
Merge branch 'master' of git.workaround.org:ispmail/ispmail-buster-ansible

master
Christoph Haas 5 年前
父节点
当前提交
d5ae18a690
共有 23 个文件被更改,包括 254 次插入28 次删除
  1. +4
    -2
      ansible/group_vars/all
  2. +2
    -0
      ansible/ispmail.yml
  3. +80
    -0
      ansible/roles/ispmail-dovecot/files/15-mailboxes.conf
  4. +29
    -13
      ansible/roles/ispmail-dovecot/files/90-sieve.conf
  5. +3
    -0
      ansible/roles/ispmail-dovecot/files/learn-ham.sieve
  6. +3
    -0
      ansible/roles/ispmail-dovecot/files/learn-spam.sieve
  7. +2
    -0
      ansible/roles/ispmail-dovecot/files/rspamd-learn-ham.sh
  8. +2
    -0
      ansible/roles/ispmail-dovecot/files/rspamd-learn-spam.sh
  9. +0
    -2
      ansible/roles/ispmail-dovecot/handlers/main.yml
  10. +34
    -1
      ansible/roles/ispmail-dovecot/tasks/main.yml
  11. +1
    -0
      ansible/roles/ispmail-packages/tasks/main.yml
  12. +9
    -0
      ansible/roles/ispmail-postfix/tasks/main.yml
  13. +5
    -0
      ansible/roles/ispmail-rspamd/files/classifier-bayes.conf
  14. +1
    -0
      ansible/roles/ispmail-rspamd/files/milter_headers.conf
  15. +1
    -0
      ansible/roles/ispmail-rspamd/files/redis.conf
  16. +3
    -0
      ansible/roles/ispmail-rspamd/files/statistic.conf
  17. +5
    -0
      ansible/roles/ispmail-rspamd/handlers/site.yml
  18. +41
    -0
      ansible/roles/ispmail-rspamd/tasks/main.yml
  19. +1
    -0
      ansible/roles/ispmail-rspamd/templates/worker-controller.conf.j2
  20. +5
    -0
      ansible/roles/ispmail-webmail-apache-roundcube/handlers/main.yml
  21. +14
    -8
      ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml
  22. +2
    -2
      ansible/roles/ispmail-webmail-apache-roundcube/templates/config.inc.php.j2
  23. +7
    -0
      ansible/roles/ispmail-webmail-apache-roundcube/templates/vhosts/https.j2

+ 4
- 2
ansible/group_vars/all 查看文件

@@ -34,6 +34,10 @@ ispmail_postmaster_address: postmaster@example.org
# that points to your server.
ispmail_webmail_hostname: 10.0.0.100

# Password for rspamd web interface authentication at
# https://…/rspamd
ispmail_rspamd_web_password: ChangeMeRspamd

# Information for self-signed certificate
ispmail_certificate_country: DE
ispmail_certificate_state: Schleswig-Holstein
@@ -44,5 +48,3 @@ ispmail_certificate_domains:
- example.org
ispmail_certificate_email: postmaster@example.org
ispmail_certificate_days_valid: 3650

# TODO: Let's Encrypt email address
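Review bot: `ispmail_rspamd_web_password: ChangeMeRspamd` ships a known default that, if an operator forgets to override it, becomes the password of the rspamd controller that the Roundcube vhost in this same commit proxies to the internet at /rspamd. Rather than a guessable default, either leave the value empty and have the rspamd role refuse to run, e.g. `assert: { that: ispmail_rspamd_web_password | default('') | length > 0 }`, or generate it once with `"{{ lookup('password', '/root/ispmail-rspamd.pw length=32') }}"`. The comment above it should also say what the password unlocks: as far as the controller documentation describes, with no separate `enable_password` this one secret grants learning and settings access, not just read access.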

+ 2
- 0
ansible/ispmail.yml 查看文件

@@ -25,5 +25,7 @@
tags: dovecot
- role: ispmail-webmail-apache-roundcube
tags: roundcube
- role: ispmail-rspamd
tags: rspamd
# - ispmail-webmail-apache-horde
#- ispmail-tests

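--- a/ansible/roles/ispmail-dovecot/files/15-mailboxes.conf
+++ b/ansible/roles/ispmail-dovecot/files/15-mailboxes.conf
@@ -0,0 +1,80 @@
+##
+## Mailbox definitions
+##
+
+# Each mailbox is specified in a separate mailbox section. The section name
+# specifies the mailbox name. If it has spaces, you can put the name
+# "in quotes". These sections can contain the following mailbox settings:
+#
+# auto:
+# Indicates whether the mailbox with this name is automatically created
+# implicitly when it is first accessed. The user can also be automatically
+# subscribed to the mailbox after creation. The following values are
+# defined for this setting:
+#
+# no - Never created automatically.
+# create - Automatically created, but no automatic subscription.
+# subscribe - Automatically created and subscribed.
+#
+# special_use:
+# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
+# mailbox. There are no validity checks, so you could specify anything
+# you want in here, but it's not a good idea to use flags other than the
+# standard ones specified in the RFC:
+#
+# \All - This (virtual) mailbox presents all messages in the
+# user's message store.
+# \Archive - This mailbox is used to archive messages.
+# \Drafts - This mailbox is used to hold draft messages.
+# \Flagged - This (virtual) mailbox presents all messages in the
+# user's message store marked with the IMAP \Flagged flag.
+# \Junk - This mailbox is where messages deemed to be junk mail
+# are held.
+# \Sent - This mailbox is used to hold copies of messages that
+# have been sent.
+# \Trash - This mailbox is used to hold messages that have been
+# deleted.
+#
+# comment:
+# Defines a default comment or note associated with the mailbox. This
+# value is accessible through the IMAP METADATA mailbox entries
+# "/shared/comment" and "/private/comment". Users with sufficient
+# privileges can override the default value for entries with a custom
+# value.
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+# These mailboxes are widely used and could perhaps be created automatically:
+mailbox Drafts {
+special_use = \Drafts
+}
+mailbox Junk {
+special_use = \Junk
+autoexpunge = 30d
+}
+mailbox Trash {
+special_use = \Trash
+autoexpunge = 30d
+}
+
+# For \Sent mailboxes there are two widely used names. We'll mark both of
+# them as \Sent. User typically deletes one of them if duplicates are created.
+mailbox Sent {
+special_use = \Sent
+}
+mailbox "Sent Messages" {
+special_use = \Sent
+}
+
+# If you have a virtual "All messages" mailbox:
+#mailbox virtual/All {
+# special_use = \All
+# comment = All my messages
+#}
+
+# If you have a virtual "Flagged" mailbox:
+#mailbox virtual/Flagged {
+# special_use = \Flagged
+# comment = All my flagged messages
+#}
+}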
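Review bot: `autoexpunge = 30d` on Junk and Trash permanently deletes users' mail after 30 days with no per-user opt-out, and nothing in group_vars mentions it; that is a retention-policy decision, so make it a documented variable (e.g. `ispmail_autoexpunge_days: 30d` next to the other settings) and add a comment on both lines such as `# deleted unconditionally on the next mailbox access once older than this`. The rest of the file is the stock Dovecot 15-mailboxes.conf, so the upstream comment block could be trimmed to make the two local additions visible to the next reader.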

+ 29
- 13
ansible/roles/ispmail-dovecot/files/90-sieve.conf 查看文件

@@ -16,7 +16,7 @@
#
# location = [<type>:]path[;<option>[=<value>][;...]]
#
# If the type prefix is omitted, the script location type is 'file' and the
# If the type prefix is omitted, the script location type is 'file' and the
# location is interpreted as a local filesystem path pointing to a Sieve script
# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
# information.
@@ -27,7 +27,7 @@ plugin {
# delivery. The "include" extension uses this location for retrieving
# :personal" scripts. This is also where the ManageSieve service will store
# the user's scripts, if supported.
#
#
# Currently only the 'file:' location type supports ManageSieve operation.
# Other location types like 'dict:' and 'ldap:' can currently only
# be used as a read-only script source ().
@@ -46,9 +46,9 @@ plugin {
# script.
#sieve_default = /var/lib/dovecot/sieve/default.sieve

# The name by which the default Sieve script (as configured by the
# sieve_default setting) is visible to the user through ManageSieve.
#sieve_default_name =
# The name by which the default Sieve script (as configured by the
# sieve_default setting) is visible to the user through ManageSieve.
#sieve_default_name =

# Location for ":global" include scripts as used by the "include" extension.
#sieve_global =
@@ -63,7 +63,7 @@ plugin {
#sieve_discard =

# Location Sieve of scripts that need to be executed before the user's
# personal script. If a 'file' location path points to a directory, all the
# personal script. If a 'file' location path points to a directory, all the
# Sieve scripts contained therein (with the proper `.sieve' extension) are
# executed. The order of execution within that directory is determined by the
# file names, using a normal 8bit per-character comparison.
@@ -113,6 +113,7 @@ plugin {
# (http://pigeonhole.dovecot.org) for available plugins.
# The sieve_extprograms plugin is included in this release.
#sieve_plugins =
sieve_plugins = sieve_imapsieve sieve_extprograms

# The separator that is expected between the :user and :detail
# address parts introduced by the subaddress extension. This may
@@ -182,18 +183,18 @@ plugin {
## TRACE DEBUGGING
# Trace debugging provides detailed insight in the operations performed by
# the Sieve script. These settings apply to both the LDA Sieve plugin and the
# IMAPSIEVE plugin.
# IMAPSIEVE plugin.
#
# WARNING: On a busy server, this functionality can quickly fill up the trace
# directory with a lot of trace files. Enable this only temporarily and as
# selective as possible.
# The directory where trace files are written. Trace debugging is disabled if
# this setting is not configured or if the directory does not exist. If the
# this setting is not configured or if the directory does not exist. If the
# path is relative or it starts with "~/" it is interpreted relative to the
# current user's home directory.
#sieve_trace_dir =
# The verbosity level of the trace messages. Trace debugging is disabled if
# this setting is not configured. Possible values are:
#
@@ -204,12 +205,27 @@ plugin {
# "matching" - Print all executed commands, performed tests and the
# values matched in those tests.
#sieve_trace_level =
# Enables highly verbose debugging messages that are usually only useful for
# developers.
#sieve_trace_debug = no
# Enables showing byte code addresses in the trace output, rather than only
# the source line numbers.
#sieve_trace_addresses = no
#sieve_trace_addresses = no

# From elsewhere to Junk folder
imapsieve_mailbox1_name = INBOX.Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve

# From Junk folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = INBOX.Junk
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve

sieve_pipe_bin_dir = /etc/dovecot/sieve

sieve_global_extensions = +vnd.dovecot.pipe
}
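Review bot: `imapsieve_mailbox1_name = INBOX.Junk` and `imapsieve_mailbox2_from = INBOX.Junk` name the folder with an `INBOX.` prefix, while 15-mailboxes.conf in this commit defines it as plain `Junk`; if the inbox namespace has an empty prefix (10-mail.conf is not in this diff) the rules never match and moving mail to Junk silently trains nothing, so the two files should use the same name and the result checked with `doveadm mailbox list -u someuser` after deployment. Enabling pipe through `sieve_global_extensions = +vnd.dovecot.pipe` rather than `sieve_extensions` is the right choice because it keeps `pipe` unavailable to user-editable ManageSieve scripts; a comment stating that, e.g. `# pipe is only granted to the global learn scripts, never to user scripts`, would stop a later maintainer from "fixing" it into sieve_extensions.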

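--- a/ansible/roles/ispmail-dovecot/files/learn-ham.sieve
+++ b/ansible/roles/ispmail-dovecot/files/learn-ham.sieve
@@ -0,0 +1,3 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+
+pipe :copy "rspamd-learn-ham.sh";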

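--- a/ansible/roles/ispmail-dovecot/files/learn-spam.sieve
+++ b/ansible/roles/ispmail-dovecot/files/learn-spam.sieve
@@ -0,0 +1,3 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+
+pipe :copy "rspamd-learn-spam.sh";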

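--- a/ansible/roles/ispmail-dovecot/files/rspamd-learn-ham.sh
+++ b/ansible/roles/ispmail-dovecot/files/rspamd-learn-ham.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/rspamc learn_ham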

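--- a/ansible/roles/ispmail-dovecot/files/rspamd-learn-spam.sh
+++ b/ansible/roles/ispmail-dovecot/files/rspamd-learn-spam.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/rspamc learn_spam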
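Review bot: `rspamc learn_spam` is run without telling rspamd which mailbox user is learning, yet classifier-bayes.conf in this commit turns on per-user statistics (`users_enabled = true`), which keys the Bayes data on the recipient; with no identity the learning presumably lands in a default statfile rather than the owner's. Pigeonhole's extprograms exports the mailbox owner to the program in the `USER` environment variable (confirm against the sieve_extprograms documentation for the deployed Pigeonhole), so the line can become `exec /usr/bin/rspamc -d "$USER" learn_spam`, and rspamd-learn-ham.sh needs the same. A header comment such as `# run by Dovecot via the Sieve pipe extension as the mailbox user` would also help whoever debugs a silent training failure next.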

+ 0
- 2
ansible/roles/ispmail-dovecot/handlers/main.yml 查看文件

@@ -1,5 +1,3 @@
---
- name: restart dovecot
service: name=dovecot state=restarted
- name: recompile sieve script
command: sievec /etc/dovecot/sieve-after

+ 34
- 1
ansible/roles/ispmail-dovecot/tasks/main.yml 查看文件

@@ -20,6 +20,9 @@
- name: Copying SSL configuration (10-ssl.conf)
template: src=10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf
notify: restart dovecot
- name: Set autoexpunge for Trash and Junk folders (15-mailboxes.conf)
copy: src=15-mailboxes.conf dest=/etc/dovecot/conf.d/15-mailboxes.conf
notify: restart dovecot
- name: Copying LMTP configuration (20-lmtp.conf - enable sieve plugin)
copy: src=20-lmtp.conf dest=/etc/dovecot/conf.d/20-lmtp.conf
notify: restart dovecot
@@ -36,7 +39,12 @@
file: path=/etc/dovecot/sieve-after state=directory
- name: Create global sieve-after script to send spam to its mail folder
copy: src=spam-to-folder.sieve dest=/etc/dovecot/sieve-after/spam-to-folder.sieve
notify: recompile sieve script
notify: recompile sieve scripts
- name: Create sieve directory
file:
path: /etc/dovecot/sieve
state: directory

- name: Copying Sieve plugin configuration (90-sieve.conf)
copy: src=90-sieve.conf dest=/etc/dovecot/conf.d/90-sieve.conf
notify: restart dovecot
@@ -49,3 +57,28 @@
dest: /usr/local/bin/quota-warning.sh
mode: 0750
notify: restart dovecot
- name: Copy learn sieve scripts
copy:
src: "{{item}}"
dest: "/etc/dovecot/sieve/{{item}}"
with_items:
- learn-ham.sieve
- learn-spam.sieve

- name: Copy ham/spam learning scripts
copy:
src: "rspamd-learn-{{item}}.sh"
dest: "/etc/dovecot/sieve/rspamd-learn-{{item}}.sh"
mode: 0700
with_items:
- ham
- spam

- name: recompile sieve scripts
command:
cmd: "sievec /etc/dovecot/{{item}}.sieve"
creates: "/etc/dovecot/{{item}}.svbin"
with_items:
- sieve-after/spam-to-folder
- sieve/learn-ham
- sieve/learn-spam
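Review bot: The `Copy ham/spam learning scripts` task installs `rspamd-learn-*.sh` with `mode: 0700` but no `owner`, so the files are root-owned and executable by root only; Pigeonhole runs a piped program inside the imap/lmtp process as the mailbox user (vmail in this setup, though that is configured outside this diff), which then cannot execute them and every Junk move fails to train. Add `owner: vmail` and `group: vmail` to that copy task, or use `mode: 0750` with `group: vmail`. Separately, `notify: recompile sieve scripts` on the spam-to-folder task refers to a handler that this commit removes from handlers/main.yml, so the play aborts with an unknown-handler error; drop the notify, since the new `recompile sieve scripts` task below now does that job. That task's `creates:` guard also means an edited `.sieve` is never recompiled into its stale `.svbin`; consider keying it on the source being newer than the binary instead.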

+ 1
- 0
ansible/roles/ispmail-packages/tasks/main.yml 查看文件

@@ -28,4 +28,5 @@
- fail2ban
- ca-certificates
- mutt
- redis
# TODO: shorewall

+ 9
- 0
ansible/roles/ispmail-postfix/tasks/main.yml 查看文件

@@ -79,6 +79,15 @@
- name: Make Postfix listen on all interfaces
command: postconf inet_interfaces=all

- name: Set rspamd milter for smtpd
command: postconf smtpd_milters=inet:127.0.0.1:11332

- name: Set rspamd milter for local mails
command: postconf non_smtpd_milters=inet:127.0.0.1:11332

- name: Set rspamd milter macros
command: postconf milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}'"

- name: Enable user quota checking
command: "postconf 'smtpd_recipient_restrictions = reject_unauth_destination check_policy_service unix:private/quota-status'"
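Review bot: The `Set rspamd milter macros` command carries a stray single quote before its closing double quote, `{auth_authen}'"`, so after the command module's shell-style splitting Postfix most likely ends up with a last macro named `{auth_authen}'` and rspamd never receives the real `{auth_authen}` macro it uses to recognise authenticated submissions; change the line to `command: postconf "milter_mail_macros=i {mail_addr} {client_addr} {client_name} {auth_authen}"` and confirm with `postconf milter_mail_macros`. Nothing here sets `milter_default_action`, and Postfix's default of `tempfail` means every message is deferred whenever rspamd is down or restarting (the rspamd role restarts it on each config change); decide explicitly, e.g. `command: postconf milter_default_action=accept`, with a comment on the trade-off. Like the neighbouring tasks, bare `postconf` commands report changed on every run; `changed_when: false` or a `lineinfile` on main.cf would keep the role idempotent.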



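--- a/ansible/roles/ispmail-rspamd/files/classifier-bayes.conf
+++ b/ansible/roles/ispmail-rspamd/files/classifier-bayes.conf
@@ -0,0 +1,5 @@
+classifier "bayes" {
+users_enabled = true;
+backend = "redis";
+autolearn = true;
+}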
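Review bot: `users_enabled = true` gives every mailbox its own Bayes statfile, and rspamd's Bayes classifier does not classify until a statfile holds `min_learns` messages (200 by default, configured outside this file), so each user must train a few hundred messages before the filter does anything for them; that is a defensible choice but should be stated, e.g. `# per-user Bayes: each user trains their own statfile and needs min_learns messages before it takes effect`. If the intention was one shared filter fed by everyone's Junk moves, drop `users_enabled` instead. The learn scripts in this commit also pass no user identity to rspamc, which matters as soon as this flag is on.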

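--- a/ansible/roles/ispmail-rspamd/files/milter_headers.conf
+++ b/ansible/roles/ispmail-rspamd/files/milter_headers.conf
@@ -0,0 +1 @@
+extended_spam_headers = true;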

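--- a/ansible/roles/ispmail-rspamd/files/redis.conf
+++ b/ansible/roles/ispmail-rspamd/files/redis.conf
@@ -0,0 +1 @@
+servers = "127.0.0.1";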

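--- a/ansible/roles/ispmail-rspamd/files/statistic.conf
+++ b/ansible/roles/ispmail-rspamd/files/statistic.conf
@@ -0,0 +1,3 @@
+classifier "bayes" {
+users_enabled = true;
+}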
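Review bot: This file sets `users_enabled = true` on the same `classifier "bayes"` that override.d/classifier-bayes.conf in this commit already configures, so the setting now lives in two places that can drift apart. rspamd's stock statistic.conf pulls the classifier's settings from override.d/classifier-bayes.conf, which is the documented place for them; keep them there and drop this file. If it stays, check with `rspamadm configdump statistic` that an override.d/statistic.conf merges into rather than replaces the stock classifier block, since a replace would silently lose `backend = "redis"`.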

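--- a/ansible/roles/ispmail-rspamd/handlers/site.yml
+++ b/ansible/roles/ispmail-rspamd/handlers/site.yml
@@ -0,0 +1,5 @@
+---
+- name: restart rspamd
+service:
+name: rspamd
+state: restarted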
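Review bot: Ansible loads a role's handlers only from `handlers/main.yml`; a file named `handlers/site.yml` is never read, so the `notify: restart rspamd` lines in this role resolve only because the ispmail-webmail-apache-roundcube role, listed before it in ispmail.yml, gains an identical handler in its own handlers/main.yml in this commit. Rename this file to `handlers/main.yml` and remove the copy from the roundcube role so the dependency is not hidden in role ordering.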

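--- a/ansible/roles/ispmail-rspamd/tasks/main.yml
+++ b/ansible/roles/ispmail-rspamd/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: Enable rspamd autolearning
+copy:
+src: classifier-bayes.conf
+dest: /etc/rspamd/override.d/classifier-bayes.conf
+notify: restart rspamd
+
+- name: Enable rspamd extended headers
+copy:
+src: milter_headers.conf
+dest: /etc/rspamd/override.d/milter_headers.conf
+notify: restart rspamd
+
+- name: Enable rspamd per-user bayes training
+copy:
+src: statistic.conf
+dest: /etc/rspamd/override.d/statistic.conf
+notify: restart rspamd
+
+- name: Enable rspamd redis backend
+copy:
+src: redis.conf
+dest: /etc/rspamd/override.d/redis.conf
+notify: restart rspamd
+
+- name: Hash the rspamd web interface password
+shell: "rspamadm pw -p {{ispmail_rspamd_web_password}}"
+register: ispmail_rspamd_web_password_hashed
+notify: restart rspamd
+
+- name: Set rspamd admin web interface password
+template:
+src: worker-controller.conf.j2
+dest: /etc/rspamd/local.d/worker-controller.inc
+notify: restart rspamd
+
+- name: Enable redis module in rspamd
+copy:
+src: redis.conf
+dest: /etc/rspamd/override.d/redis.conf
+notify: restart rspamd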
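Review bot: `shell: "rspamadm pw -p {{ispmail_rspamd_web_password}}"` expands the secret unquoted into a shell command line, so a password containing a space, quote or `$` breaks or injects into the command, and the clear-text value is echoed in the play output and visible in the target's process list while it runs. Use `command` with `argv` so no shell is involved and set `no_log: true` on the task. Because `rspamadm pw` salts randomly, the task also produces a different hash on every run, so the template changes and rspamd restarts on every play; mark it `changed_when: false` (its notify is then redundant, the template task already notifies) and consider hashing only when the .inc is absent. Further down, `Enable rspamd redis backend` and `Enable redis module in rspamd` copy the same redis.conf to the same destination; one of them should go.
```yaml
- name: Hash the rspamd web interface password
  command:
    argv:
      - rspamadm
      - pw
      - -p
      - "{{ ispmail_rspamd_web_password }}"
  register: ispmail_rspamd_web_password_hashed
  changed_when: false
  no_log: true
# … unchanged: remaining tasks …
```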

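--- a/ansible/roles/ispmail-rspamd/templates/worker-controller.conf.j2
+++ b/ansible/roles/ispmail-rspamd/templates/worker-controller.conf.j2
@@ -0,0 +1 @@
+password = "{{ispmail_rspamd_web_password_hashed.stdout}}";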
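Review bot: Only `password` is set, and as far as the controller documentation describes, without a separate `enable_password` that one secret grants the privileged operations (learning, map and settings changes) as well as read access; with the UI exposed through the public vhost in this commit a distinct `enable_password` is worth adding. The rspamd role deploys this template with the default file mode; it holds only a hash, but `mode: 0640` with `group: _rspamd` on the template task keeps it from being world-readable. A header line such as `# managed by ansible; hash produced by rspamadm pw from ispmail_rspamd_web_password` would save the next reader a search.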

+ 5
- 0
ansible/roles/ispmail-webmail-apache-roundcube/handlers/main.yml 查看文件

@@ -3,3 +3,8 @@
service:
name: apache2
state: restarted

- name: restart rspamd
service:
name: rspamd
state: restarted

+ 14
- 8
ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml 查看文件

@@ -22,20 +22,20 @@
- name: Deploying Roundcube managesieve plugin configuration
template:
src: plugins/managesieve/config.inc.php.j2
dest: /etc/roundcube/plugins/managesieve/config.inc.php
dest: /etc/roundcube/plugins/managesieve/config.inc.php
owner: root
group: www-data
mode: 0640
- name: Deploying Roundcube password plugin configuration
template:
src: plugins/password/config.inc.php.j2
dest: /etc/roundcube/plugins/password/config.inc.php
owner: root
group: www-data
template:
src: plugins/password/config.inc.php.j2
dest: /etc/roundcube/plugins/password/config.inc.php
owner: root
group: www-data
mode: 0640
- name: Copy ISPmail logo
copy:
src: ispmail-logo.png
copy:
src: ispmail-logo.png
dest: /var/lib/roundcube/skins/larry/
- name: Enable Apache rewrite and ssl module
shell: a2enmod {{item}}
@@ -76,3 +76,9 @@
args:
creates: /etc/apache2/sites-enabled/{{ispmail_fqdn}}-https.conf
notify: restart apache

- name: Enable Apache mod_proxy for rspamd admin web interface
command:
cmd: a2enmod proxy_http
creates: /etc/apache2/mods-enabled/proxy_http.load
notify: restart apache

+ 2
- 2
ansible/roles/ispmail-webmail-apache-roundcube/templates/config.inc.php.j2 查看文件

@@ -32,7 +32,7 @@ include_once("/etc/roundcube/debian-db-roundcube.php");
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
$config['default_host'] = 'localhost';
$config['default_host'] = 'tls://{{ispmail_fqdn}}';

// SMTP server host (for sending mails).
// Enter hostname with prefix tls:// to use STARTTLS, or use
@@ -44,7 +44,7 @@ $config['default_host'] = 'localhost';
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['smtp_server'] = 'localhost';
$config['smtp_server'] = 'tls://{{ispmail_fqdn}}';

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
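Review bot: Switching `default_host` and `smtp_server` from `localhost` to `tls://{{ispmail_fqdn}}` makes Roundcube verify the server certificate with PHP's OpenSSL stream defaults, while group_vars in this commit still provisions a self-signed certificate for that host; with that certificate the IMAP and SMTP connections should fail verification and every webmail login break unless the certificate is trusted on the host or `imap_conn_options`/`smtp_conn_options` are set. Rather than disabling `verify_peer`, document that these values assume a publicly trusted certificate (the Let's Encrypt TODO in group_vars) and, for the self-signed case, point verification at the local certificate, e.g. `$config['imap_conn_options'] = ['ssl' => ['cafile' => '/etc/ssl/certs/mailserver.pem']];`, confirming that PHP accepts it as its own issuer.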


+ 7
- 0
ansible/roles/ispmail-webmail-apache-roundcube/templates/vhosts/https.j2 查看文件

@@ -2,9 +2,16 @@
ServerName {{ispmail_fqdn}}
DocumentRoot /var/lib/roundcube

# Adminer
Alias /adminer /usr/share/adminer/adminer

# Roundcube
Include /etc/roundcube/apache.conf

# Rspamd admin interface
ProxyPass "/rspamd" "http://localhost:11334"
ProxyPassReverse "/rspamd" "http://localhost:11334"

SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/mailserver.pem
SSLCertificateFile /etc/ssl/certs/mailserver.pem
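Review bot: `ProxyPass "/rspamd" "http://localhost:11334"` publishes the rspamd controller on the public webmail vhost with nothing but the single controller password in front of it, and every proxied request reaches rspamd from 127.0.0.1, which the stock worker-controller.inc (not in this diff) lists as a password-less `secure_ip`; rspamd is, to my recollection, documented to consult `X-Forwarded-For` when the peer is a secure IP, and mod_proxy sets that header by default, but this must be verified after deployment by requesting `/rspamd/auth` without a password. Independently, wrap the proxy in a location block so the admin UI is not reachable from everywhere, e.g. `<Location /rspamd>` + `Require ip 10.0.0.0/8` (or the real admin network) + `</Location>`, and add a comment that the controller can train the filter and edit maps, not merely show statistics. The `Alias /adminer` above it deserves the same restriction if it is not covered elsewhere.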

