├── .fmf └── version ├── .codespell_ignores ├── vars ├── Rocky_8.yml ├── Rocky_9.yml ├── AlmaLinux_8.yml ├── AlmaLinux_9.yml ├── CentOS_10.yml ├── CentOS_7.yml ├── CentOS_8.yml ├── CentOS_9.yml ├── Rocky_10.yml ├── AlmaLinux_10.yml ├── Fedora.yml ├── RedHat.yml ├── Fedora_39.yml ├── RedHat_10.yml ├── RedHat_7.yml ├── RedHat_8.yml ├── RedHat_9.yml └── main.yml ├── .ostree ├── packages-runtime.txt ├── roles-runtime.txt ├── README.md └── get_ostree_data.sh ├── tests ├── roles │ └── linux-system-roles.postfix │ │ ├── meta │ │ ├── tasks │ │ ├── vars │ │ ├── defaults │ │ ├── handlers │ │ └── templates ├── templates │ └── get_ansible_managed.j2 ├── setup-snapshot.yml ├── tests_default.yml ├── tasks │ └── check_header.yml ├── tests_set_banner.yml ├── vars │ └── rh_distros_vars.yml ├── tests_disable_ipv6.yml ├── check_firewall_selinux.yml ├── tests_set_file.yml └── tests_previous_replaced.yml ├── .yamllint.yml ├── pylint_extra_requirements.txt ├── molecule_extra_requirements.txt ├── templates └── get_ansible_managed.j2 ├── .github ├── pull_request_template.md ├── CODEOWNERS ├── dependabot.yml └── workflows │ ├── codespell.yml │ ├── woke.yml │ ├── pr-title-lint.yml │ ├── markdownlint.yml │ ├── ansible-managed-var-comment.yml │ ├── test_converting_readme.yml │ ├── ansible-test.yml │ ├── tft_citest_bad.yml │ ├── ansible-lint.yml │ ├── weekly_ci.yml │ ├── changelog_to_tag.yml │ ├── build_docs.yml │ ├── tft.yml │ └── qemu-kvm-integration-tests.yml ├── custom_requirements.txt ├── tox.ini ├── meta ├── collection-requirements.yml └── main.yml ├── .gitignore ├── handlers └── main.yml ├── ansible_pytest_extra_requirements.txt ├── README-ansible.md ├── pytest_extra_requirements.txt ├── tasks ├── firewall.yml ├── set_facts.yml ├── manage_config.yml ├── selinux.yml └── main.yml ├── .codespellrc ├── .ansible-lint ├── molecule └── default │ ├── molecule.yml │ └── Dockerfile.j2 ├── defaults └── main.yml ├── README-ostree.md ├── plans ├── test_playbooks_parallel.fmf └── README-plans.md ├── contributing.md ├── .commitlintrc.js ├── .markdownlint.yaml ├── README.md ├── CHANGELOG.md ├── .pandoc_template.html5 ├── .README.html └── COPYING /.fmf/version: -------------------------------------------------------------------------------- 1 | 1 2 | -------------------------------------------------------------------------------- /.codespell_ignores: -------------------------------------------------------------------------------- 1 | passt 2 | -------------------------------------------------------------------------------- /vars/Rocky_8.yml: -------------------------------------------------------------------------------- 1 | RedHat_8.yml -------------------------------------------------------------------------------- /vars/Rocky_9.yml: -------------------------------------------------------------------------------- 1 | RedHat_9.yml -------------------------------------------------------------------------------- /vars/AlmaLinux_8.yml: -------------------------------------------------------------------------------- 1 | RedHat_8.yml -------------------------------------------------------------------------------- /vars/AlmaLinux_9.yml: -------------------------------------------------------------------------------- 1 | RedHat_9.yml -------------------------------------------------------------------------------- /vars/CentOS_10.yml: -------------------------------------------------------------------------------- 1 | RedHat_10.yml -------------------------------------------------------------------------------- /vars/CentOS_7.yml: -------------------------------------------------------------------------------- 1 | RedHat_7.yml -------------------------------------------------------------------------------- /vars/CentOS_8.yml: -------------------------------------------------------------------------------- 1 | RedHat_8.yml -------------------------------------------------------------------------------- /vars/CentOS_9.yml: -------------------------------------------------------------------------------- 1 | RedHat_9.yml -------------------------------------------------------------------------------- /vars/Rocky_10.yml: -------------------------------------------------------------------------------- 1 | RedHat_10.yml -------------------------------------------------------------------------------- /vars/AlmaLinux_10.yml: -------------------------------------------------------------------------------- 1 | RedHat_10.yml -------------------------------------------------------------------------------- /.ostree/packages-runtime.txt: -------------------------------------------------------------------------------- 1 | postfix 2 | -------------------------------------------------------------------------------- /.ostree/roles-runtime.txt: -------------------------------------------------------------------------------- 1 | firewall 2 | selinux 3 | -------------------------------------------------------------------------------- /tests/roles/linux-system-roles.postfix/meta: -------------------------------------------------------------------------------- 1 | ../../../meta -------------------------------------------------------------------------------- /tests/roles/linux-system-roles.postfix/tasks: -------------------------------------------------------------------------------- 1 | ../../../tasks -------------------------------------------------------------------------------- /tests/roles/linux-system-roles.postfix/vars: -------------------------------------------------------------------------------- 1 | ../../../vars/ -------------------------------------------------------------------------------- /tests/roles/linux-system-roles.postfix/defaults: -------------------------------------------------------------------------------- 1 | ../../../defaults -------------------------------------------------------------------------------- /tests/roles/linux-system-roles.postfix/handlers: -------------------------------------------------------------------------------- 1 | ../../../handlers -------------------------------------------------------------------------------- /tests/roles/linux-system-roles.postfix/templates: -------------------------------------------------------------------------------- 1 | ../../../templates/ -------------------------------------------------------------------------------- /.yamllint.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | --- 3 | ignore: | 4 | /.tox/ 5 | -------------------------------------------------------------------------------- /tests/templates/get_ansible_managed.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment(__comment_type | d("plain")) }} 2 | -------------------------------------------------------------------------------- /pylint_extra_requirements.txt: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | 3 | # Write extra requirements for running pylint here: 4 | -------------------------------------------------------------------------------- /molecule_extra_requirements.txt: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | 3 | # Write extra requirements for running molecule here: 4 | -------------------------------------------------------------------------------- /templates/get_ansible_managed.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | {{ "system_role:postfix" | comment(prefix="", postfix="") }} 3 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | Enhancement: 2 | 3 | Reason: 4 | 5 | Result: 6 | 7 | Issue Tracker Tickets (Jira or BZ if any): 8 | -------------------------------------------------------------------------------- /custom_requirements.txt: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | 3 | # Write requirements for running your custom commands in tox here: 4 | -------------------------------------------------------------------------------- /vars/Fedora.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-only 2 | --- 3 | __postfix_smtp_services: 4 | - smtp 5 | - smtps 6 | - submission 7 | -------------------------------------------------------------------------------- /vars/RedHat.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-only 2 | --- 3 | __postfix_smtp_services: 4 | - smtp 5 | - smtps 6 | - submission 7 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # https://help.github.com/en/articles/about-code-owners 2 | # Default reviewers for everything 3 | * @richm @nhosoi @spetrosi 4 | -------------------------------------------------------------------------------- /tox.ini: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | [lsr_config] 3 | lsr_enable = true 4 | 5 | [lsr_ansible-lint] 6 | configfile = {toxinidir}/.ansible-lint 7 | -------------------------------------------------------------------------------- /vars/Fedora_39.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-only 2 | --- 3 | __postfix_smtp_services: 4 | - smtp 5 | - smtps 6 | - smtp-submission 7 | -------------------------------------------------------------------------------- /vars/RedHat_10.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-only 2 | --- 3 | __postfix_smtp_services: 4 | - smtp 5 | - smtps 6 | - smtp-submission 7 | -------------------------------------------------------------------------------- /vars/RedHat_7.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-only 2 | --- 3 | __postfix_smtp_services: 4 | - smtp 5 | - smtps 6 | - smtp-submission 7 | -------------------------------------------------------------------------------- /vars/RedHat_8.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-only 2 | --- 3 | __postfix_smtp_services: 4 | - smtp 5 | - smtps 6 | - smtp-submission 7 | -------------------------------------------------------------------------------- /vars/RedHat_9.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-only 2 | --- 3 | __postfix_smtp_services: 4 | - smtp 5 | - smtps 6 | - smtp-submission 7 | -------------------------------------------------------------------------------- /meta/collection-requirements.yml: -------------------------------------------------------------------------------- 1 | # DO NOT EDIT THIS FILE - managed by linux-system-roles/.github 2 | --- 3 | collections: 4 | - name: ansible.posix 5 | - name: fedora.linux_system_roles 6 | -------------------------------------------------------------------------------- /.ostree/README.md: -------------------------------------------------------------------------------- 1 | *NOTE*: The `*.txt` files are used by `get_ostree_data.sh` to create the lists 2 | of packages, and to find other system roles used by this role. DO NOT use them 3 | directly. 4 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | --- 2 | version: 2 3 | updates: 4 | - package-ecosystem: github-actions 5 | directory: / 6 | schedule: 7 | interval: monthly 8 | commit-message: 9 | prefix: ci 10 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | passes.yml 2 | vault.yml 3 | *.pyc 4 | *.retry 5 | /tests/.coverage 6 | /tests/htmlcov* 7 | /.tox 8 | /venv*/ 9 | /.venv/ 10 | .vscode/ 11 | artifacts/ 12 | __pycache__/ 13 | *~ 14 | .pytest_cache/ 15 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Check postfix 3 | command: postfix check 4 | when: postfix_check 5 | changed_when: false 6 | 7 | - name: Restart postfix 8 | service: 9 | name: postfix 10 | state: restarted 11 | -------------------------------------------------------------------------------- /ansible_pytest_extra_requirements.txt: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | 3 | # ansible and dependencies for all supported platforms 4 | ansible ; python_version > "2.6" 5 | idna<2.8 ; python_version < "2.7" 6 | PyYAML<5.1 ; python_version < "2.7" 7 | -------------------------------------------------------------------------------- /README-ansible.md: -------------------------------------------------------------------------------- 1 | # Introduction to Ansible for Linux System Roles 2 | 3 | If you are not familiar with Ansible, please see 4 | [Introduction to Ansible for Linux System Roles](https://linux-system-roles.github.io/documentation/intro-to-ansible-for-system-roles.html), 5 | where many useful links are presented. 6 | -------------------------------------------------------------------------------- /pytest_extra_requirements.txt: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | 3 | # Write extra requirements for running pytest here: 4 | # If you need ansible then uncomment the following line: 5 | #-ransible_pytest_extra_requirements.txt 6 | # If you need mock then uncomment the following line: 7 | #mock ; python_version < "3.0" 8 | -------------------------------------------------------------------------------- /tests/setup-snapshot.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Setup snapshot 3 | hosts: all 4 | tasks: 5 | - name: Set facts used by role 6 | include_role: 7 | name: linux-system-roles.postfix 8 | tasks_from: set_facts.yml 9 | public: true 10 | 11 | - name: Install test packages 12 | package: 13 | name: "{{ __postfix_packages }}" 14 | state: present 15 | -------------------------------------------------------------------------------- /.github/workflows/codespell.yml: -------------------------------------------------------------------------------- 1 | # Codespell configuration is within .codespellrc 2 | --- 3 | name: Codespell 4 | on: # yamllint disable-line rule:truthy 5 | - pull_request 6 | permissions: 7 | contents: read 8 | jobs: 9 | codespell: 10 | name: Check for spelling errors 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: Checkout 14 | uses: actions/checkout@v6 15 | 16 | - name: Codespell 17 | uses: codespell-project/actions-codespell@v2 18 | -------------------------------------------------------------------------------- /tests/tests_default.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Ensure that the rule runs with default parameters 3 | hosts: all 4 | gather_facts: false 5 | tasks: 6 | - name: Run the postfix role 7 | include_role: 8 | name: linux-system-roles.postfix 9 | public: true 10 | vars: 11 | postfix_manage_firewall: true 12 | postfix_manage_selinux: true 13 | 14 | - name: Check firewall and selinux status 15 | include_tasks: check_firewall_selinux.yml 16 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | galaxy_info: 3 | author: Jaroslav Škarvada 4 | description: Configure Postfix 5 | company: Red Hat, Inc. 6 | license: GPL-3.0+ 7 | min_ansible_version: "2.9" 8 | platforms: 9 | - name: Fedora 10 | versions: 11 | - all 12 | - name: EL 13 | versions: 14 | - "6" 15 | - "7" 16 | - "8" 17 | - "9" 18 | galaxy_tags: 19 | - beta 20 | - el6 21 | - el7 22 | - el8 23 | - el9 24 | - el10 25 | - fedora 26 | - system 27 | -------------------------------------------------------------------------------- /tests/tasks/check_header.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | --- 3 | - name: Get file 4 | slurp: 5 | path: "{{ __file }}" 6 | register: __content 7 | when: not __file_content is defined 8 | 9 | - name: Check for presence of ansible managed header, fingerprint 10 | assert: 11 | that: 12 | - __ansible_managed in content 13 | - __fingerprint in content 14 | vars: 15 | content: "{{ (__file_content | d(__content)).content | b64decode }}" 16 | __ansible_managed: "{{ lookup('template', 'get_ansible_managed.j2') }}" 17 | -------------------------------------------------------------------------------- /tasks/firewall.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | --- 3 | - name: Ensure the postfix ports status with the firewall role 4 | include_role: 5 | name: fedora.linux_system_roles.firewall 6 | vars: 7 | firewall: 8 | - {'service': 'smtp', 'state': 'enabled'} 9 | - {'service': 'smtps', 'state': 'enabled'} 10 | - {'service': 'smtp-submission', 'state': 'enabled'} 11 | when: 12 | - postfix_manage_firewall | bool 13 | - ansible_facts['os_family'] == 'RedHat' 14 | - ansible_facts['distribution_version'] is version('7', '>=') 15 | -------------------------------------------------------------------------------- /.codespellrc: -------------------------------------------------------------------------------- 1 | [codespell] 2 | check-hidden = true 3 | # Note that `-w` doesn't work when ignore-multiline-regex is set 4 | # https://github.com/codespell-project/codespell/issues/3642 5 | ignore-multiline-regex = codespell:ignore-begin.*codespell:ignore-end 6 | ignore-words = .codespell_ignores 7 | # skip-file is not available https://github.com/codespell-project/codespell/pull/2759 8 | # .pandoc_template.html5 contains a typo in Licence that we shouldn't edit 9 | # .README.html is generated from README.md automatically - no need to check spelling 10 | skip = .pandoc_template.html5,.README.html 11 | -------------------------------------------------------------------------------- /.github/workflows/woke.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # yamllint disable rule:line-length 3 | name: Woke 4 | on: # yamllint disable-line rule:truthy 5 | - pull_request 6 | jobs: 7 | woke: 8 | name: Detect non-inclusive language 9 | runs-on: ubuntu-latest 10 | steps: 11 | - name: Checkout 12 | uses: actions/checkout@v6 13 | 14 | - name: Run lsr-woke-action 15 | # Originally, uses: get-woke/woke-action@v0 16 | uses: linux-system-roles/lsr-woke-action@main 17 | with: 18 | woke-args: "-c https://raw.githubusercontent.com/linux-system-roles/tox-lsr/main/src/tox_lsr/config_files/woke.yml --count-only-error-for-failure" 19 | # Cause the check to fail on any broke rules 20 | fail-on-error: true 21 | -------------------------------------------------------------------------------- /.ansible-lint: -------------------------------------------------------------------------------- 1 | --- 2 | profile: production 3 | kinds: 4 | - yaml: "**/meta/collection-requirements.yml" 5 | - playbook: "**/tests/get_coverage.yml" 6 | - yaml: "**/tests/collection-requirements.yml" 7 | - playbook: "**/tests/tests_*.yml" 8 | - playbook: "**/tests/setup-snapshot.yml" 9 | - tasks: "**/tests/*.yml" 10 | - playbook: "**/tests/playbooks/*.yml" 11 | - tasks: "**/tests/tasks/*.yml" 12 | - tasks: "**/tests/tasks/*/*.yml" 13 | - vars: "**/tests/vars/*.yml" 14 | - playbook: "**/examples/*.yml" 15 | skip_list: 16 | - fqcn-builtins 17 | - var-naming[no-role-prefix] 18 | exclude_paths: 19 | - tests/roles/ 20 | - .github/ 21 | - .markdownlint.yaml 22 | - examples/roles/ 23 | mock_roles: 24 | - linux-system-roles.postfix 25 | supported_ansible_also: 26 | - "2.14.0" 27 | -------------------------------------------------------------------------------- /tests/tests_set_banner.