Merge branch 'unifyroles'

all.yaml

@@ -1,9 +1,21 @@
 ---
-- import_playbook: g00.rhizogen.es.eu.org.yaml
-- import_playbook: g01.rhizogen.es.eu.org.yaml
-- import_playbook: g02.rhizogen.es.eu.org.yaml
-- import_playbook: g03.rhizogen.es.eu.org.yaml
-- import_playbook: ov1.rhizogen.es.eu.org.yaml
-- import_playbook: ov2.rhizogen.es.eu.org.yaml
-- import_playbook: ks1.rhizogen.es.eu.org.yaml
-- import_playbook: ks2.rhizogen.es.eu.org.yaml
+- name: Playbook All
+  strategy: free
+  hosts:
+    - g00
+    - g01
+    - g02
+    - g03
+    - ov1
+    - ov2
+    - ks1
+  remote_user: "{{ admin_user }}"
+  become_method: sudo
+
+  roles:
+    - all_roles
+
+  # # you can do `ansible -i inventory/hosts g01.rhizogen.es.eu.org -m setup -e "ansible_user=admin_user"`
+  # tasks:
+  #   - debug: var=ansible_facts
+  #   - debug: var=ansible_devices

g01.rhizogen.es.eu.org.yaml

@@ -18,7 +18,7 @@
     - logwatch
     - munin_node
     - nrpe
-    - bind_slave
+    - bind
 
   # # you can do `ansible -i inventory/hosts g01.rhizogen.es.eu.org -m setup -e "ansible_user=admin_user"`
   # tasks:

g02.rhizogen.es.eu.org.yaml

@@ -9,9 +9,7 @@
     - network
 #    - homedir
 #    - srvdir
-    - quota
     - base
-    - cacertificates
     - adminuser
     - default_user
     - adminuser_home
@@ -24,9 +22,8 @@
     - firstuser_scripts
     - testuser
     - testuser_maildir
-    - sync_user
     - ssh
-    - smtp_primary
+    - smtp_mx
     - sendmail_gpg
     - rkhunter
     - fail2ban
@@ -37,7 +34,6 @@
     - nginx
     - nginx_homedirs
     - imap_server
-#    - munin
     - mail_client
     - mailman
     - radicale

inventory

@@ -1 +1 @@
-Subproject commit c83ebc709545ae33bdf509934ca1a6c662c94858
+Subproject commit 323103b52004edff878a8230d2ae640195652ced

ks1.rhizogen.es.eu.org.yaml

@@ -8,7 +8,6 @@
     - hosting_platform
     - network
     - base
-    - cacertificates
     - adminuser
     - default_user
     - adminuser_home

ks2.rhizogen.es.eu.org.yaml

@@ -6,8 +6,8 @@
 
   roles:
     - hosting_platform
+    - network
     - base
-    - cacertificates
     - adminuser
     - default_user
     - adminuser_home

ov1.rhizogen.es.eu.org.yaml

@@ -8,7 +8,6 @@
     - hosting_platform
     - network
     - base
-    - cacertificates
     - adminuser
     - default_user
     - adminuser_home
@@ -17,14 +16,14 @@
     - firstuser_home
     - firstuser_sync
     - ssh
-    - smtp_secondary
+    - smtp_mx
     - sendmail_gpg
     - rkhunter
     - fail2ban
     - logwatch
     - munin_node
     - nrpe
-    - bind_slave
+    - bind
     - pureftpd
     - nginx
     - prosody_secondary

ov2.rhizogen.es.eu.org.yaml

@@ -11,7 +11,6 @@
     - adminuser
     - default_user
     - adminuser_home
-    - sync_user
     - ssh
     - smtp_client
     - sendmail_gpg
@@ -41,7 +40,7 @@
     - adminuser_workenv
     - ansible
     - auto_ansible
-    - bind_master
+    - bind
     - sync_node
     - deb
     - deb_client

roles/all_roles/tasks/main.yaml

@@ -0,0 +1,7 @@
+---
+- name: Include roles based on role list
+  include_role:
+    name: "{{ role }}"
+  loop: "{{ role_list }}"
+  loop_control:
+    loop_var: role

roles/bind/tasks/main.yaml

@@ -17,7 +17,7 @@
   become: yes
   notify: restart_bind
   with_items:
-    - { src: 'named.conf.options.j2', dest: '/etc/bind/named.conf.options' }
+    - { src: 'named.conf.options_{{ ns_type }}_.j2', dest: '/etc/bind/named.conf.options' }
 
 - name: Copy bind9 local config templates
   ansible.builtin.template:
@@ -29,7 +29,7 @@
   become: yes
   notify: restart_bind
   with_items:
-    - { src: 'named.conf.local.j2', dest: '/etc/bind/named.conf.local' }
+    - { src: 'named.conf.local_{{ ns_type }}_.j2', dest: '/etc/bind/named.conf.local' }
   # dont show file content
   diff: no
   #no_log: true
@@ -56,6 +56,9 @@
   with_items:
     - { src: '/var/lib/bind/query.log', dest: '/var/log/bind9/query.log' }
 
