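from bundlewrap.metadata import atomic

# Bundlewrap metadata for the postfix bundle.
#
# `node`, `repo`, `metadata_reactor` and `DoNotRunAgain` are not imported
# here: bundlewrap injects them into the namespace of every metadata.py
# it loads, which is why they appear unbound below.

defaults = {
    'apt': {
        'packages': {
            'postfix': {},
            'python3-dnsq': {},
        },
    },
    'icinga2_api': {
        'postfix': {
            'services': {
                'POSTFIX PROCESS': {
                    'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix@-',
                },
                'POSTFIX QUEUE': {
                    'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_postfix_queue -w 20 -c 40 -d 50',
                },
            },
        },
    },
}

if node.has_bundle('postfixadmin'):
    # A node that also carries postfixadmin keeps mailboxes locally, so the
    # mail spool is backed up and the SMTP (25) and submission (587)
    # endpoints are checked from the monitoring host.
    defaults['backups'] = {
        'paths': {
            '/var/mail',
        },
    }
    defaults['icinga2_api']['postfix']['services'].update({
        'SMTP CONNECT': {
            'check_command': 'check_smtp',
            'vars.notification.sms': True,
        },
        'SMTP SUBMISSION CONNECT': {
            'check_command': 'check_smtp',
            'vars.port': '587',
            'vars.notification.sms': True,
        },
    })
else:
    # Without postfixadmin the SMTP check only runs on the node itself
    # against localhost; nothing is probed from the outside.
    defaults['icinga2_api']['postfix']['services'].update({
        'SMTP CONNECT': {
            'command_on_monitored_host': '/usr/lib/nagios/plugins/check_smtp -H localhost',
        },
    })


@metadata_reactor.provides(
    'letsencrypt/domains',
    'letsencrypt/reload_after',
)
def letsencrypt(metadata):
    """Register the mail hostname with the letsencrypt bundle.

    Only runs when both the ``letsencrypt`` and the ``postfixadmin``
    bundle are present on this node; otherwise the reactor is disabled
    for good via ``DoNotRunAgain``.

    The domain is ``postfix/myhostname``, falling back to the node's
    ``hostname`` metadata, and ``postfix`` is added to
    ``letsencrypt/reload_after``.
    """
    if not node.has_bundle('letsencrypt') or not node.has_bundle('postfixadmin'):
        raise DoNotRunAgain

    mail_hostname = metadata.get('postfix/myhostname', metadata.get('hostname'))
    return {
        'letsencrypt': {
            'reload_after': {
                'postfix',
            },
            'domains': {
                mail_hostname: set(),
            },
        },
    }


@metadata_reactor.provides(
    'iptables/port_rules/25',
    'iptables/port_rules/587',
    'iptables/port_rules/2525',
)
def iptables(metadata):
    """Open the SMTP ports in the node's firewall metadata.

    Port 25 is always opened.  Ports 587 and 2525 are opened only on
    nodes that also run ``postfixadmin``.

    The allowed sources are taken from ``postfix/restrict-to``.  When that
    key is unset, a postfixadmin node falls back to ``{'*'}`` (presumably
    "any source" in this repo's iptables bundle -- worth keeping in mind
    when reviewing exposure), and any other node falls back to
    ``postfix/mynetworks`` (or an empty set when that is unset as well).
    Each rule set is wrapped in ``atomic`` so it replaces rather than
    merges with other metadata sources.
    """
    has_postfixadmin = node.has_bundle('postfixadmin')
    if has_postfixadmin:
        # The original spelled this as `set('*')`, which only yields {'*'}
        # because the string happens to be one character long; the set
        # literal says what is meant.
        default = {'*'}
    else:
        default = metadata.get('postfix/mynetworks', set())

    # The same source list applies to every port; look it up once.
    sources = metadata.get('postfix/restrict-to', default)

    rules = {
        '25': atomic(sources),
    }
    if has_postfixadmin:
        rules['587'] = atomic(sources)
        rules['2525'] = atomic(sources)

    return {
        'iptables': {
            'port_rules': rules,
        },
    }


@metadata_reactor.provides(
    'icinga2_api/postfix/services',
)
def icinga2(metadata):
    """Add a blocklist check for every public IP address of this node.

    Nodes with a ``postfix/relayhost`` do not send mail on their own, so
    there is no point in checking them for any listings and an empty
    dict is returned.  Otherwise one ``SPAM BLOCKLIST <ip>`` service is
    created per non-private address.
    """
    if metadata.get('postfix/relayhost', ''):
        # The system does not send mail on its own. There is no point in
        # checking it for any listings.
        return {}

    services = {}
    # NOTE(review): resolve_identifier() is assumed to return a mapping of
    # address family -> iterable of ipaddress-like objects (it is only
    # used via .values() and .is_private here) -- confirm in repo.libs.tools.
    for addresses in repo.libs.tools.resolve_identifier(repo, node.name).values():
        for ip in addresses:
            # Private addresses cannot appear on a public blocklist.
            if ip.is_private:
                continue
            services[f'SPAM BLOCKLIST {ip}'] = {
                'command_on_monitored_host': f'/usr/local/share/icinga/plugins/check_spam_blocklist {ip}',
                'vars.sshmon_timeout': 15,
                'check_interval': '15m',
                'retry_interval': '5m',
            }

    return {
        'icinga2_api': {
            'postfix': {
                'services': services,
            },
        },
    }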