From 8027dc0f25fc6dff3db406cf0e5c4cf8f912a17d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Fri, 19 Jul 2024 16:16:11 +0000
Subject: [PATCH] Better site-specific mail delivery configuration

---
 README.md                      | 13 ++++++------
 common/playbooks/k8s.yaml      | 38 ++++++++++++++++++++++------------
 staging1/inventory/99-all.yaml |  1 +
 3 files changed, 32 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index a6dc0b4..fa97a0c 100644
--- a/README.md
+++ b/README.md
@@ -26,12 +26,11 @@ Note: example commands to create secrets for "eosc-dev":
     vault kv put -mount secrets $prefix/FEDCLOUD_DYNAMIC_DNS $HOST1=$SECRET1 $HOST2=$SECRET2
     vault kv put -mount secrets $prefix/deployment-hub checkin_host=... client_id=... client_secret=...
 
-## Sites
+## Inventory parameters
 
-### CESNET Central
+Used parameters in ansible recipes:
 
-Kubernetes cluster for the "central" components - Jupyter Hub, image repository, ...
-
-### CESNET MCC
-
-Example site. Kubernetes cluster for worker nodes with Jupyter Enterprise Gateway.
+* *mail\_fromdomain*: hostname in from header
+* *mail_local*: disable e-mail (only local delivery)
+* *site\_name*: site identifier
+* *vault\_mount\_point:*: path to secrets in the Vault
diff --git a/common/playbooks/k8s.yaml b/common/playbooks/k8s.yaml
index 9ca0808..ef46de4 100644
--- a/common/playbooks/k8s.yaml
+++ b/common/playbooks/k8s.yaml
@@ -50,24 +50,34 @@
         mode: 0644
     - name: Mails settings
       vars:
-        main_global:
-          # disable everything except TLSv1.2
-          smtpd_tls_mandatory_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
-          smtpd_tls_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
-          smtp_tls_mandatory_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
-          smtp_tls_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
-        fromdomain: "{{ lookup('dig', groups['fip'][0] + '/PTR') | regex_replace('\\.$', '') }}"
+        fip_hostname: "{{ lookup('dig', groups['fip'][0] + '/PTR') | regex_replace('\\.$', '') }}"
       block:
-        - name: Site-specific postfix settings
+        - name: Global postfix settings
           set_fact:
+            main:
+              # disable everything except TLSv1.2
+              smtpd_tls_mandatory_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+              smtpd_tls_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+              smtp_tls_mandatory_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+              smtp_tls_protocols: "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+        - name: Site-specific postfix settings (CESNET)
+          vars:
             main_cesnet:
-              myhostname: "{{ fromdomain }}"
+              myhostname: "{{ fip_hostname }}"
               relayhost: relay.muni.cz
               inet_protocols: ipv4
-          when: site_name == "cesnet" or site_name == "cesnet-mcc"
+          set_fact:
+            main: '{{ main | combine(main_cesnet) }}'
+          when: site_name == "cesnet-testing" or site_name == "cesnet-mcc"
+        - name: Site-specific postfix settings - mail_fromdomain
+          set_fact:
+            main: '{{ main | combine({ "myhostname": mail_fromdomain }) }}'
+          when: mail_fromdomain is defined
+        - name: Site-specific postfix settings - default_transport
+          set_fact:
+            main: '{{ main | combine({ "default_transport": "error: This server sends mail only locally." }) }}'
+          when: mail_local | default(false) | bool
         - name: Setup postfix
-          vars:
-            main: "{{ main_global | combine(main_cesnet | default({})) }}"
           lineinfile:
             regexp: '^{{ item.key }}\s*=\s*.*'
             line: "{{ item.key }} = {{ item.value }}"
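Review bot: The comment `# disable everything except TLSv1.2` carried over onto the new `main` fact understates what the setting permits: Postfix treats `!` entries as exclusions, so every protocol not listed stays enabled, which includes TLSv1.3 where the TLS library supports it. A comment such as `# exclude SSLv2/SSLv3/TLSv1/TLSv1.1; TLSv1.2 and newer remain enabled` describes the four values accurately. Separately, `set_fact` registers `main` as a host fact that persists for the rest of the play, and a name that generic can silently collide with an unrelated fact set elsewhere; a more specific name such as `postfix_main` (also in the `loop:` on the `Setup postfix` task) would make the dependency visible. The enclosing `Mails settings` block continues past the end of this hunk.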
@@ -75,11 +85,13 @@
           loop: "{{ main | dict2items }}"
           notify: Reload postfix
         - name: Setup mailutils
+          vars:
+            fromdomain: "{{ mail_fromdomain | default(fip_hostname) }}"
           template:
             src: templates/etc/mailutils.conf
             dest: /etc/mailutils.conf
             mode: 0644
-          when: site_name == "cesnet" or site_name == "cesnet-mcc"
+          when: (site_name == "cesnet-testing" or site_name == "cesnet-mcc" or mail_fromdomain is defined) and not (mail_local | default(false))
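Review bot: The `mail_local` test in the new `when:` on `Setup mailutils` is not coerced the way the `default_transport` task in the previous hunk does it: `not (mail_local | default(false))` treats a string value such as `"false"` (for example one supplied via `-e`) as truthy, so this task would be skipped while the `default_transport` task, which applies `| bool`, would still leave postfix configured for outbound delivery. Use the same filter chain in both places, `when: (site_name == "cesnet-testing" or site_name == "cesnet-mcc" or mail_fromdomain is defined) and not (mail_local | default(false) | bool)`. The inventory change in this patch sets `mail_local: true` as a YAML boolean, so the divergence only bites for string-typed values, but keeping the two conditions identical removes the trap. The `site_name == "cesnet-testing" or site_name == "cesnet-mcc"` expression is now repeated in two tasks; a block-level var such as `cesnet_site: "{{ site_name in ['cesnet-testing', 'cesnet-mcc'] }}"` would keep them from drifting apart.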
     - name: Site touch
       file:
         path: "/EOSC-{{ site_name | upper }}"
diff --git a/staging1/inventory/99-all.yaml b/staging1/inventory/99-all.yaml
index 835c93c..68641ba 100644
--- a/staging1/inventory/99-all.yaml
+++ b/staging1/inventory/99-all.yaml
@@ -12,6 +12,7 @@ all:
     ansible_user: egi
     ansible_ssh_common_args: '-o ProxyCommand="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p -q egi@{{ groups["fip"][0] }}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
 
+    mail_local: true
     site_name: psnc-staging
     vault_mount_point: secrets/users/e1662e20-e34b-468c-b0ce-d899bc878364@egi.eu/eosc-staging
 
-- 
GitLab