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Set smtpd banner 3 | hosts: all 4 | 5 | vars: 6 | postfix_conf: 7 | smtpd_banner: test 8 | postfix_manage_firewall: false 9 | postfix_manage_selinux: true 10 | 11 | tasks: 12 | - name: Run the role with test smtpd_banner 13 | include_role: 14 | name: linux-system-roles.postfix 15 | public: true 16 | 17 | - name: Get smtpd banner 18 | command: postconf smtpd_banner 19 | register: smtpd_banner 20 | changed_when: false 21 | 22 | - name: Assert smtpd banner is valid 23 | assert: 24 | that: smtpd_banner.stdout_lines[0] == 25 | 'smtpd_banner = ' ~ postfix_conf.smtpd_banner 26 | 27 | - name: Check firewall and selinux status 28 | include_tasks: check_firewall_selinux.yml 29 | -------------------------------------------------------------------------------- /tests/vars/rh_distros_vars.yml: -------------------------------------------------------------------------------- 1 | # vars for handling conditionals for RedHat and clones 2 | # DO NOT EDIT - file is auto-generated 3 | # repo is https://github.com/linux-system-roles/.github 4 | # file is playbooks/templates/tests/vars/rh_distros_vars.yml 5 | --- 6 | # Ansible distribution identifiers that the role treats like RHEL 7 | __postfix_rh_distros: 8 | - AlmaLinux 9 | - CentOS 10 | - RedHat 11 | - Rocky 12 | 13 | # Same as above but includes Fedora 14 | __postfix_rh_distros_fedora: "{{ __postfix_rh_distros + ['Fedora'] }}" 15 | 16 | # Use this in conditionals to check if distro is Red Hat or clone 17 | __postfix_is_rh_distro: "{{ ansible_distribution in __postfix_rh_distros }}" 18 | 19 | # Use this in conditionals to check if distro is Red Hat or clone, or Fedora 20 | __postfix_is_rh_distro_fedora: "{{ ansible_distribution in __postfix_rh_distros_fedora }}" 21 | -------------------------------------------------------------------------------- /.github/workflows/pr-title-lint.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: PR Title Lint 3 | on: # yamllint disable-line rule:truthy 4 | pull_request: 5 | types: 6 | - opened 7 | - synchronize 8 | - reopened 9 | - edited 10 | merge_group: 11 | branches: 12 | - main 13 | types: 14 | - checks_requested 15 | permissions: 16 | contents: read 17 | jobs: 18 | commit-checks: 19 | runs-on: ubuntu-latest 20 | steps: 21 | - uses: actions/checkout@v6 22 | with: 23 | fetch-depth: 0 24 | 25 | - name: Install conventional-commit linter 26 | run: npm install @commitlint/config-conventional @commitlint/cli 27 | 28 | - name: Run commitlint on PR title 29 | env: 30 | PR_TITLE: ${{ github.event.pull_request.title }} 31 | # Echo from env variable to avoid bash errors with extra characters 32 | run: echo "$PR_TITLE" | npx commitlint --verbose 33 | -------------------------------------------------------------------------------- /molecule/default/molecule.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | --- 3 | dependency: 4 | name: galaxy 5 | driver: 6 | name: ${LSR_MOLECULE_DRIVER:-docker} 7 | platforms: 8 | - name: centos-6 9 | image: registry.centos.org/centos:6 10 | volumes: 11 | - /sys/fs/cgroup:/sys/fs/cgroup:ro 12 | privileged: true 13 | command: /sbin/init 14 | - name: centos-7 15 | image: registry.centos.org/centos/systemd:latest 16 | volumes: 17 | - /sys/fs/cgroup:/sys/fs/cgroup:ro 18 | privileged: true 19 | command: /usr/lib/systemd/systemd --system 20 | - name: centos-8 21 | image: registry.centos.org/centos:8 22 | volumes: 23 | - /sys/fs/cgroup:/sys/fs/cgroup:ro 24 | privileged: true 25 | command: /usr/lib/systemd/systemd --system 26 | provisioner: 27 | name: ansible 28 | log: true 29 | playbooks: 30 | converge: ../../tests/tests_default.yml 31 | scenario: 32 | name: default 33 | test_sequence: 34 | - destroy 35 | - create 36 | - converge 37 | - idempotence 38 | - check 39 | - destroy 40 | -------------------------------------------------------------------------------- /.github/workflows/markdownlint.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # yamllint disable rule:line-length 3 | name: Markdown Lint 4 | on: # yamllint disable-line rule:truthy 5 | pull_request: 6 | merge_group: 7 | branches: 8 | - main 9 | types: 10 | - checks_requested 11 | push: 12 | branches: 13 | - main 14 | workflow_dispatch: 15 | permissions: 16 | contents: read 17 | jobs: 18 | markdownlint: 19 | runs-on: ubuntu-latest 20 | steps: 21 | - name: Update pip, git 22 | run: | 23 | set -euxo pipefail 24 | sudo apt update 25 | sudo apt install -y git 26 | 27 | - name: Check out code 28 | uses: actions/checkout@v6 29 | 30 | # CHANGELOG.md is generated automatically from PR titles and descriptions 31 | # It might have issues but they are not critical 32 | - name: Lint all markdown files except for CHANGELOG.md 33 | uses: docker://avtodev/markdown-lint:master 34 | with: 35 | args: >- 36 | --ignore=CHANGELOG.md 37 | **/*.md 38 | config: .markdownlint.yaml 39 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Postfix configuration dictionary, e.g.: 3 | # postfix_conf: 4 | # relay_domains: "$mydestination" 5 | # relayhost: "example.com" 6 | # 7 | postfix_conf: {} 8 | 9 | # Additional config maps/files, e.g.: 10 | # postfix_files: 11 | # - name: 'sasl_passwd' 12 | # content: 'smtp.example.com user@example.com:myFirstPassword 13 | # postmap: true 14 | # - name: 'sender_canonical_maps' 15 | # content: '/.+/ user@example.com' 16 | postfix_files: [] 17 | 18 | # Whether to run 'postfix check' before it's started 19 | postfix_check: true 20 | 21 | # Whether to make backup of current config 22 | postfix_backup: false 23 | 24 | # Whether to do multiple backups with timestamp (if true) or 25 | # single backup (if false and postfix_backup == true) 26 | postfix_backup_multiple: true 27 | 28 | # If true, manage the smtp related ports, 25/tcp, 465/tcp, and 29 | # 587/tcp using the firewall role. 30 | postfix_manage_firewall: false 31 | 32 | # If true, manage the smtp related ports, 25/tcp, 465/tcp, and 33 | # 587/tcp using the selinux role. 34 | postfix_manage_selinux: false 35 | -------------------------------------------------------------------------------- /.github/workflows/ansible-managed-var-comment.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Check for ansible_managed variable use in comments 3 | on: # yamllint disable-line rule:truthy 4 | pull_request: 5 | merge_group: 6 | branches: 7 | - main 8 | types: 9 | - checks_requested 10 | push: 11 | branches: 12 | - main 13 | workflow_dispatch: 14 | permissions: 15 | contents: read 16 | jobs: 17 | ansible_managed_var_comment: 18 | runs-on: ubuntu-latest 19 | steps: 20 | - name: Update pip, git 21 | run: | 22 | set -euxo pipefail 23 | python3 -m pip install --upgrade pip 24 | sudo apt update 25 | sudo apt install -y git 26 | 27 | - name: Checkout repo 28 | uses: actions/checkout@v6 29 | 30 | - name: Install tox, tox-lsr 31 | run: | 32 | set -euxo pipefail 33 | pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.14.0" 34 | 35 | - name: Run ansible-plugin-scan 36 | run: | 37 | set -euxo pipefail 38 | TOXENV=ansible-managed-var-comment lsr_ci_runtox 39 | -------------------------------------------------------------------------------- /tests/tests_disable_ipv6.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Ensure that the rule runs with IPv6 disabled 3 | hosts: all 4 | tags: 5 | - tests::reboot 6 | gather_facts: false 7 | tasks: 8 | - name: Disable IPv6 9 | include_role: 10 | name: fedora.linux_system_roles.bootloader 11 | vars: 12 | bootloader_settings: 13 | - kernel: ALL 14 | options: 15 | - name: ipv6.disable_ipv6 16 | value: "1" 17 | bootloader_reboot_ok: true 18 | 19 | - name: Run handlers 20 | meta: flush_handlers 21 | 22 | - name: Run the postfix role 23 | include_role: 24 | name: linux-system-roles.postfix 25 | public: true 26 | 27 | - name: Enable IPv6 28 | include_role: 29 | name: fedora.linux_system_roles.bootloader 30 | vars: 31 | bootloader_settings: 32 | - kernel: ALL 33 | options: 34 | - name: ipv6.disable_ipv6 35 | state: absent 36 | bootloader_reboot_ok: true 37 | 38 | - name: Run handlers again 39 | meta: flush_handlers 40 | -------------------------------------------------------------------------------- /tasks/set_facts.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: BSD-3-Clause 2 | --- 3 | - name: Ensure ansible_facts used by role are present 4 | setup: 5 | gather_subset: "{{ __postfix_required_facts_subsets }}" 6 | when: __postfix_required_facts | 7 | difference(ansible_facts.keys() | list) | length > 0 8 | 9 | - name: Determine if system is ostree and set flag 10 | when: not __postfix_is_ostree is defined 11 | block: 12 | - name: Check if system is ostree 13 | stat: 14 | path: /run/ostree-booted 15 | register: __ostree_booted_stat 16 | 17 | - name: Set flag to indicate system is ostree 18 | set_fact: 19 | __postfix_is_ostree: "{{ __ostree_booted_stat.stat.exists }}" 20 | 21 | - name: Set platform/version specific variables 22 | include_vars: "{{ __postfix_vars_file }}" 23 | loop: 24 | - "{{ ansible_os_family }}.yml" 25 | - "{{ ansible_distribution }}.yml" 26 | - "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml" 27 | - "{{ ansible_distribution }}_{{ ansible_distribution_version }}.yml" 28 | vars: 29 | __postfix_vars_file: "{{ role_path }}/vars/{{ item }}" 30 | when: __postfix_vars_file is file 31 | -------------------------------------------------------------------------------- /tests/check_firewall_selinux.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | --- 3 | # Assume firewalld and selinux are not manually configured. 4 | - name: Manage firewall 5 | when: 6 | - postfix_manage_firewall | bool 7 | - ansible_facts['os_family'] == 'RedHat' 8 | - ansible_facts['distribution_version'] is version('7', '>=') 9 | block: 10 | - name: Get the firewall services 11 | shell: |- 12 | set -euo pipefail 13 | firewall-cmd --list-services 14 | register: __services 15 | changed_when: false 16 | 17 | - name: Assert the expected services are configured 18 | assert: 19 | that: item in __service_list 20 | vars: 21 | __service_list: "{{ __services.stdout.split(' ') }}" 22 | loop: 23 | - smtp 24 | - smtps 25 | - smtp-submission 26 | 27 | - name: Manage SELinux 28 | when: postfix_manage_selinux | bool 29 | block: 30 | - name: Ensure smtp ports are retrieved 31 | assert: 32 | that: _postfix_selinux | length > 0 33 | 34 | - name: Check associated selinux 35 | shell: |- 36 | set -euo pipefail 37 | semanage port --list -C | grep "smtp_port_t" | \ 38 | grep "{{ item['proto'] }}" | grep "{{ item['ports'] }}" 39 | changed_when: false 40 | loop: "{{ _postfix_selinux }}" 41 | -------------------------------------------------------------------------------- /.github/workflows/test_converting_readme.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # yamllint disable rule:line-length 3 | name: Test converting README.md to README.html 4 | on: # yamllint disable-line rule:truthy 5 | pull_request: 6 | merge_group: 7 | branches: 8 | - main 9 | types: 10 | - checks_requested 11 | push: 12 | branches: 13 | - main 14 | permissions: 15 | contents: read 16 | jobs: 17 | test_converting_readme: 18 | runs-on: ubuntu-latest 19 | permissions: 20 | contents: write 21 | steps: 22 | - name: Update pip, git 23 | run: | 24 | set -euxo pipefail 25 | sudo apt update 26 | sudo apt install -y git 27 | 28 | - name: Check out code 29 | uses: actions/checkout@v6 30 | 31 | - name: Remove badges from README.md prior to converting to HTML 32 | run: sed -i '1,8 {/^\[\!.*actions\/workflows/d}' README.md 33 | 34 | - name: Convert README.md to HTML 35 | uses: docker://pandoc/core:latest 36 | with: 37 | args: >- 38 | --from gfm --to html5 --toc --shift-heading-level-by=-1 39 | --template .pandoc_template.html5 40 | --output README.html README.md 41 | 42 | - name: Upload README.html as an artifact 43 | uses: actions/upload-artifact@v5 44 | with: 45 | name: README.html 46 | path: README.html 47 | -------------------------------------------------------------------------------- /vars/main.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-only 2 | --- 3 | # List of default rpm packages to install. 4 | __postfix_packages: 5 | - postfix 6 | 7 | __postfix_smtp_services: 8 | - smtp 9 | - smtps 10 | - smtp-submission 11 | 12 | # ansible_facts required by the role 13 | __postfix_required_facts: 14 | - distribution_version 15 | - os_family 16 | 17 | # the subsets of ansible_facts that need to be gathered in case any of the 18 | # facts in required_facts is missing; see the documentation of 19 | # the 'gather_subset' parameter of the 'setup' module 20 | __postfix_required_facts_subsets: "{{ ['!all', '!min'] + 21 | __postfix_required_facts }}" 22 | 23 | # BEGIN - DO NOT EDIT THIS BLOCK - rh distros variables 24 | # Ansible distribution identifiers that the role treats like RHEL 25 | __postfix_rh_distros: 26 | - AlmaLinux 27 | - CentOS 28 | - RedHat 29 | - Rocky 30 | 31 | # Same as above but includes Fedora 32 | __postfix_rh_distros_fedora: "{{ __postfix_rh_distros + ['Fedora'] }}" 33 | 34 | # Use this in conditionals to check if distro is Red Hat or clone 35 | __postfix_is_rh_distro: "{{ ansible_distribution in __postfix_rh_distros }}" 36 | 37 | # Use this in conditionals to check if distro is Red Hat or clone, or Fedora 38 | __postfix_is_rh_distro_fedora: "{{ ansible_distribution in __postfix_rh_distros_fedora }}" 39 | # END - DO NOT EDIT THIS BLOCK - rh distros variables 40 | -------------------------------------------------------------------------------- /.github/workflows/ansible-test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Ansible Test 3 | on: # yamllint disable-line rule:truthy 4 | pull_request: 5 | merge_group: 6 | branches: 7 | - main 8 | types: 9 | - checks_requested 10 | push: 11 | branches: 12 | - main 13 | workflow_dispatch: 14 | env: 15 | LSR_ROLE2COLL_NAMESPACE: fedora 16 | LSR_ROLE2COLL_NAME: linux_system_roles 17 | permissions: 18 | contents: read 19 | jobs: 20 | ansible_test: 21 | runs-on: ubuntu-latest 22 | steps: 23 | - name: Update pip, git 24 | run: | 25 | set -euxo pipefail 26 | python3 -m pip install --upgrade pip 27 | sudo apt update 28 | sudo apt install -y git 29 | 30 | - name: Checkout repo 31 | uses: actions/checkout@v6 32 | 33 | - name: Install tox, tox-lsr 34 | run: | 35 | set -euxo pipefail 36 | pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.14.0" 37 | 38 | - name: Convert role to collection format 39 | run: | 40 | set -euxo pipefail 41 | TOXENV=collection lsr_ci_runtox 42 | 43 | - name: Run ansible-test 44 | uses: ansible-community/ansible-test-gh-action@release/v1 45 | with: 46 | testing-type: sanity # wokeignore:rule=sanity 47 | ansible-core-version: stable-2.17 48 | collection-src-directory: ${{ github.workspace }}/.tox/ansible_collections/${{ env.LSR_ROLE2COLL_NAMESPACE }}/${{ env.LSR_ROLE2COLL_NAME }} 49 | -------------------------------------------------------------------------------- /molecule/default/Dockerfile.j2: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | # Molecule managed 3 | 4 | {% if item.registry is defined %} 5 | FROM {{ item.registry.url }}/{{ item.image }} 6 | {% else %} 7 | FROM {{ item.image }} 8 | {% endif %} 9 | 10 | RUN set -euo pipefail; \ 11 | pkgs="python sudo yum-plugin-ovl bash"; \ 12 | if grep 'CentOS release 6' /etc/centos-release > /dev/null 2>&1; then \ 13 | for file in /etc/yum.repos.d/CentOS-*.repo; do \ 14 | if ! grep '^baseurl=.*vault[.]centos[.]org' "$file"; then \ 15 | sed -i -e 's,^mirrorlist,#mirrorlist,' \ 16 | -e 's,^#baseurl=,baseurl=,' \ 17 | -e 's,mirror.centos.org/centos/$releasever,vault.centos.org/6.10,' \ 18 | "$file"; \ 19 | fi; \ 20 | done; \ 21 | pkgs="$pkgs upstart chkconfig initscripts"; \ 22 | fi; \ 23 | if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ 24 | elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python3 sudo python3-devel python3-dnf bash && dnf clean all; \ 25 | elif [ $(command -v yum) ]; then yum makecache fast && yum install -y $pkgs && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ 26 | elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ 27 | elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ 28 | elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi 29 | -------------------------------------------------------------------------------- /tests/tests_set_file.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create a postmapped file 3 | hosts: all 4 | 5 | vars: 6 | postfix_files: 7 | - name: test 8 | content: test 9 | postmap: true 10 | __test_file_suffix: "{{ '.lmdb' 11 | if postfix_default_database_type == 'lmdb' 12 | else '.db' }}" 13 | 14 | tasks: 15 | - name: Run the role with test postmap file 16 | include_role: 17 | name: linux-system-roles.postfix 18 | public: true 19 | 20 | - name: Check if postmap file exists 21 | stat: 22 | path: /etc/postfix/test{{ __test_file_suffix }} 23 | register: test_file 24 | changed_when: false 25 | 26 | - name: Assert file is present 27 | assert: 28 | that: test_file.stat.exists 29 | 30 | - name: Check relay_domains 31 | when: ansible_version["major"] > 2 or ansible_version["minor"] > 9 32 | block: 33 | # cannot use postfix_default_database_type with postfix_conf 34 | # in ansible 2.9 35 | - name: Run the role to test postfix_default_database_type 36 | include_role: 37 | name: linux-system-roles.postfix 38 | public: true 39 | vars: 40 | postfix_conf: 41 | relay_domains: "{{ 42 | postfix_default_database_type }}:/etc/postfix/relay_domains" 43 | 44 | - name: Get relay_domains 45 | command: postconf -h relay_domains 46 | changed_when: false 47 | register: __test_relay_domains 48 | 49 | - name: Check relay_domains 50 | assert: 51 | that: __test_relay_domains.stdout | trim == 52 | postfix_default_database_type ~ ":/etc/postfix/relay_domains" 53 | 54 | - name: Clean up test files 55 | file: 56 | path: /etc/postfix/test{{ __test_file_suffix }} 57 | state: absent 58 | -------------------------------------------------------------------------------- /tasks/manage_config.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # input __postfix_conf - dict of key/value pairs to apply 3 | - name: Apply changes 4 | when: __postfix_has_config_changed | d("") is search("True") 5 | block: 6 | - name: Gather facts for ansible_date_time 7 | setup: 8 | filter: ansible_date_time 9 | when: postfix_backup_multiple | bool 10 | 11 | - name: Backup configuration 12 | copy: 13 | remote_src: true 14 | src: /etc/postfix/main.cf 15 | dest: /etc/postfix/main.cf.{{ postfix_backup_multiple | 16 | ternary(ansible_date_time.iso8601, "backup") }} 17 | mode: "0644" 18 | when: postfix_backup or postfix_backup_multiple 19 | 20 | - name: Ensure Last modified header is absent 21 | lineinfile: 22 | path: /etc/postfix/main.cf 23 | regexp: '# Last modified:' 24 | state: absent 25 | 26 | # Previously, the role inserted a plain-text comment at the top of main.cf. 27 | # This task removes this outdated header for compatibility. 