urllib3==2.2.1
websocket-client==1.8.0

2
roles/adguard-home/tasks/main.yaml
View File

@@ -19,7 +19,7 @@
group: cert-manager.io
- set_fact:
adguard_combined_values: "{{ adguard_default_values | combine(adguard_values, recursive=true) }}"
adguard_combined_values: "{{ adguard_default_values | combine(adguard_values | default({}), recursive=true) }}"
- name: Deploy Adguard Home
kubernetes.core.helm:

2
roles/bitwarden/tasks/main.yaml
View File

@@ -5,7 +5,7 @@
- postgres_enabled is defined and postgres_enabled
- set_fact:
bitwarden_combined_values: "{{ bitwarden_default_values | combine(bitwarden_values, recursive=true) }}"
bitwarden_combined_values: "{{ bitwarden_default_values | combine(bitwarden_values | default({}), recursive=true) }}"
- name: Deploy Bitwarden
kubernetes.core.helm:

2
roles/ceph-csi-cephfs/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
ceph_csi_cephfs_combined_values: "{{ ceph_csi_cephfs_default_values | combine(ceph_csi_cephfs_values, recursive=true) }}"
ceph_csi_cephfs_combined_values: "{{ ceph_csi_cephfs_default_values | combine(ceph_csi_cephfs_values | default({}), recursive=true) }}"
- name: Deploy CSI CephFS {{ ceph_csi_cephfs_version }}
kubernetes.core.helm:

2
roles/ceph-csi-rbd/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
ceph_csi_rbd_combined_values: "{{ ceph_csi_rbd_default_values | combine(ceph_csi_rbd_values, recursive=true) }}"
ceph_csi_rbd_combined_values: "{{ ceph_csi_rbd_default_values | combine(ceph_csi_rbd_values | default({}), recursive=true) }}"
- name: Deploy CSI Ceph RBD {{ ceph_csi_rbd_version }}
kubernetes.core.helm:

2
roles/cert-manager/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
cert_manager_combined_values: "{{ cert_manager_default_values | combine(cert_manager_values, recursive=true) }}"
cert_manager_combined_values: "{{ cert_manager_default_values | combine(cert_manager_values | default({}), recursive=true) }}"
- name: Deploy Cert-manager {{ cert_manager_version }}
kubernetes.core.helm:

