- name: Install Postfix
  apt: pkg={{ packages }}
  vars:
    packages:
    - postfix
    - postfix-pcre
    - postfix-ldap
    - postfix-lmdb
    # The following is for reserved-alias.pl
    - libnet-ldap-perl
    - libauthen-sasl-perl

- name: Configure Postfix
  template: src=etc/postfix/{{ item }}.j2
            dest=/etc/postfix-{{ postfix_instance[inst].name }}/{{ item }}
            owner=root group=root
            mode=0644
  with_items:
    - main.cf
    - master.cf
    - access-list.cidr
  notify:
    - Reload Postfix

- name: Create directory /etc/postfix-.../virtual
  file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
        state=directory
        owner=root group=root
        mode=0755

# trivial-rewrite(8) runs in a chroot.  We create an empty
# /usr/lib/sasl2 to avoid "No such file or directory" warnings.
# Cf. also #738989.
- name: Create directory /usr/lib/sasl2
  file: path=/var/spool/postfix-{{ postfix_instance[inst].name }}/{{ item }}
        state=directory
        owner=root group=root
        mode=0755
  with_items:
    - /usr/lib/sasl2
    - /usr/lib/{{ ansible_architecture }}-linux-gnu/sasl2
  notify:
    - Reload Postfix

- name: Copy lookup tables (1)
  copy: src=etc/postfix/virtual/{{ item }}
        dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
        owner=root group=root
        mode=0644
  with_items:
    - domains.cf
    # no need to reload upon change, as cleanup(8) is short-running
    - reserved_alias.pcre
    - alias.cf
    - mailbox.cf
    - list.cf
    - alias_domains.cf
    - catchall.cf

- name: Copy lookup tables (2)
  template: src=etc/postfix/virtual/transport.j2
            dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport
            owner=root group=root
            mode=0644

- name: Copy recipient access(5) map
  copy: src=etc/postfix/reject-unknown-client-hostname.cf
            dest=/etc/postfix-{{ postfix_instance[inst].name }}/reject-unknown-client-hostname.cf
            owner=root group=root
            mode=0644
  notify:
    - Reload Postfix

- name: Compile the Postfix transport maps
  # trivial-rewrite(8) is a long-running process, so it's safer to reload
  postmap: instance={{ postfix_instance[inst].name }}
           src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=lmdb
           owner=root group=root
           mode=0644
  notify:
    - Reload Postfix

- name: Copy reserved-alias.pl
  copy: src=usr/local/bin/reserved-alias.pl
        dest=/usr/local/bin/reserved-alias.pl
        owner=root group=staff
        mode=0755

- name: Create directory /etc/postfix/ssl
  file: path=/etc/postfix-{{ postfix_instance[inst].name }}/ssl
        state=directory
        owner=root group=root
        mode=0755
  tags:
    - genkey

- meta: flush_handlers

- name: Start Postfix
  service: name=postfix state=started

- name: Fetch Postfix's X.509 certificate
  # Ensure we don't fetch private data
  become: False
  # `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
  fetch_cmd: cmd="openssl x509 -noout -pubkey"
             stdin=/etc/postfix-{{ postfix_instance[inst].name }}/ssl/mx.fripost.org.pem
             dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pub
  tags:
    - genkey


- name: Install 'postfix_mailqueue_' Munin wildcard plugin
  file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
        dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
        owner=root group=root
        state=link force=yes
  tags:
    - munin
    - munin-node
  notify:
    - Restart munin-node

- name: Install 'postfix_stats_' Munin wildcard plugin
  file: src=/usr/local/share/munin/plugins/postfix_stats_
        dest=/etc/munin/plugins/postfix_stats_{{ item }}_postfix-{{ postfix_instance[inst].name }}
        owner=root group=root
        state=link force=yes
  with_items:
    - postscreen
    - smtpd
    - qmgr
    - smtp
    - pipe
  tags:
    - munin
    - munin-node
  notify:
    - Restart munin-node

# XXX we probaly want SPF verification for domains without DMARC
# policies
- name: Install OpenDMARC
  apt: pkg=opendmarc

- name: Copy OpenDMARC configuration
  copy: src=etc/opendmarc.conf
        dest=/etc/opendmarc.conf
        owner=root group=root
        mode=0644
  notify:
    - Stop OpenDMARC

- name: Create directory /etc/systemd/system/opendmarc.service.d
  file: path=/etc/systemd/system/opendmarc.service.d
        state=directory
        owner=root group=root
        mode=0755

- name: Harden OpenDMARC service unit
  copy: src=etc/systemd/system/opendmarc.service.d/override.conf
        dest=/etc/systemd/system/opendmarc.service.d/override.conf
        owner=root group=root
        mode=0644
  notify:
    - systemctl daemon-reload
    - Stop OpenDMARC

- meta: flush_handlers

- name: Copy OpenDMARC socket unit
  copy: src=etc/systemd/system/opendmarc.socket
        dest=/etc/systemd/system/opendmarc.socket
        owner=root group=root
        mode=0644
  notify:
    - systemctl daemon-reload
    - Restart OpenDMARC

- name: Disable OpenDMARC service
  service: name=opendmarc.service enabled=false

- name: Start OpenDMARC socket
  service: name=opendmarc.socket state=started enabled=true