Ansible mail server: dos2unix... remove ipv6, many small updates

source/resources/apps/email-ansible/group_vars/all.yml

@@ -1,14 +1,14 @@
 # Ansible connection configuration
 # It is suggested that this file be encrypted with ansible-vault
-ansible_port: 22
-ansible_user: ssh_user
-ansible_ssh_private_key_file: /path/to/pem
+ansible_port: 26101
+ansible_user: jebba
+ansible_ssh_private_key_file: /home/jebba/.ssh/id_ed25519
 
 # Uncomment to use SSH password instead of pem key
 # If you uncomment this, comment out the key_file line above
 #ansible_ssh_pass: mypassword
 
 # Domain variables required for the playbook
-var_domain: forksand.io
-var_mail_domain: mail.forksand.io
+var_domain: forksand.com
+var_mail_domain: mx1.forksand.com
 var_relay_domain: forksand.com

source/resources/apps/email-ansible/inventory.yml

@@ -1,6 +1,7 @@
 all:
   hosts:
-    10.0.0.1: # Example host
+    174.128.244.233: # mx1.forksand.com
+#    174.128.244.234: # mx2.forksand.com
 
     # Additional hosts can be specified by adding them below
     #10.0.0.2: # Example host 2. Uncomment line to use

source/resources/apps/email-ansible/roles/dkim_configuration/tasks/main.yml

@@ -73,4 +73,5 @@
     content: |
       localhost
       127.0.0.0/8
-      10.0.2.0/24
+      174.128.244.233
+      174.128.244.234

source/resources/apps/email-ansible/roles/dkim_configuration/templates/internalhosts.j2

@@ -1,3 +1,3 @@
 {{ domain }}
-10.0.2.15/255.255.255.0
-70.39.125.71
+174.128.244.233
+174.128.244.234

source/resources/apps/email-ansible/roles/dkim_configuration/templates/trustedhosts.j2

@@ -1,5 +1,5 @@
 localhost
 127.0.0.0/8
 {{ domain }}
-70.39.125.71
-10.0.2.0/24
+174.128.244.233
+174.128.244.234

source/resources/apps/email-ansible/roles/dovecot_configuration/templates/10-master.conf.j2

@@ -19,5 +19,5 @@ service auth {
   }
 }
 service auth-worker {
-  user = $default_internal_user
+  group = shadow
 }

source/resources/apps/email-ansible/roles/mikegleasonjr.firewall/defaults/main.yml

@@ -1,6 +1,5 @@
 ---
 firewall_v4_configure: true
-firewall_v6_configure: false
 
 firewall_v4_default_rules:
   001 default policies:
@@ -11,7 +10,7 @@ firewall_v4_default_rules:
     - -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   200 allow ssh ports:
     - -A INPUT -p tcp --dport 22 -j ACCEPT
-    - -A INPUT -p tcp --dport 33957 -j ACCEPT
+    - -A INPUT -p tcp --dport 26101 -j ACCEPT
   201 allow http port:
     - -A INPUT -p tcp --dport  80 -j ACCEPT
   202 allow smtp ports:
@@ -28,6 +27,3 @@ firewall_v4_default_rules:
 firewall_v4_group_rules: {}
 firewall_v4_host_rules: {}
 
-firewall_v6_default_rules: {}
-firewall_v6_group_rules: {}
-firewall_v6_host_rules: {}

source/resources/apps/email-ansible/roles/mikegleasonjr.firewall/tasks/persist-debian.yml

@@ -8,15 +8,15 @@
 - name: Check if netfilter-persistent is present
   shell: which netfilter-persistent
   register: is_netfilter
-  when: v4_script|changed or v6_script|changed
+  when: v4_script|changed
   changed_when: false
   ignore_errors: yes
   check_mode: no
 
 - name: Save rules (netfilter-persistent)
   command: netfilter-persistent save
-  when: not ansible_check_mode and (v4_script|changed or v6_script|changed) and is_netfilter.rc == 0
+  when: not ansible_check_mode and v4_script|changed and is_netfilter.rc == 0
 
 - name: Save rules (iptables-persistent)
   command: /etc/init.d/iptables-persistent save
-  when: not ansible_check_mode and (v4_script|changed or v6_script|changed) and is_netfilter.rc == 1
+  when: not ansible_check_mode and v4_script|changed and is_netfilter.rc == 1

source/resources/apps/email-ansible/roles/mikegleasonjr.firewall/tasks/persist-redhat.yml

