ovh_instance_playbooks/roles/role_deploy_dovecot/tasks/main.yml

---
# Stop the systemd unit that wraps the dovecot container. A missing unit
# (first deployment on a fresh host) is tolerated; any other failure is fatal.
- name: Stop container service
  become: true
  ansible.builtin.systemd:
    name: container-dovecot
    state: stopped
  register: result_dovecot_systemd_stop
  failed_when: >-
    result_dovecot_systemd_stop is failed
    and 'Could not find the requested service' not in result_dovecot_systemd_stop.msg
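# List any running container named exactly "dovecot"; the output is only
# consumed by the assert that follows. Uses the fully qualified module name
# like the rest of this file.
- name: Check if dovecot container is running
  become: true
  ansible.builtin.command:
    cmd: 'podman ps -q --filter "name=^dovecot$"'
  changed_when: false
  register: podman_ps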
# Refuse to touch the volumes while a container named "dovecot" is still up.
- name: Assert that no dovecot container is running
  ansible.builtin.assert:
    that: podman_ps.stdout_lines | length == 0
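# The marker file is written at the end of this role after a restore has
# completed; its presence skips the volume setup and the duplicity restore.
# Run as root so a non-traversable /mnt/volumes cannot make the marker look
# absent and trigger a second restore over live data.
- name: Check if restore from backup is already done
  become: true
  ansible.builtin.stat:
    path: /mnt/volumes/restore_states/dovecot_restored
  register: dovecot_restored_flag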
# One volume per mailbox tree; skipped once the restore marker exists.
# NOTE(review): the unit of `size` is defined by role_setup_volume — confirm there.
- name: Setup volume
  ansible.builtin.include_role:
    name: role_setup_volume
  vars:
    volume: "{{ item }}"
  loop:
    - name: mail_data
      size: 10
      vol_type: high-speed
    - name: mail_data_Sylvie
      size: 10
      vol_type: high-speed
  when: not dovecot_restored_flag.stat.exists
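# Hand the duplicity working and archive directories to LINUX_USERNAME before
# the restore task below uses them. `state: directory` creates them when
# missing instead of failing (the module's default state errors on an absent
# path) and is a no-op on an existing directory.
- name: change ownership of duplicity working directories
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ LINUX_USERNAME }}"
    group: "{{ LINUX_USERNAME }}"
  loop:
    - "{{ DUPLICITY_WORKDIR }}"
    - "{{ DUPLICITY_ARCHIVE_DIR }}"
  when: not dovecot_restored_flag.stat.exists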
# Restore each mail volume from its Swift-backed duplicity archive.
# Credentials reach duplicity only through the environment, never argv.
# Exit code 11 is deliberately not treated as a failure (TODO confirm what
# 11 means for the installed duplicity version); a change is reported only
# on a clean exit.
- name: restore volume backup
  become: true
  ansible.builtin.command:
    cmd: >-
      duplicity restore
      --archive-dir {{ DUPLICITY_ARCHIVE_DIR }}
      --name {{ item }}
      swift://{{ item }}
      /mnt/volumes/{{ item }}/data
  environment:
    SWIFT_USERNAME: "{{ OS_USERNAME }}"
    SWIFT_PASSWORD: "{{ OS_PASSWORD }}"
    SWIFT_AUTHURL: "{{ OS_AUTH_URL }}"
    SWIFT_REGIONNAME: "{{ SWIFT_REGIONNAME }}"
    SWIFT_TENANTNAME: "{{ OS_TENANT_NAME }}"
    SWIFT_AUTHVERSION: "{{ OS_IDENTITY_API_VERSION }}"
    PASSPHRASE: "{{ duplicity_passphrase }}"
    # /usr/bin/duplicity is started with python's "-s" flag, which keeps the
    # user's python directory off the module search path; PYTHONPATH puts it back.
    # NOTE(review): the path is relative, so it resolves against the command's
    # working directory (no `chdir` is set) — confirm it lands where intended.
    # Running as root with a relative module search path is a hijack risk if
    # that directory is writable by other users.
    PYTHONPATH: ".local/lib/python3.9/site-packages"
  register: duplicity_result
  loop:
    - mail_data
    - mail_data_Sylvie
  failed_when: >-
    duplicity_result is failed
    and (duplicity_result.rc is not defined or duplicity_result.rc != 11)
  changed_when: duplicity_result.rc is defined and duplicity_result.rc == 0
  when: not dovecot_restored_flag.stat.exists
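# Host-side directory tree that is bind-mounted into the container. The
# certs subdirectory is listed explicitly so its mode is set rather than
# inherited; one looped task replaces two copies of the same module call.
- name: Create docker-mail-stack directories
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: '0755'
  loop:
    - /usr/local/docker-mounted-files/docker-mail-stack
    - /usr/local/docker-mounted-files/docker-mail-stack/certs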
# Start from an empty staging directory so nothing left over from an earlier
# run sits next to the freshly extracted files.
- name: Remove temp directory
  become: true
  ansible.builtin.file:
    path: "{{ remote_workdir }}/dovecot_secrets"
    state: absent
  changed_when: false
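# Staging directory for the extracted TLS certificate and private key.
# Owner-only mode, because the private key is staged here before it is
# copied into place; without an explicit mode the directory would get
# whatever the root umask allows.
- name: Create temp directory
  become: true
  ansible.builtin.file:
    path: "{{ remote_workdir }}/dovecot_secrets"
    state: directory
    mode: '0700'
    recurse: true
  changed_when: false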
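# Pull only the two dovecot TLS files out of the encrypted archive into the
# staging directory. The passphrase comes from the controller's environment
# and is handed to openssl by variable name (`-pass env:`), so it never
# appears on a command line. Uses the fully qualified module name like the
# rest of this file.
# NOTE(review): `-aes-256-cbc -md md5` must match how the archive was
# encrypted; changing cipher or digest means re-encrypting the archive.
- name: Extract dovecot certs from secrets.tar.gz.enc
  become: true
  ansible.builtin.shell:
    cmd: >-
      openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d
      -in {{ remote_workdir }}/secrets.tar.gz.enc
      | tar -zxv -C {{ item.dir }} --strip 3 {{ item.name }}
  environment:
    SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
  changed_when: false
  loop:
    - name: secrets/docker-mail-stack/certs/dovecot.crt
      dir: "{{ remote_workdir }}/dovecot_secrets"
    - name: secrets/docker-mail-stack/certs/dovecot.key
      dir: "{{ remote_workdir }}/dovecot_secrets"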
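# Install the TLS material root-owned: the certificate stays world-readable,
# the private key is readable by root only. One looped task carries the
# per-file mode instead of two near-identical copies.
- name: Copy dovecot SSL cert and key
  become: true
  ansible.builtin.copy:
    src: "{{ remote_workdir }}/dovecot_secrets/{{ item.name }}"
    dest: "/usr/local/docker-mounted-files/docker-mail-stack/certs/"
    remote_src: true
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop:
    - name: dovecot.crt
      mode: "u=rw,g=r,o=r"
    - name: dovecot.key
      mode: "u=rw,g=,o="

# The staged copy of the private key is no longer needed once it is in
# place; do not leave it lying in the work directory between runs.
- name: Remove dovecot secrets staging directory
  become: true
  ansible.builtin.file:
    path: "{{ remote_workdir }}/dovecot_secrets"
    state: absent
  changed_when: false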
# Check out the deployment config repo on the host; `force: true` discards
# local modifications so the checkout always matches the remote.
# NOTE(review): `accept_hostkey: true` trusts whatever host key is presented
# on first contact — pre-seeding known_hosts would allow `false` here.
# `master` is a moving target, so the deployed config is not pinned.
# Unlike its neighbours this task has no `become`; confirm remote_workdir is
# writable by the connecting user.
- name: Retrieve config repo
  ansible.builtin.git:
    repo: "ssh://git@git.scimetis.net:2222/yohan/config.git"
    dest: "{{ remote_workdir }}/config"
    version: master
    force: true
    accept_hostkey: true
  changed_when: false
# Copy the files from the config checkout that the container bind-mounts;
# ownership and mode are applied by the "Fix permissions" task further down.
- name: Copy config
  become: true
  ansible.builtin.copy:
    src: "{{ remote_workdir }}/config/docker-mail-stack/{{ item }}"
    dest: "/usr/local/docker-mounted-files/docker-mail-stack/"
    remote_src: true
  loop:
    - dovecot_expire.sh
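# Render the dovecot config files the container bind-mounts. Owner and mode
# are set explicitly instead of inherited from the root umask, matching the
# copy tasks above; all three remain world-readable on the host.
# NOTE(review): `users` is mounted at /etc/dovecot/users in the container —
# if it holds credentials, whether it can be tightened depends on which uid
# reads it inside the container; confirm before changing its mode.
- name: Template dovecot config files
  become: true
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/usr/local/docker-mounted-files/docker-mail-stack/{{ item }}"
    owner: root
    group: root
    mode: "u=rw,g=r,o=r"
  loop:
    - 15-lda.conf
    - 10-mail.conf
    - users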
# Root-owned, executable by root and group only: the script runs inside the
# container as /root/dovecot_expire.sh.
- name: Fix permissions
  become: true
  ansible.builtin.file:
    path: "/usr/local/docker-mounted-files/docker-mail-stack/{{ item.name }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop:
    - name: dovecot_expire.sh
      mode: "u=rwx,g=rx,o="
# podman logout is needed before podman login if the registry was recreated.
# Failures are ignored on purpose: the image is expected to be in the local
# cache, so the registry being unreachable must not abort the role.
- name: Logout from {{ private_registry_domain }}
  become: true
  containers.podman.podman_logout:
    registry: "{{ private_registry_domain }}"
  changed_when: false
  failed_when: false
# Log in so a pull can succeed if the image is not cached. As with the
# logout, a failure here is not fatal because the image should already be
# in the cache — which also means a wrong password only surfaces later,
# when the container task actually needs to pull.
- name: Login to {{ private_registry_domain }} and create ${XDG_RUNTIME_DIR}/containers/auth.json
  become: true
  containers.podman.podman_login:
    registry: "{{ private_registry_domain }}"
    username: "{{ private_registry_user }}"
    password: "{{ private_registry_password }}"
  changed_when: false
  failed_when: false
# Define the container on the host network; `state: present` only ensures it
# exists, the generated unit in /etc/systemd/system is what the next task
# starts. Volumes: both mailbox trees, the expire script, the rendered config
# files and the TLS pair.
# NOTE(review): the image is pinned by tag, not by digest, so a re-pushed tag
# silently changes what gets deployed. SELinux labels are mixed (`z` shared,
# `Z` private) — confirm that split is intentional.
- name: Create dovecot container
  become: true
  containers.podman.podman_container:
    name: dovecot
    image: "{{ private_registry_domain }}/dovecot:530c367996"
    state: present
    network:
      - host
    volume:
      - /mnt/volumes/mail_data/data:/home/yohan:z
      - /mnt/volumes/mail_data_Sylvie/data:/home/sylvie:z
      - /usr/local/docker-mounted-files/docker-mail-stack/dovecot_expire.sh:/root/dovecot_expire.sh:Z
      - /usr/local/docker-mounted-files/docker-mail-stack/users:/etc/dovecot/users:Z
      - /usr/local/docker-mounted-files/docker-mail-stack/15-lda.conf:/etc/dovecot/conf.d/15-lda.conf:Z
      - /usr/local/docker-mounted-files/docker-mail-stack/10-mail.conf:/etc/dovecot/conf.d/10-mail.conf:Z
      - /usr/local/docker-mounted-files/docker-mail-stack/certs/dovecot.crt:/etc/dovecot/dovecot.pem:z
      - /usr/local/docker-mounted-files/docker-mail-stack/certs/dovecot.key:/etc/dovecot/private/dovecot.pem:Z
    generate_systemd:
      path: /etc/systemd/system
# Reload unit files first so the unit generated by podman is picked up, then
# start it and enable it at boot. `daemon_reload` is the canonical spelling
# of the option (the hyphenated form is an alias).
- name: start/enable container service
  become: true
  ansible.builtin.systemd:
    name: container-dovecot
    daemon_reload: true
    enabled: true
    state: started
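# Make the service names resolve locally. The regexp matches the entry for
# the same service name, so a changed DOMAIN replaces the earlier line
# instead of leaving a stale one behind; regex_escape keeps a literal match.
- name: Add services to /etc/hosts
  become: true
  ansible.builtin.lineinfile:
    path: /etc/hosts
    regexp: '^127\.0\.0\.1 {{ item | regex_escape }}\.'
    line: "127.0.0.1 {{ item }}.{{ DOMAIN }} {{ item }}"
  loop:
    - imap
    - sieve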
# Open IMAPS (993) and ManageSieve (4190) in the public zone, both in the
# running firewall and in the persistent configuration.
- name: Allow IMAPS and SIEVE ports
  become: true
  ansible.posix.firewalld:
    zone: public
    port: "{{ item }}"
    state: enabled
    permanent: true
    immediate: true
  loop:
    - 993/tcp
    - 4190/tcp
# A local directory is needed to store restore markers; only created on the
# run that performs the restore.
- name: Create /mnt/volumes/restore_states directory if it does not exist
  become: true
  ansible.builtin.file:
    path: /mnt/volumes/restore_states
    state: directory
    mode: '0755'
  when: not dovecot_restored_flag.stat.exists
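# Write the marker that the stat task at the top of this role checks, so
# later runs skip volume setup and restore. It is a plain flag file, so no
# execute bit is needed. Note that the marker is only written if every task
# before this one succeeded; an aborted run repeats the restore next time.
- name: Create dovecot_restored state file
  become: true
  ansible.builtin.file:
    path: /mnt/volumes/restore_states/dovecot_restored
    state: touch
    mode: '0644'
  when: not dovecot_restored_flag.stat.exists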