propellor spin

config-joey.hs

@@ -101,17 +101,8 @@ hosts =                 --                  (o)  `
 			`requires` Gpg.keyImported "98147487" "root"
 			`requires` Ssh.keyImported SshRsa "root"
 				(Context "kite.kitenet.net")
+		& JoeySites.kiteMailServer
 
-		& Docker.configured
-		& Docker.garbageCollected `period` (Weekly (Just 1))
-
-		-- Mail server is in a docker container for stability.
-		& Docker.docked hosts "mail-server"
-			`requires` File.dirExists "/var/spool/postfix"
-		-- sstmp is used to relay mail on kite into the container's
-		-- mail server.
-		& Apt.installed ["ssmtp"]
-	
   	, standardSystem "diatom.kitenet.net" Stable "amd64"
 	  	[ "Important stuff that needs not too much memory or CPU." ]
 		& ipv4 "107.170.31.195"
@@ -250,32 +241,6 @@ hosts =                 --                  (o)  `
 		& Docker.volume "/var/www:/var/www"
 		& Apt.serviceInstalledRunning "apache2"
 
-	-- Mail server (smtp, pop, imap) in a container.
-	-- Uses the host's /home, /var/mail and /var/spool/postfix directories,
-	-- which must exist on the host.
-	, standardContainer "mail-server" Stable "amd64"
-		& Docker.volume "/home"
-		& Docker.volume "/var/mail"
-		& Docker.volume "/var/spool/postfix"
-		& Docker.publish "25:25" -- smtp
-		& Docker.publish "110:110" -- pop3
-		& Docker.publish "220:220" -- imap3
-		& Docker.publish "465:465" -- smtps
-		& Docker.publish "993:993" -- imaps
-		& Docker.publish "995:995" -- pop3s
-		& Postfix.installed
-		& Apt.installed ["postgrey", "postfix-pcre"]
-		& Apt.installed ["spamass-milter", "spamassassin"]
-		& "/etc/default/spamassassin" `File.containsLines`
-			[ "ENABLED=1"
-			, "OPTIONS=\"--create-prefs --max-children 5 --helper-home-dir\""
-			, "CRON=1"
-			, "NICE=\"--nicelevel 15\""
-			]
-		& Apt.installed ["maildrop"]
-		& Apt.serviceInstalledRunning "dovecot-imapd"
-		& Apt.serviceInstalledRunning "dovecot-pop3d"
-
 	-- My own openid provider. Uses php, so containerized for security
 	-- and administrative sanity.
 	, standardContainer "openid-provider" Stable "amd64"

src/Propellor/Property/Postfix.hs

@@ -23,3 +23,12 @@ satellite = setup `requires` installed
 			, ("postfix/destinations", "string", " ")
 			, ("postfix/mailname", "string", hn)
 			]
+
+-- | Sets up a file by running a property (which the filename is passed
+-- to). If the setup property makes a change, postmap will be run on the
+-- file, and postfix will be reloaded.
+mappedFile :: FilePath -> (FilePath -> Property) -> Property
+mappedFile f setup = setup f
+	`onChange` cmdProperty postmap [postmap]
+  where
+	postmap = "postmap " ++ f

