added jimsgarage

.gitignore

@@ -1,5 +1,6 @@
 # ---> Ansible
 *.retry
+.vault
 
 # ---> Python
 # Byte-compiled / optimized / DLL files

.gitmodules

@@ -19,3 +19,9 @@
 [submodule "roles/nginxproxymanager"]
 	path = roles/nginxproxymanager
 	url = ssh://git@git.unkrig.dev:2222/ansible-roles/nginxproxymanager.git
+[submodule "k3s-ansible"]
+	path = k3s-ansible
+	url = ssh://git@git.unkrig.dev:2222/homelab/k3s-ansible.git
+[submodule "JimsGarage"]
+	path = JimsGarage
+	url = https://github.com/JamesTurland/JimsGarage.git

ansible.cfg

@@ -3,3 +3,4 @@ nocows = True
 inventory = ./inventory
 roles_path = ./roles/
 pipelining = True
+vault_password_file = ./.vault

arr-Stack/compose.yaml

@@ -0,0 +1,133 @@
+version: "3"
+services:
+  gluetun:
+    image: qmcgaw/gluetun
+    container_name: gluetun
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    ports:
+      - 6881:6881
+      - 6881:6881/udp
+      - 8085:8085 # qbittorrent
+      - 9117:9117 # Jackett
+      - 8989:8989 # Sonarr
+      - 9696:9696 # Prowlarr
+      - 8686:8686 # Lidarr
+      - 8787:8787 # Readarr
+    volumes:
+      - ./pl.hideservers.net.ovpn:/gluetun/custom.conf:ro
+      - /containers/arr/guetun:/gluetun
+    environment:
+      - VPN_SERVICE_PROVIDER=custom
+      - VPN_TYPE=openvon
+      - OPENVPN_USER=blablalba1
+      - OPENVPN_PASSWORD=4AkmyeOnD6kP
+      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
+      - TZ=Europe/Berlin
+      - UPDATER_PERIOD=24h
+
+  qbittorrent:
+    image: lscr.io/linuxserver/qbittorrent
+    container_name: qbittorrent
+    network_mode: "service:gluetun"
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/London
+      - WEBUI_PORT=8085
+    volumes:
+      - /containers/arr/qbittorrent:/config
+      - /srv/dev-disk-by-uuid-1a244e24-c185-4bd7-8f98-658205a33b7a/arr/torrents:/downloads
+    depends_on:
+      - gluetun
+    restart: always
+
+
+  jackett:
+    image: lscr.io/linuxserver/jackett:latest
+    container_name: jackett
+    network_mode: "service:gluetun"
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+      - AUTO_UPDATE=true #optional
+      - RUN_OPTS= #optional
+    volumes:
+      - /home/ubuntu/docker/arr-stack/jackett/data:/config
+      - /home/ubuntu/docker/arr-stack/jackett/blackhole:/downloads
+    depends_on:
+      - gluetun
+    restart: always
+
+  sonarr:
+    image: lscr.io/linuxserver/sonarr:latest
+    container_name: sonarr
+    network_mode: "service:gluetun"
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+    volumes:
+      - /containers/sonarr:/config
+      - /containers/sonarr/tvseries:/tv #optional
+      - /containers/sonarr/downloadclient-downloads:/downloads #optional
+    depends_on:
+      - gluetun
+    restart: always
+
+  prowlarr:
+    image: lscr.io/linuxserver/prowlarr:latest
+    container_name: prowlarr
+    network_mode: "service:gluetun"
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+    volumes:
+      - /containers/prowlarr:/config
+    depends_on:
+      - gluetun
+    restart: always
+
+  lidarr:
+    image: lscr.io/linuxserver/lidarr:latest
+    container_name: lidarr
+    network_mode: "service:gluetun"
+    security_opt:
+      - seccomp:unconfined
+      - apparmor=unconfined
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+    volumes:
+      - /containers/lidarr/config:/config
+      - /srv/dev-disk-by-uuid-1a244e24-c185-4bd7-8f98-658205a33b7a/arr/media/music:/music 
+      - /srv/dev-disk-by-uuid-1a244e24-c185-4bd7-8f98-658205a33b7a/arr/torrents:/downloads 
+    depends_on:
+      - gluetun
+    restart: always
+
+  readarr:
+    image: lscr.io/linuxserver/readarr:develop
+    container_name: readarr
+    network_mode: "service:gluetun"
+    security_opt:
+      - seccomp:unconfined
+      - apparmor=unconfined
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+    volumes:
+      - /containers/readarr/config:/config
+      - /srv/dev-disk-by-uuid-1a244e24-c185-4bd7-8f98-658205a33b7a/arr/media/books:/books #optional
+      - /srv/dev-disk-by-uuid-1a244e24-c185-4bd7-8f98-658205a33b7a/arr/torrents:/downloads #optional
+    depends_on:
+      - gluetun
+    restart: always
+
+

