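---
# Mail stack provisioning (dovecot, postfix, rspamd, postsrsd, mailman/mailman3).
# Tasks are written with native block-YAML module arguments rather than
# `key=value` strings, and the `Start postsrsd` task now targets the postsrsd
# service (it previously restarted postfix a second time and never enabled
# postsrsd).

- name: add rspamd apt key
  # The key is fetched over HTTPS but not pinned. Adding `id:` with the
  # fingerprint published by the rspamd project would make the import fail
  # closed if the served key ever changes. Fingerprint intentionally not
  # included here; take it from the project's documentation.
  apt_key:
    url: "https://rspamd.com/apt-stable/gpg.key"

- name: add rspamd repository
  # Packages are signature-verified by apt against the key above, so the
  # plain-http repository URL does not by itself weaken integrity.
  apt_repository:
    repo: "deb http://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main"

- name: Install packages
  # Passing the whole list to apt installs everything in one transaction
  # instead of one apt invocation per package.
  apt:
    name:
      - bsd-mailx
      - dovecot-core
      - dovecot-imapd
      - dovecot-lmtpd
      - dovecot-ldap
      - dovecot-managesieved
      - dovecot-sieve
      - fcgiwrap
      - mailman
      - mailman3-full
      - python-psycopg2
      - python3-psycopg2
      - postgresql
      - postfix
      - redis-server
      - redis-tools
      - rspamd
      - postsrsd

- name: Create vmail group
  group:
    name: vmail
    gid: 500
    state: present

- name: Create vmail user
  # Nologin shell: the vmail account only owns mailboxes and sieve scripts.
  user:
    name: vmail
    group: vmail
    uid: 500
    create_home: true
    home: /var/vmail
    shell: /bin/false
    state: present

- name: Create dovecot ssl directory
  file:
    path: /etc/dovecot/ssl
    state: directory
    mode: "0750"
    owner: dovecot
    group: dovecot

- name: Create dovecot log directory
  file:
    path: /var/log/dovecot
    state: directory
    mode: "0750"
    owner: vmail
    group: vmail

- name: Create vmail sieve directory
  file:
    path: /var/vmail/.sieve
    state: directory
    mode: "0750"
    owner: vmail
    group: vmail

- name: Create vmail sieve-bin directory
  file:
    path: /var/vmail/.sieve/bin
    state: directory
    mode: "0750"
    owner: vmail
    group: vmail

- name: Configure redis
  copy:
    src: redis.conf
    dest: /etc/redis/redis.conf
  notify: Restart redis

- name: Copy static rspamd config
  copy:
    src: "{{ item }}"
    dest: /etc/rspamd/local.d/
  notify: Restart rspamd
  with_fileglob: "rspamd/local.d/*"

- name: Render rspamd config templates
  template:
    src: "rspamd/local.d/{{ item }}.j2"
    dest: "/etc/rspamd/local.d/{{ item }}"
  notify: Restart rspamd
  loop:
    - options.inc
    - settings.conf
    - arc.conf
    - dkim_signing.conf

- name: Copy spam learn/unlearn sieve and shell scripts
  copy:
    src: "dovecot/{{ item }}"
    dest: "/var/vmail/.sieve/{{ item }}"
  loop:
    - bin/learn-spam.sh
    - bin/learn-ham.sh
    - move-spam.sieve
    - report-spam.sieve
    - report-ham.sieve

- name: Configure dovecot
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
  loop:
    - dovecot/dovecot-ldap.conf.ext
    - dovecot/dovecot-ldap.conf.lmtp
    - dovecot/local.conf
  notify: Restart dovecot

- name: Compile sieve scripts
  # `command` instead of `shell`: no shell features are used, so the loop
  # value is never interpreted by /bin/sh. The items are already bare file
  # names, so the former `basename` filter was a no-op.
  command: "sievec /var/vmail/.sieve/{{ item }}"
  loop:
    - move-spam.sieve
    - report-spam.sieve
    - report-ham.sieve

- name: Ensure learn scripts are executable
  file:
    mode: "0750"
    path: "/var/vmail/.sieve/bin/{{ item }}"
  loop:
    - learn-spam.sh
    - learn-ham.sh

- name: Configure logrotate for dovecot
  copy:
    src: logrotate.d/dovecot
    dest: /etc/logrotate.d/dovecot

- name: Ensure dovecot certificates are available
  # Bootstraps a self-signed certificate so dovecot can start; the acertmgr
  # tasks further down are expected to replace it. `creates` keeps this
  # idempotent.
  command: >-
    openssl req -x509 -nodes -newkey rsa:2048
    -keyout /etc/dovecot/ssl/{{ mail_server }}.key
    -out /etc/dovecot/ssl/{{ mail_server }}.crt
    -days 730 -subj "/CN={{ mail_server }}"
  args:
    creates: "/etc/dovecot/ssl/{{ mail_server }}.crt"
  notify: Restart dovecot

- name: Ensure correct dovecot certificate permissions
  file:
    path: "/etc/dovecot/ssl/{{ mail_server }}.key"
    owner: dovecot
    mode: "0400"
  notify: Restart dovecot

- name: Configure mailman
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
  loop:
    - mailman/mm_cfg.py
  notify: Restart postfix

- name: Configure mailman vhost
  template:
    src: nginx/vhost.j2
    dest: /etc/nginx/sites-available/mailman
  notify: Restart nginx

- name: Enable mailman vhost
  file:
    src: /etc/nginx/sites-available/mailman
    dest: /etc/nginx/sites-enabled/mailman
    state: link
  notify: Restart nginx

- name: Ensure mailman certificates are available
  # Same self-signed bootstrap as for dovecot, for the nginx vhost.
  command: >-
    openssl req -x509 -nodes -newkey rsa:2048
    -keyout /etc/nginx/ssl/{{ mailman_domain }}.key
    -out /etc/nginx/ssl/{{ mailman_domain }}.crt
    -days 730 -subj "/CN={{ mailman_domain }}"
  args:
    creates: "/etc/nginx/ssl/{{ mailman_domain }}.crt"
  notify: Restart nginx

- name: Ensure correct mailman certificate permissions
  file:
    path: "/etc/nginx/ssl/{{ mailman_domain }}.key"
    owner: root
    mode: "0400"
  notify: Restart nginx

- name: Configure PostgreSQL database
  postgresql_db:
    name: "{{ mailman3_dbname }}"
  become: true
  become_user: postgres

- name: Configure PostgreSQL user
  # no_log keeps the database password out of task output and logs.
  postgresql_user:
    db: "{{ mailman3_dbname }}"
    name: "{{ mailman3_dbuser }}"
    password: "{{ mailman3_dbpass }}"
    priv: ALL
    state: present
  become: true
  become_user: postgres
  no_log: true

- name: Configure mailman3
  template:
    src: mailman/mailman.cfg.j2
    dest: /etc/mailman3/mailman.cfg
  notify: Restart mailman3

- name: Create postfix ssl directory
  file:
    path: /etc/postfix/ssl
    state: directory
    mode: "0750"
    owner: postfix
    group: postfix

- name: Configure postfix
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
  loop:
    - postfix/main.cf
    - postfix/master.cf
  notify: Restart postfix

- name: Configure postsrsd
  # postsrsd.secret holds the SRS signing secret; the rendered file keeps
  # whatever mode the template module applies by default, so confirm it is
  # not world-readable on the target.
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
  loop:
    - default/postsrsd
    - postsrsd.secret
  notify: Restart postsrsd

- name: Configure postfix maps
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
  loop:
    - postfix/helo_access
    - postfix/transport
    - postfix/virtual-alias
  notify: Run postmap

- name: Ensure postfix chroot has an up2date ca-certificates.crt file
  copy:
    remote_src: true
    src: /etc/ssl/certs/ca-certificates.crt
    dest: /var/spool/postfix/etc/ssl/certs/ca-certificates.crt

- name: Ensure postfix certificates are available
  command: >-
    openssl req -x509 -nodes -newkey rsa:2048
    -keyout /etc/postfix/ssl/{{ mail_server }}.key
    -out /etc/postfix/ssl/{{ mail_server }}.crt
    -days 730 -subj "/CN={{ mail_server }}"
  args:
    creates: "/etc/postfix/ssl/{{ mail_server }}.crt"
  notify: Restart postfix

- name: Ensure correct postfix certificate permissions
  file:
    path: "/etc/postfix/ssl/{{ mail_server }}.key"
    owner: postfix
    mode: "0400"
  notify: Restart postfix

- name: Configure certificate manager
  template:
    src: certs.j2
    dest: "/etc/acertmgr/{{ mail_server }}_mail.conf"
  notify: Run acertmgr

- name: Configure certificate manager for mailman
  template:
    src: mailman/certs.j2
    dest: "/etc/acertmgr/{{ mailman_domain }}_mailman.conf"
  notify: Run acertmgr

- name: Start dovecot
  service:
    name: dovecot
    state: started
    enabled: true

- name: Start fcgiwrap
  service:
    name: fcgiwrap
    state: started
    enabled: true

- name: Start postfix
  service:
    name: postfix
    state: started
    enabled: true

- name: Start postsrsd
  # Fixed: this task previously pointed at the postfix service, so postsrsd
  # was never started or enabled by the play.
  service:
    name: postsrsd
    state: started
    enabled: true

- name: Start redis
  service:
    name: redis-server
    state: started
    enabled: true

- name: Start rspamd
  service:
    name: rspamd
    state: started
    enabled: true

- name: Start mailman3
  service:
    name: mailman3
    state: started
    enabled: true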