Diffstat (limited to 'roles/dovecot/tasks')
-rw-r--r-- | roles/dovecot/tasks/freeipa.yml | 109 | ||||
-rw-r--r-- | roles/dovecot/tasks/main.yml | 127 | ||||
-rw-r--r-- | roles/dovecot/tasks/rspamd.yml | 43 | ||||
-rw-r--r-- | roles/dovecot/tasks/solr.yml | 40 |
4 files changed, 319 insertions, 0 deletions
diff --git a/roles/dovecot/tasks/freeipa.yml b/roles/dovecot/tasks/freeipa.yml
new file mode 100644
index 0000000..1e1ee29
--- /dev/null
+++ b/roles/dovecot/tasks/freeipa.yml
@@ -0,0 +1,109 @@
+- name: create IMAP access group
+  ipagroup:
+    ipaadmin_principal: '{{ ipa_user }}'
+    ipaadmin_password: '{{ ipa_pass }}'
+    name: '{{ dovecot_access_group }}'
+    description: users with IMAP access
+    nonposix: yes
+    state: present
+  run_once: True
+
+- name: create service principals
+  ipaservice:
+    ipaadmin_principal: '{{ ipa_user }}'
+    ipaadmin_password: '{{ ipa_pass }}'
+    name: '{{ item }}/{{ ansible_fqdn }}'
+    state: present
+  loop:
+    - imap
+    - sieve
+
+- name: retrieve service keytabs
+  include_role:
+    name: freeipa_keytab
+  vars:
+    keytab_principal: '{{ item }}/{{ ansible_fqdn }}'
+    keytab_path: '{{ dovecot_keytab }}'
+  loop:
+    - imap
+    - sieve
+
+- name: configure gssproxy
+  include_role:
+    name: gssproxy_client
+  vars:
+    gssproxy_name: dovecot
+    gssproxy_section: service/dovecot
+    gssproxy_keytab: '{{ dovecot_keytab }}'
+    gssproxy_client_keytab: '{{ dovecot_keytab }}'
+    gssproxy_cred_usage: both
+    gssproxy_euid: dovecot
+
+- name: create SELinux policy for dovecot to access gssproxy
+  include_role:
+    name: selinux_policy
+    apply:
+      tags: selinux
+  vars:
+    selinux_policy_name: dovecot_gssproxy
+    selinux_policy_te: '{{ dovecot_selinux_policy_te }}'
+  tags: selinux
+
+- name: generate PAM configuration for dovecot
+  copy:
+    content: |
+      auth required pam_sss.so
+      account required pam_sss.so
+    dest: /etc/pam.d/dovecot
+
+- name: create HBAC service
+  ipahbacsvc:
+    ipaadmin_principal: '{{ ipa_user }}'
+    ipaadmin_password: '{{ ipa_pass }}'
+    name: '{{ dovecot_hbac_service }}'
+    description: Dovecot IMAP server
+    state: present
+  run_once: True
+
+- name: create imap-servers hostgroup
+  ipahostgroup:
+    ipaadmin_principal: '{{ ipa_user }}'
+    ipaadmin_password: '{{ ipa_pass }}'
+    name: '{{ dovecot_hbac_hostgroup }}'
+    description: IMAP Servers
+    host: "{{ groups[dovecot_hbac_hostgroup] | map('regex_replace', '$', '.' ~ ansible_domain) }}"
+    state: present
+  run_once: True
+
+# Note: we explicitly allow all here. SSSD will only be consulted when a user performs
+# a PLAIN login, falling back to PAM authentication. Users with a valid Kerberos ticket
+# bypass the PAM stack entirely, so a restrictive HBAC rule is pointless.
+- name: create HBAC rule
+  ipahbacrule:
+    ipaadmin_principal: '{{ ipa_user }}'
+    ipaadmin_password: '{{ ipa_pass }}'
+    name: allow_dovecot_on_imap_servers
+    description: Allow IMAP on imap servers
+    hostgroup:
+      - '{{ dovecot_hbac_hostgroup }}'
+    usercategory: all
+    hbacsvc:
+      - '{{ dovecot_hbac_service }}'
+  run_once: True
+
+- name: create systemd override directory
+  file:
+    path: /etc/systemd/system/dovecot.service.d
+    state: directory
+
+- name: create systemd override file
+  copy:
+    src: etc/systemd/system/dovecot.service.d/override.conf
+    dest: /etc/systemd/system/dovecot.service.d/override.conf
+  notify: restart dovecot
+  register: dovecot_systemd_unit
+
+- name: reload systemd daemons
+  systemd:
+    daemon_reload: yes
+  when: dovecot_systemd_unit.changed
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
new file mode 100644
index 0000000..09f2e2e
--- /dev/null
+++ b/roles/dovecot/tasks/main.yml
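Review bot: The `retrieve service keytabs` task writes both the imap and sieve principals into the same file, `keytab_path: '{{ dovecot_keytab }}'`, so whether the second iteration adds to the first or replaces it depends on the freeipa_keytab role, which is not in this diff; if that role recreates the keytab on each call, only the sieve key survives and GSSAPI IMAP logins fail. A comment on the loop would pin the expectation, e.g. `# both principals share one keytab: freeipa_keytab must add entries, not recreate the file`. The booleans in this file are spelled three ways (`nonposix: yes`, `run_once: True`, `daemon_reload: yes`); the canonical `true`/`false` is what yamllint's truthy rule expects, and the same applies to the main.yml, rspamd.yml and solr.yml hunks below.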
@@ -0,0 +1,127 @@
+- name: install dovecot
+  dnf:
+    name: '{{ dovecot_packages }}'
+    state: present
+
+- name: add vmail user
+  user:
+    name: '{{ dovecot_vmail_user }}'
+    system: yes
+    home: '{{ dovecot_vmail_dir }}'
+    shell: /sbin/nologin
+    create_home: no
+  register: dovecot_vmail_user_result
+
+- name: create vmail directory
+  file:
+    path: '{{ dovecot_vmail_dir }}'
+    state: directory
+    owner: '{{ dovecot_vmail_user }}'
+    group: '{{ dovecot_vmail_user }}'
+    setype: mail_spool_t
+    mode: 0770
+
+- name: set selinux context for vmail directory
+  sefcontext:
+    target: '{{ dovecot_vmail_dir }}(/.*)?'
+    setype: mail_spool_t
+    state: present
+  register: dovecot_vmail_sefcontext
+
+- name: apply selinux context to vmail directory
+  command: 'restorecon -R {{ dovecot_vmail_dir }}'
+  when: dovecot_vmail_sefcontext.changed
+
+- name: set up FreeIPA integration for IMAP
+  import_tasks: freeipa.yml
+
+- name: request TLS certificate
+  include_role:
+    name: getcert_request
+  vars:
+    certificate_service: imap
+    certificate_path: '{{ dovecot_certificate_path }}'
+    certificate_key_path: '{{ dovecot_certificate_key_path }}'
+    certificate_owner: dovecot
+    certificate_hook: systemctl reload dovecot
+
+- name: generate dhparams
+  openssl_dhparam:
+    path: '{{ dovecot_dhparams_path }}'
+    size: 2048
+
+- name: configure Apache Solr for full-text search
+  import_tasks: solr.yml
+  tags: solr
+
+- name: create virtual config directory
+  file:
+    path: /etc/dovecot/virtual
+    state: directory
+
+- name: create global sieve directories
+  file:
+    path: '{{ item }}'
+    state: directory
+    recurse: yes
+  loop:
+    - '{{ dovecot_sieve_dir }}'
+    - '{{ dovecot_sieve_before_dir }}'
+    - '{{ dovecot_sieve_pipe_bin_dir }}'
+
+- name: create virtual mailbox definitions
+  copy:
+    src: etc/dovecot/virtual/
+    dest: /etc/dovecot/virtual/
+
+- name: generate dovecot configuration
+  template:
+    src: '{{ item.src }}'
+    dest: /etc/dovecot/{{ item.path | splitext | first }}
+  loop: "{{ lookup('filetree', '../templates/etc/dovecot', wantlist=True) }}"
+  loop_control:
+    label: '{{ item.path }}'
+  when: item.state == 'file'
+  notify: restart dovecot
+
+- name: copy quota warn script
+  template:
+    src: '{{ dovecot_quota_warning_script[1:] }}.j2'
+    dest: '{{ dovecot_quota_warning_script }}'
+    mode: 0555
+
+- name: start dovecot
+  systemd:
+    name: dovecot
+    enabled: yes
+    state: started
+
+- import_tasks: rspamd.yml
+
+- name: open firewall ports
+  firewalld:
+    service: '{{ item }}'
+    permanent: yes
+    immediate: yes
+    state: enabled
+  loop:
+    - imaps
+    - managesieve
+  tags: firewalld
+
+- name: open firewall ports
+  firewalld:
+    port: '{{ item }}'
+    permanent: yes
+    immediate: yes
+    state: enabled
+  loop:
+    - '{{ dovecot_quota_status_port }}/tcp'
+    - '{{ dovecot_lmtp_port }}/tcp'
+  tags: firewalld
+
+- name: generate archive script
+  template:
+    src: '{{ dovecot_archive_script[1:] }}.j2'
+    dest: '{{ dovecot_archive_script }}'
+    mode: 0555
diff --git a/roles/dovecot/tasks/rspamd.yml b/roles/dovecot/tasks/rspamd.yml
new file mode 100644
index 0000000..90686ee
--- /dev/null
+++ b/roles/dovecot/tasks/rspamd.yml
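Review bot: The second `open firewall ports` task enables `{{ dovecot_lmtp_port }}/tcp` and `{{ dovecot_quota_status_port }}/tcp` with no `zone` or `source`, so they land in firewalld's default zone alongside imaps and managesieve; LMTP delivery and quota-status lookups are unauthenticated back-end services intended for the MTA, and presumably should not be reachable from every host that can reach the IMAP ports. Restricting them to the MTA's address(es) with `source:` in a dedicated zone or a `rich_rule` keeps the exposure to the two user-facing services, and giving this task a distinct name such as `open firewall ports for LMTP and quota-status` makes the two tasks distinguishable in play output. The `generate dovecot configuration` task renders every file under templates/etc/dovecot with the template module's default permissions; the templates are outside this diff, so if any of them carries a credential (an LDAP bind or SQL password in a `*.conf.ext`), that task needs an explicit `mode: '0640'` or the secret-bearing files should be rendered separately. The octal modes `0770` and `0555` are plain YAML integers that Ansible happens to accept; the quoted form `mode: '0770'` is what yamllint's octal-values rule expects.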
@@ -0,0 +1,43 @@
+- name: install rspamd
+  dnf:
+    name: rspamd
+    state: present
+
+- name: copy rspamd X-SPAM sieve script
+  copy:
+    src: '{{ dovecot_sieve_before_dir[1:] }}/10-rspamd.sieve'
+    dest: '{{ dovecot_sieve_before_dir }}/10-rspamd.sieve'
+  register: dovecot_rspamd_sieve_script
+
+- name: compile rspamd X-SPAM sieve script
+  command: sievec '{{ dovecot_sieve_before_dir }}/10-rspamd.sieve'
+  when: dovecot_rspamd_sieve_script.changed
+
+- name: copy rspamd sieve reporting scripts
+  copy:
+    src: '{{ dovecot_sieve_dir[1:] }}/{{ item }}'
+    dest: '{{ dovecot_sieve_dir }}/{{ item }}'
+  loop:
+    - report-spam.sieve
+    - report-ham.sieve
+  register: dovecot_rspamd_report_sieve_scripts
+
+- name: compile rspamd sieve reporting scripts
+  command: sievec {{ dovecot_sieve_dir }}/{{ item }}
+  when: dovecot_rspamd_report_sieve_scripts.results[index].changed
+  loop:
+    - report-spam.sieve
+    - report-ham.sieve
+  loop_control:
+    index_var: index
+
+- name: generate rpsmad bash reporting scripts
+  template:
+    src: '{{ dovecot_sieve_pipe_bin_dir[1:] }}/{{ item }}.j2'
+    dest: '{{ dovecot_sieve_pipe_bin_dir }}/{{ item }}'
+    owner: root
+    group: dovecot
+    mode: 0550
+  loop:
+    - report-spam.sh
+    - report-ham.sh
diff --git a/roles/dovecot/tasks/solr.yml b/roles/dovecot/tasks/solr.yml
new file mode 100644
index 0000000..0751192
--- /dev/null
+++ b/roles/dovecot/tasks/solr.yml
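Review bot: The `compile rspamd sieve reporting scripts` task pairs its own literal loop with the registered results by position (`results[index].changed`), which breaks silently the moment one of the two lists is edited without the other. Looping over the registered results instead ties each compile to the copy that triggered it: `loop: '{{ dovecot_rspamd_report_sieve_scripts.results }}'`, `command: sievec {{ dovecot_sieve_dir }}/{{ item.item }}`, `when: item.changed`, and the `loop_control`/`index_var` pair goes away. The last task's name misspells the package: `generate rpsmad bash reporting scripts` should read `generate rspamd bash reporting scripts`. Both `sievec` tasks rely on their `when` guard to keep change reporting honest; a one-line comment such as `# only runs when the source changed, so reporting "changed" is accurate` saves the next reader from adding a `changed_when`.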
@@ -0,0 +1,40 @@
+- name: add solr collection for dovecot
+  command:
+    cmd: '{{ solr_install_dir }}/bin/solr create -c dovecot'
+    creates: '{{ solr_data_dir }}/dovecot'
+  become: True
+  become_user: solr
+
+- name: check if dovecot schema exists
+  stat:
+    path: '{{ solr_data_dir }}/dovecot/conf/schema.xml.bak'
+  register: schema_xml_bak
+
+- name: copy dovecot solr schema
+  copy:
+    src: '{{ solr_data_dir[1:] }}/dovecot/conf/schema.xml'
+    dest: '{{ solr_data_dir }}/dovecot/conf/schema.xml'
+    owner: solr
+    group: solr
+  register: solr_schema
+  changed_when: no
+
+- name: stat new schema
+  stat:
+    path: '{{ solr_data_dir }}/dovecot/conf/schema.xml'
+  register: schema_xml
+
+- name: remove managed-schema file
+  file:
+    path: '{{ solr_data_dir }}/dovecot/conf/managed-schema.xml'
+    state: absent
+  when: (not schema_xml_bak.stat.exists) or (schema_xml_bak.stat.checksum != schema_xml.stat.checksum)
+  notify: restart solr
+
+- name: generate dovecot solr config
+  template:
+    src: '{{ solr_data_dir[1:] }}/dovecot/conf/solrconfig.xml.j2'
+    dest: '{{ solr_data_dir }}/dovecot/conf/solrconfig.xml'
+    owner: solr
+    group: solr
+  notify: restart solr
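Review bot: `copy dovecot solr schema` registers `solr_schema` but nothing in the file reads it, and its `changed_when: no` hides schema updates from play output without saying why; the restart is actually driven by the `remove managed-schema file` comparison, so drop the `register` and put that on the task: `# not reported as changed here: the managed-schema check below decides whether solr restarts`. That check compares the freshly copied schema.xml against `schema.xml.bak`, which is presumably the copy Solr leaves behind when it converts a classic schema into a managed one — worth a comment, and worth confirming that `managed-schema.xml` is the file name the deployed Solr version writes, since older releases name it without the `.xml` suffix; if the name is wrong the `state: absent` task is a silent no-op and a changed schema never takes effect. `become: True` here and the `yes`/`no` booleans elsewhere in this file should be the canonical `true`/`false`.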