+- name: Include NS-type dependent tasks
+  ansible.builtin.include_tasks: ns-{{ ns_type }}.yaml
+
 - name: Make sure bind is running
   ansible.builtin.service:
     name: "{{ bind_daemon }}"

roles/bind/tasks/ns-master.yaml

@@ -0,0 +1,17 @@
+---
+- name: Create keys dir
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    owner: root
+    group: bind
+    mode: '2755'
+    state: directory
+  become: yes
+  with_items:
+    - { path: '/etc/bind/keys' }
+
+- name: Setup DNS zones
+  ansible.builtin.include_tasks: zone.yaml
+  vars:
+    v: "{{ item }}"
+  loop: "{{ dns_zones | subelements('keys') }}"

roles/bind/tasks/ns-slave.yaml

@@ -0,0 +1 @@
+---

roles/bind_master/tasks/main.yaml

@@ -1,70 +0,0 @@
----
-- name: Install package bind
-  ansible.builtin.package:
-    name:
-      - "{{ bind_package }}"
-      - dnsutils
-    state: present
-  become: yes
-
-- name: Copy bind9 config templates
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: bind
-    mode: '0644'
-  become: yes
-  notify: restart_bind
-  with_items:
-    - { src: 'named.conf.local.j2', dest: '/etc/bind/named.conf.local' }
-    - { src: 'named.conf.options.j2', dest: '/etc/bind/named.conf.options' }
-
-- name: Create log dir
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    owner: root
-    group: adm
-    mode: '0751'
-    state: directory
-  become: yes
-  with_items:
-    - { path: '/var/log/bind9' }
-
-- name: Create link
-  ansible.builtin.file:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    state: link
-    force: yes
-    follow: no
-  become: yes
-  with_items:
-    - { src: '/var/lib/bind/query.log', dest: '/var/log/bind9/query.log' }
-
-- name: Create keys dir
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    owner: root
-    group: bind
-    mode: '2755'
-    state: directory
-  become: yes
-  with_items:
-    - { path: '/etc/bind/keys' }
-
-- name: Setup DNS zones
-  ansible.builtin.include_tasks: zone.yaml
-  vars:
-    v: "{{ item }}"
-  loop: "{{ dns_zones | subelements('keys') }}"
-
-- name: Make sure bind is running
-  ansible.builtin.service:
-    name: "{{ bind_daemon }}"
-    enabled: yes
-    state: started
-  become: yes
-
-- name: Flush handlers
-  ansible.builtin.meta: flush_handlers

roles/bind_slave/handlers/main.yaml

@@ -1,7 +0,0 @@
----
-- name: Restart bind
-  ansible.builtin.service:
-    name: "{{ bind_daemon }}"
-    state: restarted
-  become: yes
-  listen: "restart_bind"

roles/bind_slave/meta/main.yaml

@@ -1,5 +0,0 @@
----
-dependencies:
-# needed:
-  - role: package_manager
-# bundled:

roles/smtp_mx/tasks/main.yaml

@@ -38,20 +38,6 @@
   diff: no
   #no_log: true
 
-# - name: copy aliases
-#   ansible.builtin.template:
-#     src: "{{ item.src }}"
-#     dest: "{{ item.dest }}"
-#     owner: root
-#     group: root
-#     mode: '0644'
-#   become: yes
-#   notify:
-#     - new_aliases
-#   with_items:
-#     - { src: 'aliases.j2', dest: '/etc/aliases' }
-#   no_log: true
-
 - name: Copy postfix sender_access
   ansible.builtin.copy:
     src: "{{ item.src }}"
@@ -93,53 +79,8 @@
   diff: no
   #no_log: true
 
-- name: Copy postfix relay_recipients
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  notify: reload_postfix
-  with_items:
-    - { src: 'postfix/relay_recipients.j2', dest: '/etc/postfix/relay_recipients' }
-  # dont show file content
-  diff: no
-  #no_log: true
-
-- name: Add user postfix to group sasl
-  ansible.builtin.user:
-    name: postfix
-    groups: sasl
-    append: yes
-  notify: restart_postfix
-  become: yes
-
-# - name: template saslauthd config
-#   ansible.builtin.template:
-#     src: "{{ item.src }}"
-#     dest: "{{ item.dest }}"
-#     owner: root
-#     group: root
-#     mode: '0644'
-#   become: yes
-#   notify: restart_saslauthd
-#   with_items:
-#     - { src: 'postfix/sasl/smtpd.conf.j2', dest: '/etc/postfix/sasl/smtpd.conf' }
-#     - { src: 'default/saslauthd.j2', dest: '/etc/default/saslauthd' }
-
-- name: Include fail2ban conf for postfix
-  ansible.builtin.include_role:
-    name: fail2ban
-    tasks_from: postfix
-
-# - name: make sure saslauthd is running
-#   ansible.builtin.service:
-#     name: saslauthd
-#     enabled: yes
-#     state: started
-#   become: yes
+- name: Include mx-type-related tasks
+  ansible.builtin.include_tasks: mx-{{ mx_type }}.yaml
 
 - name: Add user postfix to group opendkim
   ansible.builtin.user:
@@ -163,45 +104,8 @@
   with_items:
     - { path: '{{ opendkim_chroot }}', owner: 'root', group: 'opendkim' }
 
