From 24a36c13536dc4cb247aab7a7e147861114d51cc Mon Sep 17 00:00:00 2001
From: Nemo
Date: Sun, 2 Aug 2020 18:18:01 +0200
Subject: [PATCH] Mail server playbook and role (not finished)

---
playbook_mail_deploy.yml | 4 ++
roles/mail_server/.gitignore | 2 +
roles/mail_server/.travis.yml | 18 ++++++++
roles/mail_server/LICENSE | 20 ++++++++
roles/mail_server/README.md | 45 ++++++++++++++++++
roles/mail_server/defaults/main.yml | 15 ++++++
roles/mail_server/handlers/main.yml | 6 +++
roles/mail_server/meta/.galaxy_install_info | 1 +
roles/mail_server/meta/main.yml | 23 ++++++++++
roles/mail_server/tasks/alias.yml | 9 ++++
roles/mail_server/tasks/dkim.yml | 17 +++++++
roles/mail_server/tasks/main.yml | 9 ++++
roles/mail_server/tasks/package.yml | 51 +++++++++++++++++++++
roles/mail_server/tasks/postfix.yml | 21 +++++++++
roles/mail_server/vars/Debian.yml | 2 +
roles/mail_server/vars/Gentoo.yml | 2 +
roles/mail_server/vars/RedHat.yml | 2 +
17 files changed, 247 insertions(+)
create mode 100644 playbook_mail_deploy.yml
create mode 100644 roles/mail_server/.gitignore
create mode 100644 roles/mail_server/.travis.yml
create mode 100644 roles/mail_server/LICENSE
create mode 100644 roles/mail_server/README.md
create mode 100644 roles/mail_server/defaults/main.yml
create mode 100644 roles/mail_server/handlers/main.yml
create mode 100644 roles/mail_server/meta/.galaxy_install_info
create mode 100644 roles/mail_server/meta/main.yml
create mode 100644 roles/mail_server/tasks/alias.yml
create mode 100644 roles/mail_server/tasks/dkim.yml
create mode 100644 roles/mail_server/tasks/main.yml
create mode 100644 roles/mail_server/tasks/package.yml
create mode 100644 roles/mail_server/tasks/postfix.yml
create mode 100644 roles/mail_server/vars/Debian.yml
create mode 100644 roles/mail_server/vars/Gentoo.yml
create mode 100644 roles/mail_server/vars/RedHat.yml

diff --git a/playbook_mail_deploy.yml b/playbook_mail_deploy.yml
new file mode 100644
index 0000000..a240e5e
--- /dev/null
+++ b/playbook_mail_deploy.yml
@@ -0,0 +1,4 @@
+---
+- hosts: mail_server
+ roles:
+ - mail_server
diff --git a/roles/mail_server/.gitignore b/roles/mail_server/.gitignore
new file mode 100644
index 0000000..c9b2377
--- /dev/null
+++ b/roles/mail_server/.gitignore
@@ -0,0 +1,2 @@
+*.retry
+tests/test.sh
diff --git a/roles/mail_server/.travis.yml b/roles/mail_server/.travis.yml
new file mode 100644
index 0000000..e4a7f31
--- /dev/null
+++ b/roles/mail_server/.travis.yml
@@ -0,0 +1,18 @@
+---
+services: docker
+
+env:
+ - distro: centos7
+ - distro: ubuntu1604
+ - distro: debian9
+
+script:
+ # Download test shim.
+ - wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/geerlingguy/73ef1e5ee45d8694570f334be385e181/raw/
+ - chmod +x ${PWD}/tests/test.sh
+
+ # Run tests.
+ - ${PWD}/tests/test.sh
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/roles/mail_server/LICENSE b/roles/mail_server/LICENSE
new file mode 100644
index 0000000..4275cf3
--- /dev/null
+++ b/roles/mail_server/LICENSE
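Review bot: The `script` step in `.travis.yml` downloads `tests/test.sh` from an unpinned gist `raw/` URL and executes it on every CI run, so whoever controls that gist controls the commands run in CI, and a later edit to the gist silently changes what is tested. Pin the download to a specific gist revision and verify it before running, e.g. `- wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/geerlingguy/73ef1e5ee45d8694570f334be385e181/raw/<GIST_REVISION>/test.sh` followed by `- echo "<EXPECTED_SHA256>  ${PWD}/tests/test.sh" | sha256sum -c -` (both placeholders to be filled from the revision you reviewed). Alternatively vendor the script into the repository, which also removes the need for the `tests/test.sh` entry in `.gitignore`.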
@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Jeff Geerling
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/roles/mail_server/README.md b/roles/mail_server/README.md
new file mode 100644
index 0000000..37d5f53
--- /dev/null
+++ b/roles/mail_server/README.md
@@ -0,0 +1,45 @@
+# Ansible Role: Mail Server
+
+Installs postfix on RedHat/CentOS, Gentoo or Debian/Ubuntu.
+
+## Requirements
+
+If you're using this as an SMTP relay server, you will need to do that on your own, and open TCP port 25 in your server firewall.
+
+## Role Variables
+
+Available variables are listed below, along with default values (see `defaults/main.yml`):
+
+ postfix_config_file: /etc/postfix/main.cf
+ aliases_config_file: /etc/aliases
+
+The path to the Postfix `main.cf` and aliases configuration file.
+
+ postfix_service_state: started
+ postfix_service_enabled: yes
+
+The state in which the Postfix service should be after this role runs, and whether to enable the service on startup.
+
+ postfix_inet_interfaces: localhost
+ postfix_inet_protocols: all
+
+Options for values `inet_interfaces` and `inet_protocols` in the `main.cf` file.
+
+ alias_email: "{{ system_admin_email }}"
+
+The email address of admin user (to receive system notification).
+
+## Dependencies
+
+None.
+
+## Example Playbook
+
+ - hosts: all
+ roles:
+ - postfix
+
+## License
+
+MIT / BSD
+
diff --git a/roles/mail_server/defaults/main.yml b/roles/mail_server/defaults/main.yml
new file mode 100644
index 0000000..0534550
--- /dev/null
+++ b/roles/mail_server/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+postfix_config_file: /etc/postfix/main.cf
+aliases_config_file: /etc/aliases
+
+postfix_service_state: started
+postfix_service_enabled: yes
+
+postfix_inet_interfaces: localhost
+postfix_inet_protocols: all
+
+alias_email: "{{ system_admin_email }}"
+
+dkim_mail_key: ""
+dkim_mail_txt: ""
+dkim_mail_domain: ""
diff --git a/roles/mail_server/handlers/main.yml b/roles/mail_server/handlers/main.yml
new file mode 100644
index 0000000..80d18eb
--- /dev/null
+++ b/roles/mail_server/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart postfix
+ service: name=postfix state=restarted
+
+- name: update aliases
+ command: postalias {{ aliases_config_file }}
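Review bot: `postfix_service_enabled: yes` in `defaults/main.yml` is a YAML 1.1 boolean that a YAML 1.2 parser reads as the string `yes`; write `postfix_service_enabled: true` (the README documents the same value and should follow). `dkim_mail_key` defaults to an empty string but is a private signing key, so the file should say where it is expected to come from, e.g. `# Private DKIM signing key; supply from an encrypted (vault) variable, never from plain inventory.` above that line. `alias_email` references `system_admin_email`, which nothing in this role defines, so a comment such as `# The caller must define system_admin_email, or override alias_email directly.` would save the first user a failed run.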
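Review bot: `service: name=postfix state=restarted` in `handlers/main.yml` uses the legacy `key=value` argument string while every task file in this role passes module arguments as native YAML; for consistency write it as a block, `service:` / `name: postfix` / `state: restarted`. The `update aliases` handler runs `postalias` through `command`, which always reports changed; that is acceptable for a handler but deserves a one-line comment, e.g. `# Rebuild the aliases database; only runs when the aliases file was changed.`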
diff --git a/roles/mail_server/meta/.galaxy_install_info b/roles/mail_server/meta/.galaxy_install_info
new file mode 100644
index 0000000..cbb7927
--- /dev/null
+++ b/roles/mail_server/meta/.galaxy_install_info
@@ -0,0 +1 @@
+{install_date: 'Sun Jul 12 12:53:58 2020', version: 2.0.0}
diff --git a/roles/mail_server/meta/main.yml b/roles/mail_server/meta/main.yml
new file mode 100644
index 0000000..ac04dfe
--- /dev/null
+++ b/roles/mail_server/meta/main.yml
@@ -0,0 +1,23 @@
+---
+dependencies: []
+
+galaxy_info:
+ author: nemo
+ description: Mail server for RedHat/CentOS or Debian/Ubuntu.
+ company: "Wirebrass"
+ license: "license (BSD, MIT)"
+ min_ansible_version: 1.8
+ platforms:
+ - name: EL
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - all
+ galaxy_tags:
+ - networking
+ - system
+ - mail
diff --git a/roles/mail_server/tasks/alias.yml b/roles/mail_server/tasks/alias.yml
new file mode 100644
index 0000000..b930fb9
--- /dev/null
+++ b/roles/mail_server/tasks/alias.yml
@@ -0,0 +1,9 @@
+---
+- name: Update mail aliases.
+ lineinfile:
+ dest: "{{ aliases_config_file }}"
+ line: "root: {{ alias_email }}"
+ regexp: "^root:"
+ when: alias_email != "root"
+ notify: update aliases
+
diff --git a/roles/mail_server/tasks/dkim.yml b/roles/mail_server/tasks/dkim.yml
new file mode 100644
index 0000000..96cb8d6
--- /dev/null
+++ b/roles/mail_server/tasks/dkim.yml
@@ -0,0 +1,17 @@
+---
+- name: DKIM key deployed.
+ copy:
+ dest: "/etc/dkimkeys/{{ dkim_mail_domain }}.mail.key"
+ content: "{{ dkim_mail_key }}\n"
+ owner: _rspamd
+ group: root
+ mode: 0400
+
+- name: DKIM txt file with DNS record deployed.
+ copy:
+ dest: "/etc/dkimkeys/{{ dkim_mail_domain }}.mail.txt"
+ content: "{{ dkim_mail_txt }}\n"
+ owner: root
+ group: root
+ mode: 0600
+
diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml
new file mode 100644
index 0000000..d3d94c4
--- /dev/null
+++ b/roles/mail_server/tasks/main.yml
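Review bot: `min_ansible_version: 1.8` in `meta/main.yml` is parsed as a float, which is harmless for `1.8` but silently wrong for versions such as `2.10` (read as `2.1`); quote it as `min_ansible_version: "1.8"`. `license: "license (BSD, MIT)"` is the Galaxy skeleton placeholder and disagrees with the bundled MIT LICENSE file, so set it to the actual license identifier. The role ships `vars/Gentoo.yml` but `platforms` lists only EL, Debian and Ubuntu; either add Gentoo here or drop that vars file.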
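Review bot: `when: alias_email != "root"` in `alias.yml` renders the default `alias_email: "{{ system_admin_email }}"`, and nothing in this role defines `system_admin_email`, so on a host where the caller has not set it the task fails with an undefined-variable error instead of skipping. Either give `system_admin_email` a default in `defaults/main.yml`, or check it up front with a task such as `assert: { that: system_admin_email is defined }` so the failure names the missing variable.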
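Review bot: The first `copy` task in `dkim.yml` writes the DKIM private key from `dkim_mail_key` via `content:`, so a run with `-v` or `--diff` prints the key material to the console and to any job log that captures it; add `no_log: true` to that task. `mode: 0400` and `mode: 0600` are unquoted octal literals that happen to work under YAML 1.1 (read as 256 and 384), but Ansible's documented form is the quoted string, `mode: "0400"` and `mode: "0600"`. Both tasks run unconditionally, so with the empty defaults for `dkim_mail_domain` and `dkim_mail_key` they create `/etc/dkimkeys/.mail.key` holding a single newline; guard them with `when: dkim_mail_key | length > 0`. The role never ensures `/etc/dkimkeys` exists, and the key is owned by `_rspamd` although `package.yml` installs both `rspamd` and `opendkim` — presumably rspamd is the intended signer, which is worth stating in a comment.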
@@ -0,0 +1,9 @@
+---
+- name: Include OS-specific variables.
+ include_vars: "{{ ansible_os_family }}.yml"
+
+- import_tasks: package.yml
+- import_tasks: dkim.yml
+- import_tasks: alias.yml
+- import_tasks: postfix.yml
+
diff --git a/roles/mail_server/tasks/package.yml b/roles/mail_server/tasks/package.yml
new file mode 100644
index 0000000..633a943
--- /dev/null
+++ b/roles/mail_server/tasks/package.yml
@@ -0,0 +1,51 @@
+---
+- name: Ensure postfix is installed.
+ package:
+ name: postfix
+ state: present
+
+- name: Ensure dovecot-core is installed.
+ package:
+ name: dovecot-core
+ state: present
+
+- name: Ensure dovecot-antispam is installed.
+ package:
+ name: dovecot-antispam
+ state: present
+
+- name: Ensure dovecot-imapd is installed.
+ package:
+ name: dovecot-imapd
+ state: present
+
+- name: Ensure dovecot-sieve is installed.
+ package:
+ name: dovecot-sieve
+ state: present
+
+- name: Ensure fail2ban is installed.
+ package:
+ name: fail2ban
+ state: present
+
+- name: Ensure mailutils is installed.
+ package:
+ name: mailutils
+ state: present
+
+- name: Ensure rspamd is installed.
+ package:
+ name: rspamd
+ state: present
+
+- name: Ensure opendkim is installed.
+ package:
+ name: opendkim
+ state: present
+
+- name: Ensure opendkim-tools is installed.
+ package:
+ name: opendkim-tools
+ state: present
+
diff --git a/roles/mail_server/tasks/postfix.yml b/roles/mail_server/tasks/postfix.yml
new file mode 100644
index 0000000..855859c
--- /dev/null
+++ b/roles/mail_server/tasks/postfix.yml
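Review bot: The package names in `package.yml` (`dovecot-core`, `dovecot-imapd`, `dovecot-sieve`, `mailutils`, `opendkim-tools`) are Debian/Ubuntu names, while the README and `meta/main.yml` advertise RedHat/CentOS and `tasks/main.yml` already loads a per-OS vars file; on an EL host the `package` module fails on the first name that does not exist. Move the list into `vars/Debian.yml`, `vars/RedHat.yml` and `vars/Gentoo.yml` as a `mail_server_packages` list (the EL and Gentoo names need to be looked up) and install it with one looped task, which also collapses ten identical five-line tasks. Installing both `rspamd` and `opendkim` looks redundant given `dkim.yml` hands the key to `_rspamd`; confirm which signer is intended and drop the other.
```yaml
- name: Ensure mail server packages are installed.
  package:
    name: "{{ item }}"
    state: present
  with_items: "{{ mail_server_packages }}"
```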
@@ -0,0 +1,21 @@
+---
+- name: Update Postfix configuration.
+ lineinfile:
+ dest: "{{ postfix_config_file }}"
+ line: "{{ item.name }} = {{ item.value }}"
+ regexp: "^{{ item.name }} ="
+ with_items:
+ - name: inet_interfaces
+ value: "{{ postfix_inet_interfaces }}"
+ - name: inet_protocols
+ value: "{{ postfix_inet_protocols }}"
+ - name: myhostname
+ value: "{{ inventory_hostname }}"
+ notify: restart postfix
+
+- name: Ensure postfix is started and enabled at boot.
+ service:
+ name: postfix
+ enabled: "{{ postfix_service_enabled }}"
+ notify: restart postfix
+
diff --git a/roles/mail_server/vars/Debian.yml b/roles/mail_server/vars/Debian.yml
new file mode 100644
index 0000000..23c593e
--- /dev/null
+++ b/roles/mail_server/vars/Debian.yml
@@ -0,0 +1,2 @@
+---
+aliases_config_file: /etc/aliases
diff --git a/roles/mail_server/vars/Gentoo.yml b/roles/mail_server/vars/Gentoo.yml
new file mode 100644
index 0000000..e9edc07
--- /dev/null
+++ b/roles/mail_server/vars/Gentoo.yml
@@ -0,0 +1,2 @@
+---
+aliases_config_file: /etc/mail/aliases
diff --git a/roles/mail_server/vars/RedHat.yml b/roles/mail_server/vars/RedHat.yml
new file mode 100644
index 0000000..23c593e
--- /dev/null
+++ b/roles/mail_server/vars/RedHat.yml
@@ -0,0 +1,2 @@
+---
+aliases_config_file: /etc/aliases
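Review bot: The `service` task in `postfix.yml` sets `enabled` from `postfix_service_enabled` but never applies `postfix_service_state`, although `defaults/main.yml` declares it and the README says it controls the service state after the role runs; add `state: "{{ postfix_service_state }}"` under `enabled`. The `notify: restart postfix` on that same task is redundant: it triggers a restart whenever the enabled flag changes, which has nothing to do with configuration, and the `lineinfile` task already notifies the handler. `myhostname` is taken from `inventory_hostname`, which is only right when the inventory name is the fully qualified name the mail host answers to — presumably intentional, but worth a comment such as `# myhostname must be the host's FQDN; inventory_hostname is assumed to be that name.`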