Feature/dev 315

Görz, Friedrich 4 years ago committed by Ketelsen, Sven
parent b7624efbca
commit 19fa1db9c8

@ -4,9 +4,33 @@
# After committing this template, visit CI/CD > Jobs to see the script output.
job:
image: docker-cache.dev-at.de/docker:19
stages:
- ansible-lint
- ansible-builder
ansible-lint-job:
stage: ansible-lint
before_script:
- pip install ansible-lint
image: dev-harbor-01.smardigo.digital/awx/awx-custom-ee:latest
script:
- echo "running ansible-lint to check for linting violations"
- /home/runner/.local/bin/ansible-lint
tags:
- dind
ansible-builder-job:
stage: ansible-builder
script:
# provide a shell script as argument for this keyword.
- echo "Hello World"
- echo "running ansible-lint to check for linting violations"
# - ansible-builder build --tag dev-harbor-01.smardigo.digital/awx/awx-custom-ee:latest
# - docker login dev-harbor-01.smardigo.digital
# - docker tag XXXXXXXX dev-harbor-01.smardigo.digital/awx/awx-custom-ee:latest
# - docker push dev-harbor-01.smardigo.digital/awx/awx-custom-ee
tags:
- dind
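Review bot: `pip install ansible-lint` in the `before_script` of `ansible-lint-job` installs whatever version PyPI serves at run time, so the lint gate is neither reproducible nor protected against a compromised or breaking upstream release; pin it, e.g. `- pip install "ansible-lint==<PINNED_VERSION>"` (placeholder, pick the version the team has validated). The same applies to the floating `:latest` tag on the `dev-harbor-01.smardigo.digital/awx/awx-custom-ee` image used by that job — a digest or immutable tag would make the pipeline's toolchain verifiable. The `ansible-builder-job` currently only echoes while the real build/tag/push steps are commented out; if that is intentional scaffolding, a short comment saying so (`# builder steps disabled until the harbor credentials are wired in`) would save the next reader from assuming the image is being published. The file continues outside the hunk, so any `variables:` or credential handling above line 4 could not be reviewed here.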

@ -16,6 +16,10 @@ roles:
version: 1.0.0
src: https://github.com/cloudalchemy/ansible-blackbox-exporter
scm: git
- name: postfix
version: v3.6.1
src: https://github.com/Oefenweb/ansible-postfix.git
scm: git
collections:
- name: hetzner.hcloud
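Review bot: The new `postfix` entry is pinned by git tag (`version: v3.6.1`), which is a mutable reference — the upstream repository can move or re-create that tag, so the content fetched by `ansible-galaxy` can change without any edit to this file. Since this commit appears to replace vendored role copies with dependencies fetched from GitHub (inferred from the role-tree deletions elsewhere in the commit), that ref is now the only thing fixing what gets executed with `become: true`; pinning to a commit SHA, `version: <COMMIT_SHA_OF_v3.6.1>` (placeholder, resolve from the upstream tag), restores an immutable pin. A comment recording the tag the SHA corresponds to keeps the entry readable. The `roles:` list begins before this hunk.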

@ -1,20 +0,0 @@
The MIT License (MIT)
Copyright (c) 2018 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

@ -1,188 +0,0 @@
# Ansible Role: Kubernetes
[![CI](https://github.com/geerlingguy/ansible-role-kubernetes/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-kubernetes/actions?query=workflow%3ACI)
An Ansible Role that installs [Kubernetes](https://kubernetes.io) on Linux.
## Requirements
Requires Docker or another [Container Runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes) ; recommended role for Docker installation: `geerlingguy.docker`.
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
kubernetes_packages:
- name: kubelet
state: present
- name: kubectl
state: present
- name: kubeadm
state: present
- name: kubernetes-cni
state: present
Kubernetes packages to be installed on the server. You can either provide a list of package names, or set `name` and `state` to have more control over whether the package is `present`, `absent`, `latest`, etc.
kubernetes_version: '1.20'
kubernetes_version_rhel_package: '1.20.4'
The minor version of Kubernetes to install. The plain `kubernetes_version` is used to pin an apt package version on Debian, and as the Kubernetes version passed into the `kubeadm init` command (see `kubernetes_version_kubeadm`). The `kubernetes_version_rhel_package` variable must be a specific Kubernetes release, and is used to pin the version on Red Hat / CentOS servers.
kubernetes_role: master
Whether the particular server will serve as a Kubernetes `master` (default) or `node`. The master will have `kubeadm init` run on it to intialize the entire K8s control plane, while `node`s will have `kubeadm join` run on them to join them to the `master`.
### Variables to configure kubeadm and kubelet with `kubeadm init` through a config file (recommended)
With this role, `kubeadm init` will be run with `--config <FILE>`.
kubernetes_kubeadm_kubelet_config_file_path: '/etc/kubernetes/kubeadm-kubelet-config.yaml'
Path for `<FILE>`. If the directory does not exist, this role will create it.
The following variables are parsed as options to <FILE>. To understand its syntax, see https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration and https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file . The skeleton (`apiVersion`, `kind`) of the config file will be created by this role, so do not define them within the variables. (See `templates/kubeadm-kubelet-config.yaml`).
kubernetes_config_init_configuration:
localAPIEndpoint:
advertiseAddress: "{{ kubernetes_apiserver_advertise_address | default(ansible_default_ipv4.address, true) }}"
Defines the options under `kind: InitConfiguration`. Including `kubernetes_apiserver_advertise_address` here is for backward-compatibilty to older versions of this role, where `kubernetes_apiserver_advertise_address` was used with a command-line-option.
kubernetes_config_cluster_configuration:
networking:
podSubnet: "{{ kubernetes_pod_network.cidr }}"
kubernetesVersion: "{{ kubernetes_version_kubeadm }}"
Options under `kind: ClusterConfiguration`. Including `kubernetes_pod_network.cidr` and `kubernetes_version_kubeadm` here are for backward-compatibilty to older versions of this role, where they were used with command-line-options.
kubernetes_config_kubelet_configuration:
cgroupDriver: cgroupfs
Options to configure kubelet on any nodes in your cluster through the `kubeadm init` process. To get the syntax of this options see https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file and https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration.
NOTE: This is the recommended way to do the kubelet-configuration. Most command-line-options are deprecated.
NOTE: The recommended cgroupDriver depends on your [Container Runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes). When using this role with containerd instead of docker, this value should be changed to `systemd`.
### Variables to configure kubeadm and kubelet through command-line-options
kubernetes_kubelet_extra_args: ""
kubernetes_kubelet_extra_args_config_file: /etc/default/kubelet
Extra args to pass to `kubelet` during startup. E.g. to allow `kubelet` to start up even if there is swap is enabled on your server, set this to: `"--fail-swap-on=false"`. Or to specify the node-ip advertised by `kubelet`, set this to `"--node-ip={{ ansible_host }}"`. *This is deprecated. Please use `kubernetes_config_kubelet_configuration` instead.*
kubernetes_kubeadm_init_extra_opts: ""
Extra args to pass to `kubeadm init` during K8s control plane initialization. E.g. to specify extra Subject Alternative Names for API server certificate, set this to: `"--apiserver-cert-extra-sans my-custom.host"`
kubernetes_join_command_extra_opts: ""
Extra args to pass to the generated `kubeadm join` command during K8s node initialization. E.g. to ignore certain preflight errors like swap being enabled, set this to: `--ignore-preflight-errors=Swap`
### Additional variables
kubernetes_allow_pods_on_master: true
Whether to remove the taint that denies pods from being deployed to the Kubernetes master. If you have a single-node cluster, this should definitely be `True`. Otherwise, set to `False` if you want a dedicated Kubernetes master which doesn't run any other pods.
kubernetes_enable_web_ui: false
kubernetes_web_ui_manifest_file: https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
Whether to enable the Kubernetes web dashboard UI (only accessible on the master itself, or proxied), and the file containing the web dashboard UI manifest.
kubernetes_pod_network:
# Flannel CNI.
cni: 'flannel'
cidr: '10.244.0.0/16'
#
# Calico CNI.
# cni: 'calico'
# cidr: '192.168.0.0/16'
#
# Weave CNI.
# cni: 'weave'
# cidr: '192.168.0.0/16'
This role currently supports `flannel` (default), `calico` or `weave` for cluster pod networking. Choose only one for your cluster; converting between them is not done automatically and could result in broken networking; if you need to switch from one to another, it should be done outside of this role.
kubernetes_apiserver_advertise_address: ''
kubernetes_version_kubeadm: 'stable-{{ kubernetes_version }}'
kubernetes_ignore_preflight_errors: 'all'
Options passed to `kubeadm init` when initializing the Kubernetes master. The `kubernetes_apiserver_advertise_address` defaults to `ansible_default_ipv4.address` if it's left empty.
kubernetes_apt_release_channel: main
kubernetes_apt_repository: "deb http://apt.kubernetes.io/ kubernetes-xenial {{ kubernetes_apt_release_channel }}"
kubernetes_apt_ignore_key_error: false
Apt repository options for Kubernetes installation.
kubernetes_yum_arch: x86_64
kubernetes_yum_base_url: "https://packages.cloud.google.com/yum/repos/kubernetes-el7-{{ kubernetes_yum_arch }}"
kubernetes_yum_gpg_key:
- https://packages.cloud.google.com/yum/doc/yum-key.gpg
- https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Yum repository options for Kubernetes installation. You can change `kubernete_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. Usually in combination with changing `kubernetes_yum_base_url` as well.
kubernetes_flannel_manifest_file_rbac: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml
kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
Flannel manifest files to apply to the Kubernetes cluster to enable networking. You can copy your own files to your server and apply them instead, if you need to customize the Flannel networking configuration.
## Dependencies
None.
## Example Playbooks
### Single node (master-only) cluster
```yaml
- hosts: all
vars:
kubernetes_allow_pods_on_master: true
roles:
- geerlingguy.docker
- geerlingguy.kubernetes
```
### Two or more nodes (single master) cluster
Master inventory vars:
```yaml
kubernetes_role: "master"
```
Node(s) inventory vars:
```yaml
kubernetes_role: "node"
```
Playbook:
```yaml
- hosts: all
vars:
kubernetes_allow_pods_on_master: true
roles:
- geerlingguy.docker
- geerlingguy.kubernetes
```
Then, log into the Kubernetes master, and run `kubectl get nodes` as root, and you should see a list of all the servers.
## License
MIT / BSD
## Author Information
This role was created in 2018 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).

@ -1,71 +0,0 @@
---
kubernetes_packages:
- name: kubelet
state: present
- name: kubectl
state: present
- name: kubeadm
state: present
- name: kubernetes-cni
state: present
kubernetes_version: '1.20'
kubernetes_version_rhel_package: '1.20.4'
kubernetes_role: master
# This is deprecated. Please use kubernetes_config_kubelet_configuration instead.
kubernetes_kubelet_extra_args: ""
kubernetes_kubeadm_init_extra_opts: ""
kubernetes_join_command_extra_opts: ""
kubernetes_allow_pods_on_master: true
kubernetes_enable_web_ui: true
# https://github.com/kubernetes/dashboard/blob/master/docs/user/installation.md
kubernetes_web_ui_manifest_file: https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
kubernetes_pod_network:
# Flannel CNI.
cni: 'flannel'
cidr: '10.244.0.0/16'
# Calico CNI.
# cni: 'calico'
# cidr: '192.168.0.0/16'
kubernetes_kubeadm_kubelet_config_file_path: '/etc/kubernetes/kubeadm-kubelet-config.yaml'
kubernetes_config_kubelet_configuration:
cgroupDriver: "cgroupfs"
kubernetes_config_init_configuration:
localAPIEndpoint:
advertiseAddress: "{{ kubernetes_apiserver_advertise_address | default(ansible_default_ipv4.address, true) }}"
# if you use the next lines, remove the command line argument below
# nodeRegistration:
# ignorePreflightErrors:
# - all
kubernetes_config_cluster_configuration:
networking:
podSubnet: "{{ kubernetes_pod_network.cidr }}"
kubernetesVersion: "{{ kubernetes_version_kubeadm }}"
kubernetes_apiserver_advertise_address: ''
kubernetes_version_kubeadm: 'stable-{{ kubernetes_version }}'
kubernetes_ignore_preflight_errors: 'all'
kubernetes_apt_release_channel: main
# Note that xenial repo is used for all Debian derivatives at this time.
kubernetes_apt_repository: "deb http://apt.kubernetes.io/ kubernetes-xenial {{ kubernetes_apt_release_channel }}"
kubernetes_apt_ignore_key_error: false
kubernetes_yum_arch: '$basearch'
kubernetes_yum_base_url: "https://packages.cloud.google.com/yum/repos/kubernetes-el7-{{ kubernetes_yum_arch }}"
kubernetes_yum_gpg_key:
- https://packages.cloud.google.com/yum/doc/yum-key.gpg
- https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
# Flannel config files.
kubernetes_flannel_manifest_file_rbac: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml
kubernetes_flannel_manifest_file: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# Calico config files
kubernetes_calico_manifest_file: https://docs.projectcalico.org/v3.10/manifests/calico.yaml

@ -1,3 +0,0 @@
---
- name: restart kubelet
service: name=kubelet state=restarted

@ -1,35 +0,0 @@
---
dependencies: []
galaxy_info:
role_name: kubernetes
author: geerlingguy
description: Kubernetes for Linux.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.4
platforms:
- name: EL
versions:
- 7
- 8
- name: Debian
versions:
- stretch
- buster
- name: Ubuntu
versions:
- xenial
- bionic
- focal
galaxy_tags:
- system
- containers
- docker
- rkt
- orchestration
- kubernetes
- k8s
- paas
- saas
- hosting

@ -1,50 +0,0 @@
---
- name: Converge
hosts: all
become: true
vars:
kubernetes_pod_network:
cni: 'calico'
cidr: '192.168.0.0/16'
# Allow swap in test environments (hard to control in some Docker envs).
kubernetes_kubelet_extra_args: "--fail-swap-on=false --cgroup-driver=cgroupfs"
docker_install_compose: false
pre_tasks:
- name: Update apt cache.
apt: update_cache=true cache_valid_time=600
when: ansible_os_family == 'Debian'
- name: Ensure test dependencies are installed (RedHat).
package: name=iproute state=present
when: ansible_os_family == 'RedHat'
- name: Ensure test dependencies are installed (Debian).
package: name=iproute2 state=present
when: ansible_os_family == 'Debian'
- name: Gather facts.
action: setup
roles:
- role: geerlingguy.docker
- role: geerlingguy.kubernetes
post_tasks:
- name: Get cluster info.
command: kubectl cluster-info
changed_when: false
register: kubernetes_info
- name: Print cluster info.
debug: var=kubernetes_info.stdout
- name: Get all running pods.
command: kubectl get pods --all-namespaces
changed_when: false
register: kubernetes_pods
- name: Print list of running pods.
debug: var=kubernetes_pods.stdout

@ -1,46 +0,0 @@
---
- name: Converge
hosts: all
become: true
vars:
# Allow swap in test environments (hard to control in some Docker envs).
kubernetes_kubelet_extra_args: "--fail-swap-on=false --cgroup-driver=cgroupfs"
docker_install_compose: false
pre_tasks:
- name: Update apt cache.
apt: update_cache=true cache_valid_time=600
when: ansible_os_family == 'Debian'
- name: Ensure test dependencies are installed (RedHat).
package: name=iproute state=present
when: ansible_os_family == 'RedHat'
- name: Ensure test dependencies are installed (Debian).
package: name=iproute2 state=present
when: ansible_os_family == 'Debian'
- name: Gather facts.
action: setup
roles:
- role: geerlingguy.docker
- role: geerlingguy.kubernetes
post_tasks:
- name: Get cluster info.
command: kubectl cluster-info
changed_when: false
register: kubernetes_info
- name: Print cluster info.
debug: var=kubernetes_info.stdout
- name: Get all running pods.
command: kubectl get pods --all-namespaces
changed_when: false
register: kubernetes_pods
- name: Print list of running pods.
debug: var=kubernetes_pods.stdout

@ -1,18 +0,0 @@
---
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- /var/lib/docker
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
converge: ${MOLECULE_PLAYBOOK:-converge.yml}

@ -1,42 +0,0 @@
---
# ---- DEPRECATED ----------------
#
# Most of the kubernetes_kubelet_extra_args are deprecated. See https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet for details.
# Use the kubernetes_kubelet_config variable instead, which will be used to create the kubelet config file.
- name: Check for existence of kubelet environment file. (deprecated)
stat:
path: '{{ kubelet_environment_file_path }}'
register: kubelet_environment_file
- name: Set facts for KUBELET_EXTRA_ARGS task if environment file exists. (deprecated)
set_fact:
kubelet_args_path: '{{ kubelet_environment_file_path }}'
kubelet_args_line: "{{ 'KUBELET_EXTRA_ARGS=' + kubernetes_kubelet_extra_args }}"
kubelet_args_regexp: '^KUBELET_EXTRA_ARGS='
when: kubelet_environment_file.stat.exists
- name: Set facts for KUBELET_EXTRA_ARGS task if environment file doesn't exist. (deprecated)
set_fact:
kubelet_args_path: '/etc/systemd/system/kubelet.service.d/10-kubeadm.conf'
kubelet_args_line: "{{ 'Environment=\"KUBELET_EXTRA_ARGS=' + kubernetes_kubelet_extra_args + '\"' }}"
kubelet_args_regexp: '^Environment="KUBELET_EXTRA_ARGS='
when: not kubelet_environment_file.stat.exists
- name: Configure KUBELET_EXTRA_ARGS. (deprecated)
lineinfile:
path: '{{ kubelet_args_path }}'
line: '{{ kubelet_args_line }}'
regexp: '{{ kubelet_args_regexp }}'
state: present
mode: 0644
register: kubelet_extra_args
when: kubernetes_kubelet_extra_args|length > 0
- name: Reload systemd unit if args were changed. (deprecated)
systemd:
state: restarted
daemon_reload: true
name: kubelet
when: kubelet_extra_args is changed

@ -1,59 +0,0 @@
---
- name: Include OS-specific variables.
include_vars: "{{ ansible_os_family }}.yml"
- include_tasks: setup-RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: setup-Debian.yml
when: ansible_os_family == 'Debian'
- name: Ensure dependencies are installed.
package: name=curl state=present
- name: Install Kubernetes packages.
package:
name: "{{ item.name | default(item) }}"
state: "{{ item.state | default('present') }}"
notify: restart kubelet
with_items: "{{ kubernetes_packages }}"
- include_tasks: sysctl-setup.yml
- include_tasks: kubelet-setup.yml # deprecated
when: kubernetes_kubelet_extra_args|length > 0
- name: Ensure kubelet is started and enabled at boot.
service:
name: kubelet
state: started
enabled: true
- name: Check if Kubernetes has already been initialized.
stat:
path: /etc/kubernetes/admin.conf
register: kubernetes_init_stat
# Set up master.
- include_tasks: master-setup.yml
when: kubernetes_role == 'master'
# Set up nodes.
- name: Get the kubeadm join command from the Kubernetes master.
command: kubeadm token create --print-join-command
changed_when: false
when: kubernetes_role == 'master'
register: kubernetes_join_command_result
- name: Set the kubeadm join command globally.
set_fact:
kubernetes_join_command: >
{{ kubernetes_join_command_result.stdout }}
{{ kubernetes_join_command_extra_opts }}
when: kubernetes_join_command_result.stdout is defined
delegate_to: "{{ item }}"
delegate_facts: true
with_items: "{{ groups['all'] }}"
- include_tasks: node-setup.yml
when: kubernetes_role == 'node'

@ -1,98 +0,0 @@
---
- name: Create the directory for the kubernetes_config_file
file:
path: "{{ kubernetes_kubeadm_kubelet_config_file_path | dirname }}"
state: directory
- name: Deploy the config-file for kubeadm and kubelet
template:
src: "kubeadm-kubelet-config.j2"
dest: "{{ kubernetes_kubeadm_kubelet_config_file_path }}"
- name: Initialize Kubernetes master with kubeadm init
command: >
kubeadm init
--config {{ kubernetes_kubeadm_kubelet_config_file_path }}
{{ kubernetes_kubeadm_init_extra_opts }}
register: kubeadmin_init
when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is not defined)
- name: Initialize Kubernetes master with kubeadm init and ignore_preflight_errors
command: >
kubeadm init
--config {{ kubernetes_kubeadm_kubelet_config_file_path }}
--ignore-preflight-errors={{ kubernetes_ignore_preflight_errors }}
{{ kubernetes_kubeadm_init_extra_opts }}
register: kubeadmin_init
when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is defined)
- name: Print the init output to screen.
debug:
var: kubeadmin_init.stdout
verbosity: 2
when: not kubernetes_init_stat.stat.exists
- name: Ensure .kube directory exists.
file:
path: ~/.kube
state: directory
mode: 0755
- name: Symlink the kubectl admin.conf to ~/.kube/conf.
file:
src: /etc/kubernetes/admin.conf
dest: ~/.kube/config
state: link
mode: 0644
- name: Configure Flannel networking.
command: "{{ item }}"
with_items:
- kubectl apply -f {{ kubernetes_flannel_manifest_file_rbac }}
- kubectl apply -f {{ kubernetes_flannel_manifest_file }}
register: flannel_result
changed_when: "'created' in flannel_result.stdout"
when: kubernetes_pod_network.cni == 'flannel'
- name: Configure Calico networking.
command: "{{ item }}"
with_items:
- kubectl apply -f {{ kubernetes_calico_manifest_file }}
register: calico_result
changed_when: "'created' in calico_result.stdout"
when: kubernetes_pod_network.cni == 'calico'
- name: Get Kubernetes version for Weave installation.
shell: kubectl version | base64 | tr -d '\n'
changed_when: false
register: kubectl_version
when: kubernetes_pod_network.cni == 'weave'
- name: Configure Weave networking.
command: "{{ item }}"
with_items:
- "kubectl apply -f https://cloud.weave.works/k8s/net?k8s-version={{ kubectl_version.stdout_lines[0] }}"
register: weave_result
changed_when: "'created' in weave_result.stdout"
when: kubernetes_pod_network.cni == 'weave'
# TODO: Check if taint exists with something like `kubectl describe nodes`
# instead of using kubernetes_init_stat.stat.exists check.
- name: Allow pods on master node (if configured).
command: "kubectl taint nodes --all node-role.kubernetes.io/master-"
when:
- kubernetes_allow_pods_on_master | bool
- not kubernetes_init_stat.stat.exists
- name: Check if Kubernetes Dashboard UI service already exists.
shell: kubectl get services --namespace kubernetes-dashboard | grep -q kubernetes-dashboard
changed_when: false
failed_when: false
register: kubernetes_dashboard_service
when: kubernetes_enable_web_ui | bool
- name: Enable the Kubernetes Web Dashboard UI (if configured).
command: "kubectl create -f {{ kubernetes_web_ui_manifest_file }}"
when:
- kubernetes_enable_web_ui | bool
- kubernetes_dashboard_service.rc != 0

@ -1,6 +0,0 @@
---
- name: Join node to Kubernetes master
shell: >
{{ kubernetes_join_command }}
creates=/etc/kubernetes/kubelet.conf
tags: ['skip_ansible_lint']

@ -1,26 +0,0 @@
---
- name: Ensure dependencies are installed.
apt:
name:
- apt-transport-https
- ca-certificates
state: present
- name: Add Kubernetes apt key.
apt_key:
url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
state: present
register: add_repository_key
ignore_errors: "{{ kubernetes_apt_ignore_key_error }}"
- name: Add Kubernetes repository.
apt_repository:
repo: "{{ kubernetes_apt_repository }}"
state: present
update_cache: true
- name: Add Kubernetes apt preferences file to pin a version.
template:
src: apt-preferences-kubernetes.j2
dest: /etc/apt/preferences.d/kubernetes
mode: 0644

@ -1,23 +0,0 @@
---
- name: Ensure Kubernetes repository exists.
yum_repository:
name: kubernetes
description: Kubernetes
enabled: true
gpgcheck: true
repo_gpgcheck: true
baseurl: "{{ kubernetes_yum_base_url }}"
gpgkey: "{{ kubernetes_yum_gpg_key }}"
- name: Add Kubernetes GPG keys.
rpm_key:
key: "{{ item }}"
state: present
register: kubernetes_rpm_key
with_items: "{{ kubernetes_yum_gpg_key }}"
- name: Make cache if Kubernetes GPG key changed.
command: "yum -q makecache -y --disablerepo='*' --enablerepo='kubernetes'"
when: kubernetes_rpm_key is changed
args:
warn: false

@ -1,21 +0,0 @@
---
- name: Ensure procps is installed.
package:
name: "{{ procps_package }}"
state: present
when: >
ansible_distribution != 'Debian'
or ansible_distribution_major_version | int < 10
# See: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#letting-iptables-see-bridged-traffic
- name: Let iptables see bridged traffic.
sysctl:
name: "{{ item }}"
value: '1'
state: present
loop:
- net.bridge.bridge-nf-call-iptables
- net.bridge.bridge-nf-call-ip6tables
when: >
ansible_distribution != 'Debian'
or ansible_distribution_major_version | int < 10

@ -1,11 +0,0 @@
Package: kubectl
Pin: version {{ kubernetes_version }}.*
Pin-Priority: 1000
Package: kubeadm
Pin: version {{ kubernetes_version }}.*
Pin-Priority: 1000
Package: kubelet
Pin: version {{ kubernetes_version }}.*
Pin-Priority: 1000

@ -1,14 +0,0 @@
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
{{ kubernetes_config_init_configuration | to_nice_yaml }}
---
kind: ClusterConfiguration
apiVersion: kubeadm.k8s.io/v1beta2
{{ kubernetes_config_cluster_configuration | to_nice_yaml }}
---
{% if kubernetes_config_kubelet_configuration|length > 0 %}
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
{{ kubernetes_config_kubelet_configuration | to_nice_yaml }}
{% endif %}

@ -1,3 +0,0 @@
---
procps_package: procps
kubelet_environment_file_path: /etc/default/kubelet

@ -1,12 +0,0 @@
---
procps_package: procps-ng
kubelet_environment_file_path: /etc/sysconfig/kubelet
kubernetes_packages:
- name: kubelet-{{ kubernetes_version_rhel_package }}-0
state: present
- name: kubectl-{{ kubernetes_version_rhel_package }}-0
state: present
- name: kubeadm-{{ kubernetes_version_rhel_package }}-0
state: present
- name: kubernetes-cni
state: present

@ -23,7 +23,7 @@
- name: "Install and setup kubernetes (single node, master-only cluster) for {{ inventory_hostname }}"
include_role:
name: ansible-role-kubernetes
name: geerlingguy.kubernetes
vars:
kubernetes_version: "{{ awx_kubernetes_version }}"
kubernetes_allow_pods_on_master: true

@ -9,7 +9,6 @@
force_basic_auth: yes
headers:
Content-Type: application/json
status_code: [200]
body: '{{ scanschedule |to_json }}'
status_code: [201,412]
register: create_scanschedule
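Review bot: `status_code: [201,412]` now silently treats a 412 Precondition Failed as success with nothing in the task saying why; a comment above the line such as `# 412: request rejected by the API's precondition check — presumably "schedule already exists"; confirm against the API docs` would make the intent checkable, and `register: create_scanschedule` consumers should be aware `changed` is set in both cases. `force_basic_auth: yes` is a YAML 1.1 truthy value; write `force_basic_auth: true` so the parser-independent meaning is explicit. The task's module, `url` and TLS settings (`validate_certs`) sit before line 9 and are outside the hunk, so they could not be reviewed here.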

@ -1,19 +0,0 @@
Copyright (c) Oefenweb.nl <https://github.com/Oefenweb>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

@ -1,264 +0,0 @@
## postfix
[![CI](https://github.com/Oefenweb/ansible-postfix/workflows/CI/badge.svg)](https://github.com/Oefenweb/ansible-postfix/actions?query=workflow%3ACI)
[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-postfix-blue.svg)](https://galaxy.ansible.com/oefenweb/postfix)
Set up a postfix server in Debian-like systems.
#### Requirements
None
#### Variables
* `postfix_install` [default: `[postfix, mailutils, libsasl2-2, sasl2-bin, libsasl2-modules]`]: Packages to install
* `postfix_hostname` [default: `{{ ansible_fqdn }}`]: Host name, used for `myhostname` and in `mydestination`
* `postfix_mailname` [default: `{{ ansible_fqdn }}`]: Mail name (in `/etc/mailname`), used for `myorigin`
* `postfix_compatibility_level` [optional]: With backwards compatibility turned on (the compatibility_level value is less than the Postfix built-in value), Postfix looks for settings that are left at their implicit default value, and logs a message when a backwards-compatible default setting is required (e.g. `2`, `Postfix >= 3.0`)
* `postfix_default_database_type` [default: `hash`]: The default database type for use in `newaliases`, `postalias` and `postmap` commands
* `postfix_aliases` [default: `[]`]: Aliases to ensure present in `/etc/aliases`
* `postfix_virtual_aliases` [default: `[]`]: Virtual aliases to ensure present in `/etc/postfix/virtual`
* `postfix_sender_canonical_maps` [default: `[]`]: Sender address rewriting in `/etc/postfix/sender_canonical_maps` ([see](http://www.postfix.org/postconf.5.html#transport_maps))
* `postfix_sender_canonical_maps_database_type` [default: `"{{ postfix_default_database_type }}"`]: The database type for use in `postfix_sender_canonical_maps`
* `postfix_recipient_canonical_maps` [default: `[]`]: Recipient address rewriting in `/etc/postfix/recipient_canonical_maps` ([see](http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps))
* `postfix_recipient_canonical_maps_database_type` [default: `"{{ postfix_default_database_type }}"`]: The database type for use in `postfix_recipient_canonical_maps`
* `postfix_transport_maps` [default: `[]`]: Transport mapping based on recipient address `/etc/postfix/transport_maps` ([see](http://www.postfix.org/postconf.5.html#recipient_canonical_maps))
* `postfix_transport_maps_database_type` [default: `"{{ postfix_default_database_type }}"`]: The database type for use in `postfix_transport_maps`
* `postfix_sender_dependent_relayhost_maps` [default: `[]`]: Transport mapping based on sender address `/etc/postfix/sender_dependent_relayhost_maps` ([see](http://www.postfix.org/postconf.5.html#recipient_canonical_maps))
* `postfix_header_checks` [default: `[]`]: Lookup tables for content inspection of primary non-MIME message headers `/etc/postfix/header_checks` ([see](http://www.postfix.org/postconf.5.html#header_checks))
* `postfix_header_checks_database_type` [default: `regexp`]: The database type for use in `header_checks`
* `postfix_generic` [default: `postfix_smtp_generic_maps`]: **Deprecated**, use `postfix_smtp_generic_maps`
* `postfix_smtp_generic_maps` [default: `[]`]: Generic table address mapping in `/etc/postfix/generic` ([see](http://www.postfix.org/generic.5.html))
* `postfix_smtp_generic_maps_database_type` [default: `"{{ postfix_default_database_type }}"`]: The database type for use in `smtp_generic_maps`
* `postfix_mydestination` [default: `["{{ postfix_hostname }}", 'localdomain', 'localhost', 'localhost.localdomain']`]: Specifies what domains this machine will deliver locally, instead of forwarding to another machine
* `postfix_mynetworks` [default: `['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128']`]: The list of "trusted" remote SMTP clients that have more privileges than "strangers"
* `postfix_inet_interfaces` [default: `all`]: Network interfaces to bind ([see](http://www.postfix.org/postconf.5.html#inet_interfaces))
* `postfix_inet_protocols` [default: `all`]: The Internet protocols Postfix will attempt to use when making or accepting connections ([see](http://www.postfix.org/postconf.5.html#inet_protocols))
* `postfix_relayhost` [default: `''` (no relay host)]: Hostname to relay all email to
* `postfix_relayhost_mxlookup` [default: `false` (not using mx lookup)]: Lookup for MX record instead of A record for relayhost
* `postfix_relayhost_port` [default: 587]: Relay port (on `postfix_relayhost`, if set)
* `postfix_relaytls` [default: `false`]: Use TLS when sending with a relay host
* `postfix_smtpd_client_restrictions` [optional]: List of client restrictions ([see](http://www.postfix.org/postconf.5.html#smtpd_client_restrictions))
* `postfix_smtpd_helo_restrictions` [optional]: List of helo restrictions ([see](http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions))
* `postfix_smtpd_sender_restrictions` [optional]: List of sender restrictions ([see](http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions))
* `postfix_smtpd_recipient_restrictions` [optional]: List of recipient restrictions ([see](http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions))
* `postfix_smtpd_relay_restrictions` [optional]: List of access restrictions for mail relay control ([see](http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions))
* `postfix_smtpd_data_restrictions` [optional]: List of data restrictions ([see](http://www.postfix.org/postconf.5.html#smtpd_data_restrictions))
* `postfix_sasl_auth_enable` [default: `true`]: Enable SASL authentication in the SMTP client
* `postfix_sasl_user` [default: `postmaster@{{ ansible_domain }}`]: SASL relay username
* `postfix_sasl_password` [default: `k8+haga4@#pR`]: SASL relay password **Make sure to change!**
* `postfix_sasl_security_options` [default: `noanonymous`]: SMTP client SASL security options
* `postfix_sasl_tls_security_option` [default: `noanonymous`]: SMTP client SASL TLS security options
* `postfix_sasl_mechanism_filter` [default: `''`]: SMTP client SASL authentication mechanism filter ([see](http://www.postfix.org/postconf.5.html#smtp_sasl_mechanism_filter))
* `postfix_smtp_tls_security_level` [default: `encrypt`]: The default SMTP TLS security level for the Postfix SMTP client ([see](http://www.postfix.org/postconf.5.html#smtp_tls_security_level))
* `postfix_smtp_tls_note_starttls_offer` [default: `true`]: Log the hostname of a remote SMTP server that offers STARTTLS, when TLS is not already enabled for that server ([see](http://www.postfix.org/postconf.5.html#smtp_tls_note_starttls_offer))
* `postfix_smtp_tls_cafile` [optional]: A file containing CA certificates of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates (e.g. `/etc/ssl/certs/ca-certificates.crt`)
* `postfix_smtpd_banner` [default: `$myhostname ESMTP $mail_name (Ubuntu)`]: Greeting banner **You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.**
* `postfix_disable_vrfy_command` [default: `false`]: Disable the `SMTP VRFY` command. This stops some techniques used to harvest email addresses
* `postfix_message_size_limit` [default: `10240000`]: The maximal size in bytes of a message, including envelope information
* `postfix_smtpd_tls_cert_file` [default: `/etc/ssl/certs/ssl-cert-snakeoil.pem`]: Path to certificate file
* `postfix_smtpd_tls_key_file` [default: `/etc/ssl/certs/ssl-cert-snakeoil.key`]: Path to key file
* `postfix_raw_options` [default: `[]`]: List of lines (to pass extra (unsupported) configuration)
## Dependencies
* `debconf`
* `debconf-utils`
#### Example(s)
A simple example that doesn't use SASL relaying:
```yaml
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: you@yourdomain.org
```
A simple example with virtual aliases for mail forwarding that doesn't use SASL relaying:
```yaml
---
- hosts: all
roles:
- postfix
vars:
postfix_mydestination:
- "{{ postfix_hostname }}"
- '$mydomain'
- localdomain
- localhost
- localhost.localdomain
postfix_virtual_aliases:
- virtual: webmaster@yourdomain.com
alias: personal_email@gmail.com
- virtual: billandbob@yourdomain.com
alias: bill@gmail.com, bob@gmail.com
```
A simple example that rewrites the sender address:
```yaml
---
- hosts: all
roles:
- postfix
vars:
postfix_sender_canonical_maps:
- sender: root
rewrite: postmaster@yourdomain.org
```
Provide the relay host name if you want to enable relaying:
```yaml
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: you@yourdomain.org
postfix_relayhost: mail.yourdomain.org
```
Provide the relay domain name and use MX records if you want to enable relaying to DNS MX records of a domain:
```yaml
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: you@yourdomain.org
postfix_relayhost: yourdomain.org
postfix_relayhost_mxlookup: true
```
Conditional relaying:
```yaml
---
- hosts: all
roles:
- postfix
vars:
postfix_transport_maps:
- pattern: 'root@yourdomain.org'
result: ':'
- pattern: '*'
result: "smtp:{{ ansible_lo['ipv4']['address'] }}:1025"
postfix_sender_dependent_relayhost_maps:
- pattern: 'logcheck@yourdomain.org'
result: 'DUNNO'
- pattern: 'pflogsumm@yourdomain.org'
result: 'DUNNO'
- pattern: '*'
result: "smtp:{{ ansible_lo['ipv4']['address'] }}:1025"
```
For AWS SES support:
```yaml
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: sesverified@yourdomain.org
postfix_relayhost: email-smtp.us-east-1.amazonaws.com
postfix_relaytls: true
# AWS IAM SES credentials (not access key):
postfix_sasl_user: AKIXXXXXXXXXXXXXXXXX
postfix_sasl_password: ASDFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```
For MailHog support:
```yaml
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: you@yourdomain.org
postfix_relayhost: "{{ ansible_lo['ipv4']['address'] }}"
postfix_relayhost_port: 1025
postfix_sasl_auth_enable: false
```
For Gmail support:
```yaml
---
- hosts: all
roles:
- postfix
vars:
postfix_aliases:
- user: root
alias: you@yourdomain.org
postfix_relayhost: smtp.gmail.com
postfix_relaytls: true
postfix_smtp_tls_cafile: /etc/ssl/certs/ca-certificates.crt
postfix_sasl_user: 'foo'
postfix_sasl_password: 'bar'
```
If you configure your Google account for extra security to use the 2-step verification, then
postfix won't send out emails anymore and you might notice error messages in the `/var/log/mail.log` file
To fix this issue, you need to visit the ([Authorizing applications & sites](http://www.google.com/accounts/IssuedAuthSubTokens?hide_authsub=1))
page under your Google Account settings. On this page enter the name of the application to be authorized (Postfix) and click on Generate button.
Set the `postfix_sasl_password` variable with the password generated by this page.
A simple example that shows how to add some raw config:
```yaml
---
- hosts: all
roles:
- postfix
vars:
postfix_raw_options:
- |
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:opendkim/opendkim.sock unix:opendmarc/opendmarc.sock unix:spamass/spamass.sock unix:clamav/clamav-milter.ctl
milter_connect_macros = "i j {daemon_name} v {if_name} _"
policyd-spf_time_limit = 3600
```
#### License
MIT
#### Author Information
Mischa ter Smitten
#### Feedback, bug-reports, requests, ...
Are [welcome](https://github.com/Oefenweb/ansible-postfix/issues)!

@ -1,63 +0,0 @@
# defaults file
---
postfix_install:
- postfix
- mailutils
- libsasl2-2
- sasl2-bin
- libsasl2-modules
postfix_hostname: "{{ ansible_fqdn }}"
postfix_mailname: "{{ ansible_fqdn }}"
postfix_default_database_type: hash
postfix_aliases: []
postfix_virtual_aliases: []
postfix_sender_canonical_maps: []
postfix_sender_canonical_maps_database_type: "{{ postfix_default_database_type }}"
postfix_recipient_canonical_maps: []
postfix_recipient_canonical_maps_database_type: "{{ postfix_default_database_type }}"
postfix_transport_maps: []
postfix_transport_maps_database_type: "{{ postfix_default_database_type }}"
postfix_sender_dependent_relayhost_maps: []
postfix_header_checks: []
postfix_header_checks_database_type: regexp
postfix_generic: "{{ postfix_smtp_generic_maps }}"
postfix_smtp_generic_maps: []
postfix_smtp_generic_maps_database_type: "{{ postfix_default_database_type }}"
postfix_relayhost: ''
postfix_relayhost_mxlookup: false
postfix_relayhost_port: 587
postfix_relaytls: false
postfix_sasl_auth_enable: true
postfix_sasl_user: "postmaster@{{ ansible_domain }}"
postfix_sasl_password: 'k8+haga4@#pR'
postfix_sasl_security_options: noanonymous
postfix_sasl_tls_security_options: noanonymous
postfix_sasl_mechanism_filter: ''
postfix_smtp_tls_security_level: encrypt
postfix_smtp_tls_note_starttls_offer: true
postfix_inet_interfaces: all
postfix_inet_protocols: all
postfix_mydestination:
- "{{ postfix_hostname }}"
- localdomain
- localhost
- localhost.localdomain
postfix_mynetworks:
- 127.0.0.0/8
- '[::ffff:127.0.0.0]/104'
- '[::1]/128'
postfix_smtpd_banner: '$myhostname ESMTP $mail_name (Ubuntu)'
postfix_disable_vrfy_command: false
postfix_message_size_limit: 10240000
postfix_smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
postfix_smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
postfix_raw_options: []

@ -1,47 +0,0 @@
# handlers file
---
- name: new aliases
command: newaliases
when: postfix_default_database_type != 'regexp'
- name: new virtual aliases
command: postmap {{ postfix_default_database_type }}:{{ postfix_virtual_aliases_file }}
when: postfix_default_database_type != 'regexp'
- name: postmap sasl_passwd
command: postmap -p {{ postfix_default_database_type }}:{{ postfix_sasl_passwd_file }}
when: postfix_default_database_type != 'regexp'
- name: postmap sender_canonical_maps
command: postmap {{ postfix_sender_canonical_maps_database_type }}:{{ postfix_sender_canonical_maps_file }}
when: postfix_sender_canonical_maps_database_type != 'regexp'
- name: postmap recipient_canonical_maps
command: postmap {{ postfix_recipient_canonical_maps_database_type }}:{{ postfix_recipient_canonical_maps_file }}
when: postfix_recipient_canonical_maps_database_type != 'regexp'
- name: postmap transport_maps
command: postmap {{ postfix_transport_maps_database_type }}:{{ postfix_transport_maps_file }}
when: postfix_transport_maps_database_type != 'regexp'
- name: postmap sender_dependent_relayhost_maps
command: postmap {{ postfix_default_database_type }}:{{ postfix_sender_dependent_relayhost_maps_file }}
when: postfix_default_database_type != 'regexp'
- name: postmap generic
command: postmap {{ postfix_smtp_generic_maps_database_type }}:{{ postfix_smtp_generic_maps_file }}
when: postfix_smtp_generic_maps_database_type != 'regexp'
- name: remove pid
file:
path: "~postfix/pid/master.pid"
state: absent
listen: restart postfix
when: is_docker_guest
- name: restart service
service:
name: postfix
state: restarted
listen: restart postfix
when: service_default_state | default('started') == 'started'

@ -1,25 +0,0 @@
# meta file
---
galaxy_info:
namespace: oefenweb
role_name: postfix
author: Mischa ter Smitten
company: Oefenweb.nl B.V.
description: Set up a postfix server in Debian-like systems
license: MIT
min_ansible_version: 2.8.0
platforms:
- name: Ubuntu
versions:
- xenial
- bionic
- focal
- name: Debian
versions:
- jessie
- stretch
- buster
galaxy_tags:
- system
- web
dependencies: []

@ -1,6 +0,0 @@
---
- name: Converge
hosts: all
become: true
roles:
- ../../../

@ -1,19 +0,0 @@
---
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-ubuntu1604}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
prepare: prepare.yml
converge: converge.yml
verify: verify.yml

@ -1,5 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks: []

@ -1,5 +0,0 @@
---
- name: Verify
hosts: all
become: true
tasks: []

@ -1,261 +1,5 @@
---
### tags:
### configuration
### postfix
### postfix-facts
### postfix-install
### postfix-mailname
### postfix-configuration
### postfix-sasl-passwd
### postfix-aliases
### postfix-virtual-aliases
### postfix-sender-canonical-maps
### postfix-transport-maps
### postfix-sender-dependent-relayhost-maps
### postfix-generic-table
### postfix-header-checks-table
### postfix-start-enable-service
- name: facts | set
set_fact:
is_docker_guest: "{{ ansible_virtualization_role | default('host') == 'guest' and ansible_virtualization_type | default('none') == 'docker' }}"
tags:
- configuration
- postfix
- postfix-facts
- name: configure debconf
debconf:
name: "{{ item.name }}"
question: "{{ item.question }}"
value: "{{ item.value }}"
vtype: "{{ item.vtype }}"
with_items: "{{ postfix_debconf_selections }}"
tags:
- configuration
- postfix
- postfix-install
- name: install package
apt:
name: "{{ postfix_install }}"
state: "{{ apt_install_state | default('latest') }}"
update_cache: true
cache_valid_time: "{{ apt_update_cache_valid_time | default(3600) }}"
tags:
- configuration
- postfix
- postfix-install
- name: configure mailname
template:
src: "{{ postfix_mailname_file.lstrip('/') }}.j2"
dest: "{{ postfix_mailname_file }}"
owner: root
group: root
mode: 0644
notify: restart postfix
tags:
- configuration
- postfix
- postfix-mailname
- name: update configuration file
template:
src: "{{ postfix_main_cf.lstrip('/') }}.j2"
dest: "{{ postfix_main_cf }}"
owner: root
group: root
mode: 0644
notify: restart postfix
tags:
- configuration
- postfix
- postfix-configuration
- name: configure sasl username/password
template:
src: "{{ postfix_sasl_passwd_file.lstrip('/') }}.j2"
dest: "{{ postfix_sasl_passwd_file }}"
owner: root
group: root
mode: 0600
when:
- postfix_relayhost | length
- postfix_sasl_auth_enable | bool
no_log: "{{ not ansible_check_mode }}"
notify:
- postmap sasl_passwd
- restart postfix
tags:
- configuration
- postfix
- postfix-sasl-passwd
- name: configure aliases
template:
src: "{{ postfix_aliases_file.lstrip('/') }}.j2"
dest: "{{ postfix_aliases_file }}"
owner: root
group: root
mode: 0644
notify:
- new aliases
- restart postfix
tags:
- configuration
- postfix
- postfix-aliases
- name: check if aliases.db exists
stat:
path: "{{ postfix_aliases_file }}.db"
register: _aliasesdb
changed_when: not _aliasesdb.stat.exists
when: postfix_default_database_type == 'hash'
notify:
- new aliases
- restart postfix
tags:
- configuration
- postfix
- postfix-aliases
- name: configure virtual aliases
lineinfile:
dest: "{{ postfix_virtual_aliases_file }}"
regexp: '^{{ item.virtual | regex_escape }}\s.*'
line: '{{ item.virtual }} {{ item.alias }}'
owner: root
group: root
mode: 0644
create: true
state: present
with_items: "{{ postfix_virtual_aliases }}"
notify:
- new virtual aliases
- restart postfix
tags:
- configuration
- postfix
- postfix-virtual-aliases
- name: configure sender canonical maps
lineinfile:
dest: "{{ postfix_sender_canonical_maps_file }}"
regexp: '^{{ item.sender | regex_escape }}\s.*'
line: '{{ item.sender }} {{ item.rewrite }}'
owner: root
group: root
mode: 0644
create: true
state: present
with_items: "{{ postfix_sender_canonical_maps }}"
notify:
- postmap sender_canonical_maps
- restart postfix
tags:
- configuration
- postfix
- postfix-sender-canonical-maps
- name: configure recipient canonical maps
lineinfile:
dest: "{{ postfix_recipient_canonical_maps_file }}"
regexp: '^{{ item.recipient | regex_escape }}\s.*'
line: '{{ item.recipient }} {{ item.rewrite }}'
owner: root
group: root
mode: 0644
create: true
state: present
with_items: "{{ postfix_recipient_canonical_maps }}"
notify:
- postmap recipient_canonical_maps
- restart postfix
tags:
- configuration
- postfix
- postfix-recipient-canonical-maps
- name: configure transport maps
lineinfile:
dest: "{{ postfix_transport_maps_file }}"
regexp: '^{{ item.pattern | regex_escape }}\s.*'
line: '{{ item.pattern }} {{ item.result }}'
owner: root
group: root
mode: 0644
create: true
state: present
with_items: "{{ postfix_transport_maps }}"
notify:
- postmap transport_maps
- restart postfix
tags:
- configuration
- postfix
- postfix-transport-maps
- name: configure sender dependent relayhost maps
lineinfile:
dest: "{{ postfix_sender_dependent_relayhost_maps_file }}"
regexp: '^{{ item.pattern | regex_escape }}\s.*'
line: '{{ item.pattern }} {{ item.result }}'
owner: root
group: root
mode: 0644
create: true
state: present
with_items: "{{ postfix_sender_dependent_relayhost_maps }}"
notify:
- postmap sender_dependent_relayhost_maps
- restart postfix
tags:
- configuration
- postfix
- postfix-sender-dependent-relayhost-maps
- name: configure generic table
lineinfile:
dest: "{{ postfix_smtp_generic_maps_file }}"
regexp: '^{{ item.pattern | regex_escape }}\s.*'
line: '{{ item.pattern }} {{ item.result }}'
owner: root
group: root
mode: 0644
create: true
state: present
with_items: "{{ postfix_smtp_generic_maps }}"
notify:
- postmap generic
- restart postfix
tags:
- configuration
- postfix
- postfix-generic-table
- name: configure header checks
template:
src: "{{ postfix_header_checks_file.lstrip('/') }}.j2"
dest: "{{ postfix_header_checks_file }}"
owner: root
group: root
mode: 0644
notify:
- restart postfix
tags:
- configuration
- postfix
- postfix-header-checks-table
- name: start and enable service
service:
name: postfix
state: "{{ service_default_state | default('started') }}"
enabled: "{{ service_default_enabled | default(true) | bool }}"
tags:
- configuration
- postfix
- postfix-start-enable-service
- name: "Install postfix via included upstream role"
include_role:
name: postfix
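Review bot: The `include_role` that replaces this file passes no `vars:`, so the upstream role's own defaults apply, and the vendored copy deleted in this hunk shipped a published placeholder `postfix_sasl_password: 'k8+haga4@#pR'` (its README flagged it "Make sure to change!") together with `postfix_sasl_auth_enable: true`; if the pinned upstream role keeps those defaults, any host with `postfix_relayhost` set would get a known credential written into `sasl_passwd` unless the wrapper overrides it somewhere outside this hunk. Confirm that override exists, or pass the relay credentials explicitly from a vaulted source, e.g. `vars:` with `postfix_sasl_user: "{{ relay_sasl_user }}"` and `postfix_sasl_password: "{{ relay_sasl_password }}"` (placeholder variable names). A comment above the include such as `# upstream role: Oefenweb/ansible-postfix, version pinned in requirements.yml` would make the dependency visible to readers of this file, since `name: postfix` alone does not say where it comes from. The deleted tasks also applied `no_log` to the sasl_passwd template and `mode: 0600` to the file; verify the upstream role preserves both so the password neither lands in job output nor becomes world-readable.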

@ -1,7 +0,0 @@
{{ ansible_managed | comment }}
# See man 5 aliases for format
postmaster: root
{% for alias in postfix_aliases %}
{{ alias.user }}: {{ alias.alias }}
{% endfor %}

@ -1 +0,0 @@
{{ postfix_mailname }}

@ -1,5 +0,0 @@
# {{ ansible_managed }}
{% for rule in postfix_header_checks | default([]) %}
{{ rule.pattern }} {{ rule.action }} {% if rule.text is defined %}{{ rule.text }}{% endif %}
{% endfor %}

@ -1,126 +0,0 @@
# {{ ansible_managed }}
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
myorigin = {{ postfix_mailname_file }}
smtpd_banner = {{ postfix_smtpd_banner }}
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
{% if postfix_compatibility_level is defined %}
compatibility_level = {{ postfix_compatibility_level }}
{% endif %}
# TLS parameters
smtpd_tls_cert_file = {{ postfix_smtpd_tls_cert_file }}
smtpd_tls_key_file = {{ postfix_smtpd_tls_key_file }}
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = {{ postfix_hostname }}
default_database_type = {{ postfix_default_database_type }}
alias_maps = {{ postfix_default_database_type }}:{{ postfix_aliases_file }}
alias_database = {{ postfix_default_database_type }}:{{ postfix_aliases_file }}
{% if postfix_virtual_aliases %}
virtual_alias_maps = {{ postfix_default_database_type }}:{{ postfix_virtual_aliases_file }}
{% endif %}
{% if postfix_sender_canonical_maps %}
sender_canonical_maps = {{ postfix_sender_canonical_maps_database_type }}:{{ postfix_sender_canonical_maps_file }}
{% endif %}
{% if postfix_recipient_canonical_maps %}
recipient_canonical_maps = {{ postfix_recipient_canonical_maps_database_type }}:{{ postfix_recipient_canonical_maps_file }}
{% endif %}
{% if postfix_transport_maps %}
transport_maps = {{ postfix_transport_maps_database_type }}:{{ postfix_transport_maps_file }}
{% endif %}
{% if postfix_sender_dependent_relayhost_maps %}
sender_dependent_relayhost_maps = {{ postfix_default_database_type }}:{{ postfix_sender_dependent_relayhost_maps_file }}
{% endif %}
{% if postfix_smtp_generic_maps %}
smtp_generic_maps = {{ postfix_smtp_generic_maps_database_type }}:{{ postfix_smtp_generic_maps_file }}
{% endif %}
{% if postfix_header_checks %}
smtp_header_checks = {{ postfix_header_checks_database_type }}:{{ postfix_header_checks_file }}
{% endif %}
mydestination = {{ postfix_mydestination | join(', ') }}
mynetworks = {{ postfix_mynetworks | join(' ') }}
mailbox_size_limit = 0
recipient_delimiter = +
{% if postfix_inet_interfaces is string %}
inet_interfaces = {{ postfix_inet_interfaces }}
{% else %}
inet_interfaces = {{ postfix_inet_interfaces | join(', ') }}
{% endif %}
{% if postfix_inet_protocols is string %}
inet_protocols = {{ postfix_inet_protocols }}
{% else %}
inet_protocols = {{ postfix_inet_protocols | join(', ') }}
{% endif %}
{% if postfix_relayhost %}
{% if postfix_relayhost_mxlookup %}
relayhost = {{ postfix_relayhost }}:{{ postfix_relayhost_port }}
{% else %}
relayhost = [{{ postfix_relayhost }}]:{{ postfix_relayhost_port }}
{% endif %}
{% if postfix_sasl_auth_enable %}
smtp_sasl_auth_enable = {{ postfix_sasl_auth_enable | bool | ternary('yes', 'no') }}
smtp_sasl_password_maps = {{ postfix_default_database_type }}:{{ postfix_sasl_passwd_file }}
smtp_sasl_security_options = {{ postfix_sasl_security_options }}
smtp_sasl_tls_security_options = {{ postfix_sasl_tls_security_options }}
smtp_sasl_mechanism_filter = {{ postfix_sasl_mechanism_filter }}
{% endif %}
{% if postfix_relaytls %}
smtp_use_tls = {{ postfix_relaytls | bool | ternary('yes', 'no') }}
smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}
smtp_tls_note_starttls_offer = {{ postfix_smtp_tls_note_starttls_offer | bool | ternary('yes', 'no') }}
{% if postfix_smtp_tls_cafile is defined %}
smtp_tls_CAfile = {{ postfix_smtp_tls_cafile }}
{% endif %}
{% endif %}
{% else %}
relayhost =
{% endif %}
{% if postfix_smtpd_client_restrictions is defined %}
smtpd_client_restrictions = {{ postfix_smtpd_client_restrictions | join(', ') }}
{% endif %}
{% if postfix_smtpd_helo_restrictions is defined %}
smtpd_helo_restrictions = {{ postfix_smtpd_helo_restrictions | join(', ') }}
{% endif %}
{% if postfix_smtpd_sender_restrictions is defined %}
smtpd_sender_restrictions = {{ postfix_smtpd_sender_restrictions | join(', ') }}
{% endif %}
{% if postfix_smtpd_recipient_restrictions is defined %}
smtpd_recipient_restrictions = {{ postfix_smtpd_recipient_restrictions | join(', ') }}
{% endif %}
{% if postfix_smtpd_relay_restrictions is defined %}
smtpd_relay_restrictions = {{ postfix_smtpd_relay_restrictions | join(', ') }}
{% endif %}
{% if postfix_smtpd_data_restrictions is defined %}
smtpd_data_restrictions = {{ postfix_smtpd_data_restrictions | join(', ') }}
{% endif %}
message_size_limit = {{ postfix_message_size_limit }}
# Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.
disable_vrfy_command = {{ postfix_disable_vrfy_command | bool | ternary('yes', 'no') }}
{% for raw_option in postfix_raw_options | default([]) %}
{{ raw_option }}
{% endfor %}

@ -1,7 +0,0 @@
# {{ ansible_managed }}
{% if postfix_relayhost_mxlookup %}
{{ postfix_relayhost }}:{{ postfix_relayhost_port }} {{ postfix_sasl_user }}:{{ postfix_sasl_password }}
{% else %}
[{{ postfix_relayhost }}]:{{ postfix_relayhost_port }} {{ postfix_sasl_user }}:{{ postfix_sasl_password }}
{% endif %}

@ -1,19 +0,0 @@
# vars file
---
postfix_debconf_selections:
- name: postfix
question: postfix/main_mailer_type
value: No configuration
vtype: select
postfix_main_cf: /etc/postfix/main.cf
postfix_mailname_file: /etc/mailname
postfix_aliases_file: /etc/aliases
postfix_virtual_aliases_file: /etc/postfix/virtual
postfix_sasl_passwd_file: /etc/postfix/sasl_passwd
postfix_sender_canonical_maps_file: /etc/postfix/sender_canonical_maps
postfix_recipient_canonical_maps_file: /etc/postfix/recipient_canonical_maps
postfix_transport_maps_file: /etc/postfix/transport_maps
postfix_sender_dependent_relayhost_maps_file: /etc/postfix/sender_dependent_relayhost_maps
postfix_smtp_generic_maps_file: /etc/postfix/generic
postfix_header_checks_file: /etc/postfix/header_checks