Diffstat (limited to 'roles/dovecot/tasks')
-rw-r--r--roles/dovecot/tasks/freeipa.yml109
-rw-r--r--roles/dovecot/tasks/main.yml127
-rw-r--r--roles/dovecot/tasks/rspamd.yml43
-rw-r--r--roles/dovecot/tasks/solr.yml40
4 files changed, 319 insertions, 0 deletions
diff --git a/roles/dovecot/tasks/freeipa.yml b/roles/dovecot/tasks/freeipa.yml
new file mode 100644
index 0000000..1e1ee29
--- /dev/null
+++ b/roles/dovecot/tasks/freeipa.yml
@@ -0,0 +1,109 @@
+- name: create IMAP access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ dovecot_access_group }}'
+ description: users with IMAP access
+ nonposix: yes
+ state: present
+ run_once: True
+
+- name: create service principals
+ ipaservice:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ item }}/{{ ansible_fqdn }}'
+ state: present
+ loop:
+ - imap
+ - sieve
+
+- name: retrieve service keytabs
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: '{{ item }}/{{ ansible_fqdn }}'
+ keytab_path: '{{ dovecot_keytab }}'
+ loop:
+ - imap
+ - sieve
+
+- name: configure gssproxy
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: dovecot
+ gssproxy_section: service/dovecot
+ gssproxy_keytab: '{{ dovecot_keytab }}'
+ gssproxy_client_keytab: '{{ dovecot_keytab }}'
+ gssproxy_cred_usage: both
+ gssproxy_euid: dovecot
+
+- name: create SELinux policy for dovecot to access gssproxy
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: dovecot_gssproxy
+ selinux_policy_te: '{{ dovecot_selinux_policy_te }}'
+ tags: selinux
+
+- name: generate PAM configuration for dovecot
+ copy:
+ content: |
+ auth required pam_sss.so
+ account required pam_sss.so
+ dest: /etc/pam.d/dovecot
+
+- name: create HBAC service
+ ipahbacsvc:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ dovecot_hbac_service }}'
+ description: Dovecot IMAP server
+ state: present
+ run_once: True
+
+- name: create imap-servers hostgroup
+ ipahostgroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ dovecot_hbac_hostgroup }}'
+ description: IMAP Servers
+ host: "{{ groups[dovecot_hbac_hostgroup] | map('regex_replace', '$', '.' ~ ansible_domain) }}"
+ state: present
+ run_once: True
+
+# Note: we explicitly allow all here. SSSD will only be consulted when a user performs
+# a PLAIN login, falling back to PAM authentication. Users with a valid Kerberos ticket
+# bypass the PAM stack entirely, so a restrictive HBAC rule is pointless.
+- name: create HBAC rule
+ ipahbacrule:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: allow_dovecot_on_imap_servers
+ description: Allow IMAP on imap servers
+ hostgroup:
+ - '{{ dovecot_hbac_hostgroup }}'
+ usercategory: all
+ hbacsvc:
+ - '{{ dovecot_hbac_service }}'
+ run_once: True
+
+- name: create systemd override directory
+ file:
+ path: /etc/systemd/system/dovecot.service.d
+ state: directory
+
+- name: create systemd override file
+ copy:
+ src: etc/systemd/system/dovecot.service.d/override.conf
+ dest: /etc/systemd/system/dovecot.service.d/override.conf
+ notify: restart dovecot
+ register: dovecot_systemd_unit
+
+- name: reload systemd daemons
+ systemd:
+ daemon_reload: yes
+ when: dovecot_systemd_unit.changed
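Review bot: The HBAC rule with `usercategory: all` grants PAM (PLAIN-login) access to every IPA user, while the `dovecot_access_group` created at the top of this file is not referenced by the rule or by anything else in this hunk. If that group is meant to gate IMAP access, either the rule should carry `group: ['{{ dovecot_access_group }}']` in place of `usercategory: all`, or the comment above the rule should state where the group check is actually enforced (presumably a userdb filter in the Dovecot templates, which are outside this hunk) so the allow-all rule is clearly not the only control. The comment's point that GSSAPI logins bypass PAM is true, but that argues for enforcing the group in the userdb, not for leaving the PAM path open to all users. Separately, the PAM file written to /etc/pam.d/dovecot carries no explicit ownership or mode; `owner: root` plus `mode: '0644'` would pin it rather than inheriting the controller's umask.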
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
new file mode 100644
index 0000000..09f2e2e
--- /dev/null
+++ b/roles/dovecot/tasks/main.yml
@@ -0,0 +1,127 @@
+- name: install dovecot
+ dnf:
+ name: '{{ dovecot_packages }}'
+ state: present
+
+- name: add vmail user
+ user:
+ name: '{{ dovecot_vmail_user }}'
+ system: yes
+ home: '{{ dovecot_vmail_dir }}'
+ shell: /sbin/nologin
+ create_home: no
+ register: dovecot_vmail_user_result
+
+- name: create vmail directory
+ file:
+ path: '{{ dovecot_vmail_dir }}'
+ state: directory
+ owner: '{{ dovecot_vmail_user }}'
+ group: '{{ dovecot_vmail_user }}'
+ setype: mail_spool_t
+ mode: 0770
+
+- name: set selinux context for vmail directory
+ sefcontext:
+ target: '{{ dovecot_vmail_dir }}(/.*)?'
+ setype: mail_spool_t
+ state: present
+ register: dovecot_vmail_sefcontext
+
+- name: apply selinux context to vmail directory
+ command: 'restorecon -R {{ dovecot_vmail_dir }}'
+ when: dovecot_vmail_sefcontext.changed
+
+- name: set up FreeIPA integration for IMAP
+ import_tasks: freeipa.yml
+
+- name: request TLS certificate
+ include_role:
+ name: getcert_request
+ vars:
+ certificate_service: imap
+ certificate_path: '{{ dovecot_certificate_path }}'
+ certificate_key_path: '{{ dovecot_certificate_key_path }}'
+ certificate_owner: dovecot
+ certificate_hook: systemctl reload dovecot
+
+- name: generate dhparams
+ openssl_dhparam:
+ path: '{{ dovecot_dhparams_path }}'
+ size: 2048
+
+- name: configure Apache Solr for full-text search
+ import_tasks: solr.yml
+ tags: solr
+
+- name: create virtual config directory
+ file:
+ path: /etc/dovecot/virtual
+ state: directory
+
+- name: create global sieve directories
+ file:
+ path: '{{ item }}'
+ state: directory
+ recurse: yes
+ loop:
+ - '{{ dovecot_sieve_dir }}'
+ - '{{ dovecot_sieve_before_dir }}'
+ - '{{ dovecot_sieve_pipe_bin_dir }}'
+
+- name: create virtual mailbox definitions
+ copy:
+ src: etc/dovecot/virtual/
+ dest: /etc/dovecot/virtual/
+
+- name: generate dovecot configuration
+ template:
+ src: '{{ item.src }}'
+ dest: /etc/dovecot/{{ item.path | splitext | first }}
+ loop: "{{ lookup('filetree', '../templates/etc/dovecot', wantlist=True) }}"
+ loop_control:
+ label: '{{ item.path }}'
+ when: item.state == 'file'
+ notify: restart dovecot
+
+- name: copy quota warn script
+ template:
+ src: '{{ dovecot_quota_warning_script[1:] }}.j2'
+ dest: '{{ dovecot_quota_warning_script }}'
+ mode: 0555
+
+- name: start dovecot
+ systemd:
+ name: dovecot
+ enabled: yes
+ state: started
+
+- import_tasks: rspamd.yml
+
+- name: open firewall ports
+ firewalld:
+ service: '{{ item }}'
+ permanent: yes
+ immediate: yes
+ state: enabled
+ loop:
+ - imaps
+ - managesieve
+ tags: firewalld
+
+- name: open firewall ports
+ firewalld:
+ port: '{{ item }}'
+ permanent: yes
+ immediate: yes
+ state: enabled
+ loop:
+ - '{{ dovecot_quota_status_port }}/tcp'
+ - '{{ dovecot_lmtp_port }}/tcp'
+ tags: firewalld
+
+- name: generate archive script
+ template:
+ src: '{{ dovecot_archive_script[1:] }}.j2'
+ dest: '{{ dovecot_archive_script }}'
+ mode: 0555
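Review bot: The second `open firewall ports` task exposes `dovecot_lmtp_port` and `dovecot_quota_status_port` to every source in the default firewalld zone, with no `source` or `zone` restriction. LMTP is an unauthenticated delivery protocol, so any host that can reach that port can deposit mail straight into mailboxes, bypassing the MTA and any filtering done before delivery; the quota-status port has the same exposure. Unless the default zone is already limited to the MTA hosts (not visible here), these two ports should be opened only for the MTA's address, e.g. via `firewalld` with `rich_rule: 'rule family=ipv4 source address=<mta address> port port={{ dovecot_lmtp_port }} protocol=tcp accept'`, or placed in an internal zone. Two smaller points: both firewall tasks share the name `open firewall ports`, which makes play output ambiguous, and `mode: 0770` on the vmail directory is an unquoted octal — `mode: '0770'` is the form the Ansible docs recommend so the value survives loops and YAML re-typing.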
diff --git a/roles/dovecot/tasks/rspamd.yml b/roles/dovecot/tasks/rspamd.yml
new file mode 100644
index 0000000..90686ee
--- /dev/null
+++ b/roles/dovecot/tasks/rspamd.yml
@@ -0,0 +1,43 @@
+- name: install rspamd
+ dnf:
+ name: rspamd
+ state: present
+
+- name: copy rspamd X-SPAM sieve script
+ copy:
+ src: '{{ dovecot_sieve_before_dir[1:] }}/10-rspamd.sieve'
+ dest: '{{ dovecot_sieve_before_dir }}/10-rspamd.sieve'
+ register: dovecot_rspamd_sieve_script
+
+- name: compile rspamd X-SPAM sieve script
+ command: sievec '{{ dovecot_sieve_before_dir }}/10-rspamd.sieve'
+ when: dovecot_rspamd_sieve_script.changed
+
+- name: copy rspamd sieve reporting scripts
+ copy:
+ src: '{{ dovecot_sieve_dir[1:] }}/{{ item }}'
+ dest: '{{ dovecot_sieve_dir }}/{{ item }}'
+ loop:
+ - report-spam.sieve
+ - report-ham.sieve
+ register: dovecot_rspamd_report_sieve_scripts
+
+- name: compile rspamd sieve reporting scripts
+ command: sievec {{ dovecot_sieve_dir }}/{{ item }}
+ when: dovecot_rspamd_report_sieve_scripts.results[index].changed
+ loop:
+ - report-spam.sieve
+ - report-ham.sieve
+ loop_control:
+ index_var: index
+
+- name: generate rpsmad bash reporting scripts
+ template:
+ src: '{{ dovecot_sieve_pipe_bin_dir[1:] }}/{{ item }}.j2'
+ dest: '{{ dovecot_sieve_pipe_bin_dir }}/{{ item }}'
+ owner: root
+ group: dovecot
+ mode: 0550
+ loop:
+ - report-spam.sh
+ - report-ham.sh
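Review bot: The second `sievec` invocation, `command: sievec {{ dovecot_sieve_dir }}/{{ item }}`, leaves the path unquoted while the earlier one, `sievec '{{ dovecot_sieve_before_dir }}/10-rspamd.sieve'`, quotes it; the `command` module word-splits its string, so the two should be written the same way, preferably as `command: { argv: ['sievec', '{{ dovecot_sieve_dir }}/{{ item }}'] }` so no splitting happens at all. The task name `generate rpsmad bash reporting scripts` has a typo (`rspamd`). Both compile tasks run as root, so the resulting `.svbin` files will be root-owned; that is presumably fine for Dovecot to read, but a one-line comment saying the scripts are precompiled here deliberately (rather than left to Dovecot at delivery time) would save the next maintainer from wondering.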
diff --git a/roles/dovecot/tasks/solr.yml b/roles/dovecot/tasks/solr.yml
new file mode 100644
index 0000000..0751192
--- /dev/null
+++ b/roles/dovecot/tasks/solr.yml
@@ -0,0 +1,40 @@
+- name: add solr collection for dovecot
+ command:
+ cmd: '{{ solr_install_dir }}/bin/solr create -c dovecot'
+ creates: '{{ solr_data_dir }}/dovecot'
+ become: True
+ become_user: solr
+
+- name: check if dovecot schema exists
+ stat:
+ path: '{{ solr_data_dir }}/dovecot/conf/schema.xml.bak'
+ register: schema_xml_bak
+
+- name: copy dovecot solr schema
+ copy:
+ src: '{{ solr_data_dir[1:] }}/dovecot/conf/schema.xml'
+ dest: '{{ solr_data_dir }}/dovecot/conf/schema.xml'
+ owner: solr
+ group: solr
+ register: solr_schema
+ changed_when: no
+
+- name: stat new schema
+ stat:
+ path: '{{ solr_data_dir }}/dovecot/conf/schema.xml'
+ register: schema_xml
+
+- name: remove managed-schema file
+ file:
+ path: '{{ solr_data_dir }}/dovecot/conf/managed-schema.xml'
+ state: absent
+ when: (not schema_xml_bak.stat.exists) or (schema_xml_bak.stat.checksum != schema_xml.stat.checksum)
+ notify: restart solr
+
+- name: generate dovecot solr config
+ template:
+ src: '{{ solr_data_dir[1:] }}/dovecot/conf/solrconfig.xml.j2'
+ dest: '{{ solr_data_dir }}/dovecot/conf/solrconfig.xml'
+ owner: solr
+ group: solr
+ notify: restart solr
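Review bot: The comparison against `schema.xml.bak` followed by removal of `managed-schema.xml` is undocumented, and nothing in this file creates the `.bak`, so a reader cannot tell that the logic relies on Solr itself renaming `schema.xml` to `schema.xml.bak` when it converts a classic schema into a managed one (that is my assumption; confirm against the Solr release in use). A comment above the first stat task such as `# Solr renames schema.xml to schema.xml.bak when it converts it to managed-schema; comparing against that copy detects a changed schema` would make the intent explicit, and the task name `check if dovecot schema exists` misdescribes what is being stat'ed (it is the backup, not the schema). The `register: solr_schema` on the copy task is never read and `changed_when: no` suppresses a real change, so `solr_schema` can be dropped. Whether the managed file is `managed-schema.xml` or `managed-schema` differs between Solr major versions, so the path is worth checking against the installed version.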