-# - name: create data dir for opendkim
-#   ansible.builtin.file:
-#     path: "{{ item.path }}"
-#     state: directory
-#     owner: "{{ item.owner }}"
-#     group: "{{ item.group }}"
-#     mode: '0755'
-#   become: yes
-#   with_items:
-#     - { path: '/etc/dkimkeys/{{ mail_zone }}', owner: 'root', group: 'opendkim' }
-
-# - name: copy dkim pubkeys
-#   ansible.builtin.copy:
-#     src: "{{ item.src }}"
-#     dest: "{{ item.dest }}"
-#     owner: root
-#     group: opendkim
-#     mode: "{{ item.mode }}"
-#   become: yes
-#   notify:
-#     - reload_opendkim
-#     - restart_postfix
-#   with_items:
-#     - { src: 'dkimkeys/{{ mail_zone }}/default.txt', dest: '/etc/dkimkeys/{{ mail_zone }}/default.txt', mode: '0440' }
-
-# - name: copy dkim keys
-#   ansible.builtin.copy:
-#     src: "{{ item.src }}"
-#     dest: "{{ item.dest }}"
-#     owner: root
-#     group: opendkim
-#     mode: "{{ item.mode }}"
-#   become: yes
-#   notify:
-#     - reload_opendkim
-#     - restart_postfix
-#   with_items:
-#     - { src: 'dkimkeys/{{ mail_zone }}/default.private', dest: '/etc/dkimkeys/{{ mail_zone }}/default.private', mode: '0400' }
-#   no_log: true
+- name: Include mx-type-related opendkim tasks
+  ansible.builtin.include_tasks: mx-{{ mx_type }}_opendkim.yaml
 
 - name: Create directory for opendkim service file customization
   ansible.builtin.file:
@@ -235,13 +139,19 @@
     mode: '0644'
   become: yes
   notify:
+    # reloading is not enough, we must restart
     - restart_opendkim
     - restart_postfix
   with_items:
     - { src: 'default/opendkim.j2', dest: '/etc/default/opendkim' }
-    - { src: 'opendkim.conf.j2', dest: '/etc/opendkim.conf' }
+    - { src: 'opendkim.conf_{{ mta_type }}_{{ mx_type }}_.j2', dest: '/etc/opendkim.conf' }
 
-- name: Template postfix config
+- name: Include fail2ban conf for postfix
+  ansible.builtin.include_role:
+    name: fail2ban
+    tasks_from: postfix
+
+- name: Template postfix master config
   ansible.builtin.template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
@@ -251,15 +161,8 @@
   become: yes
   notify: restart_postfix
   with_items:
-    - { src: 'postfix/main.cf.j2', dest: '/etc/postfix/main.cf' }
-    - { src: 'postfix/master.cf.j2', dest: '/etc/postfix/master.cf' }
-
-# - name: make sure saslauthd is running
-#   ansible.builtin.service:
-#     name: saslauthd
-#     enabled: yes
-#     state: started
-#   become: yes
+    - { src: 'postfix/main.cf_{{ mta_type }}_{{ mx_type }}_{{ ansible_os_family }}_{{ ansible_distribution_major_version }}_.j2', dest: '/etc/postfix/main.cf' }
+    - { src: 'postfix/master.cf_{{ mta_type }}_{{ mx_type }}_.j2', dest: '/etc/postfix/master.cf' }
 
 - name: Make sure opendkim is running
   ansible.builtin.service:

roles/smtp_mx/tasks/mx-primary.yaml

@@ -0,0 +1,81 @@
+---
+- name: Enable standard aliases
+  ansible.builtin.include_tasks: mx-primary_aliases_enable.yaml
+  vars:
+    v: "{{ item }}"
+  loop: "{{ mail_users1 | subelements('aliases') }}"
+  no_log: true
+
+- name: Enable user aliases
+  ansible.builtin.include_tasks: mx-primary_aliases_enable.yaml
+  vars:
+    v: "{{ item }}"
+  loop: "{{ mail_users2 | subelements('aliases') }}"
+  no_log: true
+
+# - name: copy aliases
+#   ansible.builtin.template:
+#     src: "{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     owner: root
+#     group: root
+#     mode: '0644'
+#   become: yes
+#   notify:
+#     - new_aliases
+#   with_items:
+#     - { src: "aliases_{{ ansible_hostname }}.j2", dest: '/etc/aliases' }
+
+- name: Add user postfix to group sasl
+  ansible.builtin.user:
+    name: postfix
+    groups: sasl
+    append: yes
+  notify: restart_postfix
+  become: yes
+
+- name: Template saslauthd config
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  notify: restart_saslauthd
+  with_items:
+    - { src: 'postfix/sasl/smtpd.conf.j2', dest: '/etc/postfix/sasl/smtpd.conf' }
+    - { src: 'default/saslauthd.j2', dest: '/etc/default/saslauthd' }
+
+- name: Make sure saslauthd is running
+  ansible.builtin.service:
+    name: saslauthd
+    enabled: yes
+    state: started
+    runlevels:
+      - 2
+      - 3
+      - 4
+      - 5
+  become: yes
+  when: ansible_service_mgr == "sysvinit"
+
+- name: Make sure saslauthd is running
+  ansible.builtin.service:
+    name: saslauthd
+    enabled: yes
+    state: started
+  become: yes
+  when: ansible_service_mgr == "systemd"
+
+- name: Template procmail config
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  notify: restart_postfix
+  with_items:
+    - { src: 'procmailrc.j2', dest: '/etc/procmailrc' }

