10 년 전 · 09c8fcb295
--- a/roles/blog/tasks/blog.yml
+++ b/roles/blog/tasks/blog.yml
@@ -3,6 +3,9 @@
 
				
				 
			
 
				
				 - name: Configure the Apache HTTP server for the blog
			
 
				
				   template: src=etc_apache2_sites-available_blog.j2 dest=/etc/apache2/sites-available/${blog_domain} group=www-data owner=www-data
			
 
				
				-- command: a2ensite ${blog_domain}
			
 
				
				   notify: restart apache
			
 
				
				-  
			
 
				
				+
			
 
				
				+- name: Enable blog site
			
 
				
				+  command: a2ensite ${blog_domain} creates=/etc/apache2/sites-enabled/${blog_domain}
			
 
				
				+  notify: restart apache
			
 
				
				+
			
--- a/roles/common/tasks/ferm.yml
+++ b/roles/common/tasks/ferm.yml
@@ -4,8 +4,10 @@
 
				
				 - name: Install ferm
			
 
				
				   apt: pkg=ferm state=present
			
 
				
				 
			
 
				
				-- name: Copy ferm firewall rules into place
			
 
				
				+- name: Create ferm confiruation directory
			
 
				
				   file: path=/etc/ferm state=directory
			
 
				
				-- copy: src=etc_ferm_ferm.conf dest=/etc/ferm/ferm.conf
			
 
				
				+
			
 
				
				+- name: Copy ferm firewall rules into place
			
 
				
				+  copy: src=etc_ferm_ferm.conf dest=/etc/ferm/ferm.conf
			
 
				
				   notify:
			
 
				
				     - reload ferm rules
			
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -32,7 +32,8 @@
 
				
				   service: name=ntp state=started enabled=yes
			
 
				
				 
			
 
				
				 - name: Disable default Apache site
			
 
				
				-  command: a2dissite default
			
 
				
				+  command: a2dissite default removes=/etc/apache2/sites-enabled/default
			
 
				
				+  notify: restart apache
			
 
				
				 
			
 
				
				 - include: encfs.yml tags=encfs
			
 
				
				 - include: users.yml tags=users
			
--- a/roles/common/tasks/security.yml
+++ b/roles/common/tasks/security.yml
@@ -5,9 +5,12 @@
 
				
				     - rkhunter
			
 
				
				     - lynis
			
 
				
				 
			
 
				
				-- name: Copy fail2ban configuration files into place
			
 
				
				+- name: Copy fail2ban configuration into place
			
 
				
				+  template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local
			
 
				
				+  notify: restart fail2ban
			
 
				
				+
			
 
				
				+- name: Copy fail2ban dovecot configuration into place
			
 
				
				   copy: src=etc_fail2ban_filter.d_dovecot-pop3imap.conf dest=/etc/fail2ban/filter.d/dovecot-pop3imap.conf
			
 
				
				-- template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local
			
 
				
				   notify: restart fail2ban
			
 
				
				 
			
 
				
				 - name: Copy sshd_config into place
			
--- a/roles/common/tasks/ssl.yml
+++ b/roles/common/tasks/ssl.yml
@@ -8,4 +8,4 @@
 
				
				   copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root
			
 
				
				 
			
 
				
				 - name: Enable Apache SSL module
			
 
				
				-  command: a2enmod ssl
			
 
				
				+  command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load
			
--- a/roles/mailserver/tasks/dovecot.yml
+++ b/roles/mailserver/tasks/dovecot.yml
@@ -18,17 +18,28 @@
 
				
				   with_items:
			
 
				
				     - ${mail_virtual_domains}
			
 
				
				 
			
 
				
				-- name: Put Dovecot configuration files in place
			
 
				
				+- name: Copy dovecot.conf into place
			
 
				
				   copy: src=etc_dovecot_dovecot.conf dest=/etc/dovecot/dovecot.conf
			
 
				
				-- copy: src=etc_dovecot_conf.d_10-mail.conf dest=/etc/dovecot/conf.d/10-mail.conf
			
 
				
				-- copy: src=etc_dovecot_conf.d_10-auth.conf dest=/etc/dovecot/conf.d/10-auth.conf
			
 
				
				-- copy: src=etc_dovecot_conf.d_auth-sql.conf.ext dest=/etc/dovecot/conf.d/auth-sql.conf.ext
			
 
				
				-- copy: src=etc_dovecot_conf.d_10-master.conf dest=/etc/dovecot/conf.d/10-master.conf
			
 
				
				-- copy: src=etc_dovecot_conf.d_10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf
			
 
				
				-- template: src=etc_dovecot_conf.d_15-lda.conf.j2 dest=/etc/dovecot/conf.d/15-lda.conf
			
 
				
				-- template: src=etc_dovecot_dovecot-sql.conf.ext.j2 dest=/etc/dovecot/dovecot-sql.conf.ext
			
