From 16805458c74b66d6e3c0f5b6e3559145488c7283 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 10 Jun 2018 19:40:56 +0200 Subject: [PATCH 01/16] Mailman CAPTCHA: rename displayhtml -> display --- roles/email/files/mailman-patched/Captcha.py | 2 +- roles/email/files/mailman-patched/Cgi/listinfo.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/email/files/mailman-patched/Captcha.py b/roles/email/files/mailman-patched/Captcha.py index 42f75f0..ae979d4 100644 --- a/roles/email/files/mailman-patched/Captcha.py +++ b/roles/email/files/mailman-patched/Captcha.py @@ -18,7 +18,7 @@ import random from Mailman import Utils -def displayhtml(mlist, captchas): +def display(mlist, captchas): """Returns a CAPTCHA question, the HTML for the answer box, and the data to be put into the CSRF token""" idx = random.randrange(len(captchas)) diff --git a/roles/email/files/mailman-patched/Cgi/listinfo.py b/roles/email/files/mailman-patched/Cgi/listinfo.py index 0ce6393..b46bab1 100644 --- a/roles/email/files/mailman-patched/Cgi/listinfo.py +++ b/roles/email/files/mailman-patched/Cgi/listinfo.py @@ -221,7 +221,7 @@ def list_listinfo(mlist, lang): # for our hash so it doesn't matter. remote = remote.rsplit(':', 1)[0] # get CAPTCHA data - (captcha_question, captcha_box, captcha_idx) = Captcha.displayhtml(mlist, mm_cfg.CAPTCHAS) + (captcha_question, captcha_box, captcha_idx) = Captcha.display(mlist, mm_cfg.CAPTCHAS) replacements[''] = captcha_question replacements[''] = captcha_box # fill form -- 2.30.2 From 413a688e37e2ca6fb569ec67f9b56b0b77f60d07 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sat, 16 Jun 2018 12:05:23 +0200 Subject: [PATCH 02/16] Install libpam-systemd before installing needrestart Otherwise, needrestart can pull in libpam-systemd from backports, and therefore upgrade the entire systemd to backports. --- roles/base/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index d1c108c..0757dc7 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -11,11 +11,11 @@ when: backports.rc != 0 apt_repository: repo='deb http://httpredir.debian.org/debian {{ansible_distribution_release}}-backports main contrib non-free' state=present update_cache=yes - name: get rid of packages we do not want - apt: name=exim4-base,rpcbind state=absent autoremove=yes + apt: name=exim4-base,rpcbind,procmail,fetchmail state=absent autoremove=yes +- name: install some basic tools + apt: name=nano,aptitude,rsync,git,mercurial,curl,apt-transport-https,psmisc,dnsutils,tree,htop,acl,libpam-systemd state=latest - name: install needrestart (from backports) apt: name=needrestart state=latest default_release={{ansible_distribution_release}}-backports -- name: install some basic tools - apt: name=aptitude,rsync,git,mercurial,curl,apt-transport-https,psmisc,dnsutils,tree,htop,acl state=latest # configuration - name: configure root shell copy: -- 2.30.2 From 93e78be7a2101609149534138cbd4c627a80c393 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sat, 16 Jun 2018 19:17:41 +0200 Subject: [PATCH 03/16] make letsencrypt optional for apache/postfix --- roles/apache/templates/000-default.conf | 2 ++ roles/email/templates/main.cf | 2 ++ site.yml | 3 +-- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/apache/templates/000-default.conf b/roles/apache/templates/000-default.conf index 8865a0a..23f6f5e 100644 --- a/roles/apache/templates/000-default.conf +++ b/roles/apache/templates/000-default.conf @@ -2,7 +2,9 @@ Redirect temp / https://{{ apache.default_host }}/ +{% if 'letsencrypt' in group_names %} Use SSL letsencrypt/live Redirect temp / https://{{ apache.default_host }}/ +{% endif %} diff --git a/roles/email/templates/main.cf b/roles/email/templates/main.cf index b674e42..eb6bdf1 100644 --- a/roles/email/templates/main.cf +++ b/roles/email/templates/main.cf 
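Review bot: The ordering constraint this hunk relies on — libpam-systemd must already be installed from the stable suite when the needrestart task runs, otherwise apt resolves it (and with it systemd) from backports — lives only in the commit message, so the next reordering of roles/base/tasks/main.yml can silently undo it. Add a comment above the moved task, e.g. `# keep libpam-systemd here, before the needrestart task: letting needrestart's backports pin pull it in drags all of systemd to backports`. The new basic-tools line also keeps `state=latest`, which turns every playbook run into an upgrade of this package list; if that is not the intent, `state=present` is the safer default.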
@@ -7,6 +7,7 @@ local_recipient_maps = $alias_maps mynetworks = {{ postfix.mynetworks }} {% endif %} +{% if 'letsencrypt' in group_names %} # TLS server parameters smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt+chain smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key @@ -17,6 +18,7 @@ smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 smtpd_tls_ciphers = low smtpd_tls_mandatory_ciphers = high +{% endif %} # TLS client parameters smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 smtp_tls_ciphers = low diff --git a/site.yml b/site.yml index 1483ba9..7c0c2d5 100644 --- a/site.yml +++ b/site.yml @@ -28,7 +28,7 @@ tags: letsencrypt - hosts: email - # depends: letsencrypt, unbound + # depends: unbound gather_facts: no roles: - email @@ -63,7 +63,6 @@ tags: prosody - hosts: apache - # depends: letsencrypt gather_facts: no roles: - apache -- 2.30.2 From d337571c2e21c7b410f5383233b388581817afe6 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sat, 16 Jun 2018 19:17:50 +0200 Subject: [PATCH 04/16] journalwatch: systemd error on strato --- roles/journalwatch/files/patterns | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/journalwatch/files/patterns b/roles/journalwatch/files/patterns index f556d3a..dd3b2d4 100644 --- a/roles/journalwatch/files/patterns +++ b/roles/journalwatch/files/patterns 
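Review bot: Hosts outside the letsencrypt group now receive no smtpd_tls_* settings at all, so the Postfix server side offers no STARTTLS; whether that is acceptable depends on what else the template enables for such a host (the submission/SASL settings are outside this hunk), and the risk is client credentials or relayed mail arriving in cleartext. Either add an `{% else %}` branch with a fallback certificate or at least state the consequence in the template, e.g. `{# no letsencrypt group: smtpd runs without TLS, so do not enable submission/SASL on this host #}`. The conditional opened in the first hunk continues past the hunk boundary and is closed by the `{% endif %}` added in the second hunk.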
@@ -56,6 +56,8 @@ warning: hostname [^\s]+ does not resolve to address [\da-fA-F.:]+(: Name or ser warning: [._\w-]+\[[\da-fA-F.:]+\]: SASL LOGIN authentication failed: .+ warning: non-SMTP command from \w+\[[\da-fA-F.:]+\]: .* warning: TLS library problem: error:[0-9A-F]+:SSL routines:\w+:(no shared cipher|decryption failed or bad record mac|unknown protocol|version too low):[\w./]+:\d+: +Failed to create /user.slice/user-\d+.slice/user@\d+.service/init.scope control group: Permission denied +Failed to allocate manager object: Permission denied _SYSTEMD_UNIT = dovecot.service auth: Warning: auth client \d+ disconnected with \d+ pending requests: (EOF|Connection reset by peer) -- 2.30.2 From e7f0dda5b871d22ea9925aeaf8a1513d9833128b Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sat, 16 Jun 2018 19:57:33 +0200 Subject: [PATCH 05/16] make unbound dependency for postfix optional --- roles/email/templates/main.cf | 5 +++-- site.yml | 1 - 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/email/templates/main.cf b/roles/email/templates/main.cf index eb6bdf1..cbd7b3d 100644 --- a/roles/email/templates/main.cf +++ b/roles/email/templates/main.cf @@ -24,9 +24,10 @@ smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 smtp_tls_ciphers = low smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_loglevel = 1 -{% if not(postfix.relay_host is defined) %} -smtp_tls_security_level = dane +{% if 'unbound' in group_names %} +# If there are TLSA records, enforce using encryption smtp_dns_support_level = dnssec +smtp_tls_security_level = dane {% endif %} {% if postfix.postscreen | default(False) %} diff --git a/site.yml b/site.yml index 7c0c2d5..f7fbc70 100644 --- a/site.yml +++ b/site.yml @@ -28,7 +28,6 @@ tags: letsencrypt - hosts: email - # depends: unbound gather_facts: no roles: - email -- 2.30.2 From dec35a3f16cf549b18439409490e529c0b89bdd8 Mon Sep 17 00:00:00 2001 
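Review bot: The first added pattern leaves its literal dots unescaped (`/user.slice`, `user-\d+.slice`, `user@\d+.service`, `init.scope`), whereas the neighbouring rules in this file escape them (e.g. `user@\d+\.service: Killing process` in the init.scope section visible in patch 07's hunk). These rules suppress journal lines from journalwatch's report, so an over-broad match hides more than the one known-bad message; write it as `Failed to create /user\.slice/user-\d+\.slice/user@\d+\.service/init\.scope control group: Permission denied` (the second added line contains no dots and needs no change). The same text is re-added when patch 07 moves it into roles/journalwatch/templates/patterns, and the `devices.allow on /system.slice/...` rule that patch 07 adds and patch 10 widens to `[a-z-]+.service` has the same unescaped dots.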
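Review bot: For hosts not in the unbound group this hunk no longer sets `smtp_tls_security_level` at all, where the old condition gave every host without a relay_host `dane`; unless the parameter is set elsewhere in the template (outside this hunk), Postfix's default applies and outbound SMTP leaves without any TLS. Keep opportunistic TLS as the floor with an else branch before the existing `{% endif %}`: `{% else %}` followed by `smtp_tls_security_level = may`. The added comment should also say what `dane` does when a destination has no usable TLSA record — it falls back to opportunistic TLS rather than enforcing encryption for every destination, so "enforce" only holds for domains that publish TLSA.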
From: Ralf Jung Date: Sat, 16 Jun 2018 20:01:27 +0200 Subject: [PATCH 06/16] permit configuring mail system hostname --- host_vars/template.yml | 2 ++ roles/email/templates/main.cf | 10 +++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/host_vars/template.yml b/host_vars/template.yml index fb971ba..6b9c4c7 100644 --- a/host_vars/template.yml +++ b/host_vars/template.yml @@ -1,6 +1,8 @@ postfix: # postmaster email address postmaster: postmaster@example.org + # optional: Hostname of this email system + hostname: mail.example.org # optional: Whether to put a postscreen on port 25 postscreen: True # optional: Open another SMTP daemon on port 26 that only accepts mail from local hosts diff --git a/roles/email/templates/main.cf b/roles/email/templates/main.cf index cbd7b3d..f6840cc 100644 --- a/roles/email/templates/main.cf +++ b/roles/email/templates/main.cf @@ -1,12 +1,16 @@ compatibility_level = 2 -# local delivery: aliases only -alias_maps = hash:/etc/aliases -local_recipient_maps = $alias_maps +{% if postfix.hostname is defined %} +myhostname = {{ postfix.hostname }} +{% endif %} {% if postfix.mynetworks is defined %} mynetworks = {{ postfix.mynetworks }} {% endif %} +# local delivery: aliases only +alias_maps = hash:/etc/aliases +local_recipient_maps = $alias_maps + {% if 'letsencrypt' in group_names %} # TLS server parameters smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt+chain -- 2.30.2 From fecf6724bb026a4891a89c33356870f83bcd76ee Mon Sep 17 00:00:00 2001 
From: Ralf Jung Date: Sat, 16 Jun 2018 20:06:44 +0200 Subject: [PATCH 07/16] journalwatch: only filter broken conterinerization messages on strato machines --- roles/journalwatch/tasks/main.yml | 4 ++-- roles/journalwatch/{files => templates}/config | 0 roles/journalwatch/{files => templates}/patterns | 9 +++++++-- 3 files changed, 9 insertions(+), 4 deletions(-) rename roles/journalwatch/{files => templates}/config (100%) rename roles/journalwatch/{files => templates}/patterns (91%) diff --git a/roles/journalwatch/tasks/main.yml b/roles/journalwatch/tasks/main.yml index 8e64af3..cfdac0d 100644 --- a/roles/journalwatch/tasks/main.yml +++ b/roles/journalwatch/tasks/main.yml @@ -8,8 +8,8 @@ - name: create journalwatch config dir file: path=/root/.config/journalwatch state=directory - name: install journalwatch config files - copy: - src: files/{{item}} + template: + src: templates/{{item}} dest: /root/.config/journalwatch/{{item}} loop: - config diff --git a/roles/journalwatch/files/config b/roles/journalwatch/templates/config similarity index 100% rename from roles/journalwatch/files/config rename to roles/journalwatch/templates/config diff --git a/roles/journalwatch/files/patterns b/roles/journalwatch/templates/patterns similarity index 91% rename from roles/journalwatch/files/patterns rename to roles/journalwatch/templates/patterns index dd3b2d4..c96c19a 100644 --- a/roles/journalwatch/files/patterns +++ b/roles/journalwatch/templates/patterns 
@@ -44,9 +44,16 @@ SYSLOG_IDENTIFIER = systemd Received SIGRTMIN\+24 from PID .* (Reached target|Stopped target) .* Startup finished in \d+ms\. +{% if journalwatch is defined and journalwatch.strato_broken | default(False) %} +Failed to create /user.slice/user-\d+.slice/user@\d+.service/init.scope control group: Permission denied +Failed to allocate manager object: Permission denied +{% endif %} _SYSTEMD_UNIT = init.scope user@\d+\.service: Killing process \d+ \(kill\) with signal SIGKILL\. +{% if journalwatch is defined and journalwatch.strato_broken | default(False) %} +Failed to set devices.allow on /system.slice/systemd-resolved.service: Operation not permitted +{% endif %} SYSLOG_IDENTIFIER = sudo \s*[_\w.-]+ : TTY=(unknown|console|(pts/|ttyp?|vc/)\d+) ; PWD=[^;]+ ; USER=[._\w-]+ ; COMMAND=.* @@ -56,8 +63,6 @@ warning: hostname [^\s]+ does not resolve to address [\da-fA-F.:]+(: Name or ser warning: [._\w-]+\[[\da-fA-F.:]+\]: SASL LOGIN authentication failed: .+ warning: non-SMTP command from \w+\[[\da-fA-F.:]+\]: .* warning: TLS library problem: error:[0-9A-F]+:SSL routines:\w+:(no shared cipher|decryption failed or bad record mac|unknown protocol|version too low):[\w./]+:\d+: -Failed to create /user.slice/user-\d+.slice/user@\d+.service/init.scope control group: Permission denied -Failed to allocate manager object: Permission denied _SYSTEMD_UNIT = dovecot.service auth: Warning: auth client \d+ disconnected with \d+ pending requests: (EOF|Connection reset by peer) -- 2.30.2 From e77c174c33c18df68635dbe6a8ec5686dd6176d8 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sat, 16 Jun 2018 20:15:22 +0200 Subject: [PATCH 08/16] postfix: permit adding more domains to virtual_mailbox_domains --- host_vars/template.yml | 2 ++ roles/email/templates/main.cf | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/host_vars/template.yml b/host_vars/template.yml index 6b9c4c7..142e408 100644 --- a/host_vars/template.yml +++ b/host_vars/template.yml 
@@ -14,6 +14,8 @@ postfix: submission: True # optional: From which IPs to accept mail. mynetworks: '127.0.0.0/8 [::1]/128 203.0.113.0/24' + # optional: Domains for which to receive emails and forward according to virtual_alias_map. + alias_domains: staff.example.org # optional: Hostnames and SHA1 certificate hashes that are allowed to relay email via this host. relay_client_cert_whitelist: - hostname: other.example.org diff --git a/roles/email/templates/main.cf b/roles/email/templates/main.cf index f6840cc..a03d627 100644 --- a/roles/email/templates/main.cf +++ b/roles/email/templates/main.cf @@ -87,7 +87,7 @@ relay_clientcerts = hash:$config_directory/relay_clientcerts {% endif %} # setup virtual delivery domains, aliases and destinations -virtual_mailbox_domains = +virtual_mailbox_domains = {{ postfix.alias_domains | default("") }} {% if postfix.mailman is defined %} {% for item in postfix.mailman.domains %} {{item}}{% endfor %}{% endif %} {% if postfix.dovecot is defined %} {% for item in postfix.dovecot.domains %} {{item}}{% endfor %}{% endif %} -- 2.30.2 From d69da4e51b13227263fb0f5588d65e92e4acb2d1 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 17 Jun 2018 23:08:35 +0200 Subject: [PATCH 09/16] only redirect to https if we have letsencrypt --- roles/apache/templates/000-default.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/apache/templates/000-default.conf b/roles/apache/templates/000-default.conf index 23f6f5e..0d68ad6 100644 --- a/roles/apache/templates/000-default.conf +++ b/roles/apache/templates/000-default.conf @@ -1,6 +1,10 @@ # redirect all undefined virtual hosts to {{ apache.default_host }} +{% if 'letsencrypt' in group_names %} Redirect temp / https://{{ apache.default_host }}/ +{% else %} + Redirect temp / http://{{ apache.default_host }}/ +{% endif %} {% if 'letsencrypt' in group_names %} -- 2.30.2 From 4aa3d130fde5af8dc1cd3e3e17b63d94f36b8003 Mon Sep 17 00:00:00 2001 
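Review bot: `postfix.alias_domains` is rendered into `virtual_mailbox_domains`, although Postfix has a separate `virtual_alias_domains` parameter and the host_vars comment describes these as domains that are forwarded via the virtual alias map; a reader of the template cannot tell whether listing them as mailbox domains is deliberate. Add a comment on the changed line, e.g. `# alias-only domains are listed as mailbox domains so that one recipient-validation path covers them — TODO confirm`. The value is also inserted as a single string with no loop, so several domains must be given space-separated in host_vars; the host_vars comment should say so.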
From: Ralf Jung Date: Mon, 18 Jun 2018 09:05:29 +0200 Subject: [PATCH 10/16] ignore more strato-specific errors --- roles/journalwatch/templates/patterns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index c96c19a..1fbd309 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns @@ -52,7 +52,7 @@ Failed to allocate manager object: Permission denied _SYSTEMD_UNIT = init.scope user@\d+\.service: Killing process \d+ \(kill\) with signal SIGKILL\. {% if journalwatch is defined and journalwatch.strato_broken | default(False) %} -Failed to set devices.allow on /system.slice/systemd-resolved.service: Operation not permitted +Failed to set devices.allow on /system.slice/[a-z-]+.service: Operation not permitted {% endif %} SYSLOG_IDENTIFIER = sudo -- 2.30.2 From 70a4efa949da7609c24611196d7af3417db9afc7 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 18 Jun 2018 09:23:24 +0200 Subject: [PATCH 11/16] update site.yml dependency comment --- site.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/site.yml b/site.yml index f7fbc70..d503df3 100644 --- a/site.yml +++ b/site.yml @@ -1,8 +1,9 @@ # Dependencies are "expressed" by the hosts file, e.g. # ``` +# [email:children] +# journalwatch # [letsencrypt:children] -# apache -# email +# prosody # ``` # I tried using role dependencies but that doesn't interact well with tags: # When restricting to a tag, its dependencies still get played. -- 2.30.2 From d03c2eddf4a205a02db229ef10d2fbed666858b4 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 18 Jun 2018 11:34:25 +0200 Subject: [PATCH 12/16] journalwatch: bind --- roles/journalwatch/templates/patterns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index 1fbd309..1e8adfe 100644 --- a/roles/journalwatch/templates/patterns 
+++ b/roles/journalwatch/templates/patterns @@ -72,7 +72,7 @@ error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .* error: maximum authentication attempts exceeded for (invalid user \w*|\w+) from [\da-fA-F.:]+ port \d+ ssh2( \[preauth\])? _SYSTEMD_UNIT = bind9.service -client [\da-fA-F.:]+#\d+ \([\w.-]+\): (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type)) +client [\da-fA-F.:]+#\d+ \([\w.-]+\): (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input)) _SYSTEMD_UNIT = opendkim.service [A-Z0-9]+: (bad signature data|failed to parse [Aa]uthentication-[Rr]esults: header field) -- 2.30.2 From 95b82708df05b1794e7991904899659f2ddc40cd Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Thu, 21 Jun 2018 10:02:08 +0200 Subject: [PATCH 13/16] add script to continuously check DNS settings --- roles/unbound/tasks/main.yml | 5 +++++ roles/unbound/templates/fix-dns | 12 ++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 roles/unbound/templates/fix-dns diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index c53cecb..988517f 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -34,3 +34,8 @@ copy: dest: /etc/resolv.conf content: "nameserver 127.0.0.2\n" +# some providers need extra hacks to make our DNS persistent +- name: install DNS-fix cronjob + template: + dest: /etc/cron.hourly/fix-dns + src: templates/fix-dns diff --git a/roles/unbound/templates/fix-dns b/roles/unbound/templates/fix-dns new file mode 100644 index 0000000..ca7f860 --- /dev/null +++ b/roles/unbound/templates/fix-dns 
@@ -0,0 +1,12 @@ +#!/bin/bash +set -e + +# Fix for some providers messing with DNS settings +if ! diff /etc/resolv.conf <(echo "nameserver 127.0.0.2") > /dev/null; then + echo "Someone messed up our DNS! Fixing it..." + echo "nameserver 127.0.0.2" > /etc/resolv.conf +{% if 'email' in group_names %} + # Just to make sure postfix uses the new settings + systemctl restart postfix +{% endif %} +fi -- 2.30.2 From 84ef3f297780eacbe571dc1d6b33c00ec141eccf Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Thu, 21 Jun 2018 10:05:28 +0200 Subject: [PATCH 14/16] fix cronjob mode --- roles/unbound/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 988517f..d8d03e3 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -39,3 +39,4 @@ template: dest: /etc/cron.hourly/fix-dns src: templates/fix-dns + mode: +x -- 2.30.2 From fea5c9af78fd0460bbe3a581a28648bc941a9476 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 24 Jun 2018 18:30:28 +0200 Subject: [PATCH 15/16] disable upgrade debug output for now --- upgrade.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/upgrade.yml b/upgrade.yml index 1b4ab61..402de2a 100644 --- a/upgrade.yml +++ b/upgrade.yml @@ -10,4 +10,4 @@ environment: NEEDRESTART_MODE: a register: upgrade - - debug: msg={{ upgrade.msg }} +# - debug: msg={{ upgrade.msg }} -- 2.30.2 From 4e75ff92c8935c88936e6b1a7d751f96a4b15516 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Wed, 27 Jun 2018 09:27:32 +0200 Subject: [PATCH 16/16] journalwatch: bind --- roles/journalwatch/templates/patterns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/journalwatch/templates/patterns b/roles/journalwatch/templates/patterns index 1e8adfe..5a94891 100644 --- a/roles/journalwatch/templates/patterns +++ b/roles/journalwatch/templates/patterns 
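Review bot: The `echo "nameserver 127.0.0.2" > /etc/resolv.conf` line writes through a symlink, so if the provider's tooling made /etc/resolv.conf a link to a file it manages, the fix lands in that managed file rather than replacing the link, and presumably the cycle repeats on the next regeneration; the role's `copy:` task for the same path in roles/unbound/tasks/main.yml does replace it. `rm -f /etc/resolv.conf` immediately before the echo makes the cron fix behave like the task. The postfix restart is gated on group membership but otherwise unconditional, so a host where postfix was stopped on purpose gets it started by this script; `systemctl try-restart postfix` restarts it only if it is running.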
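Review bot: `mode: +x` is a symbolic mode applied on top of whatever bits the file already has, so the result depends on the umask the template was first written with and can end up more permissive than intended; an explicit octal such as `mode: '0755'` (quoted so YAML does not parse it as a number) is deterministic and is what run-parts in /etc/cron.hourly needs. The file is root-owned, so the executable bit is the only functional requirement, but an explicit mode is easier to audit.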
@@ -72,7 +72,7 @@ error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .* error: maximum authentication attempts exceeded for (invalid user \w*|\w+) from [\da-fA-F.:]+ port \d+ ssh2( \[preauth\])? _SYSTEMD_UNIT = bind9.service -client [\da-fA-F.:]+#\d+ \([\w.-]+\): (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input)) +client [\da-fA-F.:]+#\d+( \([\w.-]+\))?: (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input)) _SYSTEMD_UNIT = opendkim.service [A-Z0-9]+: (bad signature data|failed to parse [Aa]uthentication-[Rr]esults: header field) -- 2.30.2