Diffstat (limited to 'roles/rspamd')
16 files changed, 180 insertions, 0 deletions
diff --git a/roles/rspamd/defaults/main.yml b/roles/rspamd/defaults/main.yml
new file mode 100644
index 0000000..9caad05
--- /dev/null
+++ b/roles/rspamd/defaults/main.yml
@@ -0,0 +1,12 @@
+rspamd_milter_port: 11332
+rspamd_milter_process_count: '{{ ansible_processor_vcpus }}'
+rspamd_controller_port: 11334
+rspamd_redis_port: 6379
+rspamd_redis_bayes_port: 6380
+rspamd_redis_max_memory: 512mb
+rspamd_admin_group: role-rspamd-admin
+
+rspamd_dkim_keys: {}
+rspamd_dkim_selector: dkim
+
+rspamd_domain_whitelist: []
diff --git a/roles/rspamd/handlers/main.yml b/roles/rspamd/handlers/main.yml
new file mode 100644
index 0000000..a355c9e
--- /dev/null
+++ b/roles/rspamd/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart rspamd
+  systemd:
+    name: rspamd
+    state: restarted
diff --git a/roles/rspamd/meta/main.yml b/roles/rspamd/meta/main.yml
new file mode 100644
index 0000000..0bc5383
--- /dev/null
+++ b/roles/rspamd/meta/main.yml
@@ -0,0 +1,19 @@
+dependencies:
+  - role: yum
+    yum_repositories:
+      - epel
+      - rspamd
+    tags: yum
+
+  - role: redis
+    redis_port: '{{ rspamd_redis_port }}'
+    vars:
+      redis_max_memory: '{{ rspamd_redis_max_memory }}'
+    tags: redis
+
+  - role: redis
+    redis_port: '{{ rspamd_redis_bayes_port }}'
+    vars:
+      redis_max_memory: '{{ rspamd_redis_max_memory }}'
+      redis_max_memory_policy: volatile-ttl
+    tags: redis
diff --git a/roles/rspamd/tasks/main.yml b/roles/rspamd/tasks/main.yml
new file mode 100644
index 0000000..d9da674
--- /dev/null
+++ b/roles/rspamd/tasks/main.yml
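Review bot: Both `redis` role invocations in meta/main.yml pass only a port and memory settings, and every rspamd template in this commit connects as `localhost:<port>` with no credential, so the bayes and greylist stores are only as protected as the redis role's bind address. If that role binds to all interfaces by default, confirm it is pinned to 127.0.0.1 for these two instances, or pass an auth setting through and into the templates. As a point of style, `redis_port` is given as a role parameter while `redis_max_memory` sits under `vars:`; putting both in the same place (e.g. both as role parameters) avoids the two having different precedence.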
@@ -0,0 +1,76 @@
+- name: install packages
+  dnf:
+    name: '{{ rspamd_packages }}'
+    state: present
+
+- name: generate config files
+  template:
+    src: '{{ item.src }}'
+    dest: /etc/rspamd/{{ item.path | splitext | first }}
+  loop: "{{ lookup('filetree', '../templates/etc/rspamd', wantlist=True) }}"
+  loop_control:
+    label: '{{ item.path }}'
+  when: item.state == 'file'
+  notify: restart rspamd
+
+- name: create dkim directory
+  file:
+    path: '{{ rspamd_data_dir }}/dkim'
+    state: directory
+    owner: root
+    group: '{{ rspamd_group }}'
+    mode: 0750
+
+- name: generate dkim keys
+  copy:
+    content: '{{ item.value }}'
+    dest: '{{ rspamd_data_dir }}/dkim/{{ item.key }}.{{ rspamd_dkim_selector }}.key'
+    owner: root
+    group: '{{ rspamd_group }}'
+    mode: 0440
+  loop: '{{ rspamd_dkim_keys | dict2items }}'
+  loop_control:
+    label: '{{ item.key }}'
+
+- name: generate domain whitelist
+  copy:
+    content: |
+      {% for domain in rspamd_domain_whitelist %}
+      {{ domain }}
+      {% endfor %}
+    dest: /etc/rspamd/maps.d/domain-whitelist.map
+  tags: whitelist
+
+- name: open firewall ports
+  firewalld:
+    port: '{{ item }}/tcp'
+    permanent: yes
+    immediate: yes
+    state: enabled
+  loop:
+    - '{{ rspamd_milter_port }}'
+    - '{{ rspamd_controller_port }}'
+  tags: firewalld
+
+- name: set http_port_t selinux context for http port
+  seport:
+    ports: '{{ rspamd_controller_port }}'
+    proto: tcp
+    setype: http_port_t
+    state: present
+  tags: selinux
+
+- name: enable rspamd
+  systemd:
+    name: rspamd
+    enabled: yes
+    state: started
+
+- name: create rspamd admin group
+  ipagroup:
+    ipaadmin_principal: '{{ ipa_user }}'
+    ipaadmin_password: '{{ ipa_pass }}'
+    name: '{{ rspamd_admin_group }}'
+    nonposix: yes
+    state: present
+  run_once: yes
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/classifier-bayes.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/classifier-bayes.conf.j2
new file mode 100644
index 0000000..e40dd74
--- /dev/null
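Review bot: The "generate config files" task sets no `owner`/`group`/`mode`, so every rendered file under /etc/rspamd takes the default umask mode — including local.d/worker-controller.inc, which this commit fills with `rspamd_password_hash` and `rspamd_privkey` — and is likely readable by every local account; add `owner: root`, `group: '{{ rspamd_group }}'` and `mode: '0640'` to the `template:` call, matching what the dkim tasks already do. The "generate dkim keys" task hands private keys to `copy` via `content:`, which is printed verbatim when the play runs with `--diff`; `no_log: true` on that task keeps the key material out of the run output. As a point of style, the `mode: 0750` / `mode: 0440` values are unquoted leading-zero octals and the `permanent`/`immediate`/`enabled`/`nonposix`/`run_once` flags use `yes`; `mode: '0750'` and `true` are the forms the Ansible docs and yamllint prefer.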
+++ b/roles/rspamd/templates/etc/rspamd/local.d/classifier-bayes.conf.j2
@@ -0,0 +1,3 @@
+backend = "redis";
+servers = "localhost:{{ rspamd_redis_bayes_port }}";
+autolearn = true;
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/dkim_signing.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/dkim_signing.conf.j2
new file mode 100644
index 0000000..4e04b54
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/dkim_signing.conf.j2
@@ -0,0 +1,3 @@
+path = "{{ rspamd_data_dir }}/dkim/$domain.$selector.key";
+selector = "{{ rspamd_dkim_selector }}";
+allow_username_mismatch = true;
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/greylist.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/greylist.conf.j2
new file mode 100644
index 0000000..2c675a1
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/greylist.conf.j2
@@ -0,0 +1 @@
+servers = "localhost:{{ rspamd_redis_port }}";
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/logging.inc.j2 b/roles/rspamd/templates/etc/rspamd/local.d/logging.inc.j2
new file mode 100644
index 0000000..b2ff81c
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/logging.inc.j2
@@ -0,0 +1 @@
+type = console
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/multimap.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/multimap.conf.j2
new file mode 100644
index 0000000..7247f93
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/multimap.conf.j2
@@ -0,0 +1,9 @@
+sender_from_whitelist_domain {
+  type = "header";
+  header = "from";
+  filter = "email:domain";
+  map = "file://$LOCAL_CONFDIR/maps.d/domain-whitelist.map";
+  symbol = "SENDER_FROM_WHITELIST_DOMAIN";
+  description = "Local sender domain whitelist";
+  score = -6.0;
+}
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/phishing.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/phishing.conf.j2
new file mode 100644
index 0000000..caa3afe
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/phishing.conf.j2
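Review bot: `allow_username_mismatch = true;` in dkim_signing.conf.j2 relaxes the check that an authenticated sender's username corresponds to the domain being signed, and nothing in the file says why that is wanted here; a one-line comment such as `# signing is keyed on $domain only; the submitting account need not match the From domain` would record the intent for the next maintainer. The `$domain.$selector.key` path matches the `{{ item.key }}.{{ rspamd_dkim_selector }}.key` names written by the dkim task, which is good — a comment pointing at that task would make the coupling visible.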
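Review bot: The multimap rule in multimap.conf.j2 awards `score = -6.0` on nothing more than the domain of the `From:` header, which the sending party chooses freely, so any message claiming a whitelisted domain earns the full bonus regardless of whether it actually came from that domain. A safer shape is to tie the rule to an authentication result — rspamd's `whitelist` module can key a domain list on valid DKIM/SPF/DMARC, and multimap can be restricted by other symbols in recent versions (check the deployed version's docs for the exact option) — or at least to keep the negative score small enough that it cannot pull a clearly spammy message under the reject threshold. Whatever is chosen, a comment above the rule stating that the header is unauthenticated would keep the trade-off explicit.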
@@ -0,0 +1 @@
+openphish_enabled = true;
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/redis.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/redis.conf.j2
new file mode 100644
index 0000000..2c675a1
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/redis.conf.j2
@@ -0,0 +1 @@
+servers = "localhost:{{ rspamd_redis_port }}";
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/replies.conf.j2 b/roles/rspamd/templates/etc/rspamd/local.d/replies.conf.j2
new file mode 100644
index 0000000..470f484
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/replies.conf.j2
@@ -0,0 +1 @@
+servers = "localhost:{{ rspamd_redis_port }}"
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/worker-controller.inc.j2 b/roles/rspamd/templates/etc/rspamd/local.d/worker-controller.inc.j2
new file mode 100644
index 0000000..e0bc633
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/worker-controller.inc.j2
@@ -0,0 +1,11 @@
+bind_socket = 0.0.0.0:{{ rspamd_controller_port }}
+
+password = {{ rspamd_password_hash }}
+
+keypair {
+  algorithm = "curve25519";
+  privkey = "{{ rspamd_privkey }}";
+  type = "kex";
+  encoding = "base32";
+  pubkey = "{{ rspamd_pubkey }}";
+}
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/worker-normal.inc.j2 b/roles/rspamd/templates/etc/rspamd/local.d/worker-normal.inc.j2
new file mode 100644
index 0000000..47f94fb
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/worker-normal.inc.j2
@@ -0,0 +1 @@
+enabled = false
diff --git a/roles/rspamd/templates/etc/rspamd/local.d/worker-proxy.inc.j2 b/roles/rspamd/templates/etc/rspamd/local.d/worker-proxy.inc.j2
new file mode 100644
index 0000000..bf499db
--- /dev/null
+++ b/roles/rspamd/templates/etc/rspamd/local.d/worker-proxy.inc.j2
@@ -0,0 +1,7 @@
+bind_socket = 0.0.0.0:{{ rspamd_milter_port }}
+
+count = {{ rspamd_milter_process_count }}
+
+upstream "local" {
+  self_scan = yes;
+}
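Review bot: replies.conf.j2 is the only template in this commit whose statement has no trailing `;` — greylist.conf.j2 and redis.conf.j2 carry the identical `servers = ...` line with one. UCL accepts both, so this is style only, but `servers = "localhost:{{ rspamd_redis_port }}";` keeps the three files uniform and makes future copy-paste between them safe.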
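Review bot: `bind_socket = 0.0.0.0:{{ rspamd_controller_port }}` in worker-controller.inc.j2, together with the firewalld task in tasks/main.yml that opens `rspamd_controller_port`, exposes the controller directly on every interface, guarded only by `password`; that sidesteps the Apache vhost in vars/main.yml, whose whole purpose is to front the controller on 127.0.0.1 with GSSAPI sign-on and the `memberof` group check. Since the proxy targets 127.0.0.1, `bind_socket = 127.0.0.1:{{ rspamd_controller_port }}` (plus `[::1]` if IPv6 is in play) and dropping the controller port from the firewalld loop would make the SSO gate the only way in. The same file also inlines `rspamd_privkey` next to the password hash, so the rendered file's permissions matter; the template task that writes it currently sets no mode, which is raised separately on that hunk.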
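Review bot: worker-proxy.inc.j2 binds the milter listener on `0.0.0.0` and tasks/main.yml opens `rspamd_milter_port` in firewalld, so the milter endpoint — a protocol with no authentication of its own — accepts connections from any host that can reach it, not only the MTA. If the MTA runs on this host, `bind_socket = 127.0.0.1:{{ rspamd_milter_port }}` and no firewall rule is enough; if it is remote, binding to the MTA-facing address and limiting the firewalld rule to the MTA's source (a zone or rich rule) keeps the scanner from being a generic open service. A one-line comment stating which of the two deployments this template assumes would help whoever reads it next.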
diff --git a/roles/rspamd/vars/main.yml b/roles/rspamd/vars/main.yml
new file mode 100644
index 0000000..01508d3
--- /dev/null
+++ b/roles/rspamd/vars/main.yml
@@ -0,0 +1,30 @@
+rspamd_packages:
+  - rspamd
+
+rspamd_user: _rspamd
+rspamd_group: _rspamd
+
+rspamd_data_dir: /var/lib/rspamd
+
+rspamd_archive_shell: >-
+  echo save | redis-cli -p {{ rspamd_redis_port }};
+  echo save | redis-cli -p {{ rspamd_redis_bayes_port }};
+  TIMESTAMP=$(date +%Y%m%d%H%M%S);
+  tar czf "redis-${TIMESTAMP}.tar.gz"
+  --transform "s|^\.|redis-${TIMESTAMP}|"
+  -C {{ redis_home }} .
+
+rspamd_apache_config: |
+  {{ apache_proxy_vhost_config }}
+  ProxyAddHeaders off
+  ProxyPass / http://127.0.0.1:{{ rspamd_controller_port }}/
+  ProxyPassReverse / http://127.0.0.1:{{ rspamd_controller_port }}/
+
+  <Location />
+    AuthName "FreeIPA Single Sign-On"
+    AuthType GSSAPI
+    GssapiLocalName On
+    {{ apache_gssapi_session_config }}
+    {{ apache_ldap_config }}
+    Require ldap-attribute memberof=cn={{ rspamd_admin_group }},{{ freeipa_group_basedn }}
+  </Location>