Diffstat (limited to 'roles/common/templates')
5 files changed, 35 insertions, 33 deletions
|
diff --git a/roles/common/templates/etc/apt/preferences.j2 b/roles/common/templates/etc/apt/preferences.j2
index 4e18a6e..383037f 100644
--- a/roles/common/templates/etc/apt/preferences.j2
+++ b/roles/common/templates/etc/apt/preferences.j2
@@ -3,27 +3,27 @@
 # Install updates as soon as they're available
 Package: *
-Pin: release a={{ ansible_lsb.codename }}-updates
+Pin: release o=Debian, n={{ ansible_lsb.codename }}-updates
 Pin-Priority: 990
 {% if 'backports' in group_names -%}
 # Automatically packages from backports (those manually installed)
 Package: *
-Pin: release a={{ ansible_lsb.codename }}-backports
+Pin: release o=Debian Backports, n={{ ansible_lsb.codename }}-backports
 Pin-Priority: 200
 {% endif %}
 {% if inventory_hostname_short in non_free_packages.keys() -%}
 # Automatically upgrade non-free firmwares (when manually installed)
 Package: {{ non_free_packages[inventory_hostname_short] | join (' ') }}
-Pin: version *
+Pin: release o=Debian
 Pin-Priority: 200
 {% endif %}
 {% if ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest' -%}
 # Automatically upgrade the microcode (when manually installed)
 Package: intel-microcode iucode-tool
-Pin: version *
+Pin: release o=Debian
 Pin-Priority: 200
 {% endif %}
diff --git a/roles/common/templates/etc/apt/sources.list.j2 b/roles/common/templates/etc/apt/sources.list.j2
index 8d1b7fd..4ae1cb5 100644
--- a/roles/common/templates/etc/apt/sources.list.j2
+++ b/roles/common/templates/etc/apt/sources.list.j2
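Review bot: The two `Pin: release o=Debian` stanzas (non-free firmware and intel-microcode) have no comment saying what the origin match covers, and replacing `Pin: version *` narrows it. `o=` is compared with the Origin field of each archive's Release file, so these stanzas now apply to the Debian suites in sources.list but not to backports, which the stanza above matches as `o=Debian Backports`. I would add a line such as `# o= matches the Release file's Origin field; backports has its own origin and is pinned above` over each stanza. The pin only ranks candidates; package authenticity still rests on the APT keyring, which is worth stating so nobody reads the origin match as a trust check.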
@@ -2,12 +2,12 @@
 # Do NOT edit this file directly!
 # vim: set filetype=debsources :
-deb http://deb.debian.org/debian/ {{ ansible_lsb.codename }} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and ansible_virtualization_role == 'guest') %} contrib non-free{% endif %}
+deb http://deb.debian.org/debian {{ ansible_lsb.codename }} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %}
-deb http://deb.debian.org/debian-security/ {{ ansible_lsb.codename }}/updates main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %}
+deb http://deb.debian.org/debian-security {{ ansible_lsb.codename }}/updates main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %}
-deb http://deb.debian.org/debian/ {{ ansible_lsb.codename }}-updates main
+deb http://deb.debian.org/debian {{ ansible_lsb.codename }}-updates main
 {% if 'backports' in group_names -%}
-deb http://deb.debian.org/debian/ {{ ansible_lsb.codename }}-backports main
+deb http://deb.debian.org/debian {{ ansible_lsb.codename }}-backports main
 {% endif %}
diff --git a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
index 6cfa3f9..2d434bc 100644
--- a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
+++ b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
@@ -36,6 +36,7 @@ user root
 [df*]
 env.warning 92
 env.critical 98
+env.exclude_re ^/run/user
 [exim_mailqueue]
 group adm, (Debian-exim)
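Review bot: All four `deb` lines in this hunk still fetch over plain `http://`, including the `debian-security` suite. APT's Release signature check keeps package integrity intact, but the transport exposes which packages and versions a host pulls, and index files can be withheld or replayed on the path until their Valid-Until expires. deb.debian.org also serves HTTPS, so switching the scheme to `https://deb.debian.org/debian-security` (and likewise for the other three) is a small change, provided `apt-transport-https` is installed on releases whose apt lacks built-in HTTPS support. Separately, the Intel/guest condition is repeated verbatim on two lines, and this commit fixes a missing `not` on one of them; a single `{% set %}` at the top of the template would stop the copies from drifting again.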
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index af909ba..55361ee 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -4,10 +4,11 @@
 # {{ ansible_managed }}
 # Do NOT edit this file directly!
-smtpd_banner     = $myhostname ESMTP $mail_name (Debian/GNU)
-biff             = no
-readme_directory = no
-mail_owner       = postfix
+smtpd_banner        = $myhostname ESMTP $mail_name (Debian/GNU)
+biff                = no
+readme_directory    = no
+mail_owner          = postfix
+compatibility_level = 2
 myorigin            = /etc/mailname
 myhostname          = {{ ansible_fqdn }}
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index c30f95b..10fc303 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -11,7 +11,7 @@
 # ==========================================================================
 {% if inst is not defined %}
-[127.0.0.1]:16132 inet n -      -       -       -       smtpd
+[127.0.0.1]:16132 inet n -      y       -       -       smtpd
 {% elif inst == 'MX' %}
 smtpd     pass  -       -       n       -       -       smtpd
   -o cleanup_service_name=cleanup_nochroot
@@ -20,7 +20,7 @@ tlsproxy  unix  -       -       n       -       0       tlsproxy
 dnsblog   unix  -       -       n       -       0       dnsblog
 cleanup_nochroot unix n -       n       -       0       cleanup
 {% elif inst == 'MSA' %}
-submission inet n       -       -       -       -       smtpd
+submission inet n       -       y       -       -       smtpd
   -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
 {% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
 [{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n       -       -       -       -       smtpd
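Review bot: `compatibility_level = 2` is added without a comment, and it switches off more backwards-compatible defaults than the chroot one that master.cf handles in this commit. Per Postfix's COMPATIBILITY_README, level 2 also moves the default of `mynetworks_style` from `subnet` to `host` and of `relay_domains` from `$mydestination` to empty. The hunk shows neither parameter and main.cf continues outside it, so whether both are set explicitly cannot be confirmed from here. Once that is checked, I would add `# Opt out of Postfix's backwards-compatible defaults (chroot, mynetworks_style, relay_domains); everything that relied on them is set explicitly` above the new line.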
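Review bot: The context line `[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - - - - smtpd` that closes the `@@ -20,7` hunk keeps `-` in the chroot column. So does `[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet …` at the top of the `@@ -34,30` hunk. With `compatibility_level = 2` set in main.cf by this same commit, `-` in that column means `n`, so, assuming the level was unset before, these two smtpd listeners would lose the chroot that every other converted service keeps. If that is not intended, both lines need `y` in the fifth column, e.g. `… inet n       -       y       -       -       smtpd`. The `{% if %}` blocks that hold them start or end outside the hunks.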
@@ -34,30 +34,30 @@ submission inet n       -       -       -       -       smtpd
 [{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n       -       -       -       -       smtpd
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
 {% endif %}
-pickup    unix  n       -       -       60      1       pickup
-cleanup   unix  n       -       -       -       0       cleanup
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
 qmgr      unix  n       -       n       300     1       qmgr
-tlsmgr    unix  -       -       -       1000?   1       tlsmgr
-rewrite   unix  -       -       -       -       -       trivial-rewrite
-bounce    unix  -       -       -       -       0       bounce
-defer     unix  -       -       -       -       0       bounce
-trace     unix  -       -       -       -       0       bounce
-verify    unix  -       -       -       -       1       verify
-flush     unix  n       -       -       1000?   0       flush
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
-smtp      unix  -       -       -       -       -       smtp
-relay     unix  -       -       -       -       -       smtp
+smtp      unix  -       -       y       -       -       smtp
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
-showq     unix  n       -       -       -       -       showq
-error     unix  -       -       -       -       -       error
-retry     unix  -       -       -       -       -       error
-discard   unix  -       -       -       -       -       discard
+relay     unix  -       -       y       -       -       smtp
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
 local     unix  -       n       n       -       -       local
 virtual   unix  -       n       n       -       -       virtual
-lmtp      unix  -       -       -       -       -       lmtp
-anvil     unix  -       -       -       -       1       anvil
-scache    unix  -       -       -       -       1       scache
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
 {% if inst is defined and inst == 'MX' %}
 reserved-alias unix  -  n       n       -       -       pipe
   flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
@@ -76,7 +76,7 @@ amavisfeed unix -       -       n       -       5       lmtp
   -o disable_dns_lookups=yes
 # Server part (smtpd) - amavis
-[127.0.0.1]:10025 inet n  -       n       -       -       smtpd
+[127.0.0.1]:10025 inet n  -       y       -       -       smtpd
   -o content_filter=
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
|
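Review bot: The amavis re-injection listener `[127.0.0.1]:10025` is the one line in this file that goes from an explicit `n` to `y` in the chroot column, so unlike the other conversions it changes runtime behaviour rather than spelling out the old default. A chrooted smtpd can only reach files under the Postfix queue directory, so any lookup table or file that this listener's `-o` overrides reference has to resolve inside the chroot; the override list continues past the end of the hunk. A comment above the line, e.g. `# chrooted like the other smtpd listeners (was n before the compatibility_level change)`, would record that the flip is deliberate.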
