rmails 0.1.1

data/system/lib/README_AutomateIt_lib.txt

@@ -0,0 +1,22 @@
+#-----------------------------------------------------------------------
+#
+# == LIB
+#
+# This is your AutomateIt project's "lib" directory. You can put custom
+# plugins and convenience methods into this directory.
+#
+# For example, create a convenience method for geteting the time by
+# creating a "lib/now.rb" file with the following contents:
+#
+#   def now
+#     DateTime.now
+#   end
+#
+# This will provide a "now" method that's available to your recipes,
+# interactive shell or embedded interpreter.
+#
+# Libraries are loaded every time an AutomateIt interpreter is started.
+# It loads all "*.rb" files in this directory, and all "init.rb" files
+# in subdirectories of this directory.
+#
+#-----------------------------------------------------------------------

data/system/lib/dkim_key.rb

@@ -0,0 +1,9 @@
+def generate_dkim_key(domain, keyname=domain)
+    sh("opendkim-genkey -r -d #{keyname} -D /etc/ssl/dkim")
+    chown 'opendkim', 'opendkim', "/etc/ssl/dkim/#{keyname}.private"
+
+    key_table = "default._domainkey.#{keyname} #{domain}:default:/etc/ssl/dkim/#{keyname}.private"
+    signing_table = "#{domain} default._domainkey.#{keyname}"
+
+    return key_table, signing_table
+end

data/system/lib/smtpd_key.rb

@@ -0,0 +1,39 @@
+def generate_smtpd_key(domain)
+  #pass = passwords.first||SecureRandom.base64(56)
+  #edit :file => pass_file = mktemp do
+  #  append pass
+  #end
+
+  # create cert. request
+  #sh "openssl req -new -key #{key} -out smtpd.csr -passin file:#{pass_file} -subj /C=/ST=/L=/O=/OU=/CN=#{domain}/emailAddress="
+  # create a self signed key
+  #sh "openssl x509 -req -days 365 -in smtpd.csr -signkey #{key} -out /etc/ssl/certs/smtpd.pem -passin file:#{pass_file}"
+  # remove the password from the private certificate
+  #sh "openssl rsa -in #{key} -out /etc/ssl/private/smtpd.pem -passin file:#{pass_file}"
+
+  sh "openssl req -new -newkey rsa:4096 -x509 -days 3650 -nodes -out /etc/ssl/certs/smtpd.pem -keyout /etc/ssl/private/smtpd.pem -subj /C=/ST=/L=/O=/OU=/CN=#{domain}/emailAddress=#{lookup('dovecot#postmaster')}"
+
+  chperm '/etc/ssl/private/smtpd.pem',
+      :user => "root",
+      :group => 'rmails',
+      :mode => 400
+  chperm '/etc/ssl/certs/smtpd.pem',
+      :user => "root",
+      :group => 'rmails',
+      :mode => 400
+
+  #rm pass_file
+  #pass = SecureRandom.base64(56)
+  #edit :file => pass_file = mktemp do
+  #  append pass
+  #end
+  # make ourself a trusted CA
+  #sh "openssl req -new -newkey rsa:4096 -x509 -extensions v3_ca -keyout /etc/ssl/private/cakey.pem -out /etc/ssl/certs/cacert.pem -days 3650 -passin file:#{pass_file} -subj /C=/ST=/L=/O=/OU=/CN=#{domain}/emailAddress"
+
+#  rm pass_file
+
+  #chmod 400, '/etc/ssl/private/cakey.pem'
+  #chmod 400, '/etc/ssl/certs/cacert.pem'
+
+  #passwords << pass
+end

data/system/lib/ssl.rb

@@ -0,0 +1,23 @@
+def server_key(file='/etc/rmails.key')
+  pass = SecureRandom.base64(56)
+  edit :file => pass_file = mktemp do
+    append pass
+  end
+  puts pass+' '+pass_file
+  sh "openssl genrsa -des3 -rand /etc/hosts -out #{file} 4096 -passout file:#{pass_file}"
+  rm pass_file
+  chperm file, :user => "root", :group => 'rmails', :mode => 400
+  pass
+end
+
+def nginx_key
+  sh "openssl req -new -newkey rsa:4096 -x509 -days 3650 -nodes -out /etc/ssl/certs/https.pem -keyout /etc/ssl/private/https.pem -subj /C=/ST=/L=/O=/OU=/CN=#{lookup('postfix#mydomain')}/emailAddress=#{lookup('dovecot#postmaster')}"
+  chperm '/etc/ssl/certs/https.pem',
+      :user => "root",
+      :group => 'rmails',
+      :mode => 400
+  chperm '/etc/ssl/private/https.pem',
+      :user => "root",
+      :group => 'rmails',
+      :mode => 400
+end