@@ -3,10 +3,6 @@
   shell: iptables-save -c > /etc/sysconfig/iptables
   when: v4_script|changed
 
-- name: Save v6 rules (/etc/sysconfig/ip6tables)
-  shell: ip6tables-save -c > /etc/sysconfig/ip6tables
-  when: v6_script|changed
-
 - name: Ensure iptables service is installed
   yum: name=iptables-services state=present update_cache=yes
   when: ansible_distribution_major_version >= '7'
@@ -17,7 +13,3 @@
 
 - name: Ensure iptables service is enabled & started
   service: name=iptables enabled=yes state=started
-
-- name: Ensure ip6tables service is enabled & started
-  service: name=ip6tables enabled=yes state=started
-  when: firewall_v6_configure

source/resources/apps/email-ansible/roles/mikegleasonjr.firewall/tasks/rules.yml

@@ -13,16 +13,3 @@
     'Table does not exist' in v4_script_load_result.stderr
   when: v4_script|changed
 
-- name: Generate v6 rules
-  template: src=generated.v6.j2 dest=/etc/iptables.v6.generated owner=root group=root mode=755
-  register: v6_script
-  when: firewall_v6_configure
-
-- name: Load v6 rules
-  command: /etc/iptables.v6.generated
-  register: v6_script_load_result
-  failed_when: >-
-    v6_script_load_result.rc != 0 or
-    'unknown option' in v6_script_load_result.stderr or
-    'Table does not exist' in v6_script_load_result.stderr
-  when: v6_script|changed

source/resources/apps/email-ansible/roles/mikegleasonjr.firewall/templates/generated.v6.j2

@@ -1,26 +0,0 @@
-#!/bin/sh
-# {{ ansible_managed }}
-{% set merged = firewall_v6_default_rules.copy() %}
-{% set _ = merged.update(firewall_v6_group_rules) %}
-{% set _ = merged.update(firewall_v6_host_rules) %}
-
-# flush rules & delete user-defined chains
-ip6tables -F
-ip6tables -X
-ip6tables -t raw -F
-ip6tables -t raw -X
-ip6tables -t nat -F
-ip6tables -t nat -X
-ip6tables -t mangle -F
-ip6tables -t mangle -X
-
-{% for group, rules in merged|dictsort  %}
-# {{ group }}
-{% if not rules %}
-# (none)
-{% endif %}
-{% for rule in rules %}
-ip6tables {{ rule }}
-{% endfor %}
-
-{% endfor %}

source/resources/apps/email-ansible/roles/mikegleasonjr.firewall/tests.yml

@@ -4,8 +4,6 @@
 
   roles:
     - role: .
-      firewall_v6_configure: true
-
       firewall_v4_group_rules:
         400 allow http:
           - -A INPUT -p tcp --dport http -j ACCEPT
@@ -14,14 +12,6 @@
       firewall_v4_host_rules:
         400 allow 7890: []
 
-      firewall_v6_group_rules:
-        400 allow http:
-          - -A INPUT -p tcp --dport http -j ACCEPT
-        400 allow 7890:
-          - -A INPUT -p tcp --dport 7890 -j ACCEPT
-      firewall_v6_host_rules:
-        400 allow 7890: []
-
   tasks:
     - name: Retrieve v4 rules
       command: iptables -L -n
@@ -45,24 +35,3 @@
         that: "'tcp dpt:7890' not in v4_rules.stdout"
       when: not ansible_check_mode
 
-    - name: Retrieve v6 rules
-      command: ip6tables -L -n
-      changed_when: false
-      register: v6_rules
-      when: not ansible_check_mode
-    - name: Check that INPUT policy has been applied
-      assert:
-        that: "'Chain INPUT (policy DROP' in v6_rules.stdout"
-      when: not ansible_check_mode
-    - name: Check that a default rule has been applied
-      assert:
-        that: "'tcp dpt:22' in v6_rules.stdout"
-      when: not ansible_check_mode
-    - name: Check that a group rule has been applied
-      assert:
-        that: "'tcp dpt:80' in v6_rules.stdout"
-      when: not ansible_check_mode
-    - name: Check that deleted rules are deleted
-      assert:
-        that: "'tcp dpt:7890' not in v6_rules.stdout"
-      when: not ansible_check_mode

source/resources/apps/email-ansible/roles/postfix_configuration/templates/aliases.j2

@@ -1,3 +1,3 @@
 root: jebba
-jebba: jebba-mail@{{ relay_domain }}
+#jebba: jebba-mail@{{ relay_domain }}
 nobody: /dev/null