From 8e6e40abc4944c1fc3cf7a0b06d8158c0820c1b7 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 8 Jan 2015 22:44:36 -0400
Subject: propellor spin
---
 config-joey.hs | 4 +++
 src/Propellor/Property/SiteSpecific/JoeySites.hs | 39 ++++++++++++++++++++++--
 2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/config-joey.hs b/config-joey.hs
index d8aefd1a..726623a4 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -74,6 +74,10 @@ darkstar = host "darkstar.kitenet.net"
 & Docker.configured
 ! Docker.docked gitAnnexAndroidDev
+ & JoeySites.dkimInstalled
+ & JoeySites.postfixClientRelay (Context "darkstar.kitenet.net")
+ & JoeySites.dkimMilter
+
 
 clam :: Host
 clam = standardSystem "clam.kitenet.net" Unstable "amd64"
 [ "Unreliable server. Anything here may be lost at any time!" ]
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index 9d84716a..cb80a21b 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@@ -465,8 +465,7 @@ kiteMailServer = propertyList "kitenet.net mail server"
 , "/etc/aliases" `File.hasPrivContentExposed` ctx
 `onChange` Postfix.newaliases
 , hasJoeyCAChain
- "/etc/ssl/certs/postfix.pem" `File.hasPrivContentExposed` ctx
- "/etc/ssl/private/postfix.pem" `File.hasPrivContent` ctx
+ , hasPostfixCert ctx
 , "/etc/postfix/mydomain" `File.containsLines`
 [ "/.*\\.kitenet\\.net/\tOK"
@@ -589,6 +588,25 @@ kiteMailServer = propertyList "kitenet.net mail server"
 pinescript = "/usr/local/bin/pine"
 dovecotusers = "/etc/dovecot/users"
 
+-- Configures postfix to relay outgoing mail to kitenet.net, with
+-- verification via tls cert.
+postfixClientRelay :: Context -> Property
+postfixClientRelay ctx = Postfix.mainCfFile `File.containsLines`
+ [ "relayhost = kitenet.net"
+ , "smtp_tls_CAfile = /etc/ssl/certs/joeyca.pem"
+ , "smtp_tls_cert_file = /etc/ssl/certs/postfix.pem"
+ , "smtp_tls_key_file = /etc/ssl/private/postfix.pem"
+ , "smtp_tls_loglevel = 0"
+ , "smtp_use_tls = yes"
+ ]
+ `describe` "postfix client relay"
+ `onChange` Postfix.dedupMainCf
+ `onChange` Postfix.reloaded
+ `requires` hasJoeyCAChain
+ `requires` hasPostfixCert ctx
+
+-- This does not configure postfix to use the dkim milter,
+-- nor does it set up domainkey DNS.
 dkimInstalled :: Property
 dkimInstalled = propertyList "opendkim installed"
 [ Apt.serviceInstalledRunning "opendkim"
@@ -605,6 +623,17 @@ dkimInstalled = propertyList "opendkim installed"
 ]
 `onChange` Service.restarted "opendkim"
 
+-- Configures postfix to have the dkim milter, and no other milters.
+dkimMilter :: Property
+dkimMilter = Postfix.mainCfFile `File.containsLines`
+ [ "inet:localhost:8891"
+ , "non_smtpd_milters = inet:localhost:8891"
+ , "milter_default_action = accept"
+ ]
+ `describe` "postfix dkim milter"
+ `onChange` Postfix.dedupMainCf
+ `onChange` Postfix.reloaded
+
 -- This is the dkim public key, corresponding with /etc/mail/dkim.key
 -- This value can be included in a domain's additional records to make
 -- it use this domainkey.
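Review bot: `smtp_use_tls = yes` in the postfixClientRelay list only enables opportunistic TLS, so darkstar will still hand mail to whatever answers as kitenet.net in cleartext if STARTTLS is not offered (or is stripped by an on-path attacker), and it never enforces a check of the relayhost's certificate against `smtp_tls_CAfile` — the "verification via tls cert" in the comment can only mean the relay verifying darkstar's client cert, not the reverse. If kitenet.net's postfix cert chains to joeyca.pem (the shared hasJoeyCAChain/hasPostfixCert pair suggests so, but this hunk does not show it), replacing that line with `"smtp_tls_security_level = secure"` would both refuse cleartext and pin the relayhost to the local CA; `smtp_use_tls` is the legacy knob that `smtp_tls_security_level` supersedes. Either way the comment should state which side is verified, e.g. `-- The relay authenticates this host by its postfix.pem client cert; the relayhost itself is not verified.`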
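Review bot: The first entry in the dkimMilter list, `"inet:localhost:8891"`, is missing its parameter name and should read `, "smtpd_milters = inet:localhost:8891"`; as written postfix gets a main.cf line that is not a `key = value` setting, `smtpd_milters` stays unset, and only locally submitted mail (via `non_smtpd_milters`) is DKIM-signed while anything arriving over SMTP/submission leaves unsigned. `milter_default_action = accept` additionally means a stopped or unreachable opendkim is silently tolerated and mail goes out unsigned rather than being deferred, which is a defensible availability trade-off but deserves a comment such as `-- accept: if opendkim is down, mail goes out unsigned rather than being held.` The property has no `requires` on dkimInstalled, so whether opendkim is actually listening on localhost:8891 depends on the host's property ordering and on dkimInstalled's socket configuration, neither of which is visible in this hunk.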
@@ -615,6 +644,12 @@ hasJoeyCAChain :: Property
 hasJoeyCAChain = "/etc/ssl/certs/joeyca.pem" `File.hasPrivContentExposed`
 Context "joeyca.pem"
 
+hasPostfixCert :: Context -> Property
+hasPostfixCert ctx = combineProperties "postfix tls cert installed"
+ [ "/etc/ssl/certs/postfix.pem" `File.hasPrivContentExposed` ctx
+ , "/etc/ssl/private/postfix.pem" `File.hasPrivContent` ctx
+ ]
+
 kitenetHttps :: Property
 kitenetHttps = propertyList "kitenet.net https certs"
 [ File.hasPrivContent "/etc/ssl/certs/web.pem" ctx
-- cgit v1.2.3