danarchy_deploy 0.2.6 → 0.2.8

data/templates/deploy_template.json

@@ -1,40 +1,66 @@
 {
   "hostname": "hostname",
-  "os": "gentoo|debian|ubuntu",
-  "ipv4": "IPv4 to use for deployment",
-  "ssh_user": "deploy-user",
-  "ssh_key": "/home/path/to/deploy-user/ssh_key.",
+  "os": "gentoo || debian || fedora || ubuntu || opensuse",
+  "ipv4": "IPv4 to use for remote deployment",
+  "ssh_user": "ssh-user",
+  "ssh_key": "/home/path/to/ssh-user/ssh_key.",
   "packages": [
     "package1",
     "package2"
   ],
-  "users": [
-    {
-      "username": "username",
+  "system": {
+    "update": "true || all || system || selected || none || false",
+    "fstab": {
+      "source": "builtin::system/fstab_gentoo_client.erb",
+      "mounts": [
+        {
+          "filesystem": "/",
+          "mountpoint": "/dev/sda3",
+          "type": "ext4",
+          "opts": "defaults,noatime",
+          "dump/pass": "0 0"
+        }
+      ]
+    }
+  },
+  "portage": {
+    "sync": false,
+    "templates": [
+      {
+        "target": "/etc/portage/make.conf",
+        "source": "builtin::portage/make.conf.erb",
+        "variables": {
+          "use": "bindist logrotate",
+          "features": "distcc"
+        }
+      }
+    ]
+  },
+  "users": {
+    "username": {
       "home": "/home/username",
       "uid": int,
       "gid": int,
-      "sudoer": "username ALL = NOPASSWD: ALL",
-      "ssh-authorized_keys": [
-	"ssh-ed25519 it0C5o6GHC8lxqctpexakfdA5o7LeSe+QbMhIl+GYtZ2OCMFliLsODDrrazR+u2y user@hostname",
-	"ssh-rsa K0APeEvotGunpBrl/LvSAG/gLUldCnOrL60v47QYjuqoGJmM3Fk8V29+8jZPp9Dl user@hostname"
+      "sudoer": ["username ALL=(ALL) NOPASSWD:ALL"],
+      "authorized_keys": [
+        "ssh-ed25519 it0C5o6GHC8lxqctpexakfdA5o7LeSe+QbMhIl+GYtZ2OCMFliLsODDrrazR+u2y user@hostname",
+        "ssh-rsa K0APeEvotGunpBrl/LvSAG/gLUldCnOrL60v47QYjuqoGJmM3Fk8V29+8jZPp9Dl user@hostname"
       ],
       "groups": [
-	int,
-	int
+        int
       ],
       "archives": [
-	{
-	  "target": "/path/to/extract/to/",
-	  "source": "/path/to/tarball.(tar.{gz,bz2}|zip)"
-	},
-	{
-	  "target": "/path/to/extract/to/",
-	  "data": "couchdb:base64_encoded_data"
-	}
+        {
+          "target": "/path/to/extract/to/",
+          "source": "/path/to/tarball.(tar.{gz,bz2}|zip)"
+        },
+        {
+          "target": "/path/to/extract/to/",
+          "data": "couchdb::base64_encoded_data"
+        }
       ]
     }
-  ],
+  },
   "groups": [
     {
       "groupname": "groupname",
@@ -50,48 +76,48 @@
         ]
       },
       "archives": [
-	{
-	  "target": "/path/to/extract/to/",
-	  "source": "/path/to/tarball.(tar.{gz,bz2}|zip)"
-	},
-	{
-	  "target": "/path/to/extract/to/",
-	  "data": "couchdb:base64_encoded_data"
-	}
+        {
+          "target": "/path/to/extract/to/",
+          "source": "/path/to/tarball.(tar.{gz,bz2}|zip)"
+        },
+        {
+          "target": "/path/to/extract/to/",
+          "data": "couchdb::base64_encoded_data"
+        }
       ],
       "templates": [
-	{
-	  "target": "/path/to/target/file",
-	  "source": "/path/to/source/erb",
-	  "dir_perms": {
+        {
+          "target": "/path/to/target/file",
+          "source": "/path/to/source/erb",
+          "dir_perms": {
             "owner": "username",
             "group": "groupname",
             "mode": "0755"
-	  },
-	  "file_perms": {
+          },
+          "file_perms": {
             "owner": "username",
             "group": "groupname",
             "mode": "0644"
-	  },
-	  "variables": {
-	    "var1": "value",
-	    "var2": "value"
-	  }
-	},
-	{
-	  "target": "/path/to/target/file",
-	  "data": "couchdb:base64_encoded_erb",
-	  "dir_perms": {
+          },
+          "variables": {
+            "var1": "value",
+            "var2": "value"
+          }
+        },
+        {
+          "target": "/path/to/target/file",
+          "data": "couchdb::base64_encoded_erb",
+          "dir_perms": {
             "owner": "username",
             "group": "groupname",
             "mode": "0755"
-	  },
-	  "file_perms": {
+          },
+          "file_perms": {
             "owner": "username",
             "group": "groupname",
             "mode": "0644"
-	  }
-	}
+          }
+        }
       ]
     }
   }

