ansible/host_vars/sputnik.adm.crans.org.yml

---
debian_mirror: http://deb.debian.org/debian

#postfix:
#  primary: false
#  secondary: true
#  public: true
#  dkim: true
#  titanic: false

loc_wireguard:
  tunnels:
    - name: "sputnik"
      addresses:
        - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/24"
        - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/64"
      listen_port: 51820
      private_key: "{{ vault.wireguard_sputnik_private_key }}"
      peers:
        - public_key: "{{ vault.wireguard_boeing_public_key }}"
          allowed_ips:
            - "{{ query('ldap', 'network', 'adm') }}"
            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
      post_up: "/sbin/ip link set sputnik alias adm"

loc_slapd:
  ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}"
  replica: true
  replica_rid: 4

loc_moinmoin:
  main: false

loc_certbot:
  - mail: root@crans.org
    certname: adm.crans.org
    domains: "*.adm.crans.org"
  - mail: root@crans.org
    certname: crans.org
    domains: "*.crans.org"

loc_service_certbot:
  config:
    "crans.org":
      zone: _acme-challenge.crans.org
      server: 172.16.10.147
      port: 53
      key:
        name: certbot_challenge.
        secret: "{{ vault.certbot_dns_secret }}"
        algorithm: HMAC-SHA512
    "adm.crans.org":
      zone: _acme-challenge.adm.crans.org
      server: 172.16.10.147
      port: 53
      key:
        name: certbot_adm_challenge.
        secret: "{{ vault.certbot_adm_dns_secret }}"
        algorithm: HMAC-SHA512

loc_nginx:
  service_name: wiki
  ssl:
    - name: adm.crans.org
      cert: /etc/letsencrypt/live/adm.crans.org/fullchain.pem
      cert_key: /etc/letsencrypt/live/adm.crans.org/privkey.pem
      trusted_cert: /etc/letsencrypt/live/adm.crans.org/chain.pem
    - name: crans.org
      cert: /etc/letsencrypt/live/crans.org/fullchain.pem
      cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
      trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
  servers:
    - server_name:
        - "wiki2.crans.org"
      ssl: "crans.org"
      access_log: "/var/log/nginx/wiki.log combined"
      error_log: "/var/log/nginx/wiki.error.log"
      additional_params:
        - "rewrite ^/$ $scheme://wiki2.crans.org/PageAccueil"
        - "client_max_body_size 15M"

      locations:
        - filter: "/wiki"
          params:
            - "alias /var/local/wiki/htdocs/"

        - filter: "/robots.txt"
          params:
            - "alias /var/local/wiki/robots.txt"

        - filter: "/favicon.ico"
          params:
            - "alias /var/local/wiki/favicon.ico"

        - filter: "/www-sitemap.xml"
          params:
            - "alias /var/local/wiki/www-sitemap.xml"

        - filter: "/"
          params:
            - "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket"
            - "include uwsgi_params"

loc_reverseproxy:
  reverseproxy_sites:
    - {from: status.crans.org, to: "127.0.0.1:8080"}
    - {from: git2.crans.org, to: "127.0.0.1:3000"}
    - {from: git2.adm.crans.org, to: "127.0.0.1:3000", ssl: adm.crans.org}

  redirect_sites: []

  static_sites: []

