Location: majic-ansible-roles/roles/mail_server/playbook.yml - annotation

branko
MAR-28: Implemented scaffolding for testing the mail_server role:

- Added Molecule configuration.
- Added test playbook.
- Restart Postfix for truststore changes.
- Added test data (private keys and certificates).
- Fixed small documentation inaccuracy.
0004ec73b902
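---

# Test playbook for the mail_server role (Molecule scaffolding). The host
# patterns used below (all, client, ldap-server, parameters-mandatory,
# parameters-optional) are presumably defined in the Molecule inventory --
# TODO confirm.

- hosts: all
  tasks:

    # Refresh the APT index on every host first so that package installs in
    # later plays do not fail on a stale or missing remote archive.
    - name: Update all caches to avoid errors due to missing remote archives
      apt:
        # Canonical lowercase boolean: "yes" is a YAML 1.1 truthy alias that
        # YAML 1.2 parsers and yamllint's truthy rule reject.
        update_cache: true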

# Seed /etc/hosts on every test host so the plays below can reach each other
# by name (the mail_server role is pointed at ldap://ldap-server/).
# NOTE(review): lineinfile is used without a regexp, so a changed address for
# an existing name would be appended as a second line rather than replace the
# old one; acceptable for a throw-away test VM, but keep the mapping in sync
# with the Molecule network definition -- TODO confirm the 10.31.127.0/24
# addresses match it.
- hosts: all
  tasks:

    - name: Set-up /etc/hosts entries
      lineinfile:
        dest: /etc/hosts
        # One "<address> <name>" line per dictionary entry.
        line: "{{ item.value }} {{ item.key }}"
      with_dict:
        ldap-server: 10.31.127.10
        client1: 10.31.127.20
        client2: 10.31.127.21
        parameters-mandatory: 10.31.127.30
        parameters-optional: 10.31.127.31

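# Install the SMTP test client on the client hosts (presumably the "client"
# inventory group covering client1/client2 from the /etc/hosts play -- TODO
# confirm).
- hosts: client
  tasks:

    - name: Install SWAKS for testing SMTP capability
      apt:
        # The Debian package providing the swaks SMTP tester is named "swaks";
        # the previous value "swak" does not match any package, so apt would
        # fail before any SMTP test could run.
        name: swaks
        # "installed" is only a legacy alias of "present" in the apt module.
        state: present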

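# Stand up the LDAP directory that the mail_server role under test binds to.
# Everything in here is throw-away test data: the admin password, user
# passwords, consumer bind passwords and the CA/certificate files under
# tests/data/x509 are fixtures for the Molecule run (see the commit message),
# and the mail_server plays below must use the same consumer passwords.
- hosts: ldap-server
  roles:
    - role: ldap_server
      ldap_admin_password: admin
      ldap_entries:

        # Users
        - dn: uid=john,ou=people,dc=local
          attributes:
            objectClass:
              - inetOrgPerson
              - simpleSecurityObject
            userPassword: johnpassword
            uid: john
            cn: John Doe
            sn: Doe
            mail: john.doe@domain1
        - dn: uid=jane,ou=people,dc=local
          attributes:
            objectClass:
              - inetOrgPerson
              - simpleSecurityObject
            userPassword: janepassword
            uid: jane
            cn: Jane Doe
            sn: Doe
            mail: jane.doe@domain2

        # Groups
        # The "mail" group itself is created via ldap_server_groups below;
        # "state: append" presumably only adds members to that existing entry
        # -- confirm against the ldap_server role.
        - dn: "cn=mail,ou=groups,dc=local"
          state: append
          attributes:
            uniqueMember:
              - uid=john,ou=people,dc=local
              - uid=jane,ou=people,dc=local

        # Domains
        - dn: dc=domain1,ou=domains,ou=mail,ou=services,dc=local
          attributes:
            objectClass: dNSDomain
            dc: domain1

        - dn: dc=domain2,ou=domains,ou=mail,ou=services,dc=local
          attributes:
            objectClass: dNSDomain
            dc: domain2

        # Aliases
        - dn: cn=postmaster@domain1,ou=aliases,ou=mail,ou=services,dc=local
          attributes:
            objectClass: nisMailAlias
            cn: postmaster@domain1
            rfc822MailMember: john.doe@domain1

        - dn: cn=webmaster@domain2,ou=aliases,ou=mail,ou=services,dc=local
          attributes:
            objectClass: nisMailAlias
            cn: webmaster@domain2
            rfc822MailMember: jane.doe@domain2

      # Bind accounts consumed by the mail_server role. The passwords here
      # must match mail_ldap_postfix_password / mail_ldap_dovecot_password in
      # the parameters-mandatory and parameters-optional plays; the dovecot
      # value previously read "dovecotpoassword", which would have made the
      # Dovecot LDAP bind fail against this directory.
      ldap_server_consumers:
        - name: postfix
          password: postfixpassword
        - name: dovecot
          password: dovecotpassword
          state: present

      ldap_server_domain: "local"
      ldap_server_groups:
        - name: mail
      ldap_server_organization: "Example"
      ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/ldap-server_ldap.cert.pem') }}"
      ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/ldap-server_ldap.key.pem') }}"

      # common
      # Test CA; the ldap_client TLS_CACERT option below points at the path
      # this is presumably deployed to -- confirm the file name the common role
      # derives from the "testca" key.
      ca_certificates:
        testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"

      # ldap_client
      ldap_client_config:
        - comment: CA truststore
          option: TLS_CACERT
          value: /etc/ssl/certs/testca.cert.pem
        - comment: Ensure TLS is enforced
          option: TLS_REQCERT
          value: demand
        - comment: Base DN
          option: BASE
          value: dc=local
        - comment: URI
          option: URI
          value: ldapi:///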

# Exercise the mail_server role with only its mandatory parameters set; every
# other role variable is left at its default.
- hosts: parameters-mandatory
  roles:
    - role: mail_server

      # Common parameters (general, not role): where the role looks for the
      # host's TLS material.
      tls_certificate_dir: 'tests/data/x509/'
      tls_private_key_dir: 'tests/data/x509/'

      # Directory the role binds to; the bind passwords have to match the
      # ldap_server_consumers entries of the ldap-server play.
      mail_ldap_url: 'ldap://ldap-server/'
      mail_ldap_base_dn: 'dc=local'
      mail_ldap_dovecot_password: 'dovecotpassword'
      mail_ldap_postfix_password: 'postfixpassword'

# Exercise the mail_server role with every optional parameter overridden, so
# that the test suite can check each one is honoured.
- hosts: parameters-optional
  roles:
    - role: mail_server
      mail_ldap_base_dn: dc=local
      mail_ldap_url: ldap://ldap-server/
      # Explicit truststore for the LDAP connection: the same test CA that
      # signed the ldap-server certificate.
      mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
      # Must match the ldap_server_consumers passwords in the ldap-server play.
      mail_ldap_postfix_password: postfixpassword
      mail_ldap_dovecot_password: dovecotpassword
      # NOTE(review): TLSv1.1 is listed only to show the protocol list override
      # takes effect; it is a deprecated protocol and should not be copied into
      # a real deployment.
      mail_server_tls_protocols:
        - TLSv1.2
        - TLSv1.1
      mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA:!aNULL:!MD5:!EXPORT"
      mail_user: virtmail
      mail_user_uid: 5000
      mail_user_gid: 5000
      imap_max_user_connections_per_ip: 2
      # Per-service certificates for this host, issued by the test CA.
      imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional_imap.cert.pem') }}"
      imap_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional_imap.key.pem') }}"
      local_mail_aliases:
        root:
          - john.doe@parameters-optional.local
      smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional_smtp.cert.pem') }}"
      smtp_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional_smtp.key.pem') }}"
      imap_folder_separator: "."
      smtp_rbl:
        - bl.spamcop.net
        - zen.spamhaus.org

      mail_postmaster: "webmaster@parameters-optional.local"
      # Relay is allowed only from client1 (10.31.127.20 in the /etc/hosts
      # play); any other test host should be rejected as a relay source.
      smtp_allow_relay_from:
        - 10.31.127.20