data/templates/distcc/distccd.erb

@@ -0,0 +1,14 @@
+# Deployed by dAnarchy_deploy: /etc/conf.d/distccd: config file for /etc/init.d/distccd
+
+# this is the distccd executable
+DISTCCD_EXEC="/usr/bin/distccd"
+
+# this is where distccd will store its pid file
+DISTCCD_PIDFILE="/var/run/distccd/distccd.pid"
+
+<%= @variables[:opts] ? 'DISTCCD_OPTS=' + "\"#{@variables[:opts]}\"" : 'DISTCCD_OPTS=""' %>
+<%= @variables[:port] ? 'DISTCCD_OPTS=' + "\"${DISTCCD_OPTS} --port #{@variables[:port]}\"" : 'DISTCCD_OPTS="${DISTCCD_OPTS} --port 3632"' %>
+<%= @variables[:loglevel] ? 'DISTCCD_OPTS=' + "\"${DISTCCD_OPTS} --log-level #{@variables[:loglevel]}\"" : 'DISTCCD_OPTS="${DISTCCD_OPTS} --log-level critical"' %>
+<%= @variables[:allow] ? 'DISTCCD_OPTS=' + "\"${DISTCCD_OPTS} --allow #{@variables[:allow]}\"" : '' %>
+<%= @variables[:listen] ? 'DISTCCD_OPTS=' + "\"${DISTCCD_OPTS} --listen #{@variables[:listen]}\"" : '' %>
+<%= @variables[:nice] ? 'DISTCCD_OPTS=' + "\"${DISTCCD_OPTS} -N #{@variables[:nice]}\"" : '' %>

data/templates/distcc/hosts.erb

@@ -0,0 +1,2 @@
+# Deployed by dAnarchy_deploy: /etc/distcc/hosts
+<%= @variables[:hosts] ? "#{@variables[:hosts]}" : 'localhost' -%>

data/templates/portage/make.conf.erb

@@ -0,0 +1,30 @@
+# Deployed by dAnarchy_deploy: /etc/portage/make.conf
+COMMON_FLAGS="-march=<%= `gcc -march=native -Q --help=target | grep march`.split[1] %> -O2 -pipe"
+CFLAGS="${COMMON_FLAGS}"
+CXXFLAGS="${COMMON_FLAGS}"
+FCFLAGS="${COMMON_FLAGS}"
+FFLAGS="${COMMON_FLAGS}"
+
+MAKEOPTS="-j<%= `nproc`.to_i * 2 + 1 %> -l<%= `nproc`.to_i %>"
+CPU_FLAGS_X86="<%= `cpuid2cpuflags`.split(': ').last.chomp %>"
+
+<% if !@variables -%>
+USE="bindist logrotate"
+INPUT_DEVICES="evdev keyboard"
+<% else -%>
+<%= @variables[:use] ? 'USE=' + "\"bindist logrotate #{@variables[:use]}\"\n" : "USE=\"bindist logrotate\"\n" -%>
+<%= @variables[:grub] ? 'GRUB_PLATFORMS=' + "\"#{@variables[:grub]}\"\n" : '' -%>
+<%= @variables[:ruby] ? 'RUBY_TARGETS=' + "\"#{@variables[:ruby]}\"\n" : '' -%>
+<%= @variables[:php] ? 'PHP_TARGETS=' + "\"#{@variables[:php]}\"\n" : '' -%>
+<%= @variables[:features] ? 'FEATURES=' + "\"#{@variables[:features]}\"\n" : '' -%>
+<%= @variables[:videocards] ? 'VIDEO_CARDS=' + "\"#{@variables[:videocards]}\"\n" : '' -%>
+<%= @variables[:input] ? 'INPUT_DEVICES=' + "\"#{@variables[:input]}\"\n" : "INPUT_DEVICES=\"evdev keyboard\"\n" -%>
+<% end -%>
+
+# This sets the language of build output to English.
+# Please keep this setting intact when reporting bugs.
+LC_MESSAGES=C
+
+PORTDIR="/var/db/repos/gentoo"
+DISTDIR="/var/cache/distfiles"
+PKGDIR="/var/cache/binpkgs"

