ssl is optional now

certbot.cf

@@ -62,12 +62,15 @@ bundle agent certbot_cert(site,webroot)
 
 vars:
 
+
 	"domain" string => "$(site[domain])";
 	"keytype" string => "rsa";
 	
 	"ds" slist => {"$(site[domain])"};
 
 	"domains" slist => sort(mergedata(@(ds),getvalues(@(site[aliases]))));
+	"domains_txt" string => string_mustache("{{#-top-}}{{.}} {{/-top-}}",@(domains));
+
 
 	"site_json" string => storejson(@(site));
 	"args" string => string_mustache(
@@ -79,19 +82,27 @@ vars:
 			"--standalone",
                         "--webroot -w $(webroot)");
 
+	"cert_test_cmd" string => "$(def.wmde_lib)/scripts/get-domains-from-cert.sh $(certbot.certbot_dir)/live/$(site[domain])/cert.pem";
+	
+	"current_domains_txt" string => execresult("/bin/sh $(cert_test_cmd)","useshell"),
+		if => isvariable ("site[domain]");
+
 files:
-	"$(sys.workdir)/data/agent/certbot/$(site[domain])-cert-created"
+#	"$(sys.workdir)/data/agent/certbot/$(site[domain])-cert-created"
-		create => "true",
+#		create => "true",
-		content => "$(args)",
+#		content => "$(args)",
-		classes => if_repaired(certbot_repaired);
+#		classes => if_repaired(certbot_repaired);
 
 classes:
-	"no_cert_file"
+#	"no_cert_file"
-	comment => "run certbot because no cert dir exists",
+#	comment => "run certbot because no cert dir exists",
-	not => fileexists("$(certbot.certbot_dir)/live/$(site[domain])");
+#	not => fileexists("$(certbot.certbot_dir)/live/$(site[domain])");
 
-	"run_certbot"
+#	"run_certbot"
-	or => {no_cert_file, certbot_repaired};
+#	or => {no_cert_file, certbot_repaired};
+
+	"run_certbot" 
+	expression => not (strcmp("$(current_domains_txt) ","$(domains_txt)"));
 
 defaults:
 	"webroot" string => "standalone";
@@ -113,6 +124,15 @@ commands:
 		args => "certonly --agree-tos -n $(webroot_arg) --expand --email $(site[email]) $(args)";
 
 reports:
+#	"CURRENT DOMAINS FOR $(site[domain]) : $(current_domains)";
+#	"EXEC IST: $(cert_test_cmd)";
+
+#	"IS '$(domains_txt)' == '$(current_domains_txt) ' ?";
+	
+#	run_certbot_new::
+#		"WE MUST RUN CERTBOT FOR $(domains_txt)";
+#	!run_certbot_new::
+#		"WE SHOULD NOT RUN CERTBOT FOR $(domains_txt)";
 }
 
 

dovecot.cf

@@ -4,6 +4,8 @@
 
 bundle agent dovecot(cfg)
 {
+classes:
+	"use_ssl" expression => strcmp("$(cfg[ssl])","true"); 
 vars:
 	freebsd::
 		"cfg_dir" string => "/usr/local/etc/dovecot";
@@ -49,13 +51,8 @@ vars:
 		"submission_cert" string => "$(cfg_dir)/private/submission.crt";
 		"service_name" string => "dovecot";
 
-
+	use_ssl::
-
+		"service_deps" slist => {
-
-methods:
-	"any" usebundle => wmde_install_packages(@(pkgs),"dovecot");
-	"any" usebundle => wmde_service("$(service_name)","dovecot_kept","dovecot_repaired"),
-		depends_on => {
 			"dovecot_pkgs_installed",
 			"dovecot_cfg_created",
 			"dovecot_imap_key_installed",
@@ -63,7 +60,19 @@ methods:
 			"dovecot_submission_key_installed",
 			"dovecot_submission_cert_installed",
 		};
-services:
+	!use_ssl::
+		"service_deps" slist => {
+			"dovecot_pkgs_installed",
+			"dovecot_cfg_created",
+		};
+
+
+
+
+methods:
+	"any" usebundle => wmde_install_packages(@(pkgs),"dovecot");
+	"any" usebundle => wmde_service("$(service_name)","dovecot_kept","dovecot_repaired"),
+		depends_on => @(service_deps);
 
 files:	
 	"$(cfg_dir)/."
@@ -81,34 +90,41 @@ files:
 	handle => "dovecot_cfg_created",
 	edit_template => "$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/dovecot/dovecot.conf.mustache";
 
