LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
327 Commits
12 Branches
967 KiB
Tree: 0f75220c72
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0f75220c72'
${ noResults }
lilik_playbook/roles/exim4/tasks/main.yaml

254 lines
6.8 KiB
Raw Normal View History

integrate debug in ca-dialog move debug messages from roles in task ca-dialog
6 years ago
add exim4 role (RELAY/sympa_transport)
8 years ago
move service task and handler to a separate role (see ansible issue 23389, 20603, 15902) Resolves #13
8 years ago
add exim4 role (RELAY/sympa_transport)
8 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
7 years ago
fix exim4 opendkim
7 years ago
add new ssh and ssl CA
7 years ago
fix exim4 opendkim
7 years ago
use module cert_request where possible this module read a file containing a public key and prepares the sign_request for a ssl_host or ssh_host request
6 years ago
fix exim4 opendkim
7 years ago
add new ssh and ssl CA
7 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
7 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
7 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
7 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
7 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
7 years ago
fix exim4 opendkim
7 years ago
add exim4 role (RELAY/sympa_transport)
8 years ago
add opendkim to exim4 and postfix
7 years ago
add exim4 role (RELAY/sympa_transport)
8 years ago
fix exim4 opendkim
7 years ago
add exim4 role (RELAY/sympa_transport)
8 years ago
 
  1. ---

  2. - name: configure exim4-config

  3.   debconf:

  4.       name: 'exim4-config'

  5.       question: '{{ item.key }}'

  6.       vtype: 'string'

  7.       value: '{{ item.value }}'

  8.   with_dict:

  9.     exim4/dc_smarthost: '{{ stmp_relay }}'

  10.     exim4/dc_minimaldns: false

  11.     exim4/dc_postmaster:

  12.     exim4/dc_localdelivery: mbox format in /var/mail/

  13.     exim4/dc_readhost:

  14.     exim4/dc_other_hostnames: '{{ ansible_hostname }}.lilik.it'

  15.     exim4/dc_relay_nets:

  16.     exim4/exim4-config-title:

  17.     exim4/no_config: false

  18.     exim4/mailname: '{{ ansible_hostname }}.lilik.it'

  19.     exim4/use_split_config: false

  20.     exim4/hide_mailname: false

  21.     exim4/dc_relay_domains:

  22.   notify:

  23.     - update exim4 configuration

  24.     - restart exim4

  25. 

  26. - name: configure exim4-config (sympa_transport)

  27.   debconf:

  28.       name: 'exim4-config'

  29.       question: '{{ item.key }}'

  30.       vtype: 'string'

  31.       value: '{{ item.value }}'

  32.   with_dict:

  33.     exim4/dc_eximconfig_configtype: mail sent by smarthost; received via SMTP or fetchmail

  34.     exim4/dc_local_interfaces:

  35.   when: sympa_transport | bool

  36.   notify:

  37.     - update exim4 configuration

  38.     - restart exim4

  39. 

  40. 

  41. - name: configure exim4-config (smarthost)

  42.   debconf:

  43.       name: 'exim4-config'

  44.       question: '{{ item.key }}'

  45.       vtype: 'string'

  46.       value: '{{ item.value }}'

  47.   with_dict:

  48.     exim4/dc_eximconfig_configtype: mail sent by smarthost; no local mail

  49.     exim4/dc_local_interfaces: 127.0.0.1 ; ::1

  50.   when: not sympa_transport | bool

  51.   notify:

  52.     - update exim4 configuration

  53.     - restart exim4

  54. 

  55. - block:

  56.   - include_role:

  57.       name: service

  58.     # static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485

  59.     vars:

  60.       service_name: exim4

  61.       service_packages:

  62.         - exim4

  63. 

  64. - name: generate the RSA key

  65. # TODO: reenable openssl_privatekey when moving to ansible 2.3

  66. # openssl_privatekey:

  67. #   path: "/etc/exim4/exim.key"

  68. #   size: 2048

  69. #   state: present

  70. #   type: RSA

  71.   shell: "openssl genrsa -out /etc/exim4/exim.key 2048"

  72.   args:

  73.     creates: /etc/exim4/exim.key

  74.   notify: restart exim4

  75. 

  76. - name: generate CSR

  77.   # TODO: reenable openssl_csr when moving to ansible 2.3

  78.   # openssl_csr:

  79.   #   commonName: "{{ fqdn_domain }}"

  80.   #   countryName: "IT"

  81.   #   digest: sha256

  82.   #   localityName: "TUSCANY"

  83.   #   organizationName: "IT"

  84.   #   path: "/etc/exim4/exim.csr"

  85.   #   privatekey_path: "/etc/exim4/exim.key"

  86.   #   state: present

  87.   #   stateOrProvinceName: "ITALY"

  88.   shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/exim4/exim.key -out /etc/exim4/exim.csr'

  89.   args:

  90.     creates: /etc/exim4/exim.csr

  91.   notify: restart exim4

  92. 

  93. - name: lookup ssl ca key

  94.   set_fact:

  95.     ssl_ca_key: "{{ lookup('file', 'lilik_ca_w1.pub') }}"

  96. 

  97. - name: Update ssl CA key

  98.   copy:

  99.     content: "{{ ssl_ca_key }}"

  100.     dest: "/etc/exim4/ssl_ca.crt"

  101. 

