diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2014-06-28 23:21:51 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:06 +0200 |
| commit | ebab80fc4e8e1999833f9295649766133eb4d6fa (patch) | |
| tree | 910023d4e5b5c1ddadb7792cdad0b693736c3238 | |
| parent | 9692d409658ce552ab3e0d9f41aadca1c7bcb407 (diff) | |
Generate certs for Dovecot and Nginx if they are not there.
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 4 | ||||
| -rw-r--r-- | roles/IMAP/tasks/imap.yml | 16 | ||||
| -rw-r--r-- | roles/common/tasks/ipsec.yml | 2 | ||||
| -rw-r--r-- | roles/webmail/files/etc/nginx/sites-available/roundcube | 4 | ||||
| -rw-r--r-- | roles/webmail/tasks/roundcube.yml | 18 |
5 files changed, 37 insertions, 7 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index c727f4b..c5e61d7 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -4,42 +4,42 @@ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> ssl = required # No need for SSL if the packets are protected by IPSec. local 172.16.0.1 { protocol imap { disable_plaintext_auth = no ssl = no } protocol sieve { disable_plaintext_auth = no ssl = no } } # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = </etc/dovecot/dovecot.pem -ssl_key = </etc/dovecot/private/dovecot.pem +ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem +ssl_key = </etc/dovecot/ssl/imap.fripost.org.key # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often # world-readable, you may want to place this setting instead to a different # root owned 0600 file by using ssl_key_password = <path. #ssl_key_password = # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) #ssl_ca = # Require that CRL check succeeds for client certificates. #ssl_require_crl = yes # Request client to send a certificate. If you also want to require it, set # auth_ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no # Which field from certificate to use for username. commonName and diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml index 6191a50..c9471f3 100644 --- a/roles/IMAP/tasks/imap.yml +++ b/roles/IMAP/tasks/imap.yml @@ -45,48 +45,60 @@ - name: Create virtual mailboxes copy: src=etc/dovecot/virtual/{{ item }}/dovecot-virtual dest=/etc/dovecot/virtual/{{ item }}/dovecot-virtual owner=root group=root mode=0644 with_items: - all - flagged - recent - unseen - name: Create directory /home/mail/spamspool # There is no possibility for a name clash, since 'spamspool' isn't a # valid domain file: path=/home/mail/spamspool state=directory owner=vmail group=vmail mode=0700 +- name: Generate a private key and a X.509 certificate for Dovecot + command: genkeypair.sh x509 + --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem + --privkey=/etc/dovecot/ssl/imap.fripost.org.key + --dns imap.fripost.org + -t rsa -b 4096 -h sha512 + register: r1 + changed_when: r1.rc == 0 + failed_when: r1.rc > 1 + notify: + - Restart Dovecot + - name: Configure Dovecot copy: src=etc/dovecot/{{ item }} dest=/etc/dovecot/{{ item }} owner=root group=root mode=0644 - register: r + register: r2 with_items: - conf.d/10-auth.conf - conf.d/10-logging.conf - conf.d/10-mail.conf - conf.d/10-master.conf - conf.d/10-ssl.conf - conf.d/15-mailboxes.conf - conf.d/20-imap.conf - conf.d/20-lmtp.conf - conf.d/90-plugin.conf - conf.d/90-sieve.conf - conf.d/auth-ldap.conf.ext - dovecot-ldap.conf.ext - dovecot-ldap-userdb.conf.ext notify: - Restart Dovecot - name: Start Dovecot service: name=dovecot state=started - when: not r.changed + when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml index d773c1c..0dbf3e1 100644 --- a/roles/common/tasks/ipsec.yml +++ b/roles/common/tasks/ipsec.yml @@ -1,32 +1,32 @@ - name: Install strongSwan apt: pkg=strongswan-ikev2 - name: Generate a private key and a X.509 certificate for IPSec command: genkeypair.sh x509 --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem --privkey=/etc/ipsec.d/private/{{ inventory_hostname }}.key --dns {{ inventory_hostname }} -t ecdsa -b secp521r1 -h sha512 register: r1 - failed_when: r1.rc > 1 changed_when: r1.rc == 0 + failed_when: r1.rc > 1 notify: - Restart IPSec - name: Fetch the public part of IPSec's host key sudo: False # Ensure we don't fetch private data fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem dest=certs/ipsec/ fail_on_missing=yes flat=yes # Don't copy our pubkey due to a possible race condition. Only the # remote machine has authority regarding its key. - name: Copy IPSec host pubkeys (except ours) copy: src=certs/ipsec/{{ item }}.pem dest=/etc/ipsec.d/certs/{{ item }}.pem owner=root group=root mode=0644 with_items: groups.all | difference([inventory_hostname]) register: r2 diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index 161b940..0c54bf2 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -3,42 +3,42 @@ server { listen 80; listen [::]:80 ipv6only=on; server_name mail.fripost.org; access_log /var/log/nginx/roundcube.access.log; error_log /var/log/nginx/roundcube.error.log info; return 301 https://$host$request_uri; } server { listen 443; listen [::]:443 ipv6only=on; server_name mail.fripost.org; root /var/lib/roundcube; include ssl/config; - ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; - ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + ssl_certificate /etc/nginx/ssl/mail.fripost.org.pem; + ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key; location = /favicon.ico { root /usr/share/roundcube/skins/default/images; log_not_found off; access_log off; expires max; } location = /robots.txt { allow all; log_not_found off; access_log off; } # Deny all attempts to access hidden files, or files under hidden # directories. location ~ /\. { return 404; } access_log /var/log/nginx/roundcube.access.log; error_log /var/log/nginx/roundcube.error.log info; diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index c737fd1..d79304e 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -61,37 +61,55 @@ backrefs=yes owner=root group=root mode=0644 with_items: - classic - larry - name: Configure Roundcube plugins template: src=usr/share/roundcube/plugins/{{ item }}/config.inc.php.j2 dest=/usr/share/roundcube/plugins/{{ item }}/config.inc.php owner=root group=root mode=0644 with_items: - additional_message_headers - managesieve - password - name: Start php5-fpm service: name=php5-fpm state=started +- name: Generate a private key and a X.509 certificate for Nginx + command: genkeypair.sh x509 + --pubkey=/etc/nginx/ssl/mail.fripost.org.pem + --privkey=/etc/nginx/ssl/mail.fripost.org.key + --dns mail.fripost.org + -t rsa -b 4096 -h sha512 + register: r1 + changed_when: r1.rc == 0 + failed_when: r1.rc > 1 + notify: + - Restart Nginx + - name: Copy /etc/nginx/sites-available/roundcube copy: src=etc/nginx/sites-available/roundcube dest=/etc/nginx/sites-available/roundcube owner=root group=root mode=0644 + register: r2 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/roundcube file: src=../sites-available/roundcube dest=/etc/nginx/sites-enabled/roundcube owner=root group=root state=link force=yes + register: r3 notify: - Restart Nginx +- name: Start Nginx + service: name=nginx state=started + when: not (r1.changed or r2.changed or r3.changed) + - meta: flush_handlers |