fix(spamassassin): add service user in /etc/default/spamd; for some reason spamd drops to nobody in bookworm

2023-07-09 23:37:29 +02:00 · 2023-07-09 23:37:29 +02:00 · 4097fe691a
commit 4097fe691a
parent e96eddb960
6 changed files with 127 additions and 2 deletions
--- a/roles/getaddrinfo/defaults/main.yml
+++ b/roles/getaddrinfo/defaults/main.yml
@ -0,0 +1,5 @@
+---
+
+getaddrinfo_label: {}
+getaddrinfo_precedence: {}
+getaddrinfo_scopev4: {}
--- a/roles/getaddrinfo/tasks/config.yml
+++ b/roles/getaddrinfo/tasks/config.yml
@ -0,0 +1,9 @@
+---
+
+- name: Render /etc/gai.conf
+  ansible.builtin.template:
+    src: etc/gai.conf.j2
+    dest: /etc/gai.conf
+    owner: root
+    group: root
+    mode: 0644
--- a/roles/getaddrinfo/tasks/lookup.yml
+++ b/roles/getaddrinfo/tasks/lookup.yml
@ -0,0 +1,21 @@
+---
+
+- name: Get all Google address ranges from ARIN RDAP
+  ansible.builtin.uri:
+    url: https://rdap.arin.net/registry/entity/GOGL
+  register: gai_register_gogl_rdap
+  
+- name: Initialize precedence list
+  ansible.builtin.set_fact:
+    getaddrinfo_precedence: "{{ getaddrinfo_precedence | default({}) }}"
+
+- name: Add all Google v4 nets to precedence list
+  ansible.builtin.debug:
+    msg: "{%- set _ = getaddrinfo_precedence[cidr] = 100 -%}{{- cidr -}}"
+  vars:
+    cidr: "{{ item.v4prefix }}/{{ item.length }}"
+  loop: "{{ gai_register_gogl_rdap.json.networks | selectattr('ipVersion', 'eq', 'v4') | map(attribute='cidr0_cidrs') | flatten }}"
+      
+- name: Add all Google v4 nets to precedence list
+  ansible.builtin.debug:
+    var: getaddrinfo_precedence
--- a/roles/getaddrinfo/tasks/main.yml
+++ b/roles/getaddrinfo/tasks/main.yml
@ -0,0 +1,14 @@
+---
+
+- name: Lookup addresses
+  ansible.builtin.import_tasks: lookup.yml
+  tags:
+    - "role::getaddrinfo"
+    - "role::getaddrinfo:config"
+    - "role::getaddrinfo:lookup"
+
+- name: Configure gai.conf
+  ansible.builtin.import_tasks: config.yml
+  tags:
+    - "role::getaddrinfo"
+    - "role::getaddrinfo:config"
--- a/roles/getaddrinfo/templates/etc/gai.conf.j2
+++ b/roles/getaddrinfo/templates/etc/gai.conf.j2
@ -0,0 +1,76 @@
+{{ ansible_managed | comment }}
+
+# Configuration for getaddrinfo(3).
+#
+# So far only configuration for the destination address sorting is needed.
+# RFC 3484 governs the sorting.  But the RFC also says that system
+# administrators should be able to overwrite the defaults.  This can be
+# achieved here.
+#
+# All lines have an initial identifier specifying the option followed by
+# up to two values.  Information specified in this file replaces the
+# default information.  Complete absence of data of one kind causes the
+# appropriate default information to be used.  The supported commands include:
+#
+# reload  <yes|no>
+#    If set to yes, each getaddrinfo(3) call will check whether this file
+#    changed and if necessary reload.  This option should not really be
+#    used.  There are possible runtime problems.  The default is no.
+#
+# label   <mask>   <value>
+#    Add another rule to the RFC 3484 label table.  See section 2.1 in
+#    RFC 3484.  The default is:
+#
+#label ::1/128       0
+#label ::/0          1
+#label 2002::/16     2
+#label ::/96         3
+#label ::ffff:0:0/96 4
+#label fec0::/10     5
+#label fc00::/7      6
+#label 2001:0::/32   7
+#
+#    This default differs from the tables given in RFC 3484 by handling
+#    (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
+#    The reason for this difference is that these addresses are never
+#    NATed while IPv4 site-local addresses most probably are.  Given
+#    the precedence of IPv6 over IPv4 (see below) on machines having only
+#    site-local IPv4 and IPv6 addresses a lookup for a global address would
+#    see the IPv6 be preferred.  The result is a long delay because the
+#    site-local IPv6 addresses cannot be used while the IPv4 address is
+#    (at least for the foreseeable future) NATed.  We also treat Teredo
+#    tunnels special.
+#
+# precedence  <mask>   <value>
+#    Add another rule to the RFC 3484 precedence table.  See section 2.1
+#    and 10.3 in RFC 3484.  The default is:
+#
+#precedence  ::1/128       50
+#precedence  ::/0          40
+#precedence  2002::/16     30
+#precedence ::/96          20
+#precedence ::ffff:0:0/96  10
+#
+#    For sites which prefer IPv4 connections change the last line to
+#
+#precedence ::ffff:0:0/96  100
+
+{% for cidr, weight in getaddrinfo_precedence.items() | selectattr('0', 'ipv6') %}
+precedence {{ cidr }} {{ weight }}
+{% endfor %}
+
+{% for cidr, weight in getaddrinfo_precedence.items() | selectattr('0', 'ipv4') %}
+precedence {{ cidr }} {{ weight }}
+precedence {{ cidr | ipv4('ipv6') }} {{ weight }}
+{% endfor %}
+
+#
+# scopev4  <mask>  <value>
+#    Add another rule to the RFC 6724 scope table for IPv4 addresses.
+#    By default the scope IDs described in section 3.2 in RFC 6724 are
+#    used.  Changing these defaults should hardly ever be necessary.
+#    The defaults are equivalent to:
+#
+#scopev4 ::ffff:169.254.0.0/112  2
+#scopev4 ::ffff:127.0.0.0/104    2
+#scopev4 ::ffff:0.0.0.0/96       14
--- a/roles/spamassassin/tasks/config.yml
+++ b/roles/spamassassin/tasks/config.yml
@ -20,8 +20,8 @@

 - name: render /etc/default/spamd
  ansible.builtin.template:
-    src: etc/default/spamass-milter.j2
-    dest: /etc/default/spamass-milter
+    src: etc/default/spamd.j2
+    dest: /etc/default/spamd
    owner: root
    group: root
    mode: 0644