authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/rspamd
initial commit
Diffstat (limited to 'roles/rspamd')
-rw-r--r--roles/rspamd/defaults/main.yml12
-rw-r--r--roles/rspamd/handlers/main.yml4
-rw-r--r--roles/rspamd/meta/main.yml19
-rw-r--r--roles/rspamd/tasks/main.yml76
-rw-r--r--roles/rspamd/templates/etc/rspamd/local.d/classifier-bayes.conf.j23
-rw-r--r--roles/rspamd/templates/etc/rspamd/local.d/dkim_signing.conf.j23
-rw-r--r--roles/rspamd/templates/etc/rspamd/local.d/greylist.conf.j21
-rw-r--r--roles/rspamd/templates/etc/rspamd/local.d/logging.inc.j21
-rw-r--r--roles/rspamd/templates/etc/rspamd/local.d/multimap.conf.j29
-rw-r--r--roles/rspamd/templates/etc/rspamd/local.d/phishing.conf.j21
-rw-r--r--roles/rspamd/templates/etc/rspamd/local.d/redis.conf.j21
-rw-r--r--roles/rspamd/templates/etc/rspamd/local.d/replies.conf.j21
-rw-r--r--roles/rspamd/templates/etc/rspamd/local.d/worker-controller.inc.j211
-rw-r--r--roles/rspamd/templates/etc/rspamd/local.d/worker-normal.inc.j21
-rw-r--r--roles/rspamd/templates/etc/rspamd/local.d/worker-proxy.inc.j27
-rw-r--r--roles/rspamd/vars/main.yml30
16 files changed, 180 insertions, 0 deletions
diff --git a/roles/rspamd/defaults/main.yml b/roles/rspamd/defaults/main.yml
new file mode 100644
index 0000000..9caad05
--- /dev/null
+++ b/roles/rspamd/defaults/main.yml
@@ -0,0 +1,12 @@
+rspamd_milter_port: 11332
+rspamd_milter_process_count: '{{ ansible_processor_vcpus }}'
+rspamd_controller_port: 11334
+rspamd_redis_port: 6379
+rspamd_redis_bayes_port: 6380
+rspamd_redis_max_memory: 512mb
+rspamd_admin_group: role-rspamd-admin
+
+rspamd_dkim_keys: {}
+rspamd_dkim_selector: dkim
+
+rspamd_domain_whitelist: []
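Review bot: The templates in this commit read `rspamd_password_hash`, `rspamd_privkey` and `rspamd_pubkey` (worker-controller.inc.j2) and the tasks read `ipa_user` and `ipa_pass`, yet none of these is declared or documented here, so a caller who omits one only finds out when the template task fails part-way through a run. Document the required inputs at the top of this file, e.g. `# Required, no default - must be set by the caller: rspamd_password_hash, rspamd_privkey, rspamd_pubkey, ipa_user, ipa_pass`, or add an `assert` task with `that: [rspamd_password_hash is defined, ...]` before anything is rendered. The file should also start with `---`, as yamllint expects and the other YAML in the repository presumably does.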
diff --git a/roles/rspamd/handlers/main.yml b/roles/rspamd/handlers/main.yml
new file mode 100644
index 0000000..a355c9e
--- /dev/null
+++ b/roles/rspamd/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart rspamd
+ systemd:
+ name: rspamd
+ state: restarted
diff --git a/roles/rspamd/meta/main.yml b/roles/rspamd/meta/main.yml
new file mode 100644
index 0000000..0bc5383
--- /dev/null
+++ b/roles/rspamd/meta/main.yml
@@ -0,0 +1,19 @@
+dependencies:
+ - role: yum
+ yum_repositories:
+ - epel
+ - rspamd
+ tags: yum
+
+ - role: redis
+ redis_port: '{{ rspamd_redis_port }}'
+ vars:
+ redis_max_memory: '{{ rspamd_redis_max_memory }}'
+ tags: redis
+
+ - role: redis
+ redis_port: '{{ rspamd_redis_bayes_port }}'
+ vars:
+ redis_max_memory: '{{ rspamd_redis_max_memory }}'
+ redis_max_memory_policy: volatile-ttl
+ tags: redis
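Review bot: The two `redis` dependencies pass `redis_port` as a role parameter but `redis_max_memory` and `redis_max_memory_policy` under `vars:`, which reads as two different mechanisms for the same thing; pick one form for all three keys so a reader does not wonder whether the split is intentional. Worth a comment above the second entry as well, since Ansible only runs the same dependency twice when its parameters differ: `# second redis instance for the bayes classifier; distinct redis_port keeps it from being deduplicated`.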
diff --git a/roles/rspamd/tasks/main.yml b/roles/rspamd/tasks/main.yml
new file mode 100644
index 0000000..d9da674
--- /dev/null
+++ b/roles/rspamd/tasks/main.yml
@@ -0,0 +1,76 @@
+- name: install packages
+ dnf:
+ name: '{{ rspamd_packages }}'
+ state: present
+
+- name: generate config files
+ template:
+ src: '{{ item.src }}'
+ dest: /etc/rspamd/{{ item.path | splitext | first }}
+ loop: "{{ lookup('filetree', '../templates/etc/rspamd', wantlist=True) }}"
+ loop_control:
+ label: '{{ item.path }}'
+ when: item.state == 'file'
+ notify: restart rspamd
+
+- name: create dkim directory
+ file:
+ path: '{{ rspamd_data_dir }}/dkim'
+ state: directory
+ owner: root
+ group: '{{ rspamd_group }}'
+ mode: 0750
+
+- name: generate dkim keys
+ copy:
+ content: '{{ item.value }}'
+ dest: '{{ rspamd_data_dir }}/dkim/{{ item.key }}.{{ rspamd_dkim_selector }}.key'
+ owner: root
+ group: '{{ rspamd_group }}'
+ mode: 0440
+ loop: '{{ rspamd_dkim_keys | dict2items }}'
+ loop_control:
+ label: '{{ item.key }}'
+
+- name: generate domain whitelist
+ copy:
+ content: |
+ {% for domain in rspamd_domain_whitelist %}
+ {{ domain }}
+ {% endfor %}
+ dest: /etc/rspamd/maps.d/domain-whitelist.map
+ tags: whitelist
+
+- name: open firewall ports
+ firewalld:
+ port: '{{ item }}/tcp'
+ permanent: yes
+ immediate: yes
+ state: enabled
+ loop:
+ - '{{ rspamd_milter_port }}'
+ - '{{ rspamd_controller_port }}'
+ tags: firewalld
+
+- name: set http_port_t selinux context for http port
+ seport:
+ ports: '{{ rspamd_controller_port }}'
+ proto: tcp
+ setype: http_port_t
+ state: present
+ tags: selinux
+
+- name: enable rspamd
+ systemd:
+ name: rspamd
+ enabled: yes
+ state: started
+
+- name: create rspamd admin group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ rspamd_admin_group }}'
+ nonposix: yes
+ state: present
+ run_once: yes
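Review bot: The `generate config files` task sets no `owner`, `group` or `mode`, so every rendered file under /etc/rspamd — including worker-controller.inc, which this commit's template fills with `rspamd_privkey` and `rspamd_password_hash` — gets whatever the remote umask yields, presumably a world-readable 0644. Pass `group: '{{ rspamd_group }}'` and `mode: '0640'` (constructed values; adjust to what rspamd needs to read local.d) on that task, and add `no_log: true` to it and to `generate dkim keys` so private-key material does not land in diff output or callback logs. On the style side, `permanent: yes`, `immediate: yes`, `enabled: yes`, `nonposix: yes` and `run_once: yes` should be `true`, and `mode: 0750` / `mode: 0440` should be quoted as `'0750'` / `'0440'` — a leading-zero octal literal depends on YAML 1.1 parsing and is flagged by yamllint and ansible-lint.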
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/classifier-bayes.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/classifier-bayes.conf.j2
new file mode 100644
index 0000000..e40dd74
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/classifier-bayes.conf.j2
@@ -0,0 +1,3 @@
+backend = "redis";
+servers = "localhost:{{ rspamd_redis_bayes_port }}";
+autolearn = true;
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/dkim_signing.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/dkim_signing.conf.j2
new file mode 100644
index 0000000..4e04b54
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/dkim_signing.conf.j2
@@ -0,0 +1,3 @@
+path = "{{ rspamd_data_dir }}/dkim/$domain.$selector.key";
+selector = "{{ rspamd_dkim_selector }}";
+allow_username_mismatch = true;
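Review bot: `allow_username_mismatch = true` switches off rspamd's check that the authenticated sender matches the domain being signed, so presumably any authenticated user can obtain a signature for any domain that has a key under `rspamd_dkim_keys`; that is a reasonable trade-off on a single-tenant server but it deserves a comment. Something like `# authenticated users may send as any of our domains; only domains with a key in rspamd_dkim_keys get signed` above the line tells the next maintainer it is intentional. It is also worth confirming and noting that a From: domain with no key file under `{{ rspamd_data_dir }}/dkim` is simply left unsigned rather than causing an error.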
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/greylist.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/greylist.conf.j2
new file mode 100644
index 0000000..2c675a1
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/greylist.conf.j2
@@ -0,0 +1 @@
+servers = "localhost:{{ rspamd_redis_port }}";
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/logging.inc.j2 b/roles/rspamd/templates/etc/rspamd/local.d/logging.inc.j2
new file mode 100644
index 0000000..b2ff81c
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/logging.inc.j2
@@ -0,0 +1 @@
+type = console
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/multimap.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/multimap.conf.j2
new file mode 100644
index 0000000..7247f93
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/multimap.conf.j2
@@ -0,0 +1,9 @@
+sender_from_whitelist_domain {
+ type = "header";
+ header = "from";
+ filter = "email:domain";
+ map = "file://$LOCAL_CONFDIR/maps.d/domain-whitelist.map";
+ symbol = "SENDER_FROM_WHITELIST_DOMAIN";
+ description = "Local sender domain whitelist";
+ score = -6.0;
+}
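Review bot: `sender_from_whitelist_domain` keys on the `From:` header domain alone and awards -6.0, but that header is chosen by the sender, so a message that merely names a whitelisted domain in `From:` collects the bonus with no authentication result behind it. Unless the map is meant only for domains whose mail never arrives over untrusted paths, gate the rule on an authentication result — rspamd's whitelist module (local.d/whitelist.conf) can whitelist domains conditioned on valid DKIM/SPF/DMARC, and I believe multimap rules also accept a `require_symbols` condition if you prefer to keep this rule — and record the decision above the rule, e.g. `# NOTE: matches the unauthenticated From: header; keep the map to domains whose mail is DKIM/SPF-verified or gate this rule on an auth symbol`.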
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/phishing.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/phishing.conf.j2
new file mode 100644
index 0000000..caa3afe
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/phishing.conf.j2
@@ -0,0 +1 @@
+openphish_enabled = true;
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/redis.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/redis.conf.j2
new file mode 100644
index 0000000..2c675a1
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/redis.conf.j2
@@ -0,0 +1 @@
+servers = "localhost:{{ rspamd_redis_port }}";
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/replies.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/replies.conf.j2
new file mode 100644
index 0000000..470f484
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/replies.conf.j2
@@ -0,0 +1 @@
+servers = "localhost:{{ rspamd_redis_port }}"
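Review bot: This line drops the terminating `;` that the otherwise identical lines in greylist.conf.j2 and redis.conf.j2 carry. UCL accepts either form, so nothing breaks, but keeping the three one-liners byte-for-byte the same makes the duplication obvious and easier to collapse later; change it to `servers = "localhost:{{ rspamd_redis_port }}";`.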
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/worker-controller.inc.j2 b/roles/rspamd/templates/etc/rspamd/local.d/worker-controller.inc.j2
new file mode 100644
index 0000000..e0bc633
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/worker-controller.inc.j2
@@ -0,0 +1,11 @@
+bind_socket = 0.0.0.0:{{ rspamd_controller_port }}
+
+password = {{ rspamd_password_hash }}
+
+keypair {
+ algorithm = "curve25519";
+ privkey = "{{ rspamd_privkey }}";
+ type = "kex";
+ encoding = "base32";
+ pubkey = "{{ rspamd_pubkey }}";
+}
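Review bot: `bind_socket = 0.0.0.0:{{ rspamd_controller_port }}` together with the firewalld task in tasks/main.yml exposes the controller on every interface, while `rspamd_apache_config` in vars/main.yml proxies to `127.0.0.1:{{ rspamd_controller_port }}` behind GSSAPI SSO and an LDAP group check; a client that reaches the port directly is subject only to the controller password, so the SSO and group layer can be sidestepped. If nothing but the local Apache needs the controller, bind it to loopback, `bind_socket = 127.0.0.1:{{ rspamd_controller_port }}`, and drop the controller port from the firewall loop; if remote rspamc clients are intended, say so in a comment and narrow the firewall rule to their addresses. Also quote the hash like every other string in this file, `password = "{{ rspamd_password_hash }}";`, so the value does not depend on how UCL tokenises an unquoted string containing `$`.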
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/worker-normal.inc.j2 b/roles/rspamd/templates/etc/rspamd/local.d/worker-normal.inc.j2
new file mode 100644
index 0000000..47f94fb
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/worker-normal.inc.j2
@@ -0,0 +1 @@
+enabled = false
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/worker-proxy.inc.j2 b/roles/rspamd/templates/etc/rspamd/local.d/worker-proxy.inc.j2
new file mode 100644
index 0000000..bf499db
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/worker-proxy.inc.j2
@@ -0,0 +1,7 @@
+bind_socket = 0.0.0.0:{{ rspamd_milter_port }}
+
+count = {{ rspamd_milter_process_count }}
+
+upstream "local" {
+ self_scan = yes;
+}
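Review bot: `bind_socket = 0.0.0.0:{{ rspamd_milter_port }}` plus the firewalld rule accepts milter connections from any host, and the milter protocol brings no authentication or transport protection of its own, so any reachable peer can have messages scanned and read the verdicts. If the MTA runs on this host, `127.0.0.1` is enough; if it is remote, narrow the firewalld rule to the MTA's address (a rich rule with `source address=`) and state the expectation above the line, e.g. `# reachable only from the MTA; the firewall restricts the source`. The `upstream "local"` block presumably merges with the packaged worker-proxy.inc, which is where `milter = yes` would come from; a one-line comment saying so would spare the next reader the search.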
diff --git a/roles/rspamd/vars/main.yml b/roles/rspamd/vars/main.yml
new file mode 100644
index 0000000..01508d3
--- /dev/null
+++ b/roles/rspamd/vars/main.yml
@@ -0,0 +1,30 @@
+rspamd_packages:
+ - rspamd
+
+rspamd_user: _rspamd
+rspamd_group: _rspamd
+
+rspamd_data_dir: /var/lib/rspamd
+
+rspamd_archive_shell: >-
+ echo save | redis-cli -p {{ rspamd_redis_port }};
+ echo save | redis-cli -p {{ rspamd_redis_bayes_port }};
+ TIMESTAMP=$(date +%Y%m%d%H%M%S);
+ tar czf "redis-${TIMESTAMP}.tar.gz"
+ --transform "s|^\.|redis-${TIMESTAMP}|"
+ -C {{ redis_home }} .
+
+rspamd_apache_config: |
+ {{ apache_proxy_vhost_config }}
+ ProxyAddHeaders off
+ ProxyPass / http://127.0.0.1:{{ rspamd_controller_port }}/
+ ProxyPassReverse / http://127.0.0.1:{{ rspamd_controller_port }}/
+
+ <Location />
+ AuthName "FreeIPA Single Sign-On"
+ AuthType GSSAPI
+ GssapiLocalName On
+ {{ apache_gssapi_session_config }}
+ {{ apache_ldap_config }}
+ Require ldap-attribute memberof=cn={{ rspamd_admin_group }},{{ freeipa_group_basedn }}
+ </Location>
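Review bot: `ProxyAddHeaders off` in `rspamd_apache_config` reads like an oversight but is presumably deliberate — with it on, Apache would forward the real client address and the controller, which trusts the loopback peer, would see a non-local source — so it needs a why-comment such as `# keep X-Forwarded-For off: the controller must see the loopback peer; access control is the GSSAPI/LDAP Require below` (confirm against the controller's secure_ip handling). `rspamd_archive_shell` likewise deserves a one-line comment naming what it is for (a snapshot of both redis instances under `redis_home`) and pointing out that `>-` folds the lines into a single command, since the form is easy to break by adding a line without a trailing `;`. Lastly, `rspamd_user` is defined but not referenced anywhere in this commit; either use it or drop it.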