Commit 75830fd6 authored by Kristian Klausen's avatar Kristian Klausen 🎉

Merge branch 'mail-passwd-virtual' into 'master'

Restrict the mail users to passwd and decouple the mailboxes from the system user

See merge request !450
parents 4104404f af46f2a5
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
- { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] } - { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] }
- { role: unbound, unbound_port: 5353, tags: ["mail"] } - { role: unbound, unbound_port: 5353, tags: ["mail"] }
- { role: postfwd, tags: ['mail'] } - { role: postfwd, tags: ['mail'] }
- { role: archusers } - { role: archusers, archusers_ssh_options: 'command="/usr/bin/passwd",restrict,pty' }
- { role: fail2ban } - { role: fail2ban }
- { role: prometheus_exporters } - { role: prometheus_exporters }
- { role: promtail } - { role: promtail }
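Review bot: The new archusers line pins every archusers key on this host to a forced `/usr/bin/passwd`, but nothing records why `pty` is re-added right after `restrict`, which a reader skimming sshd(8) options will trip over. A short comment beside the option would save that trip, e.g. `# mail users may only change their password over SSH: restrict drops forwarding/agent/pty, pty is re-enabled because passwd needs a terminal`. Since `command=` applies to every key the template emits, the additional_ssh_keys of these users are restricted too, which is presumably the intent; whether any other play reuses `archusers_ssh_options` is not visible here.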
#jinja2: lstrip_blocks: True #jinja2: lstrip_blocks: True
{{ lookup('file', '../pubkeys/' + item.value.ssh_key) }} {% set keys = [item.value.ssh_key] %}
{% if item.value.additional_ssh_keys is defined %} {% if item.value.additional_ssh_keys is defined %}
{% for key in item.value.additional_ssh_keys %} {% for key in item.value.additional_ssh_keys %}
{% if inventory_hostname in key.hosts or 'all' in key.hosts %} {% if inventory_hostname in key.hosts or 'all' in key.hosts %}
{{ lookup('file', '../pubkeys/' + key.name) }} {{- keys.append(key.name) -}}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% for key in keys %}
{% if archusers_ssh_options is defined %}
{{ lookup('file', '../pubkeys/' + key) | regex_replace('(.*\S.*)', archusers_ssh_options + ' \\1') }}
{% else %}
{{ lookup('file', '../pubkeys/' + key) }}
{% endif %}
{% endfor %}
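Review bot: The `regex_replace('(.*\S.*)', archusers_ssh_options + ' \\1')` on the new key loop prefixes every non-blank line of the looked-up pubkey file, so a file that already carries its own option list or a `#` comment line would come out with a duplicated or malformed prefix that sshd would not honour; the template silently assumes each pubkey file holds bare key lines. A template comment stating that assumption would make it checkable when keys are added, e.g. `{# archusers_ssh_options is prepended to every non-blank key line; pubkey files must contain bare "type key comment" lines with no options of their own #}`. The `{{- keys.append(key.name) -}}` idiom relies on the templater rendering the `None` return value as nothing, which Ansible's Jinja environment appears to do but plain Jinja2 does not; a one-line comment would spare the next reader that doubt. No @@ header is shown for this file, so I am reading it as the whole template.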
...@@ -15,6 +15,12 @@ ...@@ -15,6 +15,12 @@
notify: notify:
- reload dovecot - reload dovecot
- name: add vmail group
group: name=vmail gid=5000
- name: add vmail user
user: name=vmail uid=5000 shell=/usr/bin/nologin group=vmail
- name: install PAM config - name: install PAM config
copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root
...@@ -97,6 +97,8 @@ ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDH ...@@ -97,6 +97,8 @@ ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDH
userdb { userdb {
driver = passwd driver = passwd
# https://doc.dovecot.org/configuration_manual/config_file/config_variables/
override_fields = uid=vmail gid=vmail home=/home/vmail/%d/%n
} }
protocol imap { protocol imap {
imap_client_workarounds = tb-extra-mailbox-sep imap_client_workarounds = tb-extra-mailbox-sep
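Review bot: The new `override_fields` home path uses `%d`, but with a `passwd` userdb the login name normally carries no domain, so `%d` expands to empty and the home resolves to `/home/vmail//user` unless `auth_username_format` or an `@domain` login supplies one, which this hunk does not show. The comment above it is only a generic link; stating the intent there would help, e.g. `# mailboxes are owned by the dedicated vmail uid/gid instead of the system user; %d/%n keeps each user's mail in its own directory under /home/vmail`. Whether `mail_location` was moved to match the new home is outside this hunk, and the `protocol imap` block that starts here ends beyond it.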