
branko
MAR-181: Use Debian-provided Prosody package for testing optional parameter:

- Still properly tests the role, while at the same time making it
possible to use custom apt repository for Debian Buster (due to
Prosody project dropping all repository archives for it).
---

# rsync is installed by the role; what consumes it is not visible in this
# file (presumably mailbox sync/backup tooling — confirm against the role docs).
- name: Install rsync
  apt:
    state: present
    name: rsync

# IMAP server plus its LDAP auth backend, Sieve filtering and ManageSieve.
- name: Install Dovecot packages
  apt:
    state: present
    name:
      - dovecot-imapd
      - dovecot-ldap
      - dovecot-sieve
      - dovecot-managesieved

# MTA plus its LDAP lookup-table support.
- name: Install Postfix packages
  apt:
    state: present
    name:
      - postfix
      - postfix-ldap

# The glob removes every exim4* package; purge drops its configuration as
# well so a leftover Exim install cannot compete with Postfix for port 25.
- name: Purge Exim configuration
  apt:
    state: absent
    purge: true
    name: "exim4*"

# Both service accounts are added to ssl-cert as a supplementary group;
# append keeps whatever groups they already have. NOTE(review): ssl-cert
# membership grants access to everything under the key directory that is
# group-readable, not just this role's files — confirm that is acceptable.
- name: Allow Postfix user to traverse the directory with TLS private keys
  user:
    groups: ssl-cert
    append: true
    name: postfix

- name: Allow Dovecot user to traverse the directory with TLS private keys
  user:
    groups: ssl-cert
    append: true
    name: dovecot

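# The key is written from the smtp_tls_key variable. no_log keeps the key
# material out of --diff output and verbose task results; the file itself is
# root-only readable (0640 root:root).
- name: Deploy SMTP TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_smtp.key"
    content: "{{ smtp_tls_key }}"
    # quoted so the mode stays a string on YAML 1.2 parsers (an unquoted
    # 0640 would be read as decimal 640 there and yield wrong permissions)
    mode: "0640"
    owner: root
    group: root
  no_log: true
  notify:
    - Restart Postfix

- name: Deploy SMTP TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem"
    content: "{{ smtp_tls_certificate }}"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart Postfix

# Generated once on the host (the module is idempotent for an existing
# file of the requested size); 2048-bit is the size the role settled on.
- name: Generate the SMTP server Diffie-Hellman parameter
  openssl_dhparam:
    owner: root
    group: root
    mode: "0640"
    path: "/etc/ssl/private/{{ ansible_fqdn }}_smtp.dh.pem"
    size: 2048
  notify:
    - Restart Postfix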

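# The key is written from the imap_tls_key variable. no_log keeps the key
# material out of --diff output and verbose task results; the file itself is
# root-only readable (0640 root:root).
- name: Deploy IMAP TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_imap.key"
    content: "{{ imap_tls_key }}"
    # quoted so the mode stays a string on YAML 1.2 parsers (an unquoted
    # 0640 would be read as decimal 640 there and yield wrong permissions)
    mode: "0640"
    owner: root
    group: root
  no_log: true
  notify:
    - Restart Dovecot

- name: Deploy IMAP TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_imap.pem"
    content: "{{ imap_tls_certificate }}"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart Dovecot

# Generated once on the host (the module is idempotent for an existing
# file of the requested size); 2048-bit is the size the role settled on.
- name: Generate the IMAP server Diffie-Hellman parameter
  openssl_dhparam:
    owner: root
    group: root
    mode: "0640"
    path: "/etc/ssl/private/{{ ansible_fqdn }}_imap.dh.pem"
    size: 2048
  notify:
    - Restart Dovecot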

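# One config file per service; each holds just the path of the certificate
# the cron-driven checker should inspect (the consumer of
# /etc/check_certificate/ is defined outside this role).
- name: Deploy configuration files for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_{{ item }}.pem"
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_{{ item }}.conf"
    owner: root
    group: root
    # quoted so the mode is a string on every YAML version (unquoted 0644
    # is decimal 644 on a YAML 1.2 parser)
    mode: "0644"
  with_items:
    - smtp
    - imap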

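# swaks is a command-line SMTP test client (used for role testing).
- name: Install SWAKS
  apt:
    name: swaks
    state: present

- name: Install milter packages
  apt:
    name: clamav-milter
    state: present

# Static config file shipped with the role (files/clamav-milter.conf).
- name: Configure ClamAV Milter
  copy:
    dest: "/etc/clamav/clamav-milter.conf"
    src: "clamav-milter.conf"
    # quoted so the mode is a string on every YAML version
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart ClamAV Milter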

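# Postfix runs chrooted under /var/spool/postfix; the var/run tree inside
# it has to exist so the milter socket directory below can be created.
- name: Set-up privileges for directories within Postfix chroot
  file:
    dest: "{{ item }}"
    # quoted so the mode is a string on every YAML version (unquoted 0755
    # is decimal 755 on a YAML 1.2 parser)
    mode: "0755"
    state: directory
    owner: root
    group: root
  with_items:
    - /var/spool/postfix/var
    - /var/spool/postfix/var/run

# NOTE(review): same task name as the one above — fine functionally, but
# --start-at-task / --step cannot tell them apart. This directory is owned by
# clamav (presumably where the milter places its socket inside the chroot).
- name: Set-up privileges for directories within Postfix chroot
  file:
    dest: "{{ item }}"
    state: directory
    owner: clamav
    group: clamav
    mode: "0755"
  with_items:
    - /var/spool/postfix/var/run/clamav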

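# The same truststore is written twice: once in the system location (used
# by Dovecot) and once inside the Postfix chroot, where Postfix's LDAP
# lookups resolve paths relative to /var/spool/postfix.
- name: Deploy the LDAP TLS truststore in default location
  copy:
    content: "{{ mail_ldap_tls_truststore }}"
    dest: "/etc/ssl/certs/mail_ldap_tls_truststore.pem"
    owner: root
    group: root
    # quoted so the mode is a string on every YAML version (unquoted 0644
    # is decimal 644 on a YAML 1.2 parser)
    mode: "0644"

- name: Deploy the LDAP TLS truststore in Postfix chroot
  copy:
    content: "{{ mail_ldap_tls_truststore }}"
    dest: "/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Postfix

# /etc/mailname is written from inventory_hostname (not ansible_fqdn, which
# the TLS file names use) — keep that in mind if the two differ.
- name: Configure visible mail name of the system
  copy:
    content: "{{ inventory_hostname }}"
    dest: "/etc/mailname"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Postfix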

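# LDAP lookup tables carry the bind credentials, hence root:postfix 0640
# rather than world-readable.
- name: Deploy Postfix configurations files for LDAP look-ups
  template:
    src: "{{ item }}.cf.j2"
    dest: "/etc/postfix/{{ item }}.cf"
    owner: root
    group: postfix
    # quoted so the mode is a string on every YAML version (unquoted 0640
    # is decimal 640 on a YAML 1.2 parser)
    mode: "0640"
  with_items:
    - ldap-virtual-alias-maps
    - ldap-virtual-mailbox-domains
    - ldap-virtual-mailbox-maps
  notify:
    - Restart Postfix

- name: Deploy Postfix main configuration
  template:
    src: "main.cf.j2"
    dest: "/etc/postfix/main.cf"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Postfix

# One "key: value" line per entry of local_mail_aliases. The regexp is
# anchored on the trailing colon so that a key only replaces its own line:
# a bare "^{{ item.key }}" would also match any alias that merely starts
# with the same characters (e.g. key "mail" clobbering "mailer-daemon:").
- name: Set-up local mail aliases
  lineinfile:
    dest: "/etc/aliases"
    line: "{{ item.key }}: {{ item.value }}"
    regexp: "^{{ item.key }}:"
    state: present
  with_dict: "{{ local_mail_aliases }}"
  notify:
    - Rebuild mail aliases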

# Dedicated account that owns the mailboxes. gid/uid are only pinned when
# mail_user_gid / mail_user_uid are set; otherwise the parameter is omitted
# and the system picks one.
- name: Create mail owner group
  group:
    state: present
    name: "{{ mail_user }}"
    gid: "{{ mail_user_gid | default(omit) }}"

- name: Create mail owner user
  user:
    state: present
    name: "{{ mail_user }}"
    uid: "{{ mail_user_uid | default(omit) }}"
    group: "{{ mail_user }}"
    home: "/var/{{ mail_user }}"

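# Users come from LDAP only; the packaged include of the PAM/system auth
# backend is dropped from 10-auth.conf.
- name: Disable Dovecot system authentication
  lineinfile:
    dest: "/etc/dovecot/conf.d/10-auth.conf"
    line: "!include auth-system.conf.ext"
    state: absent
  notify:
    - Restart Dovecot

- name: Deploy Dovecot configuration file with overrides
  template:
    src: "99-local.conf.j2"
    dest: "/etc/dovecot/conf.d/99-local.conf"
    owner: root
    group: root
    # quoted so the mode is a string on every YAML version (unquoted 0644
    # is decimal 644 on a YAML 1.2 parser)
    mode: "0644"
  notify:
    - Restart Dovecot

# Holds the LDAP bind credentials, hence root-only 0600.
- name: Deploy Dovecot configuration file for LDAP look-ups
  template:
    src: "dovecot-ldap.conf.ext.j2"
    dest: "/etc/dovecot/dovecot-ldap.conf.ext"
    owner: root
    group: root
    mode: "0600"
  notify:
    - Restart Dovecot

- name: Deploy Postfix master process configuration
  template:
    src: "master.cf.j2"
    dest: "/etc/postfix/master.cf"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Postfix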

# freshclam has to run first: clamd refuses to start without a database.
- name: Enable and start ClamAV database update service (freshclam)
  service:
    enabled: true
    state: started
    name: clamav-freshclam

# Record which of the three database files already exist; the results
# drive the conditional wait below.
- name: Check availability of ClamAV database files
  stat:
    path: "{{ item }}"
  with_items:
    - /var/lib/clamav/bytecode.cld
    - /var/lib/clamav/daily.cld
    - /var/lib/clamav/main.cld
  register: clamav_db_files

# For each missing .cld file, wait for the corresponding .cvd to appear
# (the .cvd is what freshclam downloads on a fresh host).
- name: Wait for ClamAV database to be available (up to 10 minutes)
  when: not item.stat.exists
  with_items: "{{ clamav_db_files.results }}"
  wait_for:
    timeout: 600
    path: "{{ item.item | replace('.cld', '.cvd') }}"

- name: Enable and start ClamAV daemon and milter services
  service:
    enabled: true
    state: started
    name: "{{ item }}"
  with_items:
    - clamav-daemon
    - clamav-milter

# clamd only opens its control socket once it has loaded the databases,
# which can take a while; block on the socket rather than on the service.
- name: Wait for ClamAV to become available (up to 5 minutes)
  wait_for:
    timeout: 300
    path: "/var/run/clamav/clamd.ctl"

- name: Enable and start Postfix service
  service:
    enabled: true
    state: started
    name: postfix

- name: Enable and start Dovecot service
  service:
    enabled: true
    state: started
    name: dovecot

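# Static ferm fragment shipped with the role (files/ferm_mail.conf); the
# "20-" prefix orders it within /etc/ferm/conf.d.
- name: Deploy firewall configuration for mail server
  copy:
    src: "ferm_mail.conf"
    dest: "/etc/ferm/conf.d/20-mail.conf"
    owner: root
    group: root
    # quoted so the mode is a string on every YAML version (unquoted 0640
    # is decimal 640 on a YAML 1.2 parser)
    mode: "0640"
  notify:
    - Restart ferm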

# Escape hatch for callers that want every handler to fire regardless of
# what changed: set run_handlers=true (the default(False) keeps it opt-in).
# NOTE(review): the bare `include` directive is a legacy form; newer
# ansible-core releases replace it with include_tasks — confirm against the
# Ansible version this repository pins before upgrading.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers