diff options
| author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:23:43 -0500 |
|---|---|---|
| committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:52:13 -0500 |
| commit | 0261e875679f1bf63c8d689da7fc7e014597885d (patch) | |
| tree | 3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/dovecot/tasks/freeipa.yml | |
| download | selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.tar.gz selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.zip | |
initial commit
Diffstat (limited to 'roles/dovecot/tasks/freeipa.yml')
| -rw-r--r-- | roles/dovecot/tasks/freeipa.yml | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/roles/dovecot/tasks/freeipa.yml b/roles/dovecot/tasks/freeipa.yml new file mode 100644 index 0000000..1e1ee29 --- /dev/null +++ b/roles/dovecot/tasks/freeipa.yml @@ -0,0 +1,109 @@ +- name: create IMAP access group + ipagroup: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ dovecot_access_group }}' + description: users with IMAP access + nonposix: yes + state: present + run_once: True + +- name: create service principals + ipaservice: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ item }}/{{ ansible_fqdn }}' + state: present + loop: + - imap + - sieve + +- name: retrieve service keytabs + include_role: + name: freeipa_keytab + vars: + keytab_principal: '{{ item }}/{{ ansible_fqdn }}' + keytab_path: '{{ dovecot_keytab }}' + loop: + - imap + - sieve + +- name: configure gssproxy + include_role: + name: gssproxy_client + vars: + gssproxy_name: dovecot + gssproxy_section: service/dovecot + gssproxy_keytab: '{{ dovecot_keytab }}' + gssproxy_client_keytab: '{{ dovecot_keytab }}' + gssproxy_cred_usage: both + gssproxy_euid: dovecot + +- name: create SELinux policy for dovecot to access gssproxy + include_role: + name: selinux_policy + apply: + tags: selinux + vars: + selinux_policy_name: dovecot_gssproxy + selinux_policy_te: '{{ dovecot_selinux_policy_te }}' + tags: selinux + +- name: generate PAM configuration for dovecot + copy: + content: | + auth required pam_sss.so + account required pam_sss.so + dest: /etc/pam.d/dovecot + +- name: create HBAC service + ipahbacsvc: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ dovecot_hbac_service }}' + description: Dovecot IMAP server + state: present + run_once: True + +- name: create imap-servers hostgroup + ipahostgroup: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ dovecot_hbac_hostgroup }}' + description: IMAP Servers + host: "{{ groups[dovecot_hbac_hostgroup] | map('regex_replace', '$', '.' ~ ansible_domain) }}" + state: present + run_once: True + +# Note: we explicitly allow all here. SSSD will only be consulted when a user performs +# a PLAIN login, falling back to PAM authentication. Users with a valid Kerberos ticket +# bypass the PAM stack entirely, so a restrictive HBAC rule is pointless. +- name: create HBAC rule + ipahbacrule: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: allow_dovecot_on_imap_servers + description: Allow IMAP on imap servers + hostgroup: + - '{{ dovecot_hbac_hostgroup }}' + usercategory: all + hbacsvc: + - '{{ dovecot_hbac_service }}' + run_once: True + +- name: create systemd override directory + file: + path: /etc/systemd/system/dovecot.service.d + state: directory + +- name: create systemd override file + copy: + src: etc/systemd/system/dovecot.service.d/override.conf + dest: /etc/systemd/system/dovecot.service.d/override.conf + notify: restart dovecot + register: dovecot_systemd_unit + +- name: reload systemd daemons + systemd: + daemon_reload: yes + when: dovecot_systemd_unit.changed |