diff --git a/docs/rolereference.rst b/docs/rolereference.rst index cf021019a08b9007dfefac7f02b01a5ca0432916..14d4387bb068d14ef8c3a5776f4204192038f4c0 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -472,6 +472,26 @@ The role implements the following: * Sets the LDAP server administrator's password. +LDIF Templates +~~~~~~~~~~~~~~ + +For adding users, use:: + + dn: uid=USERNAME,ou=people,BASE_DN + objectClass: inetOrgPerson + objectClass: simpleSecurityObject + uid: USERNAME + userPassword: PASSWORD_FROM_SLAPPASSWD + cn: NAME SURNAME + sn: SURNAME + gn: NAME + displayName: DISPLAYNAME + initials: INITIALS + mail: MAIL + mobile: MOBILE + + + Role dependencies ~~~~~~~~~~~~~~~~~ @@ -603,7 +623,7 @@ Here is an example configuration for setting-up LDAP server: ldap_server_tls_certificate: "{{ lookup('file', '~/tls/ldap.example.com_ldap.pem') }}" ldap_server_tls_key: "{{ lookup('file', '~/tls/ldap.example.com_ldap.key') }}" ldap_server_ssf: 128 - + ldap_permissions: - > to * @@ -624,7 +644,7 @@ Here is an example configuration for setting-up LDAP server: by dn="cn=admin,dc=example,dc=com" write by users read by * none - + ldap_entries: - dn: ou=people,dc=example,dc=com objectClass: organizationalUnit @@ -682,6 +702,17 @@ Prosody expects a specific directory structure in LDAP when doing look-ups: allows group-based granting of XMPP service to users. +LDIF Templates +~~~~~~~~~~~~~~ + +For adding user to a group, use:: + + dn: cn=xmpp,ou=groups,BASE_DN + changetype: modify + add: uniqueMember + uniqueMember: uid=USERNAME,ou=people,BASE_DN + + Role dependencies ~~~~~~~~~~~~~~~~~ 
@@ -760,6 +791,12 @@ Here is an example configuration for setting-up XMPP server using Prosody: Mail Server ----------- +.. warning:: + Unfortunately, there are some issues with ``clamav-milter``, + ``clamav-daemon``, and ``clamav-freshclam`` services on Debian Jessie. Once + the role has been applied for the first time, wait for ``clamav-freshclam`` + service to update the ClamAV virus database, then restart all three services. + The ``mail_server`` role can be used for setting-up a complete mail server solution, which includes both SMTP and IMAP service, on destination machine. @@ -813,6 +850,30 @@ doing look-ups: group-based granting of mail services to users. +LDIF Templates +~~~~~~~~~~~~~~ + +For adding domains, use:: + + dn: dc=DOMAIN,ou=domains,ou=mail,ou=services,BASE_DN + objectClass: dNSDomain + dc: DOMAIN + +For adding aliases, use:: + + dn: cn=ALIAS,ou=aliases,ou=mail,ou=services,BASE_DN + objectClass: nisMailAlias + cn: ALIAS + rfc822MailMember: REALEMAIL + +For adding user to a group, use:: + + dn: cn=mail,ou=groups,BASE_DN + changetype: modify + add: uniqueMember + uniqueMember: uid=USERNAME,ou=people,BASE_DN + + Role dependencies ~~~~~~~~~~~~~~~~~ @@ -845,9 +906,10 @@ Parameters LDAP URL that should be used for connecting to the LDAP server for doing domain/user look-ups. -**mail_ldap_tls_truststore** (string, optional, ``/etc/ssl/certs/truststore.pem``) - Path to TLS truststore used for verifying the LDAP certificate. Should be in - PEM format. +**mail_ldap_tls_truststore** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}``) + X.509 certificate chain used for issuing certificate for the LDAP service. The + file will be stored in locations ``/etc/ssl/certs/mail_ldap_tls_truststore.pem`` + and ``/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem``. **mail_ldap_postfix_password** (string, mandatory) Password for authenticating the Postfix LDAP user. 
@@ -979,9 +1041,10 @@ Parameters **smtp_relay_host** (string, optional, ``None``) SMTP server via which the mails are sent out for non-local recipients. -**smtp_relay_truststore** (string, optional, ``/etc/ssl/certs/truststore.pem``) - Path to the file containing full X.509 CA certificate chain used for - validating the server certificate presented by the relay server. +**smtp_relay_truststore** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}``) + X.509 certificate chain used for issuing certificate for the SMTP relay + service. The file will be stored in location + ``/etc/ssl/certs/smtp_relay_truststore.pem`` Examples @@ -1128,6 +1191,20 @@ Depends on the following roles: Parameters ~~~~~~~~~~ +**additional_nginx_config** (list, optional, ``[]``) + List providing additional Nginx configuration options to include. This can be + useful for specifying things like error pages. Options are applied inside of a + **server** context of Nginx configuration file. + + Each item is a dictionary with the following options describing the extra + configuration option: + + **comment** (string, mandatory) + Comment describing the configuration option. + + **value** (string, mandatory) + Configuration option. + **admin** (string, optional, ``web-{{ fqdn | replace('.', '_') }}``) Name of the operating system user in charge of maintaining the website. This user is capable of making modifications to website configuration and data 
@@ -1220,6 +1297,11 @@ running *ownCloud* and *The Bug Genie* applications): - php5-curl https_tls_key: "{{ lookup('file', inventory_dir + '/tls/cloud.example.com_https.key') }}" https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/cloud.example.com_https.pem') }}" + additional_nginx_config: + - comment: Use custom page for forbidden files. + value: error_page 403 /core/templates/403.php; + - comment: Use custom page for non-existing locations/files. + value: error_page 404 /core/templates/404.php; - role: php_website admin: admin deny_files_regex: @@ -1304,6 +1386,20 @@ Depends on the following roles: Parameters ~~~~~~~~~~ +**additional_nginx_config** (list, optional, ``[]``) + List providing additional Nginx configuration options to include. This can be + useful for specifying things like error pages. Options are applied inside of a + **server** context of Nginx configuration file. + + Each item is a dictionary with the following options describing the extra + configuration option: + + **comment** (string, mandatory) + Comment describing the configuration option. + + **value** (string, mandatory) + Configuration option. + **admin** (string, optional, ``web-{{ fqdn | replace('.', '_') }}``) Name of the operating system user in charge of maintaining the website. This user is capable of making modifications to website configuration anda data @@ -1382,6 +1478,11 @@ running a bare Django project): wsgi_application: django_example_com.wsgi:application https_tls_key: "{{ lookup('file', inventory_dir + '/tls/wsgi.example.com_https.key') }}" https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/wsgi.example.com_https.pem') }}" + additional_nginx_config: + - comment: Use custom page for forbidden files. + value: error_page 403 /static/403.html; + - comment: Use custom page for non-existing locations/files. + value: error_page 404 /static/404.html; Database Server 
@@ -1557,6 +1658,9 @@ Parameters IPv4 address from which the backup client server is connecting to the backup server. Used for introducing stricter firewall rules. + **public_key** (string, mandatory) + SSH public key used by backup client to connect to the backup server. + **backup_host_ssh_private_keys** (dictionary, mandatory) Defines host keys used for the dedicated OpenSSH server instance for backup. Key values that must be provided are: **dsa**, **rsa**, **ed25519**, diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml index e648102c98ae33142b4c6d52ae3b9da35e21ad3f..d067d8a3b212ad5e4daff43bcecfd4ae955b7535 100644 --- a/roles/backup_client/tasks/main.yml +++ b/roles/backup_client/tasks/main.yml @@ -66,6 +66,8 @@ - name: Configure backup patterns template: src="backup_patterns.j2" dest="/etc/duply/main/patterns/{{ backup_patterns_filename }}" owner="root" group="root" mode=700 + notify: + - Assemble Duply include patterns - name: Set-up directory for storing pre-backup scripts file: path="/etc/duply/main/pre.d/" state=directory diff --git a/roles/bootstrap/handlers/main.yml b/roles/bootstrap/handlers/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 2127872f6a10f32d285eebcb2f1c9f30f5778752..f7b90d6dc63f986bc337a7002ca7f315c8c5f854 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -43,7 +43,7 @@ - name: Set-up operating system users user: name="{{ item.name }}" uid="{{ item.uid | default(omit) }}" group="{{ item.name }}" groups="{{ ",".join(item.additional_groups | default([])) }}" append=yes shell=/bin/bash state=present - password="{{ item.password | default('!') }}" + password="{{ item.password | default('!') }}" update_password=on_create with_items: os_users - name: Set-up authorised keys 
@@ -63,7 +63,7 @@ - Restart SSH - name: Deploy CA certificates - copy: content="{{ item.value }}" dest="/etc/ssl/certs/{{ item.key }}" mode=644 owner=root group=root + copy: content="{{ item.value }}" dest="/usr/local/share/ca-certificates/{{ item.key }}.crt" mode=644 owner=root group=root with_dict: ca_certificates notify: - Update CA certificate cache diff --git a/roles/database/tasks/main.yml b/roles/database/tasks/main.yml index 9c00ce1be58f3f5f4e29f1d5e944f108c0144f47..ce66c6b5196721a464471f38fae974a67433c4f8 100644 --- a/roles/database/tasks/main.yml +++ b/roles/database/tasks/main.yml @@ -5,7 +5,7 @@ - name: "Create database user {{ db_name }}" mysql_user: name="{{ db_name }}" password="{{ db_password }}" - priv=*.*:ALL state=present + priv="{{ db_name }}.*:ALL" state=present - name: Enable backup include: backup.yml diff --git a/roles/ldap_server/defaults/main.yml b/roles/ldap_server/defaults/main.yml index e9b4033ba231b037dbfb6fe844d156c189ff04a3..1177a9c94dc8f378470068df78b46b950e418b11 100644 --- a/roles/ldap_server/defaults/main.yml +++ b/roles/ldap_server/defaults/main.yml @@ -7,8 +7,8 @@ ldap_server_domain: "{{ ansible_domain }}" ldap_server_int_basedn: "{{ ldap_server_domain | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}" ldap_server_organization: "Private" ldap_server_log_level: 256 -ldap_server_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_ldap.pem') }}" -ldap_server_tls_key: "{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_ldap.key') }}" +ldap_server_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_ldap.pem') }}" +ldap_server_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_ldap.key') }}" ldap_server_ssf: 128 ldap_server_consumers: [] ldap_server_groups: [] 
diff --git a/roles/mail_forwarder/defaults/main.yml b/roles/mail_forwarder/defaults/main.yml index 32713fcf5440cb8fbb22bf8e4ead2e18ac639774..2603ddaf09a277e9a3d1b78ed2ffc876e4b3b262 100644 --- a/roles/mail_forwarder/defaults/main.yml +++ b/roles/mail_forwarder/defaults/main.yml @@ -2,4 +2,4 @@ local_mail_aliases: [] smtp_relay_host: "" -smtp_relay_truststore: "/etc/ssl/certs/truststore.pem" \ No newline at end of file +smtp_relay_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}" \ No newline at end of file diff --git a/roles/mail_forwarder/tasks/main.yml b/roles/mail_forwarder/tasks/main.yml index dbcb7b9122e81a44cce2147f37539607aa9a6d8a..6e9cb0938f0c411d71b1080ee085eba5547aa04f 100644 --- a/roles/mail_forwarder/tasks/main.yml +++ b/roles/mail_forwarder/tasks/main.yml @@ -6,6 +6,10 @@ - name: Purge Exim configuration apt: name="exim4*" state=absent purge=yes +- name: Deploy the SMTP relay TLS truststore + copy: content="{{ smtp_relay_truststore }}" dest="/etc/ssl/certs/smtp_relay_truststore.pem" + owner=root group=root mode=644 + - name: Deploy Postfix main configuration template: src="main.cf.j2" dest="/etc/postfix/main.cf" notify: diff --git a/roles/mail_forwarder/templates/main.cf.j2 b/roles/mail_forwarder/templates/main.cf.j2 index 5f25388f9579c2c5466cc401798f4d311d840702..3ac8ccdd36ba5a0d4a07a748c35a0edf121ad7a3 100644 --- a/roles/mail_forwarder/templates/main.cf.j2 +++ b/roles/mail_forwarder/templates/main.cf.j2 @@ -24,7 +24,7 @@ smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_security_level=verify -smtp_tls_CAfile={{ smtp_relay_truststore }} +smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. 
diff --git a/roles/mail_server/defaults/main.yml b/roles/mail_server/defaults/main.yml index 5e41257e58ca8b7dad78e6a61698228f856a0198..ce8c33f6019085420b53ef5e37da9c6f9e37973e 100644 --- a/roles/mail_server/defaults/main.yml +++ b/roles/mail_server/defaults/main.yml @@ -1,12 +1,12 @@ --- enable_backup: False -mail_ldap_tls_truststore: "/etc/ssl/certs/truststore.pem" +mail_ldap_tls_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}" mail_user: vmail -imap_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_imap.pem') }}" -imap_tls_key: "{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_imap.key') }}" -smtp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_smtp.pem') }}" -smtp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_smtp.key') }}" +imap_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_imap.pem') }}" +imap_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_imap.key') }}" +smtp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_smtp.pem') }}" +smtp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_smtp.key') }}" imap_folder_separator: "/" smtp_rbl: [] mail_postmaster: "postmaster@{{ ansible_domain }}" diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml index da32d04755f6a9b16b749adde51d16c5a5f333de..beac798a7bc9ff859879362bd3a930943d2494b0 100644 --- a/roles/mail_server/tasks/main.yml +++ b/roles/mail_server/tasks/main.yml 
@@ -73,10 +73,13 @@ with_items: - /var/spool/postfix/var/run/clamav -- name: Copy the LDAP TLS truststore into Postfix chroot - command: rsync -Lpci "{{ mail_ldap_tls_truststore }}" "/var/spool/postfix/{{ mail_ldap_tls_truststore}}" - register: rsync_result - changed_when: "rsync_result.stdout != ''" +- name: Deploy the LDAP TLS truststore in default location + copy: content="{{ mail_ldap_tls_truststore }}" dest="/etc/ssl/certs/mail_ldap_tls_truststore.pem" + owner=root group=root mode=644 + +- name: Deploy the LDAP TLS truststore in Postfix chroot + copy: content="{{ mail_ldap_tls_truststore }}" dest="/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem" + owner=root group=root mode=644 - name: Deploy Postfix configurations files for LDAP look-ups template: src="{{ item }}.cf.j2" dest="/etc/postfix/{{ item }}.cf" owner=root group=postfix mode=640 diff --git a/roles/mail_server/templates/dovecot-ldap.conf.ext.j2 b/roles/mail_server/templates/dovecot-ldap.conf.ext.j2 index 712727e1b9988ed00d14aff066cf7a93bb776003..6089decab2001f8b023b2f632f8d7d170149f9c6 100644 --- a/roles/mail_server/templates/dovecot-ldap.conf.ext.j2 +++ b/roles/mail_server/templates/dovecot-ldap.conf.ext.j2 @@ -2,7 +2,7 @@ uris = {{ mail_ldap_url }} dn = cn=dovecot,ou=services,{{ mail_ldap_base_dn }} dnpass = {{ mail_ldap_dovecot_password }} tls = yes -tls_ca_cert_file = {{ mail_ldap_tls_truststore }} +tls_ca_cert_file = /etc/ssl/certs/mail_ldap_tls_truststore.pem tls_require_cert = demand auth_bind = yes base = ou=people,{{ mail_ldap_base_dn }} diff --git a/roles/mail_server/templates/ldap-virtual-alias-maps.cf.j2 b/roles/mail_server/templates/ldap-virtual-alias-maps.cf.j2 index 6b674715d83b0cbf4ae86bea47b7459eba2b6a96..9f4705ed19d67e3d4366fa55686ffefaa7b82a8f 100644 --- a/roles/mail_server/templates/ldap-virtual-alias-maps.cf.j2 +++ b/roles/mail_server/templates/ldap-virtual-alias-maps.cf.j2 
@@ -2,7 +2,7 @@ server_host = {{ mail_ldap_url }} start_tls = yes tls_require_cert = yes -tls_ca_cert_file = {{ mail_ldap_tls_truststore }} +tls_ca_cert_file = /etc/ssl/certs/mail_ldap_tls_truststore.pem bind = yes bind_dn = cn=postfix,ou=services,{{ mail_ldap_base_dn }} bind_pw = {{ mail_ldap_postfix_password }} diff --git a/roles/mail_server/templates/ldap-virtual-mailbox-domains.cf.j2 b/roles/mail_server/templates/ldap-virtual-mailbox-domains.cf.j2 index 0902e732c1587182e994ad0da92a494a71ba3f9d..75099ae7e4f8238dc74c9b9784bdc42f21c4bdc3 100644 --- a/roles/mail_server/templates/ldap-virtual-mailbox-domains.cf.j2 +++ b/roles/mail_server/templates/ldap-virtual-mailbox-domains.cf.j2 @@ -2,7 +2,7 @@ server_host = {{ mail_ldap_url }} start_tls = yes tls_require_cert = yes -tls_ca_cert_file = {{ mail_ldap_tls_truststore }} +tls_ca_cert_file = /etc/ssl/certs/mail_ldap_tls_truststore.pem bind = yes bind_dn = cn=postfix,ou=services,{{ mail_ldap_base_dn }} bind_pw = {{ mail_ldap_postfix_password }} diff --git a/roles/mail_server/templates/ldap-virtual-mailbox-maps.cf.j2 b/roles/mail_server/templates/ldap-virtual-mailbox-maps.cf.j2 index 4bbaca3b6239c65c3bdb531a6cb96981b03b9fe9..9b834f9cd9e24a0363ebef26d9a9b7de0055bcbd 100644 --- a/roles/mail_server/templates/ldap-virtual-mailbox-maps.cf.j2 +++ b/roles/mail_server/templates/ldap-virtual-mailbox-maps.cf.j2 @@ -2,7 +2,7 @@ server_host = {{ mail_ldap_url }} start_tls = yes tls_require_cert = yes -tls_ca_cert_file = {{ mail_ldap_tls_truststore }} +tls_ca_cert_file = /etc/ssl/certs/mail_ldap_tls_truststore.pem bind = yes bind_dn = cn=postfix,ou=services,{{ mail_ldap_base_dn }} bind_pw = {{ mail_ldap_postfix_password }} diff --git a/roles/php_website/defaults/main.yml b/roles/php_website/defaults/main.yml index 749d39f975592e142a067596fc261aa3ac6edaf7..aa7686c08c1ee0ddff9534ce29fa3cd8e5061c70 100644 --- a/roles/php_website/defaults/main.yml +++ b/roles/php_website/defaults/main.yml 
@@ -1,5 +1,6 @@ --- +additional_nginx_config: {} deny_files_regex: [] enforce_https: True index: index.php diff --git a/roles/php_website/tasks/main.yml b/roles/php_website/tasks/main.yml index a106141ff06b7564ba8d64b3ad882a5b8f1536f6..6933edf22fc00e862efec357cd74a2a06ac133ab 100644 --- a/roles/php_website/tasks/main.yml +++ b/roles/php_website/tasks/main.yml @@ -1,6 +1,7 @@ --- -- set_fact: +- name: Calculate username and home + set_fact: user: "web-{{ fqdn | replace('.', '_') }}" home: "/var/www/{{ fqdn }}" diff --git a/roles/php_website/templates/nginx_site.j2 b/roles/php_website/templates/nginx_site.j2 index 54c825fa440569cd8a607f889faa12234be01643..a85938ce9371c77deb8d1a565f765c73c0992622 100644 --- a/roles/php_website/templates/nginx_site.j2 +++ b/roles/php_website/templates/nginx_site.j2 @@ -26,6 +26,11 @@ server { ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key; ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem; + {% for config in additional_nginx_config -%} + # {{ config.comment }} + {{ config.value }} + {% endfor -%} + {% if rewrites -%} # Generic URL rewrites. {% for rewrite in rewrites -%} @@ -50,7 +55,7 @@ server { # Serve the files. location ~ /(.+) { - try_files $uri $uri/{% if php_rewrite_urls %} @php_rewrite{% endif %}; + try_files $uri $uri/{% if php_rewrite_urls %} @php_rewrite{% endif %} =404; } {% if php_rewrite_urls -%} diff --git a/roles/wsgi_website/defaults/main.yml b/roles/wsgi_website/defaults/main.yml index afc44e0cc2e57bb1291ff107dea74ec2ff805842..f7f74d3d4ad31b111f24333494721866a07b3af4 100644 --- a/roles/wsgi_website/defaults/main.yml +++ b/roles/wsgi_website/defaults/main.yml @@ -1,5 +1,6 @@ --- +additional_nginx_config: {} enforce_https: True packages: [] rewrites: [] diff --git a/roles/wsgi_website/templates/nginx_site.j2 b/roles/wsgi_website/templates/nginx_site.j2 index 09588a8b19e3a2037e45f814fe8f7085a01e3421..05f7eee9147368a351294869254f41508f266bc7 100644 --- a/roles/wsgi_website/templates/nginx_site.j2 
+++ b/roles/wsgi_website/templates/nginx_site.j2 @@ -25,6 +25,11 @@ server { ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key; ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem; + {% for config in additional_nginx_config -%} + # {{ config.comment }} + {{ config.value }} + {% endfor -%} + {% if rewrites -%} # Site rewrites. {% for rewrite in rewrites -%} diff --git a/roles/xmpp_server/defaults/main.yml b/roles/xmpp_server/defaults/main.yml index 034ccdfc2f2262f66323d6ac4ab6474799cbdc00..88509fcea0c559a56a9e8c93da4063aa1c7867a3 100644 --- a/roles/xmpp_server/defaults/main.yml +++ b/roles/xmpp_server/defaults/main.yml @@ -2,5 +2,5 @@ enable_backup: False xmpp_domains: "{{ ansible_domain }}" -xmpp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_xmpp.pem') }}" -xmpp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_xmpp.key') }}" +xmpp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_xmpp.pem') }}" +xmpp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_xmpp.key') }}" diff --git a/roles/xmpp_server/tasks/main.yml b/roles/xmpp_server/tasks/main.yml index 101411052abab3e01e64d2f9bf970a622b7bdb41..e409fac5238ae0d9ec197f599513c0e253af0f4b 100644 --- a/roles/xmpp_server/tasks/main.yml +++ b/roles/xmpp_server/tasks/main.yml @@ -39,7 +39,7 @@ file: path=/usr/local/lib/prosody/modules/ state=directory mode=755 owner=root group=root - name: Deploy the Prosody mod_auth_ldap module - get_url: url=https://prosody-modules.googlecode.com/hg/mod_auth_ldap/mod_auth_ldap.lua + get_url: url=https://hg.prosody.im/prosody-modules/raw-file/tip/mod_auth_ldap/mod_auth_ldap.lua dest=/usr/local/lib/prosody/modules/mod_auth_ldap.lua - name: Set-up file permissions for the Prosody mod_auth_ldap module diff --git a/testsite/group_vars/backup.yml b/testsite/group_vars/backup.yml index 2a279710eae0b379d600403feb104d5f343218a2..b122d7e5728ecb5ab1c0d281603e5a469f98171e 100644 
--- a/testsite/group_vars/backup.yml +++ b/testsite/group_vars/backup.yml @@ -5,7 +5,7 @@ local_mail_aliases: smtp_relay_host: mail.{{ testsite_domain }} -smtp_relay_truststore: /etc/ssl/certs/ca.pem +smtp_relay_truststore: "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}" backup_clients: - server: web.{{ testsite_domain }} diff --git a/testsite/group_vars/ldap.yml b/testsite/group_vars/ldap.yml index 85af3af7a1849d8da7b5d97e014075d43c5a0d6c..701976e9062f4a2c13eb63ed228f2eeebac19df7 100644 --- a/testsite/group_vars/ldap.yml +++ b/testsite/group_vars/ldap.yml @@ -4,7 +4,7 @@ local_mail_aliases: root: "root john.doe@{{ testsite_domain }}" smtp_relay_host: mail.{{ testsite_domain }} -smtp_relay_truststore: /etc/ssl/certs/ca.pem +smtp_relay_truststore: "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}" ldap_client_config: - comment: Set the base DN diff --git a/testsite/group_vars/mail.yml b/testsite/group_vars/mail.yml index 864bedb44a7553f9d62d1dd37c0ed350f49bf136..0d61b3af58f28895f2f38f532f407f927bc3cf8f 100644 --- a/testsite/group_vars/mail.yml +++ b/testsite/group_vars/mail.yml @@ -1,7 +1,7 @@ --- mail_ldap_url: ldap://ldap.{{ testsite_domain }}/ -mail_ldap_tls_truststore: /etc/ssl/certs/ca.pem +mail_ldap_tls_truststore: "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}" mail_ldap_base_dn: "{{ testsite_ldap_base }}" mail_ldap_postfix_password: postfix mail_ldap_dovecot_password: dovecot diff --git a/testsite/group_vars/web.yml b/testsite/group_vars/web.yml index fd828e2ff4c556adff580605d219469c5b6aa0ee..2cdfde5ee47a90c1b08fdcd0a5b72d5ba9777528 100644 --- a/testsite/group_vars/web.yml +++ b/testsite/group_vars/web.yml 
@@ -5,7 +5,7 @@ local_mail_aliases: smtp_relay_host: mail.{{ testsite_domain }} -smtp_relay_truststore: /etc/ssl/certs/ca.pem +smtp_relay_truststore: "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}" default_https_tls_key: "{{ lookup('file', inventory_dir + '/tls/web.' + testsite_domain + '_https.key') }}" default_https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/web.' + testsite_domain + '_https.pem') }}" diff --git a/testsite/group_vars/xmpp.yml b/testsite/group_vars/xmpp.yml index 4229ecdf74b170996b8cd194482ac85d1a3aa3e9..8edc393bdefb0608424f8711b2eb715606652043 100644 --- a/testsite/group_vars/xmpp.yml +++ b/testsite/group_vars/xmpp.yml @@ -5,7 +5,7 @@ local_mail_aliases: smtp_relay_host: mail.{{ testsite_domain }} -smtp_relay_truststore: /etc/ssl/certs/ca.pem +smtp_relay_truststore: "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}" xmpp_administrators: - john.doe@{{ testsite_domain }}
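Review bot: the docs hunks at `@@ -845,9` and `@@ -979,9` in docs/rolereference.rst change the meaning of ``mail_ldap_tls_truststore`` and ``smtp_relay_truststore`` from a path on the target host to the PEM content itself, which is an incompatible change for any existing inventory still setting a path (the testsite group_vars in this patch had to be updated for exactly that reason); this deserves an upgrade note. The new descriptions also read "X.509 certificate chain used for issuing certificate for the ... service", but the value is consumed as ``tls_ca_cert_file`` / ``smtp_tls_CAfile``, i.e. the CA chain used to verify the certificate presented by the LDAP server or SMTP relay, so say that instead.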
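Review bot: the `notify: - Assemble Duply include patterns` added in roles/backup_client/tasks/main.yml references a handler that is not defined anywhere in this patch; confirm it already exists under roles/backup_client/handlers, because Ansible fails the play when a notified handler cannot be found. While touching this task, `mode=700` on a regular file is a directory-style mode; `0600` is the usual choice for a root-only configuration file.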
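Review bot: roles/bootstrap/handlers/main.yml is added as an empty file (the new blob is `e69de29`, the empty blob) with no content. If it is a placeholder for handlers still to come, either leave it out until they exist or give it an explicit empty list (`[]`) with a comment stating the intent, so the role does not ship a null YAML document.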
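Review bot: `update_password=on_create` in the "Set-up operating system users" task of roles/common/tasks/main.yml means a changed `item.password` in `os_users` is no longer applied to accounts that already exist, which also covers deliberate resets after a credential is rotated or suspected compromised. The default is sensible, but it needs to be stated in the ``os_users`` parameter documentation, together with how an operator forces a reset (for example a one-off run with `update_password=always`).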
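Review bot: moving the "Deploy CA certificates" task in roles/common/tasks/main.yml to `/usr/local/share/ca-certificates/{{ item.key }}.crt` is the location `update-ca-certificates` expects, but nothing removes the copies previously written to `/etc/ssl/certs/{{ item.key }}`, so hosts provisioned with the old task keep stale CA files in the system certificate directory. Add a task over the same `with_dict: ca_certificates` that sets `file: path=/etc/ssl/certs/{{ item.key }} state=absent`, so the trusted set on disk is exactly what the inventory declares.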
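Review bot: narrowing `priv` from `*.*:ALL` to `"{{ db_name }}.*:ALL"` in roles/database/tasks/main.yml is the right least-privilege change, with two caveats. In a database-level GRANT, `_` and `%` in the database name are wildcards, so a `db_name` containing an underscore also grants on every database matching the pattern; escape it as `\_` in the privilege string if such names occur. Also verify on an already-provisioned host that the previously granted global `*.*:ALL` is actually revoked on re-run, since otherwise existing users silently keep global privileges.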
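Review bot: the path in `smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore` in roles/mail_forwarder/templates/main.cf.j2 does not match the file the new task in roles/mail_forwarder/tasks/main.yml deploys, which is `/etc/ssl/certs/smtp_relay_truststore.pem` (the docs hunk states the same path). With `smtp_tls_security_level=verify` a missing CA file makes verification of the relay's certificate fail, so all outbound mail is deferred. Change the template line to `smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore.pem`.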
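Review bot: the two `copy` tasks in roles/mail_server/tasks/main.yml that replace the rsync step rely on `/var/spool/postfix/etc/ssl/certs` already existing, since `copy` does not create parent directories; the `with_items` list in the context above ends with `/var/spool/postfix/var/run/clamav`, so confirm the chroot certificate directory is in that list. Neither task has a `notify`, so after a CA rotation the new chain is written to disk but Dovecot keeps using the old `tls_ca_cert_file` until it is restarted; add `notify` entries for the Postfix and Dovecot restart handlers.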
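Review bot: the defaults in roles/php_website/defaults/main.yml and roles/wsgi_website/defaults/main.yml set `additional_nginx_config: {}`, while the documentation added in docs/rolereference.rst declares the parameter as a list with default ``[]`` and both nginx_site.j2 templates iterate it as a list of `comment`/`value` dictionaries. An empty dict iterates to nothing, so it only works by accident; use `additional_nginx_config: []` so the default matches the documented type.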
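Review bot: the `try_files` change in roles/php_website/templates/nginx_site.j2 breaks the rewrite case. When `php_rewrite_urls` is set the rendered directive is `try_files $uri $uri/ @php_rewrite =404;`, and nginx treats only the final argument as the fallback, so `@php_rewrite` is checked as a literal file under the document root and requests meant for the named location get a 404 instead. Render either the named location or the status as the last argument, e.g. `try_files $uri $uri/ {% if php_rewrite_urls %}@php_rewrite{% else %}=404{% endif %};`.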
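Review bot: the new URL in roles/xmpp_server/tasks/main.yml fetches `raw-file/tip/mod_auth_ldap/mod_auth_ldap.lua`, so every run downloads whatever the current head of prosody-modules happens to be and Prosody loads it as the authentication backend; the old URL had the same weakness, but since the line is being changed this is the moment to pin it. Replace `tip` with a specific changeset and add a checksum to the `get_url` task (its `sha256sum` or `checksum` parameter, depending on the Ansible version) so an upstream change fails the play instead of being deployed unnoticed.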
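Review bot: the identical line `smtp_relay_truststore: "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}"` is added to testsite/group_vars/backup.yml, ldap.yml, web.yml and xmpp.yml, and each of those groups already sets the same `smtp_relay_host: mail.{{ testsite_domain }}`. Define the relay host and its trust anchor once in a group_vars file shared by these hosts, so a CA change is made in one place rather than four.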