Added ispmail-webmail role to install Roundcube

vor 10 Jahren · 3bdb67c1e2
--- a/group_vars/all
+++ b/group_vars/all
@@ -1,10 +1,13 @@
 ispmail_populate_test_data: true
 ispmail_install_webmail: true

 ispmail_mysql_mailuser_password: fLxsWdf5ABLqwhZr

 ispmail_dovecot_auth_mechanisms: plain login

 ispmail_postmaster_address: postmaster@example.org

 ispmail_populate_test_data: true
 ispmail_webmail_hostname: webmail.example.org

 ispmail_certificate_country: DE
 ispmail_certificate_state: Hamburg
--- a/ispmail.yml
+++ b/ispmail.yml
@@ -8,4 +8,5 @@
  - ispmail-database
  - ispmail-postfix
  - ispmail-dovecot
  - { role: ispmail-webmail, when: "ispmail_populate_test_data == true" }

--- a/roles/ispmail-webmail/files/roundcube-managesieve-config.inc.php
+++ b/roles/ispmail-webmail/files/roundcube-managesieve-config.inc.php
@@ -0,0 +1,101 @@
 // Taken from /usr/share/roundcube/plugins/managesieve/config.inc.php.dist
 <?php

 // managesieve server port. When empty the port will be determined automatically
 // using getservbyname() function, with 4190 as a fallback.
 $config['managesieve_port'] = 4190;

 // managesieve server address, default is localhost.
 // Replacement variables supported in host name:
 // %h - user's IMAP hostname
 // %n - http hostname ($_SERVER['SERVER_NAME'])
 // %d - domain (http hostname without the first part)
 // For example %n = mail.domain.tld, %d = domain.tld
 $config['managesieve_host'] = 'localhost';

 // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
 // or none. Optional, defaults to best method supported by server.
 $config['managesieve_auth_type'] = null;

 // Optional managesieve authentication identifier to be used as authorization proxy.
 // Authenticate as a different user but act on behalf of the logged in user.
 // Works with PLAIN and DIGEST-MD5 auth.
 $config['managesieve_auth_cid'] = null;

 // Optional managesieve authentication password to be used for imap_auth_cid
 $config['managesieve_auth_pw'] = null;

 // use or not TLS for managesieve server connection
 // Note: tls:// prefix in managesieve_host is also supported
 $config['managesieve_usetls'] = false;

 // Connection scket context options
 // See http://php.net/manual/en/context.ssl.php
 // The example below enables server certificate validation
 //$config['managesieve_conn_options'] = array(
 //  'ssl'         => array(
 //     'verify_peer'  => true,
 //     'verify_depth' => 3,
 //     'cafile'       => '/etc/openssl/certs/ca.crt',
 //   ),
 // );
 $config['managesieve_conn_options'] = null;

 // default contents of filters script (eg. default spam filter)
 $config['managesieve_default'] = '/etc/dovecot/sieve/global';

 // The name of the script which will be used when there's no user script
 $config['managesieve_script_name'] = 'managesieve';

 // Sieve RFC says that we should use UTF-8 endcoding for mailbox names,
 // but some implementations does not covert UTF-8 to modified UTF-7.
 // Defaults to UTF7-IMAP
 $config['managesieve_mbox_encoding'] = 'UTF-8';

 // I need this because my dovecot (with listescape plugin) uses
 // ':' delimiter, but creates folders with dot delimiter
 $config['managesieve_replace_delimiter'] = '';

 // disabled sieve extensions (body, copy, date, editheader, encoded-character,
 // envelope, environment, ereject, fileinto, ihave, imap4flags, index,
 // mailbox, mboxmetadata, regex, reject, relational, servermetadata,
 // spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc.
 // Note: not all extensions are implemented
 $config['managesieve_disabled_extensions'] = array();

 // Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve
 $config['managesieve_debug'] = false;

 // Enables features described in http://wiki.kolab.org/KEP:14
 $config['managesieve_kolab_master'] = false;

 // Script name extension used for scripts including. Dovecot uses '.sieve',
 // Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled.
 $config['managesieve_filename_extension'] = '.sieve';

