ansible-playbooks/roles/postfix/tasks/main.yml

# Effective postfix settings: the role defaults deep-merged with the caller's
# postfix_config, so a caller only has to list the keys it overrides.
- name: set postfix_cfg
  set_fact:
    postfix_cfg: >-
      {{ postfix_default_config | d({})
      | combine(postfix_config | d({}), recursive=true) }}
# Postfix plus the service script and the pgsql/pcre lookup-table drivers the
# templated configuration relies on (the -openrc naming looks like Alpine's).
- name: install postfix
  include_tasks: tasks/install_packages.yml
  vars:
    package: [postfix, postfix-openrc, postfix-pgsql, postfix-pcre]
# Dedicated unprivileged account the postfix daemons drop to.
- name: create user and group
  include_tasks: tasks/create_user.yml
  vars:
    user:
      name: '{{ postfix_user }}'
      group: '{{ postfix_group }}'
# Postfix expects its queue directory to be owned by root ("postfix check"
# warns otherwise); only ownership is enforced here, the mode is intentionally
# left to postfix itself.
- name: ensure postfix spool directory is owned by root
  file:
    path: /var/spool/postfix
    state: directory
    owner: root
    group: root
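# Private directories for the rendered config, the SQL lookup snippets and the
# TLS material. The mode is quoted on purpose: an unquoted 0700 is only octal
# under YAML 1.1 parsers; a YAML 1.2 parser reads it as decimal 700 and sets the
# wrong bits (ansible-lint risky-octal).
# NOTE(review): 0700 on the conf dir also hides main.cf from unprivileged
# callers of postfix's sendmail/postqueue wrappers — acceptable when nothing on
# this host submits mail locally; confirm.
- name: create postfix directory structure
  file:
    path: "{{ item }}"
    state: directory
    mode: '0700'
  loop:
    - "{{ postfix_conf_dir }}"
    - "{{ postfix_sql_dir }}"
    - "{{ postfix_tls_dir }}"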
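# DH parameters for the TLS listener (postfix_tls_dh2048 — presumably 2048-bit),
# produced by the ca role, root-readable only. Booleans are written canonically
# (true/false) rather than yes/no, which only YAML 1.1 parsers treat as booleans.
- name: generate dh params
  include_role:
    name: ca
  vars:
    function: dhparams
    dh_params:
      path: "{{ postfix_tls_dh2048 }}"
      mode: '0400'
      remote_gen: true
  notify: restart postfix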
# Drop the distribution's sample lookup tables and .proto files so the
# configuration directory only contains what this role templates.
- name: remove unneeded postfix files
  file:
    path: '{{ postfix_conf_dir }}/{{ item }}'
    state: absent
  loop:
    - access
    - aliases
    - canonical
    - generic
    - header_checks
    - main.cf.proto
    - master.cf.proto
    - relocated
    - transport
    - virtual
  notify: restart postfix
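# Render main.cf/master.cf and the filter tables. A plain string item becomes
# <item>.cf from <item>.j2; a mapping item names its own source and destination
# (the cidr/pcre/hash tables). Everything lands root-only at 0400 (mode quoted
# so it stays octal on any YAML parser).
# NOTE(review): no postmap step is visible for smtpd_checks_relaxed.hash —
# confirm main.cf reads it as texthash: or that a handler builds the .db file.
- name: template postfix configuration
  template:
    src: "{{ item if item is string else item.src }}.j2"
    dest: "{{ postfix_conf_dir ~ '/' ~ ((item ~ '.cf') if item is string else item.dest) }}"
    force: true
    mode: '0400'
    lstrip_blocks: true
  loop:
    - { src: postscreen_connect, dest: filter_postscreen_connect.cidr }
    - { src: smtpd_helo, dest: filter_smtpd_helo.pcre }
    - { src: submission_header, dest: filter_submission_header.pcre }
    - main
    - master
    - { src: smtpd_checks_relaxed, dest: smtpd_checks_relaxed.hash }
  notify: restart postfix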
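# One pgsql lookup-table file per entry of postfix_sql_queries, all rendered
# from sql.j2 with the matching query. Root-only 0400 (quoted so it stays
# octal on any YAML parser) because these files are expected to carry the
# database connection settings — confirm against sql.j2.
# NOTE(review): the daemons that open pgsql tables normally run unprivileged;
# confirm they can read root-only 0400 files with the main.cf/master.cf in use
# here, or whether the postfix group needs read access instead.
- name: template postfix sql snippets
  template:
    src: sql.j2
    dest: "{{ postfix_sql_dir ~ '/' ~ item }}.cf"
    force: true
    mode: '0400'
  vars:
    query: "{{ postfix_sql_queries[item] }}"
  loop:
    - aliases
    - domains
    - forwards
    - no_reply
    - self_users
    - shared_users
    - tls_policies
    - users
  notify: restart postfix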
# Serves the MTA-STS policy that the _mta-sts TXT record advertises.
- name: install mta resolver
  include_role:
    name: mta-sts
  vars:
    mta_sts_config:
      port: '{{ mail_server.mta_sts_port }}'
    mta_sts_log_verbosity: info
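# Point mta_actual_hostname at this host through the ns role, but only when the
# caller provided one. Boolean written canonically (false instead of no).
- name: add extra cname record
  include_role:
    name: ns
  vars:
    function: add_records
    ns_add_default_record: false
    ns_records:
      - name: "{{ mail_server.mta_actual_hostname }}"
        type: CNAME
        value: "{{ host_fqdn }}"
  when: mail_server.mta_actual_hostname is defined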
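# Public DNS for the mail domain: MX, SPF, DMARC, DKIM reporting, TLS reporting
# and MTA-STS. Block style instead of one flow mapping per record keeps the long
# TXT values within line-length limits; nse_instant is a canonical boolean.
# NOTE(review): unlike the CNAME task above, nothing here guards on
# mail_server.mta_actual_hostname being defined, so it is effectively mandatory.
- name: add records to external ns
  include_role:
    name: external_ns
  vars:
    nse_function: add_records
    nse_instant: true
    nse_items:
      - name: '{{ mail_server.mta_actual_hostname }}'
        type: 'CNAME'
        value: '@'
      - name: '@'
        type: 'MX'
        value: '0 {{ mail_server.mta_actual_hostname ~ "." ~ mail_server.tld ~ "." }}'
      # ~all is a softfail; the DMARC p=reject below is what actually rejects
      - name: '@'
        type: 'TXT'
        value: 'v=spf1 ip4:{{ mail_server.allowed_spf | join(" ip4:") }} ~all'
      # ADSP (RFC 5617) is Historic and superseded by DMARC; harmless to keep
      - name: '_adsp._domainkey'
        type: 'TXT'
        value: 'dkim=all'
      - name: '_dmarc'
        type: 'TXT'
        value: 'v=DMARC1;p=reject;sp=reject;rua=mailto:dmarc-report@{{ mail_server.tld }}'
      - name: '_report._domainkey'
        type: 'TXT'
        value: 'ra=dkim-report rr=o:s:u:v'
      - name: '_smtp._tls'
        type: 'TXT'
        value: 'v=TLSRPTv1;rua=mailto:smtp-tls-report@{{ mail_server.tld }}'
      # the id must change whenever the served policy changes, or senders keep
      # their cached copy
      - name: '_mta-sts'
        type: 'TXT'
        value: 'v=STSv1; id={{ mail_server.mta_sts_id | d("sts2022") }}'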
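# Four certificates: ECC and RSA, each in an external flavour (public, carries
# the tld) and an internal one. common: holds the per-cert defaults; the ecc
# flags are canonical booleans (true/false, not yes/no).
# NOTE(review): the nesting of notify/ecc/hostname under common is inferred —
# confirm the certs role reads them from common rather than from top-level vars.
# NOTE(review): post_hook and notify both restart postfix; one of the two is
# probably redundant — verify which one the certs role honours.
- name: deploy certs
  include_role:
    name: certs
  vars:
    common:
      owner: root
      group: root
      post_hook: service postfix restart
      notify: restart postfix
      ecc: false
      hostname: "{{ mail_server.mta_actual_hostname }}"
    certs:
      - id: postfix-ecc-ext
        cert: "{{ postfix_tls_ext_ecc384_cert }}"
        key: "{{ postfix_tls_ext_ecc384_key }}"
        ecc: true
        tld: "{{ mail_server.tld }}"
      - id: postfix-ecc-int
        cert: "{{ postfix_tls_int_ecc384_cert }}"
        key: "{{ postfix_tls_int_ecc384_key }}"
        ecc: true
      - id: postfix-rsa-ext
        cert: "{{ postfix_tls_ext_rsa2048_cert }}"
        key: "{{ postfix_tls_ext_rsa2048_key }}"
        tld: "{{ mail_server.tld }}"
      - id: postfix-rsa-int
        cert: "{{ postfix_tls_int_rsa2048_cert }}"
        key: "{{ postfix_tls_int_rsa2048_key }}"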
# Run the pending 'restart postfix' notifications now, so postfix comes up on
# the final configuration before it is enabled further down.
- name: flush handlers
  meta: flush_handlers
# Register config, SQL snippets and TLS material with the backup role.
# NOTE(review): postfix_tls_dir holds private keys, so the backup destination
# needs at least the same protection as this host.
- name: add directories to backup plan
  include_role:
    name: backup
  vars:
    function: add
    backup_items:
      - '{{ postfix_conf_dir }}'
      - '{{ postfix_sql_dir }}'
      - '{{ postfix_tls_dir }}'
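# Enable at boot and start (or leave running); enabled is a canonical boolean
# rather than the YAML 1.1-only yes.
- name: enable and start postfix
  service:
    name: postfix
    enabled: true
    state: started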