src/Propellor/Property/SiteSpecific/JoeySites.hs

@@ -14,6 +14,7 @@ import qualified Propellor.Property.Service as Service
 import qualified Propellor.Property.User as User
 import qualified Propellor.Property.Obnam as Obnam
 import qualified Propellor.Property.Apache as Apache
+import qualified Propellor.Property.Postfix as Postfix
 import Utility.SafeCommand
 import Utility.FileMode
 import Utility.Path
@@ -382,3 +383,88 @@ podcatcher = Cron.niceJob "podcatcher run hourly" "55 * * * *"
 	"joey" "/home/joey/lib/sound/podcasts"
 	"xargs git-annex importfeed -c annex.genmetadata=true < feeds; mr --quiet update"
 	`requires` Apt.installed ["git-annex", "myrepos"]
+
+kiteMailServer :: Property
+kiteMailServer = propertyList "kitenet.net mail server"
+	[ Postfix.installed
+	, Apt.installed ["postfix-pcre"]
+	, Apt.serviceInstalledRunning "postgrey"
+	, Apt.serviceInstalledRunning "spamassassin"
+	, "/etc/default/spamassassin" `File.containsLines`
+		[ "ENABLED=1"
+		, "OPTIONS=\"--create-prefs --max-children 5 --helper-home-dir\""
+		, "CRON=1"
+		, "NICE=\"--nicelevel 15\""
+		] `onChange` Service.restarted "spamassassin"
+	, Apt.serviceInstalledRunning "spamass-miter"
+	, Apt.installed ["maildrop"]
+	, "/etc/aliases" `File.hasPrivContentExposed` ctx
+		`onChange` cmdProperty "newaliases" ["newaliases"]
+	, "/etc/ssl/certs/joeyca.pem" `File.hasPrivContentExposed` ctx
+	, "/etc/ssl/certs/postfix.pem" `File.hasPrivContentExposed` ctx
+	, "/etc/ssl/private/postfix.pem" `File.hasPrivContent` ctx
+	, "/etc/postfix/mydomain" `File.containsLines`
+		[ "/.*\\.kitenet\\.net/\tOK"
+		, "/mooix\\.net/\tOK"
+		, "/ikiwiki\\.info/\tOK"
+		, "/joeyh\\.name/\tOK"
+		]
+		`onChange` Service.restarted "postfix"
+	, "/etc/postfix/obscure_client_relay.pcre" `File.containsLine`
+		"/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE"
+		`onChange` Service.restarted "postfix"
+	, Postfix.mappedFile "/etc/postfix/virtual" $
+		flip File.containsLines
+			[ "# *@joeyh.name to joey"
+			, "@joeyh.name\tjoey"
+			]
+	, Postfix.mappedFile "/etc/postfix/relay_clientcerts" $
+		flip File.hasPrivContentExposed ctx
+	, "/etc/postfix/main.cf" `File.containsLines`
+		[ "myhostname = kitenet.net"
+		, "mydomain = $myhostname"
+		, "append_dot_mydomain = no"
+		, "myorigin = kitenet.net"
+		, "mydestination = $myhostname, localhost.$mydomain, $mydomain, kite.$mydomain., localhost, regexp:$config_directory/mydomain"
+		, "mailbox_command = maildrop"
+		, "virtual_alias_maps = hash:/etc/postfix/virtual"
+
+		, "# Allow clients with trusted certs to relay mail through."
+		, "relay_clientcerts = hash:/etc/postfix/relay_clientcerts"
+		, "smtpd_relay_restrictions = permit_mynetworks,permit_tls_clientcerts,permit_sasl_authenticated,reject_unauth_destination"
+
+		, "# Filter out client relay lines from headers."
+		, "header_checks = pcre:$config_directory/obscure_client_relay.pcre"
+
+		, "# Enable postgrey."
+		, "smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023"
+
+		, "# Enable spamass-milter."
+		, "smtpd_milters = unix:/spamass/spamass.sock"
+		, "milter_connect_macros = j {daemon_name} v {if_name} _"
+
+		, "# TLS setup -- server"
+		, "smtpd_tls_CAfile = /etc/ssl/certs/joeyca.pem"
+		, "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
+		, "smtpd_tls_key_file = /etc/ssl/private/postfix.pem"
+		, "smtpd_tls_loglevel = 1"
+		, "smtpd_tls_received_header = yes"
+		, "smtpd_use_tls = yes"
+		, "smtpd_tls_ask_ccert = yes"
+		, "smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache"
+
+		, "# TLS setup -- client"
+		, "smtp_tls_CAfile = /etc/ssl/certs/joeyca.pem"
+		, "smtp_tls_cert_file = /etc/ssl/certs/postfix.pem"
+		, "smtp_tls_key_file = /etc/ssl/private/postfix.pem"
+		, "smtp_tls_loglevel = 1"
+		, "smtp_use_tls = yes"
+		, "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache"
+		]
+		`onChange` Service.restarted "postfix"
+	, Apt.serviceInstalledRunning "dovecot-imapd"
+	, Apt.serviceInstalledRunning "dovecot-pop3d"
+	, Apt.serviceInstalledRunning "cron"
+	]
+  where
+	ctx = Context "kitenet.net"