|
|
- - include_role:
- name: service
- # static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
- vars:
- service_name: dovecot
- service_packages:
- - dovecot-ldap
- - dovecot-imapd
- - rsyslog
-
- - lineinfile: dest=/etc/postfix/main.cf line="virtual_transport = dovecot" state=present
- notify: restart postfix
-
- - blockinfile:
- dest: /etc/postfix/master.cf
- block: |
- dovecot unix - n n - - pipe
- flags=DRhu user=postman:postman argv=/usr/lib/dovecot/deliver -d ${recipient} -f ${sender}
- notify: restart postfix
-
- - name: create postman group
- group:
- name: postman
- state: present
-
- - name: create postman user
- user:
- name: postman
- state: present
- shell: /dev/null
-
- - name: edit dovecot configuration
- lineinfile:
- dest: /etc/dovecot/conf.d/10-master.conf
- line: ' port = 143'
- insertafter: 'inet_listener imap {'
- state: present
- notify: restart dovecot
-
- - blockinfile:
- dest: /etc/dovecot/conf.d/10-master.conf
- insertafter: 'inet_listener imaps {'
- marker: '#{mark} ANSIBLE BLOCK FOR IMAPS PORT'
- block: |
- port = 993
- ssl = yes
- notify: restart dovecot
-
- - blockinfile:
- dest: "/etc/dovecot/conf.d/10-master.conf"
- insertafter: "unix_listener auth-userdb {"
- marker: '#{mark} ANSIBLE BLOCK FOR AUTH USER'
- block: |
- group = postman
- mode = 0664
- user = postman
- notify: restart dovecot
-
- - lineinfile:
- dest: /etc/dovecot/conf.d/10-mail.conf
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- state: present
- with_items:
- - { regexp: '^mail_location = ', line: 'mail_location = maildir:/home/postman/%d/%n' }
- - { regexp: 'mail_gid = ', line: 'mail_gid = postman' }
- - { regexp: 'mail_uid = ', line: 'mail_uid = postman' }
- notify: restart dovecot
-
- - lineinfile:
- dest: /etc/dovecot/conf.d/10-auth.conf
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- state: "{{ item.state }}"
- with_items:
- - { regexp: None, line: 'mail_location = maildir:/home/postman/%d/%n', state: 'absent'}
- - { regexp: None, line: '!include auth-ldap.conf.ext', state: 'present'}
- - { regexp: 'auth_default_realm =', line: 'auth_default_realm = {{ domain }}', state: 'present'}
- - { regexp: 'auth_mechanisms =', line: 'auth_mechanisms = login plain', state: 'present'}
- - { regexp: None, line: '!include auth-ldap.conf.ext', state: 'present'}
- notify: restart dovecot
-
- - name: enable ssl key
- blockinfile:
- dest: /etc/dovecot/conf.d/10-ssl.conf
- block: |
- ssl = yes
- ssl_cert = </etc/dovecot/dovecot.cert
- ssl_key = </etc/dovecot/private/dovecot.key
-
- - name: generate the RSA key
- # TODO: reenable openssl_privatekey when moving to ansible 2.3
- # openssl_privatekey:
- # path: "/etc/dovecot/private/dovecot.key"
- # size: 2048
- # state: present
- # type: RSA
- shell: "openssl genrsa -out /etc/dovecot/private/dovecot.key 2048"
- args:
- creates: /etc/dovecot/private/dovecot.key
- notify: restart dovecot
-
- - name: generate CSR
- # TODO: reenable openssl_csr when moving to ansible 2.3
- # openssl_csr:
- # commonName: "{{ fqdn_domain }}"
- # countryName: "IT"
- # digest: sha256
- # localityName: "TUSCANY"
- # organizationName: "IT"
- # path: "/etc/dovecot/private/dovecot.csr"
- # privatekey_path: "/etc/dovecot/private/dovecot.key"
- # state: present
- # stateOrProvinceName: "ITALY"
- shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/dovecot/private/dovecot.key -out /etc/dovecot/private/dovecot.csr'
- args:
- creates: /etc/dovecot/private/dovecot.csr
- notify: restart dovecot
-
- - name: lookup ssl ca key
- set_fact:
- ssl_ca_key: "{{ lookup('file', 'test_ssl_ca.crt') }}"
-
- - name: Update ssl CA key
- copy:
- content: "{{ ssl_ca_key }}"
- dest: "/etc/dovecot/ssl_ca.crt"
-
- - name: check if dovecot cert is valid
- command: 'openssl verify -CAfile /etc/dovecot/ssl_ca.crt /etc/dovecot/dovecot.cert'
- register: dovecot_cert_is_valid
- changed_when: false
- failed_when: false
-
- - block:
- - name: get pub key
- slurp:
- src: "/etc/dovecot/private/dovecot.csr"
- register: pub_key
-
- - debug:
- var: pub_key
- verbosity: 2
-
- - name: generate host request
- set_fact:
- ca_request:
- type: 'sign_request'
- request:
- keyType: 'ssl_host'
- hostName: '{{ inventory_hostname }}.lilik.it'
- keyData: "{{ pub_key.content| b64decode}}"
-
- - debug:
- var: ca_request
- verbosity: 2
-
- - name: start sign request
- include: ca-dialog.yaml
-
- - debug:
- var: request_result
- verbosity: 2
-
- - set_fact:
- request_output: "{{ request_result.stdout|string|from_json }}"
-
- - debug:
- var: request_result
-
- - name: generate get request
- set_fact:
- ca_request:
- type: 'get_certificate'
- requestID: '{{ request_output.requestID }}'
-
- - debug:
- var: ca_request
- verbosity: 2
-
- - debug:
- msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
-
- - name: wait for cert
- include: ca-dialog.yaml
-
- - debug:
- var: request_result
- verbosity: 2
-
- - set_fact:
- cert_key: "{{ request_result.stdout|string|from_json }}"
-
- - debug:
- var: request_result
- verbosity: 2
-
- - name: set pub key
- copy:
- content: "{{ cert_key.result }}"
- dest: "/etc/dovecot/dovecot.cert"
- register: set_pub_key
-
- when: 'dovecot_cert_is_valid.rc != 0'
-
- - template:
- src: dovecot-ldap.conf.ext.j2
- dest: /etc/dovecot/dovecot-ldap.conf.ext
- notify: restart dovecot
|