Breaking changes:

* Switched to Ansible 2.9.x, removing support for older versions. All

  documentation has been updated.

* Switched to using Python 3 on both controller and managed server

  side. Python 2.7 can no longer be used for this purpose. Support for

  WSGI applications running on Python 2.7 remains.

* All roles

  * Support for Debian 8 Jessie has been dropped.

Bug fixes:

* ``common`` role

  * Run apticron at least once during initial installation to avoid

    accidental locking later on during the same playbook run.

New features/improvements:

* Tests have been updated to work with latest Molecule/Testinfra as

  part of the Ansible upgrade process.

* Deploys XMPP TLS private key and certificate.

* Installs Prosody.

* Configures Prosody.

* Configures firewall to allow incoming connections to the XMPP server.

Prosody is configured as follows:

* Modules enabled: roster, saslauth, tls, dialback, posix, private, vcard,

  version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth.

* Self-registration is not allowed.

* TLS is configured. Legacy TLS is available on port 5223.

* Client-to-server communication requires encryption (TLS).

* Authentication is done via LDAP. For setting the LDAP TLS truststore, see

  :ref:`LDAP Client <ldap_client>`.

* Internal storage is used.

* For each domain specified, a dedicated conference/multi-user chat (MUC)

  service is set-up, with FQDN set to ``conference.DOMAIN``.

* For each domain specified, a dedicated file proxy service will be set-up, with

  FQDN set to ``proxy.DOMAIN``.

.. warning::

   Since it is not possible to set-up separate TLS configuration for *c2s* and

   *s2s* connections in Prosody 0.9.x, no hardening of TLS is performed in order

   to improve interoperability. This will be changed in Prosody 0.10.x, at which

  submission port), as well as redirection from TCP port 27 to TCP port 25

  (alternate SMTP port), useful as workaround for ISP/hotel blocks.

Deployed services are configured as follows:

* Both Postfix and Dovecot look-up available domains, users, and aliases in

  LDAP.

* Incoming and outgoing mail is scanned with ClamAV (via ClamAV

  Milter). Infected mails are rejected.

* Mail is stored in directory ``/var/MAIL_USER/DOMAIN/USER``, using ``Maildir``

  format.

* TLS is required for user log-ins for both SMTP and IMAP.

* For user submission (SMTP), users must connect and authenticate over TCP

  port 587.

* Configures TLS versions and ciphers supported by Dovecot.

* Configures TLS versions and ciphers supported by Postfix on submission port

  (587). TLS configuration on port 25 is kept intact in order to maintain maximum

  interoperability with other servers.

* RBL's are used for combating spam (if any is specified in configuration, see

  below).

* Postfix is configured to deliver undeliverable bounces to postmaster. This

  helps with detecting misconfigured applications and servers.

Both Postfix and Dovecot expect a specific directory structure in LDAP when

* Sets-up aliases for the local recipients.

* Installs SWAKS (utility for testing SMTP servers).

* Configures firewall to accept SMTP connections from SMTP relay (if one has

  been configured). This allows for delivery of bounced e-mails.

Postfix is configured as follows:

* Local destinations are set-up.

* A relay host is set.

* TLS is enforced for relaying mails, with configurable truststore for server

  certificate verification if SMTP relay is used. If SMTP relay is not used

  (configured), no certificate verification is done.

Role dependencies

~~~~~~~~~~~~~~~~~

Depends on the following roles:

* **common**

Parameters

~~~~~~~~~~

The ``web_server`` role can be used for setting-up a web server on destination

machine.

The role is supposed to be very lightweight, providing a basis for deployment of

web applications.

The role implements the following:

* Installs and configures nginx with a single, default vhost with a small static

  index page.

* Deploys the HTTPS TLS private key and certificate (for default vhost).

* Configures TLS versions and ciphers supported by Nginx.

* Configures firewall to allow incoming connections to the web server.

* Installs and configures virtualenv and virtualenvwrapper as a common base for

  Python apps.

* Installs and configures PHP FPM as a common base for PHP apps.

Role dependencies

~~~~~~~~~~~~~~~~~

Depends on the following roles:

* **common**