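---
# Playbook for the ch-imap-proxy host: base provisioning first, then the
# IMAP/POP3 proxy payload built on stunnel. TLS for the public IMAPS
# listener is terminated with the acmetool-issued certificate.

- name: Basic Setup
  hosts: ch-imap-proxy
  roles:
    - role: apt-repo/base
    - role: core/base
    - role: core/sshd/base
    - role: core/zsh
    - role: core/ntp

- name: Payload Setup
  hosts: ch-imap-proxy
  roles:
    - role: apt-repo/spreadspace
    - role: nginx/base
    - role: monitoring/prometheus/exporter
    - role: x509/acmetool/base
    - role: x509/acmetool/cert
      # role variables for the cert role: one hostname, HTTP-01 challenge
      # with the self-test disabled
      acmetool_cert_hostnames:
        - "imap.chaos-at-home.org"
      acmetool_cert_config:
        request:
          challenge:
            http-self-test: false

  post_tasks:
    - name: install stunnel package
      apt:
        name: stunnel4
        state: present

    # Two stunnel services in one file:
    #   [imaps] terminates TLS on :993 (TLS 1.2+ only, server-preferred
    #           ciphers) and hands plaintext to the local [imap] client;
    #   [imap]  listens on 127.0.0.1:143 and speaks STARTTLS (protocol = imap)
    #           to the backend at 192.168.28.250.
    # NOTE(review): `verify = 0` means the backend's certificate is NOT
    # verified on the [imap] leg, so that hop is only as trustworthy as the
    # 192.168.28.0/24 path; getmail.conf below shows the verifyChain/CApath/
    # checkHost pattern that would pin it — confirm whether the backend cert
    # allows that before enabling.
    - name: generate stunnel config for imap
      copy:
        dest: /etc/stunnel/imap.conf
        content: |
          pid = /var/run/stunnel-imap.pid
          cert = {{ x509_certificate_path_fullchain }}
          key = {{ x509_certificate_path_key }}
          [imap]
          client = yes
          accept = 127.0.0.1:143
          connect = 192.168.28.250:143
          protocol = imap
          verify = 0
          [imaps]
          options = NO_SSLv2
          options = NO_SSLv3
          options = NO_TLSv1
          options = NO_TLSv1_1
          options = CIPHER_SERVER_PREFERENCE
          ciphers = ECDHE+CHACHA20:ECDHE+AESGCM:DHE+CHACHA20:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!ADH:!AECDH:!MD5:!SHA
          accept = 993
          connect = 127.0.0.1:143
      notify: restart stunnel4

    # Client-side TLS wrappers for getmail: plaintext POP3 on 192.168.32.9
    # ports 110-112, each upstream verified against the system CA store
    # (verifyChain + CApath) and pinned to a hostname (checkHost).
    # The gmx entry checks `mail.gmx.net` while connecting to `pop.gmx.at`
    # — presumably the name on the served certificate; verify if it breaks.
    - name: generate stunnel config for getmail
      copy:
        dest: /etc/stunnel/getmail.conf
        content: |
          pid = /var/run/stunnel-getmail.pid
          [gmail-pop3]
          client = yes
          accept = 192.168.32.9:110
          connect = pop.gmail.com:995
          verifyChain = yes
          CApath = /etc/ssl/certs
          checkHost = pop.gmail.com
          [gmx-pop3]
          client = yes
          accept = 192.168.32.9:111
          connect = pop.gmx.at:995
          verifyChain = yes
          CApath = /etc/ssl/certs
          checkHost = mail.gmx.net
          [elevate-pop3]
          client = yes
          accept = 192.168.32.9:112
          connect = mail.elevate.at:995
          verifyChain = yes
          CApath = /etc/ssl/certs
          checkHost = mail.elevate.at
      notify: restart stunnel4

    # oneshot unit that adds/removes the IMAP service address on the primary
    # interface; registered so the unit is restarted only when its content
    # actually changed
    - name: install systemd service unit for service-ip
      copy:
        dest: /etc/systemd/system/imap-service-ip.service
        content: |
          [Unit]
          Description=Assign IMAP Sevice IP
          After=network.target
          [Service]
          Type=oneshot
          ExecStart=/usr/sbin/ip addr add dev {{ network.primary.name }} {{ network_services.imap.addr }}/32
          ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.imap.addr }}/32
          RemainAfterExit=yes
          [Install]
          WantedBy=multi-user.target
      register: service_ip_systemd_unit

    - name: make sure service-ip systemd unit is enabeld and started
      systemd:
        # canonical booleans instead of YAML 1.1 `yes`
        daemon_reload: true
        name: imap-service-ip.service
        state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
        enabled: true

  handlers:
    - name: restart stunnel4
      service:
        name: stunnel4
        state: restarted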