  102. - name: check if exim4 cert is valid

  103.   command: 'openssl verify -CAfile /etc/exim4/ssl_ca.crt /etc/exim4/exim.crt'

  104.   register: exim4_cert_is_valid

  105.   changed_when: false

  106.   failed_when: false

  107. 

  108. - block:

  109.     - name: generate host request

  110.       cert_request:

  111.         proto: 'ssl'

  112.         host: '{{ inventory_hostname }}.lilik.it'

  113.         path: "/etc/exim4/exim.csr"

  114.       register: ca_request

  115. 

  116.     - name: start sign request

  117.       include: ca-dialog.yaml

  118. 

  119.     - debug:

  120.         var: request_result

  121.         verbosity: 2

  122. 

  123.     - set_fact:

  124.         request_output: "{{ request_result.stdout|string|from_json }}"

  125. 

  126.     - debug:

  127.         var: request_result

  128. 

  129.     - name: generate get request

  130.       set_fact:

  131.         ca_request:

  132.           type: 'get_certificate'

  133.           requestID: '{{ request_output.requestID }}'

  134. 

  135.     - debug:

  136.         var: authorities_request

  137.         verbosity: 2

  138. 

  139.     - debug:

  140.         msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

  141. 

  142.     - name: wait for cert

  143.       include: ca-dialog.yaml

  144. 

  145.     - debug:

  146.         var: request_result

  147.         verbosity: 2

  148. 

  149.     - set_fact:

  150.         cert_key: "{{ request_result.stdout|string|from_json }}"

  151. 

  152.     - debug:

  153.         var: request_result

  154.         verbosity: 2

  155. 

  156.     - name: set pub key

  157.       copy:

  158.         content: "{{ cert_key.result }}"

  159.         dest: "/etc/exim4/exim.crt"

  160.       register: set_pub_key

  161. 

  162.   when: 'exim4_cert_is_valid.rc != 0'

  163. 

  164. - include_role:

  165.     name: service

  166.   vars:

  167.     service_name: opendkim

  168.     service_packages:

  169.            - opendkim

  170.            - opendkim-tools

  171. 

  172. - name: create opendkim folder

  173.   file:

  174.     path: /etc/opendkim/

  175.     state: directory

  176.     mode: 0750

  177.     owner: root

  178.     group: Debian-exim

  179. 

  180. - name: create opendkim key for lilik.it

  181.   command: "opendkim-genkey -D /etc/opendkim/ -d {{ fqdn_domain }} -s {{ ansible_hostname }}"

  182.   args:

  183.     creates: '/etc/opendkim/{{ ansible_hostname }}.private'

  184. 

  185. - name: check /etc/opendkim/{{ ansible_hostname }}.private permissions

  186.   file:

  187.     path: '/etc/opendkim/{{ ansible_hostname }}.private'

  188.     owner: root

  189.     group: Debian-exim

  190.     mode: 0640

  191. 

  192. - name: exim4 macro for TLS, DKIM

  193.   blockinfile:

  194.     dest: /etc/exim4/exim4.conf.localmacros

  195.     block: |

  196.             MAIN_TLS_ENABLE = yes

  197. 

  198.             DKIM_CANON = relaxed

  199.             DKIM_SELECTOR = {{ ansible_hostname}}

  200.             DKIM_DOMAIN = {{ fqdn_domain }}

  201.             DKIM_PRIVATE_KEY = /etc/opendkim/{{ ansible_hostname }}.private

  202.     create: yes

  203.     marker: 	"# {mark} ANSIBLE MANAGED BLOCK 1"

  204.   notify:

  205.     - update exim4 configuration

  206.     - restart exim4

  207. 

  208. - block:

  209.   - name: exim4 macro for sympa aliases

  210.     blockinfile:

  211.       dest: /etc/exim4/exim4.conf.localmacros

  212.       block: |

  213. 

  214. 

  215.               #--------------

  216.               # Activating pipe transport in system_aliases router (pipes in /etc/aliases)

  217.               .ifndef SYSTEM_ALIASES_PIPE_TRANSPORT

  218.               SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe

  219.               .endif

  220.               .ifndef SYSTEM_ALIASES_USER

  221.               SYSTEM_ALIASES_USER = sympa

  222.               .endif

  223.               .ifndef SYSTEM_ALIASES_GROUP

  224.               SYSTEM_ALIASES_GROUP = sympa

  225.               .endif

  226.               #--------------

  227.       create: yes

  228.       marker: 	"# {mark} ANSIBLE MANAGED BLOCK 2"

  229.     notify:

  230.       - update exim4 configuration

  231.       - restart exim4

  232. 

  233.   - name: exim4 pipe for sympa aliases

  234.     blockinfile:

  235.       dest: /etc/exim4/exim4.conf.template

  236.       block: |

  237.               #--------------

  238.               # Using alias pipe definitions for the Sympa lists in /etc/mail/sympa/aliases

  239.               sympa_aliases:

  240.                 debug_print = "R: system_aliases for $local_part@$domain"

  241.                 driver = redirect

  242.                 domains = +local_domains

  243.                 allow_fail

  244.                 allow_defer

  245.                 data = ${lookup{$local_part}lsearch{/etc/mail/sympa/aliases}}

  246.                 user = sympa

  247.                 group = sympa

  248.                 pipe_transport = address_pipe

  249.               #--------------

  250.       insertbefore: 'system_aliases:'

  251.     notify:

  252.       - update-exim4.conf

  253.       - restart exim4

  254.   when: sympa_transport | bool