Enable selecting the TLS Certificate

README.md

@@ -11,7 +11,9 @@ Any pre-requisites that may not be covered by Ansible itself or the role should
 Role Variables
 --------------
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+| Variable | Default | Description |
+|-|-|-|
+| postfix_vhost | inventory_hostname | What mod_md certificate should be used for Postfix |
 
 Dependencies
 ------------

defaults/main.yml

@@ -1,3 +1,4 @@
 ---
 # defaults file for ensure_postfix
 postmaster_email: 'postmaster@example.com'
+postfix_vhost: '{{ inventory_hostname }}'

templates/Fedora/35/etc/postfix/main.cf

@@ -706,13 +706,15 @@ readme_directory = /usr/share/doc/postfix/README_FILES
 # in PEM format. Intermediate certificates should be included in general,
 # the server certificate first, then the issuing CA(s) (bottom-up order).
 #
-smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
+# smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
+smtpd_tls_cert_file = /etc/postfix/certificates/pubcert.pem
 
 # The full pathname of a file with the Postfix SMTP server RSA private key
 # in PEM format. The private key must be accessible without a pass-phrase,
 # i.e. it must not be encrypted.
 #
-smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
+# smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
+smtpd_tls_key_file = /etc/postfix/certificates/privkey.pem
 
 # Announce STARTTLS support to remote SMTP clients, but do not require that
 # clients use TLS encryption (opportunistic TLS inbound).

templates/Fedora/35/usr/lib/systemd/system/postfix-copytls.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Copy TLS Certificates for Postfix
+
+[Service]
+Type=oneshot
+ExecStartPre=mkdir -p /etc/postfix/certificates
+ExecStart=/bin/bash -lc 'cp /etc/httpd/md/domains/{{ postfix_vhost }}/*.pem /etc/postfix/certificates/'
+ExecStartPost=chown -R root:root /etc/postfix/certificates
+
+[Install]
+WantedBy=postfix.service
+

templates/Fedora/35/usr/lib/systemd/system/postfix-copytls.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Copy TLS Certificates for Postfix
+
+[Timer]
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=postfix.service
+

vars/Fedora-35-default.yml

@@ -97,3 +97,8 @@ template_list:
     src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/opendkim.conf'
   - dest: '/etc/opendmarc.conf'
     src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/opendmarc.conf'
+  - dest: '/usr/lib/systemd/system/postfix-copytls.service'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/postfix-copytls.service'
+  - dest: '/usr/lib/systemd/system/postfix-copytls.timer'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/postfix-copytls.timer'
+