data/system/recipes/01_prepare_server.rb

@@ -0,0 +1,84 @@
+
+#
+# Install system packages
+#
+puts 'xx Install tools'
+package_manager.install %w( ntp perl awstats opendkim )
+
+# they may be platform-specific
+if tagged?("ubuntu|debian")
+  puts 'xx Install apt specific'
+  package_manager.install %w( build-essential libpq-dev )
+
+  postgres_packages = %w( postgresql )
+
+  dovecot_packages = %w( dovecot-core dovecot-pgsql dovecot-pop3d dovecot-imapd dovecot-sieve dovecot-managesieved dovecot-lmtpd )
+  dspam_packages = %w( dspam libdspam7-drv-pgsql )
+  amavis_packages = %w( amavisd-new spamassassin )
+
+  if tagged?("ubuntu")
+    package_manager.install postgres_packages + dovecot_packages
+    package_manager.install dspam_packages + amavis_packages
+
+  else # this is debian
+
+    package_manager.install postgres_packages + amavis_packages
+    backports_packages = dovecot_packages + dspam_packages
+
+    # we need to use backports - squeeze is actually stable branch
+    backports_source = "deb http://backports.debian.org/debian-backports squeeze-backports main"
+    edit(:file => "/etc/apt/sources.list") do
+      if contains? backports_source
+        uncomment backports_source
+      else
+        append backports_source
+      end
+    end
+    # update repo system
+    puts "Getting Debian backports packages information..."
+    #XXX shell_manager.sh "apt-get update > /dev/null 2>&1"
+
+    package_manager.install backports_packages, :backports => 'squeeze-backports'
+  end
+
+
+elsif tagged?("fedora | centos")
+  package_manager.install %w( gcc ruby-devel nginx postfix postgresql-server dovecot )
+
+else # fail if running on another platform
+  raise NotImplementedError.new("This platform has not been supported yet")
+
+end
+
+package_manager.install %w( postfix postfix-pgsql nginx )
+
+
+#edit :file => '~/.gemrc' do
+#  lines = "install: --no-rdoc --no-ri\nupdate:  --no-rdoc --no-ri"
+#  append lines unless contains? lines
+#end
+
+gems = %w( activerecord-postgresql-adapter pg paper_trail haml haml-rails jquery-rails chosen-rails simple_form )
+
+begin
+#  package_manager.install(gems, :with => :gem, :docs => false)
+  puts "!! Gems installed"
+rescue
+end
+render :file => "#{dist}rmails/Gemfile.2", :to => "#{rails_root}/Gemfile"
+
+shell_manager.sh 'export PATH=/var/lib/gems/1.8/bin/:${PATH}'
+
+account_manager.add_group('rmails')
+
+render(
+    :file   => "#{dist}sudoers",
+    :to     => "/etc/sudoers",
+    :mode   => 0440, :backup => false
+)
+
+# application private key
+#passwords << server_key('/etc/rmails.key')
+# remember password
+
+#puts passwords.inspect

