author | Guilhem Moulin <guilhem@fripost.org> | 2016-06-05 17:30:00 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-06-05 17:33:25 +0200 |
commit | 17d7427e0bc5e61ee10e28cbc5cba5b8a7566d58 (patch) | |
tree | 00dc894e22ab7221e908faeac98095835b0a0782 /roles/webmail/tasks | |
parent | 57e40efc54c230566fd5f6bd10d25692709909b7 (diff) |
Use stunnel to secure the connection from the webmail to ldap.fripost.org.
We should use IPsec instead, but doing so would force us to weaken the ‘security’ setting in slapd.conf.
Diffstat (limited to 'roles/webmail/tasks')
-rw-r--r-- | roles/webmail/tasks/ldap.yml | 32 | ||||
-rw-r--r-- | roles/webmail/tasks/main.yml | 6 |
2 files changed, 38 insertions, 0 deletions
diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml
new file mode 100644
index 0000000..6df3324
--- /dev/null
+++ b/roles/webmail/tasks/ldap.yml
@@ -0,0 +1,32 @@
+- name: Create /etc/stunnel/certs
+  file: path=/etc/stunnel/certs
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy the ldap's X.509 certificate
+  copy: src=certs/ldap/ldap.fripost.org.pem
+        dest=/etc/stunnel/certs/ldap.pem
+        owner=root group=root
+        mode=0644
+  register: r1
+  notify:
+    - Restart stunnel@ldap
+
+- name: Configure stunnel
+  copy: src=etc/stunnel/ldap.conf
+        dest=/etc/stunnel/ldap.conf
+        owner=root group=root
+        mode=0644
+  register: r2
+  notify:
+    - Restart stunnel@ldap
+
+- name: Enable stunnel@ldap
+  service: name=stunnel4@ldap enabled=yes
+
+- name: Start stunnel@ldap
+  service: name=stunnel4@ldap state=started
+  when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml
index 8ee50bd..9c40a34 100644
--- a/roles/webmail/tasks/main.yml
+++ b/roles/webmail/tasks/main.yml
@@ -3,6 +3,12 @@
   tags:
   - postfix
   - mail
+  - stunnel
+- include: ldap.yml
+  when: "'LDAP-provider' not in group_names"
+  tags:
+    - ldap
+    - stunnel
 - include: roundcube.yml
   tags:
   - roundcube
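Review bot: Copying `ldap.fripost.org.pem` to `/etc/stunnel/certs/ldap.pem` only authenticates the LDAP server if `etc/stunnel/ldap.conf` — which is not part of this commit — points `CAfile` at that path and enables peer verification; otherwise the tunnel is encrypted but not authenticated, and nothing in this task file makes that expectation visible. A comment on the copy task would pin it down, e.g. `# Pinned peer certificate; ldap.conf must verify the server against this file, not against the system CA store`. Because this pins the leaf certificate rather than a CA, a rotation of the LDAP server's certificate will break webmail LDAP access until the new PEM is pushed, which is worth noting next to the task as well. The `stunnel4@ldap` service is enabled and started here without any task installing the `stunnel4` package, so presumably that happens elsewhere in the role or a common role — worth confirming.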
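Review bot: The new `when: "'LDAP-provider' not in group_names"` condition carries an unstated assumption — presumably a webmail host that is also the LDAP provider reaches slapd locally and needs no tunnel — and a one-line comment above the include would make that explicit, e.g. `# Remote webmails reach slapd through a local stunnel; the LDAP provider itself talks to it directly`. The first three context lines belong to the preceding include task, which starts outside this hunk, so whether the added `stunnel` tag on it is intentional cannot be judged from here.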