LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
255 Commits
12 Branches
967 KiB
Tree: 2de8869ba3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2de8869ba3'
${ noResults }
lilik_playbook/roles/exim4/tasks/main.yaml

269 lines
7.1 KiB
Raw Normal View History

add exim4 role (RELAY/sympa_transport)
8 years ago
move service task and handler to a separate role (see ansible issue 23389, 20603, 15902) Resolves #13
8 years ago
add exim4 role (RELAY/sympa_transport)
8 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
8 years ago
fix exim4 opendkim
7 years ago
add new ssh and ssl CA
7 years ago
fix exim4 opendkim
7 years ago
add new ssh and ssl CA
7 years ago
fix exim4 opendkim
7 years ago
add new ssh and ssl CA
7 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
8 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
8 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
8 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
8 years ago
fix exim4 opendkim
7 years ago
add opendkim to exim4 and postfix
8 years ago
fix exim4 opendkim
7 years ago
add exim4 role (RELAY/sympa_transport)
8 years ago
add opendkim to exim4 and postfix
8 years ago
add exim4 role (RELAY/sympa_transport)
8 years ago
fix exim4 opendkim
7 years ago
add exim4 role (RELAY/sympa_transport)
8 years ago
 
  1. 

  2. - name: configure exim4-config

  3.   debconf:

  4.       name: 'exim4-config'

  5.       question: '{{ item.key }}'

  6.       vtype: 'string'

  7.       value: '{{ item.value }}'

  8.   with_dict:

  9.     exim4/dc_smarthost: '{{ stmp_relay }}'

  10.     exim4/dc_minimaldns: false

  11.     exim4/dc_postmaster:

  12.     exim4/dc_localdelivery: mbox format in /var/mail/

  13.     exim4/dc_readhost:

  14.     exim4/dc_other_hostnames: '{{ ansible_hostname }}.lilik.it'

  15.     exim4/dc_relay_nets:

  16.     exim4/exim4-config-title:

  17.     exim4/no_config: false

  18.     exim4/mailname: '{{ ansible_hostname }}.lilik.it'

  19.     exim4/use_split_config: false

  20.     exim4/hide_mailname: false

  21.     exim4/dc_relay_domains:

  22.   notify:

  23.     - update exim4 configuration

  24.     - restart exim4

  25. 

  26. - name: configure exim4-config (sympa_transport)

  27.   debconf:

  28.       name: 'exim4-config'

  29.       question: '{{ item.key }}'

  30.       vtype: 'string'

  31.       value: '{{ item.value }}'

  32.   with_dict:

  33.     exim4/dc_eximconfig_configtype: mail sent by smarthost; received via SMTP or fetchmail

  34.     exim4/dc_local_interfaces:

  35.   when: sympa_transport | bool

  36.   notify:

  37.     - update exim4 configuration

  38.     - restart exim4

  39. 

  40. 

  41. - name: configure exim4-config (smarthost)

  42.   debconf:

  43.       name: 'exim4-config'

  44.       question: '{{ item.key }}'

  45.       vtype: 'string'

  46.       value: '{{ item.value }}'

  47.   with_dict:

  48.     exim4/dc_eximconfig_configtype: mail sent by smarthost; no local mail

  49.     exim4/dc_local_interfaces: 127.0.0.1 ; ::1

  50.   when: not sympa_transport | bool

  51.   notify:

  52.     - update exim4 configuration

  53.     - restart exim4

  54. 

  55. - block:

  56.   - include_role:

  57.       name: service

  58.     # static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485

  59.     vars:

  60.       service_name: exim4

  61.       service_packages:

  62.         - exim4

  63. 

  64. - name: generate the RSA key

  65. # TODO: reenable openssl_privatekey when moving to ansible 2.3

  66. # openssl_privatekey:

  67. #   path: "/etc/exim4/exim.key"

  68. #   size: 2048

  69. #   state: present

  70. #   type: RSA

  71.   shell: "openssl genrsa -out /etc/exim4/exim.key 2048"

  72.   args:

  73.     creates: /etc/exim4/exim.key

  74.   notify: restart exim4

  75. 

  76. - name: generate CSR

  77.   # TODO: reenable openssl_csr when moving to ansible 2.3

  78.   # openssl_csr:

  79.   #   commonName: "{{ fqdn_domain }}"

  80.   #   countryName: "IT"

  81.   #   digest: sha256

  82.   #   localityName: "TUSCANY"

  83.   #   organizationName: "IT"

  84.   #   path: "/etc/exim4/exim.csr"

  85.   #   privatekey_path: "/etc/exim4/exim.key"

  86.   #   state: present

  87.   #   stateOrProvinceName: "ITALY"

  88.   shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/exim4/exim.key -out /etc/exim4/exim.csr'

  89.   args:

  90.     creates: /etc/exim4/exim.csr

  91.   notify: restart exim4

  92. 

  93. - name: lookup ssl ca key

  94.   set_fact:

  95.     ssl_ca_key: "{{ lookup('file', 'lilik_ca_w1.pub') }}"

  96. 

  97. - name: Update ssl CA key

  98.   copy:

  99.     content: "{{ ssl_ca_key }}"

  100.     dest: "/etc/exim4/ssl_ca.crt"

  101. 

  102. - name: check if exim4 cert is valid

  103.   command: 'openssl verify -CAfile /etc/exim4/ssl_ca.crt /etc/exim4/exim.crt'

  104.   register: exim4_cert_is_valid

  105.   changed_when: false

  106.   failed_when: false

  107. 

  108. - block:

  109.     - name: get pub key

  110.       slurp:

  111.         src: "/etc/exim4/exim.csr"

  112.       register: pub_key

  113. 

  114.     - debug:

  115.         var: pub_key

  116.         verbosity: 2

  117. 

  118.     - name: generate host request

  119.       set_fact:

  120.         ca_request:

  121.           type: 'sign_request'

  122.           request:

  123.             keyType: 'ssl_host'

  124.             hostName: '{{ inventory_hostname }}.lilik.it'

  125.             keyData: "{{ pub_key.content| b64decode}}"

  126. 

  127.     - debug:

  128.         var: authorities_request

  129.         verbosity: 2

  130. 

  131.     - name: start sign request

  132.       include: ca-dialog.yaml

  133. 

  134.     - debug:

  135.         var: request_result

  136.         verbosity: 2

  137. 

  138.     - set_fact:

  139.         request_output: "{{ request_result.stdout|string|from_json }}"

  140. 

  141.     - debug:

  142.         var: request_result

  143. 

  144.     - name: generate get request

  145.       set_fact:

  146.         ca_request:

  147.           type: 'get_certificate'

  148.           requestID: '{{ request_output.requestID }}'

  149. 

  150.     - debug:

  151.         var: authorities_request

  152.         verbosity: 2

  153. 

  154.     - debug:

  155.         msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

  156. 

  157.     - name: wait for cert

  158.       include: ca-dialog.yaml

  159. 

  160.     - debug:

  161.         var: request_result

  162.         verbosity: 2

  163. 

  164.     - set_fact:

  165.         cert_key: "{{ request_result.stdout|string|from_json }}"

  166. 

  167.     - debug:

  168.         var: request_result

  169.         verbosity: 2

  170. 

  171.     - name: set pub key

  172.       copy:

  173.         content: "{{ cert_key.result }}"

  174.         dest: "/etc/exim4/exim.crt"

  175.       register: set_pub_key

  176. 

  177.   when: 'exim4_cert_is_valid.rc != 0'

  178. 

  179. - include_role:

  180.     name: service

  181.   vars:

  182.     service_name: opendkim

  183.     service_packages:

  184.            - opendkim

  185.            - opendkim-tools

  186. 

  187. - name: create opendkim folder

  188.   file:

  189.     path: /etc/opendkim/

  190.     state: directory

  191.     mode: 0750

  192.     owner: root

  193.     group: Debian-exim

  194. 

  195. - name: create opendkim key for lilik.it

  196.   command: "opendkim-genkey -D /etc/opendkim/ -d {{ fqdn_domain }} -s {{ ansible_hostname }}"

  197.   args:

  198.     creates: '/etc/opendkim/{{ ansible_hostname }}.private'

  199. 

  200. - name: check /etc/opendkim/{{ ansible_hostname }}.private permissions

  201.   file:

  202.     path: '/etc/opendkim/{{ ansible_hostname }}.private'

  203.     owner: root

  204.     group: Debian-exim

  205.     mode: 0640

  206. 

  207. - name: exim4 macro for TLS, DKIM

  208.   blockinfile:

  209.     dest: /etc/exim4/exim4.conf.localmacros

  210.     block: |

  211.             MAIN_TLS_ENABLE = yes

  212. 

  213.             DKIM_CANON = relaxed

  214.             DKIM_SELECTOR = {{ ansible_hostname}}

  215.             DKIM_DOMAIN = {{ fqdn_domain }}

  216.             DKIM_PRIVATE_KEY = /etc/opendkim/{{ ansible_hostname }}.private

  217.     create: yes

  218.     marker: 	"# {mark} ANSIBLE MANAGED BLOCK 1"

  219.   notify:

  220.     - update exim4 configuration

  221.     - restart exim4

  222. 

  223. - block:

  224.   - name: exim4 macro for sympa aliases

  225.     blockinfile:

  226.       dest: /etc/exim4/exim4.conf.localmacros

  227.       block: |

  228. 

  229. 

  230.               #--------------

  231.               # Activating pipe transport in system_aliases router (pipes in /etc/aliases)

  232.               .ifndef SYSTEM_ALIASES_PIPE_TRANSPORT

  233.               SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe

  234.               .endif

  235.               .ifndef SYSTEM_ALIASES_USER

  236.               SYSTEM_ALIASES_USER = sympa

  237.               .endif

  238.               .ifndef SYSTEM_ALIASES_GROUP

  239.               SYSTEM_ALIASES_GROUP = sympa

  240.               .endif

  241.               #--------------

  242.       create: yes

  243.       marker: 	"# {mark} ANSIBLE MANAGED BLOCK 2"

  244.     notify:

  245.       - update exim4 configuration

  246.       - restart exim4

  247. 

  248.   - name: exim4 pipe for sympa aliases

  249.     blockinfile:

  250.       dest: /etc/exim4/exim4.conf.template

  251.       block: |

  252.               #--------------

  253.               # Using alias pipe definitions for the Sympa lists in /etc/mail/sympa/aliases

  254.               sympa_aliases:

  255.                 debug_print = "R: system_aliases for $local_part@$domain"

  256.                 driver = redirect

  257.                 domains = +local_domains

  258.                 allow_fail

  259.                 allow_defer

  260.                 data = ${lookup{$local_part}lsearch{/etc/mail/sympa/aliases}}

  261.                 user = sympa

  262.                 group = sympa

  263.                 pipe_transport = address_pipe

  264.               #--------------

  265.       insertbefore: 'system_aliases:'

  266.     notify:

  267.       - update-exim4.conf

  268.       - restart exim4

  269.   when: sympa_transport | bool