Roles packages, certificate and roundcube fixed

ansible/group_vars/all

@@ -2,8 +2,12 @@
 # Set this to true to create a john@example.org account with password 'summersun'
 ispmail_populate_test_data: true
 
+# Set the host name that will be used in the URL for webmail.
+# Make sure its properly set in your DNS zone.
+ispmail_fqdn: yoda.workaround.org
+
 # MySQL password for read-only user
-ispmail_mysql_mailuser_password: ChangeMe
+ispmail_mysql_mailserver_password: ChangeMe
 
 # MySQL password for administrative root user
 ispmail_mysql_root_password: ChangeMeRoot

ansible/hosts

@@ -1 +1,2 @@
-localhost ansible_connection=local
+localhost ansible_connection=local
+yoda.workaround.org

ansible/ispmail.yml

@@ -4,20 +4,23 @@
 
 - hosts: all
   tasks:
-  - name: "Checking operating system version"
-    assert:
-      that: ansible_distribution_release == 'buster'
-      fail_msg: 'This Ansible playbook is only supported on Debian Buster.'
-      success_msg: 'Debian Buster found - that makes me happy.'
+    - name: "Checking operating system version"
+      assert:
+        that: ansible_distribution_release == 'buster'
+        fail_msg: "This Ansible playbook is only supported on Debian Buster."
+        success_msg: "Debian Buster found - that makes me happy."
 
 - hosts: all
   roles:
-  #- dumpvars
-  - ispmail-packages
-#  - ispmail-certificate
-  - ispmail-database
-#  - ispmail-postfix
-#  - ispmail-dovecot
-#  - ispmail-webmail
-  - ispmail-webmail-apache-horde
-  - ispmail-tests
+    #- dumpvars
+    - role: ispmail-packages
+      tags: packages
+    - role: ispmail-certificate
+      tags: certificate
+    # - ispmail-database
+    #  - ispmail-postfix
+    #  - ispmail-dovecot
+    - role: ispmail-webmail-apache-roundcube
+      tags: roundcube
+    #  - ispmail-webmail-apache-horde
+    #- ispmail-tests

ansible/roles/ispmail-certificate/tasks/main.yml

@@ -12,4 +12,3 @@
     creates: /etc/ssl/certs/mailserver.pem
 - name: Restrict access permissions of the private key
   file: path=/etc/ssl/private/mailserver.pem mode=0640
-

ansible/roles/ispmail-database/tasks/main.yml

@@ -1,8 +1,16 @@
 ---
 - name: Installing required Python mysqldb module for Ansible to manage databases
-#  apt: name=python-mysqldb
+  #  apt: name=python-mysqldb
   apt: name=python-pymysql
 
+- name: Create .my.cnf
+  template:
+    src: "root-my-cnf.j2"
+    dest: "/root/.my.cnf"
+    owner: root
+    group: root
+    mode: 0600
+
 - name: Set a new root password
   mysql_user:
     check_implicit_admin: yes
@@ -14,49 +22,41 @@
     - localhost
     - 127.0.0.1
 
-- name: Create .my.cnf
-  template:
-   src: "root-my-cnf.j2"
-   dest: "/root/.my.cnf"
-   owner: root
-   group: root
-   mode: 0600
-
 - name: creating mailserver MySQL database
   #become: true
   mysql_db:
     name: mailserver
 
 # - name: creating Roundcube MySQL database
-#   mysql_db: 
+#   mysql_db:
 #     name: roundcube
 - name: copying MySQL database schema to server
-  copy: 
-    src: schema.sql 
+  copy:
+    src: schema.sql
     dest: /tmp
 - name: setting up SQL schema of mailserver database
-  mysql_db: 
-    name: mailserver 
-    state: import 
+  mysql_db:
+    name: mailserver
+    state: import
     target: /tmp/schema.sql
 - name: creating MySQL user to read the mailserver database
-  mysql_user: 
-    name: mailuser 
-    password: "{{ispmail_mysql_mailuser_password}}"
+  mysql_user:
+    name: mailuser
+    password: "{{ispmail_mysql_mailserver_password}}"
     priv: mailserver.*:SELECT,INSERT,UPDATE,DELETE
 # - name: creating MySQL user for roundcube
-#   mysql_user: 
-#     name: roundcube 
+#   mysql_user:
+#     name: roundcube
 #     password: "{{ispmail_mysql_roundcube_password}}"
 #     priv: roundcube.*:ALL
 - name: copying MySQL test data to server
-  copy: 
+  copy:
     src: test.sql
     dest: /tmp
   when: ispmail_populate_test_data == true
 - name: populating the database with test data
-  mysql_db: 
-    name: mailserver 
-    state: import 
+  mysql_db:
+    name: mailserver
+    state: import
     target: /tmp/test.sql
   when: ispmail_populate_test_data == true

ansible/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2

@@ -141,7 +141,7 @@
 #iterate_query = SELECT username AS user FROM users
 
 driver = mysql
-connect = host=127.0.0.1 dbname=mailserver user=mailuser password={{ispmail_mysql_mailuser_password}}
+connect = host=127.0.0.1 dbname=mailserver user=mailuser password={{ispmail_mysql_mailserver_password}}
 default_pass_scheme = SHA256-CRYPT
 password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
 

ansible/roles/ispmail-packages/tasks/main.yml

@@ -5,23 +5,27 @@
     update_cache: yes
   vars:
     packages:
-    - etckeeper
-    - certbot
-    - pwgen
-    - mariadb-server
-    - postfix
-    - postfix-mysql
-    # - roundcube
-    # - roundcube-mysql
-    # - roundcube-plugins
-    # - roundcube-plugins-extra
-    - swaks
-    - dovecot-mysql
-    - dovecot-pop3d
-    - dovecot-imapd
-    - dovecot-lmtpd
-    - dovecot-managesieved
-    - adminer
-    - rspamd
-    - fail2ban
+      - etckeeper
+      - certbot
+      - pwgen
+      - mariadb-server
+      - postfix
+      - postfix-mysql
+      # - roundcube
+      # - roundcube-mysql
+      # - roundcube-plugins
+      # - roundcube-plugins-extra
+      - swaks
+      - dovecot-mysql
+      - dovecot-pop3d
+      - dovecot-imapd
+      - dovecot-lmtpd
+      - dovecot-managesieved
+      - apache2
+      - php
+      - adminer
+      - rspamd
+      - fail2ban
+      - ca-certificates
+      - mutt
 # TODO: shorewall

ansible/roles/ispmail-postfix/templates/mysql-email2email.cf.j2

@@ -1,5 +1,5 @@
 user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
+password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
 query = SELECT email FROM virtual_users WHERE email='%s'

ansible/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2

@@ -1,5 +1,5 @@
 user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
+password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
 query = SELECT destination FROM virtual_aliases WHERE source='%s'

ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2

@@ -1,5 +1,5 @@
 user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
+password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
 query = SELECT 1 FROM virtual_domains WHERE name='%s'

ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2

@@ -1,5 +1,5 @@
 user = mailuser
-password = {{ispmail_mysql_mailuser_password}}
+password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
 query = SELECT 1 FROM virtual_users WHERE email='%s'

ansible/roles/ispmail-webmail-apache-roundcube/files/roundcube-managesieve-config.inc.php

@@ -1,101 +0,0 @@
-// Taken from /usr/share/roundcube/plugins/managesieve/config.inc.php.dist
-<?php
-
-// managesieve server port. When empty the port will be determined automatically
-// using getservbyname() function, with 4190 as a fallback.
-$config['managesieve_port'] = 4190;
-
-// managesieve server address, default is localhost.
-// Replacement variables supported in host name:
-// %h - user's IMAP hostname
-// %n - http hostname ($_SERVER['SERVER_NAME'])
-// %d - domain (http hostname without the first part)
-// For example %n = mail.domain.tld, %d = domain.tld
-$config['managesieve_host'] = 'localhost';
-
-// authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
-// or none. Optional, defaults to best method supported by server.
-$config['managesieve_auth_type'] = null;
-
-// Optional managesieve authentication identifier to be used as authorization proxy.
-// Authenticate as a different user but act on behalf of the logged in user.
-// Works with PLAIN and DIGEST-MD5 auth.
-$config['managesieve_auth_cid'] = null;
-
-// Optional managesieve authentication password to be used for imap_auth_cid
-$config['managesieve_auth_pw'] = null;
-
-// use or not TLS for managesieve server connection
-// Note: tls:// prefix in managesieve_host is also supported
-$config['managesieve_usetls'] = false;
-
-// Connection scket context options
-// See http://php.net/manual/en/context.ssl.php
-// The example below enables server certificate validation
-//$config['managesieve_conn_options'] = array(
-//  'ssl'         => array(
-//     'verify_peer'  => true,
-//     'verify_depth' => 3,
-//     'cafile'       => '/etc/openssl/certs/ca.crt',
-//   ),
-// );
-$config['managesieve_conn_options'] = null;
-
-// default contents of filters script (eg. default spam filter)
-$config['managesieve_default'] = '/etc/dovecot/sieve/global';
-
-// The name of the script which will be used when there's no user script
-$config['managesieve_script_name'] = 'managesieve';
-
-// Sieve RFC says that we should use UTF-8 endcoding for mailbox names,
-// but some implementations does not covert UTF-8 to modified UTF-7.
-// Defaults to UTF7-IMAP
-$config['managesieve_mbox_encoding'] = 'UTF-8';
-
-// I need this because my dovecot (with listescape plugin) uses
-// ':' delimiter, but creates folders with dot delimiter
-$config['managesieve_replace_delimiter'] = '';
-
-// disabled sieve extensions (body, copy, date, editheader, encoded-character,
-// envelope, environment, ereject, fileinto, ihave, imap4flags, index,
-// mailbox, mboxmetadata, regex, reject, relational, servermetadata,
-// spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc.
-// Note: not all extensions are implemented
-$config['managesieve_disabled_extensions'] = array();
-
-// Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve
-$config['managesieve_debug'] = false;
-
-// Enables features described in http://wiki.kolab.org/KEP:14
-$config['managesieve_kolab_master'] = false;
-
-// Script name extension used for scripts including. Dovecot uses '.sieve',
-// Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled.
-$config['managesieve_filename_extension'] = '.sieve';
-
-// List of reserved script names (without extension).
-// Scripts listed here will be not presented to the user.
-$config['managesieve_filename_exceptions'] = array();
-
-// List of domains limiting destination emails in redirect action
-// If not empty, user will need to select domain from a list
-$config['managesieve_domains'] = array();
-
-// Enables separate management interface for vacation responses (out-of-office)
-// 0 - no separate section (default),
-// 1 - add Vacation section,
-// 2 - add Vacation section, but hide Filters section
-$config['managesieve_vacation'] = 0;
-
-// Default vacation interval (in days).
-// Note: If server supports vacation-seconds extension it is possible
-// to define interval in seconds here (as a string), e.g. "3600s".
-$config['managesieve_vacation_interval'] = 0;
-
-// Some servers require vacation :addresses to be filled with all
-// user addresses (aliases). This option enables automatic filling
-// of these on initial vacation form creation.
-$config['managesieve_vacation_addresses_init'] = false;
-
-// Supported methods of notify extension. Default: 'mailto'
-$config['managesieve_notify_methods'] = array('mailto');

ansible/roles/ispmail-webmail-apache-roundcube/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart apache
+  service:
+    name: apache2
+    state: restarted

