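---
# Postfix deployment tasks. Reconstructed from a whitespace-stripped paste:
# booleans normalised to true/false, octal modes quoted consistently with the
# existing '0400', flow mappings expanded to block style. Key nesting inside
# the "deploy certs" vars was inferred and is flagged below.

# Host-specific postfix_config is merged over the role defaults; later
# (host) keys win on conflict, recursively for nested mappings.
- name: set postfix_cfg
  set_fact:
    postfix_cfg: "{{ postfix_default_config | d({}) | combine(postfix_config | d({}), recursive=true) }}"

- name: install postfix
  include_tasks: tasks/install_packages.yml
  vars:
    package:
      - postfix
      - postfix-openrc
      - postfix-pgsql
      - postfix-pcre

- name: create user and group
  include_tasks: tasks/create_user.yml
  vars:
    user:
      name: "{{ postfix_user }}"
      group: "{{ postfix_group }}"

# Postfix checks the spool root's ownership at startup; it must stay root-owned
# even though the queue subdirectories belong to the postfix user.
- name: ensure postfix spool directory is owned by root
  file:
    path: /var/spool/postfix
    state: directory
    owner: root
    group: root

# Config, SQL-snippet and TLS directories are owner-only; no explicit owner is
# set here, so they belong to the connecting/become user — presumably root.
- name: create postfix directory structure
  file:
    path: "{{ item }}"
    state: directory
    mode: '0700'
  loop:
    - "{{ postfix_conf_dir }}"
    - "{{ postfix_sql_dir }}"
    - "{{ postfix_tls_dir }}"

# DH parameters are generated on the target host (remote_gen) and kept
# owner-read-only.
- name: generate dh params
  include_role:
    name: ca
  vars:
    function: dhparams
    dh_params:
      path: "{{ postfix_tls_dh2048 }}"
      mode: '0400'
      remote_gen: true
  notify: restart postfix

# Drop the distribution's stock lookup tables and .proto files so that only
# templated files remain in the config directory.
- name: remove unneeded postfix files
  file:
    path: "{{ postfix_conf_dir ~ '/' ~ item }}"
    state: absent
  loop:
    - access
    - aliases
    - canonical
    - generic
    - header_checks
    - main.cf.proto
    - master.cf.proto
    - relocated
    - transport
    - virtual
  notify: restart postfix

# Loop items are either a bare name (rendered from <name>.j2 to <name>.cf) or a
# src/dest pair for files with a non-.cf extension.
- name: template postfix configuration
  template:
    src: "{{ item if item is string else item.src }}.j2"
    dest: "{{ postfix_conf_dir ~ '/' ~ ((item ~ '.cf') if item is string else item.dest) }}"
    force: true
    mode: '0400'
    lstrip_blocks: true
  loop:
    - src: postscreen_connect
      dest: filter_postscreen_connect.cidr
    - src: smtpd_helo
      dest: filter_smtpd_helo.pcre
    - src: submission_header
      dest: filter_submission_header.pcre
    - main
    - master
    - src: smtpd_checks_relaxed
      dest: smtpd_checks_relaxed.hash
  notify: restart postfix

# One pgsql lookup file per query; 0400 because the rendered files presumably
# embed the database connection settings — confirm against sql.j2.
- name: template postfix sql snippets
  template:
    src: sql.j2
    dest: "{{ postfix_sql_dir ~ '/' ~ item }}.cf"
    force: true
    mode: '0400'
  vars:
    query: "{{ postfix_sql_queries[item] }}"
  loop:
    - aliases
    - domains
    - forwards
    - no_reply
    - self_users
    - shared_users
    - tls_policies
    - users
  notify: restart postfix

- name: install mta resolver
  include_role:
    name: mta-sts
  vars:
    mta_sts_log_verbosity: info
    mta_sts_config:
      port: "{{ mail_server.mta_sts_port }}"

- name: add extra cname record
  include_role:
    name: ns
  vars:
    function: add_records
    ns_add_default_record: false
    ns_records:
      - name: "{{ mail_server.mta_actual_hostname }}"
        type: CNAME
        value: "{{ host_fqdn }}"
  when: mail_server.mta_actual_hostname is defined

# Public DNS: MX/SPF/DMARC/TLSRPT/MTA-STS records. The CNAME entry reads
# mail_server.mta_actual_hostname without the "is defined" guard used by the
# previous task — confirm the variable is mandatory for this role.
# NOTE(review): _adsp._domainkey (ADSP) is a historic mechanism superseded by
# the _dmarc record below; confirm it is still wanted.
- name: add records to external ns
  include_role:
    name: external_ns
  vars:
    nse_items:
      - name: '{{ mail_server.mta_actual_hostname }}'
        type: 'CNAME'
        value: '@'
      - name: '@'
        type: 'MX'
        value: '0 {{ mail_server.mta_actual_hostname ~ "." ~ mail_server.tld ~ "." }}'
      - name: '@'
        type: 'TXT'
        value: 'v=spf1 ip4:{{ mail_server.allowed_spf | join(" ip4:") }} ~all'
      - name: '_adsp._domainkey'
        type: 'TXT'
        value: 'dkim=all'
      - name: '_dmarc'
        type: 'TXT'
        value: 'v=DMARC1;p=reject;sp=reject;rua=mailto:dmarc-report@{{ mail_server.tld }}'
      - name: '_report._domainkey'
        type: 'TXT'
        value: 'ra=dkim-report rr=o:s:u:v'
      - name: '_smtp._tls'
        type: 'TXT'
        value: 'v=TLSRPTv1;rua=mailto:smtp-tls-report@{{ mail_server.tld }}'
      - name: '_mta-sts'
        type: 'TXT'
        value: 'v=STSv1; id={{ mail_server.mta_sts_id | d("sts2022") }}'
    nse_function: add_records
    nse_instant: true

# Two key types (ECC P-384, RSA 2048) for each of the external and internal
# listeners. NOTE(review): the source had no indentation; notify, ecc and
# hostname were placed under "common" because ecc is overridden per cert —
# confirm against the certs role's variable layout.
- name: deploy certs
  include_role:
    name: certs
  vars:
    common:
      owner: root
      group: root
      post_hook: service postfix restart
      notify: restart postfix
      ecc: false
      hostname: "{{ mail_server.mta_actual_hostname }}"
    certs:
      - id: postfix-ecc-ext
        cert: "{{ postfix_tls_ext_ecc384_cert }}"
        key: "{{ postfix_tls_ext_ecc384_key }}"
        ecc: true
        tld: "{{ mail_server.tld }}"
      - id: postfix-ecc-int
        cert: "{{ postfix_tls_int_ecc384_cert }}"
        key: "{{ postfix_tls_int_ecc384_key }}"
        ecc: true
      - id: postfix-rsa-ext
        cert: "{{ postfix_tls_ext_rsa2048_cert }}"
        key: "{{ postfix_tls_ext_rsa2048_key }}"
        tld: "{{ mail_server.tld }}"
      - id: postfix-rsa-int
        cert: "{{ postfix_tls_int_rsa2048_cert }}"
        key: "{{ postfix_tls_int_rsa2048_key }}"

# Run the queued "restart postfix" handler now so the service picks up the
# new config and certificates before the backup plan and service tasks below.
- name: flush handlers
  meta: flush_handlers

- name: add directories to backup plan
  include_role:
    name: backup
  vars:
    function: add
    backup_items:
      - "{{ postfix_conf_dir }}"
      - "{{ postfix_sql_dir }}"
      - "{{ postfix_tls_dir }}"

- name: enable and start postfix
  service:
    name: postfix
    enabled: true
    state: started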