From 8cce1ff3e54c89dbfb80851cf51dfbb7232f2d76 Mon Sep 17 00:00:00 2001 From: Dmitry Ilvokhin Date: Sat, 6 Apr 2024 19:51:43 +0100 Subject: Add dovecot role --- roles/dovecot/files/dovecot.conf | 74 ++++++++++++++++++++++++++++++++++++++++ roles/dovecot/files/dovecot.sh | 3 ++ roles/dovecot/files/users | 12 +++++++ roles/dovecot/handlers/main.yml | 7 ++++ roles/dovecot/meta/main.yml | 2 ++ roles/dovecot/tasks/main.yml | 63 ++++++++++++++++++++++++++++++++++ 6 files changed, 161 insertions(+) create mode 100644 roles/dovecot/files/dovecot.conf create mode 100644 roles/dovecot/files/dovecot.sh create mode 100644 roles/dovecot/files/users create mode 100644 roles/dovecot/handlers/main.yml create mode 100644 roles/dovecot/meta/main.yml create mode 100644 roles/dovecot/tasks/main.yml (limited to 'roles/dovecot') diff --git a/roles/dovecot/files/dovecot.conf b/roles/dovecot/files/dovecot.conf new file mode 100644 index 0000000..35e8c3f --- /dev/null +++ b/roles/dovecot/files/dovecot.conf @@ -0,0 +1,74 @@ +# Protocols we want to be serving. +protocols = imap pop3 + +# Path to the mail directory. +mail_location = maildir:/var/mail/%d/%n/Maildir + +# Path to SSL certificate files. +ssl_cert = /dev/null diff --git a/roles/dovecot/meta/main.yml b/roles/dovecot/meta/main.yml new file mode 100644 index 0000000..f645703 --- /dev/null +++ b/roles/dovecot/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: + - role: certmail diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml new file mode 100644 index 0000000..3ed1a46 --- /dev/null +++ b/roles/dovecot/tasks/main.yml 
@@ -0,0 +1,63 @@
+- name: Install dovecot
+ ansible.builtin.package:
+ name:
+ - dovecot
+ state: present
+
+- name: Create vmail group
+ ansible.builtin.group:
+ name: vmail
+ gid: 5000
+ state: present
+
+- name: Create vmail user
+ ansible.builtin.user:
+ name: vmail
+ uid: 5000
+ group: vmail
+ shell: /usr/bin/nologin
+ state: present
+
+- name: Setup dovecot config directory
+ ansible.builtin.file:
+ path: /etc/dovecot
+ state: directory
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+
+# Note: use `doveadm pw -s SHA512-CRYPT` to generate a new password.
+- name: Copy dovecot passwd file
+ ansible.builtin.copy:
+ src: files/users
+ dest: /etc/dovecot/passwd
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+ notify:
+ - Reload dovecot
+
+- name: Configure dovecot
+ ansible.builtin.copy:
+ src: files/dovecot.conf
+ dest: /etc/dovecot/dovecot.conf
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+ notify:
+ - Check dovecot
+ - Reload dovecot
+
+- name: Copy dovecot certificate renewal hook
+ ansible.builtin.copy:
+ src: files/dovecot.sh
+ dest: /etc/letsencrypt/renewal-hooks/deploy/dovecot.sh
+ owner: root
+ group: root
+ mode: u+rwx,g+r,o+r
+
+- name: Enable dovecot systemd service
+ ansible.builtin.service:
+ name: dovecot
+ enabled: yes
+ state: started
-- cgit v1.2.3-70-g09d2
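Review bot: The `Copy dovecot passwd file` task installs `/etc/dovecot/passwd` with `mode: u+rw,g+r,o+r`, so the SHA512-CRYPT password hashes that the comment above the task refers to are readable by every local account on the host. Because the symbolic form uses `+`, it only adds bits and would not revoke wider permissions already present on an existing file. I would set an exact mode such as `mode: "0640"` and change `group: root` to the group Dovecot's auth process runs under, or use `mode: "0600"` if auth runs as root; the service configuration is not visible in this hunk, so confirm which applies. The same `+` form on the config and renewal-hook tasks is less sensitive but would be more predictable written as `u=rw,g=r,o=r` and `u=rwx,g=r,o=r`.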