From 17d7427e0bc5e61ee10e28cbc5cba5b8a7566d58 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 5 Jun 2016 17:30:00 +0200
Subject: Use stunnel to secure the connection from the webmail to ldap.fripost.org.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting.
---
roles/webmail/tasks/ldap.yml | 32 ++++++++++++++++++++++++++++++++
roles/webmail/tasks/main.yml | 6 ++++++
2 files changed, 38 insertions(+)
create mode 100644 roles/webmail/tasks/ldap.yml
(limited to 'roles/webmail/tasks')
diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml
new file mode 100644
index 0000000..6df3324
--- /dev/null
+++ b/roles/webmail/tasks/ldap.yml
@@ -0,0 +1,32 @@
+- name: Create /etc/stunnel/certs
+ file: path=/etc/stunnel/certs
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy the ldap's X.509 certificate
+ copy: src=certs/ldap/ldap.fripost.org.pem
+ dest=/etc/stunnel/certs/ldap.pem
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart stunnel@ldap
+
+- name: Configure stunnel
+ copy: src=etc/stunnel/ldap.conf
+ dest=/etc/stunnel/ldap.conf
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart stunnel@ldap
+
+- name: Enable stunnel@ldap
+ service: name=stunnel4@ldap enabled=yes
+
+- name: Start stunnel@ldap
+ service: name=stunnel4@ldap state=started
+ when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml
index 8ee50bd..9c40a34 100644
--- a/roles/webmail/tasks/main.yml
+++ b/roles/webmail/tasks/main.yml
@@ -3,6 +3,12 @@
 tags:
 - postfix
 - mail
+ - stunnel
+- include: ldap.yml
+ when: "'LDAP-provider' not in group_names"
+ tags:
+ - ldap
+ - stunnel
 - include: roundcube.yml
 tags:
 - roundcube
-- cgit v1.2.3
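Review bot: The "Copy the ldap's X.509 certificate" task pins the server certificate at /etc/stunnel/certs/ldap.pem, but whether the tunnel actually authenticates the remote end depends on etc/stunnel/ldap.conf, which is not part of this diff; stunnel only checks the peer when that config enables verification (`verify` together with `CAfile` pointing at the copied file, and `checkHost` where available), so a comment on the copy task recording this dependency would keep the two files from drifting, e.g. `# Pinned server cert; ldap.conf must set CAfile to this path and enable verify, otherwise the tunnel is unauthenticated`. The registered names `r1`/`r2` are opaque; `ldap_cert` and `stunnel_conf` would make `when: not (r1.changed or r2.changed)` on the "Start stunnel@ldap" task self-explanatory. The systemd unit is `stunnel4@ldap` while the task and handler names say `stunnel@ldap`; the "Restart stunnel@ldap" handler is defined outside this diff, so it presumably targets stunnel4@ldap, but that is worth confirming since a mismatched handler would leave the tunnel running on stale config after a certificate or config change.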
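Review bot: The `when: "'LDAP-provider' not in group_names"` on the new ldap.yml include carries no comment explaining why LDAP-provider hosts skip the tunnel; presumably they reach slapd locally while every other webmail host goes through stunnel4@ldap, and the LDAP host/port used by roundcube (configured outside this diff) has to mirror the same split. A comment above the include such as `# Hosts in LDAP-provider run slapd locally; all others reach ldap.fripost.org through the stunnel4@ldap tunnel set up in ldap.yml` would record that coupling for the next person editing either file.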