1
0
forked from infra/ansible
infra/roles/mail/tasks/main.yml
2020-02-29 20:51:28 +01:00

208 lines
6.3 KiB
YAML

---
- name: add rspamd apt key
apt_key: url="https://rspamd.com/apt-stable/gpg.key"
- name: add rspamd repository
apt_repository: repo="deb http://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main"
- name: Install packages
apt: name={{ item }}
loop:
- bsd-mailx
- dovecot-core
- dovecot-imapd
- dovecot-lmtpd
- dovecot-ldap
- dovecot-managesieved
- dovecot-sieve
- fcgiwrap
- mailman
- mailman3-full
- python-psycopg2
- python3-psycopg2
- postgresql
- postfix
- redis-server
- redis-tools
- rspamd
- postsrsd
- name: Create vmail group
group: name=vmail gid=500 state=present
- name: Create vmail user
user: name=vmail group=vmail uid=500 createhome=yes home=/var/vmail shell=/bin/false state=present
- name: Create dovecot ssl directory
file: path=/etc/dovecot/ssl state=directory mode=0750 owner=dovecot group=dovecot
- name: Create dovecot log directory
file: path=/var/log/dovecot state=directory mode=0750 owner=vmail group=vmail
- name: Create vmail sieve directory
file: path=/var/vmail/.sieve state=directory mode=0750 owner=vmail group=vmail
- name: Create vmail sieve-bin directory
file: path=/var/vmail/.sieve/bin state=directory mode=0750 owner=vmail group=vmail
- name: Configure redis
copy: src=redis.conf dest=/etc/redis/redis.conf
notify: Restart redis
- name: Copy static rspamd config
copy: src={{ item }} dest=/etc/rspamd/local.d/
notify: Restart rspamd
with_fileglob: "rspamd/local.d/*"
- name: Render rspamd config templates
template: src=rspamd/local.d/{{ item }}.j2 dest=/etc/rspamd/local.d/{{ item }}
notify: Restart rspamd
loop:
- options.inc
- settings.conf
- arc.conf
- dkim_signing.conf
- name: Copy spam learn/unlearn sieve and shell scripts
copy: src=dovecot/{{ item }} dest=/var/vmail/.sieve/{{ item }}
loop:
- bin/learn-spam.sh
- bin/learn-ham.sh
- move-spam.sieve
- report-spam.sieve
- report-ham.sieve
- name: Configure dovecot
template: src={{ item }}.j2 dest=/etc/{{ item }}
loop:
- dovecot/dovecot-ldap.conf.ext
- dovecot/dovecot-ldap.conf.lmtp
- dovecot/local.conf
notify: Restart dovecot
- name: Compile sieve scripts
shell: sievec /var/vmail/.sieve/{{ item|basename }}
loop:
- move-spam.sieve
- report-spam.sieve
- report-ham.sieve
- name: Ensure learn scripts are executable
file: mode=0750 path=/var/vmail/.sieve/bin/{{ item }}
loop:
- learn-spam.sh
- learn-ham.sh
- name: Configure logrotate for dovecot
copy: src=logrotate.d/dovecot dest=/etc/logrotate.d/dovecot
- name: Ensure dovecot certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/dovecot/ssl/{{ mail_server }}.key -out /etc/dovecot/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/dovecot/ssl/{{ mail_server }}.crt
notify: Restart dovecot
- name: Ensure correct dovecot certificate permissions
file: path=/etc/dovecot/ssl/{{ mail_server }}.key owner=dovecot mode=0400
notify: Restart dovecot
- name: Configure mailman
template: src={{ item }}.j2 dest=/etc/{{ item }}
loop:
- mailman/mm_cfg.py
notify: Restart postfix
- name: Configure mailman vhost
template: src=nginx/vhost.j2 dest=/etc/nginx/sites-available/mailman
notify: Restart nginx
- name: Enable mailman vhost
file: src=/etc/nginx/sites-available/mailman dest=/etc/nginx/sites-enabled/mailman state=link
notify: Restart nginx
- name: Ensure mailman certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ mailman_domain }}.key -out /etc/nginx/ssl/{{ mailman_domain }}.crt -days 730 -subj "/CN={{ mailman_domain }}" creates=/etc/nginx/ssl/{{ mailman_domain }}.crt
notify: Restart nginx
- name: Ensure correct mailman certificate permissions
file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
notify: Restart nginx
- name: Configure PostgreSQL database
postgresql_db: name={{ mailman3_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ mailman3_dbname }} name={{ mailman3_dbuser }} password={{ mailman3_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Configure mailman3
template: src=mailman/mailman.cfg.j2 dest=/etc/mailman3/mailman.cfg
notify: Restart mailman3
- name: Create postfix ssl directory
file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix
- name: Configure postfix
template: src={{ item }}.j2 dest=/etc/{{ item }}
loop:
- postfix/main.cf
- postfix/master.cf
notify: Restart postfix
- name: Configure postsrsd
template: src={{ item }}.j2 dest=/etc/{{ item }}
loop:
- default/postsrsd
- postsrsd.secret
notify: Restart postsrsd
- name: Configure postfix maps
template: src={{ item }}.j2 dest=/etc/{{ item }}
loop:
- postfix/helo_access
- postfix/transport
- postfix/virtual-alias
notify: Run postmap
- name: Ensure postfix chroot has an up2date ca-certificates.crt file
copy: remote_src=yes src=/etc/ssl/certs/ca-certificates.crt dest=/var/spool/postfix/etc/ssl/certs/ca-certificates.crt
- name: Ensure postfix certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
notify: Restart postfix
- name: Ensure correct postfix certificate permissions
file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=postfix mode=0400
notify: Restart postfix
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ mail_server }}_mail.conf
notify: Run acertmgr
- name: Configure certificate manager for mailman
template: src=mailman/certs.j2 dest=/etc/acertmgr/{{ mailman_domain }}_mailman.conf
notify: Run acertmgr
- name: Start dovecot
service: name=dovecot state=started enabled=yes
- name: Start fcgiwrap
service: name=fcgiwrap state=started enabled=yes
- name: Start postfix
service: name=postfix state=started enabled=yes
- name: Start postsrsd
service: name=postfix state=started enabled=yes
- name: Start redis
service: name=redis-server state=started enabled=yes
- name: Start rspamd
service: name=rspamd state=started enabled=yes
- name: Start mailman3
service: name=mailman3 state=started enabled=yes