lilik_playbook/roles/dovecot/tasks/main.yaml

- include_role:
    name: service
  # static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
  vars:
    service_name: dovecot
    service_packages:
      - dovecot-ldap
      - dovecot-imapd
      - rsyslog

- lineinfile: dest=/etc/postfix/main.cf line="virtual_transport = dovecot" state=present
  notify: restart postfix

- blockinfile:
    dest: /etc/postfix/master.cf
    block: |
      dovecot   unix  -       n       n       -       -       pipe
        flags=DRhu user=postman:postman argv=/usr/lib/dovecot/deliver -d ${recipient} -f ${sender}
  notify: restart postfix

- name: create postman group
  group:
    name: postman
    state: present

- name: create postman user
  user:
    name: postman
    state: present
    shell: /dev/null

- name: edit dovecot configuration
  lineinfile:
    dest: /etc/dovecot/conf.d/10-master.conf
    line: '    port = 143'
    insertafter: 'inet_listener imap {'
    state: present
  notify: restart dovecot

- blockinfile:
    dest: /etc/dovecot/conf.d/10-master.conf
    insertafter: 'inet_listener imaps {'
    marker: '#{mark} ANSIBLE BLOCK FOR IMAPS PORT'
    block: |
                  port = 993
                  ssl = yes
  notify: restart dovecot

- blockinfile:
    dest: "/etc/dovecot/conf.d/10-master.conf"
    insertafter: "unix_listener auth-userdb {"
    marker: '#{mark} ANSIBLE BLOCK FOR AUTH USER'
    block: |
        group = postman
        mode = 0664
        user = postman
  notify: restart dovecot

- lineinfile:
    dest: /etc/dovecot/conf.d/10-mail.conf
    line: 'mail_location = maildir:/home/postman/%d/%n'
    regexp: '^mail_location = '
    state: present
  notify: restart dovecot

- lineinfile:
    dest: /etc/dovecot/conf.d/10-mail.conf
    line: 'mail_gid :  postman'
    state: present
  notify: restart dovecot

- lineinfile:
    dest: /etc/dovecot/conf.d/10-mail.conf
    line: 'mail_uid :  postman'
    state: present
  notify: restart dovecot

- lineinfile:
    dest: /etc/dovecot/conf.d/10-auth.conf
    line: "!include auth-system.conf.ext"
    state: absent
  notify: restart dovecot

- lineinfile:
    dest: /etc/dovecot/conf.d/10-auth.conf
    line: "!include auth-ldap.conf.ext"
    state: present
  notify: restart dovecot

- lineinfile:
    dest: /etc/dovecot/conf.d/10-auth.conf
    line: "auth_default_realm :  {{ domain }}"
  notify: restart dovecot

- lineinfile:
    dest: /etc/dovecot/conf.d/10-auth.conf
    line: "auth_mechanisms :  login plain"
  notify: restart dovecot

- name: enable ssl key
  blockinfile:
    dest: /etc/dovecot/conf.d/10-ssl.conf
    block: |
        ssl = yes
        ssl_cert = </etc/dovecot/dovecot.cert
        ssl_key = </etc/dovecot/private/dovecot.key

- name: generate the RSA key
  openssl_privatekey:
    path: "/etc/dovecot/private/dovecot.key"
    size: 2048
    state: present
    type: RSA
  notify: restart dovecot

- name: generate CSR
  openssl_csr:
    commonName: "{{ fqdn_domain }}"
    countryName: "IT"
    digest: sha256
    localityName: "TUSCANY"
    organizationName: "IT"
    path: "/etc/dovecot/private/dovecot.csr"
    privatekey_path: "/etc/dovecot/private/dovecot.key"
    state: present
    stateOrProvinceName: "ITALY"
  notify: restart dovecot

- name: check if dovecot cert key exist
  stat:
    path: /etc/dovecot/dovecot.cert
  register: dovecot_cert_key

- block:
    - name: get pub key
      slurp:
        src: "/etc/dovecot/private/dovecot.csr"
      register: pub_key

    - debug:
        var: pub_key
        verbosity: 2

    - name: generate host request
      set_fact:
        ca_request:
          type: 'sign_request'
          request:
            keyType: 'ssl_host'
            hostName: '{{ inventory_hostname }}.lilik.it'
            keyData: "{{ pub_key.content| b64decode}}"

    - debug:
        var: ca_request
        verbosity: 2

    - name: start sign request
      include: ca-dialog.yaml

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
        request_output: "{{ request_result.stdout|string|from_json }}"

    - debug:
        var: request_result

    - name: generate get request
      set_fact:
        ca_request:
          type: 'get_certificate'
          requestID: '{{ request_output.requestID }}'

    - debug:
        var: ca_request
        verbosity: 2

    - debug:
        msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

    - name: wait for cert
      include: ca-dialog.yaml

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
        cert_key: "{{ request_result.stdout|string|from_json }}"

    - debug:
        var: request_result
        verbosity: 2

    - name: set pub key
      copy:
        content: "{{ cert_key.result }}"
        dest: "/etc/dovecot/dovecot.cert"
      register: set_pub_key

  when: not dovecot_cert_key.stat.exists

- template:
    src: dovecot-ldap.conf.ext.j2
    dest: /etc/dovecot/dovecot-ldap.conf.ext
  notify: restart dovecot