You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
209 lines
5.7 KiB
209 lines
5.7 KiB
- include_role:
|
|
name: service
|
|
# static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
|
|
vars:
|
|
service_name: dovecot
|
|
service_packages:
|
|
- dovecot-ldap
|
|
- dovecot-imapd
|
|
- rsyslog
|
|
|
|
- lineinfile: dest=/etc/postfix/main.cf line="virtual_transport = dovecot" state=present
|
|
notify: restart postfix
|
|
|
|
- blockinfile:
|
|
dest: /etc/postfix/master.cf
|
|
block: |
|
|
dovecot unix - n n - - pipe
|
|
flags=DRhu user=postman:postman argv=/usr/lib/dovecot/deliver -d ${recipient} -f ${sender}
|
|
notify: restart postfix
|
|
|
|
- name: create postman group
|
|
group:
|
|
name: postman
|
|
state: present
|
|
|
|
- name: create postman user
|
|
user:
|
|
name: postman
|
|
state: present
|
|
shell: /dev/null
|
|
|
|
- name: edit dovecot configuration
|
|
lineinfile:
|
|
dest: /etc/dovecot/conf.d/10-master.conf
|
|
line: ' port = 143'
|
|
insertafter: 'inet_listener imap {'
|
|
state: present
|
|
notify: restart dovecot
|
|
|
|
- blockinfile:
|
|
dest: /etc/dovecot/conf.d/10-master.conf
|
|
insertafter: 'inet_listener imaps {'
|
|
marker: '#{mark} ANSIBLE BLOCK FOR IMAPS PORT'
|
|
block: |
|
|
port = 993
|
|
ssl = yes
|
|
notify: restart dovecot
|
|
|
|
- blockinfile:
|
|
dest: "/etc/dovecot/conf.d/10-master.conf"
|
|
insertafter: "unix_listener auth-userdb {"
|
|
marker: '#{mark} ANSIBLE BLOCK FOR AUTH USER'
|
|
block: |
|
|
group = postman
|
|
mode = 0664
|
|
user = postman
|
|
notify: restart dovecot
|
|
|
|
- lineinfile:
|
|
dest: /etc/dovecot/conf.d/10-mail.conf
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
with_items:
|
|
- { regexp: '^mail_location = ', line: 'mail_location = maildir:/home/postman/%d/%n' }
|
|
- { regexp: 'mail_gid = ', line: 'mail_gid = postman' }
|
|
- { regexp: 'mail_uid = ', line: 'mail_uid = postman' }
|
|
notify: restart dovecot
|
|
|
|
- lineinfile:
|
|
dest: /etc/dovecot/conf.d/10-auth.conf
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: "{{ item.state }}"
|
|
with_items:
|
|
- { regexp: None, line: 'mail_location = maildir:/home/postman/%d/%n', state: 'absent'}
|
|
- { regexp: None, line: '!include auth-ldap.conf.ext', state: 'present'}
|
|
- { regexp: 'auth_default_realm =', line: 'auth_default_realm = {{ domain }}', state: 'present'}
|
|
- { regexp: 'auth_mechanisms =', line: 'auth_mechanisms = login plain', state: 'present'}
|
|
- { regexp: None, line: '!include auth-ldap.conf.ext', state: 'present'}
|
|
notify: restart dovecot
|
|
|
|
- name: enable ssl key
|
|
blockinfile:
|
|
dest: /etc/dovecot/conf.d/10-ssl.conf
|
|
block: |
|
|
ssl = yes
|
|
ssl_cert = </etc/dovecot/dovecot.cert
|
|
ssl_key = </etc/dovecot/private/dovecot.key
|
|
|
|
- name: generate the RSA key
|
|
# TODO: reenable openssl_privatekey when moving to ansible 2.3
|
|
# openssl_privatekey:
|
