Fix mail-related certificate handling.
This commit is contained in:
parent
4b22d48931
commit
157577dfcb
@ -8,6 +8,7 @@ ldap_binddn: cn=Services,ou=Roles,dc=binary-kitchen,dc=de
|
||||
ldap_bindpw: svcpwd
|
||||
|
||||
mail_domain: binary-kitchen.de
|
||||
mail_server: mail.binary-kitchen.de
|
||||
mailman_domain: lists.binary-kitchen.de
|
||||
|
||||
nslcd_base_group: ou=Groups,dc=binary-kitchen,dc=de
|
||||
|
@ -100,10 +100,40 @@
|
||||
notify: Run postmap
|
||||
tags: mail
|
||||
|
||||
- name: Ensure postfix certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
|
||||
notify: Restart postfix
|
||||
tags: mail
|
||||
|
||||
- name: Ensure correct postfix certificate permissions
|
||||
file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=root mode=0400
|
||||
notify: Restart postfix
|
||||
tags: mail
|
||||
|
||||
- name: Ensure dovecot certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/dovecot/ssl/{{ mail_server }}.key -out /etc/dovecot/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/dovecot/ssl/{{ mail_server }}.crt
|
||||
notify: Restart dovecot
|
||||
tags: mail
|
||||
|
||||
- name: Ensure correct dovecot certificate permissions
|
||||
file: path=/etc/dovecot/ssl/{{ mail_server }}.key owner=root mode=0400
|
||||
notify: Restart dovecot
|
||||
tags: mail
|
||||
|
||||
- name: Configure certificate manager
|
||||
template: src=certs.j2 dest=/etc/acme/domains.d/{{ ansible_fqdn }}_mail.conf
|
||||
tags: mail
|
||||
|
||||
- name: Ensure mailman certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ mailman_domain }}.key -out /etc/nginx/ssl/{{ mailman_domain }}.crt -days 730 -subj "/CN={{ mailman_domain }}" creates=/etc/nginx/ssl/{{ mailman_domain }}.crt
|
||||
notify: Restart nginx
|
||||
tags: mail
|
||||
|
||||
- name: Ensure correct mailman certificate permissions
|
||||
file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
|
||||
notify: Restart nginx
|
||||
tags: mail
|
||||
|
||||
- name: Configure certificate manager for mailman
|
||||
template: src=mailman/certs.j2 dest=/etc/acme/domains.d/{{ mailman_domain }}_mailman.conf
|
||||
tags: mail
|
||||
|
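Review bot: The two `file:` tasks that pin the `.key` files to `owner=root mode=0400` disagree with the ACME deployer config in the certs.j2 hunk of this same commit, which installs `/etc/postfix/ssl/{{ mail_server }}.key` as `user: postfix` and `/etc/dovecot/ssl/{{ mail_server }}.key` as `user: dovecot`, both with `perm: '400'`. Once the deployer has written the real key, the next play flips ownership back to root, reports a change and fires `Restart postfix` / `Restart dovecot`, and the next renewal flips it again, so the two managers fight over the file. Pick one owner and use it in both places; if the service-user ownership in certs.j2 is the intended end state, the task becomes `file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=postfix group=postfix mode=0400`, with the dovecot task adjusted the same way. The `openssl req` tasks are only a bootstrap guarded by `creates=`, which is worth stating above each one as `# bootstrap self-signed cert; replaced by the ACME deployer configured below`. Whether the same ownership conflict exists for the mailman key depends on `mailman/certs.j2`, which is not part of this view.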
@ -1,25 +1,25 @@
|
||||
---
|
||||
|
||||
{{ ansible_fqdn }}:
|
||||
- path: /etc/postfix/ssl/{{ ansible_fqdn }}.crt
|
||||
{{ mail_server }}:
|
||||
- path: /etc/postfix/ssl/{{ mail_server }}.crt
|
||||
user: postfix
|
||||
group: postfix
|
||||
perm: '400'
|
||||
format: crt
|
||||
notify: 'service postfix reload'
|
||||
- path: /etc/postfix/ssl/{{ ansible_fqdn }}.key
|
||||
- path: /etc/postfix/ssl/{{ mail_server }}.key
|
||||
user: postfix
|
||||
group: postfix
|
||||
perm: '400'
|
||||
format: key
|
||||
notify: 'service postfix reload'
|
||||
- path: /etc/dovecot/ssl/{{ ansible_fqdn }}.crt
|
||||
- path: /etc/dovecot/ssl/{{ mail_server }}.crt
|
||||
user: dovecot
|
||||
group: dovecot
|
||||
perm: '400'
|
||||
format: crt
|
||||
notify: 'service dovecot reload'
|
||||
- path: /etc/dovecot/ssl/{{ ansible_fqdn }}.key
|
||||
- path: /etc/dovecot/ssl/{{ mail_server }}.key
|
||||
user: dovecot
|
||||
group: dovecot
|
||||
perm: '400'
|
||||
|
@ -16,8 +16,8 @@ mail_uid = vmail
|
||||
mail_gid = vmail
|
||||
|
||||
ssl = yes
|
||||
ssl_cert = </etc/dovecot/ssl/{{ ansible_fqdn }}.crt
|
||||
ssl_key = </etc/dovecot/ssl/{{ ansible_fqdn }}.key
|
||||
ssl_cert = </etc/dovecot/ssl/{{ mail_server }}.crt
|
||||
ssl_key = </etc/dovecot/ssl/{{ mail_server }}.key
|
||||
#ssl_ca = TODO
|
||||
ssl_protocols = !SSLv2 !SSLv3
|
||||
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
||||
|
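Review bot: The new `ssl_cert = </etc/dovecot/ssl/{{ mail_server }}.crt` (and `smtpd_tls_cert_file` in the postfix hunk below) will be served as the end-entity certificate, so once the ACME deployer replaces the self-signed bootstrap file it needs to carry the full chain; the certs.j2 entry for this path uses `format: crt`, and nothing on this page shows whether that format includes the intermediate, so if it is the leaf only, clients may fail chain validation even though the bootstrap cert appeared to work. Confirm what the deployer writes for `format: crt`, or use a chain-including format if the tool provides one. A comment on the two new lines such as `# self-signed until the ACME deployer (/etc/acme/domains.d) replaces it` would make the bootstrap/real-cert split obvious to the next reader.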
@ -30,8 +30,8 @@ relayhost =
|
||||
smtp_use_tls = yes
|
||||
smtp_tls_loglevel = 2
|
||||
|
||||
smtpd_tls_cert_file=/etc/postfix/ssl/{{ ansible_fqdn }}.crt
|
||||
smtpd_tls_key_file=/etc/postfix/ssl/{{ ansible_fqdn }}.key
|
||||
smtpd_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
|
||||
smtpd_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
|
||||
#smtpd_tls_CAfile=TODO
|
||||
smtpd_use_tls=yes
|
||||
|
||||
|
@ -13,12 +13,12 @@
|
||||
tags: nginx
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn}}.key -out /etc/nginx/ssl/{{ ansible_fqdn}}.crt -days 730 -subj "/CN={{ ansible_fqdn}}" creates=/etc/nginx/ssl/{{ ansible_fqdn}}.crt
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
|
||||
notify: Restart nginx
|
||||
tags: nginx
|
||||
|
||||
- name: Ensure correct certificate permissions
|
||||
file: path=/etc/nginx/ssl/{{ ansible_fqdn}}.key owner=root mode=0400
|
||||
file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key owner=root mode=0400
|
||||
notify: Restart nginx
|
||||
tags: nginx
|
||||
|
||||
|