postfix:
  hostname: sputnik.crans.org
  shortname: sputnik
  domain: crans.org
  origin: crans.org
  append_dot: true
  my_networks: "172.16.10.0/24, [fd00:0:0:10::]/64"
  relay: "$mydestination, lists.$mydomain, $mydomain, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr, crans.fr, crans.eu"
  transport:
    - method: smtp
      comment: "Les mailing-listes sont délivrées localement"
      params: "[172.16.10.110]"
      targets: [lists.crans.org]
    - method: smtp
      comment: "Les mails sont délivrés par le serveur des adhérents"
      params: "[172.16.10.31]"
      targets: [crans.org, crans.eu, crans.fr, crans.ens-cachan.fr, clubs.ens-cachan.fr, install-party.ens-cachan.fr]
  aliases: /var/local/services/mail/generated/aliases
  virtual: /var/local/services/mail/generated/virtual
  tls:
    cert: /etc/letsencrypt/live/crans.org/fullchain.pem
    key: /etc/letsencrypt/live/crans.org/privkey.pem
  smtp:
    sender_login_maps:
      - {entry: "@crans.org", owner: root}
      - {entry: "@crans.fr", owner: root}
      - {entry: "@crans.eu", owner: root}
  mime_header_checks:
    - regex: '/^[	 ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(exe|com|pif|bat|scr|vbs|chm|cpl)\"?[	 ]*$/'
      action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
    # - regex: '[	 ]*(Content-Type:.*)?(Content-Disposition:.*)?(filename|name)=\"?(.*)\.(com|pif|bat|scr|vbs|chm)\"?[	 ]*$/'
    #   action: 'REJECT Content blocked : possible Virus are rejected. Please change filename extension of attachement "$4.$5" and resend mail.'
  milter: true
  postscreen:
    - comment: "Nice peoples"
      verdict: permit
      targets: ["127.0.0.1","185.230.76.0/22","185.230.79.40","172.16.10.0/24","82.225.39.54","91.121.179.40","46.105.102.188","fd00:0:0:10::/64","fd00:0:0:11::/64","2a0c:700:0:2::/64","2a0c:700:0:3::/64","2a0c:700:0:12::/64","2a0c:700:0:13::/64","2a0c:700:0:21::/64","2a0c:700:0:22::/64","2a0c:700:0:23::/64","2a0c:700:0:24::/64","2a0c:700:2::ff:fe01:1002"]
    - comment: "ecommercant qui remplace offrespourlespros, qui spammait le 29/05/2015"
      verdict: reject
      targets: ["149.202.29.192/28","37.187.141.230","2001:41d0:a:4ce6::/64"]
    - comment: "gboxyw.net (reverse wasnh.net) le 05/11/2015, devenu vorange.net, vous le sentez le spam qui vient ?"
      verdict: reject
      targets: ["37.187.132.105","92.222.109.0/27"]
    - comment: "mail.alkar.net spam le 26/06/2016"
      verdict: reject
      targets: ["195.248.191.95"]
    - comment: "mail.testfast.eu spam en juin 2016"
      verdict: reject
      targets: ["176.20.27.0/24"]
    - comment: "Spam depuis des adresses en .ua"
      verdict: reject
      targets: ["91.194.84.10","213.186.200.70","185.117.89.15","62.141.42.44"]
    - comment: "installio.co.ua"
      verdict: reject
      targets: ["217.79.181.5"]
    - comment: Scam
      verdict: reject
      targets: ["180.137.106.59","169.255.7.5","110.159.122.90","37.104.198.10","46.62.146.206"]
    - comment: "Spam alcoolisme 16/09/2018"
      verdict: reject
      targets: ["46.249.59.89"]
    - comment: 'Spam "Pastoral shit"'
      verdict: reject
      targets: ["198.84.107.98","198.84.74.66","104.168.178.132","104.168.178.156","158.69.253.33"]
    - comment: "Spam overdue payment"
      verdict: reject
      targets: ["193.56.28.114"]
    - comment: "Non, nous ne voulons pas traiter l'alcoolisme à l'insu du patient."
      verdict: reject
      targets: ["94.242.206.15","91.188.222.33"]
    - comment: "Et les russes ils dégagent aussi"
      verdict: reject
      targets: ["185.50.149.0/24"]
    - comment: "2021/11/13: vague de spam"
      verdict: reject
      targets: ["139.162.150.93","130.255.78.23","85.171.248.149","37.59.38.218"]
  recipient_access:
    - {entry: "crans@crans.fr", action: "REJECT Le Crans se fiche du basket. Veuillez supprimer l'adresse crans@crans.fr de votre carnet."}
    - {entry: "crans.org", action: OK}
    - {entry: "crans.fr", action: OK}
    - {entry: "crans.eu", action: OK}
  client_checks:
    - {entry: 185.50.149.0/24, action: REJECT Spammers are not welcome here!}
    - {entry: 74.201.31.175, action: REJECT Spammers are not welcome here!}
    - {entry: 109.237.103.41, action: REJECT Spammers are not welcome here!}
    - {entry: 185.230.79.0/24, action: ACCEPT Coucou les serveurs du crans}
  client_event_limit_exceptions: "172.16.10.0/24, [fd00:0:0:10::]/64"
  sender_login_maps:
    - {sender: "@crans.org", owner: root}
    - {sender: "@crans.fr", owner: root}
    - {sender: "@crans.eu", owner: root}