28 | - name: Ensure the outdated ansible managed header is absent 29 | lineinfile: 30 | path: /etc/postfix/main.cf 31 | regexp: "# This file is managed by [aA]nsible" 32 | state: absent 33 | 34 | - name: Ensure ansible_managed header in configuration file 35 | vars: 36 | __lsr_ansible_managed: "{{ 37 | lookup('template', 'get_ansible_managed.j2') }}" 38 | blockinfile: 39 | path: /etc/postfix/main.cf 40 | block: "{{ __lsr_ansible_managed }}" 41 | insertbefore: BOF 42 | 43 | - name: Configure Postfix 44 | command: postconf -e {{ item.key | quote }}={{ item.value | quote }} 45 | notify: 46 | - Check postfix 47 | - Restart postfix 48 | with_dict: "{{ __postfix_conf }}" 49 | when: 50 | - item.key not in ['previous'] 51 | - __postfix_has_config_changed 52 | | d("") is search("True itemstr " ~ item.key) 53 | changed_when: 54 | - item.key not in ['previous'] 55 | - __postfix_has_config_changed 56 | | d("") is search("True itemstr " ~ item.key) 57 | -------------------------------------------------------------------------------- /tests/tests_previous_replaced.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Test setting previous=replaced with postfix_conf 3 | hosts: all 4 | tasks: 5 | - name: Run the role with previous=replaced only 6 | include_role: 7 | name: linux-system-roles.postfix 8 | public: true 9 | vars: 10 | postfix_manage_firewall: true 11 | postfix_manage_selinux: false 12 | postfix_conf: 13 | previous: replaced 14 | 15 | - name: Check firewall and selinux status 16 | include_tasks: check_firewall_selinux.yml 17 | 18 | - name: Run the role to configure relay_domains and relayhost 19 | include_role: 20 | name: linux-system-roles.postfix 21 | public: true 22 | vars: 23 | postfix_manage_firewall: true 24 | postfix_manage_selinux: true 25 | postfix_conf: 26 | relay_domains: London 27 | relayhost: example.com 28 | 29 | - name: Flush handlers 30 | meta: flush_handlers 31 | 32 | - name: Check firewall and selinux status again 33 | include_tasks: check_firewall_selinux.yml 34 | 35 | - name: Check header for ansible_managed, fingerprint 36 | include_tasks: tasks/check_header.yml 37 | vars: 38 | __file: /etc/postfix/main.cf 39 | __fingerprint: "system_role:postfix" 40 | 41 | - name: Reset all settings and configure relay_domains 42 | include_role: 43 | name: linux-system-roles.postfix 44 | vars: 45 | postfix_conf: 46 | previous: replaced 47 | relay_domains: Liverpool city 48 | 49 | - name: Flush handlers again 50 | meta: flush_handlers 51 | 52 | - name: Print postfix settings that have explicit value set 53 | command: postconf -n 54 | register: __postfix_explicit_config 55 | changed_when: false 56 | 57 | - name: Verify that relayhost is unset and relay_domains is set 58 | assert: 59 | that: 60 | - __postfix_explicit_config.stdout is search( 61 | "relay_domains = Liverpool city") 62 | - (__postfix_explicit_config.stdout | regex_search('^relayhost\\s*=\\s*$', multiline=True)) or 63 | __postfix_explicit_config.stdout is not search("relayhost") 64 | -------------------------------------------------------------------------------- /README-ostree.md: -------------------------------------------------------------------------------- 1 | # rpm-ostree 2 | 3 | The role supports running on [rpm-ostree](https://coreos.github.io/rpm-ostree/) 4 | systems. The primary issue is that the `/usr` filesystem is read-only, and the 5 | role cannot install packages. Instead, it will just verify that the necessary 6 | packages and any other `/usr` files are pre-installed. The role will change the 7 | package manager to one that is compatible with `rpm-ostree` systems. 8 | 9 | ## Building 10 | 11 | To build an ostree image for a particular operating system distribution and 12 | version, use the script `.ostree/get_ostree_data.sh` to get the list of 13 | packages. If the role uses other system roles, then the script will include the 14 | packages for the other roles in the list it outputs. The list of packages will 15 | be sorted in alphanumeric order. 16 | 17 | Usage: 18 | 19 | ```bash 20 | .ostree/get_ostree_data.sh packages runtime DISTRO-VERSION FORMAT 21 | ``` 22 | 23 | `DISTRO-VERSION` is in the format that Ansible uses for `ansible_distribution` 24 | and `ansible_distribution_version` - for example, `Fedora-38`, `CentOS-8`, 25 | `RedHat-9.4` 26 | 27 | `FORMAT` is one of `toml`, `json`, `yaml`, `raw` 28 | 29 | * `toml` - each package in a TOML `[[packages]]` element 30 | 31 | ```toml 32 | [[packages]] 33 | name = "package-a" 34 | version = "*" 35 | [[packages]] 36 | name = "package-b" 37 | version = "*" 38 | ... 39 | ``` 40 | 41 | * `yaml` - a YAML list of packages 42 | 43 | ```yaml 44 | - package-a 45 | - package-b 46 | ... 47 | ``` 48 | 49 | * `json` - a JSON list of packages 50 | 51 | ```json 52 | ["package-a","package-b",...] 53 | ``` 54 | 55 | * `raw` - a plain text list of packages, one per line 56 | 57 | ```bash 58 | package-a 59 | package-b 60 | ... 61 | ``` 62 | 63 | What format you choose depends on which image builder you are using. For 64 | example, if you are using something based on 65 | [osbuild-composer](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_installing_and_managing_rhel_for_edge_images/index#creating-an-image-builder-blueprint-for-a-rhel-for-edge-image-using-the-command-line-interface_composing-a-rhel-for-edge-image-using-image-builder-command-line), 66 | you will probably want to use the `toml` output format. 67 | -------------------------------------------------------------------------------- /.github/workflows/tft_citest_bad.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Re-run failed testing farm tests 3 | on: 4 | issue_comment: 5 | types: 6 | - created 7 | permissions: 8 | contents: read 9 | jobs: 10 | citest_bad_rerun: 11 | if: | 12 | github.event.issue.pull_request 13 | && contains(fromJson('["[citest_bad]", "[citest-bad]", "[citest bad]"]'), github.event.comment.body) 14 | && contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association) 15 | permissions: 16 | actions: write # for re-running failed jobs: https://docs.github.com/en/rest/actions/workflow-runs?apiVersion=2022-11-28#re-run-a-job-from-a-workflow-run 17 | runs-on: ubuntu-latest 18 | steps: 19 | - name: Wait 10s until tft.yml workflow is created and skipped because new comment don't match [citest] 20 | run: sleep 10s 21 | 22 | - name: Re-run failed jobs for this PR 23 | env: 24 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 25 | REPO: ${{ github.repository }} 26 | PR_TITLE: ${{ github.event.issue.title }} 27 | run: | 28 | PENDING_RUN=$(gh api "repos/$REPO/actions/workflows/tft.yml/runs?event=issue_comment" \ 29 | | jq -r "[.workflow_runs[] | select( .display_title == \"$PR_TITLE\") | \ 30 | select(.status == \"pending\" or .status == \"queued\" or .status == \"in_progress\") | .id][0]") 31 | # if pending run don't exist, take the last run with failure state 32 | if [ "$PENDING_RUN" != "null" ]; then 33 | echo "The workflow $PENDING_RUN is still running, wait for it to finish to re-run" 34 | exit 1 35 | fi 36 | # TF tests can fail or can be cancelled due to TF internal issues 37 | RUN_ID=$(gh api "repos/$REPO/actions/workflows/tft.yml/runs?event=issue_comment" \ 38 | | jq -r "[.workflow_runs[] | select( .display_title == \"$PR_TITLE\" ) | select( .conclusion == \"failure\" or .conclusion == \"cancelled\" ) | .id][0]") 39 | if [ "$RUN_ID" = "null" ]; then 40 | echo "Failed workflow not found, exiting" 41 | exit 1 42 | fi 43 | echo "Re-running workflow $RUN_ID" 44 | gh api --method POST repos/$REPO/actions/runs/$RUN_ID/rerun-failed-jobs 45 | -------------------------------------------------------------------------------- /plans/test_playbooks_parallel.fmf: -------------------------------------------------------------------------------- 1 | summary: A general test for a system role 2 | tag: playbooks_parallel 3 | provision: 4 | # TF uses `how: artemis`, and `tmt try`` uses `how: virtual`. 5 | # Hence there is no need to define `how` explicitly. 6 | - name: control-node1 7 | role: control_node 8 | - name: managed-node1 9 | role: managed_node 10 | - name: managed-node2 11 | role: managed_node 12 | environment: 13 | SR_ANSIBLE_VER: 2.17 14 | SR_REPO_NAME: postfix 15 | SR_PYTHON_VERSION: 3.12 16 | SR_ONLY_TESTS: "" # tests_default.yml 17 | SR_TEST_LOCAL_CHANGES: true 18 | SR_PR_NUM: "" 19 | SR_LSR_USER: "" 20 | SR_LSR_DOMAIN: "" 21 | SR_LSR_SSH_KEY: "" 22 | SR_ARTIFACTS_DIR: "" 23 | SR_ARTIFACTS_URL: "" 24 | SR_TFT_DEBUG: false 25 | prepare: 26 | - name: Use vault.centos.org repos (CS 7, 8 EOL workaround) 27 | script: | 28 | if grep -q 'CentOS Stream release 8' /etc/redhat-release; then 29 | sed -i '/^mirror/d;s/#\(baseurl=http:\/\/\)mirror/\1vault/' /etc/yum.repos.d/*.repo 30 | fi 31 | if grep -q 'CentOS Linux release 7.9' /etc/redhat-release; then 32 | sed -i '/^mirror/d;s/#\?\(baseurl=http:\/\/\)mirror/\1vault/' /etc/yum.repos.d/*.repo 33 | fi 34 | discover: 35 | - name: Prepare managed node 36 | how: fmf 37 | where: managed_node 38 | filter: tag:prep_managed_node 39 | url: https://github.com/linux-system-roles/tft-tests 40 | ref: main 41 | - name: Run test playbooks from control_node 42 | how: fmf 43 | where: control_node 44 | filter: tag:test_playbooks 45 | url: https://github.com/linux-system-roles/tft-tests 46 | ref: main 47 | # Uncomment this step for troubleshooting 48 | # This is required because currently testing-farm cli doesn't support running multi-node plans 49 | # You can set ID_RSA_PUB in the environment section above to your public key to distribute it to nodes 50 | # - name: Inject your ssh public key to test systems 51 | # how: fmf 52 | # where: control_node 53 | # filter: tag:reserve_system 54 | # url: https://github.com/linux-system-roles/tft-tests 55 | # ref: main 56 | adjust: 57 | - when: distro == rhel-9 or distro == centos-stream-9 or distro == rhel-10 or distro == centos-stream-10 58 | prepare+: 59 | - how: feature 60 | epel: enabled 61 | order: 10 62 | execute: 63 | how: tmt 64 | -------------------------------------------------------------------------------- /tasks/selinux.yml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: MIT 2 | --- 3 | - name: Manage SELinux for postfix ports 4 | when: postfix_manage_selinux | bool 5 | block: 6 | - name: Manage firewall for postfix ports 7 | when: 8 | - postfix_manage_firewall | bool 9 | - ansible_facts['os_family'] == 'RedHat' 10 | - ansible_facts['distribution_version'] is version('7', '>=') 11 | block: 12 | - name: Get the smtp related tcp service ports 13 | shell: |- 14 | set -euo pipefail 15 | ports="$(firewall-cmd --info-service="{{ item }}" | \ 16 | grep -E " +ports: +" | sed -e "s/ *ports: //")" || : 17 | if [ -z "$ports" ]; then 18 | include="$(firewall-cmd --info-service="{{ item }}" | \ 19 | awk '/^ +includes:/ {print $2}')" || : 20 | if [ -n "$include" ]; then 21 | ports="$(firewall-cmd --info-service="$include" | \ 22 | grep -E " +ports: +" | sed -e "s/ *ports: //")" 23 | fi 24 | fi 25 | if [ -z "$ports" ]; then 26 | exit 1 27 | fi 28 | echo "$ports" 29 | register: __ports 30 | changed_when: false 31 | loop: "{{ __postfix_smtp_services }}" 32 | 33 | - name: Initialize _postfix_selinux 34 | set_fact: 35 | _postfix_selinux: [] 36 | 37 | - name: Add the smtp related service ports to _postfix_selinux 38 | set_fact: 39 | _postfix_selinux: "{{ _postfix_selinux + 40 | [{'ports': _pair[0], 'proto': _pair[1], 'setype': 'smtp_port_t', 41 | 'state': 'present', 'local': 'true'}] }}" 42 | vars: 43 | _pair: "{{ item.stdout.split('/') | list }}" 44 | when: 45 | - _pair | length > 0 46 | loop: "{{ __ports.results }}" 47 | 48 | - name: "Set hardcoded ports to _postfix_selinux for 49 | no firewall or rhel-6 or not redhat" 50 | set_fact: 51 | _postfix_selinux: 52 | - {'ports': 25, 'proto': 'tcp', 'setype': 'smtp_port_t', 53 | 'state': 'present', 'local': 'true'} 54 | - {'ports': 465, 'proto': 'tcp', 'setype': 'smtp_port_t', 55 | 'state': 'present', 'local': 'true'} 56 | - {'ports': 587, 'proto': 'tcp', 'setype': 'smtp_port_t', 57 | 'state': 'present', 'local': 'true'} 58 | when: 59 | - (not postfix_manage_firewall | bool) or 60 | (ansible_facts['os_family'] != 'RedHat') or 61 | (ansible_facts['distribution_version'] is version('7', '<')) 62 | 63 | - name: Ensure the service and the ports status with the selinux role 64 | include_role: 65 | name: fedora.linux_system_roles.selinux 66 | vars: 67 | selinux_ports: "{{ _postfix_selinux }}" 68 | -------------------------------------------------------------------------------- /contributing.md: -------------------------------------------------------------------------------- 1 | # Contributing to the postfix Linux System Role 2 | 3 | ## Where to start 4 | 5 | The first place to go is [Contribute](https://linux-system-roles.github.io/contribute.html). 6 | This has all of the common information that all role developers need: 7 | 8 | * Role structure and layout 9 | * Development tools - How to run tests and checks 10 | * Ansible recommended practices 11 | * Basic git and github information 12 | * How to create git commits and submit pull requests 13 | 14 | **Bugs and needed implementations** are listed on 15 | [Github Issues](https://github.com/linux-system-roles/postfix/issues). 16 | Issues labeled with 17 | [**help wanted**](https://github.com/linux-system-roles/postfix/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22) 18 | are likely to be suitable for new contributors! 19 | 20 | **Code** is managed on [Github](https://github.com/linux-system-roles/postfix), using 21 | [Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests). 22 | 23 | ## Running CI Tests Locally 24 | 25 | ### Use tox-lsr with qemu 26 | 27 | The latest version of tox-lsr supports qemu testing. 28 | 29 | 30 | **Steps:** 31 | 32 | 1. If you are using RHEL or CentOS, enable the EPEL repository for your 33 | platform - 34 | 35 | 2. Use yum or dnf to install `standard-test-roles-inventory-qemu` 36 | * If for some reason dnf/yum do not work, just download the script from 37 | 38 | * copy to your `$PATH`, and make sure it is executable 39 | 40 | 3. Install tox 41 | * Use yum/dnf to install `python3-tox` - if that does not work, then use 42 | `pip install --user tox`, then make sure `~/.local/bin` is in your `$PATH` 43 | 44 | 4. Install tox-lsr 45 | 46 | ```bash 47 | pip install --user git+https://github.com/linux-system-roles/tox-lsr@main 48 | ``` 49 | 50 | 5. Download the config file to `~/.config/linux-system-roles.json` from 51 | 52 | 53 | 6. Assuming you are in a git clone of a role repo which has a tox.ini file - 54 | you can use e.g. 55 | 56 | ```bash 57 | tox -e qemu-ansible-core-2.14 -- --image-name centos-9 tests/tests_default.yml 58 | ``` 59 | 60 | There are many command line options and environment variables which can be used 61 | to control the behavior, and you can customize the testenv in tox.ini. See 62 | 63 | 64 | This method supports RHEL also - will download the latest image for a compose, 65 | and will set up the yum repos to point to internal composes. 66 | 67 | See for general 68 | development guidelines. 69 | -------------------------------------------------------------------------------- /.github/workflows/ansible-lint.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Ansible Lint 3 | on: # yamllint disable-line rule:truthy 4 | pull_request: 5 | merge_group: 6 | branches: 7 | - main 8 | types: 9 | - checks_requested 10 | push: 11 | branches: 12 | - main 13 | workflow_dispatch: 14 | env: 15 | LSR_ROLE2COLL_NAMESPACE: fedora 16 | LSR_ROLE2COLL_NAME: linux_system_roles 17 | permissions: 18 | contents: read 19 | jobs: 20 | ansible_lint: 21 | runs-on: ubuntu-latest 22 | steps: 23 | - name: Update pip, git 24 | run: | 25 | set -euxo pipefail 26 | sudo apt update 27 | sudo apt install -y git 28 | 29 | - name: Checkout repo 30 | uses: actions/checkout@v6 31 | 32 | - name: Install tox, tox-lsr 33 | run: | 34 | set -euxo pipefail 35 | pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.14.0" 36 | 37 | - name: Convert role to collection format 38 | id: collection 39 | run: | 40 | set -euxo pipefail 41 | TOXENV=collection lsr_ci_runtox 42 | coll_dir=".tox/ansible_collections/$LSR_ROLE2COLL_NAMESPACE/$LSR_ROLE2COLL_NAME" 43 | # cleanup after collection conversion 44 | rm -rf "$coll_dir/.ansible" .tox/ansible-plugin-scan 45 | # ansible-lint action requires a .git directory??? 46 | # https://github.com/ansible/ansible-lint/blob/main/action.yml#L45 47 | mkdir -p "$coll_dir/.git" 48 | meta_req_file="${{ github.workspace }}/meta/collection-requirements.yml" 49 | test_req_file="${{ github.workspace }}/tests/collection-requirements.yml" 50 | if [ -f "$meta_req_file" ] && [ -f "$test_req_file" ]; then 51 | coll_req_file="${{ github.workspace }}/req.yml" 52 | python -c 'import sys; import yaml 53 | hsh1 = yaml.safe_load(open(sys.argv[1])) 54 | hsh2 = yaml.safe_load(open(sys.argv[2])) 55 | coll = {} 56 | for item in hsh1["collections"] + hsh2["collections"]: 57 | if isinstance(item, dict): 58 | name = item["name"] 59 | rec = item 60 | else: 61 | name = item # assume string 62 | rec = {"name": name} 63 | if name not in coll: 64 | coll[name] = rec 65 | hsh1["collections"] = list(coll.values()) 66 | yaml.safe_dump(hsh1, open(sys.argv[3], "w"))' "$meta_req_file" "$test_req_file" "$coll_req_file" 67 | echo merged "$coll_req_file" 68 | cat "$coll_req_file" 69 | elif [ -f "$meta_req_file" ]; then 70 | coll_req_file="$meta_req_file" 71 | elif [ -f "$test_req_file" ]; then 72 | coll_req_file="$test_req_file" 73 | else 74 | coll_req_file="" 75 | fi 76 | echo "coll_req_file=$coll_req_file" >> $GITHUB_OUTPUT 77 | 78 | - name: Run ansible-lint 79 | uses: ansible/ansible-lint@v25 80 | with: 81 | working_directory: ${{ github.workspace }}/.tox/ansible_collections/${{ env.LSR_ROLE2COLL_NAMESPACE }}/${{ env.LSR_ROLE2COLL_NAME }} 82 | requirements_file: ${{ steps.collection.outputs.coll_req_file }} 83 | env: 84 | ANSIBLE_COLLECTIONS_PATH: ${{ github.workspace }}/.tox 85 | -------------------------------------------------------------------------------- /.github/workflows/weekly_ci.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # yamllint disable rule:line-length 3 | name: Weekly CI trigger 4 | on: # yamllint disable-line rule:truthy 5 | workflow_dispatch: 6 | schedule: 7 | - cron: 0 17 * * 6 8 | env: 9 | BRANCH_NAME: weekly-ci 10 | COMMIT_MESSAGE: "ci: This PR is to trigger periodic CI testing" 11 | BODY_MESSAGE: >- 12 | This PR is for the purpose of triggering periodic CI testing. 