|
# path: "/etc/dovecot/private/dovecot.key"
|
|
# size: 2048
|
|
# state: present
|
|
# type: RSA
|
|
shell: "openssl genrsa -out /etc/dovecot/private/dovecot.key 2048"
|
|
args:
|
|
creates: /etc/dovecot/private/dovecot.key
|
|
notify: restart dovecot
|
|
|
|
- name: generate CSR
|
|
# TODO: reenable openssl_csr when moving to ansible 2.3
|
|
# openssl_csr:
|
|
# commonName: "{{ fqdn_domain }}"
|
|
# countryName: "IT"
|
|
# digest: sha256
|
|
# localityName: "TUSCANY"
|
|
# organizationName: "IT"
|
|
# path: "/etc/dovecot/private/dovecot.csr"
|
|
# privatekey_path: "/etc/dovecot/private/dovecot.key"
|
|
# state: present
|
|
# stateOrProvinceName: "ITALY"
|
|
shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/dovecot/private/dovecot.key -out /etc/dovecot/private/dovecot.csr'
|
|
args:
|
|
creates: /etc/dovecot/private/dovecot.csr
|
|
notify: restart dovecot
|
|
|
|
- name: lookup ssl ca key
|
|
set_fact:
|
|
ssl_ca_key: "{{ lookup('file', 'lilik_ca_w1.pub') }}"
|
|
|
|
- name: Update ssl CA key
|
|
copy:
|
|
content: "{{ ssl_ca_key }}"
|
|
dest: "/etc/dovecot/ssl_ca.crt"
|
|
|
|
- name: check if dovecot cert is valid
|
|
command: 'openssl verify -CAfile /etc/dovecot/ssl_ca.crt /etc/dovecot/dovecot.cert'
|
|
register: dovecot_cert_is_valid
|
|
changed_when: false
|
|
failed_when: false
|
|
|
|
- block:
|
|
- name: get pub key
|
|
slurp:
|
|
src: "/etc/dovecot/private/dovecot.csr"
|
|
register: pub_key
|
|
|
|
- debug:
|
|
var: pub_key
|
|
verbosity: 2
|
|
|
|
- name: generate host request
|
|
set_fact:
|
|
ca_request:
|
|
type: 'sign_request'
|
|
request:
|
|
keyType: 'ssl_host'
|
|
hostName: '{{ inventory_hostname }}.lilik.it'
|
|
keyData: "{{ pub_key.content| b64decode}}"
|
|
|
|
- debug:
|
|
var: authorities_request
|
|
verbosity: 2
|
|
|
|
- name: start sign request
|
|
include: ca-dialog.yaml
|
|
|
|
- debug:
|
|
var: request_result
|
|
verbosity: 2
|
|
|
|
- set_fact:
|
|
request_output: "{{ request_result.stdout|string|from_json }}"
|
|
|
|
- debug:
|
|
var: request_result
|
|
|
|
- name: generate get request
|
|
set_fact:
|
|
ca_request:
|
|
type: 'get_certificate'
|
|
requestID: '{{ request_output.requestID }}'
|
|
|
|
- debug:
|
|
var: authorities_request
|
|
verbosity: 2
|
|
|
|
- debug:
|
|
msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
|
|
|
|
- name: wait for cert
|
|
include: ca-dialog.yaml
|
|
|
|
- debug:
|
|
var: request_result
|
|
verbosity: 2
|
|
|
|
- set_fact:
|
|
cert_key: "{{ request_result.stdout|string|from_json }}"
|
|
|
|
- debug:
|
|
var: request_result
|
|
verbosity: 2
|
|
|
|
- name: set pub key
|
|
copy:
|
|
content: "{{ cert_key.result }}"
|
|
dest: "/etc/dovecot/dovecot.cert"
|
|
register: set_pub_key
|
|
|
|
when: 'dovecot_cert_is_valid.rc != 0'
|
|
|
|
- template:
|
|
src: dovecot-ldap.conf.ext.j2
|
|
dest: /etc/dovecot/dovecot-ldap.conf.ext
|
|
notify: restart dovecot
|