Puppet Class: profile::mail::smarthost

Defined in:
modules/profile/manifests/mail/smarthost.pp

Overview

Parameters:

  • prometheus_nodes (Any) (defaults to: hiera('prometheus_nodes', []))
  • dkim_domains (Any) (defaults to: hiera('profile::mail::smarthost::dkim_domains', []))
  • cert_name (Any) (defaults to: hiera('profile::mail::smarthost::cert_name', $facts['hostname']))
  • cert_subjects (Any) (defaults to: hiera('profile::mail::smarthost::cert_subjects', $facts['fqdn']))
  • relay_from_hosts (Any) (defaults to: hiera('profile::mail::smarthost::relay_from_hosts', []))
  • envelope_rewrite_rules (Any) (defaults to: hiera('profile::mail::smarthost::envelope_rewrite_rules', []))
  • root_alias_rcpt (Any) (defaults to: hiera('profile::mail::smarthost::root_alias_rcpt', ':blackhole:'))
  • exim_primary_hostname (Any) (defaults to: hiera('profile::mail::smarthost::exim_primary_hostname', $facts['fqdn']))


# File 'modules/profile/manifests/mail/smarthost.pp', line 28

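# @summary Configures an exim4 smarthost: the exim4 light variant with a
#   smarthost config template, per-domain DKIM signing keys, a Let's Encrypt
#   certificate served via a standalone nginx, firewall openings for SMTP,
#   HTTP and the mtail exporter, root mail aliasing and queue/SMTP monitoring.
#
# @param prometheus_nodes
#   Hostnames of the Prometheus servers allowed to scrape mtail on TCP/3903.
#   Joined into the ferm srange below; an empty list yields an empty resolve set.
# @param dkim_domains
#   Mapping of resource name => { 'domain' => ..., 'selector' => ... }. One
#   exim4::dkim resource is declared per entry, with its private key read from
#   secret("dkim/<domain>-<selector>.key"). Note the default is an empty array,
#   which iterates without error but never matches the two-parameter lambda
#   in the way a hash does — TODO confirm a hash is always supplied in hiera.
# @param cert_name
#   Name of the letsencrypt::cert::integrated resource (default: short hostname).
# @param cert_subjects
#   Subject name(s) requested for the certificate (default: the node FQDN).
# @param relay_from_hosts
#   Hosts permitted to relay through this smarthost. Not referenced in this
#   manifest; presumably consumed by exim4.conf.smarthost.erb — verify there.
# @param envelope_rewrite_rules
#   Envelope rewrite rules for exim. Not referenced in this manifest;
#   presumably consumed by exim4.conf.smarthost.erb — verify there.
# @param root_alias_rcpt
#   Recipient for mail to root; ':blackhole:' discards it.
# @param exim_primary_hostname
#   Value for exim's primary_hostname. Not referenced in this manifest;
#   presumably consumed by exim4.conf.smarthost.erb — verify there.
class profile::mail::smarthost (
    $prometheus_nodes         = hiera('prometheus_nodes', []),
    $dkim_domains             = hiera('profile::mail::smarthost::dkim_domains', []),
    $cert_name                = hiera('profile::mail::smarthost::cert_name', $facts['hostname']),
    $cert_subjects            = hiera('profile::mail::smarthost::cert_subjects', $facts['fqdn']),
    $relay_from_hosts         = hiera('profile::mail::smarthost::relay_from_hosts', []),
    $envelope_rewrite_rules   = hiera('profile::mail::smarthost::envelope_rewrite_rules', []),
    $root_alias_rcpt          = hiera('profile::mail::smarthost::root_alias_rcpt', ':blackhole:'),
    $exim_primary_hostname    = hiera('profile::mail::smarthost::exim_primary_hostname', $facts['fqdn']),
) {

    # Puppet evaluates a class body top to bottom, so this must be assigned
    # before the ferm::service { 'mtail' } that interpolates it. Previously it
    # was assigned after that resource, which interpolates as an empty string
    # (or fails under strict_variables) and produced an srange of
    # "(@resolve(()) @resolve((), AAAA))" instead of the Prometheus hosts.
    $prometheus_nodes_ferm = join($prometheus_nodes, ' ')

    class { 'exim4':
        variant => 'light',
        config  => template('profile/exim/exim4.conf.smarthost.erb'),
    }

    # Inbound SMTP is open to any source here; relay restrictions are expected
    # to live in the exim config template, not in the firewall.
    ferm::service { 'exim-smtp':
        proto => 'tcp',
        port  => '25',
    }

    mailalias { 'root':
        recipient => $root_alias_rcpt,
    }

    # Bounce/warning message bodies; world-readable since exim runs as Debian-exim.
    file { '/etc/exim4/bounce_message_file':
        ensure => present,
        owner  => 'root',
        group  => 'Debian-exim',
        mode   => '0444',
        source => 'puppet:///modules/profile/exim/bounce_message_file',
    }

    file { '/etc/exim4/warn_message_file':
        ensure => present,
        owner  => 'root',
        group  => 'Debian-exim',
        mode   => '0444',
        source => 'puppet:///modules/profile/exim/warn_message_file',
    }

    # One DKIM signing key per configured domain/selector pair; the private
    # key material comes from the secret() store, never from hiera.
    $dkim_domains.each |$name, $dkim_domain| {
      exim4::dkim{ $name:
        domain   => $dkim_domain['domain'],
        selector => $dkim_domain['selector'],
        content  => secret("dkim/${dkim_domain['domain']}-${dkim_domain['selector']}.key"),
      }
    }

    # The TLS key is group-readable by Debian-exim so exim can present it;
    # nginx is the service reloaded when the cert is renewed.
    letsencrypt::cert::integrated { $cert_name:
        subjects   => $cert_subjects,
        key_group  => 'Debian-exim',
        puppet_svc => 'nginx',
        system_svc => 'nginx',
    }

    # Standalone nginx exists only to answer the ACME HTTP-01 challenge.
    class { 'nginx':
        variant => 'light',
    }

    nginx::site { 'letsencrypt-standalone':
        content => template('letsencrypt/cert/integrated/standalone.nginx.erb'),
    }

    ferm::service { 'nginx-http':
        proto => 'tcp',
        port  => '80',
    }

    # mtail exporter reachable only from the Prometheus nodes (v4 and v6).
    ferm::service { 'mtail':
        proto  => 'tcp',
        port   => '3903',
        srange => "(@resolve((${prometheus_nodes_ferm})) @resolve((${prometheus_nodes_ferm}), AAAA))",
    }

    mtail::program { 'exim':
        ensure => present,
        notify => Service['mtail'],
        source => 'puppet:///modules/mtail/programs/exim.mtail',
    }

    # Customize logrotate settings to support longer retention (T167333)
    logrotate::conf { 'exim4-base':
        ensure => 'present',
        source => 'puppet:///modules/profile/exim/logrotate/exim4-base.mx',
    }

    # monitor mail queue size (T133110)
    file { '/usr/local/lib/nagios/plugins/check_exim_queue':
        ensure => present,
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
        source => 'puppet:///modules/icinga/check_exim_queue.sh',
    }

    # sudo rule used by the monitoring check. The rule is pinned to exipick with
    # a fixed argument pattern rather than exipick in general; the "\:" inside
    # the character classes keeps sudoers from treating ":" as a field separator.
    ::sudo::user { 'nagios_exim_queue':
        user       => 'nagios',
        privileges => ['ALL = NOPASSWD: /usr/sbin/exipick -bpc -o [[\:digit\:]][[\:digit\:]][mh]'],
    }

    monitoring::service { 'smtp':
        description   => 'Exim SMTP',
        check_command => 'check_smtp_tls_le',
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Mail#Troubleshooting',
    }

    # Warn at 1000 and go critical at 3000 queued messages.
    nrpe::monitor_service { 'check_exim_queue':
        description    => 'exim queue',
        nrpe_command   => '/usr/local/lib/nagios/plugins/check_exim_queue -w 1000 -c 3000',
        check_interval => 30,
        retry_interval => 10,
        timeout        => 20,
        notes_url      => 'https://wikitech.wikimedia.org/wiki/Mail#Troubleshooting',
    }

}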