mail_user_uid: 5000

  mail_user_gid: 5000

  imap_tls_certificate: ~/tls/mail.example.com_imap.pem

  imap_tls_key: ~/tls/mail.example.com_imap.key

  smtp_tls_certificate: ~/tls/mail.example.com_smtp.pem

  smtp_tls_key: ~/tls/mail.example.com_smtp.key

  imap_folder_separator: /

  smtp_rbl:

    - bl.spamcop.net

    - zen.spamhaus.org

  mail_postmaster: postmaster@example.com

  smtp_allow_relay_from:

    - ldap.example.com

    - xmpp.example.com

Mail Forwarder

--------------

The ``mail_forwarder`` role can be used for setting-up a local SMTP server for

sending out mails and receiving mails for local users. The SMTP server is

provided by Postfix.

SMTP service on server set-up this way is not meant to be exposed to the

Internet directly, and should receive delivery failures from the relay server

instead.

The role implements the following:

* Installs and configures Postfix.

* Purges Exim4 configuration (just in case).

* Sets-up aliases for the local recipients.

* Installs SWAKS (utility for testing SMTP servers).

Postfix is configured as follows:

* Local destinations are set-up.

* A relay host is set.

* TLS is enforced for relaying mails, with configurable truststore for server

  certificate verification.

Parameters

~~~~~~~~~~

**local_mail_aliases** (dictionary, mandatory)

  Dictionary defining the local aliases. Aliases defined this way will either be

  appended to default aliases on the server, or replace the existing entries (if

  the alias/recipient is already present). Keys in the dictionary are the local

  recipients/aliases, while the value provided should be a space-separated list

  of mail addresses (or local users) where the mails should be forwarded.

**smtp_relay_host** (string, mandatory)

  SMTP server via which the mails are sent out for non-local recipients.

**smtp_relay_truststore** (string, mandatory)

  Path to the file containing full X.509 CA certificate chain used for

  validating the server certificate presented by the relay server.

Examples

~~~~~~~~

Here is an example configuration for setting-up the mail forwarder:

.. code-block:: yaml

  ---

  # All mails sent to local user root will be forwarded to external account as

  # well.

  local_mail_aliases:

    root: "root john.doe@example.com"

  smtp_relay_host: mail.example.com

  smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem

Web Server

----------

The ``web_server`` role can be used for setting-up a web server on destination

machine.

The role is supposed very lightweight, providing a basis for deployment of web

applications.

The role implements the following:

* Installs and configures nginx with a single, default vhost with a small static

  index page.

* Deploys the HTTPS TLS private key and certificate (for default vhost).

* Configures firewall to allow incoming connections to the web server.

Parameters

~~~~~~~~~~

**https_tls_key** (string, mandatory)

  Path to file on Ansible host that contains the private key used for TLS for

  HTTPS service. The file will be copied to directory ``/etc/ssl/private/``.

**https_tls_certificate** (string, mandatory)

  Path to file on Ansible host that contains the X.509 certificate used for TLS

  for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``.

**web_default_title** (string, mandatory)

  Title for the default web page shown to users (if no other vhosts were matched).

**web_default_message** (string, mandatory)

  Message for the default web page shown to users (if no other vhosts were

  matched).

Examples

~~~~~~~~

Here is an example configuration for setting-up XMPP server using Prosody:

.. code-block:: yaml

  ---

  https_tls_key: "{{ inventory_dir }}/tls/web.example.com_https.key"

  https_tls_certificate: "{{ inventory_dir }}/tls/web.example.com_https.pem"

  web_default_title: "Welcome to Example Inc."

  web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."

---

- name: Restart nginx

  service: name=nginx state=restarted

---

- name: Install nginx

  apt: name=nginx state=installed

- name: Allow nginx user to traverse the directory with TLS private keys

  user: name=www-data append=yes groups=ssl-cert

  notify:

    - Restart nginx

- name: Deploy nginx TLS private key

  copy: dest="/etc/ssl/private/{{ https_tls_key | basename }}" src="{{ https_tls_key }}"

        mode=640 owner=root group=root

  notify:

    - Restart nginx

- name: Deploy nginx TLS certificate

  copy: dest="/etc/ssl/certs/{{ https_tls_certificate | basename }}" src="{{ https_tls_certificate }}"

        mode=644 owner=root group=root

  notify:

    - Restart nginx

- name: Deploy default vhost configuration

  template: src="nginx-default.j2" dest="/etc/nginx/sites-available/default"

             owner=root group=root mode=644

  notify:

    - Restart nginx

- name: Deploy firewall configuration for web server

  copy: src="ferm_http.conf" dest="/etc/ferm/conf.d/30-web.conf" owner=root group=root mode=640

  notify:

    - Restart ferm

- name: Remove the default Debian html files

  file: path="{{ item }}" state=absent

  with_items:

    - /var/www/html/index.nginx-debian.html

    - /var/www/html/

- name: Create directory for storing the default website page

  file: path="/var/www/default/" state=directory

        owner=root group=www-data mode=750

- name: Deploy the default index.html

  template: src="index.html.j2" dest=/var/www/default/index.html

            owner=root group=www-data mode=640

- name: Enable nginx service

  service: name=nginx enabled=yes state=started

---

# Configuration for roles bootstrap and preseed.

ansible_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

# Configuration for role 'common', shared across all servers.

os_users:

  - name: admin

    uid: 1000

    additional_groups: sudo

    authorized_keys:

      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

    password: '$6$/aerscJY6aevRG$ABBCymEDtk2mHW/dklre9dMEdgZNJvVHsGLCzgjGmy61FssZ.KW7ePcO2wsMGIkHcg3mZlrA4dhYh.APq9OQu0'

  - name: johndoe

    uid: 1001

    additional_groups: "office,developer"

    authorized_keys: []

    password: '$6$cJnUatae7cMz23fl$O3HE2TslnEaKaTDSZnvuDDrfqILAiuMV1wOPGVnkUQFxUu3gIWZOyO7AI1OWYkqeQMVBiezpSqYNiQy6NF6bi0'

os_groups:

  - name: office

    gid: 2000

  - name: developer

    gid: 2001

common_packages:

  - emacs24-nox

  - screen

  - debconf-utils

ca_certificates:

  - "{{ inventory_dir }}/tls/example_ca_chain.pem"

incoming_connection_limit: 2/second

incoming_connection_limit_burst: 6