author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-03 22:38:06 -0400 |
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-03 22:38:06 -0400 |
commit | a1bddcb1de1053994fb445267ca5d1ffaecb0fb5 (patch) | |
tree | ba2f614ac93dabc6b148037fc604966c7907b384 /scripts | |
parent | 47f90d0916ac34ef132e3bb6da92a4a67dffbba8 (diff) | |
download | infrastructure-a1bddcb1de1053994fb445267ca5d1ffaecb0fb5.tar.gz |
more postfix/rspamd stuff
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/hostclass/pkg_repository | 22 | ||||
-rw-r--r-- | scripts/hostclass/smtp_server/10-rspamd | 10 | ||||
-rw-r--r-- | scripts/hostclass/smtp_server/20-postfix | 4 |
3 files changed, 27 insertions, 9 deletions
diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository
index a356b3e..6070794 100644
--- a/scripts/hostclass/pkg_repository
+++ b/scripts/hostclass/pkg_repository
@@ -11,11 +11,17 @@
 poudriere_data_dir=/usr/local/poudriere
 poudriere_conf_dir=/usr/local/etc/poudriere.d
+poudriere_patch_dir="${poudriere_conf_dir}/patches"
 # Create poudriere datasets.
 create_dataset -o "mountpoint=${poudriere_data_dir}" "${state_dataset}/poudriere"
 create_dataset -o "mountpoint=${poudriere_conf_dir}" "${state_dataset}/poudriere-config"
+# Since we're doing a ton of compilation, disable sync on the poudriere dataset.
+# Possibly snakeoil, but my hope is that most file I/O will end up in the ARC cache
+# and not thrash the disks.
+zfs set sync=disabled "${poudriere_dataset}/poudriere"
+
 # These packages are needed to bootstrap poudriere. On the first run, they'll
 # be installed from the public FreeBSD repos.
 pkg install -y \
@@ -45,12 +51,20 @@ service nginx restart
 # Create and update the `latest` ports tree.
 [ -d "${poudriere_data_dir}/ports/latest" ] || poudriere ports -c -v -p latest
+git -C "${poudriere_data_dir}/ports/latest" restore :/
+git -C "${poudriere_data_dir}/ports/latest" clean -f
 poudriere ports -v -u -p latest
-# Since we're doing a ton of compilation, disable sync on the poudriere dataset.
-# Possibly snakeoil, but my hope is that most file I/O will end up in the ARC cache
-# and not thrash the disks.
-zfs set sync=disabled "${poudriere_dataset}/poudriere"
+# Apply custom patches.
+install_directory -m 0755 "$poudriere_patch_dir"
+rm -f "${poudriere_patch_dir}/"*.patch
+install_file -m 0644 \
+  "${poudriere_patch_dir}/postgresql16-gssapi.patch"
+
+for patch in "${poudriere_patch_dir}/"*.patch; do
+  [ -f "$patch" ] || continue
+  patch -d "${poudriere_data_dir}/ports/latest" -u < "$patch"
+done
 # For each specified FreeBSD version, build all packages.
 for version in $poudriere_versions; do
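Review bot: The patch loop at the end of the second hunk applies each file with `patch -d … -u < "$patch"` but never checks the result, so a hunk that stops applying after `poudriere ports -v -u -p latest` refreshes the tree leaves `.rej` files behind and the package build proceeds on a half-patched port with no signal; unless the script runs under `set -e` (not visible here), the call should be `patch -d "${poudriere_data_dir}/ports/latest" -u < "$patch" || exit 1`. The invocation also depends on patch's default path stripping since no `-p` level is given; pinning the level the patches were generated with (`-p0` or `-p1`, whichever matches) makes the loop independent of that default. A minor readability point: the loop variable `patch` shares its name with the command it feeds, and `patch_file` would read more clearly. The `for version` loop that starts at the end of the hunk continues outside it.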
diff --git a/scripts/hostclass/smtp_server/10-rspamd b/scripts/hostclass/smtp_server/10-rspamd
index d104e9c..094dc8a 100644
--- a/scripts/hostclass/smtp_server/10-rspamd
+++ b/scripts/hostclass/smtp_server/10-rspamd
@@ -5,6 +5,7 @@
 : ${rspamd_domain_whitelist:=''}
 : ${rspamd_port:='11334'}
 : ${rspamd_redis_maxmemory:='1g'}
+: ${rspamd_admin_users:=''}
 : ${postfix_virtual_domains:="$email_domain"}
 postfix_user=postfix
@@ -22,6 +23,7 @@ rspamd_redis_data_dir="${redis_data_dir}/rspamd"
 rspamd_bayes_redis_data_dir="${redis_data_dir}/rspamd-bayes"
 rspamd_tls_cert=/usr/local/etc/nginx/rspamd.crt
 rspamd_tls_key=/usr/local/etc/nginx/rspamd.key
+nginx_keytab="${keytab_dir}/nginx.keytab"
 pkg install -y \
   postfix \
@@ -85,9 +87,15 @@ pw groupmod "$redis_user" -m "$rspamd_user"
 # Generate nginx configuration.
 install_template -m 0644 \
   /usr/local/etc/nginx/nginx.conf \
-  /usr/local/etc/nginx/acme.conf \
   /usr/local/etc/nginx/vhosts.conf
+# Create HTTP service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "HTTP/${fqdn}"
+
+ktadd -k "$nginx_keytab" "HTTP/${fqdn}"
+chgrp "$nginx_user" "$nginx_keytab"
+chmod 640 "$nginx_keytab"
+
 # Copy TLS certificate for nginx.
 install_certificate nginx "$rspamd_tls_cert"
 install_certificate_key nginx "$rspamd_tls_key"
diff --git a/scripts/hostclass/smtp_server/20-postfix b/scripts/hostclass/smtp_server/20-postfix
index 6f891da..0d4830f 100644
--- a/scripts/hostclass/smtp_server/20-postfix
+++ b/scripts/hostclass/smtp_server/20-postfix
@@ -21,7 +21,6 @@ postfix_public_tls_cert="${acme_cert_dir}/postfix.crt"
 postfix_public_tls_key="${acme_cert_dir}/postfix.key"
 postfix_local_tls_cert="${postfix_conf_dir}/postfix.crt"
 postfix_local_tls_key="${postfix_conf_dir}/postfix.key"
-postfix_dhparams="${postfix_conf_dir}/dhparams.pem"
 # Install packages.
 pkg install -y \
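Review bot: The keytab step in the last hunk of 10-rspamd is not idempotent: `ktadd -k "$nginx_keytab" "HTTP/${fqdn}"` appends a new entry to an existing keytab, and if this is MIT kadmin's ktadd (or a wrapper over it, as `add_principal` appears to be) it also re-keys the principal on every run, so repeated provisioning accumulates stale key versions in the file. Removing the previous file first, `rm -f -- "$nginx_keytab"` ahead of the ktadd call, keeps the keytab to the current kvno. The file also exists with whatever mode ktadd creates it under before `chgrp` and `chmod 640` run; if the helper honours the umask rather than creating 0600, an `umask 077` around the call closes that window, which is worth confirming against the helper's implementation. `nginx_user` and `keytab_dir` are not defined in the visible hunks, presumably earlier in the script.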
@@ -55,9 +54,6 @@ install_directory -m 0750 -o "$saslauthd_user" -g "$postfix_user" "$saslauthd_ru
 install_certificate -m 0644 -o root -g "$postfix_user" postfix "$postfix_local_tls_cert"
 install_certificate_key -m 0640 -o root -g "$postfix_user" postfix "$postfix_local_tls_key"
-# Generate dhparams.
-[ -f "$postfix_dhparams" ] || openssl dhparam -out "$postfix_dhparams" 2048
-
 if [ "$postfix_public_fqdn" != "$fqdn" ]; then
   # Acquire public TLS certificate.
   install_file /usr/local/etc/sudoers.d/acme