-	"$(imap_cert)" 
+	use_ssl::
-	handle => "dovecot_imap_cert_installed",
-	classes => if_repaired(dovecot_repaired),
-	copy_from => local_dcp( execresult(  "/usr/bin/readlink -qfn $(cfg[imap_cert])","noshell" )),
-	perms => mog("600","root","root");
 
-	"$(imap_key)" 
+		"$(imap_cert)" 
-	handle => "dovecot_imap_key_installed",
+		handle => "dovecot_imap_cert_installed",
-	classes => if_repaired(dovecot_repaired),
+		classes => if_repaired(dovecot_repaired),
-	copy_from => local_dcp( execresult(  "/usr/bin/readlink -qfn $(cfg[imap_key])","noshell" )),
+		copy_from => local_dcp( execresult(  "/usr/bin/readlink -qfn $(cfg[imap_cert])","noshell" )),
-	perms => mog("600","root","root");
+		perms => mog("600","root","root");
 
-	"$(submission_cert)" 
+		"$(imap_key)" 
-	handle => "dovecot_submission_cert_installed",
+		handle => "dovecot_imap_key_installed",
-	classes => if_repaired(dovecot_repaired),
+		classes => if_repaired(dovecot_repaired),
-	copy_from => local_dcp( execresult(  "/usr/bin/readlink -qfn $(cfg[submission_cert])","noshell" )),
+		copy_from => local_dcp( execresult(  "/usr/bin/readlink -qfn $(cfg[imap_key])","noshell" )),
-	perms => mog("600","root","root");
+		perms => mog("600","root","root");
 
-	"$(submission_key)" 
+		"$(submission_cert)" 
-	handle => "dovecot_submission_key_installed",
+		handle => "dovecot_submission_cert_installed",
-	classes => if_repaired(dovecot_repaired),
+		classes => if_repaired(dovecot_repaired),
-	copy_from => local_dcp( execresult(  "/usr/bin/readlink -qfn $(cfg[submission_key])","noshell" )),
+		copy_from => local_dcp( execresult(  "/usr/bin/readlink -qfn $(cfg[submission_cert])","noshell" )),
-	perms => mog("600","root","root");
+		perms => mog("600","root","root");
+
+		"$(submission_key)" 
+		handle => "dovecot_submission_key_installed",
+		classes => if_repaired(dovecot_repaired),
+		copy_from => local_dcp( execresult(  "/usr/bin/readlink -qfn $(cfg[submission_key])","noshell" )),
+		perms => mog("600","root","root");
 
 
 	
 
 reports:
+	use_ssl::
+		"USE_SSL: TRUE";
+	!use_ssl::
+		"USE_SSL: FALSE";
+	
 #	"IMAP_CERT: $(imap_cert)";
 #
 #	dovecot_kept::
@@ -135,3 +151,10 @@ files:
 
 
 }
+
+
+bundle agent install_dovecot_pkgs
+{
+methods:
+	"any" usebundle => wmde_install_packages(@(dovecot.pkgs),"dovecot");
+}

postfix.cf

@@ -81,7 +81,8 @@ users:
 		classes => if_repaired(postfix_repaired);
 
 methods:
-	"any" usebundle => wmde_install_packages(@(pkgs),"postfix");
+#	"any" usebundle => wmde_install_packages(@(pkgs),"postfix");
+	"any" usebundle => install_postfix_pkgs;
 	"any" usebundle => wmde_service("$(service_name)","postfix_kept","postfix_repaired"),
 		depends_on => {
 			"postfix_pkgs_installed",
@@ -246,3 +247,13 @@ reports:
 