13 | We don't currently have a way to trigger CI without a PR, 14 | so this PR serves that purpose. 15 | COMMENT: "[citest]" 16 | permissions: 17 | contents: read 18 | jobs: 19 | weekly_ci: 20 | runs-on: ubuntu-latest 21 | permissions: 22 | issues: write 23 | pull-requests: write 24 | contents: write 25 | steps: 26 | - name: Update pip, git 27 | run: | 28 | set -euxo pipefail 29 | sudo apt update 30 | sudo apt install -y git 31 | 32 | - name: Checkout latest code 33 | uses: actions/checkout@v6 34 | with: 35 | fetch-depth: 0 36 | - name: Create or rebase commit, add dump_packages callback 37 | run: | 38 | set -euxo pipefail 39 | 40 | git config --global user.name "github-actions[bot]" 41 | git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" 42 | git checkout ${{ env.BRANCH_NAME }} || git checkout -b ${{ env.BRANCH_NAME }} 43 | git rebase main 44 | if [ ! -d tests/callback_plugins ]; then 45 | mkdir -p tests/callback_plugins 46 | fi 47 | curl -L -s -o tests/callback_plugins/dump_packages.py https://raw.githubusercontent.com/linux-system-roles/auto-maintenance/main/callback_plugins/dump_packages.py 48 | git add tests/callback_plugins 49 | git commit --allow-empty -m "${{ env.COMMIT_MESSAGE }}" 50 | git push -f --set-upstream origin ${{ env.BRANCH_NAME }} 51 | 52 | - name: Create and comment pull request 53 | uses: actions/github-script@v8 54 | with: 55 | github-token: ${{ secrets.GH_PUSH_TOKEN }} 56 | script: | 57 | const head = [context.repo.owner, ":", "${{ env.BRANCH_NAME }}"].join(""); 58 | const response = await github.rest.pulls.list({ 59 | owner: context.repo.owner, 60 | repo: context.repo.repo, 61 | head: head, 62 | base: context.ref, 63 | state: "open" 64 | }); 65 | let pr_number = ''; 66 | if (response.data.length === 0) { 67 | pr_number = (await github.rest.pulls.create({ 68 | owner: context.repo.owner, 69 | repo: context.repo.repo, 70 | title: "${{ env.COMMIT_MESSAGE }}", 71 | body: "${{ env.BODY_MESSAGE }}", 72 | head: "${{ env.BRANCH_NAME }}", 73 | base: context.ref, 74 | draft: true 75 | })).data.number; 76 | } else { 77 | pr_number = response.data[0].number; 78 | } 79 | github.rest.issues.createComment({ 80 | owner: context.repo.owner, 81 | repo: context.repo.repo, 82 | issue_number: pr_number, 83 | body: "${{ env.COMMENT }}", 84 | }); 85 | -------------------------------------------------------------------------------- /.github/workflows/changelog_to_tag.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # yamllint disable rule:line-length 3 | name: Tag, release, and publish role based on CHANGELOG.md push 4 | on: # yamllint disable-line rule:truthy 5 | push: 6 | branches: 7 | - main 8 | paths: 9 | - CHANGELOG.md 10 | permissions: 11 | contents: read 12 | jobs: 13 | tag_release_publish: 14 | runs-on: ubuntu-latest 15 | permissions: 16 | contents: write 17 | steps: 18 | - name: Update pip, git 19 | run: | 20 | set -euxo pipefail 21 | sudo apt update 22 | sudo apt install -y git 23 | 24 | - name: checkout PR 25 | uses: actions/checkout@v6 26 | 27 | - name: Get tag and message from the latest CHANGELOG.md commit 28 | id: tag 29 | run: | 30 | set -euxo pipefail 31 | print=false 32 | while read -r line; do 33 | if [[ "$line" =~ ^\[([0-9]+\.[0-9]+\.[0-9]+)\]\ -\ [0-9-]+ ]]; then 34 | if [ "$print" = false ]; then 35 | _tagname="${BASH_REMATCH[1]}" 36 | echo "$line" 37 | print=true 38 | else 39 | break 40 | fi 41 | elif [ "$print" = true ]; then 42 | echo "$line" 43 | fi 44 | done < CHANGELOG.md > ./.tagmsg.txt 45 | git fetch --all --tags 46 | for t in $( git tag -l ); do 47 | if [ "$t" = "$_tagname" ]; then 48 | echo INFO: tag "$t" already exists 49 | exit 1 50 | fi 51 | done 52 | # Get name of the branch that the change was pushed to 53 | _branch="${GITHUB_REF_NAME:-}" 54 | if [ "$_branch" = master ] || [ "$_branch" = main ]; then 55 | echo Using branch name ["$_branch"] as push branch 56 | else 57 | echo WARNING: GITHUB_REF_NAME ["$_branch"] is not main or master 58 | _branch=$( git branch -r | grep -o 'origin/HEAD -> origin/.*$' | \ 59 | awk -F'/' '{print $3}' || : ) 60 | fi 61 | if [ -z "$_branch" ]; then 62 | _branch=$( git branch --points-at HEAD --no-color --format='%(refname:short)' ) 63 | fi 64 | if [ -z "$_branch" ]; then 65 | echo ERROR: unable to determine push branch 66 | git branch -a 67 | exit 1 68 | fi 69 | echo "tagname=$_tagname" >> "$GITHUB_OUTPUT" 70 | echo "branch=$_branch" >> "$GITHUB_OUTPUT" 71 | - name: Create tag 72 | uses: mathieudutour/github-tag-action@v6.2 73 | with: 74 | github_token: ${{ secrets.GITHUB_TOKEN }} 75 | custom_tag: ${{ steps.tag.outputs.tagname }} 76 | tag_prefix: '' 77 | 78 | - name: Create Release 79 | id: create_release 80 | uses: ncipollo/release-action@v1 81 | with: 82 | tag: ${{ steps.tag.outputs.tagname }} 83 | name: Version ${{ steps.tag.outputs.tagname }} 84 | bodyFile: ./.tagmsg.txt 85 | makeLatest: true 86 | 87 | - name: Publish role to Galaxy 88 | uses: robertdebock/galaxy-action@1.2.1 89 | with: 90 | galaxy_api_key: ${{ secrets.galaxy_api_key }} 91 | git_branch: ${{ steps.tag.outputs.branch }} 92 | -------------------------------------------------------------------------------- /plans/README-plans.md: -------------------------------------------------------------------------------- 1 | # Introduction CI Testing Plans 2 | 3 | Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/postfix/blob/main/.github/workflows/tft.yml) GitHub workflow. 4 | 5 | The `plans/test_playbooks_parallel.fmf` plan is a test plan that runs test playbooks in parallel on multiple managed nodes. 6 | `plans/test_playbooks_parallel.fmf` is generated centrally from `https://github.com/linux-system-roles/.github/`. 7 | The automation calculates the number of managed nodes to provision with this formula: 8 | 9 | ```plain 10 | number-of-test-playbooks / 10 + 1 11 | ``` 12 | 13 | The `plans/test_playbooks_parallel.fmf` plan does the following steps: 14 | 15 | 1. Provisions systems to be used as a control node and as managed nodes. 16 | 2. Does the required preparation on systems. 17 | 3. For the given role and the given PR, runs the general test from [test.sh](https://github.com/linux-system-roles/tft-tests/blob/main/tests/general/test.sh). 18 | 19 | The [tft.yml](https://github.com/linux-system-roles/postfix/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access. 20 | This workflow uses Testing Farm's Github Action [Schedule tests on Testing Farm](https://github.com/marketplace/actions/schedule-tests-on-testing-farm). 21 | 22 | ## Running Tests 23 | 24 | You can run tests locally with the `tmt try` cli or remotely in Testing Farm. 25 | 26 | ### Running Tests Locally 27 | 28 | 1. Install `tmt` as described in [Installation](https://tmt.readthedocs.io/en/stable/stories/install.html). 29 | 2. Change to the role repository directory. 30 | 3. Modify `plans/test_playbooks_parallel.fmf` to suit your requirements: 31 | 1. Due to [issue #3138](https://github.com/teemtee/tmt/issues/3138), comment out all managed nodes except for one. 32 | 2. Optionally modify environment variables to, e.g. run only specified test playbooks by modifying `SYSTEM_ROLES_ONLY_TESTS`. 33 | 4. Enter `tmt try -p plans/test_playbooks_parallel `. 34 | This command identifies the `plans/test_playbooks_parallel.fmf` plan and provisions local VMs, a control node and a managed node. 35 | 5. `tmt try` is in development and does not identify tests from URL automatically, so after provisioning the machines, you must type `t`, `p`, `t` from the interactive prompt to identify tests, run preparation steps, and run the tests. 36 | 37 | ### Running in Testing Farm 38 | 39 | 1. Install `testing-farm` as described in [Installation](https://gitlab.com/testing-farm/cli/-/blob/main/README.adoc#user-content-installation). 40 | 2. Change to the role repository directory. 41 | 3. If you want to run tests with edits in your branch, you need to commit and push changes first to some branch. 42 | 4. You can uncomment "Inject your ssh public key to test systems" discover step in the plan if you want to troubleshoot tests by SSHing into test systems in Testing Farm. 43 | 5. Enter `testing-farm request`. 44 | Edit to your needs. 45 | 46 | ```bash 47 | $ TESTING_FARM_API_TOKEN= \ 48 | testing-farm request --pipeline-type="tmt-multihost" \ 49 | --plan-filter="tag:playbooks_parallel" \ 50 | --git-url "https://github.com//postfix" \ 51 | --git-ref "" \ 52 | --compose CentOS-Stream-9 \ 53 | -e "SYSTEM_ROLES_ONLY_TESTS=tests_default.yml" \ 54 | --no-wait 55 | ``` 56 | -------------------------------------------------------------------------------- /.github/workflows/build_docs.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # yamllint disable rule:line-length 3 | name: Convert README.md to HTML and push to docs branch 4 | on: # yamllint disable-line rule:truthy 5 | push: 6 | branches: 7 | - main 8 | paths: 9 | - README.md 10 | release: 11 | types: 12 | - published 13 | permissions: 14 | contents: read 15 | jobs: 16 | build_docs: 17 | runs-on: ubuntu-latest 18 | permissions: 19 | contents: write 20 | steps: 21 | - name: Update pip, git 22 | run: | 23 | set -euxo pipefail 24 | sudo apt update 25 | sudo apt install -y git 26 | 27 | - name: Check out code 28 | uses: actions/checkout@v6 29 | with: 30 | fetch-depth: 0 31 | - name: Ensure the docs branch 32 | run: | 33 | set -euxo pipefail 34 | branch=docs 35 | existed_in_remote=$(git ls-remote --heads origin $branch) 36 | 37 | if [ -z "${existed_in_remote}" ]; then 38 | echo "Creating $branch branch" 39 | git config --global user.name "${{ github.actor }}" 40 | git config --global user.email "${{ github.actor }}@users.noreply.github.com" 41 | git checkout --orphan $branch 42 | git reset --hard 43 | git commit --allow-empty -m "Initializing $branch branch" 44 | git push origin $branch 45 | echo "Created $branch branch" 46 | else 47 | echo "Branch $branch already exists" 48 | fi 49 | 50 | - name: Checkout the docs branch 51 | uses: actions/checkout@v6 52 | with: 53 | ref: docs 54 | 55 | - name: Fetch README.md and .pandoc_template.html5 template from the workflow branch 56 | uses: actions/checkout@v6 57 | with: 58 | sparse-checkout: | 59 | README.md 60 | .pandoc_template.html5 61 | sparse-checkout-cone-mode: false 62 | path: ref_branch 63 | - name: Set RELEASE_VERSION based on whether run on release or on push 64 | run: | 65 | set -euxo pipefail 66 | if [ ${{ github.event_name }} = release ]; then 67 | echo "RELEASE_VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV 68 | elif [ ${{ github.event_name }} = push ]; then 69 | echo "RELEASE_VERSION=latest" >> $GITHUB_ENV 70 | else 71 | echo Unsupported event 72 | exit 1 73 | fi 74 | 75 | - name: Ensure that version and docs directories exist 76 | run: mkdir -p ${{ env.RELEASE_VERSION }} docs 77 | 78 | - name: Remove badges from README.md prior to converting to HTML 79 | run: sed -i '1,8 {/^\[\!.*actions\/workflows/d}' ref_branch/README.md 80 | 81 | - name: Convert README.md to HTML and save to the version directory 82 | uses: docker://pandoc/core:latest 83 | with: 84 | args: >- 85 | --from gfm --to html5 --toc --shift-heading-level-by=-1 86 | --template ref_branch/.pandoc_template.html5 87 | --output ${{ env.RELEASE_VERSION }}/README.html ref_branch/README.md 88 | 89 | - name: Copy latest README.html to docs/index.html for GitHub pages 90 | if: env.RELEASE_VERSION == 'latest' 91 | run: cp ${{ env.RELEASE_VERSION }}/README.html docs/index.html 92 | 93 | - name: Upload README.html as an artifact 94 | uses: actions/upload-artifact@v5 95 | with: 96 | name: README.html 97 | path: ${{ env.RELEASE_VERSION }}/README.html 98 | 99 | - name: Commit changes 100 | run: | 101 | git config --global user.name "${{ github.actor }}" 102 | git config --global user.email "${{ github.actor }}@users.noreply.github.com" 103 | git add ${{ env.RELEASE_VERSION }}/README.html docs/index.html 104 | git commit -m "Update README.html for ${{ env.RELEASE_VERSION }}" 105 | 106 | - name: Push changes 107 | uses: ad-m/github-push-action@master 108 | with: 109 | github_token: ${{ secrets.GITHUB_TOKEN }} 110 | branch: docs 111 | -------------------------------------------------------------------------------- /.commitlintrc.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | parserPreset: 'conventional-changelog-conventionalcommits', 3 | rules: { 4 | 'body-leading-blank': [1, 'always'], 5 | 'body-max-line-length': [2, 'always', 100], 6 | 'footer-leading-blank': [1, 'always'], 7 | 'footer-max-line-length': [2, 'always', 100], 8 | 'header-max-length': [2, 'always', 100], 9 | 'subject-case': [ 10 | 2, 11 | 'never', 12 | ['start-case', 'pascal-case', 'upper-case'], 13 | ], 14 | 'subject-empty': [2, 'never'], 15 | 'subject-full-stop': [2, 'never', '.'], 16 | 'type-case': [2, 'always', 'lower-case'], 17 | 'type-empty': [2, 'never'], 18 | 'type-enum': [ 19 | 2, 20 | 'always', 21 | [ 22 | 'build', 23 | 'chore', 24 | 'ci', 25 | 'docs', 26 | 'feat', 27 | 'fix', 28 | 'perf', 29 | 'refactor', 30 | 'revert', 31 | 'style', 32 | 'test', 33 | 'tests', 34 | ], 35 | ], 36 | }, 37 | prompt: { 38 | questions: { 39 | type: { 40 | description: "Select the type of change that you're committing", 41 | enum: { 42 | feat: { 43 | description: 'A new feature', 44 | title: 'Features', 45 | emoji: '✨', 46 | }, 47 | fix: { 48 | description: 'A bug fix', 49 | title: 'Bug Fixes', 50 | emoji: '🐛', 51 | }, 52 | docs: { 53 | description: 'Documentation only changes', 54 | title: 'Documentation', 55 | emoji: '📚', 56 | }, 57 | style: { 58 | description: 59 | 'Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)', 60 | title: 'Styles', 61 | emoji: '💎', 62 | }, 63 | refactor: { 64 | description: 65 | 'A code change that neither fixes a bug nor adds a feature', 66 | title: 'Code Refactoring', 67 | emoji: '📦', 68 | }, 69 | perf: { 70 | description: 'A code change that improves performance', 71 | title: 'Performance Improvements', 72 | emoji: '🚀', 73 | }, 74 | test: { 75 | description: 'Adding missing tests or correcting existing tests', 76 | title: 'Tests', 77 | emoji: '🚨', 78 | }, 79 | tests: { 80 | description: 'Adding missing tests or correcting existing tests', 81 | title: 'Tests', 82 | emoji: '🚨', 83 | }, 84 | build: { 85 | description: 86 | 'Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)', 87 | title: 'Builds', 88 | emoji: '🛠', 89 | }, 90 | ci: { 91 | description: 92 | 'Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)', 93 | title: 'Continuous Integrations', 94 | emoji: '⚙️', 95 | }, 96 | chore: { 97 | description: "Other changes that don't modify src or test files", 98 | title: 'Chores', 99 | emoji: '♻️', 100 | }, 101 | revert: { 102 | description: 'Reverts a previous commit', 103 | title: 'Reverts', 104 | emoji: '🗑', 105 | }, 106 | }, 107 | }, 108 | scope: { 109 | description: 110 | 'What is the scope of this change (e.g. component or file name)', 111 | }, 112 | subject: { 113 | description: 114 | 'Write a short, imperative tense description of the change', 115 | }, 116 | body: { 117 | description: 'Provide a longer description of the change', 118 | }, 119 | isBreaking: { 120 | description: 'Are there any breaking changes?', 121 | }, 122 | breakingBody: { 123 | description: 124 | 'A BREAKING CHANGE commit requires a body. Please enter a longer description of the commit itself', 125 | }, 126 | breaking: { 127 | description: 'Describe the breaking changes', 128 | }, 129 | isIssueAffected: { 130 | description: 'Does this change affect any open issues?', 131 | }, 132 | issuesBody: { 133 | description: 134 | 'If issues are closed, the commit requires a body. Please enter a longer description of the commit itself', 135 | }, 136 | issues: { 137 | description: 'Add issue references (e.g. "fix #123", "re #123".)', 138 | }, 139 | }, 140 | }, 141 | }; 142 | -------------------------------------------------------------------------------- /.ostree/get_ostree_data.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | ostree_dir="${OSTREE_DIR:-"$(dirname "$(realpath "$0")")"}" 6 | 7 | if [ -z "${4:-}" ] || [ "${1:-}" = help ] || [ "${1:-}" = -h ]; then 8 | cat <&2 echo ERROR - could not find role "$role" - please use ANSIBLE_COLLECTIONS_PATH 64 | exit 2 65 | } 66 | 67 | get_packages() { 68 | local ostree_dir pkgtype pkgfile rolefile 69 | ostree_dir="$1" 70 | for pkgtype in "${pkgtypes[@]}"; do 71 | for suff in "" "-$distro" "-${distro}-${major_ver}" "-${distro}-${ver}"; do 72 | pkgfile="$ostree_dir/packages-${pkgtype}${suff}.txt" 73 | if [ -f "$pkgfile" ]; then 74 | cat "$pkgfile" 75 | fi 76 | done 77 | rolefile="$ostree_dir/roles-${pkgtype}.txt" 78 | if [ -f "$rolefile" ]; then 79 | local roles role rolepath 80 | roles="$(cat "$rolefile")" 81 | for role in $roles; do 82 | rolepath="$(get_rolepath "$ostree_dir" "$role")" 83 | if [ -z "$rolepath" ]; then 84 | 1>&2 echo ERROR - could not find role "$role" - please use ANSIBLE_COLLECTIONS_PATH 85 | exit 2 86 | fi 87 | get_packages "$rolepath" 88 | done 89 | fi 90 | done | sort -u 91 | } 92 | 93 | format_packages_json() { 94 | local comma pkgs pkg 95 | comma="" 96 | pkgs="[" 97 | while read -r pkg; do 98 | pkgs="${pkgs}${comma}\"${pkg}\"" 99 | comma=, 100 | done 101 | pkgs="${pkgs}]" 102 | echo "$pkgs" 103 | } 104 | 105 | format_packages_raw() { 106 | cat 107 | } 108 | 109 | format_packages_yaml() { 110 | while read -r pkg; do 111 | echo "- $pkg" 112 | done 113 | } 114 | 115 | format_packages_toml() { 116 | while read -r pkg; do 117 | echo "[[packages]]" 118 | echo "name = \"$pkg\"" 119 | echo "version = \"*\"" 120 | done 121 | } 122 | 123 | distro="${distro_ver%%-*}" 124 | ver="${distro_ver##*-}" 125 | if [[ "$ver" =~ ^([0-9]*) ]]; then 126 | major_ver="${BASH_REMATCH[1]}" 127 | else 128 | echo ERROR: cannot parse major version number from version "$ver" 129 | exit 1 130 | fi 131 | 132 | "get_$category" "$ostree_dir" | "format_${category}_$format" 133 | -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Ensure ansible_facts required by role 3 | include_tasks: set_facts.yml 4 | 5 | # Distribution defaults are different from the postfix defaults, hence need to 6 | # reinstall the package 7 | - name: Remove postfix package(s) to restore config {{ __postfix_packages }} 8 | when: 9 | - postfix_conf.previous is defined 10 | - postfix_conf.previous == "replaced" 11 | - not __postfix_is_ostree 12 | block: 13 | # It is assumed that the only package providing config files that might 14 | # be modified is postfix - if this is not so, then additional 15 | # packages need to be added to this check 16 | - name: Get status of package(s) {{ __postfix_packages }} 17 | command: rpm -V {{ item }} # noqa command-instead-of-module 18 | loop: "{{ __postfix_packages }}" 19 | register: __postfix_packages_status 20 | failed_when: false 21 | changed_when: false 22 | 23 | - name: Remove package(s) to reset original confs {{ __postfix_packages }} 24 | package: 25 | name: "{{ __postfix_packages }}" 26 | state: absent 27 | register: __postfix_erased 28 | when: __postfix_packages_status.results | 29 | rejectattr('stdout', 'match', '^package .