199
roles/dovecot/defaults/main.yaml
View File

@@ -51,14 +51,12 @@ dovecot_default_values:
auth-ldap: |
passdb {
driver = ldap
# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
args = /etc/dovecot/ldap.conf
}
userdb {
driver = ldap
args = /etc/dovecot/ldap.conf
}
10-auth: |
auth_default_realm = {{ domain }}
@@ -158,7 +156,202 @@ dovecot_default_values:
ssl = required
#verbose_ssl = yes
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
ssl_min_protocol = TLSv1.3
ssl_cert = </tls/tls.crt
ssl_key = </tls/tls.key
10-logging: |
log_path = /dev/stderr
info_log_path = /dev/stdout
debug_log_path = /dev/stdout
15-lda: |
postmaster_address = postmaster@{{ domain }}
hostname = {{ domain }}
rejection_reason = Your message to was automatically rejected:%n%r
protocol lda {
mail_plugins = virtual sieve
}
20-lmtp: |
protocol lmtp {
mail_plugins = virtual sieve
postmaster_address = postmaster@{{ domain }}
}
20-managesieve: |
service managesieve-login {
inet_listener sieve {
port = 4190
ssl = yes
}
service_count = 1
vsz_limit = 64M
}
service managesieve {
process_limit = 1024
}
service:
type: LoadBalancer
loadBalancerIP: "{{ dovecot_loadbalancer_ip | default(omit) }}"
# WIP
dovecot_oidc: false
dovecot_oidc_default_values:
replicaCount: 1
persistence:
enabled: true
existingClaim: mailboxes
tls:
enabled: true
existingSecret: "{{ mail_short_name | default('mail') }}.{{ domain }}-secret"
dovecot:
configmaps:
dovecot:
dovecot: |
protocols = imap lmtp sieve
mail_max_userip_connections = 1000
mail_plugins = virtual
auth_debug = yes
auth_verbose = yes
#haproxy_trusted_networks = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
#haproxy_timeout = 30s
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
oauth2: |
introspection_mode = post
introspection_url = https://{{ dovecot_oidc_username }}:{{ dovecot_oidc_password }}@keycloak.{{ domain }}/auth/realms/{{ keycloak_realm }}/protocol/openid-connect/token/introspect
grant_url = https://keycloak.{{ domain }}/auth/realms/{{ keycloak_realm }}/protocol/openid-connect/token
#client_id = dovecot
#client_secret = X10dQgQprHLxZj8nsvB2fEpJwuBr0hWq
tokeninfo_url = https://keycloak.{{ domain }}/auth/realms/{{ keycloak_realm }}/protocol/openid-connect/token
#tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
rawlog_dir = /tmp/oauth2
debug = yes
#use_grant_password = no
#username_attribute = username
#pass_attrs = pass=%{oauth2:access_token}
ldap: |
confd:
auth-ldap: |
auth-oauth2: |
passdb {
driver = oauth2
mechanisms = xoauth2 oauthbearer
args = /etc/dovecot/oauth2.conf
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/home/vmail/%u
}
10-auth: |
auth_default_realm = {{ domain }}
auth_username_format = %Lu
auth_mechanisms = plain login xoauth2 oauthbearer
10-mail: |
mail_location = maildir:%h
namespace inbox {
inbox = yes
}
mail_uid = vmail
mail_gid = vmail
first_valid_uid = 1000
last_valid_uid = 1000
first_valid_gid = 1000
last_valid_gid = 1000
protocol !indexer-worker {
}
mbox_write_locks = fcntl
10-master: |
protocol imap {
mail_plugins = virtual
}
service imap-login {
inet_listener imap {
#port = 143
}
inet_listener imaps {
#port = 993
#ssl = yes
}
inet_listener imap_haproxy {
port = 1109
#haproxy = yes
}
inet_listener imaps_haproxy {
port = 10993
ssl = yes
#haproxy = yes
}
}
service pop3-login {
inet_listener pop3 {
#port = 110
}
inet_listener pop3s {
#port = 995
#ssl = yes
}
}
service lmtp {
inet_listener lmtp {
port = 24
}
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
group = postfix
user = postfix
}
user = vmail
}
service imap {
}
service pop3 {
}
service auth {
inet_listener {
port = 12345
}
unix_listener auth-userdb {
mode = 0660
user = vmail
#group =
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
service auth-worker {
}
service dict {
unix_listener dict {
}
}
10-ssl: |
ssl = required
#verbose_ssl = yes
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.3
ssl_cert = </tls/tls.crt
ssl_key = </tls/tls.key
10-logging: |

8
roles/dovecot/tasks/main.yaml
View File

@@ -1,5 +1,10 @@
- set_fact:
dovecot_combined_values: "{{ dovecot_default_values | combine(dovecot_values, recursive=true) }}"
dovecot_combined_values: "{{ dovecot_default_values | combine(dovecot_values | default({}), recursive=true) }}"
when: not mail_oidc
- set_fact:
dovecot_combined_values: "{{ dovecot_oidc_default_values | combine(dovecot_oidc_values | default({}), recursive=true) }}"
when: mail_oidc
- name: Deploy Dovecot
kubernetes.core.helm:
@@ -9,5 +14,4 @@
chart_ref: "{{ dovecot_chart_ref }}"
chart_version: "{{ dovecot_version | default(omit) }}"
release_values: "{{ dovecot_combined_values | from_yaml }}"
wait: true

2
roles/external-dns/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
external_dns_combined_values: "{{ external_dns_default_values | combine(external_dns_values, recursive=true) }}"
external_dns_combined_values: "{{ external_dns_default_values | combine(external_dns_values | default({}), recursive=true) }}"
- name: Deploy external DNS
kubernetes.core.helm:

2
roles/external-ingress-nginx/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
external_ingress_nginx_combined_values: "{{ external_ingress_nginx_default_values | combine(external_ingress_nginx_values, recursive=true) }}"
external_ingress_nginx_combined_values: "{{ external_ingress_nginx_default_values | combine(external_ingress_nginx_values | default({}), recursive=true) }}"
- name: Deploy external Nginx Ingress
kubernetes.core.helm:

