Dirk
/
Ansible-Test
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Weitere Daeien hinzugefügt

master
Dirk Wirts 2 years ago
parent
bc24f838a6
commit
72d5016cbf
3 changed files with 352 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 242
      ansible-create_mailrelay.yml
  2. 71
      ansible-create_unify.yml
  3. 39
      setups/install-ansible.sh

242
ansible-create_mailrelay.yml
View File

@ -0,0 +1,242 @@
---
- name: Setup and Configure Mail Relay Docker Container
hosts: your_target_host
become: true
vars:
mail_relay_dir: /mnt/docker/mail-relay
conf_dir: "{{ mail_relay_dir }}/conf"
mail_relay_password: "{{ lookup('community.general.random_string', length=10, special=false) }}"
certificate_subject: "/C=DE/ST=Germany/L=NRW/O=Asmodee Group/OU=Mail-Relay/CN=localhost/name=Mail-Relay/emailAddress=it-admin@asmodee.de"
tasks:
- name: Create necessary directories
file:
path: "{{ item }}"
state: directory
loop:
- "{{ mail_relay_dir }}"
- "{{ conf_dir }}"
- "{{ mail_relay_dir }}/spool"
- "{{ mail_relay_dir }}/sasl2"
- name: Create Dockerfile for mail relay
copy:
dest: /mnt/docker/mail-relay/mail-relay.Dockerfile
content: |
FROM alpine:3.17
RUN apk add --no-cache bash net-tools tzdata busybox-extras postfix cyrus-sasl cyrus-sasl-static cyrus-sasl-login
RUN echo 'saslauthd -a sasldb -V; postfix start-fg' | tee /start.sh; chmod 755 /start.sh
CMD /start.sh
- name: Create Docker Compose file
copy:
dest: /mnt/docker/mail-relay/docker-compose.yaml
content: |
version: "3"
services:
mail-relay:
image: mail-relay-custom
build:
context: .
dockerfile: ./mail-relay.Dockerfile
container_name: mail-relay
restart: unless-stopped
healthcheck:
test: ( grep -qr "master" /proc/*/status && grep -qr "saslauthd" /proc/*/status ) || exit 1
interval: 1m
timeout: 30s
retries: 3
volumes:
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
- ./main.cf:/etc/postfix/main.cf:ro
- ./master.cf:/etc/postfix/master.cf:ro
- ./conf:/etc/postfix/conf
- ./spool:/var/spool/postfix
- ./sasl2:/etc/sasl2
networks:
default:
name: build
external: true
- name: Create main.cf Postfix configuration file
copy:
dest: "{{ conf_dir }}/main.cf"
content: |
# Global Postfix configuration file
alias_maps = lmdb:/etc/postfix/conf/aliases
alias_database = lmdb:/etc/postfix/conf/aliases
myhostname = mail-relay
mynetworks_style = host
inet_interfaces = all
inet_protocols = ipv4
message_size_limit = 10240000
soft_bounce = no
# Queue Time
bounce_queue_lifetime = 10h
maximal_queue_lifetime = 12h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m
# TLS for smtp
smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
smtp_tls_security_level = secure
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Send over Smarthost (outgoing Emails)
smtp_connection_cache_on_demand = no
smtp_sender_dependent_authentication = yes
smtp_sasl_type = cyrus
smtp_sasl_auth_enable = yes
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = lmdb:/etc/postfix/conf/smtp_sasl_password_maps
sender_dependent_relayhost_maps = lmdb:/etc/postfix/conf/sender_dependent_relayhost_maps
# Cleanup the Header
smtp_header_checks = regexp:/etc/postfix/conf/smtp_header_checks
# SASL authentication (incoming Emails)
broken_sasl_auth_clients = no
smtpd_tls_auth_only = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = $smtpd_sender_restrictions
# TLS for smtpd
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/conf/server.crt
smtpd_tls_key_file = /etc/postfix/conf/server.key
# connection limits
smtpd_client_connection_rate_limit = 0
smtpd_client_connection_count_limit = 0
# Logging for Docker Container
maillog_file = /dev/stdout
- name: Create master.cf Postfix configuration file
copy:
dest: "{{ conf_dir }}/master.cf"
content: |
# Postfix master process configuration file
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
-o syslog_name=postfix/smtp
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
- name: Generate RSA private key
openssl_privatekey:
path: "{{ conf_dir }}/server.key"
size: 4096
- name: Generate a Self Signed OpenSSL certificate
openssl_certificate:
path: "{{ conf_dir }}/server.crt"
privatekey_path: "{{ conf_dir }}/server.key"
subject: "{{ certificate_subject }}"
provider: selfsigned
- name: Set permissions for server.key
file:
path: "{{ conf_dir }}/server.key"
mode: '0644'
- name: Create smtp_sasl_password_maps file
copy:
dest: "{{ conf_dir }}/smtp_sasl_password_maps"
content: "mail@notifications.asmodee.de apikey:{{ password }}"
mode: '0600'
- name: Create sender_dependent_relayhost_maps file
copy:
dest: "{{ conf_dir }}/sender_dependent_relayhost_maps"
content: "mail@notifications.asmodee.de [smtp.sendgrid.net]:"
- name: Create aliases file
file:
path: "{{ conf_dir }}/aliases"
state: touch
- name: Create smtp_header_checks file
copy:
dest: "{{ conf_dir }}/smtp_header_checks"
content: |
/^Received:/ IGNORE
/^User-Agent:/ IGNORE
/^Message-ID:/ IGNORE
/^X-Originating-ip:/ IGNORE
/^X-Forward:/ IGNORE
/^X-Mailer:/ IGNORE
/^X-Virus-/ IGNORE
/^X-Spam-/ IGNORE
- name: Start Docker container with Docker Compose
community.docker.docker_compose:
project_src: "{{ mail_relay_dir }}"
state: present
restarted: yes
- name: Update Postfix maps and aliases
community.docker.docker_container_exec:
container: mail-relay
command: "{{ item }}"
loop:
- "postmap /etc/postfix/conf/smtp_sasl_password_maps"
- "postmap /etc/postfix/conf/sender_dependent_relayhost_maps"
- "postalias /etc/postfix/conf/aliases"
- name: Configure SASL password and permissions
community.docker.docker_container_exec:
container: mail-relay
command: "sh -c 'echo {{ mail_relay_password }} | saslpasswd2 -c -p -u mail-relay relay-apikey; chmod 640 /etc/sasl2/sasldb2; chown root:postfix /etc/sasl2/sasldb2'"
- name: List SASL users
community.docker.docker_container_exec:
container: mail-relay
command: "sasldblistusers2"