data/templates/portage/package.use/bindist

@@ -0,0 +1,3 @@
+# Allow EC algorithms in OpenSSL/OpenSSH (patents blocked with bindist)
+dev-libs/openssl -bindist
+net-misc/openssh -bindist

data/templates/portage/package.use/documentation

@@ -0,0 +1,3 @@
+dev-lang/perl doc
+dev-lang/python doc
+dev-lang/ruby doc

data/templates/services/memcached/memcached.erb

@@ -0,0 +1,40 @@
+# memcached config file
+
+MEMCACHED_BINARY="/usr/bin/memcached"
+
+# Specify memory usage in megabytes (do not use letters)
+# 64MB is default
+MEMUSAGE="64"
+
+# User to run as
+MEMCACHED_RUNAS="memcached"
+
+# Specify maximum number of concurrent connections
+# 1024 is default
+MAXCONN="1024"
+
+# Listen for connections on what address?
+# If this is empty, memcached will listen on 0.0.0.0
+# be sure you have a firewall in place!
+LISTENON="<%= (@variables && @variables[:listenon]) ? @variables[:listenon] : '127.0.0.1' %>"
+
+# Listen for connections on what port?
+PORT="<%= (@variables && @variables[:port]) ? @variables[:port] : '11211' %>"
+
+# Listen for UDP connecitons on what port? 0 means turn off UDP
+UDPPORT="${PORT}"
+
+# PID file location
+# '-${PORT}.${CONF}.pid' will be appended to this!
+# You do not normally need to change this.
+PIDBASE="/var/run/memcached/memcached"
+
+# Socket to listen on
+#SOCKET="/var/run/memcached/memcached.sock"
+
+# Socket mask
+# 0700 is default
+#SOCKET_MASK="0700"
+
+# Other Options
+MISC_OPTS=""

