--- - name: configure exim4-config debconf: name: 'exim4-config' question: '{{ item.key }}' vtype: 'string' value: '{{ item.value }}' with_dict: exim4/dc_smarthost: '{{ stmp_relay }}' exim4/dc_minimaldns: false exim4/dc_postmaster: exim4/dc_localdelivery: mbox format in /var/mail/ exim4/dc_readhost: exim4/dc_other_hostnames: '{{ ansible_hostname }}.lilik.it' exim4/dc_relay_nets: exim4/exim4-config-title: exim4/no_config: false exim4/mailname: '{{ ansible_hostname }}.lilik.it' exim4/use_split_config: false exim4/hide_mailname: false exim4/dc_relay_domains: notify: - update exim4 configuration - restart exim4 - name: configure exim4-config (sympa_transport) debconf: name: 'exim4-config' question: '{{ item.key }}' vtype: 'string' value: '{{ item.value }}' with_dict: exim4/dc_eximconfig_configtype: mail sent by smarthost; received via SMTP or fetchmail exim4/dc_local_interfaces: when: sympa_transport | bool notify: - update exim4 configuration - restart exim4 - name: configure exim4-config (smarthost) debconf: name: 'exim4-config' question: '{{ item.key }}' vtype: 'string' value: '{{ item.value }}' with_dict: exim4/dc_eximconfig_configtype: mail sent by smarthost; no local mail exim4/dc_local_interfaces: 127.0.0.1 ; ::1 when: not sympa_transport | bool notify: - update exim4 configuration - restart exim4 - block: - include_role: name: service # static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485 vars: service_name: exim4 service_packages: - exim4 - name: generate the RSA key # TODO: reenable openssl_privatekey when moving to ansible 2.3 # openssl_privatekey: # path: "/etc/exim4/exim.key" # size: 2048 # state: present # type: RSA shell: "openssl genrsa -out /etc/exim4/exim.key 2048" args: creates: /etc/exim4/exim.key notify: restart exim4 - name: generate CSR # TODO: reenable openssl_csr when moving to ansible 2.3 # openssl_csr: # commonName: "{{ fqdn_domain }}" # countryName: "IT" # digest: sha256 # localityName: "TUSCANY" # organizationName: "IT" # path: "/etc/exim4/exim.csr" # privatekey_path: "/etc/exim4/exim.key" # state: present # stateOrProvinceName: "ITALY" shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/exim4/exim.key -out /etc/exim4/exim.csr' args: creates: /etc/exim4/exim.csr notify: restart exim4 - name: lookup ssl ca key set_fact: ssl_ca_key: "{{ lookup('file', 'lilik_ca_w1.pub') }}" - name: Update ssl CA key copy: content: "{{ ssl_ca_key }}" dest: "/etc/exim4/ssl_ca.crt" - name: check if exim4 cert is valid command: 'openssl verify -CAfile /etc/exim4/ssl_ca.crt /etc/exim4/exim.crt' register: exim4_cert_is_valid changed_when: false failed_when: false - block: - name: generate host request cert_request: proto: 'ssl' host: '{{ inventory_hostname }}.lilik.it' path: "/etc/exim4/exim.csr" register: ca_request - name: start sign request include: ca-dialog.yaml - debug: var: request_result verbosity: 2 - set_fact: request_output: "{{ request_result.stdout|string|from_json }}" - debug: var: request_result - name: generate get request set_fact: ca_request: type: 'get_certificate' requestID: '{{ request_output.requestID }}' - debug: var: authorities_request verbosity: 2 - debug: msg: "Please manualy confirm sign request with id {{ request_output.requestID }}" - name: wait for cert include: ca-dialog.yaml - debug: var: request_result verbosity: 2 - set_fact: cert_key: "{{ request_result.stdout|string|from_json }}" - debug: var: request_result verbosity: 2 - name: set pub key copy: content: "{{ cert_key.result }}" dest: "/etc/exim4/exim.crt" register: set_pub_key when: 'exim4_cert_is_valid.rc != 0' - include_role: name: service vars: service_name: opendkim service_packages: - opendkim - opendkim-tools - name: create opendkim folder file: path: /etc/opendkim/ state: directory mode: 0750 owner: root group: Debian-exim - name: create opendkim key for lilik.it command: "opendkim-genkey -D /etc/opendkim/ -d {{ fqdn_domain }} -s {{ ansible_hostname }}" args: creates: '/etc/opendkim/{{ ansible_hostname }}.private' - name: check /etc/opendkim/{{ ansible_hostname }}.private permissions file: path: '/etc/opendkim/{{ ansible_hostname }}.private' owner: root group: Debian-exim mode: 0640 - name: exim4 macro for TLS, DKIM blockinfile: dest: /etc/exim4/exim4.conf.localmacros block: | MAIN_TLS_ENABLE = yes DKIM_CANON = relaxed DKIM_SELECTOR = {{ ansible_hostname}} DKIM_DOMAIN = {{ fqdn_domain }} DKIM_PRIVATE_KEY = /etc/opendkim/{{ ansible_hostname }}.private create: yes marker: "# {mark} ANSIBLE MANAGED BLOCK 1" notify: - update exim4 configuration - restart exim4 - block: - name: exim4 macro for sympa aliases blockinfile: dest: /etc/exim4/exim4.conf.localmacros block: | #-------------- # Activating pipe transport in system_aliases router (pipes in /etc/aliases) .ifndef SYSTEM_ALIASES_PIPE_TRANSPORT SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe .endif .ifndef SYSTEM_ALIASES_USER SYSTEM_ALIASES_USER = sympa .endif .ifndef SYSTEM_ALIASES_GROUP SYSTEM_ALIASES_GROUP = sympa .endif #-------------- create: yes marker: "# {mark} ANSIBLE MANAGED BLOCK 2" notify: - update exim4 configuration - restart exim4 - name: exim4 pipe for sympa aliases blockinfile: dest: /etc/exim4/exim4.conf.template block: | #-------------- # Using alias pipe definitions for the Sympa lists in /etc/mail/sympa/aliases sympa_aliases: debug_print = "R: system_aliases for $local_part@$domain" driver = redirect domains = +local_domains allow_fail allow_defer data = ${lookup{$local_part}lsearch{/etc/mail/sympa/aliases}} user = sympa group = sympa pipe_transport = address_pipe #-------------- insertbefore: 'system_aliases:' notify: - update-exim4.conf - restart exim4 when: sympa_transport | bool