data/system/recipes/02_setup_database.rb

@@ -0,0 +1,65 @@
+puts "?? Installed version of psql is #{`psql --version`=~/\s(\d.\d)\./;$1}"
+
+if tagged?("ubuntu | debian")
+  etc_postgresql = "/etc/postgresql/#{$1}/main/"
+
+elsif tagged?("fedora | centos")
+  etc_postgresql = "/var/lib/pgsql/#{$1}/data/"
+
+end
+
+puts etc_postgresql
+#service_manager.stop("postgresql")
+
+locals = {
+    :port   => lookup('database#port'),
+    :max_connections   => lookup('database#max_connections')
+}
+render  :file => "#{dist}postgresql/postgresql.conf.erb",
+        :to => "#{etc_postgresql}postgresql.conf",
+        :user => 'postgres',
+        :group => 'rmails',
+        :locals => locals
+
+edit(:file => "#{etc_postgresql}pg_hba.conf") do
+  unless contains?(/^host\sall\sall\s127.0.0.1\/32\smd5$/)
+    append("host \t all \t all \t 127.0.0.1/32 \t md5")
+  end
+end
+
+service_manager.restart("postgresql")
+
+# get password for database connection
+password = lookup('postfix#database#password')
+
+if 1 ==`sudo -u postgres psql -l | grep -w rmails | wc -l`
+# create roles and application database
+  shell_manager.sh "sudo -u postgres psql << EOF
+    CREATE USER postfix ENCRYPTED password '#{password}';
+    CREATE USER dovecot ENCRYPTED password '#{password}';
+    CREATE ROLE rmails_app WITH USER postfix, dovecot LOGIN PASSWORD '#{password}';
+    CREATE DATABASE rmails OWNER rmails_app;
+  EOF", :quiet => true
+end
+
+# render rails database definition
+locals = {
+    :password => password,
+    :dbhost   => lookup('database#host'),
+    :dbport   => lookup('database#port')
+}
+render  :file => "#{dist}rmails/database.yml.erb",
+        :to => "#{rails_root}/config/database.yml",
+        :locals => locals
+
+# create database schema via ActiveRecord Migrations
+#rake_task["db:migrate"].reenable
+#rake_task["db:migrate"].invoke
+shell_manager.sh "rake db:setup"
+
+# grant privileges for postfix and dovecot roles
+shell_manager.sh "sudo -u postgres psql -d rmails << EOF
+  GRANT SELECT ON virtual_aliases TO dovecot;
+  GRANT SELECT ON virtual_domains,virtual_users,virtual_aliases TO postfix;
+EOF"
+

data/system/recipes/03_setup_postfix.rb

@@ -0,0 +1,124 @@
+if tagged?("ubuntu | debian")
+  etc_postfix = '/etc/postfix'
+  dovecot_path = '/usr/lib/dovecot/deliver'
+elsif tagged?('fedora | centos')
+  etc_postfix = '/etc/postfix'
+  dovecot_path = '/usr/lib/dovecot/deliver'
+end
+
+adapter = lookup('postfix#database#adapter')
+shell_manager.mkdir "#{etc_postfix}/#{adapter}"
+
+
+#
+# Set database query files
+#
+locals = {
+    :name     => lookup('postfix#database#name'),
+    :user     => lookup('postfix#database#user'),
+    :host     => lookup('postfix#database#host'),
+    :password => lookup('postfix#database#password')
+}
+
+db_query_files = %w(
+                    sender_login_maps.cf
+                    virtual_mailbox_domains.cf
+                    virtual_mailbox_maps.cf
+                    virtual_alias_maps.cf
+                    email2email.cf            )
+db_query_files.each do |file|
+  render(
+    :file   => "#{dist}postfix/#{file}.erb",
+    :to     => "#{etc_postfix}/#{adapter}/#{file}",
+    :mode   => 0660,
+    :locals => locals
+  )
+end
+shell_manager.chown_R('root', 'postfix', "#{etc_postfix}/#{adapter}")
+
+#
+# Set master.cf
+#
+
+locals = {
+    :dovecot => dovecot_path
+}
+render(
+    :file   => "#{dist}postfix/master.cf.erb",
+    :to     => "#{etc_postfix}/master.cf",
+    :mode   => 0660,
+    :locals => locals
+)
+
+
+#
+# Set main.cf
+#
+locals = {
+    :root_path    => etc_postfix,
+    :dovecot      => dovecot_path,
+    :adapter      => adapter,
+    :mail_name    => lookup("postfix#mail_name"),
+    :myhostname   => lookup("postfix#myhostname"),
+    :mydomain     => lookup("postfix#mydomain"),
+    :smtpd_banner => lookup("postfix#smtpd_banner"),
+    :message_size_limit => lookup("postfix#message_size_limit")
+}
+render(
+    :file   => "#{dist}postfix/main.cf.erb",
+    :to     => "#{etc_postfix}/main.cf",
+    :mode   => 0660,
+    :locals => locals
+)
+
+
+#openssl s_client -connect localhost:25 -starttls smtp -CApath /etc/ssl/certs
+#unless File.file?('/etc/ssl/certs/smtpd.pem')
+  generate_smtpd_key lookup("postfix#myhostname")
+#end
+
+
+=begin
+edit :file => "#{etc_postfix}/main.cf" do
+  uncomment('reject_rbl_client bl.spamcop.net')
+  uncomment('reject_rbl_client zen.spamhaus.org')
+end
+=end
+
+#
+# Set DKIM
+#
+edit :file => "#{etc_postfix}/main.cf" do
+  append 'smtpd_milters = inet:127.0.0.1:8891'
+  append 'non_smtpd_milters = inet:127.0.0.1:8891'
+  append 'milter_protocol = 6'
+  append 'milter_default_action = accept'
+end
+
+edit :file => "/etc/default/opendkim" do
+  comment /^SOCKET/
+  append 'SOCKET="inet:8891@localhost"'
+end
+
+
+mkdir "/etc/opendkim"
+mkdir_p "/etc/ssl/dkim"
+
+edit :file => "/etc/opendkim.conf" do
+  append "KeyTable \t/etc/opendkim/KeyTable"
+  append "SigningTable \t/etc/opendkim/SigningTable"
+  append "ExternalIgnoreList \t/etc/opendkim/TrustedHosts"
+  append "InternalHosts \t/etc/opendkim/TrustedHosts"
+end
+
+# generate "default" key
+key_table, signing_table = generate_dkim_key lookup('postfix#mydomain'), 'default'
+
+render :to => '/etc/opendkim/KeyTable',     :text => key_table
+render :to => "/etc/opendkim/SigningTable", :text => signing_table
+render :to => "/etc/opendkim/TrustedHosts", :text => "127.0.0.1\nlocalhost"
+
+
+service_manager.start("postfix")
+service_manager.start("opendkim")
+

