Diffstat (limited to 'roles/webmail/tasks')
-rw-r--r--roles/webmail/tasks/ldap.yml36
-rw-r--r--roles/webmail/tasks/mail.yml39
-rw-r--r--roles/webmail/tasks/main.yml12
-rw-r--r--roles/webmail/tasks/roundcube.yml241
4 files changed, 230 insertions, 98 deletions
diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml
new file mode 100644
index 0000000..f0b461c
--- /dev/null
+++ b/roles/webmail/tasks/ldap.yml
@@ -0,0 +1,36 @@
+- name: Copy stunnel4@ldap.socket
+ copy: src=etc/systemd/system/stunnel4@ldap.socket
+ dest=/etc/systemd/system/stunnel4@ldap.socket
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+ - Restart stunnel4@ldap.socket
+
+- name: Create /etc/stunnel/certs
+ file: path=/etc/stunnel/certs
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy the slapd X.509 certificate
+ copy: src=certs/ldap/ldap.fripost.org.pem
+ dest=/etc/stunnel/certs/ldap.pem
+ owner=root group=root
+ mode=0644
+ notify:
+ - Stop stunnel4@ldap.service
+
+- name: Configure stunnel
+ template: src=etc/stunnel/ldap.conf.j2
+ dest=/etc/stunnel/ldap.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Stop stunnel4@ldap.service
+
+- name: Disable stunnel4@ldap.service
+ service: name=stunnel4@ldap.service enabled=false
+
+- name: Start stunnel4@ldap.socket socket
+ service: name=stunnel4@ldap.socket state=started enabled=true
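Review bot: The last two tasks disable `stunnel4@ldap.service` while enabling and starting `stunnel4@ldap.socket`, and the certificate and config tasks notify `Stop stunnel4@ldap.service` rather than a restart; this only works because the unit is socket-activated and is started again on the next connection, and nothing in the file says so. I'd put `# stunnel4@ldap.service is socket-activated: keep it disabled and let the socket start it on demand, so stopping it after a cert/config change is effectively a restart` above the `Disable stunnel4@ldap.service` task. The ldap.pem copied into /etc/stunnel/certs is presumably the pinned slapd certificate that etc/stunnel/ldap.conf.j2 verifies the peer against (the template is outside this diff); a comment on the copy task such as `# Pinned slapd certificate — confirm ldap.conf.j2 verifies the peer against this file` would make the trust anchor explicit. Style: main.yml in this same commit already uses block YAML for `tags`, so the `key=value` module-argument strings here could use block form as well.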
diff --git a/roles/webmail/tasks/mail.yml b/roles/webmail/tasks/mail.yml
deleted file mode 100644
index 7603a56..0000000
--- a/roles/webmail/tasks/mail.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- name: Install stunnel
- apt: pkg=stunnel4
-
-- name: Auto-enable stunnel
- lineinfile: dest=/etc/default/stunnel4
- regexp='^(\s*#)?\s*ENABLED='
- line='ENABLED=1'
- owner=root group=root
- mode=0644
-
-- name: Create /etc/stunnel/certs
- file: path=/etc/stunnel/certs
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Copy the SMTP outgoing proxy's X.509 certificate
- assemble: src=certs/postfix regexp="{{ groups.out | difference([inventory_hostname]) | join('|') }}\.pem$" remote_src=no
- dest=/etc/stunnel/certs/postfix.pem
- owner=root group=root
- mode=0644
- register: r1
- notify:
- - Restart stunnel
-
-- name: Configure stunnel
- template: src=etc/stunnel/postfix.conf.j2
- dest=/etc/stunnel/postfix.conf
- owner=root group=root
- mode=0644
- register: r2
- notify:
- - Restart stunnel
-
-- name: Start stunnel
- service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
- when: not (r1.changed or r2.changed)
-
-- meta: flush_handlers
diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml
index 030a547..146c36f 100644
--- a/roles/webmail/tasks/main.yml
+++ b/roles/webmail/tasks/main.yml
@@ -1,3 +1,9 @@
-- include: mail.yml tags=postfix,mail
- when: "'out' not in group_names"
-- include: roundcube.yml tags=roundcube,webmail
+- import_tasks: ldap.yml
+ when: "'LDAP_provider' not in group_names"
+ tags:
+ - ldap
+ - stunnel
+- import_tasks: roundcube.yml
+ tags:
+ - roundcube
+ - webmail
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 5392242..bd174bc 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -1,117 +1,246 @@
- name: Install PHP
- apt: pkg={{ item }}
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - php-fpm
+ - php-ldap
+ - php-gd
+ - php
+ # spell-checking
+ - php-enchant
+
+## TODO: run php as a dedicated system user
+- name: Configure PHP 7.4 Zend opcache
+ lineinfile: dest=/etc/php/7.4/fpm/php.ini
+ regexp='^;?{{ item.var }}\\s*='
+ line="{{ item.var }} = {{ item.value }}"
+ owner=root group=root
+ mode=0644
with_items:
- - php5-fpm
- - php5-ldap
- - php5-gd
- - php5-pspell
+ - { var: opcache.memory_consumption, value: 128 }
+ - { var: opcache.revalidate_freq, value: 60 }
+ notify:
+ - Restart php7.4-fpm
+
+- name: Create '_roundcube' user
+ user: name=_roundcube system=yes
+ group=nogroup
+ createhome=no
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ password=!
+ state=present
+
+- name: Delete PHP 7.4 FPM's www pool
+ file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
+ notify:
+ - Restart php7.4-fpm
+
+- name: Configure PHP 7.4 FPM's roundcube pool
+ copy: src=etc/php/fpm/pool.d/roundcube.conf
+ dest=/etc/php/7.4/fpm/pool.d/roundcube.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart php7.4-fpm
+
+- name: Start php7.4-fpm
+ service: name=php7.4-fpm state=started
+
+# Make it sticky: `dpkg-statoverride --add _roundcube nogroup 0700 /var/lib/roundcube/temp`
+- name: Create cache directory /var/lib/roundcube/temp
+ file: path=/var/lib/roundcube/temp
+ state=directory
+ owner=_roundcube group=nogroup
+ mode=0700
+
+# Make it sticky: `dpkg-statoverride --add _roundcube adm 0750 /var/log/roundcube`
+- name: Create cache directory /var/log/roundcube
+ file: path=/var/log/roundcube
+ state=directory
+ owner=_roundcube group=adm
+ mode=0750
+
+- name: Install GNU Aspell and some dictionaries
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - aspell
+ - aspell-da
+ - aspell-de
+ - aspell-en
+ - aspell-es
+ - aspell-fr
+ - aspell-no
+ - aspell-sv
- name: Install Roundcube
- apt: pkg={{ item }} default_release={{ ansible_lsb.codename }}-backports
- with_items:
+ apt: pkg={{ packages }}
+ vars:
+ packages:
- roundcube-core
- roundcube-mysql
- roundcube-plugins
+ - roundcube-plugins-extra
+
+- name: Install plugin dependencies
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - php-net-sieve
- name: Copy fripost's logo
- copy: src=var/lib/roundcube/skins/logo_webmail.png
- dest=/var/lib/roundcube/skins/logo_webmail.png
+ copy: src=usr/share/roundcube/program/resources/{{ item }}
+ dest=/usr/share/roundcube/program/resources/{{ item }}
owner=root group=root
mode=0644
+ with_items:
+ - fripost_logo_black.png
+ - fripost_logo_white.png
- name: Configure Roundcube
- lineinfile: dest=/etc/roundcube/main.inc.php
- "regexp=^\\s*\\$rcmail_config\\['{{ item.var }}'\\]\\s*="
- "line=$rcmail_config['{{ item.var }}'] = {{ item.value }};"
- owner=root group=www-data
- mode=0640
+ lineinfile: dest=/etc/roundcube/config.inc.php
+ regexp='^\\s*\\$config\\[\'{{ item.var }}\'\\]\\s*='
+ line='$config[\'{{ item.var }}\'] = {{ item.value }};'
+ owner=_roundcube group=nogroup
+ mode=0600
with_items:
# Logging/Debugging
- - { var: smtp_log, value: "FALSE" }
+ - { var: smtp_log, value: "false" }
# IMAP
- - { var: default_host, value: "'localhost'" }
- - { var: default_port, value: "143" }
- - { var: imap_auth_type, value: "'plain'" }
- - { var: imap_cache, value: "null" }
- - { var: messages_cache, value: "null" }
+ # WARNING: After hostname change update of mail_host column in users
+ # table is required to match old user data records with the new host.
+ - { var: default_host, value: "'{{ imapsvr_addr | ansible.utils.ipaddr }}'" }
+ - { var: default_port, value: "143" }
+ - { var: imap_auth_type, value: "'PLAIN'" }
+ - { var: imap_cache, value: "null" }
+ - { var: imap_timeout, value: "180" }
+ - { var: imap_force_ns, value: "true" }
+ - { var: messages_cache, value: "false" }
# SMTP
- - { var: smtp_server, value: "'localhost'" }
- - { var: smtp_port, value: "2525" }
+ - { var: smtp_server, value: "'{{ postfix_instance.MSA.addr | ansible.utils.ipaddr }}'" }
+ - { var: smtp_port, value: "{{ postfix_instance.MSA.port }}" }
+ - { var: smtp_auth_type, value: "'PLAIN'" }
+ - { var: smtp_user, value: "'%u'" }
+ - { var: smtp_pass, value: "'%p'" }
+ # avoid timeout
+ - { var: max_recipients, value: "15" }
# System
- - { var: force_https, value: "TRUE" }
- - { var: login_autocomplete, value: "2" }
- - { var: skin_logo, value: "'skins/logo_webmail.png'" }
- - { var: username_domain, value: "'fripost.org'" }
- - { var: product_name, value: "'Fripost'" }
+ - { var: force_https, value: "true" }
+ - { var: login_autocomplete, value: "2" }
+ - { var: username_domain, value: "'fripost.org'" }
+ - { var: product_name, value: "'Fripost Webmail'" }
+ - { var: password_charset, value: "'UTF-8'" }
+ - { var: skin_logo, value: 'array("classic:*" => "program/resources/fripost_logo_black.png", "larry:*" => "program/resources/fripost_logo_white.png", "elastic:login[favicon]" => "", "elastic:login" => "program/resources/fripost_logo_black.png")' }
# Plugins
- - { var: plugins, value: "array('additional_message_headers','managesieve','password')" }
+ - { var: plugins, value: "array('archive','additional_message_headers','attachment_reminder','authres_status','emoticons','hide_blockquote','html5_notifier','managesieve','password','thunderbird_labels','vcard_attachments')" }
+ # Spell Checking
+ - { var: enable_spellcheck, value: "'true'" }
+ - { var: spellcheck_engine, value: "'enchant'" }
+ - { var: spellcheck_languages, value: "array('da','de','en','es','fr','no','sv')" }
# User Interface
- - { var: skin, value: "'classic'" }
- - { var: language, value: "'sv_SE'" }
- - { var: create_default_folders, value: "TRUE" }
+ - { var: skin, value: "'elastic'" }
+ - { var: language, value: "'sv_SE'" }
+ - { var: create_default_folders, value: "true" }
+ - { var: support_url, value: "'https://fripost.org/kontakt/'" }
# User Preferences
- - { var: htmleditor, value: "TRUE" }
- - { var: skip_deleted, value: "TRUE" }
- - { var: check_all_folders, value: "FALSE" }
+ - { var: htmleditor, value: "3" }
+ - { var: skip_deleted, value: "true" }
+ - { var: check_all_folders, value: "false" }
+ - { var: hide_blockquote_limit, value: "8" }
+ - { var: attachment_reminder, value: "true" }
+ # Don't allow overriding these settings
+ - { var: dont_override, value: "array('use_fallback_verifier', 'trusted_mtas')" }
- name: Make the logo a hyperlink to the website
lineinfile: dest=/usr/share/roundcube/skins/{{ item }}/templates/login.html
- regexp='^(<roundcube:object name="logo" src="/images/roundcube_logo.png"[^>]* />)$'
- line='<a href="https://fripost.org">\1</a>'
+ regexp='^(\s*)(<roundcube:object name="logo" src="[^"]*"[^>]* />)'
+ line='\1<a href="https://fripost.org">\2</a>'
backrefs=yes
owner=root group=root
mode=0644
with_items:
- classic
- larry
+ - elastic
- name: Configure Roundcube plugins
- template: src=usr/share/roundcube/plugins/{{ item }}/config.inc.php.j2
- dest=/usr/share/roundcube/plugins/{{ item }}/config.inc.php
+ copy: src=etc/roundcube/plugins/{{ item }}/config.inc.php
+ dest=/etc/roundcube/plugins/{{ item }}/config.inc.php
+ owner=root group=root
+ mode=0644
+ with_items:
+ - additional_message_headers
+ - authres_status
+ - password
+ - html5_notifier
+ - thunderbird_labels
+
+- name: Configure Roundcube plugins (2)
+ template: src=etc/roundcube/plugins/{{ item }}/config.inc.php.j2
+ dest=/etc/roundcube/plugins/{{ item }}/config.inc.php
owner=root group=root
mode=0644
with_items:
- - additional_message_headers
- managesieve
- - password
-- name: Start php5-fpm
- service: name=php5-fpm state=started
+- name: Start php7.4-fpm
+ service: name=php7.4-fpm state=started
-- name: Generate a private key and a X.509 certificate for Nginx
- command: genkeypair.sh x509
- --pubkey=/etc/nginx/ssl/mail.fripost.org.pem
- --privkey=/etc/nginx/ssl/mail.fripost.org.key
- --ou=WWW --cn=mail.fripost.org --dns=mail.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Nginx
- tags:
- - genkey
+- name: Copy /etc/cron.d/roundcube-core
+ copy: src=etc/cron.d/roundcube-core
+ dest=/etc/cron.d/roundcube-core
+ owner=root group=root
+ mode=0644
+
+- name: Tweak /etc/logrotate.d/roundcube-core
+ lineinfile: dest=/etc/logrotate.d/roundcube-core
+ regexp='^(\s*)create\s+[0-9]+\s+\S+\s+adm$'
+ backrefs=yes
+ line='\1create 0640 _roundcube adm'
+ owner=root group=root
+ mode=0644
- name: Copy /etc/nginx/sites-available/roundcube
copy: src=etc/nginx/sites-available/roundcube
dest=/etc/nginx/sites-available/roundcube
owner=root group=root
mode=0644
- register: r2
+ register: r1
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/roundcube
file: src=../sites-available/roundcube
dest=/etc/nginx/sites-enabled/roundcube
owner=root group=root
state=link force=yes
+ register: r2
+ notify:
+ - Restart Nginx
+
+- name: Copy HPKP header snippet
+ # never modify the pined pubkeys as we don't want to lock out our users
+ template: src=etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2
+ dest=/etc/nginx/snippets/mail.fripost.org.hpkp-hdr
+ validate=/bin/false
+ owner=root group=root
+ mode=0644
register: r3
notify:
- Restart Nginx
- name: Start Nginx
service: name=nginx state=started
when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
+
+- name: Fetch Nginx's X.509 certificate
+ # Ensure we don't fetch private data
+ become: False
+ fetch_cmd: cmd="openssl x509 -noout -pubkey"
+ stdin=/etc/nginx/ssl/mail.fripost.org.pem
+ dest=certs/public/mail.fripost.org.pub
+ tags:
+ - genkey
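Review bot: `Configure Roundcube` now makes /etc/roundcube/config.inc.php `owner=_roundcube group=nogroup mode=0600`, i.e. writable by the `_roundcube` account created earlier in this file, which is presumably the account the php-fpm pool runs as (the pool file is copied but not shown here), so a compromised PHP process could rewrite its own configuration (IMAP/SMTP hosts, plugin list, `dont_override`) and persist, whereas the previous root:www-data 0640 layout only granted read access. Unless something in the pool must write this file, keep it root-owned and readable by the service account, `owner=root group=_roundcube mode=0640`, with a dedicated `_roundcube` group instead of `nogroup` (nogroup is shared with other unprivileged services, which is the likely reason 0600 was chosen); the same consideration applies to the plugin configs copied under /etc/roundcube/plugins if any of them carry credentials, which this diff does not show. Separately, `Copy HPKP header snippet` passes `validate=/bin/false` without the `%s` placeholder; as far as I know copy/template reject a validate command lacking `%s` before comparing contents, so the task may fail on every run rather than only when the pinned keys would change — confirm on the Ansible version in use, and if refusing any change is the intent, `validate='/bin/false %s'` states it explicitly. Minor: `Start php7.4-fpm` appears twice in the file, and the task named `Create cache directory /var/log/roundcube` creates the log directory, not a cache.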