Add postsrsd role

roles/postfix/defaults/main/global.yml

@@ -13,3 +13,7 @@ postfix_mydestination:
 
 postfix_transport_maps: []
 postfix_default_transport_map: "hash:/etc/postfix/transport"
+
+postfix_srsd_enable: no
+postfix_srsd_forward_lookup: "tcp:localhost:10001"
+postfix_srsd_reverse_lookup: "tcp:localhost:10002"

roles/postfix/templates/etc/postfix/main.cf.j2

@@ -101,3 +101,12 @@ body_checks =
 {% for check in postfix_body_checks %}
 	{{ check }},
 {% endfor %}
+
+
+{% if postfix_srsd_enable %}
+# PostSRSd (https://github.com/roehling/postsrsd)
+sender_canonical_maps = {{ postfix_srsd_forward_lookup }}
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = {{ postfix_srsd_reverse_lookup }}
+recipient_canonical_classes= envelope_recipient,header_recipient
+{% endif %}

roles/postsrsd/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+
+postsrsd_exclude_domains: []
+# Can be one of: -+=
+postsrsd_separator: '='
+postsrsd_secret: /etc/postsrsd.secret
+postsrsd_forward_port: 10001
+postsrsd_reverse_port: 10002
+postsrsd_runas: postsrsd
+postsrsd_chroot: /var/lib/postsrsd
+

roles/postsrsd/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: restart postsrsd
+  service:
+    name: postsrsd
+    state: restarted

roles/postsrsd/tasks/config.yml

@@ -0,0 +1,10 @@
+---
+
+- name: render /etc/default/postsrsd
+  template:
+    src: etc/default/postsrsd.j2
+    dest: /etc/default/postsrsd
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart postsrsd

roles/postsrsd/tasks/install.yml

@@ -0,0 +1,12 @@
+---
+
+- name: install postsrsd
+  apt:
+    name: postsrsd
+    state: present
+
+- name: start and enable postsrsd
+  service:
+    name: postsrsd
+    state: started
+    enabled: yes

roles/postsrsd/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+- import_tasks: install.yml
+  tags:
+    - "role::postsrsd"
+    - "role::postsrsd:install"
+
+- import_tasks: config.yml
+  tags:
+    - "role::postsrsd"
+    - "role::postsrsd:config"

roles/postsrsd/templates/etc/default/postsrsd.j2

@@ -0,0 +1,44 @@
+{{ ansible_managed | comment }}
+
+# Default settings for postsrsd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+SRS_DOMAIN={{ postsrsd_domain }}
+
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+SRS_EXCLUDE_DOMAINS={{ postsrsd_exclude_domains | join(',') }}
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR={{ postsrsd_separator }}=
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
+#
+SRS_SECRET={{ postsrsd_secret }}/etc/postsrsd.secret
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT={{ postsrsd_forward_port }}10001
+SRS_REVERSE_PORT={{ postsrsd_reverse_port }}10002
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS={{ postsrsd_runas }}postsrsd
+
+# Jail daemon in chroot environment
+CHROOT={{ postsrsd_chroot }}/var/lib/postsrsd
+