postfix: move postfix installation from evolinux-base to postfix role, plus some refactoring

postfix: * Move common packages installation in common.yml * Replace ansible_fqdn by evolinux_fqdn, set postfix_slow_transport_include to false by default (only for packmails and packwebs) * Remove dependency on evolinux_fqdn var * Do not overwrite main.cf if it has been modified (except if postfix_force_main_cf) evolinux-base: * Move exim4 purge from evolinux-base to postfix role * Call postfix role call after nagios role (dependency)
2024-01-24 11:42:15 +01:00 · 2024-01-24 11:42:15 +01:00 · 1f8738fbda
parent 554bbaa36f
commit 1f8738fbda
13 changed files with 73 additions and 78 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -97,6 +97,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »).
 * dovecot: fix missing default mails
 * webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice)
+* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
+* nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode
+* postfix: remove dependency on evolinux_fqdn var
 * roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL)

 ### Removed
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@ -2,6 +2,5 @@

 general_alert_email: "root@localhost"
 log2mail_alert_email: Null
-
 dovecot_vmail_uid: 5000
 dovecot_vmail_gid: 5000
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@ -159,12 +159,10 @@ evolinux_root_disable_ssh: False
 # postfix

 evolinux_postfix_include: True
-
-evolinux_postfix_packages: True
+evolinux_mail_aliases_include: True
 evolinux_postfix_users_alias_root: True
 evolinux_postfix_mailer_alias_root: True
 evolinux_postfix_root_alias: True
-evolinux_postfix_purge_exim: True

 # logs

--- a/evolinux-base/files/cert.sh
+++ b/evolinux-base/files/cert.sh
@ -34,3 +34,4 @@ else
    usage
    exit 1
 fi
+
--- a/evolinux-base/tasks/mail_aliases.yml
+++ b/evolinux-base/tasks/mail_aliases.yml
@ -1,36 +1,5 @@
 ---

- name: Postfix packages are installed
-  ansible.builtin.apt:
-    name:
-      - postfix
-      - mailgraph
-    state: present
-  tags:
-    - packages
-    - postfix
-  when: evolinux_postfix_packages | bool
-
- name: configure postfix myhostname
-  ansible.builtin.lineinfile:
-    dest: /etc/postfix/main.cf
-    state: present
-    line: "myhostname = {{ evolinux_fqdn }}"
-    regexp: '^myhostname'
-  notify: reload postfix
-  tags:
-    - postfix
-
- name: configure postfix mynetworks
-  ansible.builtin.lineinfile:
-    dest: /etc/postfix/main.cf
-    state: present
-    line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost localhost.$mydomain"
-    regexp: '^mydestination'
-  notify: reload postfix
-  tags:
-    - postfix
-
 - name: fetch users list
  ansible.builtin.shell:
    cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root"
@ -81,18 +50,3 @@

 - ansible.builtin.meta: flush_handlers

- name: exim4 is absent
-  ansible.builtin.apt:
-    name:
-      - exim4
-      - exim4-base
-      - exim4-config
-      - exim4-daemon-light
-    purge: yes
-    state: absent
-  tags:
-    - packages
-    - postfix
-  when: evolinux_postfix_purge_exim | bool
-
- ansible.builtin.meta: flush_handlers
--- a/evolinux-base/tasks/main.yml
+++ b/evolinux-base/tasks/main.yml
@ -81,9 +81,16 @@
  ansible.builtin.import_tasks: root.yml
  when: evolinux_root_include | bool

- name: Postfix
-  ansible.builtin.import_tasks: postfix.yml
+- name: Postfix role
+  ansible.builtin.include_role:
+    name: evolix/postfix
  when: evolinux_postfix_include | bool
+  tags:
+    - postfix
+
+- name: Configure /etc/aliases
+  ansible.builtin.import_tasks: mail_aliases.yml
+  when: evolinux_mail_aliases_include | bool

 - name: Logs management
  ansible.builtin.import_tasks: logs.yml
@ -132,6 +139,14 @@
    name: evolix/check_free_space
  when: evolinux_check_free_space_include | bool

+# postfix role must be after nagios-nrpe role
+- name: Postfix role
+  ansible.builtin.include_role:
+    name: evolix/postfix
+  when: evolinux_postfix_include | bool
+  tags:
+    - postfix
+
 - name: Autosysadmin
  ansible.builtin.include_role:
    name: 'evolix/autosysadmin'
--- a/postfix/defaults/main.yml
+++ b/postfix/defaults/main.yml
@ -1,5 +1,7 @@
 ---
-postfix_hostname: "{{ ansible_fqdn }}"
+postfix_hostname: "{{ evolinux_hostname }}.{{ evolinux_domain }}"
 postfix_force_main_cf: False
 postfix_packmail: False
-postfix_slow_transport_include: "{{ postfix_packmail }}"
+postfix_slow_transport_include: False
+postfix_purge_exim: True
+
--- a/postfix/tasks/common.yml
+++ b/postfix/tasks/common.yml
@ -1,11 +1,32 @@
---

