From ed61026b454d1feb59d0a9cd16c77ef44ed3484d Mon Sep 17 00:00:00 2001
From: VC
Date: Sat, 29 Mar 2025 08:27:18 +0100
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8:=20add=20smtp=20global=20relay?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
inventory/host_vars/ks3370405.yml | 6 +++
inventory/static.yml | 4 ++
playbooks/global_smtprelay.yml | 7 ++++
playbooks/site.yml | 2 +
playbooks/smtprelay.yml | 2 +-
roles/global_smtp_relay/handlers/main.yml | 6 +++
roles/global_smtp_relay/tasks/main.yml | 15 +++++++
roles/global_smtp_relay/templates/main.cf.j2 | 43 ++++++++++++++++++++
roles/ufw/defaults/main.yml | 2 +
roles/ufw/tasks/main.yml | 43 ++++++++++++++++++++
10 files changed, 129 insertions(+), 1 deletion(-)
create mode 100644 inventory/host_vars/ks3370405.yml
create mode 100644 playbooks/global_smtprelay.yml
create mode 100644 roles/global_smtp_relay/handlers/main.yml
create mode 100644 roles/global_smtp_relay/tasks/main.yml
create mode 100644 roles/global_smtp_relay/templates/main.cf.j2
create mode 100644 roles/ufw/defaults/main.yml
create mode 100644 roles/ufw/tasks/main.yml
diff --git a/inventory/host_vars/ks3370405.yml b/inventory/host_vars/ks3370405.yml
new file mode 100644
index 0000000..31e2399
--- /dev/null
+++ b/inventory/host_vars/ks3370405.yml
@@ -0,0 +1,6 @@
+---
+
+allowed_smtp_ips: ["82.66.135.228", "80.67.179.200"]
+
+global_smtp_relay_allowed_ips: "{{ allowed_smtp_ips }}"
+ufw_allowed_smtp_ips: "{{ allowed_smtp_ips }}"
diff --git a/inventory/static.yml b/inventory/static.yml
index 73b9fc3..82e53ca 100644
--- a/inventory/static.yml
+++ b/inventory/static.yml
@@ -14,6 +14,8 @@ all:
ansible_host: muse-HP-EliteBook-820-G2.home.arpa
pinkypie:
ansible_host: pinkypie.home.arpa
+ ks3370405:
+ ansible_host: ks3370405.kimsufi.com
router:
hosts:
@@ -76,6 +78,7 @@ disabled_munin:
baybay-ponay:
muse-HP-EliteBook-820-G2:
pinkypie:
+ ks3370405:
disabled_syslog:
hosts:
@@ -83,6 +86,7 @@ disabled_syslog:
machinbox:
muse-HP-EliteBook-820-G2:
pinkypie:
+ ks3370405:
# Those are not servers and should not be configured as such
disabled_server_conf:
diff --git a/playbooks/global_smtprelay.yml b/playbooks/global_smtprelay.yml
new file mode 100644
index 0000000..9a3af34
--- /dev/null
+++ b/playbooks/global_smtprelay.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Install & configure the global SMTP relay
+ hosts: ks3370405
+ roles:
+ - ufw
+ - global_smtp_relay
diff --git a/playbooks/site.yml b/playbooks/site.yml
index 8b37864..3f6693c 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -18,6 +18,8 @@
import_playbook: firewall.yml
- name: Run mail playbook
import_playbook: mail.yml
+- name: Run global_smtprelay playbook
+ import_playbook: global_smtprelay.yml
- name: Run xmpp playbook
import_playbook: xmpp.yml
- name: Run webservers playbook
diff --git a/playbooks/smtprelay.yml b/playbooks/smtprelay.yml
index 180b824..42317c3 100644
--- a/playbooks/smtprelay.yml
+++ b/playbooks/smtprelay.yml
@@ -1,7 +1,7 @@
---
- name: Deploy smtp relay
- hosts: all:!disabled_server_conf:!machinbox:!mail
+ hosts: all:!disabled_server_conf:!machinbox:!mail:!ks3370405
diff: true
roles:
- smtprelay
diff --git a/roles/global_smtp_relay/handlers/main.yml b/roles/global_smtp_relay/handlers/main.yml
new file mode 100644
index 0000000..d9d3def
--- /dev/null
+++ b/roles/global_smtp_relay/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart postfix
+ ansible.bultin.service:
+ name: postfix
+ state: restarted
+ enable: true
diff --git a/roles/global_smtp_relay/tasks/main.yml b/roles/global_smtp_relay/tasks/main.yml
new file mode 100644
index 0000000..52dc8c7
--- /dev/null
+++ b/roles/global_smtp_relay/tasks/main.yml
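Review bot: Adding ks3370405 to `disabled_syslog` here (and to `disabled_munin` in the preceding hunk) leaves the internet-facing SMTP relay without remote log shipping and monitoring, assuming those groups do what their names suggest. Postfix logs are the primary record for investigating relay abuse or delivery problems on such a host, and they go with the host if they only live locally. Either keep the host out of these groups or put a comment next to the entry explaining the exception, e.g. `ks3370405:  # rented relay, not reachable from the central syslog/munin server`.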
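Review bot: `ansible.bultin.service:` misspells the collection name, so the `Restart postfix` handler cannot be resolved and the rendered configuration is never picked up by a running Postfix; the line should read `ansible.builtin.service:`. The service module also has no `enable` option — the parameter is `enabled` — so `enable: true` is rejected as an unsupported argument once the module name is fixed; use `enabled: true`. The second problem only surfaces when the handler actually runs, i.e. after a configuration change, so a syntax check of the playbook would not catch it.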
@@ -0,0 +1,15 @@
+---
+
+- name: Install postfix
+ ansible.builtin.package:
+ name: postfix
+ state: present
+
+- name: Put configuration
+ ansible.builtin.template:
+ src: main.cf.j2
+ dest: /etc/postfix/main.cf.j2
+ owner: root
+ group: root
+ mode: "0o640"
+ notify: Restart postfix
diff --git a/roles/global_smtp_relay/templates/main.cf.j2 b/roles/global_smtp_relay/templates/main.cf.j2
new file mode 100644
index 0000000..b77244c
--- /dev/null
+++ b/roles/global_smtp_relay/templates/main.cf.j2
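Review bot: `dest: /etc/postfix/main.cf.j2` writes the rendered template next to, not over, the file Postfix reads, so `/etc/postfix/main.cf` keeps the package default and none of the template's settings (mynetworks, TLS) are applied; the line should be `dest: /etc/postfix/main.cf`. The `Restart postfix` handler still fires on the first run, so the play reports success while the relay is running an unreviewed configuration. `mode: "0o640"` happens to be accepted because Ansible parses the string as base 8, but the conventional spelling is `mode: "0640"`; note also that 0640 root:root makes main.cf unreadable to unprivileged callers of sendmail/mailq, and distribution packages normally ship it 0644 — confirm the tighter mode is intended.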
@@ -0,0 +1,43 @@
+compatibility_level = 2
+queue_directory = /var/spool/postfix
+command_directory = /usr/bin
+daemon_directory = /usr/lib/postfix/bin
+data_directory = /var/lib/postfix
+mail_owner = postfix
+myhostname = mail-relay.mateu.be
+myorigin = $myhostname
+mydestination = $myhostname, localhost.$mydomain, localhost
+unknown_local_recipient_reject_code = 550
+mynetworks = 127.0.0.0/8, [::1]/128, 82.66.135.228, 80.67.179.200
+debugger_command =
+ PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+ ddd $daemon_directory/$process_name $process_id & sleep 5
+sendmail_path = /usr/bin/sendmail
+newaliases_path = /usr/bin/newaliases
+mailq_path = /usr/bin/mailq
+setgid_group = postdrop
+html_directory = no
+mailbox_size_limit = 104857600
+message_size_limit = 104857600
+manpage_directory = /usr/share/man
+sample_directory = /etc/postfix
+readme_directory = /usr/share/doc/postfix
+inet_protocols = ipv4
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib/postfix
+## Référence de chiffrement TLS
+# serveur SMTP
+smtpd_tls_cert_file = /etc/x509/mail-relay.mateu.be/fullchain.cer
+smtpd_tls_key_file = /etc/x509/mail-relay.mateu.be/mail-relay.mateu.be.key
+smtpd_use_tls = yes
+smtpd_tls_auth_only = yes
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_loglevel = 1
+# client SMTP
+smtp_tls_CApath = /etc/ssl/certs
+smtp_tls_cert_file = /etc/x509/mail-relay.mateu.be/fullchain.cer
+smtp_tls_key_file = /etc/x509/mail-relay.mateu.be/mail-relay.mateu.be.key
+smtp_use_tls = yes
+smtp_tls_protocols = !SSLv2,!SSLv3
+smtp_tls_security_level = may
+smtp_tls_loglevel = 1
diff --git a/roles/ufw/defaults/main.yml b/roles/ufw/defaults/main.yml
new file mode 100644
index 0000000..9a02e17
--- /dev/null
+++ b/roles/ufw/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+ufw_allowed_smtp_ips: []
diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml
new file mode 100644
index 0000000..a3bb8f2
--- /dev/null
+++ b/roles/ufw/tasks/main.yml
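Review bot: `mynetworks` hard-codes 82.66.135.228 and 80.67.179.200, the same addresses the host_vars file exposes as `global_smtp_relay_allowed_ips`, so that variable is never consumed and the Postfix trust list and the ufw allow-list can silently diverge; render the line from the variable instead. On the server side `smtpd_use_tls = yes` is the pre-2.3 legacy switch and `smtpd_tls_protocols = !SSLv2,!SSLv3` still admits TLS 1.0 and 1.1; `smtpd_tls_security_level = may` together with excluding TLSv1 and TLSv1.1 is the current form. `smtpd_tls_auth_only = yes` has no effect here because no SASL authentication is configured, so it should either go or carry a comment saying why it is kept. Nothing sets `smtpd_relay_restrictions`; the compiled-in default (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination) already prevents open relaying, but an explicit line documents that this host relays only for mynetworks. The certificate and key under /etc/x509 are not produced by this role, so the deployment presumably depends on an ACME client having run first — confirm that ordering.
```jinja
# … unchanged: directory, path and size settings …
mynetworks = 127.0.0.0/8, [::1]/128{% for ip in global_smtp_relay_allowed_ips %}, {{ ip }}{% endfor %}
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
# … unchanged: debugger_command through shlib_directory, TLS header and cert/key paths …
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# … unchanged: smtpd_tls_loglevel and the client SMTP section …
```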
@@ -0,0 +1,43 @@
+---
+
+- name: Install ufw
+ ansible.builtin.package:
+ name: ufw
+ state: present
+
+- name: Permit outgoing flows
+ community.general.ufw:
+ default: allow
+ direction: outgoing
+
+- name: Deny incoming flows
+ community.general.ufw:
+ default: deny
+ direction: incoming
+
+- name: Allow incoming SSH
+ community.general.ufw:
+ rule: allow
+ port: ssh
+ proto: tcp
+
+- name: Allow incoming HTTP
+ community.general.ufw:
+ rule: allow
+ port: http
+ proto: tcp
+
+- name: Allow incoming SMTP
+ community.general.ufw:
+ rule: allow
+ port: smtp
+ src: "{{ item }}"
+ loop: "{{ ufw_allowed_smtp_ips }}"
+
+- name: Set logging
+ community.general.ufw:
+ logging: "on"
+
+- name: Enable UFW
+ community.general.ufw:
+ state: enabled
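Review bot: `Allow incoming HTTP` opens tcp/80 to every source on a host whose only declared purpose is the SMTP relay, and nothing in the role says why; if it exists for ACME HTTP-01 renewal of the certificate under /etc/x509, say so in a comment and gate the task behind a role variable, since `roles/ufw` is generic and any other host applying it would inherit an open port 80. The `Allow incoming SMTP` task omits `proto`, so each allowed source gets both TCP and UDP 25; add `proto: tcp` under `port: smtp` as the SSH and HTTP rules already do. The empty `ufw_allowed_smtp_ips` default keeps port 25 closed unless the inventory opts in, which is the right default for a deny-by-default firewall.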