From 9e1252b6585b7702ad51a0578b7f22d8a536ad42 Mon Sep 17 00:00:00 2001
From: MichiK <michik@michik.net>
Date: Sun, 27 Oct 2019 16:39:49 +0100
Subject: [PATCH] Adapt Postfix config and add Dovecot

---
 dovecot.yml                            | 10 ++++++++++
 host_vars/gabriel.c3heaven.de          |  7 +++++++
 inventory                              |  6 ++++++
 roles/dovecot-pop3d/meta/main.yml      |  4 ++++
 roles/dovecot-pop3d/tasks/main.yml     |  7 +++++++
 roles/dovecot/defaults/main.yml        |  7 +++++++
 roles/dovecot/handlers/main.yml        |  5 +++++
 roles/dovecot/meta/main.yml            |  4 ++++
 roles/dovecot/tasks/main.yml           | 18 ++++++++++++++++++
 roles/dovecot/templates/10-ssl.conf.j2 |  8 ++++++++
 roles/postfix/defaults/main.yml        |  1 +
 roles/postfix/templates/main.cf.j2     |  3 +++
 12 files changed, 80 insertions(+)
 create mode 100644 dovecot.yml
 create mode 100644 roles/dovecot-pop3d/meta/main.yml
 create mode 100644 roles/dovecot-pop3d/tasks/main.yml
 create mode 100644 roles/dovecot/defaults/main.yml
 create mode 100644 roles/dovecot/handlers/main.yml
 create mode 100644 roles/dovecot/meta/main.yml
 create mode 100644 roles/dovecot/tasks/main.yml
 create mode 100644 roles/dovecot/templates/10-ssl.conf.j2

diff --git a/dovecot.yml b/dovecot.yml
new file mode 100644
index 0000000..996bad9
--- /dev/null
+++ b/dovecot.yml
@@ -0,0 +1,10 @@
+# Install and configure Dovecot and its dependencies
+#
+# Please run services-base.yml first.
+
+- name: install and configure Dovecot
+  hosts: dovecot
+  become: yes
+  roles:
+   - dovecot
+   - dovecot-pop3d
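Review bot: `become: yes` on line 41 uses a YAML 1.1 truthy word while the role files in this same commit write booleans canonically (`dovecot_prefer_server_ciphers: true`); change it to `become: true`. The `roles:` sequence is indented three spaces whereas every other sequence in the commit uses two, and this playbook is the only new YAML file without a `---` document start. Aligning on `  - dovecot` / `  - dovecot-pop3d` and a leading `---` keeps yamllint quiet and the files consistent.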
diff --git a/host_vars/gabriel.c3heaven.de b/host_vars/gabriel.c3heaven.de
index c4990c5..a765fdc 100644
--- a/host_vars/gabriel.c3heaven.de
+++ b/host_vars/gabriel.c3heaven.de
@@ -87,6 +87,10 @@ nginx_https_sites:
         proxy_pass http://127.0.0.1:3000;
         proxy_cache_bypass $http_upgrade;
         proxy_redirect off;
+    - location: "~ ^/liste/?$"
+      config: |-
+        return 301 https://$host/Liste;
+
  - name: "sso.c3heaven.de"
    locations:
     - location: "/"
@@ -146,6 +150,7 @@ rspamd_enabled: true
 
 postfix_mydestination: "localhost, $myhostname, c3heaven.de"
 postfix_myorigin: "c3heaven.de"
+postfix_mynetworks: "127.0.0.1/32 159.69.40.72/32 10.23.42.0/24 [::1]/128 [2a01:4f8:c2c:df32::]/64 [2a01:4f8:c2c:b190::]/64 [fe80::9400:ff:fe31:9902]/128 [fe80::8400:ff:fe34:27e5]/128"
 postfix_generic_map:
  - "www-data@c3heaven.de noreply@c3heaven.de"
 postfix_additional_admin_aliases:
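Review bot: `postfix_mynetworks` on line 64 grants relay privileges to the whole of 10.23.42.0/24 and two public /64 prefixes: Postfix's default `smtpd_relay_restrictions` starts with `permit_mynetworks`, so any host in those ranges can submit mail through this server without authenticating. Nothing on the line records why each range is trusted, which is the first thing the next person widening or shrinking the list will need. The value is also far beyond any sensible line length; since the list is space-separated anyway, a `>-` folded scalar with a comment above it keeps the rendered string identical and makes each range reviewable.

```yaml
# Clients Postfix trusts to relay (permit_mynetworks). Keep this to segments
# that are fully under our control; 10.23.42.0/24 is <TODO: name the network>.
postfix_mynetworks: >-
  127.0.0.1/32 159.69.40.72/32 10.23.42.0/24
  [::1]/128 [2a01:4f8:c2c:df32::]/64 [2a01:4f8:c2c:b190::]/64
  [fe80::9400:ff:fe31:9902]/128 [fe80::8400:ff:fe34:27e5]/128
```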
@@ -159,3 +164,5 @@ postfix_virtual_alias_domains:
  - "lists.c3heaven.de"
 postfix_virtual_alias_maps:
  - "hash:/var/lib/mailman/data/virtual-mailman"
+
+# vim: set ft=yaml:
diff --git a/inventory b/inventory
index 7d705f6..8383ea7 100644
--- a/inventory
+++ b/inventory
@@ -22,3 +22,9 @@ ticket.c3heaven.de
 # These are the Keycloak SSO servers (typically just one)
 [keycloak]
 gabriel.c3heaven.de
+
+# Dovecot mail servers
+#
+# These are all servers that are serving mails via Dovecot
+[dovecot]
+gabriel.c3heaven.de
diff --git a/roles/dovecot-pop3d/meta/main.yml b/roles/dovecot-pop3d/meta/main.yml
new file mode 100644
index 0000000..463cf7f
--- /dev/null
+++ b/roles/dovecot-pop3d/meta/main.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - { role: dovecot }
diff --git a/roles/dovecot-pop3d/tasks/main.yml b/roles/dovecot-pop3d/tasks/main.yml
new file mode 100644
index 0000000..744f7d8
--- /dev/null
+++ b/roles/dovecot-pop3d/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+
+# Install and configure the Dovecot POP3 server
+
+- name: install dovecot-pop3d
+  apt: name=dovecot-pop3d state=present
+  tags: [apt, packages, dovecot]
diff --git a/roles/dovecot/defaults/main.yml b/roles/dovecot/defaults/main.yml
new file mode 100644
index 0000000..3ae6571
--- /dev/null
+++ b/roles/dovecot/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+
+dovecot_hostname: "{{ inventory_hostname }}"
+dovecot_ssl_ciphers: "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
+
+dovecot_min_ssl_protocol: "TLSv1.2"
+dovecot_prefer_server_ciphers: true
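Review bot: `DHE-RSA-AES128-GCM-SHA256` appears twice in `dovecot_ssl_ciphers` (fifth and eighth entries), which looks like a copy error; drop the second occurrence. The list also keeps four CBC/SHA-1 suites (`ECDHE-RSA-AES256-SHA`, `ECDHE-RSA-AES128-SHA`, `DHE-RSA-AES256-SHA`, `DHE-RSA-AES128-SHA`) behind the AEAD ones — with `TLSv1.2` as the floor those exist only for legacy clients, so a comment naming which clients still need them, or removing them, would help whoever audits this next. The value is several hundred characters on one line; a `>-` folded scalar with one group of suites per line keeps the string valid, because OpenSSL's cipher-string grammar accepts spaces as separators alongside colons.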
diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml
new file mode 100644
index 0000000..af633a5
--- /dev/null
+++ b/roles/dovecot/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: restart dovecot
+  service: name=dovecot state=restarted
+  tags: [handlers, services, dovecot]
diff --git a/roles/dovecot/meta/main.yml b/roles/dovecot/meta/main.yml
new file mode 100644
index 0000000..197b0be
--- /dev/null
+++ b/roles/dovecot/meta/main.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - { role: acmetool }
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
new file mode 100644
index 0000000..9b25082
--- /dev/null
+++ b/roles/dovecot/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+
+# Install and configure the core of the Dovecot mail server
+
+- name: install dovecot-core
+  apt: name=dovecot-core state=present
+  tags: [apt, packages, dovecot]
+
+- name: dovecot ssl configuration
+  template:
+    src: "10-ssl.conf.j2"
+    dest: "/etc/dovecot/conf.d/10-ssl.conf"
+  notify: restart dovecot
+  tags: [config, dovecot]
+
+- name: start/enable dovecot
+  service: name=dovecot state=started enabled=yes
+  tags: [services, dovecot]
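Review bot: The `apt` and `service` tasks (lines 156 and 167) pass their arguments as `key=value` free-form strings while the template task between them already uses native YAML, so the file mixes both styles. Writing `apt:` / `  name: dovecot-core` / `  state: present` and `enabled: true` instead of `enabled=yes` is what ansible-lint expects and matches how the rest of the commit spells booleans. The same shorthand is used in roles/dovecot-pop3d/tasks/main.yml and roles/dovecot/handlers/main.yml.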
diff --git a/roles/dovecot/templates/10-ssl.conf.j2 b/roles/dovecot/templates/10-ssl.conf.j2
new file mode 100644
index 0000000..8fc06d5
--- /dev/null
+++ b/roles/dovecot/templates/10-ssl.conf.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+ssl = required
+ssl_cert = </var/lib/acme/live/{{ dovecot_hostname }}/fullchain
+ssl_key = </var/lib/acme/live/{{ dovecot_hostname }}/privkey
+ssl_min_protocol = {{ dovecot_min_ssl_protocol }}
+ssl_prefer_server_ciphers = {{ "yes" if dovecot_prefer_server_ciphers else "no" }}
+ssl_cipher_list = '{{ dovecot_ssl_ciphers }}'
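Review bot: Replacing `conf.d/10-ssl.conf` wholesale drops whatever `ssl_dh` line the distribution's stock file carried, and on Dovecot 2.3 the DHE-* suites in `dovecot_ssl_ciphers` cannot be negotiated without one — either add `ssl_dh = <PATH-TO-DH-PARAMS` (path to be confirmed for the target distribution) or remove the DHE suites from the default list. `ssl_min_protocol` only exists from Dovecot 2.3 onward; if the host still runs 2.2 the setting is named `ssl_protocols` and this file will fail to load, so please confirm the installed version. Check with `doveconf -n ssl_cipher_list` that the single quotes around the cipher list are stripped by the config parser rather than passed through to OpenSSL. The role depends on `acmetool`, but no renewal hook that reloads Dovecot is visible in this commit; Dovecot picks up a renewed certificate only on reload or restart, so confirm such a hook exists.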
diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml
index 5475eb6..bbbdfbe 100644
--- a/roles/postfix/defaults/main.yml
+++ b/roles/postfix/defaults/main.yml
@@ -1,5 +1,6 @@
 postfix_mydestination: "localhost, $myhostname"
 postfix_myorigin: null
+postfix_mynetworks: null
 postfix_alias_maps:
  - "hash:/etc/aliases"
 postfix_virtual_alias_domains: []
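Review bot: `postfix_mynetworks: null` on line 190 deserves a comment saying what the unset case means, because `main.cf.j2` (later hunk) guards the line with `{% if postfix_mynetworks %}` and therefore omits `mynetworks` entirely — Postfix then falls back to its `mynetworks_style` default, and an empty string is treated exactly like null. Suggested: `# null: omit mynetworks from main.cf so Postfix's mynetworks_style default applies`.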
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
index e8a8496..9cb2624 100644
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -9,6 +9,9 @@ mydestination = {{ postfix_mydestination }}
 {% if postfix_myorigin %}
 myorigin = {{ postfix_myorigin }}
 {% endif %}
+{% if postfix_mynetworks %}
+mynetworks = {{ postfix_mynetworks }}
+{% endif %}
 
 show_user_unknown_table_name = no
 alias_database = hash:/etc/aliases
-- 
GitLab