2
roles/gitea-act-runner/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
gitea_act_runner_combined_values: "{{ gitea_act_runner_default_values | combine(gitea_act_runner_values, recursive=true) }}"
gitea_act_runner_combined_values: "{{ gitea_act_runner_default_values | combine(gitea_act_runner_values | default({}), recursive=true) }}"
- name: Deploy Gitea Act Runner
kubernetes.core.helm:

10
roles/gitea/tasks/main.yaml
View File

@@ -5,20 +5,20 @@
- postgres_enabled is defined and postgres_enabled
- set_fact:
gitea_combined_values: "{{ gitea_default_values | combine(gitea_values, recursive=true) }}"
gitea_combined_values: "{{ gitea_default_values | combine(gitea_values | default({}), recursive=true) }}"
- set_fact:
gitea_combined_values: "{{ gitea_combined_values | combine(gitea_external_db_values, recursive=true) }}"
gitea_combined_values: "{{ gitea_combined_values | combine(gitea_external_db_values | default({}), recursive=true) }}"
when: gitea_use_external_db
- set_fact:
gitea_dns_combined_values: "{{ gitea_dns_default_values | combine(gitea_dns_values, recursive=true) }}"
gitea_dns_combined_values: "{{ gitea_dns_default_values | combine(gitea_dns_values | default({}), recursive=true) }}"
- set_fact:
gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_default_values | combine(gitea_ingress_nginx_values, recursive=true) }}"
gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_default_values | combine(gitea_ingress_nginx_values | default({}), recursive=true) }}"
- set_fact:
gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_combined_values | combine(gitea_publish_ingress_nginx_values, recursive=true) }}"
gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_combined_values | combine(gitea_publish_ingress_nginx_values | default({}), recursive=true) }}"
when: gitea_publish_web
- name: Deploy Nginx Ingress for Gitea

2
roles/harbor/tasks/main.yaml
View File

@@ -5,7 +5,7 @@
- postgres_enabled is defined and postgres_enabled
- set_fact:
harbor_combined_values: "{{ harbor_default_values | combine(harbor_values, recursive=true) }}"
harbor_combined_values: "{{ harbor_default_values | combine(harbor_values | default({}), recursive=true) }}"
- name: Deploy Harbor
kubernetes.core.helm:

2
roles/internal-dns/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
internal_dns_combined_values: "{{ internal_dns_default_values | combine(internal_dns_values, recursive=true) }}"
internal_dns_combined_values: "{{ internal_dns_default_values | combine(internal_dns_values | default({}), recursive=true) }}"
- name: Deploy internal DNS
kubernetes.core.helm:

2
roles/internal-ingress-nginx/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
internal_ingress_nginx_combined_values: "{{ internal_ingress_nginx_default_values | combine(internal_ingress_nginx_values, recursive=true) }}"
internal_ingress_nginx_combined_values: "{{ internal_ingress_nginx_default_values | combine(internal_ingress_nginx_values | default({}), recursive=true) }}"
- name: Deploy internal Nginx Ingress
kubernetes.core.helm:

2
roles/keycloak/tasks/main.yaml
View File

@@ -5,7 +5,7 @@
- postgres_enabled is defined and postgres_enabled
- set_fact:
keycloak_combined_values: "{{ keycloak_default_values | combine(keycloak_values, recursive=true) }}"
keycloak_combined_values: "{{ keycloak_default_values | combine(keycloak_values | default({}), recursive=true) }}"
- name: Deploy Keycloak
kubernetes.core.helm:

2
roles/local-dns/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
local_dns_combined_values: "{{ local_dns_default_values | combine(local_dns_values, recursive=true) }}"
local_dns_combined_values: "{{ local_dns_default_values | combine(local_dns_values | default({}), recursive=true) }}"
- name: Deploy local DNS
kubernetes.core.helm:

