Get dovecot certificates from secrets.

2024-09-06 21:06:45 +02:00 · 2024-09-06 21:06:45 +02:00 · ea5a5ae33a
commit ea5a5ae33a
parent 0a6dfbbedc
1 changed files with 57 additions and 2 deletions
--- a/roles/role_deploy_dovecot/tasks/main.yml
+++ b/roles/role_deploy_dovecot/tasks/main.yml
@ -52,11 +52,64 @@
  changed_when: duplicity_result.rc is defined and duplicity_result.rc == 0
  when: not dovecot_installed_flag.stat.exists

- name: Create /usr/local/docker-mounted-files/docker-mail-stack directory
+- name: Create /usr/local/docker-mounted-files/docker-mail-stack/certs directory
  ansible.builtin.file:
-    path: "/usr/local/docker-mounted-files/docker-mail-stack"
+    path: "/usr/local/docker-mounted-files/docker-mail-stack/certs"
    state: directory
    mode: '0755'
+    recurse: yes
+  become: true
+  when: not dovecot_installed_flag.stat.exists
+
+- name: Remove temp directory
+  ansible.builtin.file:
+    path: "{{ remote_workdir }}/dovecot_secrets"
+    state: absent
+  changed_when: false
+  become: true
+  when: not dovecot_installed_flag.stat.exists
+
+- name: Create temp directory
+  ansible.builtin.file:
+    path: "{{ remote_workdir }}/dovecot_secrets"
+    state: directory
+    recurse: yes
+  changed_when: false
+  become: true
+  when: not dovecot_installed_flag.stat.exists
+
+- name: Extract dovecot certs from secrets.tar.gz.enc
+  shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 3 {{ item.name }}"
+  changed_when: false
+  with_items:
+    - name: secrets/docker-mail-stack/certs/dovecot.crt
+      dir: "{{ remote_workdir }}/dovecot_secrets"
+    - name: secrets/docker-mail-stack/certs/dovecot.key
+      dir: "{{ remote_workdir }}/dovecot_secrets"
+  environment:
+    SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
+  become: true
+  when: not dovecot_installed_flag.stat.exists
+
+- name: Copy dovecot SSL cert
+  ansible.builtin.copy:
+    src: "{{ remote_workdir }}/dovecot_secrets/dovecot.crt"
+    dest: "/usr/local/docker-mounted-files/docker-mail-stack/certs/"
+    remote_src: yes
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o=r"
+  become: true
+  when: not dovecot_installed_flag.stat.exists
+
+- name: Copy dovecot SSL key
+  ansible.builtin.copy:
+    src: "{{ remote_workdir }}/dovecot_secrets/dovecot.key"
+    dest: "/usr/local/docker-mounted-files/docker-mail-stack/certs/"
+    remote_src: yes
+    owner: root
+    group: root
+    mode: "u=rw,g=,o="
  become: true
  when: not dovecot_installed_flag.stat.exists

@ -136,6 +189,8 @@
      - /usr/local/docker-mounted-files/docker-mail-stack/users:/etc/dovecot/users:Z
      - /usr/local/docker-mounted-files/docker-mail-stack/15-lda.conf:/etc/dovecot/conf.d/15-lda.conf:Z
      - /usr/local/docker-mounted-files/docker-mail-stack/10-mail.conf:/etc/dovecot/conf.d/10-mail.conf:Z
+      - /usr/local/docker-mounted-files/docker-mail-stack/certs/dovecot.crt:/etc/dovecot/dovecot.pem:Z
+      - /usr/local/docker-mounted-files/docker-mail-stack/certs/dovecot.key:/etc/dovecot/private/dovecot.pem:Z
  become: true
  when: not dovecot_installed_flag.stat.exists