Add MTA-STS configuration

This commit is contained in:
phil 2023-04-17 22:11:40 +02:00
parent 649e769424
commit 4e098544be
5 changed files with 66 additions and 0 deletions


@ -23,3 +23,13 @@
ansible.builtin.service: ansible.builtin.service:
name: monit name: monit
state: reloaded state: reloaded
- name: Get certificate
command: dehydrated --cron -g
delegate_to: "{{ gateway_host }}"
- name: reload nginx
ansible.builtin.service:
name: nginx
state: reloaded
delegate_to: "{{ gateway_host }}"
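Review bot: Both handlers are delegated to `{{ gateway_host }}`, but the tasks that notify them in tasks/mta-sts.yml (the `lineinfile` on `/etc/dehydrated/domains.txt` and the nginx vhost template/symlink) are not delegated, so unless `gateway_host` resolves to the inventory host itself, dehydrated on the gateway never sees the new `mta-sts.<domain>` entry and the nginx that gets reloaded is not the one that received the vhost. Either delegate those tasks as well or drop `delegate_to` here; which is intended is not visible from this hunk. Handlers fire in definition order, so `Get certificate` runs before `reload nginx`; the HTTP-01 challenge for the new name therefore has to be answered by a server block that is already loaded (presumably a default server that includes `snippets/letsencrypt.conf`) — worth confirming, because if the first run fails the 443 block then points at a certificate that does not exist and the reload fails too. `command: dehydrated --cron -g` also reports changed on every notification; registering the output and setting `changed_when` on it would keep the recap honest. Handler definitions before line 23 are outside the hunk.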


@ -28,6 +28,11 @@
ansible.builtin.import_tasks: tls-helper.yml ansible.builtin.import_tasks: tls-helper.yml
tags: tls-helper tags: tls-helper
- name: MTA-STS
ansible.builtin.import_tasks: mta-sts.yml
tags: mta-sts
loop: "{{ postfix_domains }}"
- name: Hostname - name: Hostname
ansible.builtin.import_tasks: hostname.yml ansible.builtin.import_tasks: hostname.yml
tags: hostname tags: hostname
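Review bot: `loop:` on an `ansible.builtin.import_tasks` statement is rejected by Ansible ("You cannot use loops on 'import_tasks' statements"), so the play fails to load as soon as the MTA-STS entry is parsed; the tasks inside tasks/mta-sts.yml already loop over `postfix_domains` themselves, so the `loop: "{{ postfix_domains }}"` line should simply be removed. If per-domain inclusion was really the intent, `ansible.builtin.include_tasks` does support `loop`, but then the inner tasks must stop looping and `tags: mta-sts` no longer propagates to the included tasks without `apply`. The surrounding task list starts and ends outside the hunk.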

31
tasks/mta-sts.yml Normal file

@ -0,0 +1,31 @@
---
- name: "MTA-STS | Copy file"
ansible.builtin.template:
src: nginx/mta-sts.txt.j2
dest: /var/www/html/mta-sts.txt
mode: "0644"
- name: "MTA-STS | Get certificate"
ansible.builtin.lineinfile:
path: /etc/dehydrated/domains.txt
line: "mta-sts.{{ item.name }}"
when: "'dehydrated' in ansible_facts.packages and item.mta-sts is defined and item.mta-sts"
loop: "{{ postfix_domains }}"
notify: Get certificate
- name: "MTA-STS | Copy Nginx configuration"
ansible.builtin.template:
src: nginx/nginx-mta-sts.j2
dest: "/etc/nginx/sites-available/mta-sts.{{ item.name }}"
mode: "0644"
when: item.mta-sts is defined and item.mta-sts
loop: "{{ postfix_domains }}"
- name: "MTA-STS | Enable Nginx configuration"
ansible.builtin.file:
src: "/etc/nginx/sites-available/mta-sts.{{ item.name }}"
dest: "/etc/nginx/sites-enabled/mta-sts.{{ item.name }}"
state: link
when: item.mta-sts is defined and item.mta-sts
loop: "{{ postfix_domains }}"
notify: reload nginx
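Review bot: `item.mta-sts` in the `when:` conditions on lines 52, 60 and 67 is evaluated by Jinja as `item.mta - sts` (attribute `mta` minus an undefined variable `sts`), not as a lookup of the key `mta-sts`, so the condition errors out or never matches; write `item['mta-sts']` or rename the key to snake_case `mta_sts`, which Ansible conventions favour anyway. The policy file is also the wrong shape: the first task is not looped yet its template reads `item.mx_server`, and it writes a single `/var/www/html/mta-sts.txt` shared by every domain, so with several `postfix_domains` the last one wins and the others publish a policy naming foreign MX hosts — in `enforce` mode that makes remote MTAs refuse mail to them for the whole `max_age`. The fix is to render one policy per domain into its own directory and point the `alias` in nginx-mta-sts.j2 at that directory; the template module does not create parent directories, hence the extra `file` task below. The `'dehydrated' in ansible_facts.packages` test additionally presumes `package_facts` was gathered earlier in the play, which is not visible here.
```yaml
- name: "MTA-STS | Create policy directory"
  ansible.builtin.file:
    path: "/var/www/mta-sts/{{ item.name }}/.well-known"
    state: directory
    mode: "0755"
  when: item['mta-sts'] is defined and item['mta-sts']
  loop: "{{ postfix_domains }}"
- name: "MTA-STS | Copy policy file"
  ansible.builtin.template:
    src: nginx/mta-sts.txt.j2
    dest: "/var/www/mta-sts/{{ item.name }}/.well-known/mta-sts.txt"
    mode: "0644"
  when: item['mta-sts'] is defined and item['mta-sts']
  loop: "{{ postfix_domains }}"
# … unchanged: dehydrated domains.txt, nginx site template and symlink tasks (same when: fix applied) …
```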


@ -0,0 +1,14 @@
server {
listen 80;
server_name mta-sts.{{ item.name }};
include snippets/letsencrypt.conf;
location / { return 301 https://$http_host$request_uri; }
}
server {
listen 443 ssl http2;
server_name mta-sts.{{ item.name }};
ssl_certificate /var/lib/dehydrated/certs/mta-sts.{{ item.name }}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/mta-sts.{{ item.name }}/privkey.pem;
location /.well-known { alias /var/www/html; }
}
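Review bot: `return 301 https://$http_host$request_uri;` on line 78 echoes the client-supplied Host header into the redirect, so if this block ever becomes nginx's default for port 80 (first `listen 80` block, or `default_server`) any Host value turns it into an open redirect; since `server_name` is fixed, `return 301 https://$server_name$request_uri;` is equivalent for legitimate requests and closes that. The HTTPS block sets only the certificate paths, so `ssl_protocols`, cipher suites and HSTS must be coming from the global nginx.conf — presumably they are, but it is not visible here, and a policy host whose TLS a sending MTA rejects yields no usable policy for that sender. `location /.well-known { alias /var/www/html; }` also exposes the whole `/var/www/html` tree under `/.well-known/`, not just `mta-sts.txt`; a dedicated per-domain directory, or `location = /.well-known/mta-sts.txt`, would stop the policy host from serving anything else.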


@ -0,0 +1,6 @@
version: STSv1
mode: enforce
max_age: 10368000
{% for mx in item.mx_server %}
mx: {{ mx }}
{% endfor %}
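Review bot: The policy goes live in `mode: enforce` with a 120-day `max_age` the first time it is served, so any mismatch between the `mx:` lines and the domain's real MX records, or a TLS problem on one MX, makes remote MTAs refuse delivery for up to four months; RFC 8461 recommends starting in `testing` mode alongside a TLS-RPT record and switching to `enforce` only once reports are clean. A per-domain variable with a safe default achieves that without touching domains that are already validated: `mode: {{ item.mta_sts_mode | default('testing') }}`. The `for` loop assumes `item.mx_server` is a list — a plain string would be iterated character by character — and each `mx:` value has to match the MX hostnames published in DNS (wildcard patterns such as `*.example.org` are permitted). Senders only refetch the policy when the `id` in the `_mta-sts.<domain>` TXT record changes, so that record must be bumped whenever this template or its inputs change; nothing in this commit touches DNS, so that is presumably handled elsewhere.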