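---
# Ansible host_vars for "sputnik": WireGuard peer on the adm network, LDAP
# (slapd) replica, Let's Encrypt DNS-01 client, nginx front for the MoinMoin
# wiki plus a few reverse-proxied sites, and a Postfix relay for the crans.org
# domains.
#
# NOTE(review): this file was recovered from a copy collapsed onto a few long
# lines; the nesting below (in particular postfix.smtp vs. postfix-level keys)
# was reconstructed from key names and should be confirmed against the role
# templates before relying on it.

debian_mirror: http://deb.debian.org/debian

# postfix:
#   primary: false
#   secondary: true
#   public: true
#   dkim: true
#   titanic: false

loc_wireguard:
  tunnels:
    - name: "sputnik"
      addresses:
        - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/24"
        - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/64"
      listen_port: 51820
      # Private key stays in the vault; never inline it here.
      private_key: "{{ vault.wireguard_sputnik_private_key }}"
      peers:
        - public_key: "{{ vault.wireguard_boeing_public_key }}"
          # allowed_ips doubles as the cryptokey routing table: only the adm
          # IPv4 network and its matching fd00:0:0:<vlan>::/64 are accepted
          # from / routed to this peer.
          allowed_ips:
            - "{{ query('ldap', 'network', 'adm') }}"
            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
      post_up: "/sbin/ip link set sputnik alias adm"

loc_slapd:
  ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}"
  replica: true
  replica_rid: 4

loc_moinmoin:
  main: false

# Two wildcard certificates are issued on this host. Both private keys end up
# under /etc/letsencrypt/live/ on sputnik, so a compromise of this host exposes
# keys valid for every *.crans.org / *.adm.crans.org name, not just the ones
# served here -- keep that in mind when granting access to the box.
loc_certbot:
  - mail: root@crans.org
    certname: adm.crans.org
    domains: "*.adm.crans.org"
  - mail: root@crans.org
    certname: crans.org
    domains: "*.crans.org"

# DNS-01 challenges via RFC 2136 dynamic updates. One TSIG key per zone so a
# leaked key can only touch its own _acme-challenge subzone.
loc_service_certbot:
  config:
    "crans.org":
      zone: _acme-challenge.crans.org
      server: 172.16.10.147
      port: 53
      key:
        name: certbot_challenge.
        secret: "{{ vault.certbot_dns_secret }}"
        algorithm: HMAC-SHA512
    "adm.crans.org":
      zone: _acme-challenge.adm.crans.org
      server: 172.16.10.147
      port: 53
      key:
        name: certbot_adm_challenge.
        secret: "{{ vault.certbot_adm_dns_secret }}"
        algorithm: HMAC-SHA512

loc_nginx:
  service_name: wiki
  ssl:
    - name: adm.crans.org
      cert: /etc/letsencrypt/live/adm.crans.org/fullchain.pem
      cert_key: /etc/letsencrypt/live/adm.crans.org/privkey.pem
      trusted_cert: /etc/letsencrypt/live/adm.crans.org/chain.pem
    - name: crans.org
      cert: /etc/letsencrypt/live/crans.org/fullchain.pem
      cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
      trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
  servers:
    - server_name:
        - "wiki2.crans.org"
      ssl: "crans.org"
      access_log: "/var/log/nginx/wiki.log combined"
      error_log: "/var/log/nginx/wiki.error.log"
      additional_params:
        - "rewrite ^/$ $scheme://wiki2.crans.org/PageAccueil"
        - "client_max_body_size 15M"
      locations:
        # Static MoinMoin assets. The location prefix MUST end with "/" when
        # paired with an "alias .../" directive: with `location /wiki` nginx
        # rewrites "/wiki" -> "/var/local/wiki/htdocs/", so a request for
        # "/wiki../wikiconfig.py" becomes "/var/local/wiki/htdocs/../wikiconfig.py"
        # and escapes htdocs (the classic nginx off-by-slash alias traversal).
        # Assumes the role renders `filter` as a prefix `location` block --
        # confirm in the nginx role template.
        - filter: "/wiki/"
          params:
            - "alias /var/local/wiki/htdocs/"
        - filter: "/robots.txt"
          params:
            - "alias /var/local/wiki/robots.txt"
        - filter: "/favicon.ico"
          params:
            - "alias /var/local/wiki/favicon.ico"
        - filter: "/www-sitemap.xml"
          params:
            - "alias /var/local/wiki/www-sitemap.xml"
        # Everything else goes to the MoinMoin uWSGI socket.
        - filter: "/"
          params:
            - "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket"
            - "include uwsgi_params"

loc_reverseproxy:
  reverseproxy_sites:
    - {from: status.crans.org, to: "127.0.0.1:8080"}
    - {from: git2.crans.org, to: "127.0.0.1:3000"}
    - {from: git2.adm.crans.org, to: "127.0.0.1:3000", ssl: adm.crans.org}
  redirect_sites: []
  static_sites: []

postfix:
  hostname: sputnik.crans.org
  shortname: sputnik
  domain: crans.org
  origin: crans.org
  append_dot: true
  # Every host on the adm network may relay through this MTA unauthenticated.
  my_networks: "172.16.10.0/24, [fd00:0:0:10::]/64"
  relay: "$mydestination, lists.$mydomain, $mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr, crans.fr, crans.eu"
  transport:
    - method: smtp
      comment: "Les mailing-listes sont délivrées localement"
      params: "[172.16.10.110]"
      targets: [lists.crans.org]
    - method: smtp
      comment: "Les mails sont délivrés par le serveur des adhérents"
      params: "[172.16.10.31]"
      targets: [crans.org, crans.eu, crans.fr, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr]
  aliases: /var/local/services/mail/generated/aliases
  virtual: /var/local/services/mail/generated/virtual
  tls:
    cert: /etc/letsencrypt/live/crans.org/fullchain.pem
    key: /etc/letsencrypt/live/crans.org/privkey.pem
  smtp:
    sender_login_maps:
      - {entry: "@crans.org", owner: root}
      - {entry: "@crans.fr", owner: root}
      - {entry: "@crans.eu", owner: root}
  # Reject attachments whose declared filename carries an executable
  # extension. This is a name-based check only; it does not inspect content
  # and does not look inside archives.
  mime_header_checks:
    - regex: '/^[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[ ]*$/'
      action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
    # - regex: '[ ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[ ]*$/'
    #   action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
  milter: true
  # postscreen access list, evaluated in order: the first entry whitelists our
  # own ranges (185.230.76.0/22 already contains 185.230.79.40), the rest are
  # hand-curated spam sources with the date they were added.
  postscreen:
    - comment: "Nice peoples"
      verdict: permit
      targets: ["127.0.0.1", "185.230.76.0/22", "185.230.79.40", "172.16.10.0/24", "82.225.39.54", "91.121.179.40", "46.105.102.188", "fd00:0:0:10::/64", "fd00:0:0:11::/64", "2a0c:700:0:2::/64", "2a0c:700:0:3::/64", "2a0c:700:0:12::/64", "2a0c:700:0:13::/64", "2a0c:700:0:21::/64", "2a0c:700:0:22::/64", "2a0c:700:0:23::/64", "2a0c:700:0:24::/64", "2a0c:700:2::ff:fe01:1002"]
    - comment: "ecommercant qui remplace offrespourlespros, qui spammait le 29/05/2015"
      verdict: reject
      targets: ["149.202.29.192/28", "37.187.141.230", "2001:41d0:a:4ce6::/64"]
    - comment: "gboxyw.net (reverse wasnh.net) le 05/11/2015, devenu vorange.net, vous le sentez le spam qui vient ?"
      verdict: reject
      targets: ["37.187.132.105", "92.222.109.0/27"]
    - comment: "mail.alkar.net spam le 26/06/2016"
      verdict: reject
      targets: ["195.248.191.95"]
    - comment: "mail.testfast.eu spam en juin 2016"
      verdict: reject
      targets: ["176.20.27.0/24"]
    - comment: "Spam depuis des adresses en .ua"
      verdict: reject
      targets: ["91.194.84.10", "213.186.200.70", "185.117.89.15", "62.141.42.44"]
    - comment: "installio.co.ua"
      verdict: reject
      targets: ["217.79.181.5"]
    - comment: Scam
      verdict: reject
      targets: ["180.137.106.59", "169.255.7.5", "110.159.122.90", "37.104.198.10", "46.62.146.206"]
    - comment: "Spam alcoolisme 16/09/2018"
      verdict: reject
      targets: ["46.249.59.89"]
    - comment: 'Spam "Pastoral shit"'
      verdict: reject
      targets: ["198.84.107.98", "198.84.74.66", "104.168.178.132", "104.168.178.156", "158.69.253.33"]
    - comment: "Spam overdue payment"
      verdict: reject
      targets: ["193.56.28.114"]
    - comment: "Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient."
      verdict: reject
      targets: ["94.242.206.15", "91.188.222.33"]
    - comment: "Et les russes ils dégagent aussi"
      verdict: reject
      targets: ["185.50.149.0/24"]
    - comment: "2021/11/13: vague de spam"
      verdict: reject
      targets: ["139.162.150.93", "130.255.78.23", "85.171.248.149", "37.59.38.218"]
  recipient_access:
    - {entry: "crans@crans.fr", action: "REJECT Le Crans se fiche du basket. Veuillez supprimer l'adresse crans@crans.fr de votre carnet."}
    - {entry: "crans.org", action: OK}
    - {entry: "crans.fr", action: OK}
    - {entry: "crans.eu", action: OK}
  # Values here are Postfix access(5) actions written verbatim into the map.
  # "ACCEPT" is not an access(5) action: Postfix parses an unknown word as a
  # restriction list and, finding no such restriction, answers with a
  # temporary "server configuration error" -- so the previous
  # `ACCEPT Coucou les serveurs du crans` entry deferred mail from our own
  # servers instead of whitelisting them. Use OK, as recipient_access does.
  client_checks:
    - {entry: 185.50.149.0/24, action: REJECT Spammers are not welcome here!}
    - {entry: 74.201.31.175, action: REJECT Spammers are not welcome here!}
    - {entry: 109.237.103.41, action: REJECT Spammers are not welcome here!}
    - {entry: 185.230.79.0/24, action: OK}  # Crans servers
  # Hosts exempt from the postscreen / anvil client event rate limits.
  client_event_limit_exceptions: "172.16.10.0/24, [fd00:0:0:10::]/64"
  # Only the "root" SASL login may submit mail as any crans.org/.fr/.eu sender.
  sender_login_maps:
    - {sender: "@crans.org", owner: root}
    - {sender: "@crans.fr", owner: root}
    - {sender: "@crans.eu", owner: root}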