2
roles/local-ingress-nginx/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
local_ingress_nginx_combined_values: "{{ local_ingress_nginx_default_values | combine(local_ingress_nginx_values, recursive=true) }}"
local_ingress_nginx_combined_values: "{{ local_ingress_nginx_default_values | combine(local_ingress_nginx_values | default({}), recursive=true) }}"
- name: Deploy local Nginx Ingress
kubernetes.core.helm:

3
roles/mail/defaults/main.yaml
View File

@@ -1 +1,4 @@
mail_short_name: "mail"
# WIP
mail_oidc: false

4
roles/mail/tasks/main.yaml
View File

@@ -37,11 +37,15 @@
storageClassName: "{{ mailbox_storage | default('nfs-hdd') }}"
- name: Deploy Postfix
vars:
postfix_oidc: "{{ mail_oidc }}"
import_role:
name: postfix
tags: postfix
- name: Deploy Dovecot
vars:
dovecot_oidc: "{{ mail_oidc }}"
import_role:
name: dovecot
tags: dovecot

2
roles/mastodon/tasks/main.yaml
View File

@@ -5,7 +5,7 @@
- postgres_enabled is defined and postgres_enabled
- set_fact:
mastodon_combined_values: "{{ mastodon_default_values | combine(mastodon_values, recursive=true) }}"
mastodon_combined_values: "{{ mastodon_default_values | combine(mastodon_values | default({}), recursive=true) }}"
- name: Deploy Mastodon
kubernetes.core.helm:

2
roles/metallb/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
metallb_combined_values: "{{ metallb_default_values | combine(metallb_values, recursive=true) }}"
metallb_combined_values: "{{ metallb_default_values | combine(metallb_values | default({}), recursive=true) }}"
- name: Deploy MetalLB
kubernetes.core.helm:

2
roles/metrics-server/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
metrics_server_combined_values: "{{ metrics_server_default_values | combine(metrics_server_values, recursive=true) }}"
metrics_server_combined_values: "{{ metrics_server_default_values | combine(metrics_server_values | default({}), recursive=true) }}"
- name: Deploy Metrics server
kubernetes.core.helm:

2
roles/minio/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
minio_combined_values: "{{ minio_default_values | combine(minio_values, recursive=true) }}"
minio_combined_values: "{{ minio_default_values | combine(minio_values | default({}), recursive=true) }}"
- name: Deploy MinIO
kubernetes.core.helm:

2
roles/nextcloud/tasks/main.yaml
View File

@@ -5,7 +5,7 @@
- postgres_enabled is defined and postgres_enabled
- set_fact:
nextcloud_combined_values: "{{ nextcloud_default_values | combine(nextcloud_values, recursive=true) }}"
nextcloud_combined_values: "{{ nextcloud_default_values | combine(nextcloud_values | default({}), recursive=true) }}"
- name: Deploy Nextcloud
kubernetes.core.helm:

4
roles/nfs-client-provisioner/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
nfs_client_provisioner_hdd_combined_values: "{{ nfs_client_provisioner_hdd_default_values | combine(nfs_client_provisioner_hdd_values, recursive=true) }}"
nfs_client_provisioner_hdd_combined_values: "{{ nfs_client_provisioner_hdd_default_values | combine(nfs_client_provisioner_hdd_values | default({}), recursive=true) }}"
- name: Deploy NFS client provisioner for HDD storage
kubernetes.core.helm:
@@ -12,7 +12,7 @@
wait: true
- set_fact:
nfs_client_provisioner_ssd_combined_values: "{{ nfs_client_provisioner_ssd_default_values | combine(nfs_client_provisioner_ssd_values, recursive=true) }}"
nfs_client_provisioner_ssd_combined_values: "{{ nfs_client_provisioner_ssd_default_values | combine(nfs_client_provisioner_ssd_values | default({}), recursive=true) }}"
- name: Deploy NFS client provisioner for SSD storage
kubernetes.core.helm:

2
roles/openldap/tasks/main.yaml
View File

@@ -31,7 +31,7 @@
group: cert-manager.io
- set_fact:
openldap_combined_values: "{{ openldap_default_values | combine(openldap_values, recursive=true) }}"
openldap_combined_values: "{{ openldap_default_values | combine(openldap_values | default({}), recursive=true) }}"
- name: Deploy OpenLDAP
kubernetes.core.helm:

