From f4d6bd2463a57e49dace6460bf91e4d13f8851e6 Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Mon, 10 Nov 2025 20:49:59 +0800
Subject: [PATCH] dovecot role: add mail group membership
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Add dovecot user to mail group for proper permissions
- Install dovecot-core package (alongside dovecot-imapd)
- Maintains existing dovecot configuration via templates
- Idempotent user module for group management
Configuration:
- Existing templates for dovecot.conf, 10-mail.conf, 10-auth.conf, 10-ssl.conf, 10-master.conf
- Service management with systemd
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 .../roles/vhosts/dovecot/handlers/main.yml | 10 +++
 playbooks/roles/vhosts/dovecot/tasks/main.yml | 66 +++++++++++++++++++
 .../vhosts/dovecot/templates/10-auth.conf.j2 | 3 +
 .../vhosts/dovecot/templates/10-mail.conf.j2 | 5 ++
 .../dovecot/templates/10-master.conf.j2 | 24 +++++++
 .../vhosts/dovecot/templates/10-ssl.conf.j2 | 5 ++
 .../vhosts/dovecot/templates/dovecot.conf.j2 | 3 +
 7 files changed, 116 insertions(+)
 create mode 100644 playbooks/roles/vhosts/dovecot/handlers/main.yml
 create mode 100644 playbooks/roles/vhosts/dovecot/tasks/main.yml
 create mode 100644 playbooks/roles/vhosts/dovecot/templates/10-auth.conf.j2
 create mode 100644 playbooks/roles/vhosts/dovecot/templates/10-mail.conf.j2
 create mode 100644 playbooks/roles/vhosts/dovecot/templates/10-master.conf.j2
 create mode 100644 playbooks/roles/vhosts/dovecot/templates/10-ssl.conf.j2
 create mode 100644 playbooks/roles/vhosts/dovecot/templates/dovecot.conf.j2
diff --git a/playbooks/roles/vhosts/dovecot/handlers/main.yml b/playbooks/roles/vhosts/dovecot/handlers/main.yml
new file mode 100644
index 0000000..c11e2a9
--- /dev/null
+++ b/playbooks/roles/vhosts/dovecot/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart dovecot
+ systemd:
+ name: dovecot
+ state: restarted
+
+- name: Reload dovecot
+ systemd:
+ name: dovecot
+ state: reloaded
diff --git a/playbooks/roles/vhosts/dovecot/tasks/main.yml b/playbooks/roles/vhosts/dovecot/tasks/main.yml
new file mode 100644
index 0000000..f305c65
--- /dev/null
+++ b/playbooks/roles/vhosts/dovecot/tasks/main.yml
@@ -0,0 +1,66 @@
+---
+- name: Update apt cache
+ apt:
+ update_cache: yes
+ cache_valid_time: 3600
+
+- name: Install dovecot
+ apt:
+ name:
+ - dovecot-core
+ - dovecot-imapd
+ state: present
+
+- name: Add dovecot user to mail group
+ user:
+ name: dovecot
+ groups: mail
+ append: yes
+
+- name: Create dovecot configuration directories
+ file:
+ path: /etc/dovecot/conf.d
+ state: directory
+ mode: '0755'
+
+- name: Create main dovecot configuration
+ template:
+ src: dovecot.conf.j2
+ dest: /etc/dovecot/dovecot.conf
+ mode: '0644'
+ notify: Restart dovecot
+
+- name: Create 10-mail.conf
+ template:
+ src: 10-mail.conf.j2
+ dest: /etc/dovecot/conf.d/10-mail.conf
+ mode: '0644'
+ notify: Restart dovecot
+
+- name: Create 10-auth.conf
+ template:
+ src: 10-auth.conf.j2
+ dest: /etc/dovecot/conf.d/10-auth.conf
+ mode: '0644'
+ notify: Restart dovecot
+
+- name: Create 10-ssl.conf
+ template:
+ src: 10-ssl.conf.j2
+ dest: /etc/dovecot/conf.d/10-ssl.conf
+ mode: '0644'
+ notify: Restart dovecot
+
+- name: Create 10-master.conf
+ template:
+ src: 10-master.conf.j2
+ dest: /etc/dovecot/conf.d/10-master.conf
+ mode: '0644'
+ notify: Restart dovecot
+
+- name: Enable and start dovecot service
+ systemd:
+ name: dovecot
+ state: started
+ enabled: yes
+ daemon_reload: yes
diff --git a/playbooks/roles/vhosts/dovecot/templates/10-auth.conf.j2 b/playbooks/roles/vhosts/dovecot/templates/10-auth.conf.j2
new file mode 100644
index 0000000..c91cdbe
--- /dev/null
+++ b/playbooks/roles/vhosts/dovecot/templates/10-auth.conf.j2
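Review bot: The `Add dovecot user to mail group` task widens the privileges of the `dovecot` system account, which is the internal, low-privilege user that also owns the `auth-userdb` listener in 10-master.conf.j2; Dovecot's own guidance is that this internal user should not have access to mail, so group membership in `mail` runs against that intent. The permission need it is meant to satisfy looks already covered by `mail_privileged_group = mail` in 10-mail.conf.j2, and with `mail_location = maildir:~/Maildir` mail lives in user home directories rather than in `/var/mail`, so it is unclear what the membership fixes — if a specific path requires it, name it in the task (`# needed for: <path, placeholder>`) and consider a narrower fix such as group ownership on that path alone. Separately, the `Reload dovecot` handler in handlers/main.yml is never notified: every template task notifies `Restart dovecot`, which drops active IMAP sessions on any config change, so check which of these settings Dovecot honours on reload and switch those tasks to `notify: Reload dovecot`.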
@@ -0,0 +1,3 @@
+auth_mechanisms = plain login
+disable_plaintext_auth = yes
+!include auth-system.conf.ext
diff --git a/playbooks/roles/vhosts/dovecot/templates/10-mail.conf.j2 b/playbooks/roles/vhosts/dovecot/templates/10-mail.conf.j2
new file mode 100644
index 0000000..97c1876
--- /dev/null
+++ b/playbooks/roles/vhosts/dovecot/templates/10-mail.conf.j2
@@ -0,0 +1,5 @@
+mail_location = maildir:~/Maildir
+namespace inbox {
+ inbox = yes
+}
+mail_privileged_group = mail
diff --git a/playbooks/roles/vhosts/dovecot/templates/10-master.conf.j2 b/playbooks/roles/vhosts/dovecot/templates/10-master.conf.j2
new file mode 100644
index 0000000..dd2ba2d
--- /dev/null
+++ b/playbooks/roles/vhosts/dovecot/templates/10-master.conf.j2
@@ -0,0 +1,24 @@
+service imap-login {
+ inet_listener imap {
+ port = 143
+ }
+ inet_listener imaps {
+ port = 993
+ ssl = yes
+ }
+}
+
+service auth {
+ unix_listener auth-userdb {
+ mode = 0600
+ user = dovecot
+ }
+ unix_listener auth-chasquid-userdb {
+ mode = 0660
+ user = chasquid
+ }
+ unix_listener auth-chasquid-client {
+ mode = 0660
+ user = chasquid
+ }
+}
diff --git a/playbooks/roles/vhosts/dovecot/templates/10-ssl.conf.j2 b/playbooks/roles/vhosts/dovecot/templates/10-ssl.conf.j2
new file mode 100644
index 0000000..4261581
--- /dev/null
+++ b/playbooks/roles/vhosts/dovecot/templates/10-ssl.conf.j2
@@ -0,0 +1,5 @@
+ssl = required
+ssl_cert = <{{ CERT_PEM }}
+ssl_key = <{{ CERT_KEY }}
+ssl_min_protocol = TLSv1.2
+ssl_prefer_server_ciphers = yes
diff --git a/playbooks/roles/vhosts/dovecot/templates/dovecot.conf.j2 b/playbooks/roles/vhosts/dovecot/templates/dovecot.conf.j2
new file mode 100644
index 0000000..7fb1587
--- /dev/null
+++ b/playbooks/roles/vhosts/dovecot/templates/dovecot.conf.j2
@@ -0,0 +1,3 @@
+protocols = imap
+listen = *, ::
+!include conf.d/*.conf
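Review bot: The `auth-chasquid-userdb` and `auth-chasquid-client` listeners in 10-master.conf.j2 both set `user = chasquid`, but nothing in this role creates that account or declares a dependency on a role that does; if the account is missing when Dovecot starts, Dovecot cannot resolve the listener owner and, as far as I recall, refuses to start, so this ordering should be made explicit (a `meta/main.yml` dependency, or guard the two blocks with a variable). Both of those listeners use `mode = 0660` without a `group`, so the group permission bits apply to whatever group the socket receives by default rather than anything the config states; set `group = chasquid` (or tighten to `mode = 0600`) so the intended access is visible in the file. The `auth-userdb` listener at 0600 owned by `dovecot` is the tighter of the three and is fine as written.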
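Review bot: `ssl_cert = <{{ CERT_PEM }}` and `ssl_key = <{{ CERT_KEY }}` in 10-ssl.conf.j2 reference variables that this commit does not define — the diffstat adds no `defaults/main.yml` or `vars/main.yml` — so the role only works when the play supplies them, and the `Create 10-ssl.conf` task fails on an undefined variable otherwise. Document the contract in the role, either as a `defaults/main.yml` with commented placeholders (`# CERT_PEM: <path to certificate chain>` / `# CERT_KEY: <path to private key>`) or by asserting them at the top of tasks/main.yml with `assert: that: [CERT_PEM is defined, CERT_KEY is defined]`. It is also worth a comment next to `ssl_key` noting that the `<file` form is read by Dovecot with root privileges at config load, so the key file can stay root-owned with mode 0600 and should not be loosened for the `dovecot` user.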