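---
# Play for ch-imap-proxy.
#
# The host does two things, both via stunnel4 (which picks up every
# /etc/stunnel/*.conf):
#   * server side: terminate IMAPS (993) for imap.chaos-at-home.org with the
#     acmetool-managed certificate and forward to the real IMAP server;
#   * client side: expose a few external POP3S mailboxes as plaintext POP3 on an
#     internal address so that getmail can poll them without TLS support.
# A dedicated service IP for IMAP is attached by a small systemd oneshot unit.
- name: Basic Setup
  hosts: ch-imap-proxy
  roles:
    - role: apt-repo/base
    - role: core/base
    - role: core/sshd/base
    - role: core/zsh
    - role: apt-repo/spreadspace
    - role: acmetool/base
    - role: acmetool/cert
      acmetool_cert_name: "imap.chaos-at-home.org"
      acmetool_cert_config:
        request:
          challenge:
            # skip acmetool's own reachability check of the HTTP challenge
            http-self-test: false

  post_tasks:
    - name: install stunnel package
      apt:
        name: stunnel4
        state: present

    # Server-side config.  Public IMAPS on 993 is terminated here and handed to
    # the local [imap] section, which in turn talks STARTTLS (`protocol = imap`)
    # to the backend.
    #
    # NOTE(review): the [imap] client leg to 192.168.28.250 runs with
    # `verify = 0`, i.e. the backend certificate is not checked at all. Anyone
    # who can spoof or reroute that address on the LAN segment can sit in the
    # middle and read every IMAP login. If the backend presents a certificate
    # from a known CA or a self-signed one, add `verifyChain = yes` (or
    # `verifyPeer = yes` with a pinned `CAfile`) plus `checkHost`/`checkIP` --
    # confirm what the backend actually presents first, because a mismatch
    # breaks all mail access.
    #
    # NOTE(review): no setuid/setgid is configured in these files; unless the
    # Debian wrapper drops privileges on its own, stunnel keeps running as root.
    # Confirm before changing: the ACME private key and the pidfile directory
    # must stay readable/writable for the unprivileged user.
    - name: generate stunnel config for imap
      copy:
        dest: /etc/stunnel/imap.conf
        mode: "0644"
        content: |
          pid = /var/run/stunnel-imap.pid
          cert = /var/lib/acme/live/imap.chaos-at-home.org/fullchain
          key = /var/lib/acme/live/imap.chaos-at-home.org/privkey

          [imap]
          client = yes
          accept = 127.0.0.1:143
          connect = 192.168.28.250:143
          protocol = imap
          verify = 0

          [imaps]
          options = NO_SSLv2
          options = NO_SSLv3
          options = NO_TLSv1
          options = NO_TLSv1.1
          options = CIPHER_SERVER_PREFERENCE
          ciphers = ECDHE+CHACHA20:ECDHE+AESGCM:DHE+CHACHA20:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!ADH:!AECDH:!MD5:!SHA
          accept = 993
          connect = 127.0.0.1:143
      notify: restart stunnel4

    # Client-side config for getmail.  Each section listens in plaintext on the
    # internal address 192.168.32.9 and opens a verified TLS connection to the
    # provider (chain against the system CA store, hostname pinned via checkHost).
    #
    # NOTE(review): [gmx-pop3] connects to pop.gmx.at but pins
    # `checkHost = mail.gmx.net`. This only works if the certificate served on
    # pop.gmx.at carries mail.gmx.net as a SAN -- presumably deliberate, but
    # verify it; if the provider ever stops listing that name the tunnel will
    # refuse to connect.
    - name: generate stunnel config for getmail
      copy:
        dest: /etc/stunnel/getmail.conf
        mode: "0644"
        content: |
          pid = /var/run/stunnel-getmail.pid

          [gmail-pop3]
          client = yes
          accept = 192.168.32.9:110
          connect = pop.gmail.com:995
          verifyChain = yes
          CApath = /etc/ssl/certs
          checkHost = pop.gmail.com

          [gmx-pop3]
          client = yes
          accept = 192.168.32.9:111
          connect = pop.gmx.at:995
          verifyChain = yes
          CApath = /etc/ssl/certs
          checkHost = mail.gmx.net

          [elevate-pop3]
          client = yes
          accept = 192.168.32.9:112
          connect = mail.elevate.at:995
          verifyChain = yes
          CApath = /etc/ssl/certs
          checkHost = mail.elevate.at
      notify: restart stunnel4

    # Oneshot unit that attaches the IMAP service IP to the primary interface.
    # `ip addr replace` is used instead of `ip addr add` so that a start while
    # the address is already present (e.g. after an unclean stop) does not fail
    # with "RTNETLINK answers: File exists" and leave the unit in failed state.
    - name: install systemd service unit for service-ip
      copy:
        dest: /etc/systemd/system/imap-service-ip.service
        mode: "0644"
        content: |
          [Unit]
          Description=Assign IMAP Sevice IP
          After=network.target

          [Service]
          Type=oneshot
          ExecStart=/usr/sbin/ip addr replace dev {{ network.primary.name }} {{ network_services.imap.addr }}/32
          ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.imap.addr }}/32
          RemainAfterExit=yes

          [Install]
          WantedBy=multi-user.target
      register: service_ip_systemd_unit

    # Restart (rather than just start) when the unit file changed so the new
    # ExecStart/ExecStop take effect; `restarted` runs ExecStop first, which
    # removes the address before it is re-added.
    - name: make sure service-ip systemd unit is enabeld and started
      systemd:
        daemon_reload: true
        name: imap-service-ip.service
        state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
        enabled: true

  handlers:
    # Debian's stunnel4 service reloads every /etc/stunnel/*.conf on restart.
    - name: restart stunnel4
      service:
        name: stunnel4
        state: restarted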