ansible/roles/ispmail-webmail-apache-roundcube/tasks/main.yml

@@ -5,40 +5,74 @@
     update_cache: yes
   vars:
     packages:
-      #- roundcube 
-      #- roundcube-plugins
-      - php-horde-imp
-      - php-horde-ingo
-      - php-horde-kronolith
-      - php-horde-turba
-# - name: Creating random des_key for Roundcube
-#   shell: pwgen 24
-#   register: roundcube_random_des_key
-# - name: Deploying Roundcube configuration
-#   template:
-#     src: roundcube-config.inc.php.j2
-#     dest: /etc/roundcube/config.inc.php
-#     owner: root
-#     group: www-data
-#     mode: 0640
-# - name: Deploying Roundcube managesieve plugin configuration
-#   copy:
-#     src: roundcube-managesieve-config.inc.php 
-#     dest: /etc/roundcube/plugins/managesieve/config.inc.php 
-#     mode: 0640
-# - name: Deploying Roundcube password plugin configuration
-#   template: 
-#     src: roundcube-password-config.inc.php.j2 
-#     dest: /etc/roundcube/plugins/password/config.inc.php 
-#     owner: root 
-#     group: www-data 
-#     mode: 0640
-# - name: Copy ISPmail logo
-#   copy: 
-#     src: ispmail-logo.png 
-#     dest: /var/lib/roundcube/
-# - name: Copy Roundcube database config file
-#   template: 
-#     src: roundcube-debian-db.php.j2 
-#     dest: /etc/roundcube/debian-db.php 
-#     mode: 0640
+      - roundcube
+      - roundcube-plugins
+      - roundcube-plugins-extra
+      - roundcube-mysql
+- name: Creating random des_key for Roundcube
+  shell: pwgen 24 1
+  register: roundcube_random_des_key
+- name: Deploying Roundcube configuration
+  template:
+    src: config.inc.php.j2
+    dest: /etc/roundcube/config.inc.php
+    owner: root
+    group: www-data
+    mode: 0640
+- name: Deploying Roundcube managesieve plugin configuration
+  template:
+    src: plugins/managesieve/config.inc.php.j2
+    dest: /etc/roundcube/plugins/managesieve/config.inc.php 
+    owner: root
+    group: www-data
+    mode: 0640
+- name: Deploying Roundcube password plugin configuration
+  template: 
+    src: plugins/password/config.inc.php.j2 
+    dest: /etc/roundcube/plugins/password/config.inc.php 
+    owner: root 
+    group: www-data 
+    mode: 0640
+- name: Copy ISPmail logo
+  copy: 
+    src: ispmail-logo.png 
+    dest: /var/lib/roundcube/skins/larry/
+- name: Enable Apache rewrite and ssl module
+  shell: a2enmod {{item}}
+  args:
+    creates: /etc/apache2/mods-enabled/{{item}}.load
+  with_items:
+    - rewrite
+    - ssl
+  notify: restart apache
+- name: Create DocumentRoot for HTTP vhost
+  file:
+    path: /var/www/{{ispmail_fqdn}}
+    state: directory
+    owner: www-data
+    group: www-data
+- name: Remove Apache default vhost pointing to dummy page
+  file:
+    path: /etc/apache2/sites-enabled/000-default.conf
+    state: absent
+  notify: restart apache
+- name: Configure HTTP vhost
+  template:
+    src: vhosts/http.j2
+    dest: /etc/apache2/sites-available/{{ispmail_fqdn}}-http.conf
+  notify: restart apache
+- name: Enable HTTP vhost
+  shell: a2ensite {{ispmail_fqdn}}-http.conf
+  args:
+    creates: /etc/apache2/sites-enabled/{{ispmail_fqdn}}-http.conf
+  notify: restart apache
+- name: Configure HTTPS vhost
+  template:
+    src: vhosts/https.j2
+    dest: /etc/apache2/sites-available/{{ispmail_fqdn}}-https.conf
+  notify: restart apache
+- name: Enable HTTPS vhost
+  shell: a2ensite {{ispmail_fqdn}}-https.conf
+  args:
+    creates: /etc/apache2/sites-enabled/{{ispmail_fqdn}}-https.conf
+  notify: restart apache

ansible/roles/ispmail-webmail-apache-roundcube/templates/config.inc.php.j2

@@ -0,0 +1,90 @@
+<?php
+
+/*
++-----------------------------------------------------------------------+
+| Local configuration for the Roundcube Webmail installation.           |
+|                                                                       |
+| This is a sample configuration file only containing the minimum       |
+| setup required for a functional installation. Copy more options       |
+| from defaults.inc.php to this file to override the defaults.          |
+|                                                                       |
+| This file is part of the Roundcube Webmail client                     |
+| Copyright (C) 2005-2013, The Roundcube Dev Team                       |
+|                                                                       |
+| Licensed under the GNU General Public License version 3 or            |
+| any later version with exceptions for skins & plugins.                |
+| See the README file for a full license statement.                     |
++-----------------------------------------------------------------------+
+*/
+
+$config = array();
+
+/* Do not set db_dsnw here, use dpkg-reconfigure roundcube-core to configure database ! */
+include_once("/etc/roundcube/debian-db-roundcube.php");
+
+// The IMAP host chosen to perform the log-in.
+// Leave blank to show a textbox at login, give a list of hosts
+// to display a pulldown menu or set one host as string.
+// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
+// Supported replacement variables:
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+// %s - domain name after the '@' from e-mail address provided at login screen
+// For example %n = mail.domain.tld, %t = domain.tld
+$config['default_host'] = 'localhost';
+
+// SMTP server host (for sending mails).
+// Enter hostname with prefix tls:// to use STARTTLS, or use
+// prefix ssl:// to use the deprecated SSL over SMTP (aka SMTPS)
+// Supported replacement variables:
+// %h - user's IMAP hostname
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+// %z - IMAP domain (IMAP hostname without the first part)
+// For example %n = mail.domain.tld, %t = domain.tld
+$config['smtp_server'] = 'localhost';
+
+// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
+// deprecated SSL over SMTP (aka SMTPS))
+$config['smtp_port'] = 25;
+
+// SMTP username (if required) if you use %u as the username Roundcube
+// will use the current username for login
+$config['smtp_user'] = '%u';
+
+// SMTP password (if required) if you use %p as the password Roundcube
+// will use the current user's password for login
+$config['smtp_pass'] = '%p';
+
+// provide an URL where a user can get support for this Roundcube installation
+// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
+$config['support_url'] = '';
+
+// Name your service. This is displayed on the login screen and in the window title
+$config['product_name'] = 'ISPmail – your mail server';
+
+// this key is used to encrypt the users imap password which is stored
+// in the session record (and the client cookie if remember password is enabled).
+// please provide a string of exactly 24 chars.
+// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
+$config['des_key'] = '{{roundcube_random_des_key.stdout}}';
+
+// List of active plugins (in plugins/ directory)
+// Debian: install roundcube-plugins first to have any
+$config['plugins'] = array(
+  'managesieve',
+  'password',
+);
+
+// skin name: folder from skins/
+$config['skin'] = 'larry';
+
+// Disable spellchecking
+// Debian: spellshecking needs additional packages to be installed, or calling external APIs
+//         see defaults.inc.php for additional informations
+$config['enable_spellcheck'] = false;
+
+// Set a nice ISPmail logo :)
+$config['skin_logo'] = '/ispmail-logo.png';