 
				
				+
			
 
				
				+- name: Copy additional Dovecot configuration files in place
			
 
				
				+  copy: src=etc_dovecot_conf.d_${item} dest=/etc/dovecot/conf.d/${item}
			
 
				
				+  with_items:
			
 
				
				+    - 10-mail.conf
			
 
				
				+    - 10-auth.conf
			
 
				
				+    - auth-sql.conf.ext
			
 
				
				+    - 10-master.conf
			
 
				
				+    - 10-ssl.conf
			
 
				
				+  notify: restart dovecot
			
 
				
				+
			
 
				
				+- name: Template 15-lda.conf
			
 
				
				+  template: src=etc_dovecot_conf.d_15-lda.conf.j2 dest=/etc/dovecot/conf.d/15-lda.conf
			
 
				
				+  notify: restart dovecot
			
 
				
				+
			
 
				
				+- name: Template dovecot-sql.conf.ext
			
 
				
				+  template: src=etc_dovecot_dovecot-sql.conf.ext.j2 dest=/etc/dovecot/dovecot-sql.conf.ext
			
 
				
				+  notify: restart dovecot
			
 
				
				 
			
 
				
				 - name: Ensure correct permissions on Dovecot config directory
			
 
				
				-  shell: chown -R vmail:dovecot /etc/dovecot
			
 
				
				-- shell: chmod -R o-rwx /etc/dovecot
			
 
				
				+  file: state=directory path=/etc/dovecot
			
 
				
				+          group=dovecot owner=vmail mode=770 recurse=yes
			
 
				
				   notify: restart dovecot
			
--- a/roles/mailserver/tasks/dspam.yml
+++ b/roles/mailserver/tasks/dspam.yml
@@ -10,14 +10,27 @@
 
				
				   file: state=directory path=/decrypted/dspam group=dspam owner=dspam
			
 
				
				 
			
 
				
				 - name: Put dspam configuration files in place
			
 
				
				-  copy: src=etc_dspam_default.prefs dest=/etc/dspam/default.prefs owner=dspam group=dspam
			
 
				
				-- copy: src=etc_dspam_dspam.conf dest=/etc/dspam/dspam.conf owner=dspam group=dspam
			
 
				
				-- copy: src=etc_postfix_dspam_filter_access dest=/etc/postfix/dspam_filter_access owner=root group=root
			
 
				
				-- copy: src=etc_dovecot_conf.d_20-imap.conf dest=/etc/dovecot/conf.d/20-imap.conf owner=vmail group=dovecot
			
 
				
				-- copy: src=etc_dovecot_conf.d_90-plugin.conf dest=/etc/dovecot/conf.d/90-plugin.conf owner=vmail group=dovecot
			
 
				
				-- copy: src=dot_dovecot.sieve dest=/decrypted/${item.name}/${item.primary_user}/.dovecot.sieve owner=vmail group=dovecot
			
 
				
				+  copy: src=etc_dspam_{{item}} dest=/etc/dspam/{{item}} owner=dspam group=dspam
			
 
				
				   with_items:
			
 
				
				-    - ${mail_virtual_domains}
			
 
				
				+    - default.prefs
			
 
				
				+    - dspam.conf
			
 
				
				   notify:
			
 
				
				     - restart postfix
			
 
				
				     - restart dovecot
			
 
				
				+
			
 
				
				+- name: Put dspam postfix configuration in place
			
 
				
				+  copy: src=etc_postfix_dspam_filter_access dest=/etc/postfix/dspam_filter_access owner=root group=root
			
 
				
				+  notify: restart postfix
			
 
				
				+
			
 
				
				+- name: Put dspam dovecot configuration in place
			
 
				
				+  copy: src=etc_dovecot_conf.d_{{item}} dest=/etc/dovecot/conf.d/{{item}} owner=vmail group=dovecot
			
 
				
				+  with_items:
			
 
				
				+    - 20-imap.conf
			
 
				
				+    - 90-plugin.conf
			
 
				
				+  notify: restart dovecot
			
 
				
				+
			
 
				
				+- name: Put sieve rules into each primary user directory
			
 
				
				+  copy: src=dot_dovecot.sieve dest=/decrypted/${item.name}/${item.primary_user}/.dovecot.sieve owner=vmail group=dovecot
			
 
				
				+  with_items:
			
 
				
				+    - ${mail_virtual_domains}
			
 
				
				+  notify: restart dovecot
			
--- a/roles/mailserver/tasks/opendkim.yml
+++ b/roles/mailserver/tasks/opendkim.yml
@@ -20,15 +20,25 @@
 
				
				   with_items:
			
 
				
				     - ${mail_virtual_domains}
			
 
				
				 
			
 
				
				-- name: Put OpenDKIM configuration files into place
			
 
				
