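---
# Installs and configures Postfix and, when dovecot_enabled is true, Dovecot
# with a file-based user database (/etc/dovecot/users).
#
# Credential handling in this file:
#   - SASL relay credentials are templated with no_log and mode 0600.
#   - The Dovecot token and the per-user password hashes are handled with
#     no_log, and plaintext passwords are fed to openssl on stdin, so they
#     appear neither in Ansible output nor in the process argument list.

- name: "POSTFIX | Install postfix package"
  ansible.builtin.apt:
    name:
      - postfix
      - postfix-pcre  # Often useful for advanced matching
      - libsasl2-modules  # Required for SASL authentication
    state: present
    update_cache: true
  tags:
    - postfix_install

- name: "POSTFIX | Configure /etc/mailname"
  ansible.builtin.copy:
    content: "{{ postfix_mail_domain }}\n"
    dest: /etc/mailname
    owner: root
    group: root
    mode: '0644'
  tags:
    - postfix_config

- name: "POSTFIX | Configure main.cf"
  ansible.builtin.template:
    src: main.cf.j2
    dest: /etc/postfix/main.cf
    owner: root
    group: root
    mode: '0644'
    # Validates the template before deploying.
    # NOTE(review): postfix's -c option names a configuration directory,
    # while %s expands to the path of a temporary file; confirm this command
    # really checks the rendered main.cf.
    validate: 'postfix check -c %s'
  notify: Restart Postfix  # Triggers the handler to restart the service
  tags:
    - postfix_config

- name: "POSTFIX | Configure smarthost credentials (if defined)"
  when: postfix_relayhost_user is defined and postfix_relayhost_password is defined
  block:
    - name: "POSTFIX | Template the SASL password file"
      ansible.builtin.template:
        src: sasl_passwd.j2
        dest: /etc/postfix/sasl_passwd
        owner: root
        group: root
        mode: '0600'  # Secure permissions for file with credentials
      no_log: true  # Prevents credentials from being displayed in Ansible logs
      notify: Restart Postfix

    - name: "POSTFIX | Create hash map for SASL password file"
      ansible.builtin.command:
        cmd: postmap hash:/etc/postfix/sasl_passwd
      # The postmap command always updates the .db file, so this task reports
      # "changed" and notifies the restart handler on every run.
      changed_when: true
      notify: Restart Postfix
  tags:
    - postfix_config
    - postfix_smarthost

- name: "DOVECOT | Install Dovecot packages"
  when: dovecot_enabled | default(false)
  ansible.builtin.apt:
    # dovecot-lmtpd is appended only when dovecot_postfix_lmtp_enable is true.
    name: >-
      {{ ['dovecot-core', 'dovecot-imapd', 'dovecot-pop3d', 'openssl']
         + (['dovecot-lmtpd'] if dovecot_postfix_lmtp_enable | default(false) else []) }}
    state: present
  tags:
    - dovecot_install

- name: "DOVECOT | Install pwgen"
  when: dovecot_enabled | default(false)
  ansible.builtin.apt:
    name: pwgen
    state: present
  tags:
    - dovecot_install

- name: "DOVECOT | Generate Dovecot token"
  when: dovecot_enabled | default(false)
  ansible.builtin.shell:
    # umask 077 keeps the new file from being created world-readable; the
    # token is mixed into every password hash below. "creates" makes this a
    # one-time step, so an existing token is never regenerated.
    cmd: "umask 077 && pwgen -s 16 1 > /etc/dovecot/dovecot_token"
    creates: /etc/dovecot/dovecot_token
  tags:
    - dovecot_config

- name: "DOVECOT | Restrict Dovecot token permissions"
  when: dovecot_enabled | default(false)
  ansible.builtin.file:
    path: /etc/dovecot/dovecot_token
    state: file
    owner: root
    group: dovecot
    # Same ownership and mode as /etc/dovecot/users, which embeds the token
    # as the hash salt. This also fixes a token file created by an earlier
    # run under the default umask.
    # NOTE(review): tighten to '0600' if nothing besides this role reads the
    # file; confirm against the Dovecot templates.
    mode: '0640'
  tags:
    - dovecot_config

- name: "DOVECOT | Read Dovecot token"
  when: dovecot_enabled | default(false)
  ansible.builtin.slurp:
    src: /etc/dovecot/dovecot_token
  register: dovecot_token_file
  no_log: true  # The result carries the base64-encoded token
  tags:
    - dovecot_config

- name: "DOVECOT | Create vmail group"
  when: dovecot_enabled | default(false)
  ansible.builtin.group:
    name: vmail
    gid: 5000
    state: present
  tags:
    - dovecot_config

- name: "DOVECOT | Create vmail user"
  when: dovecot_enabled | default(false)
  ansible.builtin.user:
    name: vmail
    uid: 5000
    group: vmail
    home: /var/vmail
    create_home: true
    system: true
    shell: /usr/sbin/nologin  # No interactive login for this account
  tags:
    - dovecot_config

- name: "DOVECOT | Ensure vmail directory permissions"
  when: dovecot_enabled | default(false)
  ansible.builtin.file:
    path: /var/vmail
    state: directory
    owner: vmail
    group: vmail
    mode: '0700'
  tags:
    - dovecot_config

- name: "DOVECOT | Generate user password hashes"
  when:
    - dovecot_enabled | default(false)
    - dovecot_users | default([]) | length > 0
  ansible.builtin.command:
    # The string to hash (token + password) is passed on stdin rather than as
    # an argument, so it is not visible in the process list while openssl
    # runs. The salt is the token, which makes the hash deterministic across
    # runs; every user shares that salt, so equal passwords give equal hashes.
    cmd: "openssl passwd -6 -salt {{ dovecot_token_value | quote }} -stdin"
    stdin: "{{ dovecot_token_value + item.pass }}"
  # default([]) keeps the loop from failing on an undefined dovecot_users.
  loop: "{{ dovecot_users | default([]) }}"
  register: dovecot_user_hashes
  changed_when: false
  # Each loop item contains the plaintext password (item.pass) and would
  # otherwise be printed with every iteration's result.
  no_log: true
  vars:
    dovecot_token_value: "{{ dovecot_token_file['content'] | b64decode | trim }}"
  tags:
    - dovecot_config

- name: "DOVECOT | Create users password file"
  when: dovecot_enabled | default(false)
  ansible.builtin.template:
    src: dovecot-users.j2
    dest: /etc/dovecot/users
    owner: root
    group: dovecot
    mode: '0640'
  # Keeps the rendered password database out of task output and --diff,
  # matching the handling of the SASL password file above.
  no_log: true
  vars:
    dovecot_token_value: "{{ dovecot_token_file['content'] | b64decode | trim }}"
  notify: Restart Dovecot
  tags:
    - dovecot_config

- name: "DOVECOT | Configure dovecot.conf"
  when: dovecot_enabled | default(false)
  ansible.builtin.template:
    src: dovecot.conf.j2
    dest: /etc/dovecot/dovecot.conf
    owner: root
    group: dovecot
    mode: '0644'
  notify: Restart Dovecot
  tags:
    - dovecot_config

- name: "DOVECOT | Configure conf.d files"
  when: dovecot_enabled | default(false)
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "/etc/dovecot/conf.d/{{ item.dest }}"
    owner: root
    group: dovecot
    mode: '0644'
  loop:
    - src: '10-auth.conf.j2'
      dest: '10-auth.conf'
    - src: 'auth-dovecot-users.conf.ext.j2'
      dest: 'auth-dovecot-users.conf.ext'
    - src: '10-master.conf.j2'
      dest: '10-master.conf'
    - src: '10-ssl.conf.j2'
      dest: '10-ssl.conf'
    - src: '10-mail.conf.j2'
      dest: '10-mail.conf'
  notify: Restart Dovecot
  tags:
    - dovecot_config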