authorElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-05-01 01:33:35 -0700
committerElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-05-01 01:33:35 -0700
commitbbad09e2b15eeca86f83a9d2a97449baf71e326f (patch)
tree9d10c3ec94ae11a7cd28131bbcf5d553245006ec /playbooks/roles/mail
init
Diffstat (limited to 'playbooks/roles/mail')
-rw-r--r--playbooks/roles/mail/tasks/main.yml80
-rw-r--r--playbooks/roles/mail/templates/docker-compose.yml.j271
-rw-r--r--playbooks/roles/mail/templates/dovecot-ldap.conf.j210
-rw-r--r--playbooks/roles/mail/templates/oauth2.inc.php.j219
-rw-r--r--playbooks/roles/mail/templates/sieve.inc.php.j24
-rw-r--r--playbooks/roles/mail/templates/user-patches.sh.j220
6 files changed, 204 insertions, 0 deletions
diff --git a/playbooks/roles/mail/tasks/main.yml b/playbooks/roles/mail/tasks/main.yml
new file mode 100644
index 0000000..81ced1d
--- /dev/null
+++ b/playbooks/roles/mail/tasks/main.yml
@@ -0,0 +1,80 @@
+---
+
+- name: Ensure mail docker/compose exist
+ ansible.builtin.file:
+ path: /etc/docker/compose/mail
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Ensure mail config volume exist
+ ansible.builtin.file:
+ path: /etc/docker/compose/mail/docker-data/dms/config
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Ensure mail entries volume exist with correct permission
+ ansible.builtin.file:
+ path: /etc/docker/compose/mail/docker-data/dms/mail-data/
+ state: directory
+ owner: 5000
+ group: 5000
+ mode: 0700
+ recurse: true
+
+- name: Ensure dovecot ldap config exist
+ ansible.builtin.template:
+ src: user-patches.sh.j2
+ dest: /etc/docker/compose/mail/docker-data/dms/config/user-patches.sh
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Ensure config user overrides config exist
+ ansible.builtin.template:
+ src: dovecot-ldap.conf.j2
+ dest: /etc/docker/compose/mail/docker-data/dms/config/dovecot-ldap.conf
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Ensure roundcube config volume exist
+ ansible.builtin.file:
+ path: /etc/docker/compose/mail/docker-data/roundcube/config
+ state: directory
+ owner: root
+ group: root
+ mode: 0777
+
+- name: Build roundcube oauth2 config
+ ansible.builtin.template:
+ src: oauth2.inc.php.j2
+ dest: /etc/docker/compose/mail/docker-data/roundcube/config/oauth2.inc.php
+ owner: root
+ group: root
+ mode: 0777
+
+- name: Build roundcube sieve plugin config
+ ansible.builtin.template:
+ src: sieve.inc.php.j2
+ dest: /etc/docker/compose/mail/docker-data/roundcube/config/sieve.inc.php
+ owner: root
+ group: root
+ mode: 0777
+
+- name: Build mail docker-compose.yml.j2
+ ansible.builtin.template:
+ src: docker-compose.yml.j2
+ dest: /etc/docker/compose/mail/docker-compose.yml
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Daemon-reload and enable mail
+ ansible.builtin.systemd_service:
+ state: restarted
+ enabled: true
+ name: docker-compose@mail
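Review bot: The roundcube config directory and the two templated PHP files under it are created with `mode: 0777` (the `Ensure roundcube config volume exist`, `Build roundcube oauth2 config` and `Build roundcube sieve plugin config` tasks), which leaves `oauth2.inc.php` — the file carrying `roundcube_oauth2_client_basic_secret` — readable and writable by every local user and by any container sharing the host UID space. If the intent is to let the webmail container's unprivileged process read these files, set `owner`/`group` to that process's UID and keep the mode at `0640`/`0750`; the UID the roundcube image runs as is not visible here, so confirm it before changing. The task names `Ensure dovecot ldap config exist` and `Ensure config user overrides config exist` are swapped relative to the `src` each one templates (`user-patches.sh.j2` and `dovecot-ldap.conf.j2` respectively). The octal modes are unquoted throughout; Ansible's convention (and ansible-lint's `risky-octal` rule) is to quote them, e.g. `mode: "0700"`, so YAML 1.1 octal parsing cannot alter the value. The final task uses `state: restarted`, so the mail server is bounced on every playbook run even when no template changed; `state: started` plus a `notify` handler that restarts the unit only on change would avoid that.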
diff --git a/playbooks/roles/mail/templates/docker-compose.yml.j2 b/playbooks/roles/mail/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..f122185
--- /dev/null
+++ b/playbooks/roles/mail/templates/docker-compose.yml.j2
@@ -0,0 +1,71 @@
+version: '3'
+
+services:
+ roundcube:
+ image: roundcube/roundcubemail:latest
+ restart: always
+ volumes:
+ - ./docker-data/roundcube/www:/var/www/html
+ - ./docker-data/roundcube/db/sqlite:/var/roundcube/db
+ - ./docker-data/roundcube/config:/var/roundcube/config
+ ports:
+ - 127.0.0.1:9002:80
+ environment:
+ - ROUNDCUBEMAIL_DB_TYPE=sqlite
+ - ROUNDCUBEMAIL_SKIN=elastic
+ - ROUNDCUBEMAIL_PLUGINS={{ roundcube_plugins }}
+ - ROUNDCUBEMAIL_DEFAULT_HOST={{ roundcube_default_host }}
+ - ROUNDCUBEMAIL_DEFAULT_PORT={{ roundcube_default_port }}
+ - ROUNDCUBEMAIL_SMTP_SERVER={{ roundcube_smtp_host }}
+ - ROUNDCUBEMAIL_SMTP_PORT={{ roundcube_smtp_port }}
+
+ mailserver:
+ image: ghcr.io/docker-mailserver/docker-mailserver:latest
+ hostname: {{ mail_domain }}
+ restart: always
+ ports:
+ - 0.0.0.0:25:25
+ - 0.0.0.0:465:465
+ - 0.0.0.0:587:587
+ - 0.0.0.0:993:993
+ - 0.0.0.0:4190:4190
+ volumes:
+ - ./docker-data/dms/mail-data/:/var/mail/
+ - ./docker-data/dms/mail-state/:/var/mail-state/
+ - ./docker-data/dms/mail-logs/:/var/log/mail/
+ - ./docker-data/dms/config/:/tmp/docker-mailserver/
+ - ./docker-data/dms/config/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf.ext
+ - /etc/letsencrypt:/etc/letsencrypt:ro
+ - /etc/localtime:/etc/localtime:ro
+ environment:
+ - SSL_TYPE=letsencrypt
+ - ENABLE_CLAMAV=0
+ - ENABLE_AMAVIS=1
+ - ENABLE_FAIL2BAN=1
+ - ENABLE_SASLAUTHD=1
+ - ENABLE_MANAGESIEVE=1
+ - ENABLE_POSTGREY=0
+
+ - SPOOF_PROTECTION=1
+ - ACCOUNT_PROVISIONER=LDAP
+ - LDAP_SERVER_HOST={{ ldap_server_host }}
+ - LDAP_SEARCH_BASE={{ ldap_search_base }}
+ - LDAP_BIND_DN={{ ldap_bind_dn }}
+ - LDAP_BIND_PW={{ email_ldap_api_token }}
+
+ - LDAP_QUERY_FILTER_USER={{ ldap_query_filter_user }}
+ - LDAP_QUERY_FILTER_GROUP={{ ldap_query_filter_group }}
+ - LDAP_QUERY_FILTER_ALIAS={{ ldap_query_filter_alias }}
+ - LDAP_QUERY_FILTER_DOMAIN={{ ldap_query_filter_domain }}
+ - LDAP_QUERY_FILTER_SENDERS={{ ldap_query_filter_senders }}
+
+ - POSTMASTER_ADDRESS={{ postmaster_email }}
+
+ - ENABLE_SASLAUTHD=1
+ - SASLAUTHD_MECHANISMS=ldap
+ - SASLAUTHD_LDAP_FILTER={{ sasl_ldap_filter }}
+
+ - ENABLE_OAUTH2=1
+ - OAUTH2_INTROSPECTION_URL={{ roundcube_oauth2_user_uri }}
+ extra_hosts:
+ - {{ ldap_server }}:{{ ldap_intranet }}
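Review bot: Both services pull a floating `:latest` tag (`roundcube/roundcubemail:latest`, `ghcr.io/docker-mailserver/docker-mailserver:latest`) under `restart: always`, so a re-pull can silently move the mail server to a different, unreviewed release; pin a version tag (or an `@sha256:` digest) for both images. `ENABLE_SASLAUTHD=1` appears twice in the `mailserver` environment (once near the top of the block and again just before `SASLAUTHD_MECHANISMS`); drop one so the intent is unambiguous. `LDAP_BIND_PW={{ email_ldap_api_token }}` inlines the bind password into the compose file, which keeps it out of git but still exposes it through `docker inspect` and the container's environment; if the image offers a file-based alternative for that variable, prefer it, otherwise mark the line with a comment that it is a secret so nobody copies the rendered file around. The `hostname: {{ mail_domain }}` and `extra_hosts` values are rendered unquoted; quoting them (`hostname: "{{ mail_domain }}"`) protects against an expansion that YAML would otherwise reinterpret.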
diff --git a/playbooks/roles/mail/templates/dovecot-ldap.conf.j2 b/playbooks/roles/mail/templates/dovecot-ldap.conf.j2
new file mode 100644
index 0000000..92bfcbd
--- /dev/null
+++ b/playbooks/roles/mail/templates/dovecot-ldap.conf.j2
@@ -0,0 +1,10 @@
+base = {{ ldap_search_base }}
+uris = {{ ldap_server_host }}
+tls = no
+ldap_version = 3
+default_pass_scheme = SSHA
+
+auth_bind = yes
+auth_bind_userdn = {{ dovecot_auth_bind_userdn }}
+user_filter = {{ dovecot_user_filter }}
+user_attrs = {{ dovecot_user_attrs }}
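Review bot: `tls = no` combined with `auth_bind = yes` means every mailbox login is forwarded to the directory as an LDAP simple bind carrying the user's password, and unless `ldap_server_host` expands to an `ldaps://` URI that bind — and the `LDAP_BIND_PW` bind configured in the compose file — crosses the network in cleartext. The compose file maps `ldap_server` to an intranet address, so this may be a deliberate choice for a private link, but it should be explicit: either set `tls = yes` with `tls_ca_cert_file` (and `tls_require_cert = hard`) or use an `ldaps://` URI, and record the decision in a comment such as `# LDAP traffic is cleartext; acceptable only on the isolated intranet link`.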
diff --git a/playbooks/roles/mail/templates/oauth2.inc.php.j2 b/playbooks/roles/mail/templates/oauth2.inc.php.j2
new file mode 100644
index 0000000..919e162
--- /dev/null
+++ b/playbooks/roles/mail/templates/oauth2.inc.php.j2
@@ -0,0 +1,19 @@
+<?php
+
+$config['oauth_provider'] = 'generic';
+$config['oauth_provider_name'] = 'Misty Mountains Therapy SSO';
+$config['oauth_client_id'] = '{{ roundcube_oauth2_client_id }}';
+$config['oauth_client_secret'] = '{{ roundcube_oauth2_client_basic_secret }}';
+$config['oauth_auth_uri'] = '{{ roundcube_oauth2_auth_uri }}';
+$config['oauth_token_uri'] = '{{ roundcube_oauth2_token_uri }}';
+$config['oauth_identity_uri'] = '{{ roundcube_oauth2_user_uri }}';
+
+$config['oauth_verify_peer'] = true;
+
+$config['oauth_scope'] = 'email openid profile';
+$config['oauth_identity_fields'] = ['email'];
+
+$config['oauth_login_redirect'] = false;
+
+$config['force_https'] = true;
+$config['use_https'] = true;
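Review bot: The templated values are dropped into single-quoted PHP string literals without escaping (`oauth_client_id`, `oauth_client_secret` and the three URIs), so a client secret containing `'` or ending in `\` would break the file or truncate the value at render time. Pipe each value through a Jinja `replace` filter for `'` and `\` before it is emitted, or render it with a filter that produces a PHP literal. Because this file holds the OAuth client secret, the on-disk mode it is written with in the tasks file matters as much as its content.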
diff --git a/playbooks/roles/mail/templates/sieve.inc.php.j2 b/playbooks/roles/mail/templates/sieve.inc.php.j2
new file mode 100644
index 0000000..e7b08b0
--- /dev/null
+++ b/playbooks/roles/mail/templates/sieve.inc.php.j2
@@ -0,0 +1,4 @@
+<?php
+
+$config['managesieve_host'] = "tls://{{ mail_domain }}";
+$config['managesieve_auth_type'] = "PLAIN";
diff --git a/playbooks/roles/mail/templates/user-patches.sh.j2 b/playbooks/roles/mail/templates/user-patches.sh.j2
new file mode 100644
index 0000000..6845563
--- /dev/null
+++ b/playbooks/roles/mail/templates/user-patches.sh.j2
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+postconf -e 'smtpd_sasl_type = dovecot'
+postconf -e 'smtpd_sasl_path = /dev/shm/sasl-auth.sock'
+postconf -e 'smtpd_sasl_auth_enable = yes'
+postconf -e 'broken_sasl_auth_clients = yes'
+
+echo 'auth_username_format = %Ln' >> /etc/dovecot/conf.d/10-auth.conf
+
+echo 'username_format = %Ln' >> /etc/dovecot/dovecot-oauth2.conf.ext
+
+echo "passdb {
+ driver = ldap
+ args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+
+userdb {
+ driver = static
+ args = uid=5000 gid=5000 home=/var/mail/%u
+}" > /etc/dovecot/conf.d/auth-ldap.conf.ext
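Review bot: The two `>>` appends to `/etc/dovecot/conf.d/10-auth.conf` and `/etc/dovecot/dovecot-oauth2.conf.ext` are not idempotent: if this hook runs more than once against the same `/etc/dovecot` (its name suggests it executes at every container start; confirm against the image documentation), the lines accumulate. Guard each append, e.g. `grep -qxF 'auth_username_format = %Ln' /etc/dovecot/conf.d/10-auth.conf || echo 'auth_username_format = %Ln' >> /etc/dovecot/conf.d/10-auth.conf`, and add `set -euo pipefail` after the shebang so a failing `postconf` stops the script instead of leaving Postfix half-patched. The static `userdb` hard-codes `uid=5000 gid=5000`, which matches the ownership given to `mail-data` in the tasks file; a comment tying the two together (`# must match owner/group of docker-data/dms/mail-data in tasks/main.yml`) would keep them from drifting apart.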