From b72a3a8bf03b504ff60b75519489345f28253ed3 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 15 Jul 2024 01:09:13 +0200
Subject: add initial rspamd role

---
 chaos-at-home/ch-testvm-prometheus.yml | 2 +
 inventory/host_vars/ch-testvm-prometheus.yml | 6 +++
 roles/mail/rspamd/defaults/main.yml | 11 +++++
 roles/mail/rspamd/handlers/main.yml | 14 ++++++
 roles/mail/rspamd/tasks/main.yml | 70 ++++++++++++++++++++++++++++
 5 files changed, 103 insertions(+)
 create mode 100644 roles/mail/rspamd/defaults/main.yml
 create mode 100644 roles/mail/rspamd/handlers/main.yml
 create mode 100644 roles/mail/rspamd/tasks/main.yml

diff --git a/chaos-at-home/ch-testvm-prometheus.yml b/chaos-at-home/ch-testvm-prometheus.yml
index 10388bda..aa71d2c3 100644
--- a/chaos-at-home/ch-testvm-prometheus.yml
+++ b/chaos-at-home/ch-testvm-prometheus.yml
@@ -12,6 +12,8 @@
   hosts: ch-testvm-prometheus
   roles:
   - role: x509/static-ca/base
+  - role: nginx/base
   - role: mail/opendkim
+  - role: mail/rspamd
   - role: mail/postfix/base
   - role: mail/postfix/submission
diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml
index ce56456b..80f3b4d0 100644
--- a/inventory/host_vars/ch-testvm-prometheus.yml
+++ b/inventory/host_vars/ch-testvm-prometheus.yml
@@ -54,6 +54,12 @@ opendkim_domains:
     keylength: 2048
 
 
+rspamd_web:
+  hostname: mx0.chaox.org
+  password: secret
+  enable_password: very-secret
+
+
 postfix_base_mynetworks:
 - "127.0.0.0/8"
 - "[::ffff:127.0.0.0]/104"
diff --git a/roles/mail/rspamd/defaults/main.yml b/roles/mail/rspamd/defaults/main.yml
new file mode 100644
index 00000000..fd235a82
--- /dev/null
+++ b/roles/mail/rspamd/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+rspamd_disable_normal_worker: yes
+
+rspamd_proxy_socket_for_postfix: yes
+
+# rspamd_web:
+#   hostname: mx0.example.com
+#   password: "secret"
+#   enable_password: "very-secret"
+#   tls:
+#     certificate_provider: ...
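Review bot: The controller credentials `password: secret` and `enable_password: very-secret` in the host_vars hunk are committed as plaintext to the inventory, so they live in the repository history for as long as the repo exists; even for a test VM they should be an ansible-vault value (`password: !vault |` …) or a lookup into a secret store. Rspamd's controller also accepts the hashed form produced by `rspamadm pw`, which is the safer thing to keep in the inventory if vaulting is not wanted. Since `hostname: mx0.chaox.org` looks like the public MX name, this password will be usable from the internet as soon as the nginx vhost from this commit is up.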
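Review bot: `rspamd_disable_normal_worker: yes` and `rspamd_proxy_socket_for_postfix: yes` in the new defaults rely on YAML 1.1 truthy parsing; the canonical form is `true`, which yamllint's `truthy` rule and ansible-lint will otherwise flag. The commented `rspamd_web` example lists a `tls:` / `certificate_provider:` key that nothing in this commit reads (tasks/main.yml only carries a `# TODO: add support for tls!`), so a reader will assume it works; a comment such as `#   tls:  # not implemented yet, see TODO in tasks/main.yml` would make the gap explicit.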
diff --git a/roles/mail/rspamd/handlers/main.yml b/roles/mail/rspamd/handlers/main.yml
new file mode 100644
index 00000000..f6980d50
--- /dev/null
+++ b/roles/mail/rspamd/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+
+- name: restart rspamd
+  service:
+    name: rspamd
+    state: restarted
+
+- name: reload rspamd
+  service:
+    name: rspamd
+    state: reloaded
diff --git a/roles/mail/rspamd/tasks/main.yml b/roles/mail/rspamd/tasks/main.yml
new file mode 100644
index 00000000..7546c8a5
--- /dev/null
+++ b/roles/mail/rspamd/tasks/main.yml
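Review bot: The `reload systemd` handler only performs a daemon-reload, so a changed rspamd.service override — in this commit the `ExecStartPre=` that creates `/var/spool/postfix/rspamd` — is re-read by systemd but never executed for an already-running rspamd; the override task in tasks/main.yml notifies only this handler, and a restart is triggered solely when the worker-proxy file changes. Having the override task notify both (`notify: [reload systemd, restart rspamd]`) closes that gap, and because handlers run in the order they are declared here, daemon-reload will precede the restart. Style-wise, `daemon_reload: yes` reads more consistently as `daemon_reload: true`.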
@@ -0,0 +1,70 @@
+---
+- name: install rspamd packages
+  apt:
+    name:
+    - rspamd
+    state: present
+
+- name: disable normal worker
+  when: rspamd_disable_normal_worker
+  copy:
+    content: |
+      # ansible generated
+      enabled = false;
+    dest: /etc/rspamd/local.d/worker-normal.inc
+  notify: restart rspamd
+
+- name: prepare rspamd-proxy to be used with chrooted postfix
+  when: rspamd_proxy_socket_for_postfix
+  block:
+  - name: create systemd override directory
+    file:
+      path: /etc/systemd/system/rspamd.service.d
+      state: directory
+
+  - name: add systemd service override
+    copy:
+      content: |
+        [Service]
+        ExecStartPre=+/usr/bin/install -d /var/spool/postfix/rspamd -o _rspamd -g _rspamd -m 0750
+      dest: /etc/systemd/system/rspamd.service.d/postfix-chroot.conf
+    notify: reload systemd
+
+  - name: set rspamd-proxy options for postfix using milter over unix-socket
+    copy:
+      content: |
+        # ansible generated
+        milter = yes;
+        bind_socket = "/var/spool/postfix/rspamd/rspamd-proxy.sock mode=0660 owner=_rspamd"
+      dest: /etc/rspamd/local.d/worker-proxy.inc
+    notify: restart rspamd
+
+- name: configure rspamd web interface
+  when: rspamd_web is defined
+  block:
+  - name: configure rspmad-controller passwords
+    copy:
+      content: |
+        # ansible generated
+        password = "{{ rspamd_web.password }}";
+        enable_password = "{{ rspamd_web.enable_password }}";
+      dest: /etc/rspamd/local.d/worker-controller.inc
+      mode: 0400
+      owner: _rspamd
+    notify: reload rspamd
+
+  # TODO: add support for tls!
+  # TODO: add support for whaty-nginx-sso?
+  - name: configure nginx reverse proxy for rspamd web interface
+    vars:
+      nginx_vhost:
+        default: yes
+        name: rspamd
+        template: generic
+        hostnames:
+        - "{{ rspamd_web.hostname }}"
+        locations:
+          '/':
+            proxy_pass: http://127.0.0.1:11334
+    include_role:
+      name: nginx/vhost
-- 
cgit v1.2.3
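Review bot: The nginx vhost in the last task proxies to `http://127.0.0.1:11334` without forwarding the client address, so the controller sees every request as originating from localhost; if the packaged worker-controller.inc still carries the upstream default `secure_ip = "127.0.0.1"; secure_ip = "::1";`, the password check is skipped for all of them and the admin UI — configured as the `default: yes` vhost on the MX hostname, with TLS still a TODO — is reachable unauthenticated. Either clear `secure_ip` in the generated worker-controller.inc or forward the real client (`proxy_set_header X-Forwarded-For $remote_addr;` and `X-Real-IP`; as far as I recall rspamd honours these when the proxy itself is a trusted address, and how to express it depends on nginx/vhost's `locations` schema, which is outside this hunk), then confirm with an unauthenticated request to `/auth` through nginx that a password is demanded. The `password = "{{ rspamd_web.password }}";` lines also interpolate raw inventory values into a double-quoted UCL string, so a `"` or `\` in the secret breaks the config; writing the `rspamadm pw` hash instead avoids both that and a plaintext secret on disk. `mode: 0400` should be quoted (`mode: "0400"`) so YAML does not turn it into an integer.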