 // List of reserved script names (without extension).
 // Scripts listed here will be not presented to the user.
 $config['managesieve_filename_exceptions'] = array();

 // List of domains limiting destination emails in redirect action
 // If not empty, user will need to select domain from a list
 $config['managesieve_domains'] = array();

 // Enables separate management interface for vacation responses (out-of-office)
 // 0 - no separate section (default),
 // 1 - add Vacation section,
 // 2 - add Vacation section, but hide Filters section
 $config['managesieve_vacation'] = 0;

 // Default vacation interval (in days).
 // Note: If server supports vacation-seconds extension it is possible
 // to define interval in seconds here (as a string), e.g. "3600s".
 $config['managesieve_vacation_interval'] = 0;

 // Some servers require vacation :addresses to be filled with all
 // user addresses (aliases). This option enables automatic filling
 // of these on initial vacation form creation.
 $config['managesieve_vacation_addresses_init'] = false;

 // Supported methods of notify extension. Default: 'mailto'
 $config['managesieve_notify_methods'] = array('mailto');
--- a/roles/ispmail-webmail/handlers/main.yml
+++ b/roles/ispmail-webmail/handlers/main.yml
@@ -0,0 +1,4 @@
 ---
 - name: restart apache
  service: name=apache2 state=restarted

--- a/roles/ispmail-webmail/tasks/main.yml
+++ b/roles/ispmail-webmail/tasks/main.yml
@@ -0,0 +1,28 @@
 ---
 - name: adding Jessie backports repository (for Roundcube)
  apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present
 - name: install required binary packages
  apt: name={{item}} state=installed
  with_items:
  - roundcube 
  - roundcube-plugins
  - apache2
  - libapache2-mod-php5
  notify: restart apache
 - name: Create Apache vhost configuration for Webmail
  template: src=webmail.conf.j2 dest=/etc/apache2/sites-available/webmail.conf
  notify: restart apache
 - name: Enable Apache vhost
  command: /usr/sbin/a2ensite webmail.conf creates=/etc/apache2/sites-enabled/webmail.conf
  notify: restart apache
 - name: Enabling Apache SSL module
  command: /usr/sbin/a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.conf
  notify: restart apache
 - name: Creating random des_key for Roundcube
  shell: pwgen 24
  register: roundcube_random_des_key
 - name: Deploying Roundcube configuration
  template: src=roundcube-config.inc.php.j2 dest=/etc/roundcube/config.inc.php owner=root group=www-data mode=640
 - name: Deploying Roundcube managesieve plugin configuration
  copy: src=roundcube-managesieve-config.inc.php dest=/etc/roundcube/plugins/managesieve/config.inc.php mode=0640

--- a/roles/ispmail-webmail/templates/roundcube-config.inc.php.j2
+++ b/roles/ispmail-webmail/templates/roundcube-config.inc.php.j2
@@ -0,0 +1,82 @@
 <?php

 /*
 +-----------------------------------------------------------------------+
 | Local configuration for the Roundcube Webmail installation.           |
 |                                                                       |
 | This is a sample configuration file only containing the minimum       |
 | setup required for a functional installation. Copy more options       |
 | from defaults.inc.php to this file to override the defaults.          |
 |                                                                       |
 | This file is part of the Roundcube Webmail client                     |
 | Copyright (C) 2005-2013, The Roundcube Dev Team                       |
 |                                                                       |
 | Licensed under the GNU General Public License version 3 or            |
 | any later version with exceptions for skins & plugins.                |
 | See the README file for a full license statement.                     |
 +-----------------------------------------------------------------------+
 */

 $config = array();

 /* Do not set db_dsnw here, use dpkg-reconfigure roundcube-core to configure database ! */
 include_once("/etc/roundcube/debian-db-roundcube.php");

