From 0d1f235fce25ff8fa46fc8dad6339d98f694d688 Mon Sep 17 00:00:00 2001 From: Monty Taylor Date: Mon, 13 Aug 2018 14:40:19 -0500 Subject: [PATCH] Add exim config for firehose and storyboard In order to get puppet out of the business of mucking with exim and fighting ansible, finish moving the config to ansible. This introduces a storyboard group that we can use to apply the exim config across both servers. It also splits the base playbook so that we can avoid running exim on the backup servers. And we set purge_apt_sources the same as was set in puppet. We should probably remove it though, since none of us have any clue why it's here. Change-Id: I43ee891a9c1beead7f97808208829b01a0a7ced6 --- playbooks/base.yaml | 7 ++-- playbooks/group_vars/ci-backup.yaml | 2 ++ playbooks/group_vars/mailman.yaml | 2 ++ playbooks/group_vars/storyboard.yaml | 34 +++++++++++++++++++ .../host_vars/firehose.openstack.org.yaml | 14 ++++++++ .../roles/install-ansible/files/groups.yaml | 1 + 6 files changed, 58 insertions(+), 2 deletions(-) create mode 100644 playbooks/group_vars/ci-backup.yaml create mode 100644 playbooks/group_vars/storyboard.yaml create mode 100644 playbooks/host_vars/firehose.openstack.org.yaml diff --git a/playbooks/base.yaml b/playbooks/base.yaml index 0ce939cb42..579a7b1181 100644 --- a/playbooks/base.yaml +++ b/playbooks/base.yaml @@ -3,9 +3,12 @@ - users - base-repos -# Split into two plays so that the update apt cache handler fires -# before we run base-server +# Run base-server seperately so that the update apt cache handler in base-repos +# fires before we run base-server - hosts: "!disabled" roles: - base-server + +- hosts: "!ci-backup:!disabled" + roles: - exim diff --git a/playbooks/group_vars/ci-backup.yaml b/playbooks/group_vars/ci-backup.yaml new file mode 100644 index 0000000000..bcfd6be7dd --- /dev/null +++ b/playbooks/group_vars/ci-backup.yaml @@ -0,0 +1,2 @@ +# TODO(mordred) Why is this set? +purge_apt_sources: false 
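Review bot: In playbooks/base.yaml the new `- hosts: "!ci-backup:!disabled"` play has no comment saying why the backup servers are left out of the exim role, so the exclusion reads as accidental. Those hosts presumably keep whatever mail configuration they already had, outside what this playbook manages. A line above the play such as `# Backup servers are excluded: we do not run exim on them.` would record the intent given in the commit message. The reworded comment in the same hunk also misspells "separately" as `seperately`.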
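Review bot: `purge_apt_sources: false` in the new playbooks/group_vars/ci-backup.yaml (and the same two lines added to playbooks/group_vars/mailman.yaml) is carried over with only `# TODO(mordred) Why is this set?`, which leaves the consequence of the setting unstated. If the variable does what its name suggests, package sources already present on these hosts stay in place and remain trusted origins for apt, outside what the base-repos role manages; the role itself is not visible in this patch. I would extend the comment to say so, e.g. `# Carried over from puppet: existing apt sources are left in place; audit them before removing this.`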
diff --git a/playbooks/group_vars/mailman.yaml b/playbooks/group_vars/mailman.yaml
index eb4ad8a64b..4cfb82ce9d 100644
--- a/playbooks/group_vars/mailman.yaml
+++ b/playbooks/group_vars/mailman.yaml
@@ -2,3 +2,5 @@ exim_queue_interval: '1m'
 exim_queue_run_max: '50'
 exim_smtp_accept_max: '100'
 exim_smtp_accept_max_per_host: '10'
+# TODO(mordred) Why is this set?
+purge_apt_sources: false
diff --git a/playbooks/group_vars/storyboard.yaml b/playbooks/group_vars/storyboard.yaml
new file mode 100644
index 0000000000..7f813d1a84
--- /dev/null
+++ b/playbooks/group_vars/storyboard.yaml
@@ -0,0 +1,34 @@
+exim_routers:
+ - storyboard_verp_router: |
+ driver = dnslookup
+ # we only consider messages sent in through loopback
+ condition = ${if or{{eq{$sender_host_address}{127.0.0.1}}\
+ {eq{$sender_host_address}{::1}}}{yes}{no}}
+ # we do not do this for traffic going to the local machine
+ domains = '!+local_domains'
+ ignore_target_hosts = <; \
+ 0.0.0.0; \
+ 64.94.110.11; \
+ 127.0.0.0/8; \
+ ::1/128; \
+ fe80::/10; \
+ fec0::/10; \
+ ff00::/8
+ # only the un-VERPed bounce addresses are handled
+ senders = "*-bounces@*"
+ transport = storyboard_verp_smtp
+ - storyboard: |
+ # Send bounces to /dev/null until storyboard supports them.
+ driver = redirect
+ local_parts = storyboard
+ local_part_suffix_optional = true
+ local_part_suffix = -bounces : -bounces+*
+ data = :blackhole:
+exim_transports:
+ - storyboard_verp_smtp: |
+ driver = smtp
+ return_path = \
+ ${local_part:$return_path}+$local_part=$domain@${domain:$return_path}
+ max_rcpt = 1
+ headers_remove = Errors-To
+ headers_add = Errors-To: ${return_path}
diff --git a/playbooks/host_vars/firehose.openstack.org.yaml b/playbooks/host_vars/firehose.openstack.org.yaml
new file mode 100644
index 0000000000..c3c4486ff4
--- /dev/null
+++ b/playbooks/host_vars/firehose.openstack.org.yaml
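Review bot: In playbooks/group_vars/storyboard.yaml the `condition =` line of `storyboard_verp_router` contains `{{eq{` and a closing `}}`, and Ansible passes variable values through Jinja2, so this string is likely to be parsed as a Jinja expression and fail or be mangled when the exim role renders it. Wrapping the value in `{% raw %}` … `{% endraw %}`, or tagging the scalar `!unsafe`, keeps the Exim braces literal. Separately, `domains = '!+local_domains'` sits inside a literal block scalar, where YAML quoting does not apply, so the single quotes would reach the Exim configuration as part of the list item and the negated `+local_domains` match would not take effect; the firehose host_vars in this same patch write `domains = +local_domains` unquoted. I would change it to `domains = !+local_domains`, unless the role's template (not shown here) strips the quotes. The hard-coded `64.94.110.11` in `ignore_target_hosts` also needs a comment saying what that address is.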
@@ -0,0 +1,14 @@
+exim_local_domains: "@:firehose.openstack.org"
+exim_routers:
+ - cyrus: |
+ driver = accept
+ domains = +local_domains
+ local_part_suffix = +*
+ local_part_suffix_optional
+ transport = cyrus
+exim_transports:
+ - cyrus: |
+ driver = lmtp
+ socket = /var/run/cyrus/socket/lmtp
+ user = cyrus
+ batch_max = 35
diff --git a/playbooks/roles/install-ansible/files/groups.yaml b/playbooks/roles/install-ansible/files/groups.yaml
index f45136ec00..4b1c4e6cf1 100644
--- a/playbooks/roles/install-ansible/files/groups.yaml
+++ b/playbooks/roles/install-ansible/files/groups.yaml
@@ -24,6 +24,7 @@ groups:
 review-dev: inventory_hostname|regex_match('review-dev\d+\.openstack\.org')
 review: inventory_hostname|regex_match('review\d+\.openstack\.org')
 status: inventory_hostname.startswith('status')
+ storyboard: inventory_hostname.startswith('storyboard')
 subunit-worker: inventory_hostname.startswith('subunit-worker')
 survey: inventory_hostname.startswith('survey')
 translate-dev: inventory_hostname|regex_match('translate-dev\d+\.openstack\.org')
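Review bot: The `cyrus` router in playbooks/host_vars/firehose.openstack.org.yaml uses `driver = accept` for every address in `+local_domains` with no `local_parts` or other recipient check, so whether unknown recipients are refused at SMTP time depends on ACLs and router ordering that this hunk does not show. If they are not refused there, mail for nonexistent mailboxes would be accepted and only fail at LMTP delivery, generating bounces to sender addresses that may be forged. A comment above the router stating the intent, e.g. `# every local part is handed to cyrus over LMTP; cyrus rejects unknown mailboxes`, or an explicit `local_parts` restriction would make this reviewable.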