* is not installed') | 30 | selectattr('stdout', 'search', ' /etc/postfix/.*[.]cf($|\n)') | 31 | list | length > 0 32 | 33 | - name: Remove configuration for replacement 34 | when: 35 | - postfix_conf.previous | d() == "replaced" 36 | - __postfix_is_ostree | d(false) 37 | block: 38 | # It is assumed that the only package providing config files that might 39 | # be modified is postfix - if this is not so, then additional 40 | # packages need to be added to this check 41 | - name: Get status of config files 42 | command: rpm -V --nomtime {{ item }} # noqa command-instead-of-module 43 | loop: "{{ __postfix_packages }}" 44 | register: __postfix_packages_status 45 | failed_when: false 46 | changed_when: false 47 | 48 | - name: Remove config files - make empty 49 | copy: 50 | dest: "{{ item }}" 51 | content: "\n" # to make postconf -e happy 52 | mode: preserve 53 | loop: "{{ mod_cf_files }}" 54 | vars: 55 | mod_cf_files: "{{ __postfix_packages_status.results | 56 | map(attribute='stdout') | map('default', '') | 57 | map('regex_findall', ' (/etc/postfix/.*[.]cf)(?:$|\n)') | select | 58 | flatten | list }}" 59 | 60 | - name: Configure firewall 61 | include_tasks: firewall.yml 62 | 63 | - name: Configure selinux 64 | include_tasks: selinux.yml 65 | 66 | - name: Install Postfix 67 | package: 68 | name: "{{ __postfix_packages }}" 69 | state: present 70 | use: "{{ (__postfix_is_ostree | d(false)) | 71 | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" 72 | 73 | - name: Check for IPv6 enabled 74 | vars: 75 | ipv6_err: >- 76 | postconf: fatal: parameter inet_interfaces: no local interface found for ::1 77 | block: 78 | - name: Get default database type from postconf - 1 79 | command: postconf -h default_database_type 80 | changed_when: false 81 | register: __postfix_register_dbtype 82 | failed_when: 83 | - __postfix_register_dbtype is failed 84 | - __postfix_register_dbtype.stderr is not search(ipv6_err) 85 | 86 | - name: Configure postfix for no ipv6 87 | include_tasks: manage_config.yml 88 | vars: 89 | __postfix_conf: 90 | inet_protocols: ipv4 91 | __postfix_has_config_changed: True itemstr inet_protocols 92 | when: 93 | - __postfix_register_dbtype.rc == 1 94 | - __postfix_register_dbtype.stderr is search(ipv6_err) 95 | 96 | - name: Get default database type from postconf - 2 97 | command: postconf -h default_database_type 98 | changed_when: false 99 | register: __postfix_register_dbtype 100 | 101 | - name: Set postfix_default_database_type 102 | set_fact: 103 | postfix_default_database_type: "{{ __postfix_register_dbtype.stdout | trim }}" 104 | 105 | - name: Enable Postfix 106 | service: 107 | name: postfix 108 | state: started 109 | enabled: true 110 | 111 | - name: Get current config 112 | command: postconf 113 | register: __postfix_register_config 114 | changed_when: false 115 | when: postfix_conf | dict2items | rejectattr('key', 'match', '^previous$') 116 | | list | items2dict | d({}) | length > 0 117 | 118 | - name: Check given config against current config 119 | changed_when: false 120 | when: 121 | - postfix_conf | dict2items | rejectattr('key', 'match', '^previous$') 122 | | list | items2dict | d({}) | length > 0 123 | - __postfix_register_config is defined 124 | - __postfix_register_config.stdout_lines is defined 125 | set_fact: 126 | __postfix_has_config_changed: |- 127 | {% for key, val in postfix_conf.items() %} 128 | {% if key != 'previous' %} 129 | {% set space = ' ' if val else '' %} 130 | {% set itemstr = '{} ={}{}'.format(key, space, val) %} 131 | {% if itemstr not in __postfix_register_config.stdout_lines %} 132 | True itemstr {{ itemstr }} is not in __postfix_register_config 133 | {% endif %} 134 | {% endif %} 135 | {% endfor %} 136 | 137 | - name: Configure additional files 138 | copy: 139 | content: "{{ file['content'] }}" 140 | dest: /etc/postfix/{{ file['name'] }} 141 | owner: root 142 | group: root 143 | mode: '0640' 144 | loop: "{{ postfix_files }}" 145 | register: __postfix_postmap_files 146 | no_log: true 147 | loop_control: 148 | loop_var: file 149 | notify: 150 | - Check postfix 151 | - Restart postfix 152 | 153 | - name: Postmap files 154 | command: postmap {{ result["dest"] | quote }} 155 | when: 156 | - result["changed"] 157 | - result["file"]["postmap"] | d(false) 158 | no_log: true 159 | changed_when: true 160 | loop: "{{ __postfix_postmap_files['results'] }}" 161 | loop_control: 162 | loop_var: result 163 | 164 | - name: Apply changes 165 | include_tasks: manage_config.yml 166 | vars: 167 | __postfix_conf: "{{ postfix_conf }}" 168 | -------------------------------------------------------------------------------- /.markdownlint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Default state for all rules 3 | default: true 4 | 5 | # Path to configuration file to extend 6 | extends: null 7 | 8 | # MD001/heading-increment/header-increment - Heading levels should only increment by one level at a time 9 | MD001: true 10 | 11 | # MD002/first-heading-h1/first-header-h1 - First heading should be a top-level heading 12 | MD002: 13 | # Heading level 14 | level: 1 15 | 16 | # MD003/heading-style/header-style - Heading style 17 | MD003: 18 | # Heading style 19 | style: "consistent" 20 | 21 | # MD004/ul-style - Unordered list style 22 | MD004: 23 | # List style 24 | style: "consistent" 25 | 26 | # MD005/list-indent - Inconsistent indentation for list items at the same level 27 | MD005: true 28 | 29 | # MD006/ul-start-left - Consider starting bulleted lists at the beginning of the line 30 | MD006: true 31 | 32 | # MD007/ul-indent - Unordered list indentation 33 | MD007: 34 | # Spaces for indent 35 | indent: 2 36 | # Whether to indent the first level of the list 37 | start_indented: false 38 | # Spaces for first level indent (when start_indented is set) 39 | start_indent: 2 40 | 41 | # MD009/no-trailing-spaces - Trailing spaces 42 | MD009: 43 | # Spaces for line break 44 | br_spaces: 2 45 | # Allow spaces for empty lines in list items 46 | list_item_empty_lines: false 47 | # Include unnecessary breaks 48 | strict: false 49 | 50 | # MD010/no-hard-tabs - Hard tabs 51 | MD010: 52 | # Include code blocks 53 | code_blocks: true 54 | # Fenced code languages to ignore 55 | ignore_code_languages: [] 56 | # Number of spaces for each hard tab 57 | spaces_per_tab: 1 58 | 59 | # MD011/no-reversed-links - Reversed link syntax 60 | MD011: true 61 | 62 | # MD012/no-multiple-blanks - Multiple consecutive blank lines 63 | MD012: 64 | # Consecutive blank lines 65 | maximum: 1 66 | 67 | # Modified for LSR 68 | # GFM does not limit line length 69 | # MD013/line-length - Line length 70 | MD013: false 71 | # # Number of characters 72 | # # line_length: 80 73 | # line_length: 999 74 | # # Number of characters for headings 75 | # heading_line_length: 80 76 | # # Number of characters for code blocks 77 | # code_block_line_length: 80 78 | # # Include code blocks 79 | # code_blocks: true 80 | # # Include tables 81 | # tables: true 82 | # # Include headings 83 | # headings: true 84 | # # Include headings 85 | # headers: true 86 | # # Strict length checking 87 | # strict: false 88 | # # Stern length checking 89 | # stern: false 90 | 91 | # MD014/commands-show-output - Dollar signs used before commands without showing output 92 | MD014: true 93 | 94 | # MD018/no-missing-space-atx - No space after hash on atx style heading 95 | MD018: true 96 | 97 | # MD019/no-multiple-space-atx - Multiple spaces after hash on atx style heading 98 | MD019: true 99 | 100 | # MD020/no-missing-space-closed-atx - No space inside hashes on closed atx style heading 101 | MD020: true 102 | 103 | # MD021/no-multiple-space-closed-atx - Multiple spaces inside hashes on closed atx style heading 104 | MD021: true 105 | 106 | # MD022/blanks-around-headings/blanks-around-headers - Headings should be surrounded by blank lines 107 | MD022: 108 | # Blank lines above heading 109 | lines_above: 1 110 | # Blank lines below heading 111 | lines_below: 1 112 | 113 | # MD023/heading-start-left/header-start-left - Headings must start at the beginning of the line 114 | MD023: true 115 | 116 | # MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content 117 | MD024: true 118 | 119 | # MD025/single-title/single-h1 - Multiple top-level headings in the same document 120 | MD025: 121 | # Heading level 122 | level: 1 123 | # RegExp for matching title in front matter 124 | front_matter_title: "^\\s*title\\s*[:=]" 125 | 126 | # MD026/no-trailing-punctuation - Trailing punctuation in heading 127 | MD026: 128 | # Punctuation characters not allowed at end of headings 129 | punctuation: ".,;:!。,;:!" 130 | 131 | # MD027/no-multiple-space-blockquote - Multiple spaces after blockquote symbol 132 | MD027: true 133 | 134 | # MD028/no-blanks-blockquote - Blank line inside blockquote 135 | MD028: true 136 | 137 | # MD029/ol-prefix - Ordered list item prefix 138 | MD029: 139 | # List style 140 | style: "one_or_ordered" 141 | 142 | # MD030/list-marker-space - Spaces after list markers 143 | MD030: 144 | # Spaces for single-line unordered list items 145 | ul_single: 1 146 | # Spaces for single-line ordered list items 147 | ol_single: 1 148 | # Spaces for multi-line unordered list items 149 | ul_multi: 1 150 | # Spaces for multi-line ordered list items 151 | ol_multi: 1 152 | 153 | # MD031/blanks-around-fences - Fenced code blocks should be surrounded by blank lines 154 | MD031: 155 | # Include list items 156 | list_items: true 157 | 158 | # MD032/blanks-around-lists - Lists should be surrounded by blank lines 159 | MD032: true 160 | 161 | # MD033/no-inline-html - Inline HTML 162 | MD033: 163 | # Allowed elements 164 | allowed_elements: [] 165 | 166 | # MD034/no-bare-urls - Bare URL used 167 | MD034: true 168 | 169 | # MD035/hr-style - Horizontal rule style 170 | MD035: 171 | # Horizontal rule style 172 | style: "consistent" 173 | 174 | # MD036/no-emphasis-as-heading/no-emphasis-as-header - Emphasis used instead of a heading 175 | MD036: 176 | # Punctuation characters 177 | punctuation: ".,;:!?。,;:!?" 178 | 179 | # MD037/no-space-in-emphasis - Spaces inside emphasis markers 180 | MD037: true 181 | 182 | # MD038/no-space-in-code - Spaces inside code span elements 183 | MD038: true 184 | 185 | # MD039/no-space-in-links - Spaces inside link text 186 | MD039: true 187 | 188 | # MD040/fenced-code-language - Fenced code blocks should have a language specified 189 | MD040: 190 | # List of languages 191 | allowed_languages: [] 192 | # Require language only 193 | language_only: false 194 | 195 | # MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading 196 | MD041: 197 | # Heading level 198 | level: 1 199 | # RegExp for matching title in front matter 200 | front_matter_title: "^\\s*title\\s*[:=]" 201 | 202 | # MD042/no-empty-links - No empty links 203 | MD042: true 204 | 205 | # Modified for LSR 206 | # Disabling, we do not need this 207 | # MD043/required-headings/required-headers - Required heading structure 208 | MD043: false 209 | # # List of headings 210 | # headings: [] 211 | # # List of headings 212 | # headers: [] 213 | # # Match case of headings 214 | # match_case: false 215 | 216 | # MD044/proper-names - Proper names should have the correct capitalization 217 | MD044: 218 | # List of proper names 219 | names: [] 220 | # Include code blocks 221 | code_blocks: true 222 | # Include HTML elements 223 | html_elements: true 224 | 225 | # MD045/no-alt-text - Images should have alternate text (alt text) 226 | MD045: true 227 | 228 | # MD046/code-block-style - Code block style 229 | MD046: 230 | # Block style 231 | style: "consistent" 232 | 233 | # MD047/single-trailing-newline - Files should end with a single newline character 234 | MD047: true 235 | 236 | # MD048/code-fence-style - Code fence style 237 | MD048: 238 | # Code fence style 239 | style: "consistent" 240 | 241 | # MD049/emphasis-style - Emphasis style should be consistent 242 | MD049: 243 | # Emphasis style should be consistent 244 | style: "consistent" 245 | 246 | # MD050/strong-style - Strong style should be consistent 247 | MD050: 248 | # Strong style should be consistent 249 | style: "consistent" 250 | 251 | # MD051/link-fragments - Link fragments should be valid 252 | MD051: true 253 | 254 | # MD052/reference-links-images - Reference links and images should use a label that is defined 255 | MD052: true 256 | 257 | # MD053/link-image-reference-definitions - Link and image reference definitions should be needed 258 | MD053: 259 | # Ignored definitions 260 | ignored_definitions: 261 | - "//" 262 | -------------------------------------------------------------------------------- /.github/workflows/tft.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Run integration tests in Testing Farm 3 | on: 4 | issue_comment: 5 | types: 6 | - created 7 | permissions: 8 | contents: read 9 | # This is required for the ability to create/update the Pull request status 10 | statuses: write 11 | jobs: 12 | prepare_vars: 13 | name: Get info from role and PR to determine if and how to test 14 | # The concurrency key is used to prevent multiple workflows from running at the same time 15 | concurrency: 16 | # group name contains reponame-pr_num to allow simualteneous runs in different PRs 17 | group: testing-farm-${{ github.event.repository.name }}-${{ github.event.issue.number }} 18 | cancel-in-progress: true 19 | # Let's schedule tests only on user request. NOT automatically. 20 | # Only repository owner or member can schedule tests 21 | if: | 22 | github.event.issue.pull_request 23 | && contains(github.event.comment.body, '[citest]') 24 | && (contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association) 25 | || contains('systemroller', github.event.comment.user.login)) 26 | runs-on: ubuntu-latest 27 | outputs: 28 | supported_platforms: ${{ steps.supported_platforms.outputs.supported_platforms }} 29 | head_sha: ${{ steps.head_sha.outputs.head_sha }} 30 | memory: ${{ steps.memory.outputs.memory }} 31 | steps: 32 | - name: Dump github context 33 | run: echo "$GITHUB_CONTEXT" 34 | shell: bash 35 | env: 36 | GITHUB_CONTEXT: ${{ toJson(github) }} 37 | 38 | - name: Checkout repo 39 | uses: actions/checkout@v6 40 | 41 | - name: Get head sha of the PR 42 | id: head_sha 43 | run: | 44 | head_sha=$(gh api "repos/$REPO/pulls/$PR_NO" --jq '.head.sha') 45 | echo "head_sha=$head_sha" >> $GITHUB_OUTPUT 46 | env: 47 | REPO: ${{ github.repository }} 48 | PR_NO: ${{ github.event.issue.number }} 49 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 50 | 51 | - name: Checkout PR 52 | uses: actions/checkout@v6 53 | with: 54 | ref: ${{ steps.head_sha.outputs.head_sha }} 55 | 56 | - name: Get memory 57 | id: memory 58 | run: | 59 | if [ -d tests/provision.fmf ]; then 60 | memory=$(grep -rPo ' m: \K(.*)' tests/provision.fmf) 61 | fi 62 | if [ -n "$memory" ]; then 63 | echo "memory=$memory" >> $GITHUB_OUTPUT 64 | else 65 | echo "memory=2048" >> $GITHUB_OUTPUT 66 | fi 67 | 68 | - name: Get supported platforms 69 | id: supported_platforms 70 | run: | 71 | supported_platforms="" 72 | meta_main=meta/main.yml 73 | # All Fedora are supported, add latest Fedora versions to supported_platforms 74 | if yq '.galaxy_info.galaxy_tags[]' "$meta_main" | grep -qi fedora$; then 75 | supported_platforms+=" Fedora-41" 76 | supported_platforms+=" Fedora-42" 77 | fi 78 | # Specific Fedora versions supported 79 | if yq '.galaxy_info.galaxy_tags[]' "$meta_main" | grep -qiP 'fedora\d+$'; then 80 | for fedora_ver in $(yq '.galaxy_info.galaxy_tags[]' "$meta_main" | grep -iPo 'fedora\K(\d+$)'); do 81 | supported_platforms+=" Fedora-$fedora_ver" 82 | done 83 | fi 84 | if yq '.galaxy_info.galaxy_tags[]' "$meta_main" | grep -qi el7; then 85 | supported_platforms+=" CentOS-7-latest" 86 | fi 87 | for ver in 8 9 10; do 88 | if yq '.galaxy_info.galaxy_tags[]' "$meta_main" | grep -qi el"$ver"; then 89 | supported_platforms+=" CentOS-Stream-$ver" 90 | fi 91 | done 92 | echo "supported_platforms=$supported_platforms" >> $GITHUB_OUTPUT 93 | 94 | testing-farm: 95 | name: ${{ matrix.platform }}/ansible-${{ matrix.ansible_version }} 96 | needs: prepare_vars 97 | strategy: 98 | fail-fast: false 99 | matrix: 100 | include: 101 | - platform: Fedora-41 102 | ansible_version: 2.17 103 | - platform: Fedora-42 104 | ansible_version: 2.19 105 | - platform: CentOS-7-latest 106 | ansible_version: 2.9 107 | - platform: CentOS-Stream-8 108 | ansible_version: 2.9 109 | # On CentOS-Stream-8, latest supported Ansible is 2.16 110 | - platform: CentOS-Stream-8 111 | ansible_version: 2.16 112 | - platform: CentOS-Stream-9 113 | ansible_version: 2.17 114 | - platform: CentOS-Stream-10 115 | ansible_version: 2.17 116 | runs-on: ubuntu-latest 117 | env: 118 | ARTIFACTS_DIR_NAME: "tf_${{ github.event.repository.name }}-${{ github.event.issue.number }}_\ 119 | ${{ matrix.platform }}-${{ matrix.ansible_version }}_\ 120 | ${{ needs.prepare_vars.outputs.datetime }}/artifacts" 121 | ARTIFACT_TARGET_DIR: /srv/pub/alt/${{ vars.SR_LSR_USER }}/logs 122 | steps: 123 | - name: Set variables with DATETIME and artifact location 124 | id: set_vars 125 | run: | 126 | printf -v DATETIME '%(%Y%m%d-%H%M%S)T' -1 127 | ARTIFACTS_DIR_NAME="tf_${{ github.event.repository.name }}-${{ github.event.issue.number }}_\ 128 | ${{ matrix.platform }}-${{ matrix.ansible_version }}_$DATETIME/artifacts" 129 | ARTIFACTS_TARGET_DIR=/srv/pub/alt/${{ vars.SR_LSR_USER }}/logs 130 | ARTIFACTS_DIR=$ARTIFACTS_TARGET_DIR/$ARTIFACTS_DIR_NAME 131 | ARTIFACTS_URL=https://dl.fedoraproject.org/pub/alt/${{ vars.SR_LSR_USER }}/logs/$ARTIFACTS_DIR_NAME 132 | echo "DATETIME=$DATETIME" >> $GITHUB_OUTPUT 133 | echo "ARTIFACTS_DIR=$ARTIFACTS_DIR" >> $GITHUB_OUTPUT 134 | echo "ARTIFACTS_URL=$ARTIFACTS_URL" >> $GITHUB_OUTPUT 135 | 136 | - name: Set commit status as pending 137 | if: contains(needs.prepare_vars.outputs.supported_platforms, matrix.platform) 138 | uses: myrotvorets/set-commit-status-action@master 139 | with: 140 | sha: ${{ needs.prepare_vars.outputs.head_sha }} 141 | status: pending 142 | context: ${{ matrix.platform }}|ansible-${{ matrix.ansible_version }} 143 | description: Test started 144 | targetUrl: "" 145 | 146 | - name: Set commit status as success with a description that platform is skipped 147 | if: "!contains(needs.prepare_vars.outputs.supported_platforms, matrix.platform)" 148 | uses: myrotvorets/set-commit-status-action@master 149 | with: 150 | sha: ${{ needs.prepare_vars.outputs.head_sha }} 151 | status: success 152 | context: ${{ matrix.platform }}|ansible-${{ matrix.ansible_version }} 153 | description: The role does not support this platform. Skipping. 154 | targetUrl: "" 155 | 156 | - name: Run test in testing farm 157 | uses: sclorg/testing-farm-as-github-action@v4 158 | if: contains(needs.prepare_vars.outputs.supported_platforms, matrix.platform) 159 | with: 160 | git_ref: main 161 | pipeline_settings: '{ "type": "tmt-multihost" }' 162 | environment_settings: '{ "provisioning": { "tags": { "BusinessUnit": "system_roles" } } }' 163 | # Keeping SR_ARTIFACTS_URL at the bottom makes the link in logs clickable 164 | variables: "SR_ANSIBLE_VER=${{ matrix.ansible_version }};\ 165 | SR_REPO_NAME=${{ github.event.repository.name }};\ 166 | SR_GITHUB_ORG=${{ github.repository_owner }};\ 167 | SR_PR_NUM=${{ github.event.issue.number }};\ 168 | SR_ARTIFACTS_DIR=${{ steps.set_vars.outputs.ARTIFACTS_DIR }};\ 169 | SR_TEST_LOCAL_CHANGES=false;\ 170 | SR_LSR_USER=${{ vars.SR_LSR_USER }};\ 171 | SR_ARTIFACTS_URL=${{ steps.set_vars.outputs.ARTIFACTS_URL }}" 172 | # Note that LINUXSYSTEMROLES_SSH_KEY must be single-line, TF doesn't read multi-line variables fine. 173 | secrets: "SR_LSR_DOMAIN=${{ secrets.SR_LSR_DOMAIN }};\ 174 | SR_LSR_SSH_KEY=${{ secrets.SR_LSR_SSH_KEY }}" 175 | compose: ${{ matrix.platform }} 176 | # There are two blockers for using public ranch: 177 | # 1. multihost is not supported in public https://github.com/teemtee/tmt/issues/2620 178 | # 2. Security issue that leaks long secrets - Jira TFT-2698 179 | tf_scope: private 180 | api_key: ${{ secrets.TF_API_KEY_RH }} 181 | update_pull_request_status: false 182 | tmt_plan_filter: "tag:playbooks_parallel,postfix" 183 | 184 | - name: Set final commit status 185 | uses: myrotvorets/set-commit-status-action@master 186 | if: always() && contains(needs.prepare_vars.outputs.supported_platforms, matrix.platform) 187 | with: 188 | sha: ${{ needs.prepare_vars.outputs.head_sha }} 189 | status: ${{ job.status }} 190 | context: ${{ matrix.platform }}|ansible-${{ matrix.ansible_version }} 191 | description: Test finished 192 | targetUrl: ${{ steps.set_vars.outputs.ARTIFACTS_URL }} 193 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # postfix 2 | 3 | [![ansible-lint.yml](https://github.com/linux-system-roles/postfix/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/postfix/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/postfix/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/postfix/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/postfix/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/postfix/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/postfix/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/postfix/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/postfix/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/postfix/actions/workflows/qemu-kvm-integration-tests.yml) [![tft.yml](https://github.com/linux-system-roles/postfix/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/postfix/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/postfix/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/postfix/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/postfix/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/postfix/actions/workflows/woke.yml) 4 | 5 | This role can install, configure and start Postfix MTA. 6 | 7 | ## Requirements 8 | 9 | See below 10 | 11 | ### Collection requirements 12 | 13 | The role requires the `firewall` role and the `selinux` role from the 14 | `fedora.linux_system_roles` collection, if `postfix_manage_firewall` 15 | and `postfix_manage_selinux` is set to true, respectively. 16 | (Please see also [`postfix_manage_firewall`](#postfix_manage_firewall) 17 | and [`postfix_manage_selinux`](#postfix_manage_selinux)) 18 | 19 | If the `postfix` is a role from the `fedora.linux_system_roles` 20 | collection or from the Fedora RPM package, the requirement is already 21 | satisfied. 22 | 23 | The role requires additional collections to manage `rpm-ostree` systems. 24 | If you need to manage `rpm-ostree` systems, run the below command to 25 | install the collections. 26 | 27 | ```bash 28 | ansible-galaxy collection install -r meta/collection-requirements.yml 29 | ``` 30 | 31 | ## Role Variables 32 | 33 | ### postfix_conf 34 | 35 | ```yaml 36 | postfix_conf: 37 | relayhost: example.com 38 | ``` 39 | 40 | This is a dictionary which can hold key/value pairs of all supported Postfix 41 | configuration parameters. Keys not supported by the installed Postfix are 42 | ignored. The default is empty `{}`. 43 | 44 | You can specify `previous: replaced` within the `postfix_conf` dictionary to 45 | remove any existing configuration and apply the desired configuration on top of 46 | clean postfix installation. 47 | 48 | **WARNING**: If you specify `previous: replaced`, the role reinstalls the postfix 49 | package and replaces the existing `/etc/postfix/main.cf` and 50 | `/etc/postfix/master.cf` files. 51 | Ensure to back up those files to preserve your settings. 52 | 53 | **WARNING**: When managing `rpm-ostree` systems, the role cannot reinstall the 54 | postfix package, so it just replaces the modified config files with empty files. 55 | This is not idempotent. 56 | 57 | If you specify only `previous: replaced` under the `postfix_conf` dictionary, 58 | the role re-installs the `postfix` package and enables the `postfix` service 59 | without applying any configuration. 60 | 61 | For example, to remove existing configuration and set `relayhost: example.com` 62 | on top of clean postfix installation, use `postfix_conf` like this: 63 | 64 | ```yaml 65 | postfix_conf: 66 | previous: replaced 67 | relayhost: example.com 68 | ``` 69 | 70 | ### postfix_files 71 | 72 | ```yaml 73 | postfix_files: 74 | - name: sasl_passwd 75 | content: example.com user:password 76 | postmap: true 77 | - name: sender_canonical_maps 78 | content: /.+/ info@example.com 79 | ``` 80 | 81 | This is a list of files that will be placed in /etc/postfix and that can be converted into Postfix Lookup Tables if needed. 82 | 83 | It's meant as a simple mechanism to configure things such as SASL credentials and other small snippets. 84 | 85 | ### postfix_check 86 | 87 | ```yaml 88 | postfix_check: false 89 | ``` 90 | 91 | This is a boolean which determines if `postfix check` is run before starting 92 | Postfix if the configuration has changed. The default is `true`. 93 | 94 | ### postfix_backup 95 | 96 | ```yaml 97 | postfix_backup: true 98 | ``` 99 | 100 | This is a boolean which determines if the role will make a single backup copy of 101 | the configuration - for example, 102 | `cp /etc/postfix/main.cf /etc/postfix/main.cf.backup`, 103 | thus overwriting the previous backup, if any. The default is `false`. NOTE: If 104 | you want to set this to `true`, you must also set `postfix_backup_multiple: 105 | false` - see below. 106 | 107 | ### postfix_backup_multiple 108 | 109 | ```yaml 110 | postfix_backup_multiple: false 111 | ``` 112 | 113 | This is a boolean which determines if the role will make a timestamped backup copy of 114 | the configuration - for example, 115 | `cp /etc/postfix/main.cf /etc/postfix/main.cf.$(date -Isec)`, 116 | thus keeping multiple backup copies. The default is `true`. NOTE: This setting 117 | overrides `postfix_backup`, so you must set this to `false` if you want to use 118 | `postfix_backup`. 119 | 120 | ### postfix_manage_firewall 121 | 122 | Boolean flag allowing to configure firewall using the firewall role. 123 | Manage the smtp related ports, 25/tcp, 465/tcp, and 587/tcp. 124 | If the variable is set to `false`, the `postfix role` does not manage the 125 | firewall. 126 | Default to `false`. 127 | 128 | NOTE: `postfix_manage_firewall` is limited to *adding* ports. 129 | It cannot be used for *removing* ports. 130 | If you want to remove ports, you will need to use the firewall system 131 | role directly. 132 | 133 | NOTE: the firewall management is not supported on RHEL 6. 134 | 135 | ### postfix_manage_selinux 136 | 137 | Boolean flag allowing to configure selinux using the selinux role. 138 | Assign `smtp_port_t` to the smtp related ports. 139 | If the variable is set to false, the `postfix role` does not manage the 140 | selinux 141 | 142 | NOTE: `postfix_manage_selinux` is limited to *adding* policy. 143 | It cannot be used for *removing* policy. 144 | If you want to remove policy, you will need to use the selinux system 145 | role directly. 146 | 147 | ## Variables Exported by the Role 148 | 149 | ### postfix_default_database_type 150 | 151 | This is a string which specifies the default database type used by postfix, 152 | which is obtained by using `postconf -h default_database_type`. This can be 153 | used to set configuration which depends on the type. **NOTE** this is *not* 154 | supported with Ansible 2.9. 155 | 156 | ```yaml 157 | - name: Manage postfix 158 | hosts: all 159 | vars: 160 | postfix_conf: 161 | relay_domains: "{{ postfix_default_database_type }}:/etc/postfix/relay_domains" 162 | roles: 163 | - linux-system-roles.postfix 164 | ``` 165 | 166 | ## Limitations 167 | 168 | There is no way to remove separate configuration parameters. 169 | As a workaround, you can use `postfix_conf`'s `previous: replaced` to remove the existing configuration and then apply 170 | the desired configuration on top of clean postfix installation. 171 | For more information, see [`postfix_conf`](#postfix_conf). 172 | 173 | ## Example Playbook 174 | 175 | Install and enable postfix. Configure `relay_domains=$mydestination` and 176 | `relayhost=example.com`. 177 | 178 | ```yaml 179 | --- 180 | - name: Manage postfix 181 | hosts: all 182 | vars: 183 | postfix_conf: 184 | relay_domains: $mydestination 185 | relayhost: example.com 186 | roles: 187 | - linux-system-roles.postfix 188 | ``` 189 | 190 | Install and enable postfix. Do not run 'postfix check' before restarting 191 | postfix: 192 | 193 | ```yaml 194 | --- 195 | - name: Manage postfix with no check 196 | hosts: all 197 | vars: 198 | postfix_check: false 199 | roles: 200 | - linux-system-roles.postfix 201 | ``` 202 | 203 | Install and enable postfix. Do single backup of main.cf (older backup will be 204 | rewritten) and configure `relayhost=example.com`: 205 | 206 | ```yaml 207 | --- 208 | - name: Manage postfix with relayhost 209 | hosts: all 210 | vars: 211 | postfix_conf: 212 | relayhost: example.com 213 | postfix_backup: true 214 | roles: 215 | - linux-system-roles.postfix 216 | ``` 217 | 218 | Install and enable postfix. Do timestamped backup of main.cf and 219 | configure `relayhost=example.com` (if `postfix_backup_multiple` is 220 | set to true `postfix_backup` is ignored): 221 | 222 | ```yaml 223 | --- 224 | - name: Manage postfix with multiple backups 225 | hosts: all 226 | vars: 227 | postfix_conf: 228 | relayhost: example.com 229 | postfix_backup_multiple: true 230 | roles: 231 | - linux-system-roles.postfix 232 | ``` 233 | 234 | ## rpm-ostree 235 | 236 | See README-ostree.md 237 | 238 | ## License 239 | 240 | Copyright (C) 2017 Jaroslav Škarvada 241 | 242 | This program is free software: you can redistribute it and/or modify 243 | it under the terms of the GNU General Public License as published by 244 | the Free Software Foundation, either version 3 of the License, or 245 | (at your option) any later version. 246 | 247 | This program is distributed in the hope that it will be useful, 248 | but WITHOUT ANY WARRANTY; without even the implied warranty of 249 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 250 | GNU General Public License for more details. 251 | 252 | You should have received a copy of the GNU General Public License 253 | along with this program. If not, see . 254 | -------------------------------------------------------------------------------- /.github/workflows/qemu-kvm-integration-tests.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Test 3 | on: # yamllint disable-line rule:truthy 4 | pull_request: 5 | merge_group: 6 | branches: 7 | - main 8 | types: 9 | - checks_requested 10 | push: 11 | branches: 12 | - main 13 | workflow_dispatch: 14 | 15 | permissions: 16 | contents: read 17 | # This is required for the ability to create/update the Pull request status 18 | statuses: write 19 | jobs: 20 | scenario: 21 | runs-on: ubuntu-latest 22 | 23 | strategy: 24 | fail-fast: false 25 | matrix: 26 | scenario: 27 | # QEMU 28 | - { image: "centos-9", env: "qemu-ansible-core-2.16" } 29 | - { image: "centos-10", env: "qemu-ansible-core-2.17" } 30 | - { image: "fedora-42", env: "qemu-ansible-core-2.19" } 31 | - { image: "fedora-43", env: "qemu-ansible-core-2.19" } 32 | - { image: "leap-15.6", env: "qemu-ansible-core-2.18" } 33 | 34 | # container 35 | - { image: "centos-9", env: "container-ansible-core-2.16" } 36 | - { image: "centos-9-bootc", env: "container-ansible-core-2.16" } 37 | # broken on non-running dbus 38 | # - { image: "centos-10", env: "container-ansible-core-2.17" } 39 | - { image: "centos-10-bootc", env: "container-ansible-core-2.17" } 40 | - { image: "fedora-42", env: "container-ansible-core-2.17" } 41 | - { image: "fedora-43", env: "container-ansible-core-2.19" } 42 | - { image: "fedora-42-bootc", env: "container-ansible-core-2.17" } 43 | - { image: "fedora-43-bootc", env: "container-ansible-core-2.19" } 44 | 45 | env: 46 | TOX_ARGS: "--skip-tags tests::infiniband,tests::nvme,tests::scsi" 47 | 48 | steps: 49 | - name: Checkout repo 50 | uses: actions/checkout@v6 51 | 52 | - name: Check if platform is supported 53 | id: check_platform 54 | run: | 55 | set -euxo pipefail 56 | image="${{ matrix.scenario.image }}" 57 | image="${image%-bootc}" 58 | 59 | # convert image to tag formats 60 | platform= 61 | platform_version= 62 | case "$image" in 63 | centos-*) platform=el; platform_version=el"${image#centos-}" ;; 64 | fedora-*) platform=fedora; platform_version="${image/-/}" ;; 65 | leap-*) platform=leap; platform_version="${image}" ;; 66 | esac 67 | supported= 68 | if yq -e '.galaxy_info.galaxy_tags[] | select(. == "'${platform_version}'" or . == "'${platform}'")' meta/main.yml; then 69 | supported=true 70 | fi 71 | 72 | # bootc build support (in buildah) has a separate flag 73 | if [ "${{ matrix.scenario.image }}" != "$image" ]; then 74 | if ! yq -e '.galaxy_info.galaxy_tags[] | select(. == "containerbuild")' meta/main.yml; then 75 | supported= 76 | fi 77 | else 78 | # roles need to opt into support for running in a system container 79 | env="${{ matrix.scenario.env }}" 80 | if [ "${env#container}" != "$env" ] && 81 | ! yq -e '.galaxy_info.galaxy_tags[] | select(. == "container")' meta/main.yml; then 82 | supported= 83 | fi 84 | fi 85 | 86 | echo "supported=$supported" >> "$GITHUB_OUTPUT" 87 | 88 | - name: Set up /dev/kvm 89 | if: steps.check_platform.outputs.supported 90 | run: | 91 | echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm.rules 92 | sudo udevadm control --reload-rules 93 | sudo udevadm trigger --name-match=kvm --settle 94 | ls -l /dev/kvm 95 | 96 | - name: Disable man-db to speed up package install 97 | if: steps.check_platform.outputs.supported 98 | run: | 99 | echo "set man-db/auto-update false" | sudo debconf-communicate 100 | sudo dpkg-reconfigure man-db 101 | 102 | - name: Install test dependencies 103 | if: steps.check_platform.outputs.supported 104 | run: | 105 | set -euxo pipefail 106 | python3 -m pip install --upgrade pip 107 | sudo apt update 108 | sudo apt install -y --no-install-recommends git ansible-core genisoimage qemu-system-x86 109 | pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.14.0" 110 | 111 | # HACK: Drop this when moving this workflow to 26.04 LTS 112 | - name: Update podman to 5.x for compatibility with bootc-image-builder's podman 5 113 | if: steps.check_platform.outputs.supported && endsWith(matrix.scenario.image, '-bootc') 114 | run: | 115 | sed 's/noble/plucky/g' /etc/apt/sources.list.d/ubuntu.sources | sudo tee /etc/apt/sources.list.d/plucky.sources >/dev/null 116 | cat </dev/null 117 | Package: podman buildah golang-github-containers-common crun libgpgme11t64 libgpg-error0 golang-github-containers-image catatonit conmon containers-storage 118 | Pin: release n=plucky 119 | Pin-Priority: 991 120 | 121 | Package: libsubid4 netavark passt aardvark-dns containernetworking-plugins libslirp0 slirp4netns 122 | Pin: release n=plucky 123 | Pin-Priority: 991 124 | 125 | Package: * 126 | Pin: release n=plucky 127 | Pin-Priority: 400 128 | EOF 129 | 130 | sudo apt update 131 | sudo apt install -y podman crun conmon containers-storage 132 | 133 | - name: Configure tox-lsr 134 | if: steps.check_platform.outputs.supported 135 | run: >- 136 | curl -o ~/.config/linux-system-roles.json 137 | https://raw.githubusercontent.com/linux-system-roles/linux-system-roles.github.io/master/download/linux-system-roles.json 138 | 139 | - name: Run qemu integration tests 140 | if: steps.check_platform.outputs.supported && startsWith(matrix.scenario.env, 'qemu') 141 | run: >- 142 | tox -e ${{ matrix.scenario.env }} -- --image-name ${{ matrix.scenario.image }} --make-batch 143 | --log-level debug $TOX_ARGS --skip-tags tests::bootc-e2e 144 | --lsr-report-errors-url DEFAULT -- 145 | 146 | - name: Qemu result summary 147 | if: steps.check_platform.outputs.supported && startsWith(matrix.scenario.env, 'qemu') && always() 148 | run: | 149 | set -euo pipefail 150 | # some platforms may have setup/cleanup playbooks - need to find the 151 | # actual test playbook that starts with tests_ 152 | while read code start end test_files; do 153 | for f in $test_files; do 154 | test_file="$f" 155 | f="$(basename $test_file)" 156 | if [[ "$f" =~ ^tests_ ]]; then 157 | break 158 | fi 159 | done 160 | if [ "$code" = "0" ]; then 161 | echo -n "PASS: " 162 | mv "$test_file.log" "${test_file}-SUCCESS.log" 163 | else 164 | echo -n "FAIL: " 165 | mv "$test_file.log" "${test_file}-FAIL.log" 166 | fi 167 | echo "$f" 168 | done < batch.report 169 | 170 | - name: Run container tox integration tests 171 | if: steps.check_platform.outputs.supported && startsWith(matrix.scenario.env, 'container') 172 | run: | 173 | set -euo pipefail 174 | # HACK: debug.py/profile.py setup is broken 175 | export LSR_CONTAINER_PROFILE=false 176 | export LSR_CONTAINER_PRETTY=false 177 | rc=0 178 | for t in tests/tests_*.yml; do 179 | if tox -e ${{ matrix.scenario.env }} -- --image-name ${{ matrix.scenario.image }} $t > ${t}.log 2>&1; then 180 | echo "PASS: $(basename $t)" 181 | mv "${t}.log" "${t}-SUCCESS.log" 182 | else 183 | echo "FAIL: $(basename $t)" 184 | mv "${t}.log" "${t}-FAIL.log" 185 | rc=1 186 | fi 187 | done 188 | exit $rc 189 | 190 | - name: Run bootc validation tests in QEMU 191 | if: steps.check_platform.outputs.supported && 192 | startsWith(matrix.scenario.env, 'container') && 193 | endsWith(matrix.scenario.image, '-bootc') 194 | run: | 195 | set -euxo pipefail 196 | env=$(echo "${{ matrix.scenario.env }}" | sed 's/^container-/qemu-/') 197 | 198 | for image_file in $(ls tests/tmp/*/qcow2/disk.qcow2 2>/dev/null); do 199 | test="tests/$(basename $(dirname $(dirname $image_file))).yml" 200 | if tox -e "$env" -- --image-file "$(pwd)/$image_file" \ 201 | --log-level debug $TOX_ARGS \ 202 | --lsr-report-errors-url DEFAULT \ 203 | -e '{"__bootc_validation": true}' \ 204 | -- "$test" >out 2>&1; then 205 | mv out "${test}-PASS.log" 206 | else 207 | mv out "${test}-FAIL.log" 208 | exit 1 209 | fi 210 | done 211 | 212 | - name: Upload test logs on failure 213 | if: failure() 214 | uses: actions/upload-artifact@v5 215 | with: 216 | name: "logs-${{ matrix.scenario.image }}-${{ matrix.scenario.env }}" 217 | path: | 218 | tests/*.log 219 | artifacts/default_provisioners.log 220 | artifacts/*.qcow2.*.log 221 | batch.txt 222 | batch.report 223 | retention-days: 30 224 | 225 | - name: Show test log failures 226 | if: steps.check_platform.outputs.supported && failure() 227 | run: | 228 | set -euo pipefail 229 | # grab check_logs.py script 230 | curl -s -L -o check_logs.py https://raw.githubusercontent.com/linux-system-roles/auto-maintenance/refs/heads/main/check_logs.py 231 | chmod +x check_logs.py 232 | declare -a cmdline=(./check_logs.py --github-action-format) 233 | for log in tests/*-FAIL.log; do 234 | cmdline+=(--lsr-error-log "$log") 235 | done 236 | "${cmdline[@]}" 237 | 238 | - name: Set commit status as success with a description that platform is skipped 239 | if: ${{ steps.check_platform.outputs.supported == '' }} 240 | uses: myrotvorets/set-commit-status-action@master 241 | with: 242 | status: success 243 | context: "${{ github.workflow }} / scenario (${{ matrix.scenario.image }}, ${{ matrix.scenario.env }}) (pull_request)" 244 | description: The role does not support this platform. Skipping. 245 | targetUrl: "" 246 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | Changelog 2 | ========= 3 | 4 | [1.6.5] - 2025-11-17 5 | -------------------- 6 | 7 | ### Bug Fixes 8 | 9 | - fix: cannot use community-general version 12 - no py27 and py36 support (#207) 10 | 11 | ### Other Changes 12 | 13 | - ci: bump actions/checkout from 4 to 5 (#193) 14 | - ci: rollout several recent changes to CI testing (#195) 15 | - ci: support openSUSE Leap in qemu/kvm test matrix (#196) 16 | - ci: use the new epel feature to enable EPEL for testing farm (#197) 17 | - ci: use tox-lsr 3.12.0 for osbuild_config.yml feature (#199) 18 | - ci: use JSON format for __bootc_validation (#200) 19 | - ci: bump actions/github-script from 7 to 8 (#201) 20 | - ci: bump actions/upload-artifact from 4 to 5 (#202) 21 | - ci: use versioned upload-artifact instead of master; bump codeql-action to v4; bump upload-artifact to v5 (#203) 22 | - ci: bump tox-lsr to 3.13.0 (#204) 23 | - ci: bump tox-lsr to 3.14.0 - this moves standard-inventory-qcow2 to tox-lsr (#205) 24 | 25 | [1.6.4] - 2025-08-01 26 | -------------------- 27 | 28 | ### Other Changes 29 | 30 | - test: tag tests::reboot for tests_disable_ipv6.yml (#191) 31 | 32 | [1.6.3] - 2025-07-24 33 | -------------------- 34 | 35 | ### Other Changes 36 | 37 | - test: accept empty relayhost as unset (#189) 38 | 39 | [1.6.2] - 2025-07-15 40 | -------------------- 41 | 42 | ### Bug Fixes 43 | 44 | - fix: configure postfix to listen only to IPv4 if IPv6 is disabled (#187) 45 | 46 | [1.6.1] - 2025-07-09 47 | -------------------- 48 | 49 | ### Other Changes 50 | 51 | - ci: ansible-plugin-scan is disabled for now (#168) 52 | - ci: bump ansible-lint to v25; provide collection requirements for ansible-lint (#171) 53 | - ci: Check spelling with codespell (#172) 54 | - ci: Add test plan that runs CI tests and customize it for each role (#173) 55 | - ci: In test plans, prefix all relate variables with SR_ (#174) 56 | - ci: Fix bug with ARTIFACTS_URL after prefixing with SR_ (#175) 57 | - ci: several changes related to new qemu test, ansible-lint, python versions, ubuntu versions (#176) 58 | - ci: use tox-lsr 3.6.0; improve qemu test logging (#177) 59 | - ci: skip storage scsi, nvme tests in github qemu ci (#178) 60 | - ci: Bump sclorg/testing-farm-as-github-action from 3 to 4 (#179) 61 | - ci: bump tox-lsr to 3.8.0; rename qemu/kvm tests (#180) 62 | - ci: Add Fedora 42; use tox-lsr 3.9.0; use lsr-report-errors for qemu tests (#181) 63 | - ci: Add support for bootc end-to-end validation tests (#182) 64 | - ci: Use ansible 2.19 for fedora 42 testing; support python 3.13 (#183) 65 | - refactor: support ansible 2.19 (#184) 66 | 67 | [1.6.0] - 2024-12-04 68 | -------------------- 69 | 70 | ### New Features 71 | 72 | - feat: support postfix_default_database_type (#165) 73 | 74 | ### Other Changes 75 | 76 | - ci: Use Fedora 41, drop Fedora 39 (#164) 77 | - ci: Use Fedora 41, drop Fedora 39 - part two (#166) 78 | 79 | [1.5.2] - 2024-10-30 80 | -------------------- 81 | 82 | ### Other Changes 83 | 84 | - ci: Improvements to tmt workflows (#144) 85 | - ci: Fix quotes in citest_bad workflow (#145) 86 | - ci: Fix getting github author_association (#146) 87 | - ci: Fix url to linux-system-roles/tft-tests (#147) 88 | - ci: Improve citest_bad script (#149) 89 | - ci: Fix missing slash in ARTIFACTS_URL (#152) 90 | - ci: Add tags to TF workflow, allow more [citest bad] formats (#154) 91 | - ci: ansible-test action now requires ansible-core version (#157) 92 | - ci: add YAML header to github action workflow files (#158) 93 | - refactor: Use vars/RedHat_N.yml symlink for CentOS, Rocky, Alma wherever possible (#160) 94 | 95 | [1.5.1] - 2024-08-01 96 | -------------------- 97 | 98 | ### Other Changes 99 | 100 | - ci: Add tft plan and workflow (#136) 101 | - ci: Update fmf plan to add a separate job to prepare managed nodes (#139) 102 | - test: el10 now uses lmdb by default (#140) 103 | - ci: Bump sclorg/testing-farm-as-github-action from 2 to 3 (#141) 104 | - ci: Add workflow for ci_test bad, use remote fmf plan (#142) 105 | 106 | [1.5.0] - 2024-07-15 107 | -------------------- 108 | 109 | ### New Features 110 | 111 | - feat: Added postfix_files feature as a simple means to add extra files/maps to config (#129) 112 | 113 | ### Bug Fixes 114 | 115 | - fix: add support for EL10 (#134) 116 | 117 | ### Other Changes 118 | 119 | - ci: ansible-lint action now requires absolute directory (#133) 120 | 121 | [1.4.5] - 2024-06-11 122 | -------------------- 123 | 124 | ### Bug Fixes 125 | 126 | - fix: Reflect smtp-submission service rename in EL 10 and Fedora 40+ (#131) 127 | 128 | ### Other Changes 129 | 130 | - refactor: Modify backup task to use the 'copy' module instead of 'shell' (#2) 131 | - ci: use tox-lsr 3.3.0 which uses ansible-test 2.17 (#124) 132 | - ci: tox-lsr 3.4.0 - fix py27 tests; move other checks to py310 (#126) 133 | - ci: Add supported_ansible_also to .ansible-lint (#127) 134 | 135 | [1.4.4] - 2024-04-04 136 | -------------------- 137 | 138 | ### Other Changes 139 | 140 | - ci: fix python unit test - copy pytest config to tests/unit (#120) 141 | - ci: Bump ansible/ansible-lint from 6 to 24 (#121) 142 | - ci: Bump mathieudutour/github-tag-action from 6.1 to 6.2 (#122) 143 | 144 | [1.4.3] - 2024-01-16 145 | -------------------- 146 | 147 | ### Other Changes 148 | 149 | - ci: support ansible-lint and ansible-test 2.16 (#117) 150 | - ci: Use supported ansible-lint action; run ansible-lint against the collection (#118) 151 | 152 | [1.4.2] - 2023-12-08 153 | -------------------- 154 | 155 | ### Other Changes 156 | 157 | - ci: bump actions/github-script from 6 to 7 (#114) 158 | - refactor: get_ostree_data.sh use env shebang - remove from .sanity* (#115) 159 | 160 | [1.4.1] - 2023-11-29 161 | -------------------- 162 | 163 | ### Other Changes 164 | 165 | - refactor: improve support for ostree systems (#112) 166 | 167 | [1.4.0] - 2023-11-06 168 | -------------------- 169 | 170 | ### New Features 171 | 172 | - feat: support for ostree systems (#110) 173 | 174 | ### Other Changes 175 | 176 | - Bump actions/checkout from 3 to 4 (#102) 177 | - ci: ensure dependabot git commit message conforms to commitlint (#105) 178 | - ci: use dump_packages.py callback to get packages used by role (#107) 179 | - ci: tox-lsr version 3.1.1 (#109) 180 | 181 | [1.3.9] - 2023-09-08 182 | -------------------- 183 | 184 | ### Other Changes 185 | 186 | - ci: Add markdownlint, test_converting_readme, and build_docs workflows (#98) 187 | 188 | - markdownlint runs against README.md to avoid any issues with 189 | converting it to HTML 190 | - test_converting_readme converts README.md > HTML and uploads this test 191 | artifact to ensure that conversion works fine 192 | - build_docs converts README.md > HTML and pushes the result to the 193 | docs branch to publish dosc to GitHub pages site. 194 | - Fix markdown issues in README.md 195 | 196 | Signed-off-by: Sergei Petrosian 197 | 198 | - docs: Make badges consistent, run markdownlint on all .md files (#99) 199 | 200 | - Consistently generate badges for GH workflows in README RHELPLAN-146921 201 | - Run markdownlint on all .md files 202 | - Add custom-woke-action if not used already 203 | - Rename woke action to Woke for a pretty badge 204 | 205 | Signed-off-by: Sergei Petrosian 206 | 207 | - ci: Remove badges from README.md prior to converting to HTML (#100) 208 | 209 | - Remove thematic break after badges 210 | - Remove badges from README.md prior to converting to HTML 211 | 212 | Signed-off-by: Sergei Petrosian 213 | 214 | [1.3.8] - 2023-07-19 215 | -------------------- 216 | 217 | ### Bug Fixes 218 | 219 | - fix: facts being gathered unnecessarily (#96) 220 | 221 | ### Other Changes 222 | 223 | - ci: Add pull request template and run commitlint on PR title only (#93) 224 | - ci: Rename commitlint to PR title Lint, echo PR titles from env var (#94) 225 | - ci: ansible-lint - ignore var-naming[no-role-prefix] (#95) 226 | 227 | [1.3.7] - 2023-05-26 228 | -------------------- 229 | 230 | ### Other Changes 231 | 232 | - docs: Consistent contributing.md for all roles - allow role specific contributing.md section 233 | - docs: add Collection requirements section to README 234 | - docs: Update an outdated limitation and mention previous: replaced 235 | 236 | [1.3.6] - 2023-04-27 237 | -------------------- 238 | 239 | ### Other Changes 240 | 241 | - test: check generated files for ansible_managed, fingerprint 242 | - ci: Add commitlint GitHub action to ensure conventional commits with feedback 243 | 244 | [1.3.5] - 2023-04-13 245 | -------------------- 246 | 247 | ### Other Changes 248 | 249 | - ansible-lint - use changed_when for conditional tasks (#81) 250 | 251 | [1.3.4] - 2023-04-06 252 | -------------------- 253 | 254 | ### Other Changes 255 | 256 | - Add README-ansible.md to refer Ansible intro page on linux-system-roles.github.io (#78) 257 | - Fingerprint RHEL System Role managed config files (#79) 258 | 259 | [1.3.3] - 2023-01-23 260 | -------------------- 261 | 262 | ### New Features 263 | 264 | - none 265 | 266 | ### Bug Fixes 267 | 268 | - fix issues with jinja, ansible-lint (#70) 269 | 270 | ### Other Changes 271 | 272 | - none 273 | 274 | [1.3.2] - 2023-01-20 275 | -------------------- 276 | 277 | ### New Features 278 | 279 | - none 280 | 281 | ### Bug Fixes 282 | 283 | - ansible-lint 6.x fixes (#65) 284 | 285 | ### Other Changes 286 | 287 | - Add check for non-inclusive language (#64) 288 | - cleanup non-inclusive words. 289 | 290 | [1.3.1] - 2022-11-14 291 | -------------------- 292 | 293 | ### New Features 294 | 295 | - none 296 | 297 | ### Bug Fixes 298 | 299 | - none 300 | 301 | ### Other Changes 302 | 303 | - ansible-core 2.14 support (#58) 304 | 305 | Make the role work with ansible-core 2.14 306 | clean up ansible-lint 6.x issues 307 | 308 | [1.3.0] - 2022-11-01 309 | -------------------- 310 | 311 | ### New Features 312 | 313 | - Use the firewall role and the selinux role from the postfix role (#56) 314 | 315 | - Introduce postfix_manage_firewall to use the firewall role to 316 | manage the smtp services. 317 | Default to false - means the firewall role is not used. 318 | 319 | - Introduce postfix_manage_selinux to use the selinux role to 320 | manage the ports in the smtp services. 321 | Assign smtp_port_t to the smtp service ports. 322 | Default to false - means the selinux role is not used. 323 | 324 | - Add the test check task tasks/check_firewall_selinux.yml for 325 | verify the ports status. 326 | 327 | - Add meta/collection-requirements.yml. 328 | 329 | ### Bug Fixes 330 | 331 | - none 332 | 333 | ### Other Changes 334 | 335 | - none 336 | 337 | [1.2.4] - 2022-07-19 338 | -------------------- 339 | 340 | ### New Features 341 | 342 | - none 343 | 344 | ### Bug Fixes 345 | 346 | - none 347 | 348 | ### Other Changes 349 | 350 | - make min_ansible_version a string in meta/main.yml (#48) 351 | 352 | The Ansible developers say that `min_ansible_version` in meta/main.yml 353 | must be a `string` value like `"2.9"`, not a `float` value like `2.9`. 354 | 355 | - Add CHANGELOG.md (#49) 356 | 357 | [1.2.3] - 2022-05-06 358 | -------------------- 359 | 360 | ### New Features 361 | 362 | - none 363 | 364 | ### Bug Fixes 365 | 366 | - none 367 | 368 | ### Other Changes 369 | 370 | - bump tox-lsr version to 2.11.0; remove py37; add py310 371 | 372 | [1.2.2] - 2022-04-25 373 | -------------------- 374 | 375 | ### New Features 376 | 377 | - none 378 | 379 | ### Bug Fixes 380 | 381 | - fix ansible-lint issues 382 | 383 | ### Other Changes 384 | 385 | - none 386 | 387 | [1.2.1] - 2022-04-19 388 | -------------------- 389 | 390 | ### New Features 391 | 392 | - support gather\_facts: false; support setup-snapshot.yml 393 | 394 | ### Bug Fixes 395 | 396 | - none 397 | 398 | ### Other Changes 399 | 400 | - none 401 | 402 | [1.2.0] - 2022-02-24 403 | -------------------- 404 | 405 | ### New Features 406 | 407 | - Remove outdated ansible managed header and use {{ ansible\_managed | comment }} 408 | - Add "previous: replaced" functionality to postfix\_conf dict to reset postfix configuration 409 | 410 | ### Bug Fixes 411 | 412 | - Fix some issues in the role, more info in commits 413 | 414 | ### Other Changes 415 | 416 | - bump tox-lsr version to 2.10.1 417 | 418 | [1.1.3] - 2022-01-10 419 | -------------------- 420 | 421 | ### New Features 422 | 423 | - none 424 | 425 | ### Bug Fixes 426 | 427 | - none 428 | 429 | ### Other Changes 430 | 431 | - bump tox-lsr version to 2.8.3 432 | - change recursive role symlink to individual role dir symlinks 433 | 434 | [1.1.2] - 2021-11-08 435 | -------------------- 436 | 437 | ### New Features 438 | 439 | - support python 39, ansible-core 2.12, ansible-plugin-scan 440 | 441 | ### Bug Fixes 442 | 443 | - none 444 | 445 | ### Other Changes 446 | 447 | - update tox-lsr version to 2.7.1 448 | 449 | [1.1.1] - 2021-09-13 450 | -------------------- 451 | 452 | ### New Features 453 | 454 | - none 455 | 456 | ### Bug Fixes 457 | 458 | - none 459 | 460 | ### Other Changes 461 | 462 | - use tox-lsr version 2.5.1 463 | - use apt-get install -y 464 | 465 | [1.1.0] - 2021-08-10 466 | -------------------- 467 | 468 | ### New Features 469 | 470 | - Drop support for Ansible 2.8 by bumping the Ansible version to 2.9 471 | 472 | ### Bug Fixes 473 | 474 | - none 475 | 476 | ### Other Changes 477 | 478 | - Clean up Ansible 2.8 CI configuration entries 479 | 480 | [1.0.0] - 2021-05-25 481 | -------------------- 482 | 483 | ### Initial Release 484 | -------------------------------------------------------------------------------- /.pandoc_template.html5: -------------------------------------------------------------------------------- 1 | $--| GitHub HTML5 Pandoc Template" v2.2 | 2020/08/12 | pandoc v2.1.1 2 | 3 | 51 | $-------------------------------------------------------------------------> lang 52 | 53 | 54 | $--============================================================================= 55 | $-- METADATA 56 | $--============================================================================= 57 | 58 | 59 | 60 | $-----------------------------------------------------------------------> author 61 | $for(author-meta)$ 62 | 63 | $endfor$ 64 | $-------------------------------------------------------------------------> date 65 | $if(date-meta)$ 66 | 67 | $endif$ 68 | $---------------------------------------------------------------------> keywords 69 | $if(keywords)$ 70 | 71 | $endif$ 72 | $------------------------------------------------------------------> description 73 | $if(description)$ 74 | 75 | $endif$ 76 | $------------------------------------------------------------------------> title 77 | $if(title-prefix)$$title-prefix$ – $endif$$pagetitle$ 78 | $--=========================================================================== 79 | $-- CSS STYLESHEETS 80 | $--=========================================================================== 81 | $-- Here comes the placeholder (within double braces) that will be replaced 82 | $-- by the CSS file in the finalized template: 83 | 86 | $------------------------------------------------------------------------------- 87 | 88 | $------------------------------------------------------------------------------- 89 | $if(quotes)$ 90 | 91 | $endif$ 92 | $-------------------------------------------------------------> highlighting-css 93 | $if(highlighting-css)$ 94 | 97 | $endif$ 98 | $--------------------------------------------------------------------------> css 99 | $for(css)$ 100 | 101 | $endfor$ 102 | $-------------------------------------------------------------------------> math 103 | $if(math)$ 104 | $math$ 105 | $endif$ 106 | $------------------------------------------------------------------------------- 107 | 110 | $--------------------------------------------------------------> header-includes 111 | $for(header-includes)$ 112 | $header-includes$ 113 | $endfor$ 114 | $------------------------------------------------------------------------------- 115 | 116 | 117 |
118 | $---------------------------------------------------------------> include-before 119 | $for(include-before)$ 120 | $include-before$ 121 | $endfor$ 122 | $-->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> IF: title 123 | $if(title)$ 124 |
125 |

