From d3988b8431e06c4baaa34b2beff009dac013d85c Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Sun, 23 Jan 2022 18:09:27 -0600
Subject: [PATCH] Enable selecting the TLS Certificate

---
 README.md | 4 +++-
 defaults/main.yml | 1 +
 templates/Fedora/35/etc/postfix/main.cf | 6 ++++--
 .../usr/lib/systemd/system/postfix-copytls.service | 12 ++++++++++++
 .../35/usr/lib/systemd/system/postfix-copytls.timer | 9 +++++++++
 vars/Fedora-35-default.yml | 5 +++++
 6 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 templates/Fedora/35/usr/lib/systemd/system/postfix-copytls.service
 create mode 100644 templates/Fedora/35/usr/lib/systemd/system/postfix-copytls.timer

diff --git a/README.md b/README.md
index 225dd44..d91bb75 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,9 @@ Any pre-requisites that may not be covered by Ansible itself or the role should
 Role Variables
 --------------
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+| Variable | Default | Description |
+|-|-|-|
+| postfix_vhost | inventory_hostname | What mod_md certificate should be used for Postfix |
 
 Dependencies
 ------------
diff --git a/defaults/main.yml b/defaults/main.yml
index 92948da..af38716 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 # defaults file for ensure_postfix
 postmaster_email: 'postmaster@example.com'
+postfix_vhost: '{{ inventory_hostname }}'
diff --git a/templates/Fedora/35/etc/postfix/main.cf b/templates/Fedora/35/etc/postfix/main.cf
index 0327a04..a1bbafe 100644
--- a/templates/Fedora/35/etc/postfix/main.cf
+++ b/templates/Fedora/35/etc/postfix/main.cf
@@ -706,13 +706,15 @@ readme_directory = /usr/share/doc/postfix/README_FILES
 # in PEM format. Intermediate certificates should be included in general,
 # the server certificate first, then the issuing CA(s) (bottom-up order).
 #
-smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
+# smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
+smtpd_tls_cert_file = /etc/postfix/certificates/pubcert.pem
 
 # The full pathname of a file with the Postfix SMTP server RSA private key
 # in PEM format. The private key must be accessible without a pass-phrase,
 # i.e. it must not be encrypted.
 #
-smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
+# smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
+smtpd_tls_key_file = /etc/postfix/certificates/privkey.pem
 
 # Announce STARTTLS support to remote SMTP clients, but do not require that
 # clients use TLS encryption (opportunistic TLS inbound).
diff --git a/templates/Fedora/35/usr/lib/systemd/system/postfix-copytls.service b/templates/Fedora/35/usr/lib/systemd/system/postfix-copytls.service
new file mode 100644
index 0000000..0642613
--- /dev/null
+++ b/templates/Fedora/35/usr/lib/systemd/system/postfix-copytls.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Copy TLS Certificates for Postfix
+
+[Service]
+Type=oneshot
+ExecStartPre=mkdir -p /etc/postfix/certificates
+ExecStart=/bin/bash -lc 'cp /etc/httpd/md/domains/{{ postfix_vhost }}/*.pem /etc/postfix/certificates/'
+ExecStartPost=chown -R root:root /etc/postfix/certificates
+
+[Install]
+WantedBy=postfix.service
+
diff --git a/templates/Fedora/35/usr/lib/systemd/system/postfix-copytls.timer b/templates/Fedora/35/usr/lib/systemd/system/postfix-copytls.timer
new file mode 100644
index 0000000..65cb658
--- /dev/null
+++ b/templates/Fedora/35/usr/lib/systemd/system/postfix-copytls.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Copy TLS Certificates for Postfix
+
+[Timer]
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=postfix.service
+
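Review bot: The copied private key ends up with whatever mode `cp` gives a new file under the service's umask, and the only post-step is `chown -R root:root`, so `/etc/postfix/certificates/privkey.pem` — the path main.cf now points `smtpd_tls_key_file` at — is likely to be world-readable on the host; the unit should set the directory and key mode explicitly. The `[Unit]` section also has no `Before=postfix.service`, so on first boot nothing orders the copy ahead of Postfix even though main.cf no longer references the old `/etc/pki/tls` files. The `/bin/bash -lc` wrapper exists only to expand `*.pem`; since main.cf names exactly `pubcert.pem` and `privkey.pem`, listing both files lets `ExecStart` call `cp` directly and keeps the templated `postfix_vhost` value out of a shell command line. As far as I recall Postfix loads the key before dropping privileges, so root-only 0600 should be sufficient — worth confirming against the Postfix TLS docs.
```ini
[Unit]
Description=Copy TLS Certificates for Postfix
Before=postfix.service

[Service]
Type=oneshot
ExecStartPre=mkdir -p -m 0750 /etc/postfix/certificates
ExecStart=/usr/bin/cp /etc/httpd/md/domains/{{ postfix_vhost }}/pubcert.pem /etc/httpd/md/domains/{{ postfix_vhost }}/privkey.pem /etc/postfix/certificates/
ExecStartPost=chown -R root:root /etc/postfix/certificates
ExecStartPost=chmod 0600 /etc/postfix/certificates/privkey.pem
# … unchanged: [Install] section …
```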
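Review bot: `OnUnitActiveSec=5min` is the timer's only trigger, and that setting is relative to the last activation of postfix-copytls.service; until that service has run once after boot the timer has nothing to count from, so the periodic refresh appears to depend on the service also being pulled in by postfix.service rather than on the timer itself. Adding `OnBootSec=5min` alongside it makes the first run independent of that. `WantedBy=postfix.service` in a timer's `[Install]` section is also unconventional — timers are normally installed with `WantedBy=timers.target` — and is worth a comment in the unit if the tie to postfix.service is intentional.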
diff --git a/vars/Fedora-35-default.yml b/vars/Fedora-35-default.yml index edf1298..21a6a51 100644 --- a/vars/Fedora-35-default.yml +++ b/vars/Fedora-35-default.yml @@ -97,3 +97,8 @@ template_list: src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/opendkim.conf' - dest: '/etc/opendmarc.conf' src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/opendmarc.conf' + - dest: '/usr/lib/systemd/system/postfix-copytls.service' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/postfix-copytls.service' + - dest: '/usr/lib/systemd/system/postfix-copytls.timer' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/postfix-copytls.timer' +