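---
# Seed the exim4-config debconf answers that are common to both configtypes
# used by this role (smarthost-only vs. sympa transport); the configtype
# specific questions are answered by the next two tasks.
- name: configure exim4-config
  debconf:
    name: 'exim4-config'
    question: '{{ item.key }}'
    # every answer is pushed as a plain string, including the boolean
    # questions, so the booleans below are written as the lowercase string
    # 'false' (a YAML false would be templated as the Python repr "False")
    vtype: 'string'
    value: '{{ item.value }}'
  with_dict:
    # NOTE(review): the variable really is spelled `stmp_relay`; renaming it
    # to smtp_relay would break whoever sets it in inventory/vars
    exim4/dc_smarthost: '{{ stmp_relay }}'
    exim4/dc_minimaldns: 'false'
    # explicit empty strings instead of bare keys: a bare key is YAML null
    # and the answer then depends on how the templater renders None
    exim4/dc_postmaster: ''
    exim4/dc_localdelivery: 'mbox format in /var/mail/'
    exim4/dc_readhost: ''
    exim4/dc_other_hostnames: '{{ ansible_hostname }}.lilik.it'
    # no relay networks and no relay domains are configured, so this host
    # should not accept mail for relaying — confirm against the
    # exim4-config defaults on the target release
    exim4/dc_relay_nets: ''
    exim4/exim4-config-title: ''
    exim4/no_config: 'false'
    exim4/mailname: '{{ ansible_hostname }}.lilik.it'
    exim4/use_split_config: 'false'
    exim4/hide_mailname: 'false'
    exim4/dc_relay_domains: ''
  notify:
    - update exim4 configuration
    - restart exim4
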
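# configtype for a host that also carries the Sympa list transport: mail still
# goes out through the smarthost, but the host has to receive mail, so no
# listening-interface restriction is given here (the mutually exclusive
# smarthost-only variant below pins exim to loopback)
- name: configure exim4-config (sympa_transport)
  debconf:
    name: 'exim4-config'
    question: '{{ item.key }}'
    vtype: 'string'
    value: '{{ item.value }}'
  with_dict:
    exim4/dc_eximconfig_configtype: 'mail sent by smarthost; received via SMTP or fetchmail'
    # explicit empty string instead of a bare key: a bare key is YAML null
    # and the answer then depends on how the templater renders None
    exim4/dc_local_interfaces: ''
  when: sympa_transport | bool
  notify:
    - update exim4 configuration
    - restart exim4
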
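# configtype for a plain satellite host: outgoing mail only, and exim listens
# on loopback (IPv4 and IPv6) so nothing outside the host can reach it
- name: configure exim4-config (smarthost)
  debconf:
    name: 'exim4-config'
    question: '{{ item.key }}'
    vtype: 'string'
    value: '{{ item.value }}'
  with_dict:
    exim4/dc_eximconfig_configtype: 'mail sent by smarthost; no local mail'
    # quoted: the value carries ` ; ` and must reach debconf verbatim
    exim4/dc_local_interfaces: '127.0.0.1 ; ::1'
  # the filter binds tighter than `not`, i.e. not (sympa_transport | bool)
  when: not sympa_transport | bool
  notify:
    - update exim4 configuration
    - restart exim4
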
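# install and enable exim4 through the shared `service` role. The original
# wrapped this single task in a `block:` with no when/rescue, which added
# nothing; it is now written like the opendkim include further down.
- include_role:
    name: service
  # static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
  vars:
    service_name: exim4
    service_packages:
      - exim4
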
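# private key for exim's TLS listener. `creates` keeps the task idempotent,
# so an existing key is never overwritten (and never rotated by this role).
- name: generate the RSA key
  # TODO: reenable openssl_privatekey when moving to ansible 2.3
  # openssl_privatekey:
  #   path: "/etc/exim4/exim.key"
  #   size: 2048
  #   state: present
  #   type: RSA
  # `command` rather than `shell`: the line uses no shell syntax, so there is
  # no reason to hand it to a shell
  command: 'openssl genrsa -out /etc/exim4/exim.key 2048'
  args:
    creates: /etc/exim4/exim.key
  notify: restart exim4

# the key has to be readable by the exim daemon and by nobody else; use the
# same ownership/mode this role applies to the DKIM private key below
# (root:Debian-exim, 0640) instead of whatever umask openssl ran under
- name: check /etc/exim4/exim.key permissions
  file:
    path: /etc/exim4/exim.key
    owner: root
    group: Debian-exim
    mode: '0640'
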
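# certificate signing request for the key above; the block further down sends
# it to the internal CA. `creates` means an existing CSR is reused as is.
- name: generate CSR
  # TODO: reenable openssl_csr when moving to ansible 2.3
  # openssl_csr:
  #   commonName: "{{ fqdn_domain }}"
  #   countryName: "IT"
  #   digest: sha256
  #   localityName: "TUSCANY"
  #   organizationName: "IT"
  #   path: "/etc/exim4/exim.csr"
  #   privatekey_path: "/etc/exim4/exim.key"
  #   state: present
  #   stateOrProvinceName: "ITALY"
  # `command`, not `shell`: fqdn_domain is interpolated into the -subj
  # argument, and with the command module the line is shlex-split and passed
  # to openssl as arguments instead of being interpreted by a shell
  command: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/exim4/exim.key -out /etc/exim4/exim.csr'
  args:
    creates: /etc/exim4/exim.csr
  notify: restart exim4
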
# Read the CA certificate shipped with the role into a fact (the file lookup
# runs on the control host); the next task writes it out on the target.
# NOTE(review): the source file is named .pub but is later used as a CA
# certificate bundle for `openssl verify` — it is expected to be PEM.
- name: lookup ssl ca key
  set_fact:
    ssl_ca_key: "{{ lookup('file', 'lilik_ca_w1.pub') }}"

# Write the CA certificate read above to the path that the validity check and
# exim use; it is public material, so no special ownership/mode is applied.
- name: Update ssl CA key
  copy:
    dest: '/etc/exim4/ssl_ca.crt'
    content: '{{ ssl_ca_key }}'

# Probe whether the certificate on disk chains to the internal CA. Only the
# return code is of interest: it drives the signing block below, so the task
# is never reported as changed or failed (rc != 0 when the cert is missing
# on a fresh host, or when openssl no longer accepts it).
- name: check if exim4 cert is valid
  command: 'openssl verify -CAfile /etc/exim4/ssl_ca.crt /etc/exim4/exim.crt'
  changed_when: false
  failed_when: false
  register: exim4_cert_is_valid

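# Obtain a certificate from the internal CA whenever the one on disk does not
# verify against ssl_ca.crt. The exchange is a two-step dialog through
# ca-dialog.yaml: submit the CSR, then fetch the signed certificate once the
# request has been approved by hand.
- block:
    # despite the task name this slurps the CSR, not a bare public key; the
    # private key is never read and never leaves the host
    - name: get pub key
      slurp:
        src: "/etc/exim4/exim.csr"
      register: pub_key

    - debug:
        var: pub_key
        verbosity: 2

    # NOTE(review): the CSR subject uses fqdn_domain as CN, while the request
    # names the host as inventory_hostname.lilik.it — confirm the CA accepts
    # that pairing
    - name: generate host request
      set_fact:
        ca_request:
          type: 'sign_request'
          request:
            keyType: 'ssl_host'
            hostName: '{{ inventory_hostname }}.lilik.it'
            keyData: "{{ pub_key.content| b64decode}}"

    # dump the fact just built; the original printed `authorities_request`,
    # which nothing in this file sets
    - debug:
        var: ca_request
        verbosity: 2

    - name: start sign request
      include: ca-dialog.yaml

    - debug:
        var: request_result
        verbosity: 2

    # the CA answers with a JSON document on stdout
    - set_fact:
        request_output: "{{ request_result.stdout|string|from_json }}"

    # verbosity added: every other request_result dump in this block is
    # hidden below -vv, this one printed the raw CA reply unconditionally
    - debug:
        var: request_result
        verbosity: 2

    - name: generate get request
      set_fact:
        ca_request:
          type: 'get_certificate'
          requestID: '{{ request_output.requestID }}'

    - debug:
        var: ca_request
        verbosity: 2

    - debug:
        msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

    # presumably ca-dialog.yaml does not return until the request has been
    # approved and the certificate released — confirm against that file
    - name: wait for cert
      include: ca-dialog.yaml

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
        cert_key: "{{ request_result.stdout|string|from_json }}"

    - debug:
        var: request_result
        verbosity: 2

    # only the signed certificate is written; it is public material
    - name: set pub key
      copy:
        content: "{{ cert_key.result }}"
        dest: "/etc/exim4/exim.crt"
      register: set_pub_key
  when: 'exim4_cert_is_valid.rc != 0'
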
# Install and enable opendkim (plus the tools package, which provides
# opendkim-genkey used below) through the shared `service` role.
- include_role:
    name: service
  vars:
    service_name: opendkim
    service_packages:
      - opendkim
      - opendkim-tools

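# directory holding the DKIM signing key; exim (group Debian-exim) only needs
# to traverse it to reach the key file
- name: create opendkim folder
  file:
    path: /etc/opendkim/
    state: directory
    owner: root
    group: Debian-exim
    # quoted so the leading-zero octal cannot be reinterpreted by the YAML
    # parser; the original relied on YAML 1.1 octal handling
    mode: '0750'
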
# Generate the DKIM key pair with the host name as selector; this matches the
# DKIM_SELECTOR / DKIM_PRIVATE_KEY macros written further down. `creates`
# keeps an existing key untouched. (The task name says lilik.it, but the
# signing domain actually used is fqdn_domain.)
- name: create opendkim key for lilik.it
  command: 'opendkim-genkey -D /etc/opendkim/ -d {{ fqdn_domain }} -s {{ ansible_hostname }}'
  args:
    creates: "/etc/opendkim/{{ ansible_hostname }}.private"

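# enforce ownership/mode of the DKIM private key on every run (no `creates`
# guard): root owns it, the exim daemon's group may read it, nobody else
- name: check /etc/opendkim/{{ ansible_hostname }}.private permissions
  file:
    path: '/etc/opendkim/{{ ansible_hostname }}.private'
    owner: root
    group: Debian-exim
    # quoted so the leading-zero octal cannot be reinterpreted by the YAML
    # parser; the original relied on YAML 1.1 octal handling
    mode: '0640'
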
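# exim4 local macros: switch TLS on and sign outgoing mail with the DKIM key
# generated above. No certificate/key path is given for TLS, so this relies
# on Debian's exim4 configuration defaulting to /etc/exim4/exim.crt and
# exim.key (the files this role produces) — confirm for the installed
# template version.
- name: exim4 macro for TLS, DKIM
  blockinfile:
    dest: /etc/exim4/exim4.conf.localmacros
    # exim configuration text, not YAML: the `yes` here is exim's own boolean
    block: |
      MAIN_TLS_ENABLE = yes

      DKIM_CANON = relaxed
      DKIM_SELECTOR = {{ ansible_hostname}}
      DKIM_DOMAIN = {{ fqdn_domain }}
      DKIM_PRIVATE_KEY = /etc/opendkim/{{ ansible_hostname }}.private
    # real YAML boolean; the original `yes` relied on YAML 1.1 truthiness
    create: true
    # distinct marker so this block and the sympa one below can coexist in
    # the same file
    marker: "# {mark} ANSIBLE MANAGED BLOCK 1"
  notify:
    - update exim4 configuration
    - restart exim4
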
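# Sympa list transport, only when sympa_transport is set: let the
# system_aliases router run pipes from /etc/aliases through address_pipe as
# the sympa user/group, and add a dedicated router for the alias file that
# Sympa maintains.
- block:
    - name: exim4 macro for sympa aliases
      blockinfile:
        dest: /etc/exim4/exim4.conf.localmacros
        # exim configuration text; .ifndef keeps a locally set value intact
        block: |

          #--------------
          # Activating pipe transport in system_aliases router (pipes in /etc/aliases)
          .ifndef SYSTEM_ALIASES_PIPE_TRANSPORT
          SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe
          .endif
          .ifndef SYSTEM_ALIASES_USER
          SYSTEM_ALIASES_USER = sympa
          .endif
          .ifndef SYSTEM_ALIASES_GROUP
          SYSTEM_ALIASES_GROUP = sympa
          .endif
          #--------------
        # real YAML boolean; the original `yes` relied on YAML 1.1 truthiness
        create: true
        # distinct from the TLS/DKIM block's marker in the same file
        marker: "# {mark} ANSIBLE MANAGED BLOCK 2"
      notify:
        - update exim4 configuration
        - restart exim4

    # router placed in front of system_aliases so list addresses are resolved
    # from Sympa's alias file first; the pipes it yields run as sympa:sympa
    - name: exim4 pipe for sympa aliases
      blockinfile:
        dest: /etc/exim4/exim4.conf.template
        block: |
          #--------------
          # Using alias pipe definitions for the Sympa lists in /etc/mail/sympa/aliases
          sympa_aliases:
            debug_print = "R: system_aliases for $local_part@$domain"
            driver = redirect
            domains = +local_domains
            allow_fail
            allow_defer
            data = ${lookup{$local_part}lsearch{/etc/mail/sympa/aliases}}
            user = sympa
            group = sympa
            pipe_transport = address_pipe
          #--------------
        insertbefore: 'system_aliases:'
      notify:
        # the original notified `update-exim4.conf`, a handler name no other
        # task in this file uses; every other exim4 change here notifies
        # `update exim4 configuration`
        - update exim4 configuration
        - restart exim4
  when: sympa_transport | bool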