Decouple the mailserver role
This commit is contained in:
parent
39aa982cbe
commit
782550346f
|
@ -1,11 +1,17 @@
|
|||
---
|
||||
mailname: mail.example.org
|
||||
mailserver_become: true
|
||||
mailserver_become_user: root
|
||||
|
||||
mailserver_mailname: mail.example.org
|
||||
|
||||
mailserver_auth_database: /etc/dovecot/authdb.sqlite
|
||||
|
||||
vmail_dir: /var/vmail
|
||||
mailserver_vmail_dir: /var/vmail
|
||||
# On Debian group "mail" has gid 8.
|
||||
vmail_gid: 8
|
||||
vmail_group: mail
|
||||
vmail_uid: 150
|
||||
vmail_user: vmail
|
||||
mailserver_vmail_gid: 8
|
||||
mailserver_vmail_group: mail
|
||||
mailserver_vmail_uid: 150
|
||||
mailserver_vmail_user: vmail
|
||||
|
||||
mailserver_tls_cert_file: "/var/lib/dehydrated/certs/{{ mailserver_mailname }}/fullchain.pem"
|
||||
mailserver_tls_key_file: "/var/lib/dehydrated/certs/{{ mailserver_mailname }}/privkey.pem"
|
||||
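Review bot: `mailserver_auth_database` is introduced here but nothing in the hunks on this page consumes it: the sqlite.yml task "ensure /etc/dovecot/authdb.sqlite is owned by dovecot" still carries the literal path in its name and its `file:` arguments lie outside the hunk, so the default should either be threaded into those tasks (and the schema import) or left out until it is. `mailserver_become` and `mailserver_become_user` now gate privilege for every task the role imports; a comment would save the next reader a trip to tasks/main.yml, e.g. `# Applied to the whole role by the block in tasks/main.yml; false assumes the connecting user can already write /etc and manage system users and services.` The Debian gid comment is useful, but `mailserver_vmail_gid` and `mailserver_vmail_group` must now describe the same group, because the templates use the number while the tasks use the name; stating that next to the two values would help whoever overrides one of them.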
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- name: install dovecot
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- dovecot-core
|
||||
- dovecot-imapd
|
||||
|
@ -10,12 +10,11 @@
|
|||
- dovecot-sqlite
|
||||
update_cache: true
|
||||
cache_valid_time: 3600
|
||||
become: true
|
||||
|
||||
- import_tasks: sqlite.yml
|
||||
|
||||
- name: disable auth-system.conf.ext and enable auth-sql.conf.ext
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/dovecot/conf.d/10-auth.conf
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
|
@ -24,24 +23,21 @@
|
|||
line: "#!include auth-system.conf.ext"
|
||||
- regexp: "^#!include auth-sql.conf.ext"
|
||||
line: "!include auth-sql.conf.ext"
|
||||
become: true
|
||||
|
||||
- name: install dovecot 10-mail.conf
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: etc/dovecot/conf.d/10-mail.conf.j2
|
||||
dest: /etc/dovecot/conf.d/10-mail.conf
|
||||
register: dovecot_10_mail_conf
|
||||
become: true
|
||||
|
||||
- name: install dovecot 10-master.conf
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: etc/dovecot/conf.d/10-master.conf.j2
|
||||
dest: /etc/dovecot/conf.d/10-master.conf
|
||||
register: dovecot_10_master_conf
|
||||
become: true
|
||||
|
||||
- name: configure 10-ssl.conf
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/dovecot/conf.d/10-ssl.conf
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
|
@ -49,46 +45,40 @@
|
|||
- regexp: "^ssl = yes"
|
||||
line: "ssl = required"
|
||||
- regexp: "^ssl_cert = "
|
||||
line: "ssl_cert = </var/lib/dehydrated/certs/{{ mailname }}/fullchain.pem"
|
||||
line: "ssl_cert = <{{ mailserver_tls_cert_file }}"
|
||||
- regexp: "^ssl_key = "
|
||||
line: "ssl_key = </var/lib/dehydrated/certs/{{ mailname }}/privkey.pem"
|
||||
become: true
|
||||
line: "ssl_key = <{{ mailserver_tls_key_file }}"
|
||||
|
||||
- name: configure 15-lda.conf
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/dovecot/conf.d/15-lda.conf
|
||||
regexp: "^ #mail_plugins ="
|
||||
line: " mail_plugins = $mail_plugins sieve"
|
||||
become: true
|
||||
|
||||
- name: configure 15-mailboxes.conf
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: etc/dovecot/conf.d/15-mailboxes.conf
|
||||
dest: /etc/dovecot/conf.d/15-mailboxes.conf
|
||||
owner: root
|
||||
group: root
|
||||
become: true
|
||||
|
||||
- name: configure 95-stats.conf
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: etc/dovecot/conf.d/95-stats.conf.j2
|
||||
dest: /etc/dovecot/conf.d/95-stats.conf
|
||||
owner: root
|
||||
group: root
|
||||
become: true
|
||||
|
||||
- name: configure dovecot-sql.conf.ext
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: etc/dovecot/dovecot-sql.conf.ext.j2
|
||||
dest: /etc/dovecot/dovecot-sql.conf.ext
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
register: dovecot_sql_conf_ext
|
||||
become: true
|
||||
|
||||
- name: reload dovecot on config
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: dovecot
|
||||
state: reloaded
|
||||
become: true
|
||||
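Review bot: The `configure 10-ssl.conf` task now takes the certificate and key paths from `mailserver_tls_cert_file` / `mailserver_tls_key_file` but registers no result, while the only registered results in this file are `dovecot_10_mail_conf`, `dovecot_10_master_conf` and `dovecot_sql_conf_ext`; the `reload dovecot on config` task closes the hunk and any `when:` it has lies past the end, so this is inferred. If the reload is gated on those three, a change of the TLS paths rewrites 10-ssl.conf but leaves the running dovecot on the old certificate and key until something else triggers a reload, and the 10-auth.conf lineinfile task has the same gap. Adding `register: dovecot_10_ssl_conf` (and `register: dovecot_10_auth_conf`) and including them in the reload condition closes it. Separately, `mode: 0600` on the dovecot-sql.conf.ext task remains an unquoted octal while sqlite.yml and vmail.yml write `mode: "0600"` and `mode: "0770"`; since the commit already rewrites that task it could normalise it to `mode: "0600"`.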
|
|
|
@ -1,6 +1,10 @@
|
|||
---
|
||||
- block:
|
||||
|
||||
- import_tasks: vmail.yml
|
||||
- import_tasks: postfix.yml
|
||||
- import_tasks: dovecot.yml
|
||||
- import_tasks: rspamd.yml
|
||||
- import_tasks: vmail.yml
|
||||
- import_tasks: postfix.yml
|
||||
- import_tasks: dovecot.yml
|
||||
- import_tasks: rspamd.yml
|
||||
|
||||
become: "{{ mailserver_become }}"
|
||||
become_user: "{{ mailserver_become_user }}"
|
||||
|
|
|
@ -1,37 +1,33 @@
|
|||
---
|
||||
|
||||
- name: install postfix
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- postfix
|
||||
- postfix-sqlite
|
||||
state: present
|
||||
update_cache: true
|
||||
cache_valid_time: 3600
|
||||
become: true
|
||||
|
||||
- name: configure mailname
|
||||
copy:
|
||||
content: "{{ mailname }}"
|
||||
ansible.builtin.copy:
|
||||
content: "{{ mailserver_mailname }}"
|
||||
dest: /etc/mailname
|
||||
become: true
|
||||
|
||||
- name: install postfix master.cf
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: etc/postfix/master.cf.j2
|
||||
dest: /etc/postfix/master.cf
|
||||
register: postfix_master_cf
|
||||
become: true
|
||||
|
||||
- name: install postfix main.cf
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: etc/postfix/main.cf.j2
|
||||
dest: /etc/postfix/main.cf
|
||||
register: postfix_main_cf
|
||||
become: true
|
||||
|
||||
- name: install configuration for virtual tables
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/{{ item }}"
|
||||
group: postfix
|
||||
|
@ -40,11 +36,9 @@
|
|||
- etc/postfix/sqlite_virtual_alias_maps.cf
|
||||
- etc/postfix/sqlite_virtual_domains_maps.cf
|
||||
- etc/postfix/sqlite_virtual_mailbox_maps.cf
|
||||
become: true
|
||||
|
||||
- name: reload postfix on config change
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: postfix
|
||||
state: reloaded
|
||||
when: postfix_master_cf.changed or postfix_main_cf.changed
|
||||
become: true
|
||||
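Review bot: The `install configuration for virtual tables` task registers no result, so the reload at the end of the hunk, gated on `when: postfix_master_cf.changed or postfix_main_cf.changed`, never fires for a change to the three sqlite map definitions; long-lived postfix processes presumably keep the table parameters they opened with, so a changed database path would not take effect until an unrelated reload. Registering the loop (`register: postfix_virtual_tables`) and extending the condition to `when: postfix_master_cf.changed or postfix_main_cf.changed or postfix_virtual_tables.changed` closes the gap. The `configure mailname` copy is unregistered too, although a changed `mailserver_mailname` also rewrites main.cf through `myhostname = {{ mailserver_mailname }}` and so reaches the reload indirectly; registering it as well would make the intent explicit rather than incidental.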
|
|
|
@ -1,16 +1,15 @@
|
|||
---
|
||||
|
||||
- name: install rspamd
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- rspamd
|
||||
- redis
|
||||
update_cache: true
|
||||
cache_valid_time: 3600
|
||||
become: true
|
||||
|
||||
- name: copy rspamd configuration files
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: etc/rspamd/local.d/{{ item }}
|
||||
dest: /etc/rspamd/local.d/{{ item }}
|
||||
loop:
|
||||
|
@ -18,10 +17,8 @@
|
|||
- classifier-bayes.conf
|
||||
- milter_headers.conf
|
||||
- redis.conf
|
||||
become: true
|
||||
|
||||
- name: reload rspamd
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: rspamd
|
||||
state: reloaded
|
||||
become: true
|
||||
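Review bot: `src: etc/rspamd/local.d/{{ item }}` and `dest: /etc/rspamd/local.d/{{ item }}` on the copy task are plain scalars with an embedded Jinja expression; they parse only because `{{` is not at the start of the value, and the rest of this commit quotes templated values (`"{{ mailserver_vmail_dir }}"`), so `src: "etc/rspamd/local.d/{{ item }}"` and `dest: "/etc/rspamd/local.d/{{ item }}"` would match the role's style. The copy task also registers nothing, and the `reload rspamd` task ends the hunk with no visible `when:`; if there is none, rspamd is reloaded and a change reported on every run, and if there is one it cannot depend on this task. Registering the loop result and gating the reload on it, as postfix.yml does with `postfix_master_cf.changed`, would make the reload idempotent.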
|
|
|
@ -7,7 +7,6 @@
|
|||
name: sqlite3
|
||||
update_cache: true
|
||||
cache_valid_time: 3600
|
||||
become: true
|
||||
|
||||
- name: import schema
|
||||
shell: |
|
||||
|
@ -43,7 +42,6 @@
|
|||
active CHAR(1) NOT NULL default 'Y'
|
||||
);
|
||||
EOF
|
||||
become: true
|
||||
|
||||
- name: ensure /etc/dovecot/authdb.sqlite is owned by dovecot
|
||||
file:
|
||||
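Review bot: The commit converts every module call in the other task files to its `ansible.builtin.` name, but `shell: |` on the schema import and `file:` on the "ensure /etc/dovecot/authdb.sqlite is owned by dovecot" task are untouched context lines here, so this file ends up inconsistent with the rest of the role (`ansible.builtin.shell: |`, `ansible.builtin.file:`). That same task still names the database by its literal path while defaults/main.yml now defines `mailserver_auth_database: /etc/dovecot/authdb.sqlite`; if the variable is meant to be the single source of truth it should be used here (`path: "{{ mailserver_auth_database }}"`, with the task name templated to match) and in the schema import, whose target path lies outside the hunk. Both tasks begin or continue outside the hunk.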
|
@ -51,4 +49,3 @@
|
|||
owner: dovecot
|
||||
group: root
|
||||
mode: "0600"
|
||||
become: true
|
||||
|
|
|
@ -1,20 +1,18 @@
|
|||
---
|
||||
|
||||
- name: ensure vmail user exists
|
||||
user:
|
||||
name: "{{ vmail_user }}"
|
||||
uid: "{{ vmail_uid }}"
|
||||
group: "{{ vmail_group }}"
|
||||
home: "{{ vmail_dir }}"
|
||||
ansible.builtin.user:
|
||||
name: "{{ mailserver_vmail_user }}"
|
||||
uid: "{{ mailserver_vmail_uid }}"
|
||||
group: "{{ mailserver_vmail_group }}"
|
||||
home: "{{ mailserver_vmail_dir }}"
|
||||
shell: /usr/sbin/nologin
|
||||
system: true
|
||||
become: true
|
||||
|
||||
- name: restrict vmail directory to vmail user and group
|
||||
file:
|
||||
path: "{{ vmail_dir }}"
|
||||
ansible.builtin.file:
|
||||
path: "{{ mailserver_vmail_dir }}"
|
||||
state: directory
|
||||
owner: "{{ vmail_user }}"
|
||||
group: "{{ vmail_group }}"
|
||||
owner: "{{ mailserver_vmail_user }}"
|
||||
group: "{{ mailserver_vmail_group }}"
|
||||
mode: "0770"
|
||||
become: true
|
||||
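Review bot: The `ensure vmail user exists` task pins the account's uid from `mailserver_vmail_uid` but sets its group only by name (`group: "{{ mailserver_vmail_group }}"`), while the templates in this commit use the number (`first_valid_gid = {{ mailserver_vmail_gid }}`, `virtual_gid_maps = static:{{ mailserver_vmail_gid }}`); nothing checks that the named group actually has that gid. With the defaults (`mail` / 8 on Debian) they agree, but overriding one without the other leaves postfix writing with one gid and the `mode: "0770"` directory owned by another, a mismatch that surfaces only as failed deliveries. A check that the named group resolves to that gid — an `ansible.builtin.assert` over `getent group` output, or an `ansible.builtin.group` task with `gid: "{{ mailserver_vmail_gid }}"` where the role is expected to own the group — would make it fail loudly. `shell: /usr/sbin/nologin` and `system: true` on the account are the right hardening and should stay.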
|
|
|
@ -29,7 +29,7 @@
|
|||
#
|
||||
# <doc/wiki/MailLocation.txt>
|
||||
#
|
||||
mail_home = {{ vmail_dir }}/%d/%n
|
||||
mail_home = {{ mailserver_vmail_dir }}/%d/%n
|
||||
mail_location = maildir:~/mail
|
||||
|
||||
# If you need to set multiple mailbox locations or want to change default
|
||||
|
@ -108,8 +108,8 @@ namespace inbox {
|
|||
# System user and group used to access mails. If you use multiple, userdb
|
||||
# can override these by returning uid or gid fields. You can use either numbers
|
||||
# or names. <doc/wiki/UserIds.txt>
|
||||
mail_uid = {{ vmail_user }}
|
||||
mail_gid = {{ vmail_group }}
|
||||
mail_uid = {{ mailserver_vmail_user }}
|
||||
mail_gid = {{ mailserver_vmail_group }}
|
||||
|
||||
# Group to enable temporarily for privileged operations. Currently this is
|
||||
# used only with INBOX when either its initial creation or dotlocking fails.
|
||||
|
@ -178,15 +178,15 @@ mail_privileged_group = mail
|
|||
# to make sure that users can't log in as daemons or other system users.
|
||||
# Note that denying root logins is hardcoded to dovecot binary and can't
|
||||
# be done even if first_valid_uid is set to 0.
|
||||
first_valid_uid = {{ vmail_uid }}
|
||||
last_valid_uid = {{ vmail_uid }}
|
||||
first_valid_uid = {{ mailserver_vmail_uid }}
|
||||
last_valid_uid = {{ mailserver_vmail_uid }}
|
||||
|
||||
# Valid GID range for users, defaults to non-root/wheel. Users having
|
||||
# non-valid GID as primary group ID aren't allowed to log in. If user
|
||||
# belongs to supplementary groups with non-valid GIDs, those groups are
|
||||
# not set.
|
||||
first_valid_gid = {{ vmail_gid }}
|
||||
last_valid_gid = {{ vmail_gid }}
|
||||
first_valid_gid = {{ mailserver_vmail_gid }}
|
||||
last_valid_gid = {{ mailserver_vmail_gid }}
|
||||
|
||||
# Maximum allowed length for mail keyword name. It's only forced when trying
|
||||
# to create new keywords.
|
||||
|
|
|
@ -101,8 +101,8 @@ service auth {
|
|||
# permissions (e.g. 0777 allows everyone full permissions).
|
||||
unix_listener auth-userdb {
|
||||
mode = 0660
|
||||
user = {{ vmail_user }}
|
||||
group = {{ vmail_group }}
|
||||
user = {{ mailserver_vmail_user }}
|
||||
group = {{ mailserver_vmail_group }}
|
||||
}
|
||||
|
||||
# Postfix smtp-auth
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
service stats {
|
||||
unix_listener stats-reader {
|
||||
user = {{ vmail_user }}
|
||||
group = {{ vmail_group }}
|
||||
user = {{ mailserver_vmail_user }}
|
||||
group = {{ mailserver_vmail_group }}
|
||||
mode = 0660
|
||||
}
|
||||
|
||||
unix_listener stats-writer {
|
||||
user = {{ vmail_user }}
|
||||
group = {{ vmail_group }}
|
||||
user = {{ mailserver_vmail_user }}
|
||||
group = {{ mailserver_vmail_group }}
|
||||
mode = 0660
|
||||
}
|
||||
}
|
||||
|
|
|
@ -130,8 +130,8 @@ password_query = \
|
|||
# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
|
||||
#
|
||||
user_query = \
|
||||
SELECT '{{ vmail_dir }}/%d/%n' as home, 'maildir:{{ vmail_dir }}/%d/%n/mail' as mail, \
|
||||
{{ vmail_uid }} AS uid, {{ vmail_gid }} AS gid \
|
||||
SELECT '{{ mailserver_vmail_dir }}/%d/%n' as home, 'maildir:{{ mailserver_vmail_dir }}/%d/%n/mail' as mail, \
|
||||
{{ mailserver_vmail_uid }} AS uid, {{ mailserver_vmail_gid }} AS gid \
|
||||
FROM mailbox WHERE username = '%u' AND active = 'Y'
|
||||
|
||||
# If you wish to avoid two SQL lookups (passdb + userdb), you can use
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Ansible managed.
|
||||
# {{ ansible_managed }}
|
||||
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
||||
|
||||
|
||||
|
@ -26,9 +26,9 @@ compatibility_level = 2
|
|||
smtp_tls_ciphers = high
|
||||
smtp_tls_protocols = !SSLv2, !SSLv3
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
smtpd_tls_cert_file=/var/lib/dehydrated/certs/{{ mailname }}/fullchain.pem
|
||||
smtpd_tls_cert_file={{ mailserver_tls_cert_file }}
|
||||
smtpd_tls_ciphers = high
|
||||
smtpd_tls_key_file=/var/lib/dehydrated/certs/{{ mailname }}/privkey.pem
|
||||
smtpd_tls_key_file={{ mailserver_tls_key_file }}
|
||||
smtpd_tls_protocols = !SSLv2, !SSLv3
|
||||
smtpd_tls_security_level = may
|
||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||
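Review bot: The rewritten lines `smtpd_tls_cert_file={{ mailserver_tls_cert_file }}` and `smtpd_tls_key_file={{ mailserver_tls_key_file }}` keep the old no-space form while every neighbouring directive in the hunk is written `key = value`; since the commit rewrites both lines anyway, `smtpd_tls_cert_file = {{ mailserver_tls_cert_file }}` and `smtpd_tls_key_file = {{ mailserver_tls_key_file }}` would match the file. Postfix accepts both spellings, so this is style only.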
|
@ -73,21 +73,21 @@ smtpd_relay_restrictions =
|
|||
|
||||
smtpd_sender_login_maps = $virtual_mailbox_maps
|
||||
|
||||
myhostname = {{ mailname }}
|
||||
myhostname = {{ mailserver_mailname }}
|
||||
alias_maps = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
myorigin = /etc/mailname
|
||||
mydestination = $myhostname, localhost
|
||||
relayhost =
|
||||
relayhost =
|
||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||
mailbox_size_limit = 0
|
||||
recipient_delimiter = +
|
||||
inet_interfaces = all
|
||||
inet_protocols = all
|
||||
|
||||
virtual_mailbox_base = {{ vmail_dir }}
|
||||
virtual_gid_maps = static:{{ vmail_gid }}
|
||||
virtual_uid_maps = static:{{ vmail_uid }}
|
||||
virtual_mailbox_base = {{ mailserver_vmail_dir }}
|
||||
virtual_gid_maps = static:{{ mailserver_vmail_gid }}
|
||||
virtual_uid_maps = static:{{ mailserver_vmail_uid }}
|
||||
virtual_mailbox_limit = 51200000
|
||||
virtual_mailbox_maps = sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf
|
||||
virtual_alias_maps = sqlite:/etc/postfix/sqlite_virtual_alias_maps.cf
|
||||
|
|
|
@ -127,4 +127,4 @@ mailman unix - n n - - pipe
|
|||
${nexthop} ${user}
|
||||
# Dovecot integration.
|
||||
dovecot unix - n n - - pipe
|
||||
flags=DRhu user={{ vmail_user }}:{{ vmail_group }} argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)
|
||||
flags=DRhu user={{ mailserver_vmail_user }}:{{ mailserver_vmail_group }} argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)
|
||||
|
|