- name: Install Dovecot
  apt: pkg={{ packages }}
  vars:
    packages:
    - dovecot-core
    - dovecot-ldap
    - dovecot-imapd
    - dovecot-lmtpd
    - dovecot-antispam
    - dovecot-managesieved
    - dovecot-sieve

- name: Create a user 'vmail'
  user: name=vmail system=yes
        createhome=no
        home=/home/mail
        shell=/usr/sbin/nologin
        password=!
        state=present

- name: Install Net::LDAP and Authen::SASL
  apt: pkg={{ packages }}
  vars:
    packages:
    - libnet-ldap-perl
    - libauthen-sasl-perl

- name: Copy dovecot auth proxy
  copy: src=usr/local/bin/dovecot-auth-proxy.pl
        dest=/usr/local/bin/dovecot-auth-proxy.pl
        owner=root group=staff
        mode=0755

# Required for IDLE as all imap processes have the same UID (vmail).
- name: Set per user maximum number of inotify instances to 512
  sysctl: name=fs.inotify.max_user_instances value=512 sysctl_set=yes
  tags:
   - sysctl

- name: Create '_dovecot-auth-proxy' user
  user: name=_dovecot-auth-proxy system=yes
        group=nogroup
        createhome=no
        home=/nonexistent
        shell=/usr/sbin/nologin
        password=!
        state=present

- name: Copy dovecot auth proxy systemd unit files
  copy: src=etc/systemd/system/{{ item }}
        dest=/etc/systemd/system/{{ item }}
        owner=root group=root
        mode=0644
  with_items:
    - dovecot-auth-proxy.service
    - dovecot-auth-proxy.socket
  notify:
    - systemctl daemon-reload

- meta: flush_handlers

- name: Enable dovecot auth proxy
  service: name=dovecot-auth-proxy.socket state=started enabled=yes

# The ownership and permissions ensure that dovecot won't try to
# deliver mails under an umounted mountpoint.
- name: Create a home directory for user 'vmail'
  file: path=/home/mail
        state=directory
        owner=root group=root
        mode=0755

- name: Mount /home/mail
  mount: src=/dev/mapper/luksMail
         path=/home/mail
         fstype=ext4
         opts=noauto
         state=mounted

- name: Create /home/mail/{virtual,attachments,spamspool}
  file: path=/home/mail/{{ item }}
        state=directory
        owner=vmail group=vmail
        mode=0700
  with_items:
    - virtual
    - attachments
    - spamspool

- name: Create a cronjob for purging and SIS deduplication
  copy: src=etc/cron.d/doveadm
        dest=/etc/cron.d/doveadm
        owner=root group=root
        mode=0644

- name: Create virtual mailbox directories
  file: path=/etc/dovecot/virtual/{{ item }}
        state=directory
        owner=root group=root
        mode=0755
  with_items:
    - all
    - flagged
    - recent
    - unseen

- name: Create virtual mailboxes
  copy: src=etc/dovecot/virtual/{{ item }}/dovecot-virtual
        dest=/etc/dovecot/virtual/{{ item }}/dovecot-virtual
        owner=root group=root
        mode=0644
  with_items:
    - all
    - flagged
    - recent
    - unseen

- name: Create directory /etc/dovecot/ssl
  file: path=/etc/dovecot/ssl
        state=directory
        owner=root group=root
        mode=0755


- name: Fetch Dovecot's X.509 certificate
  # Ensure we don't fetch private data
  become: False
  fetch_cmd: cmd="openssl x509 -noout -pubkey"
             stdin=/etc/dovecot/ssl/imap.fripost.org.pem
             dest=certs/public/imap.fripost.org.pub
  tags:
    - genkey

- name: Configure Dovecot
  copy: src=etc/dovecot/{{ item }}
        dest=/etc/dovecot/{{ item }}
        owner=root group=root
        mode=0644
  register: r1
  with_items:
    - conf.d/10-auth.conf
    - conf.d/auth-ldap.conf.ext
    - dovecot-ldap.conf.ext
    - dovecot-ldap-userdb.conf.ext
  notify:
    - Restart Dovecot

- name: Configure Dovecot (2)
  template: src=etc/dovecot/{{ item }}.j2
            dest=/etc/dovecot/{{ item }}
            owner=root group=root
            mode=0644
  register: r2
  with_items:
    - conf.d/99-local.conf
  notify:
    - Restart Dovecot

# TODO bookworm remove the below and inline the !include_try
- name: Copy /etc/dovecot/ssl/config workaround
  copy: src=etc/dovecot/ssl/config
        dest=/etc/dovecot/ssl/config
        owner=root group=root
        mode=0600
  notify:
    - Restart Dovecot

- name: Tell Dovecot we have a remote IMAP proxy
  lineinfile: dest=/etc/dovecot/dovecot.conf
              regexp='^(\s*#)?\s*login_trusted_networks\s*='
              line="login_trusted_networks = {{ ipsec_subnet }}"
              state=present
              create=yes
              owner=root group=root
              mode=0644
  register: r3
  when: "groups.all | length > 1"
  notify:
    - Restart Dovecot

- name: Start Dovecot
  service: name=dovecot state=started
  when: not (r1.changed or r2.changed or r3.changed)

- meta: flush_handlers


- name: Install 'dovecot_stats_' Munin wildcard plugin
  file: src=/usr/local/share/munin/plugins/dovecot_stats_
        dest=/etc/munin/plugins/dovecot_stats_fripost.org
        owner=root group=root
        state=link force=yes
  tags:
    - munin
    - munin-node
  notify:
    - Restart munin-node

- name: Install 'dovecot_logins' and 'dovecot_who' Munin plugin
  file: src=/usr/local/share/munin/plugins/{{ item }}
        dest=/etc/munin/plugins/{{ item }}
        owner=root group=root
        state=link force=yes
  with_items:
    - dovecot_logins
    - dovecot_who
  tags:
    - munin
    - munin-node
  notify:
    - Restart munin-node