
branko
MAR-218: Force handler execution during testing for consistency:

- Otherwise it can easily happen that some handlers never run, leaving
the machine in an inconsistent state until they are run by hand.
---

# Base tooling.
- name: Install rsync
  ansible.builtin.apt:
    state: present
    name: rsync

# Dovecot: IMAP server, LDAP lookups, Sieve filtering and the ManageSieve
# service.
- name: Install Dovecot packages
  ansible.builtin.apt:
    state: present
    name:
      - dovecot-imapd
      - dovecot-ldap
      - dovecot-sieve
      - dovecot-managesieved

# Postfix with LDAP map support.
- name: Install Postfix packages
  ansible.builtin.apt:
    state: present
    name:
      - postfix
      - postfix-ldap

# Postfix replaces Exim; remove every exim4-* package together with its
# configuration files.
- name: Purge Exim configuration
  ansible.builtin.apt:
    state: absent
    purge: true
    name: "exim4*"

# Both daemons get supplementary membership in ssl-cert so they can traverse
# the private key directory. Membership is appended, existing groups are kept.
# Note that the key files deployed below are root:root 0640, so this grants
# directory access only, not read access to the keys themselves.
- name: Allow Postfix user to traverse the directory with TLS private keys
  ansible.builtin.user:
    groups: ssl-cert
    append: true
    name: postfix

- name: Allow Dovecot user to traverse the directory with TLS private keys
  ansible.builtin.user:
    groups: ssl-cert
    append: true
    name: dovecot

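# TLS material for the SMTP (Postfix) and IMAP (Dovecot) services.
#
# Private keys and DH parameters live in /etc/ssl/private as root:root 0640;
# certificates are world-readable in /etc/ssl/certs. Key content comes from
# the smtp_tls_key / imap_tls_key variables, so diff output is switched off
# on those two tasks — otherwise a --diff run prints the key material to the
# console and into any log that captures it.
- name: Deploy SMTP TLS private key
  ansible.builtin.copy:
    content: "{{ smtp_tls_key }}"
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_smtp.key"
    owner: root
    group: root
    mode: "0640"
  diff: false
  notify:
    - Restart Postfix

- name: Deploy SMTP TLS certificate
  ansible.builtin.copy:
    content: "{{ smtp_tls_certificate }}"
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Postfix

# Generated on the host; only created when missing, so re-runs do not rotate
# the parameters.
- name: Generate the SMTP server Diffie-Hellman parameter
  community.crypto.openssl_dhparam:
    path: "/etc/ssl/private/{{ ansible_fqdn }}_smtp.dh.pem"
    size: 2048
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart Postfix

- name: Deploy IMAP TLS private key
  ansible.builtin.copy:
    content: "{{ imap_tls_key }}"
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_imap.key"
    owner: root
    group: root
    mode: "0640"
  diff: false
  notify:
    - Restart Dovecot

- name: Deploy IMAP TLS certificate
  ansible.builtin.copy:
    content: "{{ imap_tls_certificate }}"
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_imap.pem"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Dovecot

- name: Generate the IMAP server Diffie-Hellman parameter
  community.crypto.openssl_dhparam:
    path: "/etc/ssl/private/{{ ansible_fqdn }}_imap.dh.pem"
    size: 2048
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart Dovecot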

# One check_certificate config per service; each file simply holds the path
# of the certificate that the cron job should inspect.
- name: Deploy configuration files for checking certificate validity via cron
  ansible.builtin.copy:
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_{{ item }}.conf"
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_{{ item }}.pem"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - smtp
    - imap

# SMTP test client.
- name: Install SWAKS
  ansible.builtin.apt:
    state: present
    name: swaks

# Anti-virus milter for Postfix.
- name: Install milter packages
  ansible.builtin.apt:
    state: present
    name: clamav-milter

# Static milter configuration shipped with the role.
- name: Configure ClamAV Milter
  ansible.builtin.copy:
    src: "clamav-milter.conf"
    dest: "/etc/clamav/clamav-milter.conf"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart ClamAV Milter

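# Directories inside the Postfix chroot (/var/spool/postfix). The parents are
# root-owned; the clamav directory belongs to the clamav user — presumably the
# location of the clamav-milter socket reachable from the chroot (confirm
# against clamav-milter.conf).
#
# The two tasks carry distinct names so that --list-tasks / --start-at-task
# and log output can tell them apart.
- name: Set-up privileges for directories within Postfix chroot
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  with_items:
    - /var/spool/postfix/var
    - /var/spool/postfix/var/run

- name: Set-up privileges for ClamAV directory within Postfix chroot
  ansible.builtin.file:
    path: /var/spool/postfix/var/run/clamav
    state: directory
    owner: clamav
    group: clamav
    mode: "0755"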

# The CA bundle used to verify the LDAP server is deployed twice: once in the
# system location and once inside the Postfix chroot, since chrooted Postfix
# processes cannot reach /etc/ssl. Only the chroot copy triggers a restart.
- name: Deploy the LDAP TLS truststore in default location
  ansible.builtin.copy:
    dest: "/etc/ssl/certs/mail_ldap_tls_truststore.pem"
    content: "{{ mail_ldap_tls_truststore }}"
    owner: root
    group: root
    mode: "0644"

- name: Deploy the LDAP TLS truststore in Postfix chroot
  ansible.builtin.copy:
    dest: "/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem"
    content: "{{ mail_ldap_tls_truststore }}"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Postfix

# /etc/mailname is taken from the inventory name, not from ansible_fqdn.
- name: Configure visible mail name of the system
  ansible.builtin.copy:
    dest: "/etc/mailname"
    content: "{{ inventory_hostname }}"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Postfix

# LDAP map definitions. They are readable by root and the postfix group only
# (0640) — presumably because they carry the LDAP bind credentials; confirm in
# the templates before relaxing the mode.
- name: Deploy Postfix configurations files for LDAP look-ups
  ansible.builtin.template:
    dest: "/etc/postfix/{{ item }}.cf"
    src: "{{ item }}.cf.j2"
    owner: root
    group: postfix
    mode: "0640"
  notify:
    - Restart Postfix
  with_items:
    - ldap-virtual-alias-maps
    - ldap-virtual-mailbox-domains
    - ldap-virtual-mailbox-maps

# Main Postfix configuration; world-readable like the package default.
- name: Deploy Postfix main configuration
  ansible.builtin.template:
    dest: "/etc/postfix/main.cf"
    src: "main.cf.j2"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Postfix

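# Local aliases are managed line by line from the local_mail_aliases dict
# (alias name -> destination). The regexp matches the whole alias name up to
# the colon, so an alias such as "root" no longer replaces a longer one such
# as "rootmail"; the name is regex-escaped because alias names may contain
# dots or other metacharacters.
- name: Set-up local mail aliases
  ansible.builtin.lineinfile:
    path: "/etc/aliases"
    line: "{{ item.key }}: {{ item.value }}"
    regexp: '^{{ item.key | regex_escape }}\s*:'
    state: present
  with_dict: "{{ local_mail_aliases }}"
  notify:
    - Rebuild mail aliases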

# Owner of the mail store. gid/uid are optional overrides; when unset the
# system picks them.
- name: Create mail owner group
  ansible.builtin.group:
    state: present
    name: "{{ mail_user }}"
    gid: "{{ mail_user_gid | default(omit) }}"

- name: Create mail owner user
  ansible.builtin.user:
    state: present
    name: "{{ mail_user }}"
    group: "{{ mail_user }}"
    uid: "{{ mail_user_uid | default(omit) }}"
    home: "/var/{{ mail_user }}"

# Authentication goes through LDAP only: drop the include of the system
# (PAM/passwd) auth config from the distribution's 10-auth.conf.
- name: Disable Dovecot system authentication
  ansible.builtin.lineinfile:
    state: absent
    dest: "/etc/dovecot/conf.d/10-auth.conf"
    line: "!include auth-system.conf.ext"
  notify:
    - Restart Dovecot

# Role-specific overrides, loaded last by Dovecot's conf.d ordering.
- name: Deploy Dovecot configuration file with overrides
  ansible.builtin.template:
    dest: "/etc/dovecot/conf.d/99-local.conf"
    src: "99-local.conf.j2"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Dovecot

# Root-only (0600) — presumably because the bind credentials are templated
# into it; confirm in the template before changing the mode.
- name: Deploy Dovecot configuration file for LDAP look-ups
  ansible.builtin.template:
    dest: "/etc/dovecot/dovecot-ldap.conf.ext"
    src: "dovecot-ldap.conf.ext.j2"
    owner: root
    group: root
    mode: "0600"
  notify:
    - Restart Dovecot

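# master.cf defines the Postfix services/processes. Task name typo fixed
# ("Postifx" -> "Postfix") so it can be referenced correctly with
# --start-at-task.
- name: Deploy Postfix master process configuration
  ansible.builtin.template:
    src: "master.cf.j2"
    dest: "/etc/postfix/master.cf"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Postfix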

# freshclam is started first so that the database files waited for below can
# appear on a fresh host.
- name: Enable and start ClamAV database update service (freshclam)
  ansible.builtin.service:
    name: clamav-freshclam
    enabled: true
    state: started

# Probe for the .cld database files; the results drive the wait below.
- name: Check availability of ClamAV database files
  ansible.builtin.stat:
    path: "{{ item }}"
  register: clamav_db_files
  with_items:
    - /var/lib/clamav/bytecode.cld
    - /var/lib/clamav/daily.cld
    - /var/lib/clamav/main.cld

# For every database not present as .cld, wait for the .cvd variant. This
# assumes each database ends up in one of the two forms — if it is created as
# .cld only after the probe, the wait still times out after 10 minutes.
- name: Wait for ClamAV database to be available (up to 10 minutes)
  ansible.builtin.wait_for:
    path: "{{ item.item | replace('.cld', '.cvd') }}"
    timeout: 600
  with_items: "{{ clamav_db_files.results }}"
  when: not item.stat.exists

- name: Enable and start ClamAV daemon and milter services
  ansible.builtin.service:
    name: "{{ item }}"
    enabled: true
    state: started
  with_items:
    - clamav-daemon
    - clamav-milter

# clamd only creates its control socket once it has loaded the databases,
# which can take a while.
- name: Wait for ClamAV to become available (up to 5 minutes)
  ansible.builtin.wait_for:
    path: "/var/run/clamav/clamd.ctl"
    timeout: 300

# Bring the mail services up and make them persistent across reboots.
- name: Enable and start Postfix service
  ansible.builtin.service:
    name: postfix
    enabled: true
    state: started

- name: Enable and start Dovecot service
  ansible.builtin.service:
    name: dovecot
    enabled: true
    state: started

# ferm rules for the mail ports, shipped as a static file; ferm picks up
# everything under conf.d, the 20- prefix fixes the ordering.
- name: Deploy firewall configuration for mail server
  ansible.builtin.copy:
    dest: "/etc/ferm/conf.d/20-mail.conf"
    src: "ferm_mail.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# Handlers normally fire only for tasks that reported a change. When
# run_handlers is set (test runs), the handler file is included as ordinary
# tasks so every handler runs and the host ends up in a consistent state.
# Tagged so it can be selected or skipped on its own.
- name: Explicitly run all handlers
  ansible.builtin.include_tasks: ../handlers/main.yml
  tags:
    - handlers
  when: run_handlers | default(false) | bool