Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

209 lines
5.7 KiB

- include_role:
name: service
# static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
vars:
service_name: dovecot
service_packages:
- dovecot-ldap
- dovecot-imapd
- rsyslog
- lineinfile: dest=/etc/postfix/main.cf line="virtual_transport = dovecot" state=present
notify: restart postfix
- blockinfile:
dest: /etc/postfix/master.cf
block: |
dovecot unix - n n - - pipe
flags=DRhu user=postman:postman argv=/usr/lib/dovecot/deliver -d ${recipient} -f ${sender}
notify: restart postfix
- name: create postman group
group:
name: postman
state: present
- name: create postman user
user:
name: postman
state: present
shell: /dev/null
- name: edit dovecot configuration
lineinfile:
dest: /etc/dovecot/conf.d/10-master.conf
line: ' port = 143'
insertafter: 'inet_listener imap {'
state: present
notify: restart dovecot
- blockinfile:
dest: /etc/dovecot/conf.d/10-master.conf
insertafter: 'inet_listener imaps {'
marker: '#{mark} ANSIBLE BLOCK FOR IMAPS PORT'
block: |
port = 993
ssl = yes
notify: restart dovecot
- blockinfile:
dest: "/etc/dovecot/conf.d/10-master.conf"
insertafter: "unix_listener auth-userdb {"
marker: '#{mark} ANSIBLE BLOCK FOR AUTH USER'
block: |
group = postman
mode = 0664
user = postman
notify: restart dovecot
- lineinfile:
dest: /etc/dovecot/conf.d/10-mail.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
with_items:
- { regexp: '^mail_location = ', line: 'mail_location = maildir:/home/postman/%d/%n' }
- { regexp: 'mail_gid = ', line: 'mail_gid = postman' }
- { regexp: 'mail_uid = ', line: 'mail_uid = postman' }
notify: restart dovecot
- lineinfile:
dest: /etc/dovecot/conf.d/10-auth.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: "{{ item.state }}"
with_items:
- { regexp: None, line: 'mail_location = maildir:/home/postman/%d/%n', state: 'absent'}
- { regexp: None, line: '!include auth-ldap.conf.ext', state: 'present'}
- { regexp: 'auth_default_realm =', line: 'auth_default_realm = {{ domain }}', state: 'present'}
- { regexp: 'auth_mechanisms =', line: 'auth_mechanisms = login plain', state: 'present'}
- { regexp: None, line: '!include auth-ldap.conf.ext', state: 'present'}
notify: restart dovecot
- name: enable ssl key
blockinfile:
dest: /etc/dovecot/conf.d/10-ssl.conf
block: |
ssl = yes
ssl_cert = </etc/dovecot/dovecot.cert
ssl_key = </etc/dovecot/private/dovecot.key
- name: generate the RSA key
# TODO: reenable openssl_privatekey when moving to ansible 2.3
# openssl_privatekey:
# path: "/etc/dovecot/private/dovecot.key"
# size: 2048
# state: present
# type: RSA
shell: "openssl genrsa -out /etc/dovecot/private/dovecot.key 2048"
args:
creates: /etc/dovecot/private/dovecot.key
notify: restart dovecot
- name: generate CSR
# TODO: reenable openssl_csr when moving to ansible 2.3
# openssl_csr:
# commonName: "{{ fqdn_domain }}"
# countryName: "IT"
# digest: sha256
# localityName: "TUSCANY"
# organizationName: "IT"
# path: "/etc/dovecot/private/dovecot.csr"
# privatekey_path: "/etc/dovecot/private/dovecot.key"
# state: present
# stateOrProvinceName: "ITALY"
shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/dovecot/private/dovecot.key -out /etc/dovecot/private/dovecot.csr'
args:
creates: /etc/dovecot/private/dovecot.csr
notify: restart dovecot
- name: lookup ssl ca key
set_fact:
ssl_ca_key: "{{ lookup('file', 'test_ssl_ca.crt') }}"
- name: Update ssl CA key
copy:
content: "{{ ssl_ca_key }}"
dest: "/etc/dovecot/ssl_ca.crt"
- name: check if dovecot cert is valid
command: 'openssl verify -CAfile /etc/dovecot/ssl_ca.crt /etc/dovecot/dovecot.cert'
register: dovecot_cert_is_valid
changed_when: false
failed_when: false
- block:
- name: get pub key
slurp:
src: "/etc/dovecot/private/dovecot.csr"
register: pub_key
- debug:
var: pub_key
verbosity: 2
- name: generate host request
set_fact:
ca_request:
type: 'sign_request'
request:
keyType: 'ssl_host'
hostName: '{{ inventory_hostname }}.lilik.it'
keyData: "{{ pub_key.content| b64decode}}"
- debug:
var: ca_request
verbosity: 2
- name: start sign request
include: ca-dialog.yaml
- debug:
var: request_result
verbosity: 2
- set_fact:
request_output: "{{ request_result.stdout|string|from_json }}"
- debug:
var: request_result
- name: generate get request
set_fact:
ca_request:
type: 'get_certificate'
requestID: '{{ request_output.requestID }}'
- debug:
var: ca_request
verbosity: 2
- debug:
msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
- name: wait for cert
include: ca-dialog.yaml
- debug:
var: request_result
verbosity: 2
- set_fact:
cert_key: "{{ request_result.stdout|string|from_json }}"
- debug:
var: request_result
verbosity: 2
- name: set pub key
copy:
content: "{{ cert_key.result }}"
dest: "/etc/dovecot/dovecot.cert"
register: set_pub_key
when: 'dovecot_cert_is_valid.rc != 0'
- template:
src: dovecot-ldap.conf.ext.j2
dest: /etc/dovecot/dovecot-ldap.conf.ext
notify: restart dovecot