- name: check if main.cf is default
+- name: Postfix packages are installed
+  ansible.builtin.apt:
+    name:
+      - postfix
+      - mailgraph
+    state: present
+  tags:
+    - postfix
+
+- name: exim4 is absent
+  ansible.builtin.apt:
+    name:
+      - exim4
+      - exim4-base
+      - exim4-config
+      - exim4-daemon-light
+    purge: yes
+    state: absent
+  tags:
+    - postfix
+  when: postfix_purge_exim | bool
+
+- name: compute main.cf SHA1 checksum
  ansible.builtin.shell:
-    cmd: 'grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -'
+    cmd: 'grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | sha1sum | cut -d " " -f1'
  changed_when: False
  check_mode: no
-  register: default_main_cf
+  register: main_cf_checksum
  tags:
    - postfix

--- a/postfix/tasks/minimal.yml
+++ b/postfix/tasks/minimal.yml
@ -1,10 +1,8 @@
 ---
- name: ensure packages are installed
-  ansible.builtin.apt:
-    name: postfix
-    state: present
-  tags:
-  - postfix
+
+- name: display checksums of known main.cf files
+  debug:
+    var: main_cf_known_checksums

 - name: create minimal main.cf
  ansible.builtin.template:
@ -15,6 +13,6 @@
    mode: "0644"
    force: true
  notify: restart postfix
-  when: (postfix_force_main_cf | bool) or (postfix_maincf_md5_jessie in default_main_cf.stdout) or (postfix_maincf_md5_stretch in default_main_cf.stdout)
+  when: (postfix_force_main_cf | bool) or (main_cf_checksum.stdout in main_cf_known_checksums)
  tags:
  - postfix
--- a/postfix/tasks/packmail-spam.yml
+++ b/postfix/tasks/packmail-spam.yml
@ -1,8 +1,6 @@
 ---
- name: "mount /usr in rw"
-  ansible.builtin.command:
-    cmd: 'mount -o remount,rw /usr'
-  changed_when: False
+- ansible.builtin.include_role:
+    name: evolix/remount-usr
  tags: postfix

 - name: copy spam.sh script
--- a/postfix/tasks/packmail.yml
+++ b/postfix/tasks/packmail.yml
@ -1,11 +1,9 @@
 ---
- name: ensure packages are installed
+- name: Complementary packmail packages are installed
  ansible.builtin.apt:
    name:
-      - postfix
      - postfix-ldap
      - postfix-policyd-spf-python
-      - mailgraph
    state: present
  tags:
  - postfix
@ -24,6 +22,10 @@
    enabled: yes
    state: started

+- name: display checksums of known main.cf files
+  debug:
+    var: main_cf_known_checksums
+
 - name: create packmail main.cf
  ansible.builtin.template:
    src: packmail_main.cf.j2
@ -33,7 +35,7 @@
    mode: "0644"
    force: true
  notify: restart postfix
-  when: (postfix_force_main_cf | bool) or (postfix_maincf_md5_jessie in default_main_cf.stdout) or (postfix_maincf_md5_stretch in default_main_cf.stdout)
+  when: (postfix_force_main_cf | bool) or (main_cf_checksum.stdout in main_cf_known_checksums)
  tags:
  - postfix

--- a/postfix/templates/packmail_main.cf.j2
+++ b/postfix/templates/packmail_main.cf.j2
@ -66,7 +66,7 @@ smtpd_banner = $myhostname ESMTP mail server

 # Indique le nom d'hote pleinement qualifie ou se trouve postfix [OBLIGATOIRE]
 #par defaut, = [retour de la commande Unix hostname]
-myhostname = {{ ansible_fqdn }}
+myhostname = {{ postfix_hostname }}

 # Variable indiquant le domaine dans lequel se trouve la machine
 #par defaut, = [partie domain de la variable $myhostname]
--- a/postfix/vars/main.yml
+++ b/postfix/vars/main.yml
@ -1,5 +1,9 @@
 ---
-## MD5 hash of default main.cf filter, obtained with this command :
-# grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf  | md5sum -
-postfix_maincf_md5_jessie: "5450c05d65878e99dad696c7c722e511"
-postfix_maincf_md5_stretch: "30022953f1f61f002bfb72e163ecb27e"
+# Output of default main.cf:
+# grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | sha1sum | cut -d " " -f1
+main_cf_known_checksums:
+  - 72bd6999f053ea89b359e233cf252616ee6e2fbb  # bookworm
+  - efd078215285ad520addee5b11af869717627b95  # bullseye
+  - c7d1e008120565927b213be1bf646fddfa949dc6  # buster
+  - 8b4de47321a9c003bf414a683c0d056b4469b325  # stretch
+  - f72feb50754830a7d8ae46f28e86d758881bcfc3  # jessie