2
roles/peertube/tasks/main.yaml
View File

@@ -5,7 +5,7 @@
- postgres_enabled is defined and postgres_enabled
- set_fact:
peertube_combined_values: "{{ peertube_default_values | combine(peertube_values, recursive=true) }}"
peertube_combined_values: "{{ peertube_default_values | combine(peertube_values | default({}), recursive=true) }}"
- name: Deploy PeerTube
kubernetes.core.helm:

2
roles/playmaker/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
playmaker_combined_values: "{{ playmaker_default_values | combine(playmaker_values, recursive=true) }}"
playmaker_combined_values: "{{ playmaker_default_values | combine(playmaker_values | default({}), recursive=true) }}"
- name: Deploy Docker playmaker
kubernetes.core.helm:

284
roles/postfix/defaults/main.yaml
View File

@@ -287,6 +287,290 @@ postfix_default_values:
query_filter = mail=%s
result_attribute = cn
cache = no
service:
type: LoadBalancer
loadBalancerIP: "{{ postfix_loadbalancer_ip | default(omit) }}"
# WIP
postfix_oidc: false
postfix_oidc_default_values:
replicaCount: 1
persistence:
enabled: true
existingClaim: mailboxes
tls:
enabled: true
existingSecret: "{{ mail_short_name | default('mail') }}.{{ domain }}-secret"
postfix:
configmaps:
main: |
#smtp_host_lookup = native
compatibility_level = 2
maillog_file = /dev/stdout
# Use ipv4 and listen on all interfaces
inet_protocols = ipv4
inet_interfaces = all
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
# Postfix full server name for mail send/recieve
myhostname = {{ mail_short_name | default('mail') }}.{{ domain }}
# Set domain name
mydomain = {{ domain }}
# Local name for mail send
myorigin = $mydomain
# Local mail delivery
mydestination = $myhostname, localhost.$mydomain, localhost
# Transport type
local_transport = virtual
# Local users map
#local_recipient_maps = $virtual_mailbox_maps
# Reject code
unknown_local_recipient_reject_code = 550
# Virtual domain list
virtual_mailbox_domains = {{ domain }}
virtual_mailbox_base = /var/mail/vhosts
# Allowed users map
#virtual_mailbox_maps = ldap:/etc/postfix/ldap-local-recipients.cf
# Dovecot socket for mail delivery
#virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_transport = lmtp:inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:24
# Certs and TLS options
smtpd_tls_cert_file = /tls/tls.crt
smtpd_tls_key_file = /tls/tls.key
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_security_level = may
# DANE-Settings
#smtp_dns_support_level=dnssec
#smtp_host_lookup=dns
#smtp_tls_security_level = dane
#smtp_tls_loglevel=1
# Filters for mail
smtpd_helo_required = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unauth_destination
smtpd_discard_ehlo_keywords = ''
# SASL auth with dovecot options
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:12345
smtpd_sasl_local_domain = $myorigin
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
smtpd_milters = inet:{{ rspamd_short_name | default('rspamd') }}.{{ namespace }}.svc.cluster.local:11332
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
sendmail_path = /usr/sbin/sendmail
html_directory = no
setgid_group = postdrop
manpage_directory = /usr/share/man
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
master: |
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
2525 inet n - n - 1 postscreen
#-o postscreen_upstream_proxy_protocol=haproxy
-o postscreen_cache_map=btree:$data_directory/postscreen_2525_cache
-o syslog_name=postfix/2525
10587 inet n - n - - smtpd
-o syslog_name=postfix/10587
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=no
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:12345
#-o smtpd_upstream_proxy_protocol=haproxy
10465 inet n - n - - smtpd
-o syslog_name=postfix/10465
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:12345
#-o smtpd_upstream_proxy_protocol=haproxy
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
#dane unix - - n - - smtp
# -o smtp_dns_support_level=dnssec
# -o smtp_tls_security_level=dane
#policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf
ldap-local-recipients: |
service:
type: LoadBalancer
loadBalancerIP: "{{ postfix_loadbalancer_ip | default(omit) }}"