roles/smtp_mx/tasks/mx-primary_opendkim.yaml

@@ -0,0 +1,42 @@
+---
+- name: Create data dir for opendkim
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: '0755'
+  become: yes
+  with_items:
+    - { path: '/etc/dkimkeys/{{ mail_zone }}', owner: 'root', group: 'opendkim' }
+
+- name: Copy dkim pubkeys
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: opendkim
+    mode: "{{ item.mode }}"
+  become: yes
+  notify:
+    - reload_opendkim
+    - restart_postfix
+  with_items:
+    - { src: 'dkimkeys/{{ mail_zone }}/default.txt', dest: '/etc/dkimkeys/{{ mail_zone }}/default.txt', mode: '0440' }
+
+- name: Copy dkim keys
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: opendkim
+    mode: "{{ item.mode }}"
+  become: yes
+  notify:
+    - reload_opendkim
+    - restart_postfix
+  with_items:
+    - { src: 'dkimkeys/{{ mail_zone }}/default.private', dest: '/etc/dkimkeys/{{ mail_zone }}/default.private', mode: '0400' }
+  # dont show file content
+  diff: no
+  #no_log: true

roles/smtp_mx/tasks/mx-secondary.yaml

@@ -0,0 +1,23 @@
+---
+- name: Copy postfix relay_recipients
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  notify: reload_postfix
+  with_items:
+    - { src: 'postfix/relay_recipients.j2', dest: '/etc/postfix/relay_recipients' }
+  # dont show file content
+  diff: no
+  #no_log: true
+
+- name: Add user postfix to group sasl
+  ansible.builtin.user:
+    name: postfix
+    groups: sasl
+    append: yes
+  notify: restart_postfix
+  become: yes

roles/smtp_mx/tasks/mx-secondary_opendkim.yaml

@@ -0,0 +1 @@
+---

roles/smtp_mx/templates/postfix/main.cf_Debian_10_.j2

@@ -0,0 +1,46 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ ansible_fqdn }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = {{ ansible_hostname }}, {{ ansible_fqdn }}, localhost
+relayhost = {{ zone }}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 51200000
+recipient_delimiter = +
+inet_interfaces = loopback-only
+inet_protocols = all

roles/smtp_mx/templates/postfix/main.cf_Debian_11_.j2

@@ -0,0 +1,46 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
+# fresh installs.
+compatibility_level = 3.6
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ ansible_fqdn }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = {{ ansible_hostname }}, {{ ansible_fqdn }}, localhost
+relayhost = {{ zone }}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 51200000
+recipient_delimiter = +
+inet_interfaces = loopback-only
+inet_protocols = all

roles/smtp_mx/templates/postfix/main.cf_Debian_12_.j2

@@ -0,0 +1,46 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
+# fresh installs.
+compatibility_level = 3.6
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ ansible_fqdn }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = {{ ansible_hostname }}, {{ ansible_fqdn }}, localhost
+relayhost = {{ zone }}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 51200000
+recipient_delimiter = +
+inet_interfaces = loopback-only
+inet_protocols = all

roles/smtp_mx/templates/postfix/main.cf_mx_primary_Debian_12_.j2

@@ -0,0 +1,127 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C RESOLV_MULTI=on
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 3.6
+
+# SASL
+smtpd_sasl_auth_enable = yes
+#smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
+# Noter dans les en-tête des messages lʼidentifiant de lʼutilisateur.
+smtpd_sasl_authenticated_header = yes
+
+# TLS parameters (server)
+smtpd_tls_cert_file={{ ca_path }}/certs/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.crt
+smtpd_tls_key_file={{ ca_path }}/private/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.key
+#smtpd_use_tls=yes #obsolète
+smtpd_tls_security_level=may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+
+# TLS parameters (client)
+smtp_tls_cert_file={{ ca_path }}/certs/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.crt
+smtp_tls_key_file={{ ca_path }}/private/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.key
+# Use DNSSEC and DANE. This way if a TLSA record is found for a server,
+# we connect only if the certificate matches.
+smtp_dns_support_level = dnssec
+smtp_tls_security_level = dane
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+# DKIM
+smtpd_milters = unix:/{{ opendkim_subpath }}/opendkim.sock
+non_smtpd_milters = unix:/{{ opendkim_subpath }}/opendkim.sock
+
+# GLOBAL
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ mail_zone }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+virtual_alias_maps = regexp:/etc/postfix/virtual
+myorigin = {{ mail_zone }}
+mydestination = {{ mail_zone }}, {{ ansible_hostname }}, {{ ansible_fqdn }}, localhost.localdomain, localhost, mail4.{{ zone }}, {{ defaultalias_smtp }}
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ mynetworks }}
+mailbox_command = /usr/bin/procmail
+mailbox_size_limit = 5368709120
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+home_mailbox = Maildir/
+
+# BRUTEFORCE
+smtpd_client_connection_count_limit = 3
+smtpd_client_connection_rate_limit = 3
+smtpd_error_sleep_time = 10s
+smtpd_soft_error_limit = 3
+smtpd_hard_error_limit = 5
+smtpd_client_new_tls_session_rate_limit = 3
+smtpd_client_auth_rate_limit = 3
+# ↑(postfix 3.1)
+# smtpd_client_event_limit_exceptions
+#↑(default $mynetworks)
+
+# SPAM
+# Règles pour accepter ou refuser une connexion :
+# - on attend une seconde (pour piéger les zombies) ;
+# - on interdit la parallélisation là où il nʼest pas sensé y en avoir.
+smtpd_client_restrictions =
+    permit_mynetworks, permit_sasl_authenticated,
+    sleep 1, reject_unauth_pipelining
+#    reject_rbl_client sbl-xbl.spamhaus.org # une des rbl les plus fiables
+# Règles pour accepter ou refuser un message, dès lors quʼon connaît le nom
+# de lʼhôte de lʼexpéditeur (par sa commande HELO ou EHLO) :
+# - on refuse les noms dʼhôte invalides.
+# (ajouté) - on accepte tout ce qui vient de chez nous (utile pour tester)
+#          - on refuse les noms de domaine invalides
+smtpd_helo_restrictions = 
+    permit_mynetworks, reject_non_fqdn_hostname,
+    reject_invalid_helo_hostname
+# Règles pour accepter ou refuser un message, dès lors quʼon connaît lʼadresse
+# de lʼexpéditeur :
+# - sʼil vient dʼun expéditeur inexistant de notre domaine, on le rejette ;
+# - si le domaine de lʼexpéditeur nʼa pas dʼIP ou de MX, on le refuse ;
+# - sʼil vient dʼun client sûr ou dʼun client authentifié, on lʼaccepte ;
+# - si lʼadresse de lʼexpéditeur nʼest pas sous forme canonique, on le refuse.
+smtpd_sender_restrictions =
+    reject_unlisted_sender, reject_unknown_sender_domain,
+    permit_mynetworks, permit_sasl_authenticated,
+    check_sender_access hash:/etc/postfix/sender_access,
+    reject_non_fqdn_sender
+# Règles pour accepter ou refuser un message, dès lors quʼon connaît le
+# destinataire (par la commande RCPT TO) :
+# - sʼil est destiné à un expéditeur forgé chez nous, on le rejette ;
+# - sʼil est destiné à un domaine forgé, on le rejette ;
+# - sʼil vient dʼun hôte sûr ou dʼun client authentifié, on lʼaccepte ;
+# - si lʼadresse de destination nʼest pas sous forme canonique, on le refuse ;
+# - finalement, sʼil nʼest pas destiné à un domaine que lʼon gère ou pour
+#   lequel on relaie, on le refuse.
+# - le dernier paramètre active la politique SPF
+smtpd_recipient_restrictions =
+    reject_unlisted_recipient, reject_unknown_recipient_domain,
+    permit_mynetworks, permit_sasl_authenticated,
+    reject_non_fqdn_recipient,
+    reject_unauth_destination,
+#    check_policy_service inet:127.0.0.1:10023, #greylisting
+    check_policy_service unix:private/policy
+# Règles sur la commande DATA : on interdit la parallélisation (bots)
+smtpd_data_restrictions = reject_unauth_pipelining
+header_checks = regexp:/etc/postfix/header_checks