ansible/roles/ispmail-webmail-apache-roundcube/templates/plugins/managesieve/config.inc.php.j2

@@ -0,0 +1 @@
+$config['managesieve_host'] = 'localhost';

ansible/roles/ispmail-webmail-apache-roundcube/templates/plugins/password/config.inc.php.j2

@@ -0,0 +1,13 @@
+<?php
+// Plugin configuration for password
+// See /usr/share/roundcube/plugins/password/config.inc.php.dist for instructions
+// Check the access right of the file if you put sensitive information in it.
+$config['password_driver'] = 'sql';
+$config['password_minimum_length'] = 12;
+$config['password_force_save'] = true;
+$config['password_algorithm'] = 'dovecot';
+$config['password_dovecotpw'] = '/usr/bin/doveadm pw -s BLF-CRYPT';
+$config['password_dovecotpw_method'] = 'BLF_CRYPT';
+$config['password_dovecotpw_with_method'] = true;
+$config['password_db_dsn'] = 'mysql://mailadmin:{{ispmail_mysql_mailserver_password}}@localhost/mailserver';
+$config['password_query'] = "UPDATE virtual_users SET password=%D WHERE email=%u";

ansible/roles/ispmail-webmail-apache-roundcube/templates/roundcube-password-config.inc.php.j2

@@ -43,7 +43,7 @@ $config['password_force_new_user'] = false;
 // ------------------
 // PEAR database DSN for performing the query. By default
 // Roundcube DB settings are used.
-$config['password_db_dsn'] = 'mysql://mailuser:{{ispmail_mysql_mailuser_password}}@127.0.0.1/mailserver';
+$config['password_db_dsn'] = 'mysql://mailuser:{{ispmail_mysql_mailserver_password}}@127.0.0.1/mailserver';
 
 // The SQL query used to change the password.
 // The query can contain the following macros that will be expanded as follows:

ansible/roles/ispmail-webmail-apache-roundcube/templates/vhosts/http.j2

@@ -0,0 +1,8 @@
+<VirtualHost *:80>
+  ServerName {{ispmail_fqdn}}
+  DocumentRoot /var/www/{{ispmail_fqdn}}
+
+  RewriteEngine On
+  RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
+  RewriteRule ^(.*)$ https://%{SERVER_NAME}/ [R=301,L]
+</VirtualHost>

ansible/roles/ispmail-webmail-apache-roundcube/templates/vhosts/https.j2

@@ -0,0 +1,12 @@
+<VirtualHost *:443>
+  ServerName {{ispmail_fqdn}}
+  DocumentRoot /var/lib/roundcube
+
+  SSLEngine on
+  SSLCertificateKeyFile /etc/ssl/private/mailserver.pem
+  SSLCertificateFile /etc/ssl/certs/mailserver.pem
+
+  # When using Let's Encrypt use these line instead:
+  # SSLCertificateKeyFile /etc/letsencrypt/live/{{ispmail_fqdn}}/privkey.pem
+  # SSLCertificateFile /etc/letsencrypt/live/{{ispmail_fqdn}}/fullchain.pem
+  </VirtualHost>