data/templates/services/mysql/my.cnf.erb

@@ -0,0 +1,143 @@
+# /etc/mysql/my.cnf: The global mysql configuration file.
+
+# The following options will be passed to all MySQL clients
+[client]
+#password                                       = your_password
+port                                            = 3306
+socket                                          = /var/run/mysqld/mysqld.sock
+
+[mysql]
+character-sets-dir=/usr/share/mariadb/charsets
+default-character-set=utf8
+
+[mysqladmin]
+character-sets-dir=/usr/share/mariadb/charsets
+default-character-set=utf8
+
+[mysqlcheck]
+character-sets-dir=/usr/share/mariadb/charsets
+default-character-set=utf8
+
+[mysqldump]
+character-sets-dir=/usr/share/mariadb/charsets
+default-character-set=utf8
+
+[mysqlimport]
+character-sets-dir=/usr/share/mariadb/charsets
+default-character-set=utf8
+
+[mysqlshow]
+character-sets-dir=/usr/share/mariadb/charsets
+default-character-set=utf8
+
+[myisamchk]
+character-sets-dir=/usr/share/mariadb/charsets
+
+[myisampack]
+character-sets-dir=/usr/share/mariadb/charsets
+
+# use [safe_mysqld] with mysql-3
+[mysqld_safe]
+err-log                                         = /var/log/mysql/mysqld.err
+
+# add a section [mysqld-4.1] or [mysqld-5.0] for specific configurations
+[mysqld]
+expire_logs_days		= 30
+character-set-server            = utf8
+user                            = mysql
+port                            = 3306
+socket                          = /var/run/mysqld/mysqld.sock
+pid-file                        = /var/run/mysqld/mysqld.pid
+log-error                       = /var/log/mysql/mysqld.err
+basedir                         = /usr
+datadir                         = <%= @variables[:datadir] ? @variables[:datadir] : '/var/lib/mysql' %>
+skip-external-locking
+key_buffer_size                 = 16M
+max_allowed_packet              = 4M
+table_open_cache                = 400
+sort_buffer_size                = 512K
+net_buffer_length               = 16K
+read_buffer_size                = 256K
+read_rnd_buffer_size            = 512K
+myisam_sort_buffer_size         = 8M
+lc_messages_dir                 = /usr/share/mariadb
+#Set this to your desired error message language
+lc_messages                     = en_US
+
+# security:
+# using "localhost" in connects uses sockets by default
+# skip-networking
+bind-address                            = <%= @variables[:bind_address] ? @variables[:bind_address] : '127.0.0.1' %>
+skip-name-resolve
+
+log-bin					= /var/log/mysql/mysql-bin.log
+binlog_format				= MIXED
+binlog_expire_logs_seconds		= 604800 # 7 days binlogs
+server-id                               = 1
+
+# point the following paths to different dedicated disks
+tmpdir                                          = /tmp/
+#log-update                             = /path-to-dedicated-directory/hostname
+
+# you need the debug USE flag enabled to use the following directives,
+# if needed, uncomment them, start the server and issue
+# #tail -f /tmp/mysqld.sql /tmp/mysqld.trace
+# this will show you *exactly* what's happening in your server ;)
+
+#log                                            = /tmp/mysqld.sql
+#gdb
+#debug                                          = d:t:i:o,/tmp/mysqld.trace
+#one-thread
+
+# the rest of the innodb config follows:
+# don't eat too much memory, we're trying to be safe on 64Mb boxes
+# you might want to bump this up a bit on boxes with more RAM
+innodb_buffer_pool_size = 128M
+#
+# i'd like to use /var/lib/mysql/innodb, but that is seen as a database :-(
+# and upstream wants things to be under /var/lib/mysql/, so that's the route
+# we have to take for the moment
+#innodb_data_home_dir           = /var/lib/mysql/
+#innodb_log_arch_dir            = /var/lib/mysql/
+#innodb_log_group_home_dir      = /var/lib/mysql/
+# you may wish to change this size to be more suitable for your system
+# the max is there to avoid run-away growth on your machine
+innodb_data_file_path = ibdata1:10M:autoextend:max:128M
+# we keep this at around 25% of of innodb_buffer_pool_size
+# sensible values range from 1MB to (1/innodb_log_files_in_group*innodb_buffer_pool_size)
+innodb_log_file_size = 48M
+# this is the default, increase it if you have very large transactions going on
+innodb_log_buffer_size = 8M
+# see the innodb config docs, the other options are not always safe
+innodb_flush_log_at_trx_commit = 1
+innodb_lock_wait_timeout = 50
+innodb_file_per_table
+
+# Uncomment this to get FEDERATED engine support
+#plugin-load=federated=ha_federated.so
+#loose-federated
+
+[mysqldump]
+quick
+max_allowed_packet                      = 16M
+
+[mysql]
+# uncomment the next directive if you are not familiar with SQL
+#safe-updates
+
+[isamchk]
+key_buffer_size                         = 20M
+sort_buffer_size                        = 20M
+read_buffer                             = 2M
+write_buffer                            = 2M
+
+[myisamchk]
+key_buffer_size                         = 20M
+sort_buffer_size                        = 20M
+read_buffer_size                        = 2M
+write_buffer_size                       = 2M
+
+[mysqlhotcopy]
+interactive-timeout
+
+[mariadb]