roles/smtp_mx/templates/postfix/main.cf_mx_secondary_Debian_12_.j2

@@ -0,0 +1,126 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C RESOLV_MULTI=on
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 3.6
+
+# SASL
+#smtpd_sasl_auth_enable = yes
+#smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
+# Noter dans les en-tête des messages lʼidentifiant de lʼutilisateur.
+#smtpd_sasl_authenticated_header = yes
+
+# TLS parameters (server)
+smtpd_tls_cert_file={{ ca_path }}/certs/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.crt
+smtpd_tls_key_file={{ ca_path }}/private/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.key
+#smtpd_use_tls=yes #obsolète
+smtpd_tls_security_level=may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+
+# TLS parameters (client)
+smtp_tls_cert_file={{ ca_path }}/certs/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.crt
+smtp_tls_key_file={{ ca_path }}/private/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.key
+smtp_tls_security_level=may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+# DKIM
+smtpd_milters = unix:/{{ opendkim_subpath }}/opendkim.sock
+non_smtpd_milters = unix:/{{ opendkim_subpath }}/opendkim.sock
+
+# GLOBAL
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ ansible_fqdn }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+#virtual_alias_maps = regexp:/etc/postfix/virtual
+myorigin = /etc/mailname
+mydestination = {{ ansible_hostname }}, {{ ansible_fqdn }}, localhost.localdomain, localhost, mail4.{{ zone }}, {{ defaultalias_smtp }}
+relay_domains = {{ mail_zone }}
+relay_recipient_maps = regexp:/etc/postfix/relay_recipients
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ mynetworks }}
+mailbox_command = /usr/bin/procmail
+mailbox_size_limit = 5368709120
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+home_mailbox = Maildir/
+
+# BRUTEFORCE
+smtpd_client_connection_count_limit = 3
+smtpd_client_connection_rate_limit = 3
+smtpd_error_sleep_time = 10s
+smtpd_soft_error_limit = 3
+smtpd_hard_error_limit = 5
+smtpd_client_new_tls_session_rate_limit = 3
+smtpd_client_auth_rate_limit = 3
+# ↑(postfix 3.1)
+# smtpd_client_event_limit_exceptions
+#↑(default $mynetworks)
+
+# SPAM
+# Règles pour accepter ou refuser une connexion :
+# - on attend une seconde (pour piéger les zombies) ;
+# - on interdit la parallélisation là où il nʼest pas sensé y en avoir.
+smtpd_client_restrictions =
+    permit_mynetworks, permit_sasl_authenticated,
+    sleep 1, reject_unauth_pipelining
+#    reject_rbl_client sbl-xbl.spamhaus.org # une des rbl les plus fiables
+# Règles pour accepter ou refuser un message, dès lors quʼon connaît le nom
+# de lʼhôte de lʼexpéditeur (par sa commande HELO ou EHLO) :
+# - on refuse les noms dʼhôte invalides.
+# (ajouté) - on accepte tout ce qui vient de chez nous (utile pour tester)
+#          - on refuse les noms de domaine invalides
+smtpd_helo_restrictions = 
+    permit_mynetworks, reject_non_fqdn_hostname,
+    reject_invalid_helo_hostname
+# Règles pour accepter ou refuser un message, dès lors quʼon connaît lʼadresse
+# de lʼexpéditeur :
+# - sʼil vient dʼun expéditeur inexistant de notre domaine, on le rejette ;
+# - si le domaine de lʼexpéditeur nʼa pas dʼIP ou de MX, on le refuse ;
+# - sʼil vient dʼun client sûr ou dʼun client authentifié, on lʼaccepte ;
+# - si lʼadresse de lʼexpéditeur nʼest pas sous forme canonique, on le refuse.
+smtpd_sender_restrictions =
+    reject_unlisted_sender, reject_unknown_sender_domain,
+    permit_mynetworks, permit_sasl_authenticated,
+    check_sender_access hash:/etc/postfix/sender_access,
+    reject_non_fqdn_sender
+# Règles pour accepter ou refuser un message, dès lors quʼon connaît le
+# destinataire (par la commande RCPT TO) :
+# - sʼil est destiné à un expéditeur forgé chez nous, on le rejette ;
+# - sʼil est destiné à un domaine forgé, on le rejette ;
+# - sʼil vient dʼun hôte sûr ou dʼun client authentifié, on lʼaccepte ;
+# - si lʼadresse de destination nʼest pas sous forme canonique, on le refuse ;
+# - finalement, sʼil nʼest pas destiné à un domaine que lʼon gère ou pour
+#   lequel on relaie, on le refuse.
+# - le dernier paramètre active la politique SPF
+smtpd_recipient_restrictions =
+    reject_unlisted_recipient, reject_unknown_recipient_domain,
+    permit_mynetworks, permit_sasl_authenticated,
+    reject_non_fqdn_recipient,
+    reject_unauth_destination,
+#    check_policy_service inet:127.0.0.1:10023, #greylisting
+    check_policy_service unix:private/policy
+# Règles sur la commande DATA : on interdit la parallélisation (bots)
+smtpd_data_restrictions = reject_unauth_pipelining
+#header_checks = regexp:/etc/postfix/header_checks

