Breaks out postfix config into discrete role

Previously we configured both postfix and procmail inside the
"ossec-server" role, which was essentially shoehorning the config. It's
appropriate to target the "securedrop_monitor_server" group with those
config items, but technically there's not literally OSSEC server, but
rather a separate service that deserves its own configuration logic.

Tidies up some of the vars. We've documented use of the
`ossec_from_address` publicly, so we can't simply drop reference to it.
Since the associated logic now resides in the "postfix" role, it should
be prefixed with the `postfix_` namespace. That's done, old values of
`ossec_from_address` set at the site level, if set, will be honored.

install_files/ansible-base/group_vars/staging.yml

@@ -42,7 +42,7 @@ sasl_password: "password123"
 
 # Disable Postfix in staging, so we don't hammer Google mail relays
 # with known-bad credentials.
-ossec_server_enable_postfix: no
+postfix_enable_service: no
 
 # Permit direct access for SSH in the staging environment.
 # Otherwise, all SSH connections would be forced over Tor.

install_files/ansible-base/roles/ossec-server/defaults/main.yml

@@ -1,31 +1,8 @@
 ---
-smtp_relay_cert_dir: /etc/ssl/certs
-smtp_relay_cert_override_dir: '/etc/ssl/certs_local'
-smtp_relay_cert_override_file: ''
-
-# Email address listed in the FROM line when sending OSSEc email alerts.
-# Some mail servers require that this match the account that authenticated
-# to send mail.
-ossec_from_address: ''
-
 # Override capability for installing locally built deb packages in the staging
 # environment. By default, packages are installed via the FPF apt repo.
 install_local_packages: False
 
 ossec_group: ossec
 
-# Apt dependencies for the ossec server package
-ossec_postfix_dependencies:
-  - procmail
-  - postfix
-  - mailutils
-
-# Configuration info for procmail and postfix
-postfix_hostname: ossec.server
-
-# Whether to enable Postfix for sending mail. Required in prod,
-# but unnecessary in staging contexts, where SASL authentication
-# will always fail, due to lack of site-specific credentials.
-ossec_server_enable_postfix: True
-
 ossec_agent_already_registered: false

install_files/ansible-base/roles/ossec-server/handlers/main.yml

@@ -12,25 +12,6 @@
 - name: reload authd iptables
   shell: iptables-restore < /etc/network/iptables/rules_v4
 
-- name: update aliases
-  command: postalias /etc/aliases
-
-- name: update sasl_passwd db
-  command: postmap /etc/postfix/sasl_passwd
-
-- name: update generic_maps
-  command: postmap /etc/postfix/generic
-
-- name: postmap_header_checks
-  command: postmap /etc/postfix/header_checks
-
-- name: restart postfix
-  service:
-    name: postfix
-    state: restarted
-  # Don't bounce the service if set to disabled, e.g. in staging
-  when: ossec_server_enable_postfix
-
 - name: restart ossec-server
   service:
     name: ossec

install_files/ansible-base/roles/ossec-server/tasks/main.yml

@@ -3,12 +3,5 @@
   # error change these to lineinfile module to work with the exemptions
 - include: mon_configure_ossec_gpg_alerts.yml
 
-  # Configure SSL certificates for SMTP relay if manual
-  # overrides are declared. See default vars
-  # `smtp_relay_cert_override_file` and `smtp_relay_cert_override_dir`.
-- include: mon_configure_custom_cert.yml
-
-- include: mon_install_postfix.yml
-
 - include: authd.yml
   tags: authd

install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml

@@ -9,16 +9,6 @@
   tags:
     - apt
 
-- name: Install procmail.
-  apt:
-    name: procmail
-    state: latest
-    update_cache: yes
-    cache_valid_time: 3600
-  tags:
-    - apt
-    - procmail
-
 - name: Copy the OSSEC GPG public key for sending encrypted alerts.
   copy:
     src: "{{ ossec_alert_gpg_public_key }}"
@@ -47,43 +37,3 @@
   tags:
     - procmail
     - permissions
-
-  # This log file doesn't exist by default, so we need to create it. We don't
-  # want to clobber the contents if it already exists, however, thus the "force: no".
-  # The `copy` module will back off if the file already exists, which means permissions
-  # will be ignored if the file exists. A subsequent task will handle permissions.
-- name: Create procmail log file.
-  copy:
-    dest: /var/log/procmail.log
-    mode: "0660"
-    owner: ossec
-    group: root
-    content: ""
-    force: no
-  tags:
-    - procmail
-    - permissions
-    - logging
-
-  # The previous task is essentially a `touch` command, without the side-effect of reporting
-  # "changed" every time. In order to force correct ownership and permissions, we'll take a
-  # second pass at the log file and only report "changed" if updates were made.
-- name: Update permissions on procmail log file.
-  file:
-    path: /var/log/procmail.log
-    mode: "0660"
-    owner: ossec
-    group: root
-  tags:
-    - procmail
-    - permissions
-    - logging
-
-- name: Copy procmail config file.
-  copy:
-    src: procmailrc
-    dest: /var/ossec/.procmailrc
-    owner: root
-    group: ossec
-  tags:
-    - procmail

