* Sets the LDAP server administrator's password.

Role dependencies

~~~~~~~~~~~~~~~~~

  ldap_server_tls_certificate: "{{ lookup('file', '~/tls/ldap.example.com_ldap.pem') }}"

  ldap_server_tls_key: "{{ lookup('file', '~/tls/ldap.example.com_ldap.key') }}"

  ldap_server_ssf: 128

  ldap_permissions:

    - >

      to *

      by dn="cn=admin,dc=example,dc=com" write

      by users read

      by * none

  ldap_entries:

    - dn: ou=people,dc=example,dc=com

      objectClass: organizationalUnit

  allows group-based granting of XMPP service to users.

Role dependencies

~~~~~~~~~~~~~~~~~

Mail Server

-----------

The ``mail_server`` role can be used for setting-up a complete mail server

solution, which includes both SMTP and IMAP service, on destination machine.

  group-based granting of mail services to users.

Role dependencies

~~~~~~~~~~~~~~~~~

  LDAP URL that should be used for connecting to the LDAP server for doing

  domain/user look-ups.

**mail_ldap_postfix_password** (string, mandatory)

  Password for authenticating the Postfix LDAP user.

**smtp_relay_host** (string, optional, ``None``)

  SMTP server via which the mails are sent out for non-local recipients.

Examples

Parameters

~~~~~~~~~~

**admin** (string, optional, ``web-{{ fqdn | replace('.', '_') }}``)

  Name of the operating system user in charge of maintaining the website. This

  user is capable of making modifications to website configuration and data

        - php5-curl

      https_tls_key: "{{ lookup('file', inventory_dir + '/tls/cloud.example.com_https.key') }}"

      https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/cloud.example.com_https.pem') }}"

    - role: php_website

      admin: admin

      deny_files_regex:

Parameters

~~~~~~~~~~

**admin** (string, optional, ``web-{{ fqdn | replace('.', '_') }}``)

  Name of the operating system user in charge of maintaining the website. This

  user is capable of making modifications to website configuration anda data

      wsgi_application: django_example_com.wsgi:application

      https_tls_key: "{{ lookup('file', inventory_dir + '/tls/wsgi.example.com_https.key') }}"

      https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/wsgi.example.com_https.pem') }}"

Database Server

    IPv4 address from which the backup client server is connecting to the backup

    server. Used for introducing stricter firewall rules.

**backup_host_ssh_private_keys** (dictionary, mandatory)

  Defines host keys used for the dedicated OpenSSH server instance for

  backup. Key values that must be provided are: **dsa**, **rsa**, **ed25519**,

- name: Configure backup patterns

  template: src="backup_patterns.j2" dest="/etc/duply/main/patterns/{{ backup_patterns_filename }}"

            owner="root" group="root" mode=700

- name: Set-up directory for storing pre-backup scripts

  file: path="/etc/duply/main/pre.d/" state=directory

- name: Set-up operating system users

  user: name="{{ item.name }}" uid="{{ item.uid | default(omit) }}" group="{{ item.name }}"

        groups="{{ ",".join(item.additional_groups | default([])) }}" append=yes shell=/bin/bash state=present

  with_items: os_users

- name: Set-up authorised keys

    - Restart SSH

- name: Deploy CA certificates

  with_dict: ca_certificates

  notify:

    - Update CA certificate cache

- name: "Create database user {{ db_name }}"

  mysql_user: name="{{ db_name }}" password="{{ db_password }}"

- name: Enable backup

  include: backup.yml

ldap_server_int_basedn: "{{ ldap_server_domain | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}"

ldap_server_organization: "Private"

ldap_server_log_level: 256

ldap_server_ssf: 128

ldap_server_consumers: []

ldap_server_groups: []

local_mail_aliases: []

smtp_relay_host: ""

- name: Purge Exim configuration

  apt: name="exim4*" state=absent purge=yes

- name: Deploy Postfix main configuration

  template: src="main.cf.j2" dest="/etc/postfix/main.cf"

  notify:

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_tls_security_level=verify

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for

# information on enabling SSL in the smtp client.

---

enable_backup: False

mail_user: vmail

imap_folder_separator: "/"

smtp_rbl: []

mail_postmaster: "postmaster@{{ ansible_domain }}"

  with_items:

    - /var/spool/postfix/var/run/clamav

- name: Deploy Postfix configurations files for LDAP look-ups

  template: src="{{ item }}.cf.j2" dest="/etc/postfix/{{ item }}.cf" owner=root group=postfix mode=640

dn = cn=dovecot,ou=services,{{ mail_ldap_base_dn }}

dnpass = {{ mail_ldap_dovecot_password }}

tls = yes

tls_require_cert = demand

auth_bind = yes

base = ou=people,{{ mail_ldap_base_dn }}

server_host = {{ mail_ldap_url }}

start_tls = yes

tls_require_cert = yes

bind = yes

bind_dn = cn=postfix,ou=services,{{ mail_ldap_base_dn }}

bind_pw = {{ mail_ldap_postfix_password }}

server_host = {{ mail_ldap_url }}

start_tls = yes

tls_require_cert = yes

bind = yes

bind_dn = cn=postfix,ou=services,{{ mail_ldap_base_dn }}

bind_pw = {{ mail_ldap_postfix_password }}

server_host = {{ mail_ldap_url }}

start_tls = yes

tls_require_cert = yes

bind = yes

bind_dn = cn=postfix,ou=services,{{ mail_ldap_base_dn }}

bind_pw = {{ mail_ldap_postfix_password }}

---

deny_files_regex: []

enforce_https: True

index: index.php

---

    user: "web-{{ fqdn | replace('.', '_') }}"

    home: "/var/www/{{ fqdn }}"

    ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;

    ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;

    {% if rewrites -%}

    # Generic URL rewrites.

    {% for rewrite in rewrites -%}

    # Serve the files.

    location ~ /(.+) {

    }

    {% if php_rewrite_urls -%}

---

enforce_https: True

packages: []

rewrites: []

    ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;

    ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;

    {% if rewrites -%}

    # Site rewrites.

    {% for rewrite in rewrites -%}

enable_backup: False

xmpp_domains: "{{ ansible_domain }}"

  file: path=/usr/local/lib/prosody/modules/ state=directory mode=755 owner=root group=root

- name: Deploy the Prosody mod_auth_ldap module

           dest=/usr/local/lib/prosody/modules/mod_auth_ldap.lua

- name: Set-up file permissions for the Prosody mod_auth_ldap module

smtp_relay_host: mail.{{ testsite_domain }}

backup_clients:

  - server: web.{{ testsite_domain }}

  root: "root john.doe@{{ testsite_domain }}"

smtp_relay_host: mail.{{ testsite_domain }}

ldap_client_config:

  - comment: Set the base DN

---

mail_ldap_url: ldap://ldap.{{ testsite_domain }}/

mail_ldap_base_dn: "{{ testsite_ldap_base }}"

mail_ldap_postfix_password: postfix

mail_ldap_dovecot_password: dovecot

smtp_relay_host: mail.{{ testsite_domain }}

default_https_tls_key: "{{ lookup('file', inventory_dir + '/tls/web.' + testsite_domain + '_https.key') }}"

default_https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/web.' + testsite_domain + '_https.pem') }}"

smtp_relay_host: mail.{{ testsite_domain }}

xmpp_administrators:

  - john.doe@{{ testsite_domain }}