Generate certs for Dovecot and Nginx if they are not there.

2 files changed, 16 insertions, 4 deletions

diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index c727f4b..c5e61d7 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -4,42 +4,42 @@
 
 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
 ssl = required
 
 # No need for SSL if the packets are protected by IPSec.
 local 172.16.0.1 {
     protocol imap {
         disable_plaintext_auth = no
         ssl = no
     }
     protocol sieve {
         disable_plaintext_auth = no
         ssl = no
     }
 }
 
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/dovecot/dovecot.pem
-ssl_key = </etc/dovecot/private/dovecot.pem
+ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem
+ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
 # world-readable, you may want to place this setting instead to a different
 # root owned 0600 file by using ssl_key_password = <path.
 #ssl_key_password =
 
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
 #ssl_ca = 
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes
 
 # Request client to send a certificate. If you also want to require it, set
 # auth_ssl_require_client_cert=yes in auth section.
 #ssl_verify_client_cert = no
 
 # Which field from certificate to use for username. commonName and
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index 6191a50..c9471f3 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -45,48 +45,60 @@
 
 - name: Create virtual mailboxes
   copy: src=etc/dovecot/virtual/{{ item }}/dovecot-virtual
         dest=/etc/dovecot/virtual/{{ item }}/dovecot-virtual
         owner=root group=root
         mode=0644
   with_items:
     - all
     - flagged
     - recent
     - unseen
 
 - name: Create directory /home/mail/spamspool
   # There is no possibility for a name clash, since 'spamspool' isn't a
   # valid domain
   file: path=/home/mail/spamspool
         state=directory
         owner=vmail group=vmail
         mode=0700
 
+- name: Generate a private key and a X.509 certificate for Dovecot
+  command: genkeypair.sh x509
+                         --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem
+                         --privkey=/etc/dovecot/ssl/imap.fripost.org.key
+                         --dns imap.fripost.org
+                         -t rsa -b 4096 -h sha512
+  register: r1
+  changed_when: r1.rc == 0
+  failed_when: r1.rc > 1
+  notify:
+    - Restart Dovecot
+
 - name: Configure Dovecot
   copy: src=etc/dovecot/{{ item }}
         dest=/etc/dovecot/{{ item }}
         owner=root group=root
         mode=0644
-  register: r
+  register: r2
   with_items:
     - conf.d/10-auth.conf
     - conf.d/10-logging.conf
     - conf.d/10-mail.conf
     - conf.d/10-master.conf
     - conf.d/10-ssl.conf
     - conf.d/15-mailboxes.conf
     - conf.d/20-imap.conf
     - conf.d/20-lmtp.conf
     - conf.d/90-plugin.conf
     - conf.d/90-sieve.conf
     - conf.d/auth-ldap.conf.ext
     - dovecot-ldap.conf.ext
     - dovecot-ldap-userdb.conf.ext
   notify:
     - Restart Dovecot
 
 - name: Start Dovecot
   service: name=dovecot state=started
-  when: not r.changed
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers