Diffstat (limited to 'roles/IMAP/tasks/imap.yml')
-rw-r--r--roles/IMAP/tasks/imap.yml143
1 files changed, 92 insertions, 51 deletions
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index 0c55535..c2bdca9 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -1,156 +1,197 @@
- name: Install Dovecot
- apt: pkg={{ item }}
- with_items:
+ apt: pkg={{ packages }}
+ vars:
+ packages:
- dovecot-core
- dovecot-ldap
- dovecot-imapd
- dovecot-lmtpd
- dovecot-antispam
- dovecot-managesieved
- dovecot-sieve
- name: Create a user 'vmail'
user: name=vmail system=yes
createhome=no
home=/home/mail
shell=/usr/sbin/nologin
password=!
state=present
-## TODO: make a LDAP query listing all users using iterate_attrs and
-## iterate_filter. (Alternatively, use a dict, see
-## https://www.opensource.apple.com/source/dovecot/dovecot-293/dovecot.Config/dovecot-dict-auth.conf.ext)
-## Required for dbox, see
-## http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
-#- name: Create a nightly cron job to purge expunged messages
-# cron: name="Purge expunged messages"
-# minute=7 hour=5
-# user=vmail cron_file=doveadm-purge
-# job="/usr/bin/doveadm purge -A"
+- name: Install Net::LDAP and Authen::SASL
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - libnet-ldap-perl
+ - libauthen-sasl-perl
+
+- name: Copy dovecot auth proxy
+ copy: src=usr/local/bin/dovecot-auth-proxy.pl
+ dest=/usr/local/bin/dovecot-auth-proxy.pl
+ owner=root group=staff
+ mode=0755
+
+# Required for IDLE as all imap processes have the same UID (vmail).
+- name: Set per user maximum number of inotify instances to 512
+ sysctl: name=fs.inotify.max_user_instances value=512 sysctl_set=yes
+ tags:
+ - sysctl
+
+- name: Create '_dovecot-auth-proxy' user
+ user: name=_dovecot-auth-proxy system=yes
+ group=nogroup
+ createhome=no
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ password=!
+ state=present
+
+- name: Copy dovecot auth proxy systemd unit files
+ copy: src=etc/systemd/system/{{ item }}
+ dest=/etc/systemd/system/{{ item }}
+ owner=root group=root
+ mode=0644
+ with_items:
+ - dovecot-auth-proxy.service
+ - dovecot-auth-proxy.socket
+ notify:
+ - systemctl daemon-reload
+
+- meta: flush_handlers
+
+- name: Enable dovecot auth proxy
+ service: name=dovecot-auth-proxy.socket state=started enabled=yes
# The ownership and permissions ensure that dovecot won't try to
# deliver mails under an umounted mountpoint.
- name: Create a home directory for user 'vmail'
file: path=/home/mail
state=directory
owner=root group=root
mode=0755
-- name: Create /home/mail/virtual
- file: path=/home/mail/virtual
+- name: Mount /home/mail
+ mount: src=/dev/mapper/luksMail
+ path=/home/mail
+ fstype=ext4
+ opts=noauto
+ state=mounted
+
+- name: Create /home/mail/{virtual,attachments,spamspool}
+ file: path=/home/mail/{{ item }}
state=directory
owner=vmail group=vmail
mode=0700
+ with_items:
+ - virtual
+ - attachments
+ - spamspool
+
+- name: Create a cronjob for purging and SIS deduplication
+ copy: src=etc/cron.d/doveadm
+ dest=/etc/cron.d/doveadm
+ owner=root group=root
+ mode=0644
- name: Create virtual mailbox directories
file: path=/etc/dovecot/virtual/{{ item }}
state=directory
owner=root group=root
mode=0755
with_items:
- all
- flagged
- recent
- unseen
- name: Create virtual mailboxes
copy: src=etc/dovecot/virtual/{{ item }}/dovecot-virtual
dest=/etc/dovecot/virtual/{{ item }}/dovecot-virtual
owner=root group=root
mode=0644
with_items:
- all
- flagged
- recent
- unseen
-- name: Create directory /home/mail/spamspool
- file: path=/home/mail/spamspool
- state=directory
- owner=vmail group=vmail
- mode=0700
-
- name: Create directory /etc/dovecot/ssl
file: path=/etc/dovecot/ssl
state=directory
owner=root group=root
mode=0755
-- name: Generate a private key and a X.509 certificate for Dovecot
- command: genkeypair.sh x509
- --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem
- --privkey=/etc/dovecot/ssl/imap.fripost.org.key
- --ou=IMAP --cn=imap.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Dovecot
- tags:
- - genkey
- name: Fetch Dovecot's X.509 certificate
# Ensure we don't fetch private data
- sudo: False
- fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem
- dest=certs/dovecot/
- fail_on_missing=yes
- flat=yes
+ become: False
+ fetch_cmd: cmd="openssl x509 -noout -pubkey"
+ stdin=/etc/dovecot/ssl/imap.fripost.org.pem
+ dest=certs/public/imap.fripost.org.pub
tags:
- genkey
- name: Configure Dovecot
copy: src=etc/dovecot/{{ item }}
dest=/etc/dovecot/{{ item }}
owner=root group=root
mode=0644
- register: r2
+ register: r1
with_items:
- conf.d/10-auth.conf
- - conf.d/10-logging.conf
- - conf.d/10-mail.conf
- - conf.d/10-master.conf
- - conf.d/10-ssl.conf
- - conf.d/15-mailboxes.conf
- - conf.d/20-imap.conf
- - conf.d/20-lmtp.conf
- - conf.d/90-plugin.conf
- - conf.d/90-sieve.conf
- conf.d/auth-ldap.conf.ext
- dovecot-ldap.conf.ext
- dovecot-ldap-userdb.conf.ext
notify:
- Restart Dovecot
+- name: Configure Dovecot (2)
+ template: src=etc/dovecot/{{ item }}.j2
+ dest=/etc/dovecot/{{ item }}
+ owner=root group=root
+ mode=0644
+ register: r2
+ with_items:
+ - conf.d/99-local.conf
+ notify:
+ - Restart Dovecot
+
+# TODO bookworm remove the below and inline the !include_try
+- name: Copy /etc/dovecot/ssl/config workaround
+ copy: src=etc/dovecot/ssl/config
+ dest=/etc/dovecot/ssl/config
+ owner=root group=root
+ mode=0600
+ notify:
+ - Restart Dovecot
+
- name: Tell Dovecot we have a remote IMAP proxy
- # XXX: we should have an automatic lookup here
lineinfile: dest=/etc/dovecot/dovecot.conf
regexp='^(\s*#)?\s*login_trusted_networks\s*='
- line='login_trusted_networks = 171.25.193.76/32'
+ line="login_trusted_networks = {{ ipsec_subnet }}"
state=present
create=yes
owner=root group=root
mode=0644
register: r3
- when: "'IMAP' in group_names and 'webmail' not in group_names"
+ when: "groups.all | length > 1"
notify:
- Restart Dovecot
- name: Start Dovecot
service: name=dovecot state=started
when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
- name: Install 'dovecot_stats_' Munin wildcard plugin
file: src=/usr/local/share/munin/plugins/dovecot_stats_
dest=/etc/munin/plugins/dovecot_stats_fripost.org
owner=root group=root
state=link force=yes
tags:
- munin
- munin-node
notify:
- Restart munin-node
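Review bot: `line="login_trusted_networks = {{ ipsec_subnet }}"` on the lineinfile task extends the trusted-proxy privilege to the whole IPsec range, and its new guard `when: "groups.all | length > 1"` turns it on whenever the inventory has any second host, not when a webmail/proxy host actually exists as the old `'webmail' not in group_names` condition expressed. Dovecot treats peers in that list as allowed to override the client IP/port used for logging and auth checks (and to skip the plaintext-auth restriction), so every host on the subnet, not only the proxy, gains that ability. Consider listing only the proxy hosts' addresses instead of the subnet and gating on the group that needs it, e.g. `when: "groups.webmail | default([]) | difference([inventory_hostname]) | length > 0"`. Also note that a false condition skips the task rather than clearing the line, so a host that was once in a multi-host inventory keeps its previously written trusted range until it is removed by hand.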