LILiK
/
lilik_playbook

- include_role:
    name: service
  # static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
  vars:
    service_name: dovecot
    service_packages:
      - dovecot-ldap
      - dovecot-imapd
      - rsyslog

- lineinfile: dest=/etc/postfix/main.cf line="virtual_transport = dovecot" state=present
  notify: restart postfix

- blockinfile:
    dest: /etc/postfix/master.cf
    block: |
      dovecot   unix  -       n       n       -       -       pipe
        flags=DRhu user=postman:postman argv=/usr/lib/dovecot/deliver -d ${recipient} -f ${sender}
  notify: restart postfix

- name: create postman group
  group:
    name: postman
    state: present

- name: create postman user
  user:
    name: postman
    state: present
    shell: /dev/null

- name: edit dovecot configuration
  lineinfile:
    dest: /etc/dovecot/conf.d/10-master.conf
    line: '    port = 143'
    insertafter: 'inet_listener imap {'
    state: present
  notify: restart dovecot

- blockinfile:
    dest: /etc/dovecot/conf.d/10-master.conf
    insertafter: 'inet_listener imaps {'
    marker: '#{mark} ANSIBLE BLOCK FOR IMAPS PORT'
    block: |
                  port = 993
                  ssl = yes
  notify: restart dovecot

- blockinfile:
    dest: "/etc/dovecot/conf.d/10-master.conf"
    insertafter: "unix_listener auth-userdb {"
    marker: '#{mark} ANSIBLE BLOCK FOR AUTH USER'
    block: |
        group = postman
        mode = 0664
        user = postman
  notify: restart dovecot

- lineinfile:
    dest: /etc/dovecot/conf.d/10-mail.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  with_items:
    - { regexp: '^mail_location = ', line: 'mail_location = maildir:/home/postman/%d/%n' }
    - { regexp: 'mail_gid = ', line: 'mail_gid = postman' }
    - { regexp: 'mail_uid = ', line: 'mail_uid = postman' }
  notify: restart dovecot

- lineinfile:
    dest: /etc/dovecot/conf.d/10-auth.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: "{{ item.state }}"
  with_items:
    - { regexp: None, line: 'mail_location = maildir:/home/postman/%d/%n', state: 'absent'}
    - { regexp: None, line: '!include auth-ldap.conf.ext', state: 'present'}
    - { regexp: 'auth_default_realm =', line: 'auth_default_realm =  {{ domain }}', state: 'present'}
    - { regexp: 'auth_mechanisms =', line: 'auth_mechanisms =  login plain', state: 'present'}
    - { regexp: None, line: '!include auth-ldap.conf.ext', state: 'present'}
  notify: restart dovecot

- name: enable ssl key
  blockinfile:
    dest: /etc/dovecot/conf.d/10-ssl.conf
    block: |
        ssl = yes
        ssl_cert = </etc/dovecot/dovecot.cert
        ssl_key = </etc/dovecot/private/dovecot.key

- name: generate the RSA key
# TODO: reenable openssl_privatekey when moving to ansible 2.3
# openssl_privatekey:
#   path: "/etc/dovecot/private/dovecot.key"
#   size: 2048
#   state: present
#   type: RSA
  shell: "openssl genrsa -out /etc/dovecot/private/dovecot.key 2048"
  args:
    creates: /etc/dovecot/private/dovecot.key
  notify: restart dovecot

- name: generate CSR
  # TODO: reenable openssl_csr when moving to ansible 2.3
  # openssl_csr:
  #   commonName: "{{ fqdn_domain }}"
  #   countryName: "IT"
  #   digest: sha256
  #   localityName: "TUSCANY"
  #   organizationName: "IT"
  #   path: "/etc/dovecot/private/dovecot.csr"
  #   privatekey_path: "/etc/dovecot/private/dovecot.key"
  #   state: present
  #   stateOrProvinceName: "ITALY"
  shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/dovecot/private/dovecot.key -out /etc/dovecot/private/dovecot.csr'
  args:
    creates: /etc/dovecot/private/dovecot.csr
  notify: restart dovecot

- name: lookup ssl ca key
  set_fact:
    ssl_ca_key: "{{ lookup('file', 'test_ssl_ca.crt') }}"

- name: Update ssl CA key
  copy:
    content: "{{ ssl_ca_key }}"
    dest: "/etc/dovecot/ssl_ca.crt"

- name: check if dovecot cert is valid
  command: 'openssl verify -CAfile /etc/dovecot/ssl_ca.crt /etc/dovecot/dovecot.cert'
  register: dovecot_cert_is_valid
  changed_when: false
  failed_when: false

- block:
    - name: get pub key
      slurp:
        src: "/etc/dovecot/private/dovecot.csr"
      register: pub_key

    - debug:
        var: pub_key
        verbosity: 2

    - name: generate host request
      set_fact:
        ca_request:
          type: 'sign_request'
          request:
            keyType: 'ssl_host'
            hostName: '{{ inventory_hostname }}.lilik.it'
            keyData: "{{ pub_key.content| b64decode}}"

    - debug:
        var: ca_request
        verbosity: 2

    - name: start sign request
      include: ca-dialog.yaml

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
        request_output: "{{ request_result.stdout|string|from_json }}"

    - debug:
        var: request_result

    - name: generate get request
      set_fact:
        ca_request:
          type: 'get_certificate'
          requestID: '{{ request_output.requestID }}'

    - debug:
        var: ca_request
        verbosity: 2

    - debug:
        msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

    - name: wait for cert
      include: ca-dialog.yaml

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
        cert_key: "{{ request_result.stdout|string|from_json }}"

    - debug:
        var: request_result
        verbosity: 2

    - name: set pub key
      copy:
        content: "{{ cert_key.result }}"
        dest: "/etc/dovecot/dovecot.cert"
      register: set_pub_key

  when: 'dovecot_cert_is_valid.rc != 0'

- template:
    src: dovecot-ldap.conf.ext.j2
    dest: /etc/dovecot/dovecot-ldap.conf.ext
  notify: restart dovecot