install_files/ansible-base/roles/postfix/defaults/main.yml

@@ -0,0 +1,23 @@
+---
+# Email address listed in the FROM line when sending OSSEc email alerts.
+# Some mail servers require that this match the account that authenticated
+# to send mail. Using the `ossec_from_address` for backwards-compatibility.
+postfix_from_address: "{{ ossec_from_address|default('') }}"
+
+# Apt dependencies for the ossec server package
+postfix_dependencies:
+  - procmail
+  - postfix
+  - mailutils
+
+# Configuration info for procmail and postfix
+postfix_hostname: ossec.server
+
+# Whether to enable Postfix for sending mail. Required in prod,
+# but unnecessary in staging contexts, where SASL authentication
+# will always fail, due to lack of site-specific credentials.
+postfix_enable_service: True
+
+smtp_relay_cert_dir: /etc/ssl/certs
+smtp_relay_cert_override_dir: '/etc/ssl/certs_local'
+smtp_relay_cert_override_file: ''

install_files/ansible-base/roles/postfix/handlers/main.yml

@@ -0,0 +1,19 @@
+---
+- name: update aliases
+  command: postalias /etc/aliases
+
+- name: update sasl_passwd db
+  command: postmap /etc/postfix/sasl_passwd
+
+- name: update generic_maps
+  command: postmap /etc/postfix/generic
+
+- name: postmap_header_checks
+  command: postmap /etc/postfix/header_checks
+
+- name: restart postfix
+  service:
+    name: postfix
+    state: restarted
+  # Don't bounce the service if set to disabled, e.g. in staging
+  when: postfix_enable_service

install_files/ansible-base/roles/ossec-server/tasks/mon_install_postfix.yml → install_files/ansible-base/roles/postfix/tasks/install_postfix.yml

@@ -1,9 +1,9 @@
 ---
-- name: Install postfix.
+- name: Install mailing utilities.
   apt:
     pkg: "{{ item }}"
-    state: latest
-  with_items: "{{ ossec_postfix_dependencies }}"
+    state: present
+  with_items: "{{ postfix_dependencies }}"
   tags:
     - apt
     - postfix
@@ -18,10 +18,10 @@
 
 - name: Create mapping for outbound address.
   copy:
-    content: "ossec@{{ postfix_hostname }} {{ ossec_from_address }}"
+    content: "ossec@{{ postfix_hostname }} {{ postfix_from_address }}"
     dest: /etc/postfix/generic
   notify: update generic_maps
-  when: ossec_from_address != ""
+  when: postfix_from_address != ""
   tags:
     - postfix
 
@@ -55,7 +55,7 @@
 - name: Configure Postfix service.
   service:
     name: postfix
-    state: "{{ 'started' if ossec_server_enable_postfix else 'stopped' }}"
-    enabled: "{{ ossec_server_enable_postfix }}"
+    state: "{{ 'started' if postfix_enable_service else 'stopped' }}"
+    enabled: "{{ postfix_enable_service }}"
 
 # TODO - name: configure postfix proxy

install_files/ansible-base/roles/postfix/tasks/install_procmail.yml

@@ -0,0 +1,40 @@
+---
+  # This log file doesn't exist by default, so we need to create it. We don't
+  # want to clobber the contents if it already exists, however, thus the "force: no".
+  # The `copy` module will back off if the file already exists, which means permissions
+  # will be ignored if the file exists. A subsequent task will handle permissions.
+- name: Create procmail log file.
+  copy:
+    dest: /var/log/procmail.log
+    mode: "0660"
+    owner: ossec
+    group: root
+    content: ""
+    force: no
+  tags:
+    - procmail
+    - permissions
+    - logging
+
+  # The previous task is essentially a `touch` command, without the side-effect of reporting
+  # "changed" every time. In order to force correct ownership and permissions, we'll take a
+  # second pass at the log file and only report "changed" if updates were made.
+- name: Update permissions on procmail log file.
+  file:
+    path: /var/log/procmail.log
+    mode: "0660"
+    owner: ossec
+    group: root
+  tags:
+    - procmail
+    - permissions
+    - logging
+
+- name: Copy procmail config file.
+  copy:
+    src: procmailrc
+    dest: /var/ossec/.procmailrc
+    owner: root
+    group: ossec
+  tags:
+    - procmail

install_files/ansible-base/roles/postfix/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- include: install_postfix.yml
+
+- include: install_procmail.yml
+
+  # Configure SSL certificates for SMTP relay if manual
+  # overrides are declared. See default vars
+  # `smtp_relay_cert_override_file` and `smtp_relay_cert_override_dir`.
+- include: configure_custom_cert.yml

install_files/ansible-base/roles/ossec-server/templates/main.cf → install_files/ansible-base/roles/postfix/templates/main.cf

@@ -58,7 +58,7 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 recipient_delimiter = +
 maximal_queue_lifetime = 14d
-{% if ossec_from_address != "" %}
+{% if postfix_from_address != "" %}
 # Used to remap outbound from address in emails
 smtp_generic_maps = hash:/etc/postfix/generic
 {% endif %}