
branko
MAR-218: Switch to using fully-qualified collection names for all tasks:

- Ensures there is no ambiguity when invoking a module.
---

# Base packages: rsync (its consumer is outside this file), the Dovecot
# IMAP/LDAP/Sieve stack, and Postfix with its LDAP map support.
- name: Install rsync
  ansible.builtin.apt:
    state: present
    name: rsync

- name: Install Dovecot packages
  ansible.builtin.apt:
    state: present
    name:
      - dovecot-imapd
      - dovecot-ldap
      - dovecot-sieve
      - dovecot-managesieved

- name: Install Postfix packages
  ansible.builtin.apt:
    state: present
    name:
      - postfix
      - postfix-ldap

# Remove any Exim installation and purge its configuration so Postfix is
# the only local MTA left on the host.
- name: Purge Exim configuration
  ansible.builtin.apt:
    state: absent
    purge: true
    name: 'exim4*'

# Both daemons join the ssl-cert group. The keys deployed further down are
# root:root 0640, so this membership only buys directory traversal of
# /etc/ssl/private, not read access to the key files themselves —
# presumably the daemons open the keys as root before dropping privileges
# (confirm against the service configuration).
- name: Allow Postfix user to traverse the directory with TLS private keys
  ansible.builtin.user:
    groups: ssl-cert
    append: true
    name: postfix

- name: Allow Dovecot user to traverse the directory with TLS private keys
  ansible.builtin.user:
    groups: ssl-cert
    append: true
    name: dovecot

# SMTP TLS material, fed in via the smtp_tls_key / smtp_tls_certificate
# variables. NOTE(review): the private key is passed through `content:`;
# diff/verbose output of this task may reveal it unless `no_log: true` is
# set — confirm that is acceptable for how the playbook is run.
- name: Deploy SMTP TLS private key
  ansible.builtin.copy:
    content: '{{ smtp_tls_key }}'
    dest: '/etc/ssl/private/{{ ansible_fqdn }}_smtp.key'
    owner: root
    group: root
    mode: '0640'
  notify:
    - Restart Postfix

- name: Deploy SMTP TLS certificate
  ansible.builtin.copy:
    content: '{{ smtp_tls_certificate }}'
    dest: '/etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem'
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart Postfix

# DH parameters are public values; they are nevertheless kept next to the
# key under /etc/ssl/private with the same restrictive mode.
- name: Generate the SMTP server Diffie-Hellman parameter
  community.crypto.openssl_dhparam:
    path: '/etc/ssl/private/{{ ansible_fqdn }}_smtp.dh.pem'
    size: 2048
    owner: root
    group: root
    mode: '0640'
  notify:
    - Restart Postfix

# IMAP TLS material, mirroring the SMTP set above but fed from
# imap_tls_key / imap_tls_certificate and restarting Dovecot instead.
# NOTE(review): as with the SMTP key, `content:` may surface the private
# key in diff/verbose output unless `no_log: true` is set — confirm.
- name: Deploy IMAP TLS private key
  ansible.builtin.copy:
    content: '{{ imap_tls_key }}'
    dest: '/etc/ssl/private/{{ ansible_fqdn }}_imap.key'
    owner: root
    group: root
    mode: '0640'
  notify:
    - Restart Dovecot

- name: Deploy IMAP TLS certificate
  ansible.builtin.copy:
    content: '{{ imap_tls_certificate }}'
    dest: '/etc/ssl/certs/{{ ansible_fqdn }}_imap.pem'
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart Dovecot

# DH parameters are public values; kept under /etc/ssl/private with the
# same mode as the key for consistency with the SMTP set.
- name: Generate the IMAP server Diffie-Hellman parameter
  community.crypto.openssl_dhparam:
    path: '/etc/ssl/private/{{ ansible_fqdn }}_imap.dh.pem'
    size: 2048
    owner: root
    group: root
    mode: '0640'
  notify:
    - Restart Dovecot

# One check_certificate config per service; each file holds only the path
# of the certificate that the cron-driven validity check should monitor.
- name: Deploy configuration files for checking certificate validity via cron
  ansible.builtin.copy:
    dest: '/etc/check_certificate/{{ ansible_fqdn }}_{{ item }}.conf'
    content: '/etc/ssl/certs/{{ ansible_fqdn }}_{{ item }}.pem'
    owner: root
    group: root
    mode: '0644'
  with_items:
    - smtp
    - imap

# SWAKS (an SMTP test client) and the ClamAV milter that Postfix will use.
- name: Install SWAKS
  ansible.builtin.apt:
    state: present
    name: swaks

- name: Install milter packages
  ansible.builtin.apt:
    state: present
    name: clamav-milter

# Static milter configuration shipped with the role; any change restarts
# the milter through its handler.
- name: Configure ClamAV Milter
  ansible.builtin.copy:
    src: 'clamav-milter.conf'
    dest: '/etc/clamav/clamav-milter.conf'
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart ClamAV Milter

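# Runtime directories inside the Postfix chroot. The parent directories
# stay root-owned; only the clamav subdirectory is handed to the clamav
# user (presumably so the milter can create its socket there — confirm
# against clamav-milter.conf). The two tasks previously shared one name,
# which made play output ambiguous; the second is now named distinctly.
- name: Set-up privileges for directories within Postfix chroot
  ansible.builtin.file:
    dest: "{{ item }}"
    mode: "0755"
    state: directory
    owner: root
    group: root
  with_items:
    - /var/spool/postfix/var
    - /var/spool/postfix/var/run

- name: Set-up privileges for ClamAV directory within Postfix chroot
  ansible.builtin.file:
    dest: "{{ item }}"
    state: directory
    owner: clamav
    group: clamav
    mode: "0755"
  with_items:
    - /var/spool/postfix/var/run/clamav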

# The LDAP CA bundle is written twice: at the regular system path and
# again inside the Postfix chroot, presumably because chrooted Postfix
# processes cannot reach /etc/ssl on the host. Only the chroot copy
# notifies a Postfix restart.
- name: Deploy the LDAP TLS truststore in default location
  ansible.builtin.copy:
    dest: '/etc/ssl/certs/mail_ldap_tls_truststore.pem'
    content: '{{ mail_ldap_tls_truststore }}'
    owner: root
    group: root
    mode: '0644'

- name: Deploy the LDAP TLS truststore in Postfix chroot
  ansible.builtin.copy:
    dest: '/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem'
    content: '{{ mail_ldap_tls_truststore }}'
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart Postfix

# /etc/mailname is set from inventory_hostname (note: the TLS file names
# above use ansible_fqdn instead).
- name: Configure visible mail name of the system
  ansible.builtin.copy:
    dest: '/etc/mailname'
    content: '{{ inventory_hostname }}'
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart Postfix

# Postfix LDAP lookup tables are root:postfix 0640 rather than
# world-readable — presumably because the templates carry LDAP bind
# credentials (see the .cf.j2 templates). main.cf stays 0644.
- name: Deploy Postfix configurations files for LDAP look-ups
  ansible.builtin.template:
    dest: '/etc/postfix/{{ item }}.cf'
    src: '{{ item }}.cf.j2'
    owner: root
    group: postfix
    mode: '0640'
  notify:
    - Restart Postfix
  with_items:
    - ldap-virtual-alias-maps
    - ldap-virtual-mailbox-domains
    - ldap-virtual-mailbox-maps

- name: Deploy Postfix main configuration
  ansible.builtin.template:
    dest: '/etc/postfix/main.cf'
    src: 'main.cf.j2'
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart Postfix

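# Local aliases are managed one key at a time. The key is interpolated into
# the match regexp, so it is regex-escaped, and the match is anchored on the
# trailing colon so that a key such as "root" no longer also matches (and
# rewrites) a "rootadmin:" line.
- name: Set-up local mail aliases
  ansible.builtin.lineinfile:
    dest: "/etc/aliases"
    line: "{{ item.key }}: {{ item.value }}"
    regexp: "^{{ item.key | regex_escape }}:"
    state: present
  with_dict: "{{ local_mail_aliases }}"
  notify:
    - Rebuild mail aliases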

# Dedicated mail owner account and group. uid/gid are optional: `omit`
# lets the system allocate them when the variables are unset.
# NOTE(review): no shell, password or system attribute is set, so the
# account gets whatever useradd's default shell is — confirm a login shell
# is intended for this service account.
- name: Create mail owner group
  ansible.builtin.group:
    state: present
    gid: '{{ mail_user_gid | default(omit) }}'
    name: '{{ mail_user }}'

- name: Create mail owner user
  ansible.builtin.user:
    state: present
    uid: '{{ mail_user_uid | default(omit) }}'
    name: '{{ mail_user }}'
    group: '{{ mail_user }}'
    home: '/var/{{ mail_user }}'

# Dovecot: drop the stock system-auth include so only the backend
# configured by the templates below is used. The LDAP file is 0600
# (root-only), presumably because it carries a bind password.
- name: Disable Dovecot system authentication
  ansible.builtin.lineinfile:
    state: absent
    dest: '/etc/dovecot/conf.d/10-auth.conf'
    line: '!include auth-system.conf.ext'
  notify:
    - Restart Dovecot

- name: Deploy Dovecot configuration file with overrides
  ansible.builtin.template:
    dest: '/etc/dovecot/conf.d/99-local.conf'
    src: '99-local.conf.j2'
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart Dovecot

- name: Deploy Dovecot configuration file for LDAP look-ups
  ansible.builtin.template:
    dest: '/etc/dovecot/dovecot-ldap.conf.ext'
    src: 'dovecot-ldap.conf.ext.j2'
    owner: root
    group: root
    mode: '0600'
  notify:
    - Restart Dovecot

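# Postfix master.cf from template; any change restarts Postfix.
# (Task name typo "Postifx" corrected.)
- name: Deploy Postfix master process configuration
  ansible.builtin.template:
    src: "master.cf.j2"
    dest: "/etc/postfix/master.cf"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Postfix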

# freshclam is brought up first. The play then stats the .cld database
# files and, for each one that is missing, waits up to 10 minutes for the
# freshly downloaded .cvd counterpart to appear, so clamd has a database
# to load when it is started below.
- name: Enable and start ClamAV database update service (freshclam)
  ansible.builtin.service:
    enabled: true
    state: started
    name: clamav-freshclam

- name: Check availability of ClamAV database files
  ansible.builtin.stat:
    path: '{{ item }}'
  register: clamav_db_files
  with_items:
    - /var/lib/clamav/bytecode.cld
    - /var/lib/clamav/daily.cld
    - /var/lib/clamav/main.cld

- name: Wait for ClamAV database to be available (up to 10 minutes)
  ansible.builtin.wait_for:
    timeout: 600
    path: "{{ item.item | replace('.cld', '.cvd') }}"
  with_items: '{{ clamav_db_files.results }}'
  when: not item.stat.exists

# Start clamd and the milter, then block until clamd's control socket
# exists (loading the database files can take a while).
- name: Enable and start ClamAV daemon and milter services
  ansible.builtin.service:
    enabled: true
    state: started
    name: '{{ item }}'
  with_items:
    - clamav-daemon
    - clamav-milter

- name: Wait for ClamAV to become available (up to 5 minutes)
  ansible.builtin.wait_for:
    timeout: 300
    path: '/var/run/clamav/clamd.ctl'

# Mail services are started only after ClamAV is reachable.
- name: Enable and start Postfix service
  ansible.builtin.service:
    enabled: true
    state: started
    name: postfix

- name: Enable and start Dovecot service
  ansible.builtin.service:
    enabled: true
    state: started
    name: dovecot

# ferm rules for the mail ports, shipped as a static file with the role;
# any change reloads the firewall via its handler.
- name: Deploy firewall configuration for mail server
  ansible.builtin.copy:
    dest: '/etc/ferm/conf.d/20-mail.conf'
    src: 'ferm_mail.conf'
    owner: root
    group: root
    mode: '0640'
  notify:
    - Restart ferm

# Optional pass that runs every handler unconditionally; opt in by setting
# run_handlers to a truthy value. The task is tagged "handlers".
- name: Explicitly run all handlers
  tags:
    - handlers
  when: run_handlers | default(False) | bool
  ansible.builtin.include_tasks: ../handlers/main.yml