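---
# Playbook for the chaos-at-home IMAP proxy host: base OS roles, an ACME
# certificate for imap.chaos-at-home.org, an stunnel instance that terminates
# IMAPS on 993 and forwards to the internal IMAP server, and a systemd unit
# that binds the IMAP service IP on the primary interface.
- name: Basic Setup
  hosts: ch-imap-proxy
  roles:
  - role: apt-repo/base
  - role: core/base
  - role: core/sshd/base
  - role: core/zsh
  - role: apt-repo/spreadspace
  - role: acmetool/base
  - role: acmetool/cert
    acmetool_cert_name: "imap.chaos-at-home.org"
    acmetool_cert_config:
      request:
        challenge:
          # skip acmetool's local HTTP challenge self-test before requesting
          http-self-test: false
  post_tasks:
  - name: install stunnel package
    apt:
      name: stunnel4
      state: present

  # Two stunnel services share the global cert/key provisioned by the
  # acmetool/cert role above:
  #   [imap]  client mode: plaintext IMAP on 127.0.0.1:143 is wrapped in TLS
  #           (protocol = imap, i.e. STARTTLS negotiation) towards the backend
  #           at 192.168.28.250:143.
  #   [imaps] server mode: TLS on 993, only TLS 1.2+ with a forward-secret
  #           AEAD-first cipher list, forwarded to the local [imap] entry.
  # NOTE(review): "verify = 0" in [imap] means the backend certificate is not
  # checked at all, so the proxy -> 192.168.28.250 leg depends entirely on the
  # internal network being trustworthy; consider "verify = 2" with a CAfile
  # once the backend CA is known. The stunnel4 service user must also be able
  # to read the acme privkey path below - TODO confirm on the host.
  - name: generate stunnel config for imap
    copy:
      dest: /etc/stunnel/imap.conf
      content: |
        cert = /var/lib/acme/live/imap.chaos-at-home.org/fullchain
        key = /var/lib/acme/live/imap.chaos-at-home.org/privkey

        [imap]
        client = yes
        accept  = 127.0.0.1:143
        connect = 192.168.28.250:143
        protocol = imap
        verify = 0

        [imaps]
        options = NO_SSLv2
        options = NO_SSLv3
        options = NO_TLSv1
        options = NO_TLSv1.1
        options = CIPHER_SERVER_PREFERENCE
        ciphers = ECDHE+CHACHA20:ECDHE+AESGCM:DHE+CHACHA20:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!ADH:!AECDH:!MD5:!SHA
        accept  = 993
        connect = 127.0.0.1:143
    notify: restart stunnel4

  # Oneshot unit that adds the IMAP service address as a /32 on the primary
  # interface and removes it again on stop; RemainAfterExit keeps the unit
  # "active" so ExecStop runs. network.primary.name and
  # network_services.imap.addr are assumed to come from inventory/group vars.
  - name: install systemd service unit for service-ip
    copy:
      dest: /etc/systemd/system/imap-service-ip.service
      content: |
        [Unit]
        Description=Assign IMAP Service IP
        After=network.target

        [Service]
        Type=oneshot
        ExecStart=/usr/sbin/ip addr add dev {{ network.primary.name }} {{ network_services.imap.addr }}/32
        ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.imap.addr }}/32
        RemainAfterExit=yes

        [Install]
        WantedBy=multi-user.target
    register: service_ip_systemd_unit

  # restart (rather than just start) when the unit file changed in this run
  - name: make sure service-ip systemd unit is enabled and started
    systemd:
      daemon_reload: true
      name: imap-service-ip.service
      state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
      enabled: true

  handlers:
  - name: restart stunnel4
    service:
      name: stunnel4
      state: restarted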