From b441dd4a7c3ce72008968d324a12e5c342d164a3 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sat, 9 Jul 2016 23:46:21 +0200
Subject: Route SMTP traffic from the webmail through IPsec.

---
 group_vars/all.yml | 38 +++++++++++++++++++++++++++-----------
 1 file changed, 27 insertions(+), 11 deletions(-)

(limited to 'group_vars')

diff --git a/group_vars/all.yml b/group_vars/all.yml
index a9bfda9..96f723b 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,15 +1,4 @@
 ---
-postfix_instance:
-  # The keys are the group names associated with a Postfix role, and the
-  # values are the name and group (optional) of the instance dedicated
-  # to that role.
-  IMAP: { name: mda, port: 2526 }
-  MX: { name: mx, group: mta }
-  out: { name: out, group: mta, port: 2525 }
-  MSA: { name: msa }
-  lists: { name: lists, port: 2527 }
-
-
 # Virtual (non-routable) IPv4 subnet for IPsec. It is always nullrouted
 # in the absence of xfrm lookup (i.e., when there is no matching IPsec
 # Security Association) to avoid data leaks.
@@ -23,3 +12,30 @@ ipsec:
   elefant: 172.16.0.4
   giraff: 172.16.0.5
   mistral: 172.16.0.6
+
+
+postfix_instance:
+  # The keys are the group names associated with a Postfix role, and the
+  # values are the name and group (optional) of the instance dedicated
+  # to that role.
+  # For internal services, we also specify its (non-routable) IP address
+  # and port.
+  # XXX it's unfortunate that we can only specify a single address, and
+  # therefore have to limit the number of outgoing SMTP proxy and
+  # IMAP server to one. Since hosts(5) files cannot map and IP
+  # address to multiple hostnames, a workaround would be to use
+  # round-robin DNS, but we can't rely on DNS as long as our zone is
+  # unsigned.
+  IMAP: { name: mda
+        , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.IMAP[0]].inventory_hostname_short ], '127.0.0.1') }}"
+        , port: 2526 }
+  MX: { name: mx, group: mta }
+  out: { name: out, group: mta
+       , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.out[0]].inventory_hostname_short ], '127.0.0.1') }}"
+       , port: 2525 }
+  MSA: { name: msa }
+  lists: { name: lists
+         , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.lists[0]].inventory_hostname_short ], '127.0.0.1') }}"
+         , port: 2527 }
+
+imapsvr_addr: "{{ postfix_instance.IMAP.addr | ipaddr }}"
--
cgit v1.2.3
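Review bot: The three `addr` expressions (IMAP, out, lists) index `groups.<role>[0]` and `ipsec[...]` with no guard, so an inventory where a role group is empty or whose host is missing from the `ipsec` map above fails at template time with an undefined-variable error rather than a clear message; and because `ternary` is a filter, both of its arguments are evaluated eagerly, so that lookup is likely attempted even in the single-host case where `'127.0.0.1'` is meant to apply. A lazy inline conditional avoids that and reads more directly, e.g. `addr: "{{ ipsec[hostvars[groups.IMAP[0]].inventory_hostname_short] if groups.all | length > 1 else '127.0.0.1' }}"` for each of the three entries. The invariant is worth stating next to the map, e.g. `# Every host in the IMAP, out and lists groups must have an entry in ipsec above, otherwise templating fails.`, since the null-routed IPsec subnet is what keeps internal SMTP/IMAP traffic from leaking when no SA matches. Note also that `ipaddr` on `imapsvr_addr` yields `false` rather than an error if `addr` ever resolves to a non-address, so consumers should not treat it as validation, and the comment reads "cannot map and IP address" where "an IP address" is meant.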