 // The mail host chosen to perform the log-in.
 // Leave blank to show a textbox at login, give a list of hosts
 // to display a pulldown menu or set one host as string.
 // To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
 // Supported replacement variables:
 // %n - hostname ($_SERVER['SERVER_NAME'])
 // %t - hostname without the first part
 // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
 // %s - domain name after the '@' from e-mail address provided at login screen
 // For example %n = mail.domain.tld, %t = domain.tld
 $config['default_host'] = 'localhost';

 // SMTP server host (for sending mails).
 // To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
 // If left blank, the PHP mail() function is used
 // Supported replacement variables:
 // %h - user's IMAP hostname
 // %n - hostname ($_SERVER['SERVER_NAME'])
 // %t - hostname without the first part
 // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
 // %z - IMAP domain (IMAP hostname without the first part)
 // For example %n = mail.domain.tld, %t = domain.tld
 $config['smtp_server'] = 'localhost';

 // SMTP port (default is 25; use 587 for STARTTLS or 465 for the
 // deprecated SSL over SMTP (aka SMTPS))
 $config['smtp_port'] = 25;

 // SMTP username (if required) if you use %u as the username Roundcube
 // will use the current username for login
 $config['smtp_user'] = '';

 // SMTP password (if required) if you use %p as the password Roundcube
 // will use the current user's password for login
 $config['smtp_pass'] = '';

 // provide an URL where a user can get support for this Roundcube installation
 // PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
 $config['support_url'] = '';

 // Name your service. This is displayed on the login screen and in the window title
 $config['product_name'] = 'Roundcube Webmail';

 // this key is used to encrypt the users imap password which is stored
 // in the session record (and the client cookie if remember password is enabled).
 // please provide a string of exactly 24 chars.
 // YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
 $config['des_key'] = '{{roundcube_random_des_key.stdout}}';

 // List of active plugins (in plugins/ directory)
 $config['plugins'] = array(
 'archive',
 'zipdownload',
 'managesieve',
 );

 // skin name: folder from skins/
 $config['skin'] = 'larry';
--- a/roles/ispmail-webmail/templates/webmail.conf.j2
+++ b/roles/ispmail-webmail/templates/webmail.conf.j2
@@ -0,0 +1,140 @@
 <IfModule mod_ssl.c>
 	<VirtualHost _default_:443>
 		ServerAdmin webmaster@localhost
 		ServerName {{ ispmail_webmail_hostname }}

 		#DocumentRoot /var/www/html
 		Include /etc/roundcube/apache.conf
 		Alias /roundcube /var/lib/roundcube

 		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
 		# error, crit, alert, emerg.
 		# It is also possible to configure the loglevel for particular
 		# modules, e.g.
 		#LogLevel info ssl:warn

 		ErrorLog ${APACHE_LOG_DIR}/webmail.error.log
 		CustomLog ${APACHE_LOG_DIR}/webmail.access.log combined

 		# For most configuration files from conf-available/, which are
 		# enabled or disabled at a global level, it is possible to
 		# include a line for only one particular virtual host. For example the
 		# following line enables the CGI configuration for this host only
 		# after it has been globally disabled with "a2disconf".
 		#Include conf-available/serve-cgi-bin.conf

 		#   SSL Engine Switch:
 		#   Enable/Disable SSL for this virtual host.
 		SSLEngine on

 		#   A self-signed (snakeoil) certificate can be created by installing
 		#   the ssl-cert package. See
 		#   /usr/share/doc/apache2/README.Debian.gz for more info.
 		#   If both key and certificate are stored in the same file, only the
 		#   SSLCertificateFile directive is needed.
 		SSLCertificateFile	/etc/ssl/certs/mailserver.pem
 		SSLCertificateKeyFile /etc/ssl/private/mailserver.pem

 		#   Server Certificate Chain:
 		#   Point SSLCertificateChainFile at a file containing the
 		#   concatenation of PEM encoded CA certificates which form the
 		#   certificate chain for the server certificate. Alternatively
 		#   the referenced file can be the same as SSLCertificateFile
 		#   when the CA certificates are directly appended to the server
 		#   certificate for convinience.
 		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