arr-Stack/pl.hideservers.net.ovpn

@@ -0,0 +1,98 @@
+client
+dev tun
+proto udp
+remote pl.hideservers.net 3000
+cipher AES-256-CBC
+auth SHA256
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+mute-replay-warnings
+verb 3
+auth-user-pass
+reneg-sec 900
+remote-cert-tls server
+verify-x509-name "*.hide.me" name
+tls-version-min 1.2
+
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIKJDCCBgygAwIBAgIQVc9ekKx5ZIkHcGchmaaVEzANBgkqhkiG9w0BAQ0FADCB
+kTELMAkGA1UEBhMCTVkxHDAaBgNVBAgME1dpbGF5YWggUGVyc2VrdXR1YW4xDzAN
+BgNVBAcMBkxhYnVhbjEZMBcGA1UECgwQZVZlbnR1cmUgTGltaXRlZDEeMBwGA1UE
+CwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRgwFgYDVQQDDA9IaWRlLk1lIFJvb3Qg
+Q0EwHhcNMTYwMTE3MjExMDI0WhcNNDYwMTA5MjExMDI0WjCBkTELMAkGA1UEBhMC
+TVkxHDAaBgNVBAgME1dpbGF5YWggUGVyc2VrdXR1YW4xDzANBgNVBAcMBkxhYnVh
+bjEZMBcGA1UECgwQZVZlbnR1cmUgTGltaXRlZDEeMBwGA1UECwwVQ2VydGlmaWNh
+dGUgQXV0aG9yaXR5MRgwFgYDVQQDDA9IaWRlLk1lIFJvb3QgQ0EwggQiMA0GCSqG
+SIb3DQEBAQUAA4IEDwAwggQKAoIEAQDX8zVTP6FQ4gJ+4e06bxvxifNHK8ht0RZn
+zCNrrwkekpB4ojXDghNfS38oK80RfygC8LXN7SnLv+0xw5dRZ3QVIZJnd/DtX2EF
+ZVxMyccJkLj8IEZv4Yx7zPnKI9EcQwo64O7npz28JZAGwexmK1W7ohm9VaAAtUPY
+6Ej7k/wsJi2d5BeHzYRrfJX3nEft8hbotwsFLPsngDciS3yE2B5zH/PJOZ5uzr/5
+djAbeFktfHR6ywbxE2CYjz2pVUfqvzjzwNj5BJPp3K5iTL/oL1xrAkQ5xSPtHbP0
+ZCMmR//PC73cqkI6bAw8YAjvq0CG7wSC3rCfzgz3RGGPHMVUmB+GGu1KZoGisexm
+9Y3ovmgubM+eE23aMBObf6tcRp1hSv7+EenlqAbyqQ5JqltWgsjEcV6THRKFmlSS
+CP84kZK+nLnoto6MEG8sK9d02+iYWPQbVQ9X7O6pMHgVj7vnOLuW6i+hKT/pcsnU
+8yhu2495Q07NDAAeX12dMbHhfLAs+DMtxjkj9SxejCS3Gi/XxON0E1NVVNEcl4yu
+TODIJVfh/+uDdUn6v8tP7XmIFlKlfyQzfxND/VlRAep1Tt4i04KAhW0SG5/qaXoP
+YROoP7eA0igKI5PxGbUZw/ym0i+1iXHR5XqfavZRM6gpOlDH2D9Mo64JfJTWT8J0
+AQ9apVXQZlC9raY5fulvX3TqZ5NDbm4z/hOawDFOmWWjOe2guTj+aMyDS13mpppz
+JF5h9JPlvvyb1Z0cjWv5zkW00pcO5qrk2l0kbL4kSoYia+URdpi/pbF30W27JwhQ
+oQqjdEcvr7qSYNkpnGSO57qZKS0Rjsnbgk2c8X1gHWqhECCoExBxT55bSKBPvrAw
+1jxdct9ZTROcU0Cz39jYT9stYEaozXhzHJmMZReunh1G2sWDqYQST33ljIcqtsDI
+DYu6KZorc3jioTHWnd8d/iCwz+vQcnNlyBIqqB9L0i07iQcTUGJ6lcm144JkfTEP
+2xY2mFuu14KXq9tI90PzxtodBhu7DodBTtARtwRwJ7O5goME8T29UTDQbjIvZegf
+eK3pzlPxdv7X+6jVl4a7Mx8S4FNAnwPa2Dz/y2uEOozRzMSmpjZb7qiVXipoe7aK
+QB4oc2kK2oEfWfnF/HcFf3QZSe2fCQKp3DOGk6n9fpPFbR7PFu1Ng16HpoA6l+F3
+Pamo4O6v0AxvDavj804dfyykN66Er3bfFVJu3wF/s7lrqjSQa+uGiIQ+TYehCBJY
+jzQsFtuKU3/GE4L8xlfgnSUASWkmOVEDwgPon9DUbcLR2fIM9O45Xkhmbq/2YPVw