data/templates/services/mysql/root_my.cnf.erb

@@ -0,0 +1,11 @@
+[mysql]
+<%= @variables[:host] ? "host=\"#{@variables[:host]}\"\n" : '' -%>
+<%= @variables[:user] ? "user=\"#{@variables[:user]}\"\n" : '' -%>
+<%= @variables[:pass] ? "password=\"#{@variables[:pass]}\"\n" : '' -%>
+<%= @variables[:port] ? "port=\"#{@variables[:port]}\"\n" : '' -%>
+
+[client]
+<%= @variables[:host] ? "host=\"#{@variables[:host]}\"\n" : '' -%>
+<%= @variables[:user] ? "user=\"#{@variables[:user]}\"\n" : '' -%>
+<%= @variables[:pass] ? "password=\"#{@variables[:pass]}\"\n" : '' -%>
+<%= @variables[:port] ? "port=\"#{@variables[:port]}\"\n" : '' -%>

data/templates/services/mysql/user_db_grants.sql.erb

@@ -0,0 +1,33 @@
+DROP DATABASE IF EXISTS test;
+
+<% @variables.each do |mysql| -%>
+<% if mysql[:action] == 'grant' -%>
+
+CREATE DATABASE IF NOT EXISTS `<%= mysql[:database] %>`;
+GRANT <%= mysql[:grants].join(', ') %>
+      ON `<%= mysql[:database] %>`.*
+      TO `<%= mysql[:user] %>`@`<%= mysql[:host] %>`
+      IDENTIFIED BY '<%= DanarchyDeploy::Helpers.decode_base64(mysql[:password]) %>';
+
+<% elsif mysql[:action] == 'revoke' -%>
+
+REVOKE <%= mysql[:grants].join(', ') %>
+      ON `<%= mysql[:database] %>`.*
+      FROM `<%= mysql[:user] %>`@`<%= mysql[:host] %>`;
+
+<% elsif mysql[:action] == 'drop' %>
+
+DROP DATABASE IF EXISTS <%= mysql[:database] %>;
+REVOKE ALL PRIVILEGES
+      ON `<%= mysql[:database] %>`.*
+      FROM `<%= mysql[:user] %>`@`<%= mysql[:host] %>`;
+DROP USER `<%= mysql[:user] %>`;
+
+<% elsif mysql[:action] == 'dropuser' %>
+
+DROP USER IF EXISTS `<%= mysql[:user] %>`@`<%= mysql[:host] %>`;
+
+<% end -%>
+<% end -%>
+
+FLUSH PRIVILEGES;

data/templates/services/mysql/user_db_grants.sql.erb_cleanupUsers

@@ -0,0 +1,52 @@
+DROP DATABASE IF EXISTS test;
+
+<% @variables.each do |mysql| -%>
+<% if mysql[:action] == 'grant' -%>
+
+CREATE DATABASE IF NOT EXISTS `<%= mysql[:database] %>`;
+GRANT <%= mysql[:grants].join(', ') %>
+      ON `<%= mysql[:database] %>`.*
+      TO `<%= mysql[:user] %>`@`<%= mysql[:host] %>`
+      IDENTIFIED BY '<%= DanarchyDeploy::Helpers.decode_base64(mysql[:password]) %>';
+
+<% elsif mysql[:action] == 'revoke' -%>
+
+REVOKE <%= mysql[:grants].join(', ') %>
+      ON `<%= mysql[:database] %>`.*
+      FROM `<%= mysql[:user] %>`@`<%= mysql[:host] %>`;
+
+<% elsif mysql[:action] == 'drop' %>
+
+DROP DATABASE IF EXISTS <%= mysql[:database] %>;
+REVOKE ALL PRIVILEGES
+      ON `<%= mysql[:database] %>`.*
+      FROM `<%= mysql[:user] %>`@`<%= mysql[:host] %>`;
+DROP USER `<%= mysql[:user] %>`;
+
+<% elsif mysql[:action] == 'dropuser' %>
+
+DROP USER IF EXISTS `<%= mysql[:user] %>`@`<%= mysql[:host] %>`;
+
+<% end -%>
+
+# Cleanup user privileges without grants
+SET @keep_hosts = NULL;
+SELECT GROUP_CONCAT(Host) INTO @keep_hosts
+      FROM (
+      	   SELECT Host FROM mysql.db
+	   	  WHERE User = '<%= mysql[:user] %>'
+	   UNION
+	   SELECT Host FROM mysql.tables_priv
+	   	  WHERE User = '<%= mysql[:user] %>'
+	   ) AS T;
+
+SET @drop_users = SELECT GROUP_CONCAT('\'', user, '\'@\'', host, '\'') FROM mysql.user
+    WHERE User = '<%= mysql[:user] %>'
+    AND NOT FIND_IN_SET(Host, @keep_hosts);
+PREPARE stmt1 FROM @drop_users;
+EXECUTE stmt1;
+DEALLOCATE PREPARE stmt1;
+
+<% end -%>
+
+FLUSH PRIVILEGES;

