which allows ICMP echo requests (PING), incoming connection on TCP port 22

  (SSH), and also introduces rate-limitting for incoming ICMP echo request

  pacakges and (new) TCP connections. The rate-limitting is based on the source

  IP address, using the ``iptables hashlimit`` module.

Backups

~~~~~~~

If the backup for this role has been enabled, the following paths are backed-up:

**/var/log**

* Configures permissions.

* Creates LDAP entries.

* Configures firewall to allow incoming connections to the LDAP server.

* Sets the LDAP server administrator's password.

Backups

~~~~~~~

If the backup for this role has been enabled, the following paths are backed-up:

**/srv/backup/slapd.bak**

* User entries are read from sub-tree (first-level only)

  ``ou=people,XMPP_LDAP_BASE_DN``. Query filter used for finding users is

  ``(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,XMPP_LDAP_BASE_DN))``. This

  allows group-based granting of XMPP service to users.

Backups

~~~~~~~

If the backup for this role has been enabled, the following paths are backed-up:

**/var/lib/prosody/**

* User entries are read from sub-tree (first-level only)

  ``ou=people,MAIL_LDAP_BASE_DN``. Query filter used for finding users is

  ``(&(mail=%s)(memberOf=cn=mail,ou=groups,MAIL_LDAP_BASE_DN))``. This allows

  group-based granting of mail services to users.

Backups

~~~~~~~

If the backup for this role has been enabled, the following paths are backed-up:

**/var/{{ mail_user }}**

* Local destinations are set-up.

* A relay host is set.

* TLS is enforced for relaying mails, with configurable truststore for server

  certificate verification.

Parameters

~~~~~~~~~~

**local_mail_aliases** (dictionary, optional, ``[]``)

  Dictionary defining the local aliases. Aliases defined this way will either be

  appended to default aliases on the server, or replace the existing entries (if

* Configures firewall to allow incoming connections to the web server.

* Installs and configures virtualenv and virtualenvwrapper as a common base for

  Python apps.

* Installs and configures PHP FPM as a common base for PHP apps.

Parameters

~~~~~~~~~~

**default_https_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_https.key``)

  Path to file on Ansible host that contains the private key used for TLS for

  HTTPS service. The file will be copied to directory

  honored. **Do not move the files, the permissions will not be set correctly.**

* Within the website directory, nginx/php5-fpm will expect to find the relevant

  files within the htdocs sub-directory (this can be symlink too).

* nginx communicates with PHP FPM over a dedicated Unix socket for each website.

Parameters

~~~~~~~~~~

**admin** (string, optional, ``web-{{ fqdn | replace('.', '_') }}``)

  Name of the operating system user in charge of maintaining the website. This

  user is capable of making modifications to website configuration and data

* Within the website directory, systemd service will expect to find the website

  code within the ``code`` sub-directory (this can be symlink too).

* nginx communicates with WSGI server over a dedicated Unix socket for each

  website.

Parameters

~~~~~~~~~~

**admin** (string, optional, ``web-{{ fqdn | replace('.', '_') }}``)

  Name of the operating system user in charge of maintaining the website. This

  user is capable of making modifications to website configuration anda data

* Configures MariaDB server and client to use *UTF-8* encoding by default.

* Sets password for the database root user.

* Deploys MariaDB client configuration in location ``/root/.my.cnf`` that

  contains username and password for the root database user.

Parameters

~~~~~~~~~~

**db_root_password** (string, mandatory)

  Password for the *root* database user.

* Creates a dedicated user capable of performing any operation on the created

  database. Username is set to be same as the name of database.

* Sets-up pre-backup task that creates database dump in location

  ``/srv/backup/mariadb/{{ db_name }}.sql``.

Backups

~~~~~~~

If the backup for this role has been enabled, the following paths are backed-up:

**/srv/backup/maraidb/{{ db_name }}.sql**

  clients. The instance listens on TCP port ``2222``.

* Updates firewall to allow incoming TCP connections to port

  ``2222``. Connections are allowed only from the configured IP addresses

  associated with backup clients.

Parameters

~~~~~~~~~~

**backup_clients** (list, optional)

  List of backup clients that are connecting to the backup server. This is

  usually done on a per-server basis. Each item in the list is a dictionary

---

allow_duplicates: yes

dependencies:

  - role: backup_client

    when: enable_backup

    backup_patterns_filename: "database_{{ db_name }}"

    backup_patterns:

      - "/srv/backup/mariadb/{{ db_name }}.sql"