roles/smtp_primary/tasks/main.yaml

@@ -1,285 +0,0 @@
----
-- name: Install dependencies for postfix MTA
-  ansible.builtin.package:
-    name:
-      - sasl2-bin
-      - libsasl2-modules
-      - postfix-policyd-spf-perl
-      - opendkim
-      - opendkim-tools
-      - procmail
-    state: present
-  become: yes
-
-- name: Copy postfix certs
-  ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: postfix
-    mode: "{{ item.mode }}"
-  become: yes
-  notify: reload_postfix
-  with_items:
-    - { src: 'tls/certs/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.crt', dest: '{{ ca_path }}/certs/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.crt', mode: '0644' }
-
-- name: Copy postfix keys
-  ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: postfix
-    mode: "{{ item.mode }}"
-  become: yes
-  notify: reload_postfix
-  with_items:
-    - { src: 'tls/private/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.key', dest: '{{ ca_path }}/private/{{ ansible_hostname }}_postfix_{{ defaultalias_smtp }}.key', mode: '0440' }
-  # dont show file content
-  diff: no
-  #no_log: true
-
-- name: Enable standard aliases
-  ansible.builtin.include_tasks: aliases_enable.yaml
-  vars:
-    v: "{{ item }}"
-  loop: "{{ mail_users1 | subelements('aliases') }}"
-  no_log: true
-
-- name: Enable user aliases
-  ansible.builtin.include_tasks: aliases_enable.yaml
-  vars:
-    v: "{{ item }}"
-  loop: "{{ mail_users2 | subelements('aliases') }}"
-  no_log: true
-
-# - name: copy aliases
-#   ansible.builtin.template:
-#     src: "{{ item.src }}"
-#     dest: "{{ item.dest }}"
-#     owner: root
-#     group: root
-#     mode: '0644'
-#   become: yes
-#   notify:
-#     - new_aliases
-#   with_items:
-#     - { src: "aliases_{{ ansible_hostname }}.j2", dest: '/etc/aliases' }
-
-- name: Copy postfix sender_access
-  ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  notify:
-    - postmap_senderaccess
-    - reload_postfix
-  with_items:
-    - { src: 'postfix/sender_access', dest: '/etc/postfix/sender_access' }
-
-- name: Copy postfix header_checks
-  ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  notify: reload_postfix
-  with_items:
-    - { src: 'postfix/header_checks', dest: '/etc/postfix/header_checks' }
-
-- name: Copy postfix virtual
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  notify: reload_postfix
-  with_items:
-    - { src: 'postfix/virtual.j2', dest: '/etc/postfix/virtual' }
-  # dont show file content
-  diff: no
-  #no_log: true
-
-- name: Add user postfix to group sasl
-  ansible.builtin.user:
-    name: postfix
-    groups: sasl
-    append: yes
-  notify: restart_postfix
-  become: yes
-
-- name: Template saslauthd config
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  notify: restart_saslauthd
-  with_items:
-    - { src: 'postfix/sasl/smtpd.conf.j2', dest: '/etc/postfix/sasl/smtpd.conf' }
-    - { src: 'default/saslauthd.j2', dest: '/etc/default/saslauthd' }
-
-- name: Include fail2ban conf for postfix
-  ansible.builtin.include_role:
-    name: fail2ban
-    tasks_from: postfix
-
-- name: Make sure saslauthd is running
-  ansible.builtin.service:
-    name: saslauthd
-    enabled: yes
-    state: started
-    runlevels:
-      - 2
-      - 3
-      - 4
-      - 5
-  become: yes
-  when: ansible_service_mgr == "sysvinit"
-
-- name: Make sure saslauthd is running
-  ansible.builtin.service:
-    name: saslauthd
-    enabled: yes
-    state: started
-  become: yes
-  when: ansible_service_mgr == "systemd"
-
-- name: Add user postfix to group opendkim
-  ansible.builtin.user:
-    name: postfix
-    groups: opendkim
-    append: yes
-  notify: restart_postfix
-  become: yes
-
-- name: Create chroot for opendkim
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: directory
-    owner: "{{ item.owner }}"
-    group: "{{ item.group }}"
-    mode: '0771'
-  become: yes
-  notify:
-    - restart_opendkim
-    - restart_postfix
-  with_items:
-    - { path: '{{ opendkim_chroot }}', owner: 'root', group: 'opendkim' }
-
-- name: Create data dir for opendkim
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: directory
