authorTrygve Laugstøl <trygvis@inamo.no>2019-01-02 10:57:04 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2019-01-02 10:57:04 +0100
commit62ff27b05167118c4fa9b5b6b39300041acf80da (patch)
tree8c5e75a4cf3d43535857ae15d9ad6e3b2893dffe
parent1f3564a99e21af5bd4ac4d11fa3ec7c3885e5208 (diff)
wireguard: Adding conflatorio.
dovecot: adding password management.
postfix-satellite: removing apt update.
ufw: handling missing variables. Allow ssh by default.
all.yml: taking passwords for postfix-satellite from dovecot.
-rw-r--r--ansible/all.yml16
-rw-r--r--ansible/files/conflatorio/etc/wireguard/public.key1
-rw-r--r--ansible/group_vars/all/dovedot-secret.yml43
-rw-r--r--ansible/group_vars/all/postfix-secret.yml6
-rw-r--r--ansible/group_vars/wireguard_net1.yml2
-rw-r--r--ansible/host_vars/malabaricus/postfix.yml11
-rw-r--r--ansible/roles/dovecot/tasks/main.yml20
-rw-r--r--ansible/roles/postfix-satellite/tasks/postfix-satellite.yml15
-rw-r--r--ansible/roles/ufw/tasks/main.yml26
9 files changed, 104 insertions, 36 deletions
diff --git a/ansible/all.yml b/ansible/all.yml
index 86b0688..99f0d6f 100644
--- a/ansible/all.yml
+++ b/ansible/all.yml
@@ -11,11 +11,27 @@
- knot
roles:
- postfix
+ - dovecot
- hosts:
- all !knot
roles:
- postfix-satellite
+ vars:
+ username: "{{ ansible_hostname }}.trygvis.io"
+ postfix:
+ sasl_password:
+ - host: "[trygvis.io]:587"
+ username: "{{ username }}"
+ password: "{{ dovecot__passwords[username] }}"
+
+ tasks:
+ - tags: postfix-satellite
+ become: yes
+ lineinfile:
+ dest: /etc/postfix/sasl_passwd
+ state: absent
+ regex: "^\\[knot.trygvis.io\\]"
- hosts:
- linode-dns-update
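Review bot: The cleanup task at the end of the `all !knot` play rewrites `/etc/postfix/sasl_passwd` with `lineinfile` but notifies nothing, so unless the postfix-satellite role's handlers (not visible here) run `postmap` afterwards, the compiled `sasl_passwd.db` that Postfix actually reads keeps the old `[knot.trygvis.io]` credential. Adding `notify: postmap sasl_passwd` (or whatever handler the role already uses for that map) to the task closes the gap, and pinning `mode: "0600"` on the same task is worth doing since the file now holds each host's dovecot password in clear text. The retired knot credential also stays recoverable from git history through the deleted vault file, so rotating it on the server is the reliable way to invalidate it. Note that `username` and `postfix` are play-level `vars`, which take precedence over any inventory or group_vars value of the same name on every host in the play.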
diff --git a/ansible/files/conflatorio/etc/wireguard/public.key b/ansible/files/conflatorio/etc/wireguard/public.key
new file mode 100644
index 0000000..dc49595
--- /dev/null
+++ b/ansible/files/conflatorio/etc/wireguard/public.key
@@ -0,0 +1 @@
+Rdq2LKzVxDBuXhimgLA1ZW9qFKCypHhBSaBx+24w3gA=
diff --git a/ansible/group_vars/all/dovedot-secret.yml b/ansible/group_vars/all/dovedot-secret.yml
new file mode 100644
index 0000000..173bef0
--- /dev/null
+++ b/ansible/group_vars/all/dovedot-secret.yml
@@ -0,0 +1,43 @@
+$ANSIBLE_VAULT;1.1;AES256
+63353563353533356137306637316439636363303934346565346566373936623835656363623636
+3038366463373336356163616637346235633063626637350a393134653533373034326635643339
+37663334363134393939323064663364313437383531353431653364616564353339663138653832
+6264323030356539380a353466663139633339363166626436333336316561323930373234376361
+63313135336535386538373961353736356334313630316639363935613539633135643137383763
+31623631636539663736356261313139373832323833663936316238376566623538643737656463
+66353435653264666638613531313536616238643861616165613566306630643339303365333663
+33313432393862383333313030656137343334313636643235313330343138306365393664386561
+64333034316632366533343366303731653830633339633635636632653338633264313265643334
+63646534343036646135353264336366663062316636613532643537313963323930343663646337
+64626434356565643737393431373339616433356339316665303863623566363336363834373365
+39663061643235303335663838636435613230383438653439306437623663393932663231393530
+33666364363235616635616666333935306261623930616361373963313962356638396531316437
+62376332373861666636333466306361666137386439633265316433636431306663633361653764
+61326634643737383366373339386131376366326564633564636331353365363738303330656532
+30366330383636323333663432653363626262306637363037353233336365646432616634323132
+35613634333163616563646130653464393632353035623130336166343565303930303432646331
+32373235396531306336663333303938613963613261386566613933323535313761363066313432
+34366439333266366139626465366266363531623662386463653834396262663333303739363532
+37376137326562326334323163666533376439323336663937346262323662353664356137333665
+39643335393766643766393334373631643735626464613737376261663338626164643535663838
+37663836633064636466383665333939653335666635363964626531356462333939376264396263
+31623033616639333236623230343761343738326539336431646432316638333030666639366633
+38353661363532653762373565613830663466656330636433383337646366303134303934623963
+35373038303336396337376633343162356136346661336538663534363135323366323966393364
+63316163346332393765333932386531323138333564626562643737633066666433663235656233
+36653965613435313364626531663964323565626536306436356562386462613534626462646466
+30643861633537303839613333333434633633343833613565643636343930666337313139613730
+35366337383931316633613631353864336237326233626531646536633034333939653332653933
+36343231626634633963316530336132623933643438333266343963636438393434333536353832
+66396234303937383334306135346136643463363964383339323265376630326163343463333238
+63666634303030323433336338663565663630666636363337323839393434646265363631373665
+35653237326130323036666635616438343734383035393962333536323637626135386266656339
+32326162356338303431643736383566356266636662393065323334383362306466313431663433
+36366562303638663231363764363834346432353661623033346431333236623339306334633131
+62343361383636326139383634363366386131336337613366336363343430373466353465613662
+39663062386337626162346662376164303637326632643061336636643839363730653638366231
+35363163326235623438336432306235356630366435663530356438383039363563313339613839
+38633236333062343032616561636339626361663132626163376538386566636363303736326264
+31306333316661316363373065626435363066396438633936356438656164313362306262636638
+36376665386566346432306538376337386638613264653936306365633039646663383235306135
+3338313061353364303632663766303531626561653666393434
diff --git a/ansible/group_vars/all/postfix-secret.yml b/ansible/group_vars/all/postfix-secret.yml
new file mode 100644
index 0000000..0924a65
--- /dev/null
+++ b/ansible/group_vars/all/postfix-secret.yml
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+66656639623865393533323337343131323763383364303365383461313364626363353034653861
+6264653564373334303230356137363438613535616164660a363135656563653066316364623266
+64613430396638633662386530343338396235386336306637646533353833626461323335363164
+6235643635313530330a396337623865353765323634633661396237383964646239626238383739
+3433
diff --git a/ansible/group_vars/wireguard_net1.yml b/ansible/group_vars/wireguard_net1.yml
index 716778e..0dc958e 100644
--- a/ansible/group_vars/wireguard_net1.yml
+++ b/ansible/group_vars/wireguard_net1.yml
@@ -16,7 +16,7 @@ wireguard__clients:
ipv4: 192.168.80.2
ipv6: fdf3:aad9:a885:0b3a::2
conflatorio:
- state: absent
+ state: present
ipv4: 192.168.80.3
ipv6: fdf3:aad9:a885:0b3a::3
fuckaduck:
diff --git a/ansible/host_vars/malabaricus/postfix.yml b/ansible/host_vars/malabaricus/postfix.yml
deleted file mode 100644
index a78e062..0000000
--- a/ansible/host_vars/malabaricus/postfix.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-62376638333038663363323337633031383533623661393361623265353762646633396234343038
-3465373234366261363965623166353662303366303463360a393937393333373631366263663234
-36303863613734393238343837383230393730646331303037316438353932666434383332653130
-6566346565376561630a623662653730633239376136326137653764393734656339626466363131
-37376130306364663961376637656366636139666365343132353331633138636339323938383664
-65326537323232366635613965653135393538623363346137636265643337633839316237666131
-32316339353736616439306531376466383935313032333238373637373031303465623038376238
-65356263666263636134646164626136326635623736646635326161663833613534316139636534
-65326663356139343330396635396134666362333531303635613735353534306562373333623165
-3938616134376462336131323934373538336132313036633063
diff --git a/ansible/roles/dovecot/tasks/main.yml b/ansible/roles/dovecot/tasks/main.yml
new file mode 100644
index 0000000..1ee3b8d
--- /dev/null
+++ b/ansible/roles/dovecot/tasks/main.yml
@@ -0,0 +1,20 @@
+- tags:
+ - dovecot
+ - packages
+ become: yes
+ apt:
+ name: python-passlib
+ install_recommends: no
+
+- tags:
+ - dovecot
+ - update-passwords
+ become: yes
+ with_dict: "{{ dovecot__passwords }}"
+ no_log: yes
+ htpasswd:
+ path: /etc/dovecot/users
+ name: "{{ item.key }}"
+ password: "{{ item.value }}"
+ crypt_scheme: sha512_crypt
+ state: "{{ 'absent' if not item.value or item.value.strip() == '' else 'present' }}"
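Review bot: The `htpasswd` task writes the password hashes to `/etc/dovecot/users` without `owner`, `group` or `mode`, so a file it creates gets the umask-derived default (typically world-readable), which is not appropriate for a credential store even with `sha512_crypt` hashes. The module takes the common file arguments, so adding `owner: root`, `group: dovecot` and `mode: "0640"` to the task (adjust the group to whatever user the dovecot auth process runs as) fixes this. Separately, the module writes plain `user:$6$…` lines; dovecot's passwd-file backend only accepts those if the passdb is configured with `default_pass_scheme = SHA512-CRYPT`, and that configuration is not in this diff, so please confirm it exists. The `yes` values under `become` and `no_log` would read more portably as `true`.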
diff --git a/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml b/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml
index 5f8f02a..a92250a 100644
--- a/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml
+++ b/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml
@@ -1,15 +1,12 @@
-- name: Update apt cache
- apt:
- update_cache: yes
- cache_valid_time: 3600
- name: Install package
package:
- name: "{{ item }}"
+ name: "{{ items }}"
state: present
- with_items:
- - postfix
- - libsasl2-modules
- - swaks
+ vars:
+ items:
+ - postfix
+ - libsasl2-modules
+ - swaks
- name: "Configure postfix: main.cf"
tags: postfix-satellite-config
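Review bot: With the `Update apt cache` task removed, `package` with `state: present` on a host whose apt lists have never been fetched or have gone stale fails with an unknown-package error instead of installing `libsasl2-modules`; if the cache is refreshed earlier in the run this is fine, otherwise switching this task to the `apt` module with `update_cache: true` and `cache_valid_time: 3600` keeps it idempotent without the separate task. The install task also carries no tag while the config task below is tagged `postfix-satellite-config`, so a tagged run skips the install; `tags: postfix-satellite` on it keeps the role consistent with the tag used in all.yml. The `Configure postfix: main.cf` task continues past the end of the hunk.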
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index 0579f0a..b6a963b 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@@ -2,17 +2,21 @@
- ufw
become: yes
block:
- - when:
- notify: ufw reload
+ - notify: ufw reload
+ vars:
+ state: "{{ 'present' if ufw__nat_address is defined else 'absent' }}"
+ nat:
+ address: "{{ ufw__nat_address if ufw__nat_address is defined else '' }}"
+ prefix: "{{ ufw__nat_prefix if ufw__nat_prefix is defined else '' }}"
blockinfile:
path: /etc/ufw/before.rules
insertbefore: "^# Don't delete these required lines"
marker: "# NAT config: {mark}"
- state: "{{ 'present' if ufw__nat_address is defined else 'absent' }}"
+ state: "{{ state }}"
content: |
*nat
:POSTROUTING ACCEPT [0:0]
- -A POSTROUTING -s {{ ufw__nat_address }}/{{ ufw__nat_prefix }} -o eth0 -j MASQUERADE
+ -A POSTROUTING -s {{ nat.address }}/{{ nat.prefix }} -o eth0 -j MASQUERADE
COMMIT
- notify: ufw reload
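Review bot: The `nat.prefix` fallback to `''` means that when `ufw__nat_address` is defined but `ufw__nat_prefix` is not, the block is written with `-s <address>/ -o eth0`, which iptables-restore rejects at the next `ufw reload`; the `blockinfile` task itself succeeds, so the failure only surfaces in the handler. Guarding the pair explicitly before this task, e.g. `- assert:` / `    that: ufw__nat_prefix is defined` / `  when: ufw__nat_address is defined`, turns that into a clear error at the source. The egress interface `eth0` is still hard-coded; a `ufw__nat_interface` variable defaulting to `eth0` would keep the role usable on hosts with predictable interface names.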
@@ -33,14 +37,6 @@
- ufw:
state: enabled
-# - ufw:
-# default: allow
-# direction: out
-
-# - ufw:
-# policy: deny
-# direction: out
-
-# - ufw:
-# policy: allow
-# direction: routed
+ - ufw:
+ name: OpenSSH
+ rule: allow
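Review bot: The new `OpenSSH` allow rule is added after `state: enabled`, so on a host where ufw is not yet active the firewall comes up with its default-deny incoming policy before port 22 is opened; the running Ansible session normally survives through ufw's established/related accept rule, but any failure between the two tasks leaves the host unreachable over SSH on the next connect. Moving the `- ufw:` / `    name: OpenSSH` / `    rule: allow` task above `state: enabled` removes that window. Since the rule is open to any source, `rule: limit` (ufw's built-in connection rate-limit) or a `from_ip` restricted to the management network is worth considering as the default.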