bundles/rspamd: introduce, add to htz.ex42-1048908
Some checks failed
bundlewrap/pipeline/head There was a failure building this commit
Some checks failed
bundlewrap/pipeline/head There was a failure building this commit
This commit is contained in:
parent
a236444fe5
commit
15428b03be
14 changed files with 179 additions and 7 deletions
4
bundles/rspamd/files/dkim.conf
Normal file
4
bundles/rspamd/files/dkim.conf
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
# TODO
|
||||||
|
path = "/var/lib/rspamd/dkim/$selector.key";
|
||||||
|
selector = "2019";
|
||||||
|
allow_username_mismatch = true;
|
3
bundles/rspamd/files/ip_whitelist.map
Normal file
3
bundles/rspamd/files/ip_whitelist.map
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
% for ip in sorted(node.metadata.get('rspamd', {}).get('ignore_spam_check_for_ips', set())):
|
||||||
|
${ip}
|
||||||
|
% endfor
|
1
bundles/rspamd/files/local.d/classifier-bayes.conf
Normal file
1
bundles/rspamd/files/local.d/classifier-bayes.conf
Normal file
|
@ -0,0 +1 @@
|
||||||
|
backend = "redis";
|
2
bundles/rspamd/files/local.d/logging.inc
Normal file
2
bundles/rspamd/files/local.d/logging.inc
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
systemd = true;
|
||||||
|
type = "console";
|
2
bundles/rspamd/files/local.d/milter_headers.conf
Normal file
2
bundles/rspamd/files/local.d/milter_headers.conf
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
|
||||||
|
authenticated_headers = ["authentication-results"];
|
6
bundles/rspamd/files/local.d/multimap.conf
Normal file
6
bundles/rspamd/files/local.d/multimap.conf
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
IP_WHITELIST {
|
||||||
|
type = "ip";
|
||||||
|
prefilter = true;
|
||||||
|
map = "/etc/rspamd/local.d/ip_whitelist.map";
|
||||||
|
action = "accept";
|
||||||
|
}
|
1
bundles/rspamd/files/local.d/redis.conf
Normal file
1
bundles/rspamd/files/local.d/redis.conf
Normal file
|
@ -0,0 +1 @@
|
||||||
|
servers = "127.0.0.1";
|
1
bundles/rspamd/files/local.d/worker-normal.inc
Normal file
1
bundles/rspamd/files/local.d/worker-normal.inc
Normal file
|
@ -0,0 +1 @@
|
||||||
|
bind_socket = "localhost:11333";
|
7
bundles/rspamd/files/local.d/worker-proxy.inc
Normal file
7
bundles/rspamd/files/local.d/worker-proxy.inc
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
bind_socket = "localhost:11332";
|
||||||
|
milter = yes;
|
||||||
|
timeout = 120s;
|
||||||
|
upstream "local" {
|
||||||
|
default = yes;
|
||||||
|
self_scan = yes;
|
||||||
|
}
|
6
bundles/rspamd/files/override.d/antivirus.conf
Normal file
6
bundles/rspamd/files/override.d/antivirus.conf
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
clamav {
|
||||||
|
servers = "/run/clamav/clamd.ctl";
|
||||||
|
action = "reject";
|
||||||
|
type = "clamav";
|
||||||
|
symbol = "CLAM_VIRUS";
|
||||||
|
}
|
1
bundles/rspamd/files/worker-controller.inc
Normal file
1
bundles/rspamd/files/worker-controller.inc
Normal file
|
@ -0,0 +1 @@
|
||||||
|
password = "${node.metadata['rspamd']['password']}";
|
88
bundles/rspamd/items.py
Normal file
88
bundles/rspamd/items.py
Normal file
|
@ -0,0 +1,88 @@
|
||||||
|
from os import listdir
|
||||||
|
from os.path import join
|
||||||
|
|
||||||
|
directories = {
|
||||||
|
'/etc/rspamd/local.d': {
|
||||||
|
'purge': True,
|
||||||
|
'needs': {
|
||||||
|
'pkg_apt:rspamd',
|
||||||
|
},
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:rspamd:restart',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
'/etc/rspamd/override.d': {
|
||||||
|
'purge': True,
|
||||||
|
'needs': {
|
||||||
|
'pkg_apt:rspamd',
|
||||||
|
},
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:rspamd:restart',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
svc_systemd = {
|
||||||
|
'rspamd': {
|
||||||
|
'needs': {
|
||||||
|
'file:',
|
||||||
|
'pkg_apt:rspamd',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
'clamav-daemon': {
|
||||||
|
'needs': {
|
||||||
|
'pkg_apt:clamav',
|
||||||
|
'pkg_apt:clamav-daemon',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
'clamav-freshclam': {
|
||||||
|
'needs': {
|
||||||
|
'pkg_apt:clamav-freshclam',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
files = {
|
||||||
|
'/etc/rspamd/local.d/ip_whitelist.map': {
|
||||||
|
'content_type': 'mako',
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:rspamd:restart',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
# TODO manage this using bundlewrap
|
||||||
|
if node.metadata.get('rspamd', {}).get('dkim', False):
|
||||||
|
for i in {'arc', 'dkim_signing'}:
|
||||||
|
files[f'/etc/rspamd/local.d/{i}.conf'] = {
|
||||||
|
'source': 'dkim.conf',
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:rspamd:restart',
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
if 'password' in node.metadata.get('rspamd', {}):
|
||||||
|
files['/etc/rspamd/local.d/worker-controller.inc'] = {
|
||||||
|
'content_type': 'mako',
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:rspamd:restart',
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
local_config_path = join(repo.path, 'bundles', 'rspamd', 'files', 'local.d')
|
||||||
|
for f in listdir(local_config_path):
|
||||||
|
files[f'/etc/rspamd/local.d/{f}'] = {
|
||||||
|
'source': f'local.d/{f}',
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:rspamd:restart',
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
override_config_path = join(repo.path, 'bundles', 'rspamd', 'files', 'override.d')
|
||||||
|
for f in listdir(override_config_path):
|
||||||
|
files[f'/etc/rspamd/override.d/{f}'] = {
|
||||||
|
'source': f'override.d/{f}',
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:rspamd:restart',
|
||||||
|
},
|
||||||
|
}
|
|
@ -1,8 +1,40 @@
|
||||||
# WIP
|
# WIP
|
||||||
defaults = {
|
defaults = {
|
||||||
'apt': {
|
'apt': {
|
||||||
|
'repos': {
|
||||||
|
'rspamd': {
|
||||||
|
'items': {
|
||||||
|
'deb [arch=amd64] http://rspamd.com/apt-stable/ {os_release} main',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
'packages': {
|
'packages': {
|
||||||
|
'clamav': {},
|
||||||
|
'clamav-daemon': {},
|
||||||
|
'clamav-freshclam': {},
|
||||||
|
'clamav-unofficial-sigs': {},
|
||||||
'rspamd': {},
|
'rspamd': {},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
'cron': {
|
||||||
|
'clamav-unofficial-sigs': f'{node.magic_number%60} */4 * * * clamav /usr/sbin/clamav-unofficial-sigs >/dev/null',
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Nodes managed by us should always be able to send mail to all other
