summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf4
-rw-r--r--roles/IMAP/tasks/imap.yml16
-rw-r--r--roles/common/tasks/ipsec.yml2
-rw-r--r--roles/webmail/files/etc/nginx/sites-available/roundcube4
-rw-r--r--roles/webmail/tasks/roundcube.yml18
5 files changed, 37 insertions, 7 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index c727f4b..c5e61d7 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -4,42 +4,42 @@
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
# No need for SSL if the packets are protected by IPSec.
local 172.16.0.1 {
protocol imap {
disable_plaintext_auth = no
ssl = no
}
protocol sieve {
disable_plaintext_auth = no
ssl = no
}
}
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/dovecot/dovecot.pem
-ssl_key = </etc/dovecot/private/dovecot.pem
+ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem
+ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index 6191a50..c9471f3 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -45,48 +45,60 @@
- name: Create virtual mailboxes
copy: src=etc/dovecot/virtual/{{ item }}/dovecot-virtual
dest=/etc/dovecot/virtual/{{ item }}/dovecot-virtual
owner=root group=root
mode=0644
with_items:
- all
- flagged
- recent
- unseen
- name: Create directory /home/mail/spamspool
# There is no possibility for a name clash, since 'spamspool' isn't a
# valid domain
file: path=/home/mail/spamspool
state=directory
owner=vmail group=vmail
mode=0700
+- name: Generate a private key and a X.509 certificate for Dovecot
+ command: genkeypair.sh x509
+ --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem
+ --privkey=/etc/dovecot/ssl/imap.fripost.org.key
+ --dns imap.fripost.org
+ -t rsa -b 4096 -h sha512
+ register: r1
+ changed_when: r1.rc == 0
+ failed_when: r1.rc > 1
+ notify:
+ - Restart Dovecot
+
- name: Configure Dovecot
copy: src=etc/dovecot/{{ item }}
dest=/etc/dovecot/{{ item }}
owner=root group=root
mode=0644
- register: r
+ register: r2
with_items:
- conf.d/10-auth.conf
- conf.d/10-logging.conf
- conf.d/10-mail.conf
- conf.d/10-master.conf
- conf.d/10-ssl.conf
- conf.d/15-mailboxes.conf
- conf.d/20-imap.conf
- conf.d/20-lmtp.conf
- conf.d/90-plugin.conf
- conf.d/90-sieve.conf
- conf.d/auth-ldap.conf.ext
- dovecot-ldap.conf.ext
- dovecot-ldap-userdb.conf.ext
notify:
- Restart Dovecot
- name: Start Dovecot
service: name=dovecot state=started
- when: not r.changed
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index d773c1c..0dbf3e1 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -1,32 +1,32 @@
- name: Install strongSwan
apt: pkg=strongswan-ikev2
- name: Generate a private key and a X.509 certificate for IPSec
command: genkeypair.sh x509
--pubkey=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
--privkey=/etc/ipsec.d/private/{{ inventory_hostname }}.key
--dns {{ inventory_hostname }}
-t ecdsa -b secp521r1 -h sha512
register: r1
- failed_when: r1.rc > 1
changed_when: r1.rc == 0
+ failed_when: r1.rc > 1
notify:
- Restart IPSec
- name: Fetch the public part of IPSec's host key
sudo: False
# Ensure we don't fetch private data
fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
dest=certs/ipsec/
fail_on_missing=yes
flat=yes
# Don't copy our pubkey due to a possible race condition. Only the
# remote machine has authority regarding its key.
- name: Copy IPSec host pubkeys (except ours)
copy: src=certs/ipsec/{{ item }}.pem
dest=/etc/ipsec.d/certs/{{ item }}.pem
owner=root group=root
mode=0644
with_items: groups.all | difference([inventory_hostname])
register: r2
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 161b940..0c54bf2 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -3,42 +3,42 @@ server {
listen 80;
listen [::]:80 ipv6only=on;
server_name mail.fripost.org;
access_log /var/log/nginx/roundcube.access.log;
error_log /var/log/nginx/roundcube.error.log info;
return 301 https://$host$request_uri;
}
server {
listen 443;
listen [::]:443 ipv6only=on;
server_name mail.fripost.org;
root /var/lib/roundcube;
include ssl/config;
- ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
- ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+ ssl_certificate /etc/nginx/ssl/mail.fripost.org.pem;
+ ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key;
location = /favicon.ico {
root /usr/share/roundcube/skins/default/images;
log_not_found off;
access_log off;
expires max;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files, or files under hidden
# directories.
location ~ /\. { return 404; }
access_log /var/log/nginx/roundcube.access.log;
error_log /var/log/nginx/roundcube.error.log info;
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index c737fd1..d79304e 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -61,37 +61,55 @@
backrefs=yes
owner=root group=root
mode=0644
with_items:
- classic
- larry
- name: Configure Roundcube plugins
template: src=usr/share/roundcube/plugins/{{ item }}/config.inc.php.j2
dest=/usr/share/roundcube/plugins/{{ item }}/config.inc.php
owner=root group=root
mode=0644
with_items:
- additional_message_headers
- managesieve
- password
- name: Start php5-fpm
service: name=php5-fpm state=started
+- name: Generate a private key and a X.509 certificate for Nginx
+ command: genkeypair.sh x509
+ --pubkey=/etc/nginx/ssl/mail.fripost.org.pem
+ --privkey=/etc/nginx/ssl/mail.fripost.org.key
+ --dns mail.fripost.org
+ -t rsa -b 4096 -h sha512
+ register: r1
+ changed_when: r1.rc == 0
+ failed_when: r1.rc > 1
+ notify:
+ - Restart Nginx
+
- name: Copy /etc/nginx/sites-available/roundcube
copy: src=etc/nginx/sites-available/roundcube
dest=/etc/nginx/sites-available/roundcube
owner=root group=root
mode=0644
+ register: r2
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/roundcube
file: src=../sites-available/roundcube
dest=/etc/nginx/sites-enabled/roundcube
owner=root group=root
state=link force=yes
+ register: r3
notify:
- Restart Nginx
+- name: Start Nginx
+ service: name=nginx state=started
+ when: not (r1.changed or r2.changed or r3.changed)
+
- meta: flush_handlers
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-15 10:47:03 +0000