Add MTA-STS configuration
This commit is contained in:
parent
649e769424
commit
4e098544be
5 changed files with 66 additions and 0 deletions
|
@ -23,3 +23,13 @@
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: monit
|
name: monit
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
|
- name: Get certificate
|
||||||
|
command: dehydrated --cron -g
|
||||||
|
delegate_to: "{{ gateway_host }}"
|
||||||
|
|
||||||
|
- name: reload nginx
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
||||||
|
delegate_to: "{{ gateway_host }}"
|
||||||
|
|
|
@ -28,6 +28,11 @@
|
||||||
ansible.builtin.import_tasks: tls-helper.yml
|
ansible.builtin.import_tasks: tls-helper.yml
|
||||||
tags: tls-helper
|
tags: tls-helper
|
||||||
|
|
||||||
|
- name: MTA-STS
|
||||||
|
ansible.builtin.import_tasks: mta-sts.yml
|
||||||
|
tags: mta-sts
|
||||||
|
loop: "{{ postfix_domains }}"
|
||||||
|
|
||||||
- name: Hostname
|
- name: Hostname
|
||||||
ansible.builtin.import_tasks: hostname.yml
|
ansible.builtin.import_tasks: hostname.yml
|
||||||
tags: hostname
|
tags: hostname
|
||||||
|
|
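Review bot: `loop: "{{ postfix_domains }}"` on the new `ansible.builtin.import_tasks: mta-sts.yml` task is not allowed: `import_tasks` is resolved statically and Ansible refuses loops on it ("You cannot use loops on 'import_tasks' statements"), so the play fails before any task runs. Every task in the imported `tasks/mta-sts.yml` already carries its own `loop: "{{ postfix_domains }}"`, so the fix is to drop the `loop:` line here. If a per-domain import were really intended it would have to become `ansible.builtin.include_tasks` with a `loop_control.loop_var` that does not clash with the inner `item`. The enclosing task list continues outside the hunk.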
31
tasks/mta-sts.yml
Normal file
31
tasks/mta-sts.yml
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
---
|
||||||
|
- name: "MTA-STS | Copy file"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: nginx/mta-sts.txt.j2
|
||||||
|
dest: /var/www/html/mta-sts.txt
|
||||||
|
mode: "0644"
|
||||||
|
|
||||||
|
- name: "MTA-STS | Get certificate"
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: /etc/dehydrated/domains.txt
|
||||||
|
line: "mta-sts.{{ item.name }}"
|
||||||
|
when: "'dehydrated' in ansible_facts.packages and item.mta-sts is defined and item.mta-sts"
|
||||||
|
loop: "{{ postfix_domains }}"
|
||||||
|
notify: Get certificate
|
||||||
|
|
||||||
|
- name: "MTA-STS | Copy Nginx configuration"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: nginx/nginx-mta-sts.j2
|
||||||
|
dest: "/etc/nginx/sites-available/mta-sts.{{ item.name }}"
|
||||||
|
mode: "0644"
|
||||||
|
when: item.mta-sts is defined and item.mta-sts
|
||||||
|
loop: "{{ postfix_domains }}"
|
||||||
|
|
||||||
|
- name: "MTA-STS | Enable Nginx configuration"
|
||||||
|
ansible.builtin.file:
|
||||||
|
src: "/etc/nginx/sites-available/mta-sts.{{ item.name }}"
|
||||||
|
dest: "/etc/nginx/sites-enabled/mta-sts.{{ item.name }}"
|
||||||
|
state: link
|
||||||
|
when: item.mta-sts is defined and item.mta-sts
|
||||||
|
loop: "{{ postfix_domains }}"
|
||||||
|
notify: reload nginx
|
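Review bot: `item.mta-sts` in the three `when:` conditions is parsed by Jinja as `item.mta - sts`, a subtraction involving an undefined `sts` variable, so the conditions never test the `mta-sts` key and the tasks error out (or misbehave) instead; use subscript access, `when: item['mta-sts'] | default(false)`, keeping the `'dehydrated' in ansible_facts.packages` clause in the lineinfile task. The first task renders `nginx/mta-sts.txt.j2`, which reads `item.name` and `item.mx_server`, yet has no `loop:`, and it writes a single shared `/var/www/html/mta-sts.txt` that every `mta-sts.<domain>` vhost serves, so all domains would publish the same MX list — it presumably needs to be rendered per domain. The vhost task's `src: nginx/nginx-mta-sts.j2` does not match the template this commit adds, `templates/nginx/mta-sts.j2`; unless an `nginx-mta-sts.j2` already exists in the role, that task will fail. The vhost template task should also `notify: reload nginx`, since the symlink task only changes on the first run and later edits to the site file would not be applied.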
14
templates/nginx/mta-sts.j2
Normal file
14
templates/nginx/mta-sts.j2
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name mta-sts.{{ item.name }};
|
||||||
|
include snippets/letsencrypt.conf;
|
||||||
|
location / { return 301 https://$http_host$request_uri; }
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
server_name mta-sts.{{ item.name }};
|
||||||
|
ssl_certificate /var/lib/dehydrated/certs/mta-sts.{{ item.name }}/fullchain.pem;
|
||||||
|
ssl_certificate_key /var/lib/dehydrated/certs/mta-sts.{{ item.name }}/privkey.pem;
|
||||||
|
location /.well-known { alias /var/www/html; }
|
||||||
|
}
|
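Review bot: `location /.well-known { alias /var/www/html; }` in the 443 server block pairs a prefix without a trailing slash with an alias without one, so any URI that merely begins with `/.well-known` is mapped onto a sibling path of the webroot (`/.well-known-x` becomes `/var/www/html-x`); write both with trailing slashes, `location /.well-known/ { alias /var/www/html/; }`, or serve only the one file the policy needs, `location = /.well-known/mta-sts.txt { alias /var/www/html/mta-sts.txt; }`. The `http2` parameter on `listen 443 ssl http2;` is deprecated from nginx 1.25.1 in favour of a separate `http2 on;` directive, if the target hosts run a version that new. A short comment above the first block, such as `# HTTP vhost: ACME challenge via snippets/letsencrypt.conf, everything else redirected to HTTPS`, would document why the two server blocks differ.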
6
templates/nginx/mta-sts.txt.j2
Normal file
6
templates/nginx/mta-sts.txt.j2
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
version: STSv1
|
||||||
|
mode: enforce
|
||||||
|
max_age: 10368000
|
||||||
|
{% for mx in item.mx_server %}
|
||||||
|
mx: {{ mx }}
|
||||||
|
{% endfor %}
|
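Review bot: `mode: enforce` is hard-coded, so the very first policy each domain publishes is enforcing with a 120-day `max_age`; RFC 8461 recommends starting in `testing` mode (ideally with TLS-RPT) so a wrong MX list or a certificate that does not match an MX hostname is reported rather than making conforming senders refuse delivery. A per-domain variable keeps the template usable for both stages, e.g. `mode: {{ item.mta_sts_mode | default('testing') }}`. The `{% for mx in item.mx_server %}` loop assumes `mx_server` is a list; if a domain defines it as a single string, Jinja iterates over its characters and emits one `mx:` line per character, so the expected type is worth a `{# ... #}` comment or a guard such as `{% for mx in [item.mx_server] | flatten %}`.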