# File 'modules/profile/manifests/mail/smarthost.pp', line 27
# @summary Configures an exim4 smarthost: MTA config, firewall opening, DKIM keys,
#   TLS certificate, log handling and monitoring.
#
# @param dkim_domains
#   DKIM signing settings. Iterated as key/value pairs; each value is indexed by
#   'domain' and 'selector' (a single selector or a list of them). The default is
#   an empty array, for which the loop below declares nothing; non-empty data is
#   presumably a hash keyed by a label - confirm against hiera.
# @param cert_name
#   Title of the acme_chief::cert resource; defaults to the hostname fact.
# @param relay_from_hosts
#   Not referenced in this class body; presumably read by the exim4 ERB template
#   to decide who may relay - confirm against the template.
# @param envelope_rewrite_rules
#   Not referenced in this class body; presumably read by the ERB template.
# @param root_alias_rcpt
#   Recipient of the 'root' mail alias; defaults to ':blackhole:'.
# @param exim_primary_hostname
#   Not referenced in this class body; presumably read by the ERB template.
#   Defaults to the fqdn fact.
# @param support_ipv6
#   Not referenced in this class body; presumably read by the ERB template.
class profile::mail::smarthost (
    $dkim_domains           = lookup('profile::mail::smarthost::dkim_domains', {'default_value' => []}),
    $cert_name              = lookup('profile::mail::smarthost::cert_name', {'default_value' => $facts['hostname']}),
    $relay_from_hosts       = lookup('profile::mail::smarthost::relay_from_hosts', {'default_value' => []}),
    $envelope_rewrite_rules = lookup('profile::mail::smarthost::envelope_rewrite_rules', {'default_value' => []}),
    $root_alias_rcpt        = lookup('profile::mail::smarthost::root_alias_rcpt', {'default_value' => ':blackhole:'}),
    $exim_primary_hostname  = lookup('profile::mail::smarthost::exim_primary_hostname', {'default_value' => $facts['fqdn']}),
    Boolean $support_ipv6   = lookup('profile::mail::smarthost::support_ipv6', {'default_value' => true}),
) {
    # The whole exim configuration comes from one ERB template rendered in this
    # class's scope, so the class parameters above are visible to it.
    class { 'exim4':
        variant => 'light',
        config  => template('profile/exim/exim4.conf.smarthost.erb'),
    }

    # NOTE(review): no source restriction is given here, so as declared the rule
    # admits SMTP on tcp/25 from any address. Whether this host is an open relay
    # then depends entirely on the ACLs in the exim template (presumably driven by
    # $relay_from_hosts) - confirm there.
    ferm::service { 'exim-smtp':
        proto => 'tcp',
        port  => '25',
    }

    mailalias { 'root':
        recipient => $root_alias_rcpt,
    }

    # Message templates are root-owned and read-only (0444) for everyone,
    # including the Debian-exim group.
    file { '/etc/exim4/bounce_message_file':
        ensure => present,
        owner  => 'root',
        group  => 'Debian-exim',
        mode   => '0444',
        source => 'puppet:///modules/profile/exim/bounce_message_file',
    }

    file { '/etc/exim4/warn_message_file':
        ensure => present,
        owner  => 'root',
        group  => 'Debian-exim',
        mode   => '0444',
        source => 'puppet:///modules/profile/exim/warn_message_file',
    }

    # One exim4::dkim resource per (entry, selector) pair. Wrapping the selector in
    # an array and flattening accepts both a single selector and a list.
    $dkim_domains.each |$dkim_name, $dkim_settings| {
        [$dkim_settings['selector']].flatten.each |String[1] $dkim_selector| {
            # The content is a DKIM private key fetched with secret(); the lookup
            # path is built from the configured domain and selector.
            # NOTE(review): file ownership and mode of the installed key are set
            # inside exim4::dkim, not here - confirm it is not world-readable.
            exim4::dkim { "${dkim_name}-${dkim_selector}":
                domain   => $dkim_settings['domain'],
                selector => $dkim_selector,
                content  => secret("dkim/${dkim_settings['domain']}-${dkim_selector}.key"),
            }
        }
    }

    # NOTE(review): key_group presumably grants the Debian-exim group read access
    # to the TLS private key, and puppet_svc names the service tied to renewals -
    # confirm against acme_chief::cert.
    acme_chief::cert { $cert_name:
        key_group  => 'Debian-exim',
        puppet_svc => 'exim4',
    }

    mtail::program { 'exim':
        ensure => present,
        notify => Service['mtail'],
        source => 'puppet:///modules/mtail/programs/exim.mtail',
    }

    # Customize logrotate settings to support longer retention (T167333)
    logrotate::conf { 'exim4-base':
        ensure => 'present',
        source => 'puppet:///modules/profile/exim/logrotate/exim4-base.mx',
    }

    # Monitor mail queue size (T133110)
    nrpe::plugin { 'check_exim_queue':
        source => 'puppet:///modules/icinga/check_exim_queue.sh',
    }

    # sudo rule used by the monitoring check. The privilege names one binary with
    # fixed options; the only variable argument must be exactly two digits followed
    # by 'm' or 'h'. The colons of the character class are backslash-escaped in the
    # rule text. Keep it this narrow: widening the pattern widens what the nagios
    # user can run as root without a password.
    ::sudo::user { 'nagios_exim_queue':
        user       => 'nagios',
        privileges => ['ALL = NOPASSWD: /usr/sbin/exipick -bpc -o [[\:digit\:]][[\:digit\:]][mh]'],
    }

    monitoring::service { 'smtp':
        description   => 'Exim SMTP',
        check_command => 'check_smtp_tls_le',
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Mail#Troubleshooting',
    }

    # Queue-size check: -w 1000 and -c 3000 are passed to the plugin as its warning
    # and critical arguments.
    nrpe::monitor_service { 'check_exim_queue':
        description    => 'exim queue',
        nrpe_command   => '/usr/local/lib/nagios/plugins/check_exim_queue -w 1000 -c 3000',
        check_interval => 30,
        retry_interval => 10,
        timeout        => 20,
        notes_url      => 'https://wikitech.wikimedia.org/wiki/Mail#Troubleshooting',
    }
}