feat: add rspamd role

galaxy.yml

@@ -8,7 +8,7 @@ namespace: s3lph
 name: mailserver
 
 # The version of the collection. Must be compatible with semantic versioning
-version: '0.3.10'
+version: '0.4.0'
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
@@ -39,6 +39,7 @@ tags:
   - postsrsd
   - schleuder
   - opendkim
+  - rspamd
 
 # Collections that this collection requires to be installed for it to be usable. The key of the dict is the
 # collection label 'namespace.name'. The value is a version range

roles/postfix/defaults/main/global.yml

@@ -23,6 +23,7 @@ postfix_policyd_spf_enable: no
 postfix_srsd_enable: no
 postfix_srsd_nodefault: no
 postfix_spamassassin_enable: no
+postfix_rspamd_enable: no
 postfix_easywks_pipe_transport: no
 postfix_opendkim_enable: no
 postfix_srsd_forward_lookup: "tcp:localhost:10001"

roles/postfix/defaults/main/restrictions.yml

@@ -41,6 +41,7 @@ postfix_smtpd_client_restrictions:
 postfix_non_smtpd_milters: []
 postfix_smtpd_milters: []
 postfix_spamassassin_milter: "unix:/spamass/spamass.sock"
+postfix_rspamd_milter: "inet:localhost:11332"
 postfix_opendkim_milter: "unix:/opendkim/opendkim.sock"
 
 postfix_header_checks: []

roles/postfix/templates/etc/postfix/main.cf.j2

@@ -134,6 +134,9 @@ smtpd_milters =
 {% if postfix_spamassassin_enable %}
 	{{ postfix_spamassassin_milter }},
 {% endif %}
+{% if postfix_rspamd_enable %}
+	{{ postfix_rspamd_milter }},
+{% endif %}
 {% if postfix_opendkim_enable %}
 	{{ postfix_opendkim_milter }},
 {% endif %}

roles/rspamd/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+
+rspamd_redis_servers: [localhost]
+rspamd_redis_servers_write: "{{ rspamd_redis_servers }}"
+
+rspamd_controller_password: "q1"
+
+rspamd_greylist_enable: true

roles/rspamd/tasks/config.yml

@@ -0,0 +1,34 @@
+---
+
+- name: Render rspamd configuration
+  ansible.builtin.template:
+    src: etc/rspamd/local.d/{{ item }}.j2
+    dest: /etc/rspamd/local.d/{{ item }}
+    owner: root
+    group: root
+    mode: "0644"
+  loop:
+    - worker-controller.inc
+    - redis.conf
+  notify: reload rspamd
+
+- name: Render /etc/rspamd/local.d/
+  ansible.builtin.template:
+    src: etc/rspamd/local.d/worker-controller.inc.j2
+    dest: /etc/rspamd/local.d/worker-controller.inc
+    owner: root
+    group: root
+    mode: "0644"
+  notify: reload rspamd
+
+- name: Start and enable redis-server
+  ansible.builtin.service:
+    name: redis
+    state: started
+    enabled: true
+
+- name: Start and enable rspamd
+  ansible.builtin.service:
+    name: rspamd
+    state: started
+    enabled: true

roles/rspamd/tasks/install.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Install rspamd
+  ansible.builtin.apt:
+    name:
+      - rspamd
+      - redis-server

roles/rspamd/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Install rspamd
+  ansible.builtin.import_tasks: install.yml
+  tags:
+    - "role::rspamd"
+    - "role::rspamd:install"
+
+- name: Configure rspamd
+  ansible.builtin.import_tasks: config.yml
+  tags:
+    - "role::rspamd"
+    - "role::rspamd:config"

roles/rspamd/templates/etc/rspamd/local.d/greylist.conf.j2

@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+enable = {{ rspamd_greylist_enable | ternary('true', 'false') }};

roles/rspamd/templates/etc/rspamd/local.d/redis.conf.j2

@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+read_servers = "{{ rspamd_redis_servers | join(',') }}";
+write_servers = "{{ rspamd_redis_servers_write | join(',') }}";

roles/rspamd/templates/etc/rspamd/local.d/worker-controller.inc.j2

@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+password = "{{ rspamd_controller_password }}";