diff --git a/roles/jump/tasks/main.yml b/roles/jump/tasks/main.yml
index 6b5bd30..52a57f8 100644
--- a/roles/jump/tasks/main.yml
+++ b/roles/jump/tasks/main.yml
@@ -1,191 +1,203 @@ --- - yum: name="{{ item }}" state=present with_items: - firewalld - nmap-ncat - socat - service: name=firewalld state=started enabled=true - name: SSH Config for admin copy: src: sshd_config dest: /etc/ssh/sshd_config notify: reload ssh - firewalld: port: "{{ item }}/tcp" permanent: true state: enabled immediate: true with_items: - "{{ stats_port }}" # haproxy - "{{ monit_port }}" # ganglia - "{{ vcs_port_front }}" # phabricator ssh - "{{ vcs_port_back }}" # phabricator ssh - 22280 # phabricator notification - 222 # admin ssh - 80 # phabricator http - 443 # phabricator http - 25 # smtp - firewalld: port: "{{ item }}/tcp" permanent: true state: disabled immediate: true with_items: - "{{ jenkins_port }}" # jenkins - 8083 # test shibboleth - firewalld: port: "{{ item }}/tcp" source: "{{ ip_range }}" immediate: true permanent: true zone: internal state: enabled with_items: - 25 # smtp - 5666 # nrpe - 8649 # ganglia - firewalld: port: "{{ item }}/udp" source: "{{ ip_range }}" immediate: true permanent: true zone: internal state: enabled with_items: - 8649 # ganglia # Email - name: Allow incoming email, remove old config lineinfile: dest: /etc/postfix/main.cf line: "mydestination = {{ ansible_fqdn }}, localhost" state: absent - name: Allow incoming email lineinfile: dest: /etc/postfix/main.cf line: "mydestination = {{ domain }}, {{ ansible_fqdn }}, localhost" notify: restart postfix +- name: Fix postfix role myhostname as hostname + lineinfile: + dest: /etc/postfix/main.cf + line: "myhostname = {{ ansible_fqdn }}" + state: absent + +- name: Fix postfix role myhostname as fqdn instead + lineinfile: + dest: /etc/postfix/main.cf + line: "myhostname = {{ domain }}" + notify: restart postfix + - name: Header to filter in postfix copy: src: header_checks dest: /etc/postfix/header_checks - name: Hide originating host for postfix lineinfile: dest: /etc/postfix/main.cf line: "header_checks = regexp:/etc/postfix/header_checks" notify: rebuild headers - name: 
Redirect phabricator inbound email using transport lineinfile: dest: /etc/postfix/main.cf line: "transport_maps = hash:/etc/postfix/transport" - name: Redirect phabricator inbound email lineinfile: dest: /etc/postfix/transport line: "phabricator@{{ domain }} relay:[{{ groups.lbs[0] }}]:2525" notify: reload transport - name: Remove alias for postmaster email lineinfile: dest: /etc/aliases line: "postmaster:\troot" state: absent notify: rebuild aliases - name: Alias for postmaster email lineinfile: dest: /etc/aliases line: "postmaster: {{ email_alias_postmaster }}" notify: rebuild aliases - name: Alias for postmaster admin lineinfile: dest: /etc/aliases line: "admin: {{ email_alias_admin }}" notify: rebuild aliases # TODO: Redirect to app instance ? - name: Alias for phabricator email lineinfile: dest: /etc/aliases line: "phabricator: {{ email_alias_phabricator }}" notify: rebuild aliases - name: Use letsencrypt cert for postfix file: path: /etc/ssl/certs/ssl-cert-snakeoil.pem src: "/etc/letsencrypt/live/{{ domain }}/cert.pem" state: link when: env != "test" - name: Use letsencrypt cert directory file: path: /etc/ssl/private/ state: directory - name: Use letsencrypt cert key for postfix file: path: /etc/ssl/certs/ssl-cert-snakeoil.key src: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" state: link when: env != "test" - name: Use letsencrypt cert key for postfix file: path: /etc/ssl/private/ssl-cert-snakeoil.key src: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" state: link when: env != "test" # SSL self-signed certificate for TEST - name: create self-signed SSL cert shell: openssl req -new -nodes -x509 -subj "/C=VD/ST=Vaud/L=Lausanne/O=c4science/CN={{ domain }}" -days 3650 -keyout /etc/ssl/certs/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -extensions v3_ca args: creates: /etc/ssl/certs/ssl-cert-snakeoil.pem when: env == "test" - name: Link to snakeoil cert for postfix file: path: /etc/ssl/private/ssl-cert-snakeoil.pem src: 
/etc/ssl/certs/ssl-cert-snakeoil.pem state: link when: env == "test" - name: Fake letsencrypt directory file: path: "/etc/letsencrypt/live/{{ domain }}/" state: directory when: env == "test" - name: Fake letsencrypt certificate key file file: path: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" src: /etc/ssl/certs/ssl-cert-snakeoil.key state: link when: env == "test" - name: Fake letsencrypt certificate file file: path: "/etc/letsencrypt/live/{{ domain }}/cert.pem" src: /etc/ssl/certs/ssl-cert-snakeoil.pem state: link when: env == "test" - name: create combined certificate for haproxy shell: "cat /etc/ssl/certs/ssl-cert-snakeoil.* > /etc/letsencrypt/live/{{ domain }}/combined.pem" args: creates: "/etc/letsencrypt/live/{{ domain }}/combined.pem" when: env == "test"
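Review bot: The added "Fix postfix role myhostname as fqdn instead" task uses `lineinfile` with only `line:` and no `regexp:`, so it appends `myhostname = {{ domain }}` rather than replacing whatever `myhostname` setting main.cf already holds; the preceding `state: absent` task removes only a line that is byte-for-byte `myhostname = {{ ansible_fqdn }}`, so any other spelling or spacing of that directive (as presumably written by the other role the task name refers to) survives and main.cf ends up with two `myhostname` lines, with postfix silently taking the last one. Adding `regexp: '^myhostname\s*='` to the present task makes it replace any existing `myhostname` line in place and would let the separate absent task be dropped. The task names also read the wrong way round for what the values do (the removed line carries `ansible_fqdn`, the kept one carries `domain`), so a name such as `Set postfix myhostname to the mail domain` would describe the kept line more accurately. The hunk spans the whole file, so nothing is cut off at either edge.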