puppet-prod/site/profiles/manifests/dovecot/backend.pp

class profiles::dovecot::backend (
  Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
  Stdlib::Absolutepath $tls_key_file  = '/etc/pki/tls/vault/certificate.pem',
  Stdlib::Absolutepath $tls_ca_file   = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
  Stdlib::Absolutepath $mail_location = '/shared/apps/maildata/%u',
  String $hostname                    = $trusted['certname'],
  Array[String] $listen               = ['*', '::'],
  Array[String] $protocols            = ['imap', 'imaps'],
  Hash[String, Any] $auth_config      = {},
  Hash[String, Any] $mail_config      = {},
  Hash[String, Any] $ssl_config       = {},
  Hash[String, Any] $logging_config   = {},
) {

  # Ensure the maildata directory exists
  file { '/shared/apps/maildata':
    ensure => directory,
    owner  => 'vmail',
    group  => 'vmail',
    mode   => '0755',
  }

  # Create vmail user for dovecot
  user { 'vmail':
    ensure     => present,
    uid        => 5000,
    gid        => 5000,
    home       => '/shared/apps/maildata',
    shell      => '/usr/sbin/nologin',
    managehome => false,
    system     => true,
  }

  group { 'vmail':
    ensure => present,
    gid    => 5000,
    system => true,
  }

  # Main dovecot configuration
  $main_config = {
    'values' => {
      'listen'            => join($listen, ', '),
      'protocols'         => join($protocols, ' '),
      'default_login_user' => 'vmail',
      'default_internal_user' => 'vmail',
      'first_valid_uid'   => '5000',
      'last_valid_uid'    => '5000',
      'first_valid_gid'   => '5000',
      'last_valid_gid'    => '5000',
      'mail_uid'          => 'vmail',
      'mail_gid'          => 'vmail',
      'mail_location'     => "maildir:${mail_location}",
      'login_trusted_networks' => '10.0.0.0/8 127.0.0.0/8 [::1]/128',
    }
  }

  # SSL configuration
  $default_ssl_config = {
    'ssl' => {
      'values' => {
        'ssl'          => 'required',
        'ssl_cert'     => "<${tls_cert_file}",
        'ssl_key'      => "<${tls_key_file}",
        'ssl_ca'       => "<${tls_ca_file}",
        'ssl_protocols' => '!SSLv2 !SSLv3',
        'ssl_cipher_list' => join([
          'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES',
          'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
        ], ':'),
        'ssl_prefer_server_ciphers' => 'yes',
        'ssl_dh_parameters_length' => '2048',
      }
    }
  }

  # Authentication configuration
  $default_auth_config = {
    'auth' => {
      'values' => {
        'auth_mechanisms' => 'plain login',
        'auth_username_format' => '%Lu',
        'auth_default_realm' => 'main.unkin.net',
      }
    },
    'auth-vmail' => {
      'values' => {
        'passdb' => '{
          driver = pam
        }',
        'userdb' => '{
          driver = passwd
          override_fields = uid=vmail gid=vmail home=/shared/apps/maildata/%u
        }',
      }
    }
  }

  # Mail configuration
  $default_mail_config = {
    'mail' => {
      'values' => {
        'mail_plugins' => '$mail_plugins',
        'namespace inbox' => '{
          inbox = yes
          location =
          mailbox Drafts {
            special_use = \\Drafts
          }
          mailbox Junk {
            special_use = \\Junk
          }
          mailbox Sent {
            special_use = \\Sent
          }
          mailbox "Sent Messages" {
            special_use = \\Sent
          }
          mailbox Trash {
            special_use = \\Trash
          }
        }',
      }
    }
  }

  # Logging configuration
  $default_logging_config = {
    'logging' => {
      'values' => {
        'log_path'       => 'syslog',
        'syslog_facility' => 'mail',
        'auth_verbose'   => 'yes',
        'auth_debug'     => 'no',
        'mail_debug'     => 'no',
      }
    }
  }

  # Merge configurations
  $final_ssl_config = deep_merge($default_ssl_config, $ssl_config)
  $final_auth_config = deep_merge($default_auth_config, $auth_config)
  $final_mail_config = deep_merge($default_mail_config, $mail_config)
  $final_logging_config = deep_merge($default_logging_config, $logging_config)

  $all_configs = $final_ssl_config + $final_auth_config + $final_mail_config + $final_logging_config

  # Configure dovecot
  class { 'dovecot':
    main_config        => $main_config,
    configs            => $all_configs,
    include_sysdefault => false,
    require            => [User['vmail'], Group['vmail'], File['/shared/apps/maildata']],
  }

}