add postfix and journalwatch roles

diff --git a/email.yml b/email.yml
new file mode 100644 (file)
index 0000000..a4bb8e8
--- /dev/null
+++ b/email.yml
@@ -0,0 +1,4 @@
+- hosts: all
+  roles:
+  - postfix
+  - journalwatch

diff --git a/roles/journalwatch/tasks/main.yml b/roles/journalwatch/tasks/main.yml
new file mode 100644 (file)
index 0000000..773a2b2
--- /dev/null
+++ b/roles/journalwatch/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: install journalwatch dependencies
+  apt: name=python3-systemd state=latest
+- name: install journalwatch
+  git:
+    repo: 'https://github.com/The-Compiler/journalwatch.git'
+    version: b62f223bc36eabc193cfcf0d309d284da4f66463
+    dest: /root/journalwatch
+- name: create journalwatch config dir
+  file: path=/root/.config/journalwatch state=directory
+- name: install journalwatch config files
+  template:
+    src: templates/{{item}}
+    dest: /root/.config/journalwatch/{{item}}
+  with_items:
+  - config
+  - patterns
+- name: delete old journalwatch crontab entry
+  file: path=/etc/cron.d/journalwatch state=absent
+- name: create journalwatch crontab entry
+  cron:
+    name: "journalwatch"
+    minute: "*/10"
+    job: "/root/journalwatch/journalwatch.py mail"

diff --git a/roles/journalwatch/templates/config b/roles/journalwatch/templates/config
new file mode 100644 (file)
index 0000000..8da85b8
--- /dev/null
+++ b/roles/journalwatch/templates/config
@@ -0,0 +1,15 @@
+# vim: ft=dosini
+#
+# This is the config for journalwatch. All options are defined in the [DEFAULT]
+# section.
+#
+# You can add any commandline argument to the config, without the '--'.
+# See  journalwatch --help for all arguments and their description.
+
+[DEFAULT]
+# priority 5: notice
+priority=5
+mail_from=root
+mail_to=root
+mail_subject={hostname}: {count} system events
+mail_binary=/usr/sbin/sendmail

diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns
new file mode 100644 (file)
index 0000000..8b5d7d2
--- /dev/null
+++ b/roles/journalwatch/templates/patterns
@@ -0,0 +1,67 @@
+# In this file, patterns for journalwatch are defined to blacklist all journal
+# messages which are not errors.
+#
+# Lines starting with '#' are comments. Inline-comments are not permitted.
+#
+# The patterns are separated into blocks delimited by empty lines. Each block
+# matches on a log entry field, and the patterns in that block then are matched
+# against all messages with a matching log entry field.
+#
+# The syntax of a block looks like this:
+#
+# <field> = <value>
+# <pattern>
+# [<pattern>]
+# [...]
+#
+# If <value> starts and ends with a slash, it is interpreted as a regular
+# expression, if not, it's an exact match. Patterns are always regular
+# expressions.
+#
+# Below are some useful examples. If you have a small set of users, you might
+# want to adjust things like "user \w" to something like "user (root|foo|bar)".
+#
+# The regular expressions are extended Python regular expressions, for details
+# see:
+#
+# https://docs.python.org/3.4/library/re.html#regular-expression-syntax
+# https://docs.python.org/3.4/howto/regex.html
+# http://doc.pyschools.com/html/regex.html
+#
+# The journal fields are explained in systemd.journal-fields(7).
+
+_SYSTEMD_UNIT = systemd-logind.service
+New session [a-z]?\d+ of user \w+\.
+Removed session [a-z]?\d+\.
+
+SYSLOG_IDENTIFIER = /(CROND|crond)/
+pam_unix\(crond:session\): session (opened|closed) for user \w+
+\(\w+\) CMD .*
+
+SYSLOG_IDENTIFIER = systemd
+(Stopped|Stopping|Starting|Started) .*
+(Created slice|Removed slice) user-\d+\.slice\.
+Received SIGRTMIN\+24 from PID .*
+(Reached target|Stopped target) .*
+Startup finished in \d+ms\.
+
+_SYSTEMD_UNIT = init.scope
+user@\d+\.service: Killing process \d+ \(kill\) with signal SIGKILL\.
+
+SYSLOG_IDENTIFIER = sudo
+\s*[_\w.-]+ : TTY=(unknown|console|(pts/|ttyp?|vc/)\d+) ; PWD=[^;]+ ; USER=[._\w-]+ ; COMMAND=.*
+
+_SYSTEMD_UNIT = postfix@-.service
+warning: hostname [^\s]+ does not resolve to address [\da-fA-F.:]+(: Name or service not known)?
+warning: [._\w-]+\[[\da-fA-F.:]+\]: SASL LOGIN authentication failed: [._\w-]+
+warning: non-SMTP command from \w+\[[\da-fA-F.:]+\]: .*
+
+SYSLOG_IDENTIFIER = sshd
+error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .*
+error: maximum authentication attempts exceeded for invalid user \w+ from [\da-fA-F.:]+ port \d+ ssh2( \[preauth\])?
+
+_SYSTEMD_UNIT = bind9.service
+client [\da-fA-F.:]+#\d+ \([\w.-]+\): (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type))
+
+_SYSTEMD_UNIT = opendkim.service
+[A-Z0-9]+: bad signature data

