Merge branch 'release/2.5'

.ansible-lint-ignore

@@ -1 +1,2 @@
 tasks/ssl.yml schema[tasks] # no idea why the linter complains on this one, the whole thing works
+meta/main.yml schema[meta] # the platform EL versin 8 does exist - not sure why the liner complains about it

.travis.yml

@@ -9,7 +9,7 @@ sudo: false
 addons:
   apt:
     packages:
-    - python-pip
+      - python-pip
 
 install:
   # Install ansible
@@ -26,4 +26,4 @@ script:
   - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
 
 notifications:
-  webhooks: https://galaxy.ansible.com/api/v1/notifications/
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

README.md

@@ -15,14 +15,12 @@ Role Variables
         aliases:
           - [email protected]
           - [email protected]
-        old_imap_mail: # Dovecot imapc configuration values
-          host
-          ssl
-          ssl_verify
-          port
-          user
-          password
-          sync: yes # this boolean is not a default Dovecot thing. indicates if mailbox should be daily synced after the initial copy
+        old_imap_mail: # connection info to the old IMAP address to sync
+          host # hostname or IP address of the remote mail server
+          user # login user to the remote mail server
+          password # password to log in to the remote mail server
+          sync: yes # indicates if mailbox should be daily synced after the initial copy
+        imap_dedup # boolean if e-mails should be deduplicated daily
         vpn: # WireGuard setup - if a user doesn't have VPN info defined, a client with their name will be generated by default
           - name: client1 # name metadata to identify the VPN client - this should be unique among all users
             privatekey: # WireGuard private key for the client

handlers/main.yml

@@ -129,7 +129,7 @@
     force: true
     owner: root
     group: root
-    mode: 0644
+    mode: u=rw,og=r
 - name: Restart systemd-resolved
   ansible.builtin.systemd_service:
     name: systemd-resolved

meta/main.yml

@@ -30,7 +30,9 @@ galaxy_info:
   # To view available platforms and versions (or releases), visit:
   # https://galaxy.ansible.com/api/v1/platforms/
   #
-  # platforms:
+  platforms:
+    - name: EL
+      versions: 8
   # - name: Fedora
   #   versions:
   #   - all

tasks/antivirus.yml

@@ -22,7 +22,8 @@
 - name: Update SPAMAssassin's signatures
   ansible.builtin.command: sa-update -D
   register: sa_update
-  failed_when: "{{ sa_update.rc >= 4 }}"
+  failed_when: sa_update.rc >= 4
+  changed_when: sa_update.rc != 0
   notify: Restart spamassassin
 - name: Enable systemd services
   ansible.builtin.systemd_service:

tasks/configure_dyndns_subdomain.yml

@@ -0,0 +1,50 @@
+---
+- name: Add DynDNS NS records
+  tags:
+    - dyndns
+    - poweradmin
+  ansible.builtin.include_tasks: add_dns_record.yml
+  vars:
+    record:
+      zone: "{% if dyndns_item | length > 0 %}dyndns.{% endif %}{{ mailserver_domain }}"
+      name: "{{ wg_configs[dyndns_item]['owner'] | default('dyndns') }}"
+      ttl: "3600"
+      type: NS
+      content: "ns.{{ mailserver_domain }}"
+- name: Add DynDNS A records
+  tags:
+    - dyndns
+    - poweradmin
+  ansible.builtin.include_tasks: add_dns_record.yml
+  vars:
+    record:
+      zone: "{% if dyndns_item | length > 0 %}{{ wg_configs[dyndns_item]['owner'] }}.{% endif %}dyndns.{{ mailserver_domain }}"
+      name: "{% if dyndns_item | length > 0 %}{{ dyndns_item }}{% else %}@{% endif %}"
+      ttl: "3600"
+      type: A
+      content: "{% if dyndns_item | length > 0 %}{{ wg_configs[dyndns_item]['cidr'].split(', ') | first }}{% else %}{{ ansible_default_ipv4.address }}{% endif %}"
+- name: Add DynDNS AAAA records
+  tags:
+    - dyndns
+    - poweradmin
+  ansible.builtin.include_tasks: add_dns_record.yml
+  vars:
+    record:
+      zone: "{% if dyndns_item | length > 0 %}{{ wg_configs[dyndns_item]['owner'] }}.{% endif %}dyndns.{{ mailserver_domain }}"
+      name: "{% if dyndns_item | length > 0 %}{{ dyndns_item }}{% else %}@{% endif %}"
+      ttl: "3600"
+      type: AAAA
+      content: "{% if dyndns_item | length > 0 %}{{ wg_configs[dyndns_item]['cidr'].split(', ') | last }}{% else %}{{ ansible_default_ipv6.address }}{% endif %}"
+- name: Configure PowerDNS recursor to forward DynDNS domains
+  tags:
+    - dyndns
+    - poweradmin
+  ansible.builtin.lineinfile:
+    path: /etc/pdns-recursor/recursor.conf
+    line: "forward-zones+={% if dyndns_item | length > 0 %}{{ wg_configs[dyndns_item]['owner'] }}.{% endif %}dyndns.{{ mailserver_domain }}=127.0.0.1:5300"
+    regex: "^forward-zones+={% if dyndns_item | length > 0 %}{{ wg_configs[dyndns_item]['owner'] }}.{% endif %}dyndns.{{ mailserver_domain }}="
+    state: present
+    backup: yes
+  no_log: yes
+  when: public_dns == "yes"
+  notify: Restart pdns-recursor

tasks/dns_records.yml

@@ -53,7 +53,7 @@
   when: public_dns == "yes"
   register: enable_dnssec
   ignore_errors: yes
-  changed_when: enable_dnssec.item.rc == 0
+  changed_when: enable_dnssec.rc == 0
 - name: Fail if the issue is not about DNSSEC being already enabled
   ansible.builtin.fail:
     msg: "{{ item.stderr }}"
@@ -63,14 +63,14 @@
   ansible.builtin.command: 'pdnsutil list-zone {{ item }}'
   register: zone_records
   loop: "{{ [mailserver_domain] + custom_domains + ['vpn.' ~ mailserver_domain] + ['dyndns.' ~ mailserver_domain] }}"
-  changed_when: zone_records.item.rc == 0
+  changed_when: zone_records.rc == 0
 - name: Correct SOA record for all domains
   ansible.builtin.command: 'pdnsutil replace-rrset {{ zone_record.item }} @ SOA 3600 "ns.{{ mailserver_domain }} hostmaster\\.{{ zone_record.item }} {{ zone_record.stdout_lines | length }} 10800 3600 604800 3600"'
   loop: "{{ zone_records.results }}"
   loop_control:
     loop_var: zone_record
   register: zone_record
-  changed_when: zone_record.zone_record.rc == 0
+  changed_when: zone_record.rc == 0
 - name: Rectify all zones
   ansible.builtin.command: pdnsutil rectify-all-zones
   register: rectify_zones