7
roles/postfix/tasks/main.yaml
View File

@@ -1,5 +1,10 @@
- set_fact:
postfix_combined_values: "{{ postfix_default_values | combine(postfix_values, recursive=true) }}"
postfix_combined_values: "{{ postfix_default_values | combine(postfix_values | default({}), recursive=true) }}"
when: not mail_oidc
- set_fact:
postfix_combined_values: "{{ postfix_oidc_default_values | combine(postfix_oidc_values | default({}), recursive=true) }}"
when: mail_oidc
- name: Deploy Postfix
kubernetes.core.helm:

4
roles/postgres/tasks/main.yaml
View File

@@ -43,7 +43,7 @@
ALLOW_NOSSL: "true"
- set_fact:
postgres_operator_combined_values: "{{ postgres_operator_default_values | combine(postgres_operator_values, recursive=true) }}"
postgres_operator_combined_values: "{{ postgres_operator_default_values | combine(postgres_operator_values | default({}), recursive=true) }}"
when: postgres_operator_enabled
- name: Deploy Postgres Operator
@@ -58,7 +58,7 @@
when: postgres_operator_enabled
- set_fact:
postgres_operator_ui_combined_values: "{{ postgres_operator_ui_default_values | combine(postgres_operator_ui_values, recursive=true) }}"
postgres_operator_ui_combined_values: "{{ postgres_operator_ui_default_values | combine(postgres_operator_ui_values | default({}), recursive=true) }}"
when: postgres_operator_ui_enabled
- name: Deploy Postgres Operator UI

2
roles/pypiserver/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
pypiserver_combined_values: "{{ pypiserver_default_values | combine(pypiserver_values, recursive=true) }}"
pypiserver_combined_values: "{{ pypiserver_default_values | combine(pypiserver_values | default({}), recursive=true) }}"
- name: Deploy pypiserver
kubernetes.core.helm:

4
roles/roundcube/defaults/main.yaml
View File

@@ -77,7 +77,7 @@ roundcube_default_values:
'ssl' => array(
'verify_peer' => false,
'allow_self_signed' => true,
'ciphers' => 'TLSv1.2+HIGH:!aNull:@STRENGTH',
'ciphers' => 'TLSv1.3+HIGH:!aNull:@STRENGTH',
),
);
// For STARTTLS SMTP
@@ -85,7 +85,7 @@ roundcube_default_values:
'ssl' => array(
'verify_peer' => false,
'allow_self_signed' => true,
'ciphers' => 'TLSv1.2+HIGH:!aNull:@STRENGTH',
'ciphers' => 'TLSv1.3+HIGH:!aNull:@STRENGTH',
),
);
?>

2
roles/roundcube/tasks/main.yaml
View File

@@ -5,7 +5,7 @@
- postgres_enabled is defined and postgres_enabled
- set_fact:
roundcube_combined_values: "{{ roundcube_default_values | combine(roundcube_values, recursive=true) }}"
roundcube_combined_values: "{{ roundcube_default_values | combine(roundcube_values | default({}), recursive=true) }}"
- name: Deploy RoundCube
kubernetes.core.helm:

2
roles/rspamd/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
rspamd_combined_values: "{{ rspamd_default_values | combine(rspamd_values, recursive=true) }}"
rspamd_combined_values: "{{ rspamd_default_values | combine(rspamd_values | default({}), recursive=true) }}"
- name: Deploy Rspamd
kubernetes.core.helm:

2
roles/service-dns/tasks/main.yaml
View File

@@ -1,5 +1,5 @@
- set_fact:
service_dns_combined_values: "{{ service_dns_default_values | combine(service_dns_values, recursive=true) }}"
service_dns_combined_values: "{{ service_dns_default_values | combine(service_dns_values | default({}), recursive=true) }}"
- name: Deploy service DNS
kubernetes.core.helm:

2
roles/wikijs/tasks/main.yaml
View File

@@ -5,7 +5,7 @@
- postgres_enabled is defined and postgres_enabled
- set_fact:
wikijs_combined_values: "{{ wikijs_default_values | combine(wikijs_values, recursive=true) }}"
wikijs_combined_values: "{{ wikijs_default_values | combine(wikijs_values | default({}), recursive=true) }}"
- name: Deploy WikiJS
kubernetes.core.helm: