Merge pull request #1634 from voxpupuli/add-arch-mail-packages

TheMeier · web-flow · commit f45871440dcf · 2025-06-04T10:06:25.000+02:00
Disable mail relay in nginx 1.14
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -77,6 +77,7 @@ The following parameters are available in the `nginx` class:
 
 * [`include_modules_enabled`](#-nginx--include_modules_enabled)
 * [`passenger_package_name`](#-nginx--passenger_package_name)
+* [`mail_package_name`](#-nginx--mail_package_name)
 * [`nginx_version`](#-nginx--nginx_version)
 * [`debug_connections`](#-nginx--debug_connections)
 * [`service_config_check`](#-nginx--service_config_check)
@@ -257,7 +258,8 @@ The following parameters are available in the `nginx` class:
 Data type: `Boolean`
 
 When set, nginx will include module configurations files installed in the
-/etc/nginx/modules-enabled directory.
+/etc/nginx/modules-enabled directory. This is also enabled if mail is
+being configured (to allow the module to be loaded).
 
 Default value: `$nginx::params::include_modules_enabled`
 
@@ -266,10 +268,19 @@ Default value: `$nginx::params::include_modules_enabled`
 Data type: `String[1]`
 
 The name of the package to install in order for the passenger module of
-nginx being usable.
+nginx to be usable.
 
 Default value: `$nginx::params::passenger_package_name`
 
+##### <a name="-nginx--mail_package_name"></a>`mail_package_name`
+
+Data type: `Optional[String[1]]`
+
+The name of the package to install in order for the mail module of
+nginx to be usable.
+
+Default value: `$nginx::params::mail_package_name`
+
 ##### <a name="-nginx--nginx_version"></a>`nginx_version`
 
 Data type: `String[1]`
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -199,6 +199,12 @@
     }
   }
 
+  if ($include_modules_enabled or $nginx::mail) {
+    file { "${conf_dir}/modules-enabled":
+      ensure => directory,
+    }
+  }
+
   file { $log_dir:
     ensure  => directory,
     mode    => $log_mode,
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -10,11 +10,16 @@
 #
 # @param include_modules_enabled
 #   When set, nginx will include module configurations files installed in the
-#   /etc/nginx/modules-enabled directory.
+#   /etc/nginx/modules-enabled directory. This is also enabled if mail is
+#   being configured (to allow the module to be loaded).
 #
 # @param passenger_package_name
 #   The name of the package to install in order for the passenger module of
-#   nginx being usable.
+#   nginx to be usable.
+#
+# @param mail_package_name
+#   The name of the package to install in order for the mail module of
+#   nginx to be usable.
 #
 # @param nginx_version
 #   The version of nginx installed (or being installed).
@@ -375,6 +380,8 @@
   Optional[String] $repo_release                             = undef,
   String $passenger_package_ensure                           = installed,
   String[1] $passenger_package_name                          = $nginx::params::passenger_package_name,
+  # This is optional, to allow it to be set to undef for systems that install it with nginx always
+  Optional[String[1]] $mail_package_name                     = $nginx::params::mail_package_name,
   Optional[Stdlib::HTTPUrl] $repo_source                     = undef,
   ### END Package Configuration ###
 
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -14,6 +14,7 @@
     'log_mode'                => '0750',
     'package_name'            => 'nginx',
     'passenger_package_name'  => 'passenger',
+    'mail_package_name'       => undef,
     'manage_repo'             => false,
     'include_modules_enabled' => false,
     'mime_types'              => {
@@ -104,11 +105,12 @@
   case $facts['os']['family'] {
     'ArchLinux': {
       $_module_os_overrides = {
-        'pid'          => false,
-        'daemon_user'  => 'http',
-        'log_user'     => 'http',
-        'log_group'    => 'log',
-        'package_name' => 'nginx-mainline',
+        'pid'               => false,
+        'daemon_user'       => 'http',
+        'log_user'          => 'http',
+        'log_group'         => 'log',
+        'package_name'      => 'nginx-mainline',
+        'mail_package_name' => 'nginx-mainline-mod-mail',
       }
     }
     'Debian': {
@@ -144,7 +146,8 @@
         }
       } else {
         $_module_os_overrides = {
-          'log_group' => 'nginx',
+          'log_group'         => 'nginx',
+          'mail_package_name' => 'nginx-mod-mail',
         }
       }
     }
@@ -212,6 +215,7 @@
   $root_group              = $_module_parameters['root_group']
   $package_name            = $_module_parameters['package_name']
   $passenger_package_name  = $_module_parameters['passenger_package_name']
+  $mail_package_name       = $_module_parameters['mail_package_name']
   $sites_available_group   = $_module_parameters['root_group']
   ### END Referenced Variables
 }
diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp
@@ -187,6 +187,27 @@
 ) {
   if ! defined(Class['nginx']) {
     fail('You must include the nginx base class before using any defined resources')
+  } elsif versioncmp($facts.get('nginx_version', $nginx::nginx_version), '1.15.0') < 0 {
+    fail('The mail module requires nginx 1.15 or newer')
+  } elsif ! $nginx::mail {
+    fail('nginx mail proxy requires the nginx::mail flag to be set true')
+  }
+
+  if $nginx::mail_package_name {
+    package { $nginx::mail_package_name:
+      ensure => 'installed',
+    }
+    $mail_load_content = $facts['os']['family'] ? {
+      'ArchLinux' => "load_module /usr/lib/nginx/modules/ngx_mail_module.so;\n",
+      'RedHat'    => "load_module /usr/lib64/nginx/modules/ngx_mail_module.so;\n",
+    }
+    file { '/etc/nginx/modules-enabled/mail.conf':
+      ensure  => 'file',
+      owner   => 'root',
+      mode    => '0644',
+      content => $mail_load_content,
+      require => File['/etc/nginx/modules-enabled'],
+    }
   }
 
   # Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled
diff --git a/spec/acceptance/nginx_mail_spec.rb b/spec/acceptance/nginx_mail_spec.rb
@@ -3,17 +3,9 @@
 require 'spec_helper_acceptance'
 
 describe 'nginx::resource::mailhost define:' do
-  has_recent_mail_module = true
-
-  if fact('os.family') == 'RedHat' && fact('os.release.major') == '8'
-    # EPEL had recent nginx-mod-mail package for CentOS 7 but not CentOS 8
-    # Stream.  The base packages use an older version of nginx that does not
-    # work with the acceptance test configuration.
-    has_recent_mail_module = false
-  end
+  has_recent_mail_module = fact('os.family') != 'RedHat' || fact('os.release.major') != '8'
 
   it 'remove leftovers from previous tests', if: fact('os.family') == 'RedHat' do
-    shell('yum -y remove nginx nginx-filesystem passenger')
     # nginx-mod-mail is not available for all versions of nginx, the one
     # installed might be incompatible with the version of nginx-mod-mail we are
     # about to install so clean everything.
@@ -26,23 +18,15 @@
     }
     "
     apply_manifest(pp, catch_failures: true)
+    shell('yum -y remove nginx nginx-filesystem passenger nginx-mod-mail')
+    shell('yum clean all')
   end
 
   context 'actualy test the mail module', if: has_recent_mail_module do
     it 'runs successfully' do
       pp = "
-      if fact('os.family') == 'RedHat' {
-        package { 'nginx-mod-mail':
-          ensure => installed,
-        }
-      }
-
       class { 'nginx':
         mail            => true,
-        dynamic_modules => fact('os.family') ? {
-          'RedHat' => ['/usr/lib64/nginx/modules/ngx_mail_module.so'],
-          default  => [],
-        }
       }
       nginx::resource::mailhost { 'domain1.example':
         ensure      => present,
@@ -79,45 +63,5 @@ class { 'nginx':
     describe port(465) do
       it { is_expected.to be_listening }
     end
-
-    context 'when configured for nginx 1.14', if: !%w[Debian Archlinux].include?(fact('os.family')) do
-      it 'runs successfully' do
-        pp = "
-      if fact('os.family') == 'RedHat' {
-        package { 'nginx-mod-mail':
-          ensure => installed,
-        }
-      }
-
-      class { 'nginx':
-        mail            => true,
-        nginx_version   => '1.14.0',
-        dynamic_modules => fact('os.family') ? {
-          'RedHat' => ['/usr/lib64/nginx/modules/ngx_mail_module.so'],
-          default  => [],
-        }
-      }
-      nginx::resource::mailhost { 'domain1.example':
-        ensure      => present,
-        auth_http   => 'localhost/cgi-bin/auth',
-        protocol    => 'smtp',
-        listen_port => 587,
-        ssl         => true,
-        ssl_port    => 465,
-        ssl_cert    => '/etc/pki/tls/certs/blah.cert',
-        ssl_key     => '/etc/pki/tls/private/blah.key',
-        xclient     => 'off',
-      }
-        "
-
-        apply_manifest(pp, catch_failures: true)
-      end
-
-      describe file('/etc/nginx/conf.mail.d/domain1.example.conf') do
-        it 'does\'t contain `ssl` on `listen` line' do
-          is_expected.to contain 'listen                *:465;'
-        end
-      end
-    end
   end
 end
diff --git a/spec/classes/nginx_spec.rb b/spec/classes/nginx_spec.rb
@@ -16,6 +16,7 @@
           nginx_servers_defaults: { 'listen_options' => 'default_server' },
           nginx_locations: { 'test2.local' => { 'server' => 'test2.local', 'www_root' => '/' } },
           nginx_locations_defaults: { 'expires' => '@12h34m' },
+          mail: true,
           nginx_mailhosts: { 'smtp.test2.local' => { 'auth_http' => 'server2.example/cgi-bin/auth', 'protocol' => 'smtp', 'listen_port' => 587 } },
           nginx_mailhosts_defaults: { 'listen_options' => 'default_server_smtp' },
           nginx_streamhosts: { 'streamhost1' => { 'proxy' => 'streamproxy' } }
diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb
@@ -16,7 +16,7 @@
           ipv6_enable: true
         }
       end
-      let(:pre_condition) { ['include nginx'] }
+      let(:pre_condition) { ['class { "nginx": mail => true }'] }
 
