Decouple the mailserver role

2022-01-16 23:35:02 +01:00 · 2022-01-16 23:35:02 +01:00 · 782550346f
parent 39aa982cbe
commit 782550346f
13 changed files with 75 additions and 89 deletions
--- a/roles/mailserver/defaults/main.yml
+++ b/roles/mailserver/defaults/main.yml
@ -1,11 +1,17 @@
 ---
-mailname: mail.example.org
+mailserver_become: true
+mailserver_become_user: root
+
+mailserver_mailname: mail.example.org

 mailserver_auth_database: /etc/dovecot/authdb.sqlite

-vmail_dir: /var/vmail
+mailserver_vmail_dir: /var/vmail
 # On Debian group "mail" has gid 8.
-vmail_gid: 8
-vmail_group: mail
-vmail_uid: 150
-vmail_user: vmail
+mailserver_vmail_gid: 8
+mailserver_vmail_group: mail
+mailserver_vmail_uid: 150
+mailserver_vmail_user: vmail
+
+mailserver_tls_cert_file: "/var/lib/dehydrated/certs/{{ mailserver_mailname }}/fullchain.pem"
+mailserver_tls_key_file: "/var/lib/dehydrated/certs/{{ mailserver_mailname }}/privkey.pem"
--- a/roles/mailserver/tasks/dovecot.yml
+++ b/roles/mailserver/tasks/dovecot.yml
@ -1,7 +1,7 @@
 ---

 - name: install dovecot
-  apt:
+  ansible.builtin.apt:
    name:
      - dovecot-core
      - dovecot-imapd
@ -10,12 +10,11 @@
      - dovecot-sqlite
    update_cache: true
    cache_valid_time: 3600
-  become: true

 - import_tasks: sqlite.yml

 - name: disable auth-system.conf.ext and enable auth-sql.conf.ext
-  lineinfile:
+  ansible.builtin.lineinfile:
    path: /etc/dovecot/conf.d/10-auth.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
@ -24,24 +23,21 @@
      line: "#!include auth-system.conf.ext"
    - regexp: "^#!include auth-sql.conf.ext"
      line: "!include auth-sql.conf.ext"
-  become: true

 - name: install dovecot 10-mail.conf
-  template:
+  ansible.builtin.template:
    src: etc/dovecot/conf.d/10-mail.conf.j2
    dest: /etc/dovecot/conf.d/10-mail.conf
  register: dovecot_10_mail_conf
-  become: true

 - name: install dovecot 10-master.conf
-  template:
+  ansible.builtin.template:
    src: etc/dovecot/conf.d/10-master.conf.j2
    dest: /etc/dovecot/conf.d/10-master.conf
  register: dovecot_10_master_conf
-  become: true

 - name: configure 10-ssl.conf
-  lineinfile:
+  ansible.builtin.lineinfile:
    path: /etc/dovecot/conf.d/10-ssl.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
@ -49,46 +45,40 @@
    - regexp: "^ssl = yes"
      line: "ssl = required"
    - regexp: "^ssl_cert = "
-      line: "ssl_cert = </var/lib/dehydrated/certs/{{ mailname }}/fullchain.pem"
+      line: "ssl_cert = <{{ mailserver_tls_cert_file }}"
    - regexp: "^ssl_key = "
-      line: "ssl_key = </var/lib/dehydrated/certs/{{ mailname }}/privkey.pem"
-  become: true
+      line: "ssl_key = <{{ mailserver_tls_key_file }}"

 - name: configure 15-lda.conf
-  lineinfile:
+  ansible.builtin.lineinfile:
    path: /etc/dovecot/conf.d/15-lda.conf
    regexp: "^  #mail_plugins ="
    line: "  mail_plugins = $mail_plugins sieve"
-  become: true

 - name: configure 15-mailboxes.conf
-  copy:
+  ansible.builtin.copy:
    src: etc/dovecot/conf.d/15-mailboxes.conf
    dest: /etc/dovecot/conf.d/15-mailboxes.conf
    owner: root
    group: root
-  become: true

