
Location: majic-ansible-roles/roles/mail_forwarder/tasks/main.yml - annotation

branko
MAR-218: Quote all octal modes to avoid ambiguity due to changes in YAML standard.
---

# Postfix is the MTA that the rest of this file configures.
- name: Install Postfix
  ansible.builtin.apt:
    # "present" only ensures the package is installed.
    state: present
    name: postfix

# NOTE(review): procmail is presumably the local delivery agent referenced
# from the Postfix configuration template - confirm against main.cf.j2.
- name: Install procmail
  ansible.builtin.apt:
    state: present
    name: procmail

# Remove every package matching the exim4* glob. "purge" also deletes the
# packages' configuration files rather than only uninstalling them.
- name: Purge Exim configuration
  ansible.builtin.apt:
    name: 'exim4*'
    purge: true
    state: absent

# Writes the smtp_relay_truststore variable verbatim to a world-readable
# file (0644, root:root). That mode is appropriate for CA certificates only;
# the variable must never carry private key material.
# NOTE(review): presumably referenced by main.cf.j2 for verifying the relay's
# certificate - confirm.
- name: Deploy the SMTP relay TLS truststore
  ansible.builtin.copy:
    dest: /etc/ssl/certs/smtp_relay_truststore.pem
    content: "{{ smtp_relay_truststore }}"
    mode: "0644"
    owner: root
    group: root

# Creates a host-specific 2048-bit DH parameter file (the file name embeds
# ansible_fqdn). DH parameters are not secret, but the file sits under
# /etc/ssl/private and is readable only by root and the root group (0640).
- name: Generate the SMTP server Diffie-Hellman parameter
  community.crypto.openssl_dhparam:
    path: "/etc/ssl/private/{{ ansible_fqdn }}_smtp.dh.pem"
    size: 2048
    mode: "0640"
    owner: root
    group: root
  # Postfix is restarted whenever this task reports a change.
  notify:
    - Restart Postfix

# /etc/mailname receives the inventory hostname exactly as written in the
# inventory (no trailing newline is added by this task).
- name: Configure visible mail name of the system
  ansible.builtin.copy:
    dest: /etc/mailname
    content: "{{ inventory_hostname }}"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart Postfix

# Renders main.cf.j2 into the Postfix main configuration file.
# The result is world-readable (0644), so the template should not embed
# credentials or other secrets.
- name: Deploy Postfix main configuration
  ansible.builtin.template:
    dest: /etc/postfix/main.cf
    src: main.cf.j2
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart Postfix

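# Ensures one "<alias>: <target>" line in /etc/aliases for every entry of the
# local_mail_aliases dictionary, replacing an existing line for that alias.
# Values are written verbatim, so whoever controls local_mail_aliases decides
# where local mail is delivered.
- name: Set-up local mail aliases
  ansible.builtin.lineinfile:
    dest: "/etc/aliases"
    line: "{{ item.key }}: {{ item.value }}"
    # Match the complete alias name up to its colon. A bare "^key" prefix
    # match would also hit longer names that start with the same characters
    # (for example "post" matching "postmaster") and overwrite that line.
    # regex_escape keeps characters such as "." or "+" in a name literal.
    regexp: '^{{ item.key | regex_escape }}\s*:'
    state: present
  with_dict: "{{ local_mail_aliases }}"
  notify:
    - Rebuild mail aliases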

# Postfix must be running now and be enabled for start at boot.
- name: Enable and start postfix service
  ansible.builtin.service:
    name: postfix
    enabled: true
    state: started

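# Resolves smtp_relay_host to its unique IPv4 addresses and registers the
# command result as smtp_relay_host_ipv4. The task never reports a change.
# The lookup happens at playbook run time, so the firewall rules derived from
# it are only as trustworthy as the resolver used here, and they go stale if
# the relay's addresses change before the role is run again.
- name: Retrieve IPv4 addresses of SMTP relay host
  # The host name goes through the quote filter so the shell always receives
  # it as a single argument, whatever characters the variable contains.
  ansible.builtin.shell: "getent ahostsv4 {{ smtp_relay_host | quote }} | awk '{ print $1 }' | sort -u"  # noqa risky-shell-pipe
  # [risky-shell-pipe] Shells that use pipes should set the pipefail option
  #   The getent ahostsv4 command has non-zero exit code if the
  #   supplied name cannot be resolved. However, that is a valid
  #   use-case for extracting this information. It effectively means
  #   that no IPv4 firewall rules will be deployed for allowing
  #   incoming connections from the SMTP relay host.
  changed_when: false
  register: smtp_relay_host_ipv4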

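# Resolves smtp_relay_host to its unique IPv6 addresses, dropping
# IPv4-mapped entries (::ffff:...), and registers the command result as
# smtp_relay_host_ipv6. The task never reports a change.
# The lookup happens at playbook run time, so the firewall rules derived from
# it are only as trustworthy as the resolver used here, and they go stale if
# the relay's addresses change before the role is run again.
- name: Retrieve IPv6 addresses of SMTP relay host
  # The host name goes through the quote filter so the shell always receives
  # it as a single argument, whatever characters the variable contains.
  ansible.builtin.shell: "getent ahostsv6 {{ smtp_relay_host | quote }} | awk '{ print $1 }' | grep -v '^::ffff:' | sort -u"  # noqa risky-shell-pipe
  # [risky-shell-pipe] Shells that use pipes should set the pipefail option
  #   The getent ahostsv6 command has non-zero exit code if the
  #   supplied name cannot be resolved. However, that is a valid
  #   use-case for extracting this information. It effectively means
  #   that no IPv6 firewall rules will be deployed for allowing
  #   incoming connections from the SMTP relay host.
  changed_when: false
  register: smtp_relay_host_ipv6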

# Replaces the registered command result with a plain list of its non-empty
# output lines.
# NOTE(review): the task is skipped when smtp_relay_host is empty, so in that
# case smtp_relay_host_ipv4 is still the raw registered result, not a list -
# confirm that consumers of the variable account for this.
- name: Normalise the SMTP relay host IPv4 addresses variable
  when: 'smtp_relay_host | length != 0'
  ansible.builtin.set_fact:
    smtp_relay_host_ipv4: "{{ smtp_relay_host_ipv4.stdout_lines | reject('equalto', '') | list }}"

# Replaces the registered command result with a plain list of its non-empty
# output lines.
# NOTE(review): the task is skipped when smtp_relay_host is empty, so in that
# case smtp_relay_host_ipv6 is still the raw registered result, not a list -
# confirm that consumers of the variable account for this.
- name: Normalise the SMTP relay host IPv6 addresses variable
  when: 'smtp_relay_host | length != 0'
  ansible.builtin.set_fact:
    smtp_relay_host_ipv6: "{{ smtp_relay_host_ipv6.stdout_lines | reject('equalto', '') | list }}"

# Renders ferm_mail.conf.j2 into the ferm configuration directory. The file
# is readable by root and the root group only (0640), and ferm is restarted
# whenever the rendered rules change.
- name: Deploy firewall configuration for mail forwader
  ansible.builtin.template:
    dest: /etc/ferm/conf.d/20-mail.conf
    src: ferm_mail.conf.j2
    mode: "0640"
    owner: root
    group: root
  notify:
    - Restart ferm

# swaks is a command-line SMTP test tool.
# NOTE(review): presumably installed for manually checking mail delivery
# from the host - confirm it is wanted on production systems.
- name: Install SWAKS
  ansible.builtin.apt:
    state: present
    name: swaks

# Includes the role's handlers file as ordinary tasks when run_handlers is
# truthy (it defaults to False), so its tasks run without being notified.
# The include is tagged "handlers".
- name: Explicitly run all handlers
  when: 'run_handlers | default(False) | bool()'
  tags:
    - handlers
  ansible.builtin.include_tasks: ../handlers/main.yml