				-  template: src=etc_opendkim_KeyTable.j2 dest=/etc/opendkim/KeyTable owner=opendkim group=opendkim
			
 
				
				-- template: src=etc_opendkim_SigningTable.j2 dest=/etc/opendkim/SigningTable owner=opendkim group=opendkim
			
 
				
				-- template: src=etc_opendkim_TrustedHosts.j2 dest=/etc/opendkim/TrustedHosts owner=opendkim group=opendkim
			
 
				
				-- copy: src=etc_opendkim.conf dest=/etc/opendkim.conf owner=opendkim group=opendkim
			
 
				
				+- name: Put opendkim.conf into place
			
 
				
				+  copy: src=etc_opendkim.conf dest=/etc/opendkim.conf owner=opendkim group=opendkim
			
 
				
				+  notify:
			
 
				
				+    - restart opendkim
			
 
				
				+    - restart postfix
			
 
				
				+
			
 
				
				+- name: Put additional OpenDKIM configuration files into place
			
 
				
				+  template: src=etc_opendkim_{{item}}.j2 dest=/etc/opendkim/{{item}} owner=opendkim group=opendkim
			
 
				
				+  with_items:
			
 
				
				+    - KeyTable
			
 
				
				+    - SigningTable
			
 
				
				+    - TrustedHosts
			
 
				
				+  notify:
			
 
				
				+    - restart opendkim
			
 
				
				+    - restart postfix
			
 
				
				 
			
 
				
				 - name: Set OpenDKIM config directory permissions
			
 
				
				-  command: chmod -R go-rwx /etc/opendkim
			
 
				
				-- command: chown -R opendkim:opendkim /etc/opendkim
			
 
				
				+  file: state=directory path=/etc/opendkim
			
 
				
				+          group=opendkim owner=opendkim mode=700 recurse=yes
			
 
				
				   notify:
			
 
				
				     - restart opendkim
			
 
				
				     - restart postfix
			
--- a/roles/mailserver/tasks/postfix.yml
+++ b/roles/mailserver/tasks/postfix.yml
@@ -25,8 +25,16 @@
 
				
				 
			
 
				
				 - name: Copy Postfix config files into place
			
 
				
				   template: src=etc_postfix_main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root
			
 
				
				-- copy: src=etc_postfix_master.cf dest=/etc/postfix/master.cf owner=root group=root
			
 
				
				-- template: src=etc_postfix_mysql-virtual-mailbox-domains.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-domains.cf owner=root group=root
			
 
				
				-- template: src=etc_postfix_mysql-virtual-mailbox-maps.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-maps.cf owner=root group=root
			
 
				
				-- template: src=etc_postfix_mysql-virtual-alias-maps.cf.j2 dest=/etc/postfix/mysql-virtual-alias-maps.cf owner=root group=root
			
 
				
				+  notify: restart postfix
			
 
				
				+
			
 
				
				+- name: Copy master.cf
			
 
				
				+  copy: src=etc_postfix_master.cf dest=/etc/postfix/master.cf owner=root group=root
			
 
				
				+  notify: restart postfix
			
 
				
				+
			
 
				
				+- name: Copy additional postfix configuration files
			
 
				
				+  template: src=etc_postfix_${item}.j2 dest=/etc/postfix/${item} owner=root group=root
			
 
				
				+  with_items:
			
 
				
				+    - mysql-virtual-mailbox-domains.cf
			
 
				
				+    - mysql-virtual-mailbox-maps.cf
			
 
				
				+    - mysql-virtual-alias-maps.cf
			
 
				
				   notify: restart postfix
			
--- a/roles/mailserver/tasks/solr.yml
+++ b/roles/mailserver/tasks/solr.yml
@@ -7,9 +7,13 @@
 
				
				 - name: Work around Debian bug and copy Solr schema file into place
			
 
				
				   copy: src=solr-schema.xml dest=/etc/solr/conf/schema.xml group=root owner=root
			
 
				
				 
			
 
				
				-- name: Copy tweaked Solr/Tomcat config files into place
			
 
				
				+- name: Copy tweaked Tomcat config file into place
			
 
				
				   copy: src=etc_tomcat6_server.xml dest=/etc/tomcat6/server.xml group=tomcat6 owner=root
			
 
				
				-- copy: src=etc_solr_conf_solrconfig.xml dest=/etc/solr/conf/solrconfig.xml group=root owner=root
			
 
				
				+  notify: restart solr
			
 
				
				+
			
 
				
				+- name: Copy tweaked Solr config file into place
			
 
				
				+  copy: src=etc_solr_conf_solrconfig.xml dest=/etc/solr/conf/solrconfig.xml group=root owner=root
			
 
				
				+  notify: restart solr
			
 
				
				 
			
 
				
				 - name: Create Solr index directory
			
 
				
				   file: state=directory path=/decrypted/solr group=tomcat6 owner=tomcat6