71
ansible-create_unify.yml
View File

@ -0,0 +1,71 @@
---
- name: Setup UniFi Controller Docker Container
hosts: your_target_host
become: true
vars:
unifi_dir: /mnt/docker/unifi-controller
cert_dir: "{{ unifi_dir }}/data/cert"
cert_files:
- unifi-controller.asmodee.local.crt
- unifi-controller.asmodee.local.key
- root-ca.crt
tasks:
- name: Create necessary directories
file:
path: "{{ item }}"
state: directory
loop:
- "{{ unifi_dir }}"
- "{{ cert_dir }}"
- name: Create Docker Compose file for UniFi Controller
copy:
dest: "{{ unifi_dir }}/docker-compose.yaml"
content: |
version: "3"
services:
unifi-controller:
image: jacobalberty/unifi:latest
container_name: unifi-controller
restart: unless-stopped
healthcheck:
test: grep -qr "java" /proc/*/status || exit 1
interval: 1m
timeout: 30s
retries: 3
ports:
- 6789:6789
- 8080:8080
- 8443:8443
- 8843:8843
- 8880:8880
- 3478:3478/udp
environment:
- RUNAS_UID0=false
volumes:
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
- ./data:/unifi
- ./run:/var/run/unifi
networks:
default:
name: build
external: true
- name: Copy certificate files to UniFi directory
copy:
src: "{{ item }}"
dest: "{{ cert_dir }}/{{ item }}"
mode: '0600'
loop: "{{ cert_files }}"
- name: Append certificate to chain file
command:
cmd: "cat {{ cert_dir }}/{{ cert_files[0] }} >> {{ cert_dir }}/chain.pem"
- name: Start Docker container with Docker Compose
community.docker.docker_compose:
project_src: "{{ unifi_dir }}"
state: present
restarted: yes

39
setups/install-ansible.sh
View File

@ -0,0 +1,39 @@
#!/bin/bash
# Ensure the script is run as root
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
# Update and Upgrade the System
apt update && apt upgrade -y
# Install sudo and other necessary packages
apt install -y sudo openssh-server
# Create the ansible user
useradd -m -s /bin/bash ansible
# Set up SSH for the ansible user
mkdir -p /home/ansible/.ssh
chmod 700 /home/ansible/.ssh
touch /home/ansible/.ssh/authorized_keys
chmod 600 /home/ansible/.ssh/authorized_keys
# Replace 'your_public_key' with the actual public key
echo 'your_public_key' > /home/ansible/.ssh/authorized_keys
# Change ownership of the .ssh directory to the ansible user
chown -R ansible:ansible /home/ansible/.ssh
# Configure sudo privileges
echo 'ansible ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/ansible
# Ensure the sudoers file is secure
chmod 0440 /etc/sudoers.d/ansible
# Install Ansible
apt install -y ansible
echo "Ansible and user setup complete."
Write Preview
Loading…
Cancel
Save