
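# Seed the exim4-config debconf answers shared by both transport modes.
# Every answer is pushed with vtype 'string', so booleans and empty values
# are quoted: the rendered value is then exactly 'false' / '' instead of
# Python's 'False' / 'None' (which is what an unquoted bool/null becomes
# once it passes through '{{ item.value }}').
- name: configure exim4-config
  debconf:
    name: 'exim4-config'
    question: '{{ item.key }}'
    vtype: 'string'
    value: '{{ item.value }}'
  with_dict:
    # NOTE(review): the variable is spelled `stmp_relay` (not smtp); it must
    # match the inventory definition, so it is not renamed here.
    exim4/dc_smarthost: '{{ stmp_relay }}'
    exim4/dc_minimaldns: 'false'
    exim4/dc_postmaster: ''
    exim4/dc_localdelivery: 'mbox format in /var/mail/'
    exim4/dc_readhost: ''
    exim4/dc_other_hostnames: '{{ ansible_hostname }}.lilik.it'
    # Left empty on purpose: exim relays for no extra networks or domains.
    exim4/dc_relay_nets: ''
    exim4/exim4-config-title: ''
    exim4/no_config: 'false'
    exim4/mailname: '{{ ansible_hostname }}.lilik.it'
    exim4/use_split_config: 'false'
    exim4/hide_mailname: 'false'
    exim4/dc_relay_domains: ''
  notify:
    - update exim4 configuration
    - restart exim4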
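# Sympa transport mode: exim has to receive list mail over SMTP, so
# dc_local_interfaces is deliberately empty (Debian's exim4-config treats an
# empty value as "listen on all interfaces"). Relaying stays restricted by
# the dc_relay_nets / dc_relay_domains answers given in the shared task.
- name: configure exim4-config (sympa_transport)
  debconf:
    name: 'exim4-config'
    question: '{{ item.key }}'
    vtype: 'string'
    value: '{{ item.value }}'
  with_dict:
    exim4/dc_eximconfig_configtype: 'mail sent by smarthost; received via SMTP or fetchmail'
    # Quoted so the empty answer renders as '' rather than 'None'.
    exim4/dc_local_interfaces: ''
  when: sympa_transport | bool
  notify:
    - update exim4 configuration
    - restart exim4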
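# Plain smarthost mode: outbound only, and exim binds to loopback only so
# nothing on the network can reach it.
- name: configure exim4-config (smarthost)
  debconf:
    name: 'exim4-config'
    question: '{{ item.key }}'
    vtype: 'string'
    value: '{{ item.value }}'
  with_dict:
    exim4/dc_eximconfig_configtype: 'mail sent by smarthost; no local mail'
    # Quoted: the value contains ':' characters that YAML could otherwise
    # misread as a mapping.
    exim4/dc_local_interfaces: '127.0.0.1 ; ::1'
  # `not` applies to the filtered value: not (sympa_transport | bool).
  when: not sympa_transport | bool
  notify:
    - update exim4 configuration
    - restart exim4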
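# Install exim4, provision its TLS key and CA-signed certificate, and set up
# the OpenDKIM signing key.
# NOTE(review): the nesting below was reconstructed from a whitespace-stripped
# listing; the block is assumed to close after the TLS/DKIM macro task.
- block:
    - include_role:
        name: service
      # static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
      vars:
        service_name: exim4
        service_packages:
          - exim4

    - name: generate the RSA key
      # TODO: reenable openssl_privatekey when moving to ansible 2.3
      # openssl_privatekey:
      #   path: "/etc/exim4/exim.key"
      #   size: 2048
      #   state: present
      #   type: RSA
      # `command` rather than `shell`: no shell features are used, so the
      # argv goes straight to openssl without passing through /bin/sh.
      command: openssl genrsa -out /etc/exim4/exim.key 2048
      args:
        creates: /etc/exim4/exim.key
      notify: restart exim4

    # The key is written once with whatever mode openssl and the umask gave
    # it; pin it so it is never world-readable but stays readable by the
    # Debian-exim group (exim reads the key as that user after dropping
    # privileges). Same ownership scheme as the DKIM key below.
    - name: check /etc/exim4/exim.key permissions
      file:
        path: /etc/exim4/exim.key
        owner: root
        group: Debian-exim
        mode: '0640'

    - name: generate CSR
      # TODO: reenable openssl_csr when moving to ansible 2.3
      # openssl_csr:
      #   commonName: "{{ fqdn_domain }}"
      #   countryName: "IT"
      #   digest: sha256
      #   localityName: "TUSCANY"
      #   organizationName: "IT"
      #   path: "/etc/exim4/exim.csr"
      #   privatekey_path: "/etc/exim4/exim.key"
      #   state: present
      #   stateOrProvinceName: "ITALY"
      # The quoted -subj stays a single argv element: the command module
      # splits the templated string with shlex, not with a shell.
      command: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/exim4/exim.key -out /etc/exim4/exim.csr'
      args:
        creates: /etc/exim4/exim.csr
      notify: restart exim4

    # Despite the .pub name, this file is used as the CA *certificate* for
    # `openssl verify -CAfile` below, so it must contain a PEM certificate.
    - name: lookup ssl ca key
      set_fact:
        ssl_ca_key: "{{ lookup('file', 'lilik_ca_w1.pub') }}"

    - name: Update ssl CA key
      copy:
        content: "{{ ssl_ca_key }}"
        dest: "/etc/exim4/ssl_ca.crt"

    # rc is 0 only when exim.crt exists, chains to ssl_ca.crt and is within
    # its validity dates; a missing, expired or foreign-CA cert gives rc != 0
    # and triggers the signing block below. failed_when/changed_when are
    # disabled because this is purely a probe.
    - name: check if exim4 cert is valid
      command: 'openssl verify -CAfile /etc/exim4/ssl_ca.crt /etc/exim4/exim.crt'
      register: exim4_cert_is_valid
      changed_when: false
      failed_when: false

    # Two-step dialog with the CA: submit the CSR, then fetch the signed
    # certificate once an operator has confirmed the request.
    - block:
        # `pub_key` actually holds the CSR (exim.csr), not a bare public key.
        - name: get pub key
          slurp:
            src: "/etc/exim4/exim.csr"
          register: pub_key

        - debug:
            var: pub_key
            verbosity: 2

        - name: generate host request
          set_fact:
            ca_request:
              type: 'sign_request'
              request:
                keyType: 'ssl_host'
                hostName: '{{ inventory_hostname }}.lilik.it'
                keyData: "{{ pub_key.content| b64decode}}"

        # NOTE(review): `authorities_request` is not set anywhere in this
        # file; unless ca-dialog.yaml defines it, this prints
        # "VARIABLE IS NOT DEFINED!" at -vv. `ca_request` may be what was
        # meant — confirm before changing.
        - debug:
            var: authorities_request
            verbosity: 2

        # ca-dialog.yaml is expected to consume `ca_request` and register
        # `request_result`, whose stdout is a JSON document.
        - name: start sign request
          include: ca-dialog.yaml

        - debug:
            var: request_result
            verbosity: 2

        - set_fact:
            request_output: "{{ request_result.stdout|string|from_json }}"

        # verbosity aligned with the other request_result dumps in this
        # block, so the raw CA reply is not printed on every normal run.
        - debug:
            var: request_result
            verbosity: 2

        - name: generate get request
          set_fact:
            ca_request:
              type: 'get_certificate'
              requestID: '{{ request_output.requestID }}'

        - debug:
            var: authorities_request
            verbosity: 2

        - debug:
            msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

        - name: wait for cert
          include: ca-dialog.yaml

        - debug:
            var: request_result
            verbosity: 2

        - set_fact:
            cert_key: "{{ request_result.stdout|string|from_json }}"

        - debug:
            var: request_result
            verbosity: 2

        # Certificate only (public), so no restrictive mode is needed.
        - name: set pub key
          copy:
            content: "{{ cert_key.result }}"
            dest: "/etc/exim4/exim.crt"
          register: set_pub_key
      when: 'exim4_cert_is_valid.rc != 0'

    - include_role:
        name: service
      vars:
        service_name: opendkim
        service_packages:
          - opendkim
          - opendkim-tools

    # Modes are quoted strings so YAML cannot reinterpret the octal literal.
    # Group Debian-exim: exim itself signs with the key referenced by
    # DKIM_PRIVATE_KEY below, so it needs read access to this directory.
    - name: create opendkim folder
      file:
        path: /etc/opendkim/
        state: directory
        mode: '0750'
        owner: root
        group: Debian-exim

    # opendkim-genkey writes <selector>.private (the signing key) and, as
    # documented for the tool, a <selector>.txt with the DNS TXT record that
    # has to be published for signatures to validate.
    - name: create opendkim key for lilik.it
      command: "opendkim-genkey -D /etc/opendkim/ -d {{ fqdn_domain }} -s {{ ansible_hostname }}"
      args:
        creates: '/etc/opendkim/{{ ansible_hostname }}.private'

    - name: check /etc/opendkim/{{ ansible_hostname }}.private permissions
      file:
        path: '/etc/opendkim/{{ ansible_hostname }}.private'
        owner: root
        group: Debian-exim
        mode: '0640'

    # MAIN_TLS_ENABLE makes Debian's exim4 template load its default
    # CONFDIR/exim.crt and CONFDIR/exim.key — the paths provisioned above.
    # Marker "BLOCK 1" keeps this block separate from other managed blocks
    # in the same localmacros file.
    - name: exim4 macro for TLS, DKIM
      blockinfile:
        dest: /etc/exim4/exim4.conf.localmacros
        block: |
          MAIN_TLS_ENABLE = yes
          DKIM_CANON = relaxed
          DKIM_SELECTOR = {{ ansible_hostname}}
          DKIM_DOMAIN = {{ fqdn_domain }}
          DKIM_PRIVATE_KEY = /etc/opendkim/{{ ansible_hostname }}.private
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK 1"
      notify:
        - update exim4 configuration
        - restart exim4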
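# Sympa list delivery: aliases in /etc/mail/sympa/aliases are expanded by a
# dedicated redirect router that pipes into Sympa as user/group sympa.
# NOTE(review): the nesting below was reconstructed from a whitespace-stripped
# listing.
- block:
    # Enables the pipe transport in the stock system_aliases router, so pipe
    # entries in /etc/aliases also run as sympa:sympa — whoever can edit
    # /etc/aliases can therefore run commands as that user.
    # Marker "BLOCK 2" keeps this distinct from the TLS/DKIM macro block
    # ("BLOCK 1") managed in the same file.
    - name: exim4 macro for sympa aliases
      blockinfile:
        dest: /etc/exim4/exim4.conf.localmacros
        block: |
          #--------------
          # Activating pipe transport in system_aliases router (pipes in /etc/aliases)
          .ifndef SYSTEM_ALIASES_PIPE_TRANSPORT
          SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe
          .endif
          .ifndef SYSTEM_ALIASES_USER
          SYSTEM_ALIASES_USER = sympa
          .endif
          .ifndef SYSTEM_ALIASES_GROUP
          SYSTEM_ALIASES_GROUP = sympa
          .endif
          #--------------
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK 2"
      notify:
        - update exim4 configuration
        - restart exim4

    # Router inserted ahead of system_aliases. Only +local_domains match,
    # and the pipe commands come from /etc/mail/sympa/aliases executed as
    # sympa:sympa, so write access to that file is what grants command
    # execution as the sympa user.
    - name: exim4 pipe for sympa aliases
      blockinfile:
        dest: /etc/exim4/exim4.conf.template
        block: |
          #--------------
          # Using alias pipe definitions for the Sympa lists in /etc/mail/sympa/aliases
          sympa_aliases:
          debug_print = "R: system_aliases for $local_part@$domain"
          driver = redirect
          domains = +local_domains
          allow_fail
          allow_defer
          data = ${lookup{$local_part}lsearch{/etc/mail/sympa/aliases}}
          user = sympa
          group = sympa
          pipe_transport = address_pipe
          #--------------
        insertbefore: 'system_aliases:'
      notify:
        # Handler name aligned with every other notification in this file
        # (was `update-exim4.conf`, a name no other task here references).
        - update exim4 configuration
        - restart exim4
  when: sympa_transport | bool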