---
- name: Install SASL dependencies
  package:
    name:
      - sasl2-bin
      - libsasl2-modules
    state: present
  tags:
    - role::sasl

- name: Create SASL authentication daemon user
  user:
    name: sasl
    group: sasl
    system: true
  tags:
    - role::sasl

- name: Create service override directory
  file:
    path: /etc/systemd/system/saslauthd.service.d
    state: directory
    owner: root
    group: root
    mode: "0755"
  tags:
    - role::sasl

- name: Copy service user configuration for SASL authentication daemon
  copy:
    src: user.conf
    dest: /etc/systemd/system/saslauthd.service.d/user.conf
    mode: "0640"
    owner: root
    group: root
  tags:
    - role::sasl
  notify:
    - Restart SASL
  register: sasl_systemd_override

- name: Update SASL authentication daemon preferences
  lineinfile:
    path: /etc/default/saslauthd
    regexp: '^{{ item[''key''] }}="'
    line: '{{ item["key"] }}="{{ item["value"] }}"'
    mode: "0644"
    owner: root
    group: root
  loop:
    - key: START
      value: "yes"
    - key: MECHANISMS
      value: ldap
    # Postfix runs in a CHROOT so we need to create the SASLAUTHD socket there
    # to allow Postfix to communicate with it.
    - key: OPTIONS
      value: "-c -m {{ sasl_mux_path }}"
  tags:
    - role::sasl
  notify:
    - Restart SASL

# The sysvinit script checks for a dpkg-statoverride when first starting. If
# one exists, it uses it, if none exists, ti creates the directory with
# ownership u=root g=sasl m=710. With these two tasks, we check whether there's
# a default override already specified (presumably from package installation)
# and only set it if it's distinct, ensuring idempotency.
- name: Check current overrides for runtime directory
  command: dpkg-statoverride --list "{{ sasl_mux_path }}"
  changed_when: false
  register: sasl_statoverride_list
  tags:
    - role::sasl

- name: Ask dpkg to create runtime directory as sasl user
  command: "dpkg-statoverride --update --force-statoverride-add --add {{ statoverride_line }}"
  changed_when: true
  tags:
    - role::sasl
  when:
    # Only if necessary.
    - sasl_statoverride_list.stdout_lines
    - sasl_statoverride_list.stdout_lines[0] != statoverride_line
  vars:
    statoverride_line: "sasl sasl 710 {{ sasl_mux_path }}"

- name: Copy SASL LDAP configuration
  template:
    src: saslauthd.conf.j2
    dest: /etc/saslauthd.conf
    mode: "0640"
    owner: root
    group: sasl
  tags:
    - role::sasl
  notify:
    - Reload SASL

# BEGIN temporary tasks. Can be removed after initial deploy.
- name: Remove Postfix from SASL group
  command: "gpasswd -d postfix sasl"
  register: command_result
  changed_when: "not 'is not a member of' in command_result.stderr"
  failed_when: false
  tags:
    - role::sasl

- name: Remove Postfix SASL configuration
  file:
    path: /etc/postfix/sasl/smtpd.conf
    state: absent
  tags:
    - role::sasl
  notify:
    - Reload postfix
# END temporary tasks. Can be removed after initial deploy.

- name: Enable and start SASL authentication daemon
  systemd_service:
    name: saslauthd
    state: started
    enabled: true
    daemon_reload: "{{ sasl_systemd_override is changed }}"
  tags:
    - role::sasl