+BlNCu3ScU3Y6lJ3QRNanOrfMIg1l3DZ/jeZmMDlINJvA7arx4XD5AgMBAAGjdjB0
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTqzyLU
+H5gO8ud/EfET7E92x/rJuTAfBgNVHSMEGDAWgBTqzyLUH5gO8ud/EfET7E92x/rJ
+uTARBglghkgBhvhCAQEEBAMCAAcwDQYJKoZIhvcNAQENBQADggQBAEs7gwuhUOxo
+rVCWcG0lKLWbgj0w/KqTwgAwyIN8Muth3SLF750iQ+U6AWDKY2sBRibYRmM5UUgq
+CVL2XShwN7SkuAnkitYU7NDEFr/gQsoEObMo1s7cNtelVcOTKYBqvIHsSw9SX7mr
+EoDVWCOW5Gx8/z6luexo6P5iSVvr4xbechQ6SKxpFIrhnE5k+MRDfvRLUyCbCQMg
+0zIteC1kVL6Lrfx/JiDjMpDz7zPUFh/gXuqA3FAFN/oaQkhpHroiwgMi6X1qFB7m
+/y1Qctb7Tw+h8SfzapRBq1EOxqZ86bGjI35MRxbEgP9SD7fRpo86jpejKS2JXnsf
+q1agSSw90H95nzX4ck6DGtKGNiDeNcDrsj98vCImsvO0X6T2eX/sx2ZRANEHcmHt
+J+tcdLo+UqoCUkdvCxxnNMYgnlhGhXbfzxeKsgQz5zQDg2XA2uZCNtgg6lQLgvmM
+xD+wPVY+ewGnJuz9reSxR9SyMxmpkAA7zqxpdG8HKRKupFxpnoyt17PAilsawMD/
+vtCTw1CNbo56oA635MZiNzb/5GO8vp0VDsS5nErL/DP/MEHmt/qZqLCoiStjTE1j
+QQsggyl/EH8NbIYQDAQweUMSmvdVBa1qwXSnbSd9xX3AE7RE34gZ1abS1zhXjTkY
+C16mj3nkCzCbax3eC5BKctxd4GB7JcpctAzvhWAfKAHAFsc8DLAUM+/S1+UWwOP1
+Lq5Z/+ZdXBiMiXbzyyAPILOp89hoF1c4BTmAmpFNCPQTa/kwC4pdSJCXRljfpMBE
+pkaKNteAJQZkWC2ACi2tuD6z34uS/yputnLMahyJvTiVa35NvG7yVc/h3/GDanHK
+f9h2CSlKc6FrtJNtysXWaVioATSjHLe0AXFLMuFBwlhyivrJaHjVneUOiG2EERVv
+TsaQT04Kqschl9tiqvlsXSrqKi2dLvDWEkG3F+nmNCUE4E6VrHCTk3X9Gs/d2AbP
+MfcxPbrIt1TLRN+OFG2ivpJtWyHROqWXQG85GVwpplaa4sg80OrX9bu4MYlg5MFk
+4RHBAPLe5eJ8YobwPOAD4vnl2yqpgxbEBAiPlX/mXsfbBYLXHsDS/EMPecJ3aqZ3
+Wv7y9IeWz9x6h4/AGM2pSbL+FHy4i55o4486CTKuB/6PEnlLAiVfPDkhDpJo0/ta
+n+p25b79tbI2iIoa4VqhkFAXpCdujNc/j7f+5wT+PsandEi3vckAvvZjhmTdreev
++nB/J2uzyFLr+6MUrYkPlOEUOnNImqDeXE/ocPFsTHiigV1I+1CUUgLr2MGuFTFm
+ZpQyQ6V9oqNU6av+hsD11GYpV8wi4QqWjeBOQayXJ7vcwqE3igyoBI2vMrpwfLlJ
+K127pRfgZn0=
+-----END CERTIFICATE-----
+</ca>
+
+<tls-crypt>
+-----BEGIN OpenVPN Static key V1-----
+8d25d82e75abbcdd73fb17b2ba5d1af2
+2d0e026ac8608ec8e51ecb0b3b1b5dba
+8ac1f6e556e4b4e3545e979dd26e2d9d
+5bc28c1d75b4e37531aabf5da3cba671
+1f8998eb66aa290daab6122bdfcb1aa3
+b9b428e722ea6e7edd9b878a5161c555
+14e6233d18b5cc34e859ecb5852b34ed
+6e539d64676edf9ad79470795ae73184
+05d93554de1063aec1df6420709c2dcc
+79511fa9c5e82de09d560f7d92001ea2
+75e4b3e9b6ce19687968b4813d6a9d61
+a48311658de88d651edb4eab447d73f6
+b209d144a3343a2c992b09c7501cad77
+cdf5c6b3be5f9919854bb10182c86794
+9df929173b8e98aeea9ffe277eddd7f7
+936232e1e44c9feb7a3a2753ed05c90b
+-----END OpenVPN Static key V1-----
+</tls-crypt>