 }
 
+#
+# Install postfix pacgages as they come from repos
+# This sould also create the postfix user 
+#
+bundle agent install_postfix_pkgs
+{
+methods:
+	"any" usebundle => wmde_install_packages(@(postfix.pkgs),"postfix");
+	
+}

rspamd.cf

@@ -76,7 +76,7 @@ classes:
 commands:
 	install_yum_repo::
 	"wget"
-	args => "-qO /etc/yum.repos.d/rspamd.repo https://rspamd.com/rpm-stable/centos-8/rspamd.repo && rpm --import https://rspamd.com/rpm-stable/gpg.key && yum update -y",
+	args => "-qO /etc/yum.repos.d/rspamd.repo https://rspamd.com/rpm-stable/centos-$(sys.os_version_major)/rspamd.repo && rpm --import https://rspamd.com/rpm-stable/gpg.key && yum update -y",
 	contain => wmde_cmd_useshell;
 
 

strongswan.cf

@@ -42,9 +42,9 @@ vars:
 
 
 methods:
-	"any" usebundle => install_system_repos;
+	"any" usebundle => install_system_repos, handle => "system_repos_installed";
 	"any" usebundle => wmde_install_packages(@(strongswan.pkgs),"strongswan"),
-		depends_on => {"system_repos_pkgs_installed"};
+		depends_on => {"system_repos_installed"};
 	"any" usebundle => wmde_service("$(strongswan.service_name)","strongswan_kept","strongswan_repaired"),
 		depends_on => @(service_deps);
 files:

sympa.cf

@@ -8,6 +8,10 @@ classes:
 	"sympa_b";
 
 vars:
+	"user" string => "sympa";
+	"group" string => "sympa";
+
+
 	debian::	
 		"lib_dir" string => "/usr/lib/sympa";
 		"var_lib_dir" string => "/var/lib/sympa";
@@ -126,6 +130,20 @@ commands:
 		depends_on => {"sympa_config_updated"};
 
 
+# Configure Backup stuff
+files:
+	run_backups::
+		"$(cfg[backup_dir])/."
+		create => "true";
+methods:
+	run_backups::
+		"any" usebundle => create_mysql_backup_cron_job(@(cfg[db_settings]),"$(cfg[backup_dir])/sympa.sql","user_table","true");
+	!run_backups::
+		"any" usebundle => create_mysql_backup_cron_job(@(cfg[db_settings]),"$(cfg[backup_dir])/sympa.sql","user_table","false");
+
+
+
+
 }
 
 
@@ -313,7 +331,16 @@ methods:
 reports:
 }
 
-
+bundle agent sympa_create_mailname(cfg)
+{
+files:
+	debian::
+		"/etc/mailname"
+		create => "true",
+		perms => m("644"),
+		content=>"$(cfg[settings][domain])";
+		
+}
 
 
 
@@ -324,6 +351,7 @@ vars:
 	"domains_idx" slist => getindices(@(cfg[domains]));
 #	"cfg_domains" slist => {"a","b","c"};
 methods:
+	"any" usebundle => sympa_create_mailname(@(cfg));
 	"any" usebundle => wmde_install_packages(@(sympa.pkgs),"sympa");
 	"any" usebundle => sympa_update_config(@(cfg));
 	"any" usebundle => sympa_init_db(@(cfg));
@@ -553,5 +581,10 @@ methods:
 
 		
 reports:
+	run_backup::
+		"SYMPA IS RUN BACKUP";
+
+	!run_backup::
+		"SYMPA DOES  NOT RUN BACKUP";
 
 }

templates/dovecot/dovecot.conf.mustache

@@ -4,14 +4,17 @@
 
 protocols = {{#vars.dovecot.cfg.protocols}} {{.}} {{/vars.dovecot.cfg.protocols}}
 