 		#   Certificate Authority (CA):
 		#   Set the CA certificate verification path where to find CA
 		#   certificates for client authentication or alternatively one
 		#   huge file containing all of them (file must be PEM encoded)
 		#   Note: Inside SSLCACertificatePath you need hash symlinks
 		#		 to point to the certificate files. Use the provided
 		#		 Makefile to update the hash symlinks after changes.
 		#SSLCACertificatePath /etc/ssl/certs/
 		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

 		#   Certificate Revocation Lists (CRL):
 		#   Set the CA revocation path where to find CA CRLs for client
 		#   authentication or alternatively one huge file containing all
 		#   of them (file must be PEM encoded)
 		#   Note: Inside SSLCARevocationPath you need hash symlinks
 		#		 to point to the certificate files. Use the provided
 		#		 Makefile to update the hash symlinks after changes.
 		#SSLCARevocationPath /etc/apache2/ssl.crl/
 		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

 		#   Client Authentication (Type):
 		#   Client certificate verification type and depth.  Types are
 		#   none, optional, require and optional_no_ca.  Depth is a
 		#   number which specifies how deeply to verify the certificate
 		#   issuer chain before deciding the certificate is not valid.
 		#SSLVerifyClient require
 		#SSLVerifyDepth  10

 		#   SSL Engine Options:
 		#   Set various options for the SSL engine.
 		#   o FakeBasicAuth:
 		#	 Translate the client X.509 into a Basic Authorisation.  This means that
 		#	 the standard Auth/DBMAuth methods can be used for access control.  The
 		#	 user name is the `one line' version of the client's X.509 certificate.
 		#	 Note that no password is obtained from the user. Every entry in the user
 		#	 file needs this password: `xxj31ZMTZzkVA'.
 		#   o ExportCertData:
 		#	 This exports two additional environment variables: SSL_CLIENT_CERT and
 		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
 		#	 server (always existing) and the client (only existing when client
 		#	 authentication is used). This can be used to import the certificates
 		#	 into CGI scripts.
 		#   o StdEnvVars:
 		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.
 		#	 Per default this exportation is switched off for performance reasons,
 		#	 because the extraction step is an expensive operation and is usually
 		#	 useless for serving static content. So one usually enables the
 		#	 exportation for CGI and SSI requests only.
 		#   o OptRenegotiate:
 		#	 This enables optimized SSL connection renegotiation handling when SSL
 		#	 directives are used in per-directory context.
 		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
 		<FilesMatch "\.(cgi|shtml|phtml|php)$">
 				SSLOptions +StdEnvVars
 		</FilesMatch>
 		<Directory /usr/lib/cgi-bin>
 				SSLOptions +StdEnvVars
 		</Directory>

 		#   SSL Protocol Adjustments:
 		#   The safe and default but still SSL/TLS standard compliant shutdown
 		#   approach is that mod_ssl sends the close notify alert but doesn't wait for
 		#   the close notify alert from client. When you need a different shutdown
 		#   approach you can use one of the following variables:
 		#   o ssl-unclean-shutdown:
 		#	 This forces an unclean shutdown when the connection is closed, i.e. no
 		#	 SSL close notify alert is send or allowed to received.  This violates
 		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
 		#	 this when you receive I/O errors because of the standard approach where
 		#	 mod_ssl sends the close notify alert.
 		#   o ssl-accurate-shutdown:
 		#	 This forces an accurate shutdown when the connection is closed, i.e. a
 		#	 SSL close notify alert is send and mod_ssl waits for the close notify
 		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in
 		#	 practice often causes hanging connections with brain-dead browsers. Use
 		#	 this only for browsers where you know that their SSL implementation
 		#	 works correctly.
 		#   Notice: Most problems of broken clients are also related to the HTTP
 		#   keep-alive facility, so you usually additionally want to disable
 		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
 		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 		#   "force-response-1.0" for this.
 		BrowserMatch "MSIE [2-6]" \
 				nokeepalive ssl-unclean-shutdown \
 				downgrade-1.0 force-response-1.0
 		# MSIE 7 and newer should be able to use keepalive
 		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

 	</VirtualHost>
 </IfModule>

 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet