bundlewrap/bundles/postfix/metadata.py

154 lines
4 KiB
Python

from bundlewrap.metadata import atomic
defaults = {
'apt': {
'packages': {
'postfix': {},
'python3-dnsq': {
# handled by pkg_pip
'installed': False,
},
},
},
'icinga2_api': {
'postfix': {
'services': {
'POSTFIX PROCESS': {
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix@-',
},
'POSTFIX QUEUE': {
'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_postfix_queue -w 20 -c 40 -d 50',
},
},
},
},
'pacman': {
'packages': {
'postfix': {},
},
},
}
if node.has_bundle('postfixadmin'):
defaults['backups'] = {
'paths': {
'/var/mail',
},
}
defaults['icinga2_api']['postfix']['services'].update({
'SMTP CONNECT': {
'check_command': 'check_smtp',
'max_check_attempts': '5',
'retry_interval': '3m',
'vars.notification.sms': True,
},
'SMTP SUBMISSION CONNECT': {
'check_command': 'check_smtp',
'max_check_attempts': '5',
'retry_interval': '3m',
'vars.notification.sms': True,
'vars.port': '587',
},
})
else:
defaults['icinga2_api']['postfix']['services'].update({
'SMTP CONNECT': {
'command_on_monitored_host': '/usr/lib/nagios/plugins/check_smtp -H localhost',
},
})
if node.has_bundle('telegraf'):
defaults['telegraf'] = {
'input_plugins': {
'exec': {
'postfix': {
'commands': ['postfix-telegraf-queue'],
'interval': '30s',
'data_format': 'influx',
'timeout': '5s',
},
},
},
'sudo_commands': {
'/usr/sbin/postqueue -j',
},
}
@metadata_reactor.provides(
'letsencrypt/domains',
'letsencrypt/reload_after',
)
def letsencrypt(metadata):
if not node.has_bundle('letsencrypt') or not node.has_bundle('postfixadmin'):
raise DoNotRunAgain
result = {
'reload_after': {
'postfix',
},
}
result['domains'] = {
metadata.get('postfix/myhostname', metadata.get('hostname')): set(),
}
return {
'letsencrypt': result,
}
@metadata_reactor.provides(
'iptables/port_rules/25',
'iptables/port_rules/587',
'iptables/port_rules/2525',
)
def iptables(metadata):
if node.has_bundle('postfixadmin'):
default = {'*'}
else:
default = metadata.get('postfix/mynetworks', set())
rules = {
'25': atomic(metadata.get('postfix/restrict-to', default)),
}
if node.has_bundle('postfixadmin'):
rules['587'] = atomic(metadata.get('postfix/restrict-to', default))
rules['2525'] = atomic(metadata.get('postfix/restrict-to', default))
return {
'iptables': {
'port_rules': rules,
},
}
@metadata_reactor.provides(
'icinga2_api/postfix/services',
)
def icinga2(metadata):
if metadata.get('postfix/relayhost', ''):
# The system does not send mail on its own. There is no point in
# checking it for any listings.
return {}
services = {}
for ip_type in repo.libs.tools.resolve_identifier(repo, node.name).values():
for ip in ip_type:
if not ip.is_private:
services[f'SPAM BLOCKLIST {ip}'] = {
'command_on_monitored_host': f'/usr/local/share/icinga/plugins/check_spam_blocklist {ip}',
'vars.sshmon_timeout': 15,
'check_interval': '15m',
'retry_interval': '5m',
}
return {
'icinga2_api': {
'postfix': {
'services': services,
},
},
}