Add exim config for firehose and storyboard

In order to get puppet out of the business of mucking with exim and fighting ansible, finish moving the config to ansible. This introduces a storyboard group that we can use to apply the exim config across both servers. It also splits the base playbook so that we can avoid running exim on the backup servers. And we set purge_apt_sources the same as was set in puppet. We should probably remove it though, since none of us have any clue why it's here. Change-Id: I43ee891a9c1beead7f97808208829b01a0a7ced6
2018-08-13 14:40:19 -05:00 · 2018-08-13 14:40:19 -05:00 · 0d1f235fce
commit 0d1f235fce
parent 4cca3f8d2a
6 changed files with 58 additions and 2 deletions
--- a/playbooks/base.yaml
+++ b/playbooks/base.yaml
@ -3,9 +3,12 @@
    - users
    - base-repos

-# Split into two plays so that the update apt cache handler fires
-# before we run base-server
+# Run base-server seperately so that the update apt cache handler in base-repos
+# fires before we run base-server
 - hosts: "!disabled"
  roles:
    - base-server
+
+- hosts: "!ci-backup:!disabled"
+  roles:
    - exim
--- a/playbooks/group_vars/ci-backup.yaml
+++ b/playbooks/group_vars/ci-backup.yaml
@ -0,0 +1,2 @@
+# TODO(mordred) Why is this set?
+purge_apt_sources: false
--- a/playbooks/group_vars/mailman.yaml
+++ b/playbooks/group_vars/mailman.yaml
@ -2,3 +2,5 @@ exim_queue_interval: '1m'
 exim_queue_run_max: '50'
 exim_smtp_accept_max: '100'
 exim_smtp_accept_max_per_host: '10'
+# TODO(mordred) Why is this set?
+purge_apt_sources: false
--- a/playbooks/group_vars/storyboard.yaml
+++ b/playbooks/group_vars/storyboard.yaml
@ -0,0 +1,34 @@
+exim_routers:
+  - storyboard_verp_router: |
+      driver = dnslookup
+      # we only consider messages sent in through loopback
+      condition = ${if or{{eq{$sender_host_address}{127.0.0.1}}\
+                          {eq{$sender_host_address}{::1}}}{yes}{no}}
+      # we do not do this for traffic going to the local machine
+      domains = '!+local_domains'
+      ignore_target_hosts = <; \
+            0.0.0.0; \
+            64.94.110.11; \
+            127.0.0.0/8; \
+            ::1/128; \
+            fe80::/10; \
+            fec0::/10; \
+            ff00::/8
+      # only the un-VERPed bounce addresses are handled
+      senders = "*-bounces@*"
+      transport = storyboard_verp_smtp
+  - storyboard: |
+      # Send bounces to /dev/null until storyboard supports them.
+      driver = redirect
+      local_parts = storyboard
+      local_part_suffix_optional = true
+      local_part_suffix = -bounces : -bounces+*
+      data = :blackhole:
+exim_transports:
+  - storyboard_verp_smtp: |
+      driver = smtp
+      return_path = \
+        ${local_part:$return_path}+$local_part=$domain@${domain:$return_path}
+      max_rcpt = 1
+      headers_remove = Errors-To
+      headers_add = Errors-To: ${return_path}
--- a/playbooks/host_vars/firehose.openstack.org.yaml
+++ b/playbooks/host_vars/firehose.openstack.org.yaml
@ -0,0 +1,14 @@
+exim_local_domains: "@:firehose.openstack.org"
+exim_routers:
+  - cyrus: |
+      driver = accept
+      domains = +local_domains
+      local_part_suffix = +*
+      local_part_suffix_optional
+      transport = cyrus
+exim_transports:
+  - cyrus: |
+      driver = lmtp
+      socket = /var/run/cyrus/socket/lmtp
+      user = cyrus
+      batch_max = 35
--- a/playbooks/roles/install-ansible/files/groups.yaml
+++ b/playbooks/roles/install-ansible/files/groups.yaml
@ -24,6 +24,7 @@ groups:
  review-dev: inventory_hostname|regex_match('review-dev\d+\.openstack\.org')
  review: inventory_hostname|regex_match('review\d+\.openstack\.org')
  status: inventory_hostname.startswith('status')
+  storyboard: inventory_hostname.startswith('storyboard')
  subunit-worker: inventory_hostname.startswith('subunit-worker')
  survey: inventory_hostname.startswith('survey')
  translate-dev: inventory_hostname|regex_match('translate-dev\d+\.openstack\.org')