Diffstat (limited to 'roles/mail')
-rw-r--r-- | roles/mail/tasks/main.yml | 57 | ||||
-rw-r--r-- | roles/mail/templates/docker-compose.yml.j2 | 46 |
2 files changed, 103 insertions, 0 deletions
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
new file mode 100644
index 0000000..4233f68
--- /dev/null
+++ b/roles/mail/tasks/main.yml
@@ -0,0 +1,57 @@
+---
+- name: install letsencrypt
+ apt:
+ name: letsencrypt
+ state: latest
+
+- name: allow 80/tcp ufw
+ ufw:
+ rule: allow
+ port: '80'
+ proto: 'tcp'
+
+- name: allow 443/tcp ufw
+ ufw:
+ rule: allow
+ port: '443'
+ proto: 'tcp'
+
+- name: restart ufw
+ service: name=ufw state=restarted enabled=yes
+
+- name: request certificate
+ shell: >
+ letsencrypt certonly -n --standalone -d "{{ domain }}" \
+ -m "{{ certbot_email }}" --agree-tos
+ args:
+ creates: "/etc/letsencrypt/live/{{ domain }}"
+
+- name: add monthly letsencrypt cronjob for cert renewal
+ cron:
+ name: "letsencrypt_renewal_mail"
+ day: "18"
+ hour: "2"
+ minute: "1"
+ job: "letsencrypt renew --cert-name {{ domain }} -n --standalone --agree-tos -m {{ certbot_email }}"
+
+- name: ensure mail docker/compose exist
+ file:
+ path: /etc/docker/compose/mail
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: build mail docker-compose.yml.j2
+ template:
+ src: ../templates/docker-compose.yml.j2
+ dest: /etc/docker/compose/mail/docker-compose.yml
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: daemon-reload and enable mail
+ ansible.builtin.systemd_service:
+ state: restarted
+ enabled: true
+ name: docker-compose@mail
diff --git a/roles/mail/templates/docker-compose.yml.j2 b/roles/mail/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..091ef78
--- /dev/null
+++ b/roles/mail/templates/docker-compose.yml.j2
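Review bot: The rendered compose file is installed with `mode: u=rw,g=r,o=r`, but the template it renders carries `LDAP_BIND_PW`, so the directory bind password ends up world-readable on the host with only the `0700` parent directory standing between it and any local user; since the file is already root-owned, tighten it to `mode: '0600'`. The monthly `letsencrypt renew` cron is also cutting it close: certbot only renews when 30 days or fewer remain, so a certificate that just misses the threshold on the 18th can expire before the next run — drop `day: "18"` and run it daily (certbot itself suggests twice daily) and let `renew`'s own threshold decide whether anything happens. Note too that the ufw tasks only open 80/443 for the HTTP-01 challenge, while Docker publishes 25/465/587/993 through its own iptables chain, so ufw is not what guards the mail ports in this role.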
@@ -0,0 +1,46 @@
+services:
+ mailserver:
+ image: ghcr.io/docker-mailserver/docker-mailserver:latest
+ container_name: mailserver
+ # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
+ hostname: {{ domain }}
+ ports:
+ - "25:25"
+ - "465:465"
+ - "587:587"
+ - "993:993"
+ volumes:
+ - ./docker-data/dms/mail-data/:/var/mail/
+ - ./docker-data/dms/mail-state/:/var/mail-state/
+ - ./docker-data/dms/mail-logs/:/var/log/mail/
+ - ./docker-data/dms/config/:/tmp/docker-mailserver/
+ - /etc/letsencrypt:/etc/letsencrypt
+ - /etc/localtime:/etc/localtime:ro
+ environment:
+ - SSL_TYPE=letsencrypt
+ - ENABLE_CLAMAV=0
+ - ENABLE_AMAVIS=0
+ - ENABLE_FAIL2BAN=0
+ - SPOOF_PROTECTION=1
+ - ACCOUNT_PROVISIONER=LDAP
+ - LDAP_SERVER_HOST=ldap://lldap.internal.simponic.xyz:3890
+ - LDAP_SEARCH_BASE=dc=simponic,dc=xyz
+ - LDAP_BIND_DN=uid=admin,ou=people,dc=simponic,dc=xyz
+ - LDAP_BIND_PW={{ lldap_admin_pass }}
+
+ - LDAP_QUERY_FILTER_USER=(&(objectClass=mailAccount)(|(uid=%u)))
+ - LDAP_QUERY_FILTER_GROUP=(&(cn=mail)(uniquemember=uid=%u,ou=people,dc=simponic,dc=xyz))
+ - LDAP_QUERY_FILTER_ALIAS=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u)))
+ - LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)
+
+ - DOVECOT_AUTH_BIND=yes
+ - DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%u)))
+ - DOVECOT_USER_ATTRS==uid=5000,=gid=5000,=home=/var/mail/%Ln,=mail=maildir:~/Maildir
+
+ - ENABLE_SASLAUTHD=1
+ - SASLAUTHD_MECHANISMS=rimap
+ - SASLAUTHD_MECH_OPTIONS=127.0.0.1
+ - POSTMASTER_ADDRESS={{ postmaster_email }}
+ dns:
+ - {{ johan_ip }}
+ restart: always |
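Review bot: `LDAP_BIND_DN=uid=admin,ou=people,dc=simponic,dc=xyz` with `LDAP_BIND_PW={{ lldap_admin_pass }}` binds the mail server as the LLDAP administrator, so a compromise of this container — or of anyone able to read the rendered compose file — hands over full write access to the directory, and the credential travels in clear text over `ldap://…:3890` unless that network is otherwise protected; create a dedicated read-only bind account for Postfix/Dovecot and use its password here. The `/etc/letsencrypt:/etc/letsencrypt` mount should be `- /etc/letsencrypt:/etc/letsencrypt:ro`, as the container only needs to read the live certificate and key (to my knowledge `SSL_TYPE=letsencrypt` does not write there). `image: ghcr.io/docker-mailserver/docker-mailserver:latest` leaves an internet-facing service unpinned, so pin a release tag or digest rather than inheriting whatever `latest` resolves to on the next pull. With `ENABLE_FAIL2BAN=0` and 465/587/993 published straight through Docker, nothing visible in this role rate-limits authentication attempts against those LDAP accounts — either enable it or document the external control. Finally, the environment entries are plain YAML scalars, so a password containing ` #` or `: ` would break parsing of the rendered file; quote it as `- "LDAP_BIND_PW={{ lldap_admin_pass }}"`.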