state: directory

    owner: root

    group: root

    mode: 0700

- name: Import private keys  # noqa no-changed-when

  # [no-changed-when] Commands should not change things if nothing needs doing

  #   This task is invoked only if user is very specific about requiring to

  #   run the handlers manually as a way to bring the system to consistency

  #   after interrupted runs.

  command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc"

  command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc"

  when: backup_additional_encryption_keys | length > 0

      with_items:

        - iptable_filter

        - iptable_nat

        - iptable_mangle

        - iptable_security

        - iptable_raw

        - ip6table_filter

        - ip6table_nat

        - ip6table_mangle

        - ip6table_security

        - ip6table_raw

      command: "iptables-legacy -t '{{ item }}' -N '{{ (ansible_date_time.iso8601_micro | to_uuid)[:28] }}'"

      with_items:

        - filter

        - nat

        - mangle

        - security

        - raw

      command: "ip6tables-legacy -t '{{ item }}' -N '{{ (ansible_date_time.iso8601_micro | to_uuid)[:28] }}'"

      with_items:

        - filter

        - nat

        - mangle

        - security

        - raw

    - name: Create deprecated directory for storing requirements files created using Python 3 (pip requirements upgrade checks)

      file:

        path: "/etc/pip_check_requirements_upgrades-py3"

        state: directory

  register: pam_umask

  notify:

    - Update PAM configuration

- name: Update PAM configuration  # noqa no-handler

  # [no-handler] Tasks that run when changed should likely be handlers

  #   In order to have consistent behaviour during the first and

  #   subsequent playbook runs, make sure the PAM configuration is

  #   updated immediatelly. This way any files created by commands etc

  #   should end-up with correct permissions straight away.

  command: "/usr/sbin/pam-auth-update --package"

  when: pam_umask.changed

- name: Set login UMASK

  lineinfile:

    dest: "/etc/login.defs"

    state: present

    backrefs: true

    regexp: '^UMASK(\s+)'

    line: 'UMASK\g<1>027'

- name: Set home directory mask

  lineinfile:

    dest: "/etc/adduser.conf"

    group: root

    mode: 0644

  with_dict: "{{ ca_certificates }}"

  register: deploy_ca_certificates_result

- name: Update CA certificate cache  # noqa no-handler

  # [no-handler] Tasks that run when changed should likely be handlers

  #   CA certificate cache must be updated immediatelly in order for

  #   applications depending on deployed CA certificates can use them to

  #   validate server/client certificates.

  command: "/usr/sbin/update-ca-certificates --fresh"

  when: deploy_ca_certificates_result.changed

- name: Set-up file diversions for custom files that overrride package-provided ones

  command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'"

  register: "dpkg_divert"

  changed_when: "'Adding' in dpkg_divert.stdout"

  with_items:

    - "/usr/sbin/ferm"

  notify:

    - Restart ferm

- name: Deploy the patched ferm binary that disables use of legacy iptables

  copy:

    state: exact

    name: olcLogLevel

    values: "{{ ldap_server_log_level }}"

- name: Test if LDAP misc schema has been applied

  command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn"

  register: ldap_misc_schema_present

  changed_when: false

- name: Deploy LDAP misc schema

  command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif"

  when: not ldap_misc_schema_present.stdout

# Technically, the only thing this does is pick the size of DH

# parameters to use, with GnuTLS (against which slapd is linked

# against under Debian) picking a matching DH parameter from RFC-7919

# (https://www.ietf.org/rfc/rfc7919.txt).

- name: Generate the LDAP server Diffie-Hellman parameter

  openssl_dhparam:

    owner: root

    group: openldap

    mode: 0640

    path: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.dh.pem"

    size: 2048

    - name: Deploy CA certificate

      copy:

        src: tests/data/x509/ca/level1.cert.pem

        dest: /usr/local/share/ca-certificates/testca.crt

        owner: root

        group: root

        mode: 0644

      notify:

        - Update CA certificate cache

  handlers:

      command: /usr/sbin/update-ca-certificates --fresh

- name: Prepare, helpers

  hosts: mail-servers

  become: true

  tasks:

    - name: Deploy CA certificate

      copy:

        src: tests/data/x509/ca/level1.cert.pem

        dest: /usr/local/share/ca-certificates/testca.crt

        owner: root

    - name: Install SWAKS for testing SMTP capability

      apt:

        name: swaks

        state: present

    - name: Set-up port forwarding

      command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport 27 -j REDIRECT --to-ports 25"

      changed_when: false

  handlers:

      command: /usr/sbin/update-ca-certificates --fresh

    - name: Restart Postfix

      service:

        name: postfix

        state: restarted

- name: Prepare, test fixtures

  hosts: parameters-optional

  become: true

  tasks:

      file:

        path: /vagrant/

        mode: 0711

    - name: Create directory for storing ClamAV database files

      file:

        path: /vagrant/clamav-database

        state: directory

        owner: vagrant

        group: vagrant

        mode: 0755

      become: true

      become_user: vagrant

      command: "/var/lib/cvdupdate/bin/cvd config set --dbdir /vagrant/clamav-database/"

      become: true

      become_user: vagrant

      command: "/var/lib/cvdupdate/bin/cvd update"

    - name: Allow all users to read ClamAV database files

      file:

        path: "/vagrant/clamav-database/"

        mode: "g=u-w,o=u-w"

        recurse: true

    - name: Deploy nginx TLS private key

      copy:

            mode: 0644

          notify:

            - Restart Postfix

        - name: Enable Postfix service

          service:

            name: postfix

            state: started

            enabled: true

  handlers:

      command: /usr/sbin/update-ca-certificates --fresh

    - name: Restart Postfix

      service:

        name: postfix

        state: restarted

- name: Prepare, helpers

  hosts: ldap-server

  become: true

  roles:

    - ldap_server

    - backup_server

      user:

        name: user

        group: user

        shell: /bin/bash

  handlers:

    - name: Restart Postfix

      service:

        name: postfix

        state: restarted

      command: "/usr/bin/newaliases"

    - name: Deploy CA certificate

      copy:

        src: tests/data/x509/ca/level1.cert.pem

        dest: /usr/local/share/ca-certificates/testca.crt

        owner: root

        group: root

        mode: 0644

      notify:

        - Update CA certificate cache

  handlers:

      command: /usr/sbin/update-ca-certificates --fresh

      user:

        name: user

        group: user

        shell: /bin/bash

  handlers:

    - name: Restart Postfix

      service:

        name: postfix

        state: restarted

      command: "/usr/bin/newaliases"

          password: mickpassword

          server: domain3

          security: tls

          nickname: mick.doe

        - jid: noxmpp@domain1

          password: noxmpppassword

          server: domain1

          security: tls

          nickname: noxmpp

  handlers:

      command: /usr/sbin/update-ca-certificates --fresh

- name: Prepare, helpers

  hosts: ldap-server

  become: true

  roles:

    - ldap_server

    - backup_server

- name: Prepare, test fixtures

  hosts: ldap-server

  become: true

  tasks: