markt-de / puppet-rspamd Goto Github PK

View Code? Open in Web Editor NEW

4.0 3.0 9.0 230 KB

Puppet module to manage the Rspamd anti spam system

Home Page: https://forge.puppet.com/oxc/rspamd

License: Other

Ruby 28.62% Puppet 70.55% Dockerfile 0.83%

rspamd puppet

puppet-rspamd's Introduction

puppet-rspamd

Description
Setup
- What rspamd affects
- Beginning with rspamd
Usage
Reference
Development
- Contributing

Description

This module installs and manages the Rspamd spam filter, and provides resources and functions to configure the Rspamd system. It does, however, not configure the systems beyond the upstream defaults.

Please note that while all versions starting from 1.6.3 should still be supported, this module is intended to be run with the latest version of Rspamd, and compatibility with older versions will not be tested for new releases.

Setup

What rspamd affects

By default, this module...

installs the rspamd.com package repository for Debian/Ubuntu and RHEL/CentOS/Fedora
installs the rspamd package
recursively purges all custom rspamd config (e.g. local.d and override.d directories)

Beginning with rspamd

The simplest way to use this module is:

include rspamd

This will setup the rspamd service the upstream default configuration.

Usage

The rspamd::config resource can be used to specify custom configuration entries. The easiest way to use it, is to put both the file and the hierachical config key into the resource title:

class { 'rspamd': }
rspamd::config {
  'classifier-bayes:backend': value => 'redis';
  'classifier-bayes:servers': value => '127.0.0.1:6379';
  'classifier-bayes:statfile[0].symbol': value => 'BAYES_HAM';
  'classifier-bayes:statfile[0].spam':   value => false;
  'classifier-bayes:statfile[1].symbol': value => 'BAYES_SPAM';
  'classifier-bayes:statfile[1].spam':   value => true;
}

This results the following config file /etc/rspamd/local.d/classifier-bayes.conf:

# This file is managed by Puppet. DO NOT EDIT.
backend = redis;
servers = "127.0.0.1:6379";
statfile {
  spam = false;
  symbol = 'BAYES_HAM';
}
statfile {
  spam = true;
  symbol = 'BAYES_SPAM';
}

Using the rspamd $config parameter, values for multiple config files can easily be provided from hiera:

rspamd::config:
  classifier-bayes:
    backend: redis
    servers: "127.0.0.1:6379"
    statfile:
      - symbol: BAYES_HAM
        spam: false
      - symbol: BAYES_SPAM
        spam: true
  milter_headers:
    use:
      - authentication-results
      - x-spam-status
  'worker-proxy.inc':
    bind_socket: 'localhost:11332'
    upstream:
      local:
        self_scan: true
  dkim_signing:
    sign_local: true

This uses the provided rspamd::create_config_resources and rspamd::create_config_file_resources functions, which can be used in custom profiles for extended use cases:

class profile::mail::rspamd (
  Hash $config,
  Hash $override_config,
) {
  class { 'rspamd': }

  rspamd::create_config_file_resources($config)
  rspamd::create_config_file_resources($override_config, { mode => 'override' })
}

Reference

Classes and parameters are documented in REFERENCE.md.

Development

Contributing

Please use the GitHub issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.

puppet-rspamd's People

Contributors

Stargazers

Watchers

Forkers

adamwight sevencastles jnk0 lollipopman b4ldr moritzfriedrich jan-win1993 markt-de

puppet-rspamd's Issues

Should not hardcode repository configs

Repository configs should not be hardcoded, but instead be configurable through new parameters.

This affects manifests/repo/apt_stable.pp, and possibly #14.

How to set rspamd::config in Foreman ?

Hi,

As I was planning to use this module I imported it in Foreman and see the parameters under the rspamd class itself I'm not sure how I will include rspamd::config on a host(group) as it's not there because of being a resource.

Any idea about this maybe ?

Thanks again!

Matt

Add maps.d directories to management

Rspamd added new maps.d configuration directories in Commit: Introduce maps.d directories. The puppet module currently prints out the following notice upon each run:

Notice: /Stage[main]/Rspamd::Configuration/File[/etc/rspamd/local.d/maps.d]: Not removing directory; use 'force' to override
Notice: /Stage[main]/Rspamd::Configuration/File[/etc/rspamd/local.d/maps.d]/ensure: removed

Still supported ?

Is this module still active and supported ?

Migrate away from apt::key

puppet-rspamd version: <= 2.1.0

Repository gpg keys are currently installed via apt::source, which uses apt-key(8) under the hood. apt-key is deprecated in Debian >= 11 versions and prints a warning when apt is called:

W: http://rspamd.com/apt-stable/dists/bookworm/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Please switch to using apt::keyring or adding the key to /etc/apt/trusted.gpg.d. puppetlabs/puppetlabs-apt#1128 implements keyrings, which can be used through apt::source, by supplying a name parameter.

rspamd selector syntax not supported

conf-files using selector syntax (https://rspamd.com/doc/configuration/selectors.html) seem not to be supported. For example, I see no way to create 'ratelimit.conf' (https://rspamd.com/doc/modules/ratelimit.html) with the following syntax:

rates {
# Selector based ratelimit
some_limit = {
selector = 'user.lower';
# You can define more than one bucket, however, you need to use array syntax only
bucket = [
{
burst = 100;
rate = "10 / 1min";
},
{
burst = 10;
rate = "100 / 1min";
}]
}
}

Example to "overwrite" workers in rspamd.conf

I'm trying to (re)config the default workers in rspamd.conf, for an example:

worker "controller" {
#    bind_socket = "localhost:11334";
    bind_socket = "xx.xx.xx.xx:11334";
    .include "$CONFDIR/worker-controller.inc"
    .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/worker-controller.inc"
    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/worker-controller.inc"
}

I'm not really seeing how to accomplish this without messing up the default config, can you help me out with this to get a better overview of this "controller" one ?

The rest of the files it pretty straight forward.

Thanks again!

Allow explicit type selection in hiera values

Allow specifying an explicit type instead of auto when specifying keys in hiera, e.g.

domain:
  example.com:
    path: /var/lib/rspamd/dkim/$domain.$selector.key
    'selector: string': 20200822

When this is possible, allow arrays to be printed as config-arrays:

    rates:
      some_limit:
        selector: 'user.lower'
        'bucket: array':
          - burst: 100
            rate: "10 / 1min"
          - burst: 10
            rate: "100 / 1min"

this should result in:

rates {
  some_limit {
    selector = "user.lower";
    bucket = [
    {
      burst = 100;
      rate = "10 / 1min";
    },
    {
      burst = 10;
      rate = "100 / 1min";
    }
    ]
  }
}

The exact syntax has still TBD, but I believe key: type should have the least potential for clashing with future keys/features, while being a common way to specify types in many langauges.

puppetlabs-stdlib dependency very restrictive

The following dependency :

puppetlabs-stdlib (>= 4.16.0 < 5.0.0)

Is very restrictive. Some other modules I have require stdlib to be >5.0.0 (for example : https://forge.puppet.com/modules/puppetlabs/accounts/dependencies).

Would it be possible if your module could support stdlib up to 7.0.0?

Thanks,

Release on forge

Please let me know when this module is released on the puppet forge under the new namespace, so I can deprecate the old module.