diff --git a/roles/postfix/files/check-for-local-mail b/roles/postfix/files/check-for-local-mail
new file mode 100644 (file)
index 0000000..4f70a66
--- /dev/null
+++ b/roles/postfix/files/check-for-local-mail
@@ -0,0 +1,8 @@
+#!/bin/bash
+exists() {
+    [ -e "$1" ]
+}
+
+if exists /var/mail/*; then
+    echo "There is mail for some users in /var/mail!"
+fi

diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
new file mode 100644 (file)
index 0000000..69f8317
--- /dev/null
+++ b/roles/postfix/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: install postfix
+  apt: name=postfix,bsd-mailx state=latest
+- name: install postfix main.cf
+  register: config_main
+  template:
+    src: templates/main.cf
+    dest: /etc/postfix/main.cf
+- name: reload postfix
+  service: name=postfix state=restarted enabled=yes
+  when: config_main.changed
+- name: delete old local-mail cronjob
+  file: path=/etc/cron.daily/local-mail state=absent
+- name: install check-for-local-mail cronjob
+  copy:
+    src: files/check-for-local-mail
+    dest: /etc/cron.daily/check-for-local-mail
+    mode: u=rwx,g=rx,o=rx

diff --git a/roles/postfix/templates/main.cf b/roles/postfix/templates/main.cf
new file mode 100644 (file)
index 0000000..ac40750
--- /dev/null
+++ b/roles/postfix/templates/main.cf
@@ -0,0 +1,61 @@
+# local delivery: aliases only
+alias_maps = hash:/etc/aliases
+local_recipient_maps = $alias_maps
+# explicitly UNSET relay domains to prevent implicit domains
+relay_domains =
+# only consider ourselves local
+mynetworks_style = host
+{% if postfix.mynetworks is defined %}
+mynetworks = {{ postfix.mynetworks }}
+{% endif %}
+
+# TLS server parameters
+smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt+chain
+smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtpd_tls_security_level = may
+smtpd_tls_loglevel = 1
+smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem
+smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
+smtpd_tls_ciphers = low
+smtpd_tls_mandatory_ciphers = high
+# TLS client parameters
+smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
+smtp_tls_ciphers = low
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_security_level = dane
+smtp_dns_support_level = dnssec
+smtp_tls_loglevel = 1
+
+# postscreen config
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_whitelist_threshold = -2
+postscreen_dnsbl_sites =
+       ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*2
+       bl.spamcop.net dnsbl.sorbs.net bl.mailspike.net
+       swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
+postscreen_greet_action = enforce
+postscreen_dnsbl_action = enforce
+postscreen_pipelining_enable = yes
+postscreen_non_smtp_command_enable = yes
+postscreen_bare_newline_enable = yes
+# control relay access
+smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts,
+       # allow nobody else
+       defer_unauth_destination
+# spam-protection restrictions
+smtpd_helo_required = yes
+smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts,
+       # check everybody else
+       reject_unauth_pipelining,
+        reject_invalid_helo_hostname,
+       reject_non_fqdn_recipient,
+       reject_non_fqdn_sender,
+
+# misc
+smtpd_delay_reject = yes
+disable_vrfy_command = yes
+recipient_delimiter = +
+delay_warning_time = 4h
+message_size_limit = 21384000
+append_dot_mydomain = no