data/system/recipes/04_setup_dovecot.rb

@@ -0,0 +1,78 @@
+# Find Dovecot configuration file location using:
+# `doveconf -n | head -1`
+
+# set config file path
+if tagged?("ubuntu | debian")
+  etc_dovecot = '/etc/dovecot'
+elsif tagged?('fedora | centos')
+  etc_dovecot = '/etc/dovecot'
+end
+
+# lookup account variables
+user_group_name = 'mail'
+user_group_id   = 8
+home = "/var/mail"
+shell_manager.mkdir home
+
+# create account for dovecot
+account_manager.add_group(user_group_name, :gid => user_group_id)
+account_manager.add_user(user_group_name, {
+  :home   => home,
+  :groups => [ user_group_name ],
+  :uid    =>  user_group_id
+})
+# grant dovecot's home
+#shell_manager.chmod('u+w', home)
+#shell_manager.chown_R(user_group_name, user_group_name, home)
+
+# create config file for SQL connection with Postfix user
+locals = {
+    :name     => lookup('postfix#database#name'),
+    :user     => lookup('postfix#database#user'),
+    :host     => lookup('postfix#database#host'),
+    :adapter  => lookup('postfix#database#adapter'),
+    :password => lookup('postfix#database#password')
+}
+render(
+    :file   => "#{dist}dovecot/dovecot-sql.conf.ext.erb",
+    :to     => "#{etc_dovecot}/dovecot-sql.conf.ext",
+    :mode   => 0400,
+    :locals => locals
+)
+# set read access while there is the password
+shell_manager.chown('mail', 'root', "#{etc_dovecot}/dovecot-sql.conf.ext")
+#shell_manager.chmod('go=', "#{etc_dovecot}/dovecot-sql.conf.ext")
+
+# create config file for dovecot service
+locals = {
+  :protocols  => lookup('dovecot#protocols'),
+  :gid        => user_group_id,
+  :home       => home,
+  :postmaster => lookup('dovecot#postmaster'),
+  :storage    => {
+    :size  => lookup('dovecot#storage_size'),
+    :spam  => lookup('dovecot#spam_storage_size'),
+    :trash => lookup('dovecot#trash_storage_size')
+  },
+  :auth_verbose => 'yes'
+}
+render(
+    :file   => "#{dist}dovecot/dovecot.conf.erb",
+    :to     => "#{etc_dovecot}/dovecot.conf",
+    :mode   => 0660,
+    :locals => locals
+)
+shell_manager.chown(user_group_name, 'rmails', "#{etc_dovecot}/dovecot.conf")
+#shell_manager.chmod('0420', "#{etc_dovecot}/dovecot.conf")
+
+
+#
+# Generate new PKI
+#
+unless File.file?('/etc/ssl/private/dovecot.pem')
+  shell_manager.sh 'openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem'
+  shell_manager.chmod '0400', "/etc/ssl/certs/dovecot.pem"
+  shell_manager.chmod '0400', "/etc/ssl/private/dovecot.pem"
+end
+
+