devops.yaml

@@ -2,14 +2,8 @@
 
 - name: Manage devops VM
   hosts: devops
-  vars:
-    drone_server_url: drone.unkrig.dev
-    drone_gitea_url: "https://git.unkrig.dev"
-    drone_gitea_client_id: "20df7baf-e00b-439c-a022-f440a9780fe1"
-    drone_gitea_client_secret: "gto_vzlnwcq57nmp7wx5mressh6xuz24pwz4neostignihuq4lvpkhaa"
-    drone_rpc_secret: "c385e9b0b4aed5d52b1bfac9579e83ac"
+  vars: []
   roles:
     - { role: docker, become: true }
     - { role: haup.gitea, become: true }
-    - { role: docker-droneCI, become: true }
     - { role: prometheus.prometheus.node_exporter, become: true }

gitlab.yaml

@@ -0,0 +1,54 @@
+---
+
+- name: Manage devops VM
+  hosts: gitlab
+  vars:
+    mail_server: "smtp.variomedia.de"
+    mail_username: "relay@unkrig.dev"
+    mail_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          33663362623763346365343030376663333238333437326538616138316564316538343666656335
+          3532613366393466346262613264643437313138396363310a623962366634323064613161646461
+          63323936353762613863373961333264616136376366333232363137373261323133363136383765
+          6639663162633638650a653662333738396165356564363137613434376334643831313161346461
+          63663366303663643064626137356465636530653933663237393363356238616562373937626462
+          3164336265373436353331613262643563653066346237373031
+  roles:
+    - { role: postfix, become: true }
+    - { role: docker, become: true }
+    - { role: prometheus.prometheus.node_exporter, become: true }
+  tasks:
+    - name: Install gitlab dependencies
+      ansible.builtin.apt:
+        name: "{{ item }}"
+      loop:
+        - curl
+        - openssh-server
+        - ca-certificates
+        - perl
+      become: true
+
+    - name: Download foo.conf
+      ansible.builtin.get_url:
+        url: https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh
+        dest: /tmp/script.deb.sh
+        mode: '0770'
+      become: true
+
+    - name: Install repo script from gitlab
+      ansible.builtin.command: /tmp/script.deb.sh
+      changed_when: true
+      become: true
+
+    - name: Install gitlab-ee
+      ansible.builtin.apt:
+        name: gitlab-ee
+      become: true
+      environment:
+        EXTERNAL_URL: "https://gitlab.unkrig.dev"
+
+    - name: Mark gitlab-ee package
+      ansible.builtin.dpkg_selections:
+        name: gitlab-ee
+        selection: hold
+      become: true

