backend.yml

---

# Set up the *mail-backend* service.

- include_tasks: keystore.yml

- apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - dovecot-lmtpd
      - dovecot-sieve
      - dovecot-managesieved
      - dovecot-exporter
      - imapproxy
      - libpam-authclient
      - libpam-sso
      - spamassassin
      - spamass-milter
      - sa-compile
      - pyzor
      - auth-sasl-server
      - libdbd-mysql-perl

# Postfix setup

- name: Add postfix user to the sasl group
  user:
    name: postfix
    groups: auth-sasl-server
    append: yes

- set_fact:
    postfix_instances:
      - { name: "" }
      - { name: "delivery" }
      - { name: "webmail" }

- include_tasks: postfix_instance.yml
  with_items: "{{ postfix_instances }}"
  loop_control:
    loop_var: postfix_instance

# Set up policyd-rate-limit for the postfix-webmail instance.
- include_tasks: policyd_rate_limit.yml
  vars:
    postfix_instance: postfix-webmail
    limit_by_sasl: true
    limit_by_sender: false

# Dovecot setup

- user:
    name: dovecot
    groups: auth-server,dovecot-keylookupd
    append: yes

- include_tasks: dovecot.yml
  vars:
    dovecot_instance: backend

# TODO: remove once we have upgraded to 2.3
- file:
    path: "/etc/dovecot/conf.d/90-stats.conf"
    state: absent

- name: Configure auth-server dovecot service
  template:
    src: auth-server/dovecot.yml.j2
    dest: /etc/auth-server/services.d/dovecot.yml
    owner: root
    group: auth-server
    mode: 0750
  notify: restart auth-server

- name: Create dovecot sieve directory
  file:
    path: /var/lib/dovecot/sieve
    state: directory
    mode: 0755

- set_fact:
    sieve_filters:
      - default.sieve
      - report-spam.sieve
      - report-ham.sieve

- name: Install default sieve filters
  copy:
    src: "{{ item }}"
    dest: "/var/lib/dovecot/sieve/{{ item }}"
    mode: 0644
  loop: "{{ sieve_filters }}"
  register: dovecot_sieve_scripts

# This task will fail on the first installation, as Dovecot hasn't
# been reloaded yet, and it does not know about our sieve plugins.
- name: Compile the default sieve filters
  shell: "env HOME=/tmp sievec /var/lib/dovecot/sieve/{{ item.0 }}"
  when: "item.1.changed"
  loop: "{{ sieve_filters | zip(dovecot_sieve_scripts.results) | list }}"
  ignore_errors: true

- name: Create dovecot sieve scripts directory
  file:
    path: /usr/lib/dovecot/sieve
    state: directory
    mode: 0755

- name: Install dovecot sieve scripts
  copy:
    src: "{{ item }}"
    dest: "/usr/lib/dovecot/sieve/{{ item }}"
    mode: 0755
  loop:
    - "learn-spam.sh"
    - "learn-ham.sh"

# Copy some other various files, for instance because they are outside
# the /etc/dovecot tree, or because they need special permissions.

- template:
    src: templates/dovecot.pam
    dest: /etc/pam.d/dovecot

- name: Tweak inotify instances for dovecot backend
  copy:
    src: files/dovecot-backend.sysctl
    dest: /etc/sysctl.d/dovecot-backend.conf
    mode: 0444
  notify: reload sysctl

- name: Setup dovecot-purge cron job
  copy:
    src: dovecot-purge.cron
    dest: /etc/cron.d/dovecot-purge

# Set up imapproxy

- name: Configure imapproxy
  template:
    src: imapproxy.conf.j2
    dest: /etc/imapproxy.conf
  notify: restart imapproxy

# Set up the instance of auth-sasl-server for postfix-webmail, and the
# associated systemd units. Make the Docker webmail service depend on
# the authentication socket.
- file:
    path: /etc/systemd/system/docker-mail-backend-http.service.d
    state: directory

- copy:
    dest: /etc/systemd/system/docker-mail-backend-http.service.d/sasl.conf
    content: "[Unit]\nAfter=auth-sasl-server@webmail.socket\n"

- include_tasks: sasl-auth.yml
  vars:
    instance: webmail

# Set up the local 'mail' mysql instance, used to store Roundcube and
# Spamassassin user-specific data.

- include_role:
    name: mariadb
  vars:
    mariadb_instance: mail
    mariadb_port: 3308
    mariadb_metrics_port: 9308
    mariadb_settings:
      skip-log-bin: true