-    owner: "{{ item.owner }}"
-    group: "{{ item.group }}"
-    mode: '0755'
-  become: yes
-  with_items:
-    - { path: '/etc/dkimkeys/{{ mail_zone }}', owner: 'root', group: 'opendkim' }
-
-- name: Copy dkim pubkeys
-  ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: opendkim
-    mode: "{{ item.mode }}"
-  become: yes
-  notify:
-    - reload_opendkim
-    - restart_postfix
-  with_items:
-    - { src: 'dkimkeys/{{ mail_zone }}/default.txt', dest: '/etc/dkimkeys/{{ mail_zone }}/default.txt', mode: '0440' }
-
-- name: Copy dkim keys
-  ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: opendkim
-    mode: "{{ item.mode }}"
-  become: yes
-  notify:
-    - reload_opendkim
-    - restart_postfix
-  with_items:
-    - { src: 'dkimkeys/{{ mail_zone }}/default.private', dest: '/etc/dkimkeys/{{ mail_zone }}/default.private', mode: '0400' }
-  # dont show file content
-  diff: no
-  #no_log: true
-
-- name: Create directory for opendkim service file customization
-  ansible.builtin.file:
-    path: /etc/systemd/system/opendkim.service.d/
-    state: directory
-    owner: root
-    group: root
-    mode: '0755'
-  become: yes
-  when: ansible_service_mgr == "systemd"
-
-- name: Copy opendkim systemd service file
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  with_items:
-    - { src: 'systemd/system/opendkim.service.d/override.conf.j2', dest: '/etc/systemd/system/opendkim.service.d/override.conf' }
-  notify: daemonreload
-  when: ansible_service_mgr == "systemd"
-
-- name: Template opendkim config
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  notify:
-    # reloading is not enough, we must restart
-    - restart_opendkim
-    - restart_postfix
-  with_items:
-    - { src: 'default/opendkim.j2', dest: '/etc/default/opendkim' }
-    - { src: 'opendkim.conf.j2', dest: '/etc/opendkim.conf' }
-
-- name: Template postfix and procmail config
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: '0644'
-  become: yes
-  notify: restart_postfix
-  with_items:
-    - { src: 'postfix/main.cf.j2', dest: '/etc/postfix/main.cf' }
-    - { src: 'postfix/master.cf.j2', dest: '/etc/postfix/master.cf' }
-    - { src: 'procmailrc.j2', dest: '/etc/procmailrc' }
-
-- name: Make sure opendkim is running
-  ansible.builtin.service:
-    name: opendkim
-    enabled: yes
-    state: started
-  become: yes
-
-- name: Make sure postfix is running
-  ansible.builtin.service:
-    name: postfix
-    enabled: yes
-    state: started
-  become: yes

roles/smtp_secondary/files/dkimkeys/g03.rhizogen.es.eu.org

@@ -1 +0,0 @@
-../../../../inventory/files/dkim/g03.rhizogen.es.eu.org

roles/smtp_secondary/files/dkimkeys/rhizogen.es.eu.org

@@ -1 +0,0 @@
-../../../../inventory/files/dkim/rhizogen.es.eu.org

roles/smtp_secondary/files/host.conf

@@ -1 +0,0 @@
-multi on

roles/smtp_secondary/files/postfix/header_checks

@@ -1 +0,0 @@
-../../../../inventory/files/postfix/header_checks

roles/smtp_secondary/files/postfix/sender_access

@@ -1 +0,0 @@
-../../../../inventory/files/postfix/sender_access

roles/smtp_secondary/files/tls/certs

@@ -1 +0,0 @@
-../../../../inventory/files/tls/certs

roles/smtp_secondary/files/tls/private

@@ -1 +0,0 @@
-../../../../inventory/files/tls/private

roles/smtp_secondary/handlers/main.yaml

@@ -1,40 +0,0 @@
----
-- name: Systemctl daemon-reload
-  ansible.builtin.command:
-    cmd: systemctl daemon-reload
-  listen: "daemonreload"
-  become: yes
-
-- name: Restart saslauthd
-  ansible.builtin.service:
-    name: saslauthd
-    state: restarted
-  become: yes
-  listen: "restart_saslauthd"
-
-- name: Reload saslauthd
-  ansible.builtin.service:
-    name: saslauthd
-    state: reloaded
-  become: yes
-  listen: "reload_saslauthd"
-
-- name: Restart opendkim
-  ansible.builtin.service:
-    name: opendkim
-    state: restarted
-  become: yes
-  listen: "restart_opendkim"
-
-- name: Reload opendkim
-  ansible.builtin.service:
-    name: opendkim
-    state: reloaded
-  become: yes
-  listen: "reload_opendkim"
-
-- name: Postmap sender_access
-  ansible.builtin.command:
-    cmd: postmap /etc/postfix/sender_access
-  listen: "postmap_senderaccess"
-  become: yes