data/templates/services/nginx/nginx.conf.erb

@@ -0,0 +1,48 @@
+user <%= @variables[:web_user] ? @variables[:web_user] : 'nginx' %>;
+worker_processes auto;
+
+error_log /var/log/nginx/error_log info;
+
+events {
+    worker_connections 1024;
+    use epoll;
+
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type text/html;
+
+    log_format main
+    	       '$remote_addr - $remote_user [$time_local] '
+	       '"$request" $status $bytes_sent '
+	       '"$http_referer" "$http_user_agent" '
+	       '"$gzip_ratio"';
+
+    client_header_timeout 10m;
+    client_body_timeout 10m;
+    client_max_body_size <%= @variables[:client_max_body_size] ? @variables[:client_max_body_size] : '32mm' %>;
+    send_timeout 10m;
+
+    connection_pool_size 256;
+    client_header_buffer_size 1k;
+    large_client_header_buffers 4 2k;
+    request_pool_size 4k;
+
+    gzip on;
+
+    output_buffers 1 32k;
+    postpone_output 1460;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+
+    keepalive_timeout 75 20;
+
+    ignore_invalid_headers on;
+
+    index index.html;
+
+    include /home/*/nginx/sites-enabled/*.conf;
+}

data/templates/services/php/php-fpm.conf.erb

@@ -0,0 +1,2 @@
+[Global]
+include=/home/*/php-fpm/sites-enabled/*.conf

data/templates/services/postfix/localmail.initial_setup.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [[ ${UID} != 0 ]]; then
+    echo 'Run this script as root!'
+    exit 1
+fi
+
+postfix upgrade-configuration
+postfix check
+
+newaliases
+
+if [[ $(which rc-service) ]]; then
+    rc-service postfix restart
+elif [[ $(which systemctl) ]]; then
+     systemctl restart postfix
+else
+    echo 'Unable to determine init system! Restart postfix manually.'
+fi

data/templates/services/postfix/localmail.main.cf.erb

@@ -0,0 +1,41 @@
+
+compatibility_level = 3.8
+
+
+queue_directory = /var/spool/postfix
+command_directory = /usr/sbin
+daemon_directory = /usr/libexec/postfix
+data_directory = /var/lib/postfix
+
+mail_owner = postfix
+myhostname = localhost
+mydomain = localdomain
+
+inet_interfaces = $myhostname, localhost
+mydestination = $myhostname, localhost.$mydomain, localhost
+
+unknown_local_recipient_reject_code = 550
+mynetworks_style = host
+default_transport = error:outside mail is not deliverable
+
+debug_peer_level = 2
+debugger_command =
+	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+	 ddd $daemon_directory/$process_name $process_id & sleep 5
+
+
+sendmail_path = /usr/sbin/sendmail
+newaliases_path = /usr/bin/newaliases
+mailq_path = /usr/bin/mailq
+
+setgid_group = postdrop
+html_directory = no
+
+manpage_directory = /usr/share/man
+sample_directory = /etc/postfix
+
+readme_directory = no
+inet_protocols = ipv4
+shlib_directory = /usr/lib64/postfix/${mail_version}
+meta_directory = /etc/postfix
+home_mailbox = .maildir/

data/templates/services/postfix/mailname.erb

@@ -0,0 +1 @@
+<%= @variables[:hostname] %>

data/templates/services/postfix/mailrelayhost_main.cf.erb

@@ -0,0 +1,33 @@
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate \"delayed mail\" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file = <%= @variables[:ssl_cert] %>
+smtpd_tls_key_file = <%= @variables[:ssl_key] %>
+smtpd_use_tls = <%= @variables[:use_tls] || 'yes' %>
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = <%= @variables[:hostname] %>
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = <%= @variables[:hostname] %>, localhost
+relayhost = <%= @variables[:relayhost] %>
+mynetworks = <%= @variables[:mynetworks] %> 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = ipv4