Merge branch 'mail-passwd-virtual' into 'master'

Restrict the mail users to passwd and decouple the mailboxes from the system user

See merge request !450

playbooks/mail.archlinux.org.yml

@@ -15,7 +15,7 @@
     - { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] }
     - { role: unbound, unbound_port: 5353, tags: ["mail"] }
     - { role: postfwd, tags: ['mail'] }
-    - { role: archusers }
+    - { role: archusers, archusers_ssh_options: 'command="/usr/bin/passwd",restrict,pty' }
     - { role: fail2ban }
     - { role: prometheus_exporters }
     - { role: promtail }

roles/archusers/templates/authorized_keys.j2

 #jinja2: lstrip_blocks: True
-{{ lookup('file', '../pubkeys/' + item.value.ssh_key) }}
+{% set keys = [item.value.ssh_key] %}
 {% if item.value.additional_ssh_keys is defined %}
 	{% for key in item.value.additional_ssh_keys %}
 		{% if inventory_hostname in key.hosts or 'all' in key.hosts %}
-{{ lookup('file', '../pubkeys/' + key.name) }}
+			{{- keys.append(key.name) -}}
 		{% endif %}
 	{% endfor %}
 {% endif %}
+{% for key in keys %}
+	{% if archusers_ssh_options is defined %}
+{{ lookup('file', '../pubkeys/' + key) | regex_replace('(.*\S.*)', archusers_ssh_options + ' \\1') }}
+	{% else %}
+{{ lookup('file', '../pubkeys/' + key) }}
+	{% endif %}
+{% endfor %}

roles/dovecot/tasks/main.yml

@@ -15,6 +15,12 @@
   notify:
     - reload dovecot
 
+- name: add vmail group
+  group: name=vmail gid=5000
+
+- name: add vmail user
+  user: name=vmail uid=5000 shell=/usr/bin/nologin group=vmail
+
 - name: install PAM config
   copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root
 

roles/dovecot/templates/dovecot.conf.j2

@@ -97,6 +97,8 @@ ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDH
 
 userdb {
 	driver = passwd
+	# https://doc.dovecot.org/configuration_manual/config_file/config_variables/
+	override_fields = uid=vmail gid=vmail home=/home/vmail/%d/%n
 }
 protocol imap {
 	imap_client_workarounds = tb-extra-mailbox-sep