$title$

126 | $---------------------------------------------------------------------> subtitle 127 | $if(subtitle)$ 128 |

$subtitle$

129 | $endif$ 130 | $-----------------------------------------------------------------------> author 131 | $for(author)$ 132 |

$author$

133 | $endfor$ 134 | $-------------------------------------------------------------------------> date 135 | $if(date)$ 136 |

$date$

137 | $endif$ 138 | $----------------------------------------------------------------------> summary 139 | $if(summary)$ 140 |
141 | $summary$ 142 |
143 | $endif$ 144 | $------------------------------------------------------------------------------- 145 |
146 | $endif$ 147 | $--<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< END IF: title 148 | $--------------------------------------------------------------------------> toc 149 | $if(toc)$ 150 |
151 | 155 |
156 | $endif$ 157 | $-------------------------------------------------------------------------> body 158 | $body$ 159 | $----------------------------------------------------------------> include-after 160 | $for(include-after)$ 161 | $include-after$ 162 | $endfor$ 163 | $------------------------------------------------------------------------------- 164 |
165 | 166 | 167 | -------------------------------------------------------------------------------- /.README.html: -------------------------------------------------------------------------------- 1 | 2 | 50 | 51 | 52 | 53 | 54 | 55 | postfix 56 | 59 | 60 | 126 | 129 | 130 | 131 |
132 |
133 |

postfix

134 |
135 |
136 | 174 |
175 |

This role can install, configure and start Postfix MTA.

176 |

Requirements

177 |

See below

178 |

Collection requirements

179 |

The role requires the firewall role and the 180 | selinux role from the 181 | fedora.linux_system_roles collection, if 182 | postfix_manage_firewall and 183 | postfix_manage_selinux is set to true, respectively. 184 | (Please see also postfix_manage_firewall 186 | and postfix_manage_selinux)

188 |

If the postfix is a role from the 189 | fedora.linux_system_roles collection or from the Fedora RPM 190 | package, the requirement is already satisfied.

191 |

The role requires additional collections to manage 192 | rpm-ostree systems. If you need to manage 193 | rpm-ostree systems, run the below command to install the 194 | collections.

195 | 
ansible-galaxy collection install -r meta/collection-requirements.yml
197 |

Role Variables

198 |

postfix_conf

199 | 
postfix_conf:
201 |   relayhost: example.com
202 |

This is a dictionary which can hold key/value pairs of all supported 203 | Postfix configuration parameters. Keys not supported by the installed 204 | Postfix are ignored. The default is empty {}.

205 |

You can specify previous: replaced within the 206 | postfix_conf dictionary to remove any existing 207 | configuration and apply the desired configuration on top of clean 208 | postfix installation.

209 |

WARNING: If you specify 210 | previous: replaced, the role reinstalls the postfix package 211 | and replaces the existing /etc/postfix/main.cf and 212 | /etc/postfix/master.cf files. 213 | Ensure to back up those files to 214 | preserve your settings.

215 |

WARNING: When managing rpm-ostree 216 | systems, the role cannot reinstall the postfix package, so it just 217 | replaces the modified config files with empty files. This is not 218 | idempotent.

219 |

If you specify only previous: replaced under the 220 | postfix_conf dictionary, the role re-installs the 221 | postfix package and enables the postfix 222 | service without applying any configuration.

223 |

For example, to remove existing configuration and set 224 | relayhost: example.com on top of clean postfix 225 | installation, use postfix_conf like this:

226 | 
postfix_conf:
228 |   previous: replaced
229 |   relayhost: example.com
230 |

postfix_files

231 | 
postfix_files:
233 |   - name: sasl_passwd
234 |     content: example.com user:password
235 |     postmap: true
236 |   - name: sender_canonical_maps
237 |     content: /.+/  info@example.com
238 |

This is a list of files that will be placed in /etc/postfix and that 239 | can be converted into Postfix Lookup Tables if needed.

240 |

It's meant as a simple mechanism to configure things such as SASL 241 | credentials and other small snippets.

242 |

postfix_check

243 | 
postfix_check: false
245 |

This is a boolean which determines if postfix check is 246 | run before starting Postfix if the configuration has changed. The 247 | default is true.

248 |

postfix_backup

249 | 
postfix_backup: true
251 |

This is a boolean which determines if the role will make a single 252 | backup copy of the configuration - for example, 253 | cp /etc/postfix/main.cf /etc/postfix/main.cf.backup, thus 254 | overwriting the previous backup, if any. The default is 255 | false. NOTE: If you want to set this to true, 256 | you must also set postfix_backup_multiple: false - see 257 | below.

258 |

postfix_backup_multiple

259 | 
postfix_backup_multiple: false
261 |

This is a boolean which determines if the role will make a 262 | timestamped backup copy of the configuration - for example, 263 | cp /etc/postfix/main.cf /etc/postfix/main.cf.$(date -Isec), 264 | thus keeping multiple backup copies. The default is true. 265 | NOTE: This setting overrides postfix_backup, so you must 266 | set this to false if you want to use 267 | postfix_backup.

268 |

postfix_manage_firewall

269 |

Boolean flag allowing to configure firewall using the firewall role. 270 | Manage the smtp related ports, 25/tcp, 465/tcp, and 587/tcp. If the 271 | variable is set to false, the postfix role 272 | does not manage the firewall. Default to false.

273 |

NOTE: postfix_manage_firewall is limited to 274 | adding ports. It cannot be used for removing ports. If 275 | you want to remove ports, you will need to use the firewall system role 276 | directly.

277 |

NOTE: the firewall management is not supported on RHEL 6.

278 |

postfix_manage_selinux

279 |

Boolean flag allowing to configure selinux using the selinux role. 280 | Assign smtp_port_t to the smtp related ports. If the 281 | variable is set to false, the postfix role does not manage 282 | the selinux

283 |

NOTE: postfix_manage_selinux is limited to 284 | adding policy. It cannot be used for removing policy. 285 | If you want to remove policy, you will need to use the selinux system 286 | role directly.

287 |

Variables Exported by the 288 | Role

289 |

postfix_default_database_type

291 |

This is a string which specifies the default database type used by 292 | postfix, which is obtained by using 293 | postconf -h default_database_type. This can be used to set 294 | configuration which depends on the type. NOTE this is 295 | not supported with Ansible 2.9.

296 | 
- name: Manage postfix
298 |   hosts: all
299 |   vars:
300 |     postfix_conf:
301 |       relay_domains: "{{ postfix_default_database_type }}:/etc/postfix/relay_domains"
302 |   roles:
303 |     - linux-system-roles.postfix
304 |

Limitations

305 |

There is no way to remove separate configuration parameters. As a 306 | workaround, you can use postfix_conf's 307 | previous: replaced to remove the existing configuration and 308 | then apply the desired configuration on top of clean postfix 309 | installation. For more information, see postfix_conf.

311 |

Example Playbook

312 |

Install and enable postfix. Configure 313 | relay_domains=$mydestination and 314 | relayhost=example.com.

315 | 
---
317 | - name: Manage postfix
318 |   hosts: all
319 |   vars:
320 |     postfix_conf:
321 |       relay_domains: $mydestination
322 |       relayhost: example.com
323 |   roles:
324 |     - linux-system-roles.postfix
325 |

Install and enable postfix. Do not run 'postfix check' before 326 | restarting postfix:

327 | 
---
329 | - name: Manage postfix with no check
330 |   hosts: all
331 |   vars:
332 |     postfix_check: false
333 |   roles:
334 |     - linux-system-roles.postfix
335 |

Install and enable postfix. Do single backup of main.cf (older backup 336 | will be rewritten) and configure relayhost=example.com:

337 | 
---
339 | - name: Manage postfix with relayhost
340 |   hosts: all
341 |   vars:
342 |     postfix_conf:
343 |       relayhost: example.com
344 |     postfix_backup: true
345 |   roles:
346 |     - linux-system-roles.postfix
347 |

Install and enable postfix. Do timestamped backup of main.cf and 348 | configure relayhost=example.com (if 349 | postfix_backup_multiple is set to true 350 | postfix_backup is ignored):

351 | 
---
353 | - name: Manage postfix with multiple backups
354 |   hosts: all
355 |   vars:
356 |     postfix_conf:
357 |       relayhost: example.com
358 |     postfix_backup_multiple: true
359 |   roles:
360 |     - linux-system-roles.postfix
361 |

rpm-ostree

362 |

See README-ostree.md

363 |

License

364 |

Copyright (C) 2017 Jaroslav Škarvada jskarvad@redhat.com

366 |

This program is free software: you can redistribute it and/or modify 367 | it under the terms of the GNU General Public License as published by the 368 | Free Software Foundation, either version 3 of the License, or (at your 369 | option) any later version.

370 |

This program is distributed in the hope that it will be useful, but 371 | WITHOUT ANY WARRANTY; without even the implied warranty of 372 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General 373 | Public License for more details.

374 |

You should have received a copy of the GNU General Public License 375 | along with this program. If not, see http://www.gnu.org/licenses/.

377 |
378 | 379 | 380 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | --------------------------------------------------------------------------------