|
||||||
|
# servers.
|
||||||
|
@metadata_reactor
|
||||||
|
def populate_permitted_ips_list_with_ips_from_repo(metadata):
|
||||||
|
ips = set()
|
||||||
|
|
||||||
|
for rnode in repo.nodes:
|
||||||
|
for ip in repo.libs.tools.resolve_identifier(repo, rnode.name):
|
||||||
|
if not ip.is_private:
|
||||||
|
ips.add(str(ip))
|
||||||
|
|
||||||
|
return {
|
||||||
|
'rspamd': {
|
||||||
|
'ignore_spam_check_for_ips': ips,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
|
@ -96,14 +96,8 @@ nodes['htz.ex42-1048908'] = {
|
||||||
'matrix.franzi.business': {
|
'matrix.franzi.business': {
|
||||||
'franzi.business',
|
'franzi.business',
|
||||||
},
|
},
|
||||||
'mx0.kunbox.net': set(), # TODO move to bundle
|
|
||||||
'part.of.the.trans-agenda.eu': set(),
|
'part.of.the.trans-agenda.eu': set(),
|
||||||
},
|
},
|
||||||
'reload_after': {
|
|
||||||
# TODO move to bundles
|
|
||||||
'dovecot',
|
|
||||||
'postfix',
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
'matrix-synapse': {
|
'matrix-synapse': {
|
||||||
'server_name': 'franzi.business',
|
'server_name': 'franzi.business',
|
||||||
|
@ -197,7 +191,7 @@ nodes['htz.ex42-1048908'] = {
|
||||||
'extras': True,
|
'extras': True,
|
||||||
},
|
},
|
||||||
'postfixadmin.mx0.kunbox.net': {
|
'postfixadmin.mx0.kunbox.net': {
|
||||||
'webroot': '/srv/postfixadmin/public/',
|
'webroot': '/opt/postfixadmin/public/',
|
||||||
'php': True,
|
'php': True,
|
||||||
},
|
},
|
||||||
'rspamd.mx0.kunbox.net': {
|
'rspamd.mx0.kunbox.net': {
|
||||||
|
@ -281,6 +275,30 @@ nodes['htz.ex42-1048908'] = {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
'rspamd': {
|
||||||
|
'dkim': True,
|
||||||
|
'ignore_spam_check_for_ips': {
|
||||||
|
# entropia
|
||||||
|
'188.40.158.213',
|
||||||
|
'188.40.158.214',
|
||||||
|
'188.40.158.218',
|
||||||
|
'2a01:4f8:221:2f83:2130::2',
|
||||||
|
'2a01:4f8:221:2f83:2140::2',
|
||||||
|
'2a01:4f8:221:2f83:2180::2',
|
||||||
|
# ccc
|
||||||
|
'212.12.55.65',
|
||||||
|
'212.12.55.67',
|
||||||
|
'2a00:14b0:4200:3000:23:55:0:65',
|
||||||
|
# IN-Berlin mailman
|
||||||
|
'130.133.8.35',
|
||||||
|
'192.109.42.28',
|
||||||
|
'193.29.188.9',
|
||||||
|
'217.197.80.23',
|
||||||
|
'217.197.80.134',
|
||||||
|
'2001:bf0:c000:a::2:134',
|
||||||
|
},
|
||||||
|
'password': vault.decrypt('encrypt$gAAAAABfp7qzym32R6Go1A6oax0NGQM7EBMckbEbnZC6-RSKx-klSJsL57XbSUTD-AJM-gBIPzlmor-3bfVxPWLRYXtO8uTVw6jNQ1yt15ReHkOTijVqV2ACk-LTDBG3p4YKBn0pQgNvvjXhWV_J1-Pgjywbl4sHXc0zqjCGZ6xtEn6ywj0Pd599JJjREF4QCIFVZVWuKvo1'),
|
||||||
|
},
|
||||||
'travelynx': {
|
'travelynx': {
|
||||||
'version': '1.18.7',
|
'version': '1.18.7',
|
||||||
'mail_from': 'travelynx@franzi.business',
|
'mail_from': 'travelynx@franzi.business',
|
||||||
|
|
Loading…
Reference in a new issue