# Spamassassin setup

- name: Install Spamassassin config (dirs)
  file:
    path: "/etc/spamassassin/{{ item.path }}"
    state: directory
    owner: root
    group: debian-spamd
    mode: 0750
  with_filetree: "templates/spamassassin/"
  when: item.state == 'directory'

- name: Install Spamassassin config (files)
  template:
    src: "{{ item.src }}"
    dest: "/etc/spamassassin/{{ item.path }}"
    owner: root
    group: debian-spamd
    mode: 0640
  with_filetree: "templates/spamassassin/"
  when: item.state == 'file'
  notify: "reload spamassassin"

- copy:
    src: spamassassin.default
    dest: /etc/default/spamassassin
  notify: "reload spamassassin"

- template:
    src: spamassassin-openphish.cron.j2
    dest: /etc/cron.d/spamassassin-openphish

- template:
    src: spamassassin-cleanup-txrep.sh.j2
    dest: /usr/local/bin/spamassassin-cleanup-txrep.sh
    mode: 0755

- copy:
    src: spamassassin-cleanup-txrep.cron
    dest: /etc/cron.d/spamassassin-cleanup-txrep

- copy:
    src: spamass-milter.default
    dest: /etc/default/spamass-milter
  notify: "reload spamass-milter"

- name: Create Spamassassin MySQL user
  mysql_user:
    name: spamassassin
    host: "{{ item }}"
    password: "{{ spamassassin_db_password }}"
    login_unix_socket: "/var/run/mariadb-mail/server.sock"
    priv: "ai_spam.*:ALL"
    state: present
  loop:
    - localhost
    - "%"

- name: Create Spamassassin MySQL database
  mysql_db:
    name: ai_spam
    state: present
    login_unix_socket: "/var/run/mariadb-mail/server.sock"
  register: spamassassin_mysql_db

- name: Initialize Spamassassin MySQL database
  shell: "/usr/local/bin/mysql-mail ai_spam < /etc/spamassassin/schema.sql"
  when: spamassassin_mysql_db.changed

- name: Create .pyzor dir
  file:
    path: "/var/lib/spamassassin/.pyzor"
    state: directory

- name: Configure Pyzor
  copy:
    dest: "/var/lib/spamassassin/.pyzor/servers"
    content: "public.pyzor.org:24441\n"

# Roundcube

- name: Create Roundcube MySQL user
  mysql_user:
    name: roundcube
    host: "{{ item }}"
    password: "{{ roundcube_db_password }}"
    login_unix_socket: "/var/run/mariadb-mail/server.sock"
    priv: "ai_roundcube.*:ALL"
    state: present
  loop:
    - localhost
    - "%"

- name: Create Roundcube MySQL database
  mysql_db:
    name: ai_roundcube
    state: present
    login_unix_socket: "/var/run/mariadb-mail/server.sock"

- name: Create /etc/roundcube
  file:
    path: "/etc/roundcube"
    state: directory
    owner: root
    group: docker-mail-backend
    mode: 0750

- name: Install Roundcube config
  template:
    src: "{{ item.src }}"
    dest: "/etc/roundcube/{{ item.path }}"
    owner: root
    group: docker-mail-backend
    mode: 0640
  with_filetree: "templates/roundcube/"
  when: item.state == 'file'

- name: Install default sieve filter for Roundcube
  copy:
    src: default.sieve
    dest: /etc/roundcube/default.sieve
    mode: 0644

- name: Create Roundcube cache dir
  file:
    path: "/var/lib/roundcube/{{ item }}"
    state: directory
    owner: docker-mail-backend
    group: docker-mail-backend
    mode: 0700
  with_items:
    - ""
    - logs
    - temp

- name: Create .htaccess files in Roundcube cache dirs
  copy:
    dest: "/var/lib/roundcube/{{ item }}/.htaccess"
    content: "Require all denied"
  with_items:
    - logs
    - temp

- name: Create Roundcube SSO session key
  shell: "dd if=/dev/urandom of=/etc/roundcube/sso_session.key bs=32 count=1"
  args:
    creates: /etc/roundcube/sso_session.key

- name: Install roundcube maintenance cron job
  copy:
    src: roundcube.cron
    dest: "/etc/cron.d/roundcube"

- include_role:
    name: account-automation-backend-mail