-service imap-login {
+#service imap-login {
-	inet_listener imap {
+#	inet_listener imap {
-    		#port = 143
+#    		#port = 143
-  	}
+#  	}
-	inet_listener imaps {
+#
-		port = 993
+#{{#vars.dovecot.cfg.ssl}}
-		ssl = yes
+#	inet_listener imaps {
-	}
+#		port = 993
+#		ssl = yes
+#	}
+#{{/vars.dovecot.cfg.ssl}}
 
 	# Number of connections to handle before starting a new process. Typically
 	# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
@@ -23,12 +26,14 @@ service imap-login {
 
 	# If you set service_count=0, you probably need to grow this.
 	#vsz_limit = $default_vsz_limit
-}
+#}
 
 protocol imap {
 
+{{#vars.dovecot.cfg.ssl}}
 	ssl_cert = <{{vars.dovecot.imap_cert}}
 	ssl_key = <{{vars.dovecot.imap_key}}
+{{/vars.dovecot.cfg.ssl}}
 
 	# Space separated list of plugins to load (default is global mail_plugins).
 	#mail_plugins = $mail_plugins
@@ -40,8 +45,10 @@ protocol imap {
 
 protocol submission {
 
+{{#vars.dovecot.cfg.ssl}}
 	ssl_cert = <{{vars.dovecot.submission_cert}}
 	ssl_key = <{{vars.dovecot.submission_key}}
+{{/vars.dovecot.cfg.ssl}}
 
 	# Space separated list of plugins to load (default is global mail_plugins).
 	#mail_plugins = $mail_plugins
@@ -51,6 +58,15 @@ protocol submission {
 	#mail_max_userip_connections = 10
 }
 
+protocol lda {
+  mail_plugins = $mail_plugins sieve
+}
+protocol lmtp {
+  mail_plugins = $mail_plugins sieve
+}
+
+
+
 
 {{#vars.dovecot.cfg.userdbs}}
 userdb {

templates/postfix-main.cf.mustache

@@ -110,6 +110,15 @@ mail_owner = {{vars.postfix.mail_owner}}
 #
 #mydomain = domain.tld
 
+#
+# CFengine Raw
+#
+{{vars.postfix.cfg.main_raw}}
+#
+# CFengine Raw End
+#
+
+
 # SENDING MAIL
 # 
 # The myorigin parameter specifies the domain that locally-posted
@@ -190,7 +199,7 @@ mail_owner = {{vars.postfix.mail_owner}}
 #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
 #	mail.$mydomain, www.$mydomain, ftp.$mydomain
 
-mydestination = {{#vars.postfix.cfg.mydestination}} {{.}} {{/vars.postfix.cfg.mydestination}}
+# mydestination = 
 
 # REJECTING MAIL FOR UNKNOWN LOCAL USERS
 #
@@ -688,7 +697,7 @@ setgid_group = {{vars.postfix.mail_group}}
 # readme_directory: The location of the Postfix README files.
 #
 #readme_directory = /usr/local/share/doc/postfix
-inet_protocols = all
+#inet_protocols = all
 
 # smtp CA path (default to system-wide location)
 smtp_tls_CApath = /etc/ssl/certs
@@ -705,5 +714,4 @@ milter_default_action = reject
 #
 non_smtpd_milters = {{#vars.postfix.cfg.non_smtpd_milters}} {{.}}{{/vars.postfix.cfg.non_smtpd_milters}}
 
-{{vars.postfix.cfg.main_raw}}
 

templates/postfix-master.cf.mustache

@@ -51,10 +51,13 @@ postlog   unix-dgram n  -       n       -       1       postlogd
 #
 # {{comment}}
 #
-{{@}}	{{type}}	{{private}}	{{unpriv}}	{{chroot}}	{{wakeup}}	{{maxproc}}	{{command}}
+{{#enable}}
-	{{#args}}
+{{co}}{{name}}	{{type}}	{{private}}	{{unpriv}}	{{chroot}}	{{wakeup}}	{{maxproc}}	{{command}}
-	{{{.}}}
+{{#args}}
-	{{/args}}
+{{co}}	{{{.}}}
+{{/args}}
+{{/enable}}
+
 {{/vars.postfix.cfg.services}}
 
 # CFEngine Raw Start