roles/smtp_secondary/meta/main.yaml

@@ -1,10 +0,0 @@
----
-dependencies:
-# needed:
-  - role: smtp_base
-  - role: aliases
-  - role: tls
-  - role: maildir
-# needed because of some included tasks
-  - role: fail2ban
-# bundled:

roles/smtp_secondary/templates/aliases.j2

@@ -1 +0,0 @@
-../../../inventory/files/postfix/aliases.j2

roles/smtp_secondary/templates/default/opendkim.j2

@@ -1,30 +0,0 @@
-# NOTE: This is a legacy configuration file. It is not used by the opendkim
-# systemd service. Please use the corresponding configuration parameters in
-# /etc/opendkim.conf instead.
-#
-# Previously, one would edit the default settings here, and then execute
-# /lib/opendkim/opendkim.service.generate to generate systemd override files at
-# /etc/systemd/system/opendkim.service.d/override.conf and
-# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
-# recommended to adjust the settings directly in /etc/opendkim.conf.
-#
-#DAEMON_OPTS=""
-# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
-# postfix in a chroot:
-RUNDIR={{ opendkim_chroot }}
-#RUNDIR=/run/opendkim
-#
-# Uncomment to specify an alternate socket
-# Note that setting this will override any Socket value in opendkim.conf
-# default:
-SOCKET=local:$RUNDIR/opendkim.sock
-# listen on all interfaces on port 54321:
-#SOCKET=inet:54321
-# listen on loopback on port 12345:
-#SOCKET=inet:12345@localhost
-# listen on 192.0.2.1 on port 12345:
-#SOCKET=inet:12345@192.0.2.1
-USER=opendkim
-GROUP=opendkim
-PIDFILE=$RUNDIR/$NAME.pid
-EXTRAAFTER=

roles/smtp_secondary/templates/default/saslauthd.j2

@@ -1,63 +0,0 @@
-#
-# Settings for saslauthd daemon
-# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
-#
-
-# Should saslauthd run automatically on startup? (default: no)
-START=yes
-
-# Description of this saslauthd instance. Recommended.
-# (suggestion: SASL Authentication Daemon)
-DESC="SASL Authentication Daemon"
-
-# Short name of this saslauthd instance. Strongly recommended.
-# (suggestion: saslauthd)
-NAME="saslauthd"
-
-# Which authentication mechanisms should saslauthd use? (default: pam)
-#
-# Available options in this Debian package:
-# getpwent  -- use the getpwent() library function
-# kerberos5 -- use Kerberos 5
-# pam       -- use PAM
-# rimap     -- use a remote IMAP server
-# shadow    -- use the local shadow password file
-# sasldb    -- use the local sasldb database file
-# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
-#
-# Only one option may be used at a time. See the saslauthd man page
-# for more information.
-#
-# Example: MECHANISMS="pam"
-MECHANISMS="pam"
-
-# Additional options for this mechanism. (default: none)
-# See the saslauthd man page for information about mech-specific options.
-MECH_OPTIONS=""
-
-# How many saslauthd processes should we run? (default: 5)
-# A value of 0 will fork a new process for each connection.
-THREADS=5
-
-# Other options (default: -c -m /var/run/saslauthd)
-# Note: You MUST specify the -m option or saslauthd won't run!
-#
-# WARNING: DO NOT SPECIFY THE -d OPTION.
-# The -d option will cause saslauthd to run in the foreground instead of as
-# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
-# to run saslauthd in debug mode, please run it by hand to be safe.
-#
-# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
-# See the saslauthd man page and the output of 'saslauthd -h' for general
-# information about these options.
-#
-# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
-# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
-#
-# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
-# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
-# then your Postfix is running in a chroot.
-# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
-# running in a chroot.
-#OPTIONS="-c -m /var/run/saslauthd"
-OPTIONS="-c -m {{ saslauthd_chroot }}"

roles/smtp_secondary/templates/opendkim.service.j2

@@ -1,14 +0,0 @@
-[Unit]
-Description=OpenDKIM Milter
-Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-lua(3) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testkey(8) http://www.opendkim.org/docs.html
-After=network.target nss-lookup.target
-
-[Service]
-Type=forking
-PIDFile={{ postfix_chroot }}/{{ opendkim_subpath }}/opendkim.pid
-ExecStart=/usr/sbin/opendkim
-ExecReload=/bin/kill -USR1 $MAINPID
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target

roles/smtp_secondary/templates/postfix/relay_recipients.j2

@@ -1 +0,0 @@
-../../../../inventory/files/postfix/relay_recipients.j2

roles/smtp_secondary/templates/postfix/sasl/smtpd.conf.j2

@@ -1,2 +0,0 @@
-pwcheck_method: saslauthd
-mech_list: plain login

roles/smtp_secondary/templates/postfix/virtual.j2

@@ -1 +0,0 @@
-../../../../inventory/files/postfix/virtual.j2

roles/smtp_secondary/templates/systemd/system/opendkim.service.d/override.conf.j2

@@ -1,2 +0,0 @@
-[Service]
-PIDFile=/var/spool/postfix/var/run/opendkim/opendkim.pid