 - name: configure 95-stats.conf
-  template:
+  ansible.builtin.template:
    src: etc/dovecot/conf.d/95-stats.conf.j2
    dest: /etc/dovecot/conf.d/95-stats.conf
    owner: root
    group: root
-  become: true

 - name: configure dovecot-sql.conf.ext
-  template:
+  ansible.builtin.template:
    src: etc/dovecot/dovecot-sql.conf.ext.j2
    dest: /etc/dovecot/dovecot-sql.conf.ext
    owner: root
    group: root
    mode: 0600
  register: dovecot_sql_conf_ext
-  become: true

 - name: reload dovecot on config
-  systemd:
+  ansible.builtin.systemd:
    name: dovecot
    state: reloaded
-  become: true
--- a/roles/mailserver/tasks/main.yml
+++ b/roles/mailserver/tasks/main.yml
@ -1,6 +1,10 @@
 ---
+- block:

- import_tasks: vmail.yml
- import_tasks: postfix.yml
- import_tasks: dovecot.yml
- import_tasks: rspamd.yml
+  - import_tasks: vmail.yml
+  - import_tasks: postfix.yml
+  - import_tasks: dovecot.yml
+  - import_tasks: rspamd.yml
+
+  become: "{{ mailserver_become }}"
+  become_user: "{{ mailserver_become_user }}"
--- a/roles/mailserver/tasks/postfix.yml
+++ b/roles/mailserver/tasks/postfix.yml
@ -1,37 +1,33 @@
 ---

 - name: install postfix
-  apt:
+  ansible.builtin.apt:
    name:
      - postfix
      - postfix-sqlite
    state: present
    update_cache: true
    cache_valid_time: 3600
-  become: true

 - name: configure mailname
-  copy:
-    content: "{{ mailname }}"
+  ansible.builtin.copy:
+    content: "{{ mailserver_mailname }}"
    dest: /etc/mailname
-  become: true

 - name: install postfix master.cf
-  template:
+  ansible.builtin.template:
    src: etc/postfix/master.cf.j2
    dest: /etc/postfix/master.cf
  register: postfix_master_cf
-  become: true

 - name: install postfix main.cf
-  template:
+  ansible.builtin.template:
    src: etc/postfix/main.cf.j2
    dest: /etc/postfix/main.cf
  register: postfix_main_cf
-  become: true

 - name: install configuration for virtual tables
-  template:
+  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/{{ item }}"
    group: postfix
@ -40,11 +36,9 @@
    - etc/postfix/sqlite_virtual_alias_maps.cf
    - etc/postfix/sqlite_virtual_domains_maps.cf
    - etc/postfix/sqlite_virtual_mailbox_maps.cf
-  become: true

 - name: reload postfix on config change
-  systemd:
+  ansible.builtin.systemd:
    name: postfix
    state: reloaded
  when: postfix_master_cf.changed or postfix_main_cf.changed
-  become: true
--- a/roles/mailserver/tasks/rspamd.yml
+++ b/roles/mailserver/tasks/rspamd.yml
@ -1,16 +1,15 @@
 ---

 - name: install rspamd
-  apt:
+  ansible.builtin.apt:
    name:
      - rspamd
      - redis
    update_cache: true
    cache_valid_time: 3600
-  become: true

 - name: copy rspamd configuration files
-  copy:
+  ansible.builtin.copy:
    src: etc/rspamd/local.d/{{ item }}
    dest: /etc/rspamd/local.d/{{ item }}
  loop:
@ -18,10 +17,8 @@
    - classifier-bayes.conf
    - milter_headers.conf
    - redis.conf
-  become: true

 - name: reload rspamd
-  systemd:
+  ansible.builtin.systemd:
    name: rspamd
    state: reloaded
-  become: true
--- a/roles/mailserver/tasks/sqlite.yml
+++ b/roles/mailserver/tasks/sqlite.yml
@ -7,7 +7,6 @@
    name: sqlite3
    update_cache: true
    cache_valid_time: 3600
-  become: true

