diff manifests/templates.pp @ 313:49e66019faf7

Configure Postfix for IPv6 w/proxy. Also centralised and standardised some IP settings. Currently untested on IPv4 - Postfix might not like the "[ip.add.re.ss]" format, *but* we can't pass the brackets as part of the parameter because then it doesn't validate as IPv6!
author IBBoard <dev@ibboard.co.uk>
date Mon, 24 Feb 2020 20:49:51 +0000
parents 51d3748f8112
children 2a20a5b7f65a
--- a/manifests/templates.pp	Sun Feb 23 20:29:42 2020 +0000
+++ b/manifests/templates.pp	Mon Feb 24 20:49:51 2020 +0000
@@ -32,7 +32,6 @@
 	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
-	$imapserver_proxy = undef,
 	$firewall_cmd = 'iptables',
 	) {
 
@@ -53,6 +52,18 @@
 		content => "${lo_ip}   localhost\n${primary_ip} ${fqdn}",
 	}
 
+	if $proxy_4to6_ip_prefix != undef {
+		# …:1 to …:9 for websites, …:10 for mail
+		$ipv6_addresses = Integer[1, 10].map |$octet| { "$proxy_4to6_ip_prefix:$octet" }
+
+		$ipv6_secondaries = join($ipv6_addresses, " ")
+
+		augeas {'IPv6 secondary addresses':
+			context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
+			changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'",
+		}
+	}
+
 	require repos
 	include basenode
 	include privat
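Review bot: The interpolation on the new `$ipv6_addresses` line, `"$proxy_4to6_ip_prefix:$octet"`, leaves both variable names unbraced right next to a colon, while the same value is later built as `"${proxy_4to6_ip_prefix}:10"` in the mailserver hunk; write it the braced way, `"${proxy_4to6_ip_prefix}:${octet}"`, so the variable boundary is explicit and the two sites match. The prefix is interpolated straight into the augeas `changes` string that rewrites `ifcfg-eth0`, and its parameter declaration is outside this hunk, so I cannot tell whether it is typed; if it is a bare `$proxy_4to6_ip_prefix = undef`, constraining it (an `Optional[Pattern[...]]` of hex groups and colons) would stop an unexpected value from reaching the `set` unchecked. The comment `# …:1 to …:9 for websites, …:10 for mail` is the only place the `:10` mail address is explained, yet the literal is repeated in the later hunk; consider naming it here, e.g. `$mail_proxy_ip = "${proxy_4to6_ip_prefix}:10"`, inside this `if`. The enclosing class starts outside this hunk.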
@@ -63,6 +74,7 @@
 	class { 'webserver':
 		primary_ip => $primary_ip,
 		proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
+		proxy_4to6_mask => 124,
 		proxy_upstream => $proxy_upstream,
 	}
 	include cronjobs
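Review bot: `proxy_4to6_mask => 124` is passed as a bare literal with nothing tying it to the `:1`..`:10` addresses built earlier in this class; a /124 leaves 4 host bits, i.e. 16 addresses, which is why that range fits, but a future change to either side will not see the other. A one-line comment above it, `# /124 = 16 addresses; must cover the :1..:10 secondaries set above`, records the coupling. The enclosing class starts and ends outside this hunk.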
@@ -75,7 +87,7 @@
 		mailserver => $mailserver,
 		imapserver => $imapserver,
 		mailserver_ip => $primary_ip,
-		imapserver_proxy => $imapserver_proxy,
+		proxy_ip => $proxy_4to6_ip_prefix != undef ? { true => "${proxy_4to6_ip_prefix}:10", default => undef },
 		proxy_upstream => $proxy_upstream,
 	}
 }
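Review bot: The new `proxy_ip` line depends on the selector binding looser than `!=` in `$proxy_4to6_ip_prefix != undef ? { ... }`, which a reader has to know Puppet's precedence table to confirm; selecting on the value itself removes the question, `proxy_ip => $proxy_4to6_ip_prefix ? { undef => undef, default => "${proxy_4to6_ip_prefix}:10" },`. The `:10` suffix is a magic number here whose meaning lives only in a comment in the earlier hunk (`…:10 for mail`); either reference that comment or compute the address once next to `$ipv6_addresses` and pass the variable. The enclosing class starts outside this hunk.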
@@ -145,13 +157,6 @@
 		chain => 'INPUT',
 		jump => 'Fail2Ban',
 	}
-	firewall { '101 allow SMTP':
-		dport => [25, 465],
-		proto => tcp,
-		action => accept,
-	}
-	# Note: SSH port will be managed separately as we 
-	# put it on a different port to hide from script kiddy noise
 }
 
 class dnsresolver {
@@ -348,23 +353,16 @@
 class webserver (
 	$primary_ip,
 	$proxy_4to6_ip_prefix = undef,
+	$proxy_4to6_mask = undef,
 	$proxy_upstream = undef,
 	) {
 
-	if $proxy_4to6_ip_prefix == undef {
-		$ipv6_addresses = []
-	}
-	else {
-		$ipv6_addresses = [1, 2, 3, 4, 5, 6, 7, 8, 9].map |$octet| { "$proxy_4to6_ip_prefix:$octet" }
-	}
-
 	#Setup base website parameters
 	class { 'website':
 		base_dir => '/srv/sites',
 		primary_ip => $primary_ip,
 		proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
-		proxy_4to6_mask => 124,
-		proxy_4to6_addresses => $ipv6_addresses,
+		proxy_4to6_mask => $proxy_4to6_mask,
 		proxy_upstream => $proxy_upstream,
 		default_owner => $defaultusers::default_user,
 		default_group => $defaultusers::default_user,
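Review bot: The new `$proxy_4to6_mask = undef` parameter replaces what was an unconditional `proxy_4to6_mask => 124` to `website`, so any declaration of `webserver` that does not pass the mask now hands `website` undef where it previously got 124; the only caller updated in this commit is the one in the earlier hunk. Keeping the old value as the default and typing it, `Optional[Integer[0, 128]] $proxy_4to6_mask = 124,`, preserves behaviour for other callers and rejects a nonsensical prefix length at compile time; if undef is genuinely acceptable to `website`, a comment on the parameter saying so would help. The `webserver` class body continues past this hunk.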
@@ -468,7 +466,6 @@
 	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
-	$imapserver_proxy = undef,
 	$firewall_cmd = 'iptables',
 	){
 	class { 'basevpsnode':
@@ -477,7 +474,6 @@
 		proxy_upstream => $proxy_upstream,
 		mailserver => $mailserver,
 		imapserver => $imapserver,
-		imapserver_proxy => $imapserver_proxy,
 		firewall_cmd => $firewall_cmd,
 	}
 
@@ -709,17 +705,20 @@
 	$mailserver,
 	$imapserver,
 	$mailserver_ip,
-	$imapserver_proxy = undef,
+	$proxy_ip = undef,
 	$proxy_upstream = [],
 	){
 	class { 'postfix':
 		mailserver => $mailserver,
-		protocols  => has_key($facts, 'ipaddress') ? { true => 'ipv4', default => 'ipv6' },
+		mailserver_ip => $mailserver_ip,
+		mailserver_proxy => $proxy_ip,
+		proxy_upstream => $proxy_upstream,
+		protocols  => $mailserver_ip =~ Stdlib::IP::Address::V6 ? { true => 'ipv6', default => 'ipv4' },
 	}
 	class { 'dovecot':
 		imapserver => $imapserver,
 		imapserver_ip => $mailserver_ip,
-		imapserver_proxy => $imapserver_proxy,
+		imapserver_proxy => $proxy_ip,
 		proxy_upstream => $proxy_upstream,
 	}
 	# Unspecified SpamAssassin config dependencies that started
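Review bot: `protocols` is now chosen by matching the untyped `$mailserver_ip` against `Stdlib::IP::Address::V6`, so any value that is not a bare IPv6 literal — including the bracketed `[ip.add.re.ss]` form the commit message worries about, or an empty string — silently selects `ipv4` instead of failing. Typing the parameter, `Stdlib::IP::Address $mailserver_ip,` (its declaration is in this hunk), turns an unexpected value into a catalog compilation error rather than a wrong listener protocol. The old fact-based choice via `has_key($facts, 'ipaddress')` is gone, so the decision now follows only what the caller passes; a comment above the `protocols` line, `# protocol family follows the configured address, not the host's facts`, would record that intent for the next reader. The `mailserver` class body continues past this hunk.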