---

# Base packages for the mail stack: MTA (postfix), IMAP/sieve (dovecot),
# list manager (mailman), and the spam/virus filtering chain (amavis,
# spamassassin, pyzor, razor, postgrey, SPF policy daemon). apt defaults to
# state=present, so already-installed packages are left untouched.
- name: Install packages
  apt:
    name: "{{ item }}"
  with_items:
  - amavisd-new
  - bsd-mailx
  - dovecot-core
  - dovecot-imapd
  - dovecot-ldap
  - dovecot-managesieved
  - dovecot-sieve
  - fcgiwrap
  - mailman
  - postfix
  - postfix-ldap
  - postfix-policyd-spf-python
  - postgrey
  - pyzor
  - razor
  - spamassassin

# Dedicated, non-login account that owns the virtual mailboxes under
# /var/vmail. uid/gid are pinned to 500 so ownership stays stable across hosts.
- name: Create vmail group
  group:
    name: vmail
    gid: 500
    state: present

- name: Create vmail user
  user:
    name: vmail
    group: vmail
    uid: 500
    createhome: true
    home: /var/vmail
    shell: /bin/false
    state: present

# Drop-in config for the amavis content filter; each item is rendered from
# templates/<item>.j2 into /etc/<item>. The "Restart amavis" handler is
# defined elsewhere in the role.
- name: Configure amavis
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
  with_items:
  - amavis/conf.d/15-content_filter_mode
  - amavis/conf.d/50-user
  notify: Restart amavis

# Dovecot: TLS material directory, log directory, LDAP/local config and a
# bootstrap self-signed certificate. The "Restart dovecot" handler is defined
# elsewhere in the role.
- name: Create dovecot ssl directory
  file:
    path: /etc/dovecot/ssl
    state: directory
    mode: "0750"
    owner: dovecot
    group: dovecot

- name: Create dovecot log directory
  file:
    path: /var/log/dovecot
    state: directory
    mode: "0750"
    owner: vmail
    group: vmail

- name: Configure dovecot
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
  with_items:
  - dovecot/dovecot-ldap.conf.ext
  - dovecot/local.conf
  notify: Restart dovecot

- name: Configure logrotate for dovecot
  copy:
    src: logrotate.d/dovecot
    dest: /etc/logrotate.d/dovecot

# Self-signed 2-year bootstrap certificate, generated only once: "creates"
# skips the task while the .crt exists, so it is not renewed when it expires
# (presumably acertmgr, configured later in this file, takes over — confirm).
- name: Ensure dovecot certificates are available
  command: >-
    openssl req -x509 -nodes -newkey rsa:2048
    -keyout /etc/dovecot/ssl/{{ mail_server }}.key
    -out /etc/dovecot/ssl/{{ mail_server }}.crt
    -days 730 -subj "/CN={{ mail_server }}"
  args:
    creates: "/etc/dovecot/ssl/{{ mail_server }}.crt"
  notify: Restart dovecot

# Private key readable by its owner only. NOTE(review): the key is owned by
# the dovecot service user rather than root — confirm that matches how this
# dovecot build loads ssl_key (root-owned 0600 is the conservative choice).
- name: Ensure correct dovecot certificate permissions
  file:
    path: "/etc/dovecot/ssl/{{ mail_server }}.key"
    owner: dovecot
    mode: "0400"
  notify: Restart dovecot

# Mailman list manager: Python config, nginx vhost (served via fcgiwrap) and
# a bootstrap self-signed certificate for the list domain. Handlers
# ("Restart postfix", "Restart nginx") are defined elsewhere in the role.
# NOTE(review): a change to mm_cfg.py notifies postfix, not mailman itself —
# confirm this is intended (e.g. because mm_cfg.py drives Postfix map
# generation) and that no mailman restart is needed.
- name: Configure mailman
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
  with_items:
  - mailman/mm_cfg.py
  notify: Restart postfix

- name: Configure mailman vhost
  template:
    src: nginx/vhost.j2
    dest: /etc/nginx/sites-available/mailman
  notify: Restart nginx

- name: Enable mailman vhost
  file:
    src: /etc/nginx/sites-available/mailman
    dest: /etc/nginx/sites-enabled/mailman
    state: link
  notify: Restart nginx

# Self-signed 2-year bootstrap certificate, generated only once ("creates").
# Unlike the dovecot and postfix sections, nothing in this file creates
# /etc/nginx/ssl — presumably the nginx role does; confirm, or openssl fails
# on a fresh host.
- name: Ensure mailman certificates are available
  command: >-
    openssl req -x509 -nodes -newkey rsa:2048
    -keyout /etc/nginx/ssl/{{ mailman_domain }}.key
    -out /etc/nginx/ssl/{{ mailman_domain }}.crt
    -days 730 -subj "/CN={{ mailman_domain }}"
  args:
    creates: "/etc/nginx/ssl/{{ mailman_domain }}.crt"
  notify: Restart nginx

# Private key root-owned and readable by root only (nginx's master process
# reads it before spawning workers).
- name: Ensure correct mailman certificate permissions
  file:
    path: "/etc/nginx/ssl/{{ mailman_domain }}.key"
    owner: root
    mode: "0400"
  notify: Restart nginx

# SPF policy daemon config consumed by postfix via check_policy_service.
- name: Configure policyd
  copy:
    src: "{{ item }}"
    dest: "/etc/{{ item }}"
  with_items:
  - postfix-policyd-spf-python/policyd-spf.conf

# Postfix: TLS directory, main/master config, lookup maps, chroot CA bundle
# and a bootstrap self-signed certificate. Handlers ("Restart postfix",
# "Run postmap") are defined elsewhere in the role.
- name: Create postfix ssl directory
  file:
    path: /etc/postfix/ssl
    state: directory
    mode: "0750"
    owner: postfix
    group: postfix

- name: Configure postfix
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
  with_items:
  - postfix/main.cf
  - postfix/master.cf
  notify: Restart postfix

# Map sources; the handler rebuilds the .db files so changes take effect.
- name: Configure postfix maps
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
  with_items:
  - postfix/helo_access
  - postfix/ldap-aliases.cf
  - postfix/ldap-virtual-maps.cf
  - postfix/recipient_access
  - postfix/transport
  - postfix/virtual-alias
  notify: Run postmap

# Chrooted smtp clients cannot see /etc/ssl, so the system CA bundle is
# mirrored into the chroot; copy is checksum-based, so this re-syncs whenever
# the system bundle changes.
- name: Ensure postfix chroot has an up2date ca-certificates.crt file
  copy:
    remote_src: true
    src: /etc/ssl/certs/ca-certificates.crt
    dest: /var/spool/postfix/etc/ssl/certs/ca-certificates.crt

# Self-signed 2-year bootstrap certificate, generated only once ("creates");
# not renewed on expiry (presumably acertmgr takes over — confirm).
- name: Ensure postfix certificates are available
  command: >-
    openssl req -x509 -nodes -newkey rsa:2048
    -keyout /etc/postfix/ssl/{{ mail_server }}.key
    -out /etc/postfix/ssl/{{ mail_server }}.crt
    -days 730 -subj "/CN={{ mail_server }}"
  args:
    creates: "/etc/postfix/ssl/{{ mail_server }}.crt"
  notify: Restart postfix

# Private key readable by its owner only. NOTE(review): owned by the postfix
# service user rather than root — the Postfix TLS docs lean towards a
# root-owned key; confirm which the local setup needs.
- name: Ensure correct postfix certificate permissions
  file:
    path: "/etc/postfix/ssl/{{ mail_server }}.key"
    owner: postfix
    mode: "0400"
  notify: Restart postfix

# Razor identity for amavis, created as the amavis user in its home so the
# filter can read it. Both steps are one-shot via "creates".
- name: Create razor directory structure
  command: razor-admin -create
  args:
    chdir: /var/lib/amavis
    creates: /var/lib/amavis/.razor
  become: true
  become_user: amavis

- name: Register razor
  command: razor-admin -register
  args:
    chdir: /var/lib/amavis
    creates: /var/lib/amavis/.razor/identity
  become: true
  become_user: amavis

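# Sought ruleset signing key. It becomes the trust root that sa-update (run
# from root's crontab below) uses to accept rule updates, yet it is fetched
# over plain HTTP with nothing binding the download to a known-good key.
# Pin the digest so a tampered or substituted download fails this task
# instead of being imported. `sought_gpg_key_sha256` must be defined in the
# role/group vars with the digest obtained out-of-band, in the form
# "sha256:<64 hex chars>" (placeholder — the real value is not in this file).
- name: Download GPG key for Sought ruleset
  get_url:
    url: http://yerp.org/rules/GPG.KEY
    dest: /etc/spamassassin/sought.key
    checksum: "{{ sought_gpg_key_sha256 }}"

# One-shot import into the sa-update keyring, as the spamd user; the marker
# file makes it idempotent ("creates" is relative to chdir).
- name: Import GPG key for Sought ruleset
  become: true
  become_user: debian-spamd
  shell: >-
    sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys
    --import /etc/spamassassin/sought.key
    && touch sought.imported
  args:
    chdir: /var/lib/spamassassin
    creates: sought.imported

# Rule updates every 6 hours. No "user" is given, so the entry lands in
# root's crontab while the key above was imported as debian-spamd — confirm
# root can read that gpghomedir. 6C6191E3 is a short (32-bit) key id as
# given in the original; verify it against the full fingerprint out-of-band.
- name: Enable sa-update cron-job
  cron:
    name: sa-update
    minute: "0"
    hour: "*/6"
    job: >-
      /usr/bin/sa-update -v
      --gpghomedir /var/lib/spamassassin/sa-update-keys
      --gpgkey 6C6191E3
      --channel sought.rules.yerp.org
      --channel updates.spamassassin.org

# /etc/default/spamassassin enables the spamd service and its daily cron.
- name: Enable spamd cron-job
  copy:
    src: "{{ item }}"
    dest: "/etc/{{ item }}"
  with_items:
  - default/spamassassin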

# acertmgr configs for the mail host and the list domain; the "Run acertmgr"
# handler (defined elsewhere) issues the real certificates, presumably
# replacing the self-signed bootstrap ones created above — confirm.
- name: Configure certificate manager
  template:
    src: certs.j2
    dest: "/etc/acertmgr/{{ mail_server }}_mail.conf"
  notify: Run acertmgr

- name: Configure certificate manager for mailman
  template:
    src: mailman/certs.j2
    dest: "/etc/acertmgr/{{ mailman_domain }}_mailman.conf"
  notify: Run acertmgr

# Start the daemons now and enable them at boot. Tagged "mail" so the
# service state can be (re)applied on its own.
- name: Start amavis
  service:
    name: amavis
    state: started
    enabled: true
  tags:
  - mail

- name: Start dovecot
  service:
    name: dovecot
    state: started
    enabled: true
  tags:
  - mail

- name: Start fcgiwrap
  service:
    name: fcgiwrap
    state: started
    enabled: true
  tags:
  - mail

- name: Start postfix
  service:
    name: postfix
    state: started
    enabled: true
  tags:
  - mail

- name: Start postgrey
  service:
    name: postgrey
    state: started
    enabled: true
  tags:
  - mail