 - name: import schema
  shell: |
@ -43,7 +42,6 @@
          active CHAR(1) NOT NULL default 'Y'
      );
    EOF
-  become: true

 - name: ensure /etc/dovecot/authdb.sqlite is owned by dovecot
  file:
@ -51,4 +49,3 @@
    owner: dovecot
    group: root
    mode: "0600"
-  become: true
--- a/roles/mailserver/tasks/vmail.yml
+++ b/roles/mailserver/tasks/vmail.yml
@ -1,20 +1,18 @@
 ---

 - name: ensure vmail user exists
-  user:
-    name: "{{ vmail_user }}"
-    uid: "{{ vmail_uid }}"
-    group: "{{ vmail_group }}"
-    home: "{{ vmail_dir }}"
+  ansible.builtin.user:
+    name: "{{ mailserver_vmail_user }}"
+    uid: "{{ mailserver_vmail_uid }}"
+    group: "{{ mailserver_vmail_group }}"
+    home: "{{ mailserver_vmail_dir }}"
    shell: /usr/sbin/nologin
    system: true
-  become: true

 - name: restrict vmail directory to vmail user and group
-  file:
-    path: "{{ vmail_dir }}"
+  ansible.builtin.file:
+    path: "{{ mailserver_vmail_dir }}"
    state: directory
-    owner: "{{ vmail_user }}"
-    group: "{{ vmail_group }}"
+    owner: "{{ mailserver_vmail_user }}"
+    group: "{{ mailserver_vmail_group }}"
    mode: "0770"
-  become: true
--- a/roles/mailserver/templates/etc/dovecot/conf.d/10-mail.conf.j2
+++ b/roles/mailserver/templates/etc/dovecot/conf.d/10-mail.conf.j2
@ -29,7 +29,7 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-mail_home = {{ vmail_dir }}/%d/%n
+mail_home = {{ mailserver_vmail_dir }}/%d/%n
 mail_location = maildir:~/mail

 # If you need to set multiple mailbox locations or want to change default
@ -108,8 +108,8 @@ namespace inbox {
 # System user and group used to access mails. If you use multiple, userdb
 # can override these by returning uid or gid fields. You can use either numbers
 # or names. <doc/wiki/UserIds.txt>
-mail_uid = {{ vmail_user }}
-mail_gid = {{ vmail_group }}
+mail_uid = {{ mailserver_vmail_user }}
+mail_gid = {{ mailserver_vmail_group }}

 # Group to enable temporarily for privileged operations. Currently this is
 # used only with INBOX when either its initial creation or dotlocking fails.
@ -178,15 +178,15 @@ mail_privileged_group = mail
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
-first_valid_uid = {{ vmail_uid }}
-last_valid_uid = {{ vmail_uid }}
+first_valid_uid = {{ mailserver_vmail_uid }}
+last_valid_uid = {{ mailserver_vmail_uid }}

 # Valid GID range for users, defaults to non-root/wheel. Users having
 # non-valid GID as primary group ID aren't allowed to log in. If user
 # belongs to supplementary groups with non-valid GIDs, those groups are
 # not set.
-first_valid_gid = {{ vmail_gid }}
-last_valid_gid = {{ vmail_gid }}
+first_valid_gid = {{ mailserver_vmail_gid }}
+last_valid_gid = {{ mailserver_vmail_gid }}

 # Maximum allowed length for mail keyword name. It's only forced when trying
 # to create new keywords.
--- a/roles/mailserver/templates/etc/dovecot/conf.d/10-master.conf.j2
+++ b/roles/mailserver/templates/etc/dovecot/conf.d/10-master.conf.j2
@ -101,8 +101,8 @@ service auth {
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0660
-    user = {{ vmail_user }}
-    group = {{ vmail_group }}
+    user = {{ mailserver_vmail_user }}
+    group = {{ mailserver_vmail_group }}
  }

  # Postfix smtp-auth
--- a/roles/mailserver/templates/etc/dovecot/conf.d/95-stats.conf.j2
+++ b/roles/mailserver/templates/etc/dovecot/conf.d/95-stats.conf.j2
@ -1,13 +1,13 @@
 service stats {
    unix_listener stats-reader {
-        user = {{ vmail_user }}
-        group = {{ vmail_group }}
+        user = {{ mailserver_vmail_user }}
+        group = {{ mailserver_vmail_group }}
        mode = 0660
    }

    unix_listener stats-writer {
-        user = {{ vmail_user }}
-        group = {{ vmail_group }}
+        user = {{ mailserver_vmail_user }}
+        group = {{ mailserver_vmail_group }}
        mode = 0660
    }
 }
--- a/roles/mailserver/templates/etc/dovecot/dovecot-sql.conf.ext.j2
+++ b/roles/mailserver/templates/etc/dovecot/dovecot-sql.conf.ext.j2
@ -130,8 +130,8 @@ password_query = \
 #   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
 #
 user_query = \
-  SELECT '{{ vmail_dir }}/%d/%n' as home, 'maildir:{{ vmail_dir }}/%d/%n/mail' as mail, \
-  {{ vmail_uid }} AS uid, {{ vmail_gid }} AS gid \
+  SELECT '{{ mailserver_vmail_dir }}/%d/%n' as home, 'maildir:{{ mailserver_vmail_dir }}/%d/%n/mail' as mail, \
+  {{ mailserver_vmail_uid }} AS uid, {{ mailserver_vmail_gid }} AS gid \
  FROM mailbox WHERE username = '%u' AND active = 'Y'

 # If you wish to avoid two SQL lookups (passdb + userdb), you can use
--- a/roles/mailserver/templates/etc/postfix/main.cf.j2
+++ b/roles/mailserver/templates/etc/postfix/main.cf.j2
@ -1,4 +1,4 @@
-# Ansible managed.
+# {{ ansible_managed }}
 # See /usr/share/postfix/main.cf.dist for a commented, more complete version


@ -26,9 +26,9 @@ compatibility_level = 2
 smtp_tls_ciphers = high
 smtp_tls_protocols = !SSLv2, !SSLv3
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtpd_tls_cert_file=/var/lib/dehydrated/certs/{{ mailname }}/fullchain.pem
+smtpd_tls_cert_file={{ mailserver_tls_cert_file }}
 smtpd_tls_ciphers = high
-smtpd_tls_key_file=/var/lib/dehydrated/certs/{{ mailname }}/privkey.pem
+smtpd_tls_key_file={{ mailserver_tls_key_file }}
 smtpd_tls_protocols = !SSLv2, !SSLv3
 smtpd_tls_security_level = may
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
@ -73,21 +73,21 @@ smtpd_relay_restrictions =

 smtpd_sender_login_maps = $virtual_mailbox_maps

-myhostname = {{ mailname }}
+myhostname = {{ mailserver_mailname }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = $myhostname, localhost
-relayhost = 
+relayhost =
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = all

-virtual_mailbox_base = {{ vmail_dir }}
-virtual_gid_maps = static:{{ vmail_gid }}
-virtual_uid_maps = static:{{ vmail_uid }}
+virtual_mailbox_base = {{ mailserver_vmail_dir }}
+virtual_gid_maps = static:{{ mailserver_vmail_gid }}
+virtual_uid_maps = static:{{ mailserver_vmail_uid }}
 virtual_mailbox_limit = 51200000
 virtual_mailbox_maps = sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf
 virtual_alias_maps = sqlite:/etc/postfix/sqlite_virtual_alias_maps.cf
--- a/roles/mailserver/templates/etc/postfix/master.cf.j2
+++ b/roles/mailserver/templates/etc/postfix/master.cf.j2
@ -127,4 +127,4 @@ mailman   unix  -       n       n       -       -       pipe
  ${nexthop} ${user}
 # Dovecot integration.
 dovecot      unix   -        n      n       -       -   pipe
-  flags=DRhu user={{ vmail_user }}:{{ vmail_group }} argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)
+  flags=DRhu user={{ mailserver_vmail_user }}:{{ mailserver_vmail_group }} argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)