Add MTA-STS configuration

2023-04-17 22:11:40 +02:00 · 2023-04-17 22:11:40 +02:00 · 4e098544be
commit 4e098544be
parent 649e769424
5 changed files with 66 additions and 0 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -23,3 +23,13 @@
  ansible.builtin.service:
    name: monit
    state: reloaded
+
+- name: Get certificate
+  command: dehydrated --cron -g
+  delegate_to: "{{ gateway_host }}"
+
+- name: reload nginx
+  ansible.builtin.service:
+    name: nginx
+    state: reloaded
+  delegate_to: "{{ gateway_host }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -28,6 +28,11 @@
  ansible.builtin.import_tasks: tls-helper.yml
  tags: tls-helper

+- name: MTA-STS
+  ansible.builtin.import_tasks: mta-sts.yml
+  tags: mta-sts
+  loop: "{{ postfix_domains }}"
+
 - name: Hostname
  ansible.builtin.import_tasks: hostname.yml
  tags: hostname
--- a/tasks/mta-sts.yml
+++ b/tasks/mta-sts.yml
@ -0,0 +1,31 @@
+---
+- name: "MTA-STS | Copy file"
+  ansible.builtin.template:
+    src: nginx/mta-sts.txt.j2
+    dest: /var/www/html/mta-sts.txt
+    mode: "0644"
+
+- name: "MTA-STS | Get certificate"
+  ansible.builtin.lineinfile:
+    path: /etc/dehydrated/domains.txt
+    line: "mta-sts.{{ item.name }}"
+  when: "'dehydrated' in ansible_facts.packages and item.mta-sts is defined and item.mta-sts"
+  loop: "{{ postfix_domains }}"
+  notify: Get certificate
+
+- name: "MTA-STS | Copy Nginx configuration"
+  ansible.builtin.template:
+    src: nginx/nginx-mta-sts.j2
+    dest: "/etc/nginx/sites-available/mta-sts.{{ item.name }}"
+    mode: "0644"
+  when: item.mta-sts is defined and item.mta-sts
+  loop: "{{ postfix_domains }}"
+
+- name: "MTA-STS | Enable Nginx configuration"
+  ansible.builtin.file:
+    src: "/etc/nginx/sites-available/mta-sts.{{ item.name }}"
+    dest: "/etc/nginx/sites-enabled/mta-sts.{{ item.name }}"
+    state: link
+  when: item.mta-sts is defined and item.mta-sts
+  loop: "{{ postfix_domains }}"
+  notify: reload nginx
--- a/templates/nginx/mta-sts.j2
+++ b/templates/nginx/mta-sts.j2
@ -0,0 +1,14 @@
+server {
+    listen 80;
+    server_name mta-sts.{{ item.name }};
+    include snippets/letsencrypt.conf;
+    location / { return 301 https://$http_host$request_uri; }
+}
+
+server {
+    listen 443 ssl http2;
+    server_name mta-sts.{{ item.name }};
+    ssl_certificate /var/lib/dehydrated/certs/mta-sts.{{ item.name }}/fullchain.pem;
+    ssl_certificate_key /var/lib/dehydrated/certs/mta-sts.{{ item.name }}/privkey.pem;
+    location /.well-known { alias /var/www/html; }
+}
--- a/templates/nginx/mta-sts.txt.j2
+++ b/templates/nginx/mta-sts.txt.j2
@ -0,0 +1,6 @@
+version: STSv1
+mode: enforce
+max_age: 10368000
+{% for mx in item.mx_server %}
+mx: {{ mx }}
+{% endfor %}