       describe 'os-independent items' do
         describe 'basic assumptions' do
@@ -243,7 +243,7 @@
             end
           end
           context 'mail proxy parameters' do
-            let(:pre_condition) { ['class { "nginx": nginx_version => "1.20.0"}'] }
+            let(:pre_condition) { ['class { "nginx": nginx_version => "1.20.0", mail => true,}'] }
             let(:params) do
               {
                 listen_port: 25,
@@ -689,7 +689,7 @@
                 facts.merge(nginx_version: '1.16.0')
               end
 
-              let(:pre_condition) { ['include nginx'] }
+              let(:pre_condition) { ['class { "nginx": mail => true,}'] }
 
               it 'has `ssl` at end of listen directive' do
                 content = catalogue.resource('concat::fragment', "#{title}-ssl").send(:parameters)[:content]
@@ -698,7 +698,7 @@
             end
 
             context 'when version comes from parameter' do
-              let(:pre_condition) { ['class { "nginx": nginx_version => "1.16.0"}'] }
+              let(:pre_condition) { ['class { "nginx": nginx_version => "1.16.0", mail => true,}'] }
 
               it 'also has `ssl` at end of listen directive' do
                 content = catalogue.resource('concat::fragment', "#{title}-ssl").send(:parameters)[:content]
@@ -707,7 +707,7 @@
             end
 
             context 'mail proxy parameters' do
-              let(:pre_condition) { ['class { "nginx": nginx_version => "1.20.0"}'] }
+              let(:pre_condition) { ['class { "nginx": nginx_version => "1.20.0", mail => true,}'] }
 
               it 'configures mail proxy settings' do
                 content = catalogue.resource('concat::fragment', "#{title}-ssl").send(:parameters)[:content]
diff --git a/templates/conf.d/nginx.conf.erb b/templates/conf.d/nginx.conf.erb
@@ -6,6 +6,7 @@ load_module "<%= mod_item -%>";
 load_module "modules/<%= mod_item -%>.so";
   <%- end -%>
 <%- end -%>
+
 <% if @daemon -%>
 daemon <%= @daemon %>;
 <% end -%>
@@ -23,7 +24,7 @@ pcre_jit <%= @pcre_jit %>;
 <% if @pid -%>
 pid        <%= @pid %>;
 <% end -%>
-<% if @include_modules_enabled -%>
+<% if @include_modules_enabled or @mail -%>
 include /etc/nginx/modules-enabled/*.conf;
 <% end -%>
 <% if @nginx_cfg_prepend -%>
diff --git a/templates/mailhost/mailhost_ssl.epp b/templates/mailhost/mailhost_ssl.epp
@@ -14,16 +14,13 @@
 server {
 <%= $mailhost_prepend -%>
 <%- $listen_ip.each |$ip| { -%>
-  listen                <%= $ip %>:<%= $ssl_port %><% if versioncmp($nginx_version, '1.15.0') >= 0 { %> ssl<% } %>;
+  listen                <%= $ip %>:<%= $ssl_port %> ssl;
 <%- } -%>
 <%- $ipv6_listen_ip.each |$ipv6| { -%>
   listen                [<%= $ipv6 %>]:<%= $ssl_port %> <% if $ipv6_listen_options { %><%= $ipv6_listen_options %><% } %>;
 <%- } -%>
 <%= $mailhost_common -%>
 
-<%- if versioncmp($nginx_version, '1.15.0') < 0 { -%>
-  ssl                   on;
-<% } %>
   starttls              off;
 
 <%= $mailhost_ssl_settings -%>

Original file line number	Diff line number	Diff line change
`@@ -199,6 +199,12 @@`
`199`	`199`	`}`
`200`	`200`	`}`
`201`	`201`
	`202`	`+ if ($include_modules_enabled or $nginx::mail) {`
	`203`	`+ file { "${conf_dir}/modules-enabled":`
	`204`	`+ ensure => directory,`
	`205`	`+ }`
	`206`	`+ }`
	`207`	`+`
`202`	`208`	`file { $log_dir:`
`203`	`209`	`ensure => directory,`
`204`	`210`	`mode => $log_mode,`