infra.yaml

@@ -5,6 +5,6 @@
   roles:
     - { role: docker, become: true }
     - { role: pi_hole, become: true }
-    - { role: nginxproxymanager, become: true }
+#     - { role: nginxproxymanager, become: true }
     - { role: unifi_controller, become: true }
     - { role: prometheus.prometheus.node_exporter, become: true }

inventory

@@ -21,26 +21,12 @@ all:
         infra:
             ansible_host: "10.20.1.1"
             ansible_user: "tim"
+        gitlab:
+            ansible_host: "10.20.1.2"
+            ansible_user: "tim"
         cloud:
             ansible_host: "10.20.1.8"
             ansible_user: "tim"            
-        Tim-PC:
-            ansible_host: "tim-pc"
-            ansible_user: tunkr
-            ansible_connection: ssh
-            ansible_shell_type: cmd
-        k3s-master:
-            ansible_host: "10.20.1.243"
-            ansible_user: "tim"
-        k3s-node1:
-            ansible_host: "10.20.1.241"
-            ansible_user: "tim"
-        k3s-node2:
-            ansible_host: "10.20.1.242"
-            ansible_user: "tim"
-        k3s-node3:
-            ansible_host: "10.20.1.244"
-            ansible_user: "tim"
     vars:
     children:
         ubuntu:
@@ -52,26 +38,3 @@ all:
         pve:
             hosts: 
                 proxmox:
-        windows:
-            hosts:
-                Tim-PC:
-        k3s:
-            hosts:
-                k3s-master:
-                k3s-node1:
-                k3s-node2:
-                k3s-node3:
-        k3s_master:
-            hosts:
-                k3s-master:
-        k3s_nodes:
-            hosts:
-                k3s-node1:
-                k3s-node2:
-                k3s-node3:
-        raspi:
-            hosts:
-                k3s-master:
-                k3s-node1:
-                k3s-node2:
-                k3s-node3:

roles/postfix/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/postfix/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for postfix

roles/postfix/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+# handlers file for postfix
+
+
+- name: Run postmap
+  ansible.builtin.command: postmap /etc/postfix/sasl_passwd
+  changed_when: true
+  become: true
+
+- name: Restart posfix
+  become: true
+  ansible.builtin.systemd:
+    service: posfix
+    state: restarted

roles/postfix/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/postfix/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+# tasks file for postfix
+
+- name: Install postfix packages on debian
+  ansible.builtin.apt:
+    name: postfix
+    state: present
+  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+- name: Notify handler when db does not exist.
+  ansible.builtin.stat:
+    path: /etc/postfix/sasl_passwd.db
+  register: sasl_passwd_exists
+  changed_when: not sasl_passwd_exists.stat.exists
+  notify: Run postmap
+
+- name: Create sasl_passwd and notify the handler when changed.
+  become: true
+  ansible.builtin.template:
+    src: sasl_passwd.j2
+    dest: /etc/postfix/sasl_passwd
+    mode: "0600"
+  notify: Run postmap
+
+- name: Replace myhostname in main.cf
+  ansible.builtin.replace:
+    path: /etc/postfix/main.cf
+    regexp: '^myhostname = gitlab$'
+    replace: 'myhostname = gitlab.unkrig.dev'
+  tags:
+    - replace
+
+- name: Replace mydestination in main.cf
+  ansible.builtin.replace:
+    path: /etc/postfix/main.cf
+    regexp: '^relayhost = $'
+    replace: 'relayhost = [{{ mail_server }}]:587'
+  tags:
+    - replace
+
+- name: Add relay config to main.cfg
+  ansible.builtin.blockinfile:
+    path: /etc/postfix/main.cf
+    backup: true
+    insertafter: "EOF"
+    block: |
+      smtp_sasl_auth_enable = yes
+      smtp_sasl_security_options = noanonymous
+      smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+      smtp_use_tls = yes
+      smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+
+- name: Set permissions on sasl_passwd
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: '0600'
+  loop:
+    - '/etc/postfix/sasl_passwd.db'
+    - '/etc/postfix/sasl_passwd'
+  notify: Restart postfix

roles/postfix/templates/sasl_passwd.j2

@@ -0,0 +1 @@
+[{{ mail_server }}]:587 {{ mail_username }}:{{ mail_password }}

roles/postfix/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/postfix/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - postfix

roles/postfix/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for postfix