.. _usage:

Usage

=====

Majic Ansible Roles are targeted at sysadmins who wish to deploy services for

their own, small-scale use. This chapter gives a simple tutorial-like set of

instructions for using all of the roles available.

.. contents:: :local:

Overview

--------

There is a number of different roles that can prove useful for setting-up a

small infrastructure of your own.

Some roles are suited for one-off operations during installation, like the

``preseed`` and ``bootstrap``, while some are better suited for periodic runs

for maintaining the users and integrity of the system.

By the end of following the instructions, you will have the following:

* Ansible server, used as controller for configuring and managing the

  remaining servers.

* Communications server, providing the LDAP, mail, and XMPP services.

* Web server, providing the web services.

* Backup server, used for storing all of the backups.

.. warning::

   Majic Ansible Roles support *only* Python 3 - both on the

   controller side and on the managed servers side.

   It is important to make sure that both the controller Python

   virtual environment used for Ansible *and* the interpreter for

   remote servers are *both* set-up to use Python 3.

   Python 3 is specified explicitly during virtual environment

   creation and in ``ansible.cfg`` configuration file

   (``interpreter_python`` option under ``defaults`` section).

Pre-requisites

--------------

For the set-up outlined in this usage guide you'll need the following:

  be installed on top of this server. The server will be set-up

  manually (this is currently out of scope for the *Majic Ansible

  Roles* automated set-up).

* Three servers where the services will be set-up. All servers must be able to

  communicate over network with each-other, the Ansible servers, and with

  usage instructions.

* All servers should be on the same network.

* IP addresses for all servers should be known.

* Netmask for all servers should be known.

* Gateway for all servers should be known.

In case of the servers listed above, it might be safest to have them as VMs -

this is cheapest thing to do, and simplest (who wants to deal with pesky hardware anyway?).

Usage instructions assume the following:

* Domain used for all servers is ``example.com``. If you wish to use a different

  domain, adjust the instructions accordingly.

* Server hostnames are ``ansible``, ``comms``, ``www``, and ``bak`` (for Ansible

  server, communications server, web server, and backup server, respectively).

Installing the OS on Ansible server

-----------------------------------

Start-off by installing the operating system on the Ansible server:

1. Fire-up the ``ansible`` server, and boot from the network installation CD.

2. Select the **Install** option.

3. Pick **English** as language.

4. Pick the country you are living in (or whatever else you want).

5. Pick the **en_US.UTF-8** locale.

6. Pick the **American English** keymap.

7. Configure the network if necessary.

8. Set the hostname to ``ansible``.

9. Set the domain to ``example.com``.

10. Set the root password.

11. Create a new user. For simplicity, call the user **Ansible user**, with

    username **ansible**.

12. Set-up partitioning in any way you want. You can go for **Guided - use

    entire disk** if you want to keep it simple and are just testing things.

13. Wait until the base system has been installed.

14. Pick whatever Debian archive mirror is closest to you.

15. If you have an HTTP proxy, provide its URL.

16. Pick if you want to participate in package survey or not.

17. Make sure that at least the **standard system utilities** and **SSH server**

    options are selected on task selection screen.

18. Wait for packages to be installed.

19. Install the GRUB boot loader on MBR.

20. Finalise the server install, and remove the installation media from server.

Installing required packages

----------------------------

With the operating system installed, it is necessary to install a couple of

packages, and to prepare the environment a bit on the Ansible server:

1. Install the necessary system packages (using the ``root`` account)::

     apt-get install -y virtualenv virtualenvwrapper git python3-pip python3-dev libffi-dev libssl-dev

   .. warning::

      If you are already logged-in as user ``ansible`` in the server, you will

      need to log-out and log-in again in order to be able to use

      ``virtualenvwrapper`` commands!

   ::

     mkdir ~/mysite/

     mkvirtualenv -p /usr/bin/python3 -a ~/mysite/ mysite

     pip install -U pip setuptools

     pip install 'ansible~=2.9.0' dnspython

.. warning::

   The ``dnspython`` package is important since it is used internally via

   ``dig`` lookup plugin.

Cloning the *Majic Ansible Roles*

---------------------------------

With most of the software pieces in place, the only missing thing is the Majic

Ansible Roles:

1. Clone the git repository::

     git clone https://code.majic.rs/majic-ansible-roles ~/majic-ansible-roles

2. Checkout the correct version of the roles::

     cd ~/majic-ansible-roles/

     git checkout -b 7.0-dev 7.0-dev

Preparing the basic site configuration

--------------------------------------

Phew... Now that was a bit tedious and boring... But at least you are now ready

to set-up your own site :)

First of all, let's set-up some basic directory structure and configuration:

1. Create Ansible configuration file.

   .. warning::

      Since Ansible 2.x has introduced much stricter controls over security of

      deployed Python scripts, it is recommended (as in this example) to use the

      ``pipelining`` option (which should also improve performance). This is in

      particular necessary in cases where the SSH user connecting to remote

      machine is *not* ``root``, but there are tasks that use ``become`` with

      non-root ``become_user`` (which is the case in Majic Ansible Roles). See

      `official documentation

      <https://docs.ansible.com/ansible/latest/become.html#becoming-an-unprivileged-user>`_

      and other alternatives to this.

   :file:`~/mysite/ansible.cfg`

   ::

     [defaults]

     roles_path=/home/ansible/majic-ansible-roles/roles:/home/ansible/mysite/roles

     force_handlers = True

     inventory = /home/ansible/mysite/hosts

     interpreter_python = /usr/bin/python3

     [ssh_connection]

     pipelining = True

2. Create directory where retry files will be stored at (so they woudln't

   pollute your home directory)::

     mkdir ~/mysite/retry

3. Create the inventory file.

   :file:`~/mysite/hosts`

   ::

     [preseed]

     localhost ansible_connection=local

     [communications]

     comms.example.com

     [web]

     www.example.com

     [backup]

     bak.example.com

4. Create a number of directories for storing playbooks, group

   variables, SSH keys, X.509 artefacts (for TLS), and GnuPG keyring

   (we'll get to this later)::

     mkdir ~/mysite/playbooks/

     mkdir ~/mysite/group_vars/

     mkdir ~/mysite/ssh/

     mkdir ~/mysite/tls/

     mkdir ~/mysite/gnupg/

5. Create SSH private/public key pair that will be used by Ansible for

   connecting to destination servers, as well as for some roles::

     ssh-keygen -f ~/.ssh/id_rsa -N ''

Protecting communications using TLS

-----------------------------------

In order to protect the communications between users and servers, as

well as between servers themselves, it is important to set-up and

properly configure TLS for each role.

*Majic Ansible Roles* mandates use of TLS wherever possible. In other

words, *you must* have TLS private keys and certificates issued by

some CA for all servers in order to be able to use most of the

roles. The private keys and certificates are primarily meant to be

generated *per service*, and that is the approach we will pursue here

as well.

TLS private keys should be ideally generated locally and kept in a

safe environment (possibly encrypted until needed), while the X.509

certificates should be issued by a relevant certification

authority. You can choose to roll-out your own CA, use one of the

public CAs, or perhaps go for a mix of both.

For the purpose of this guide, we'll set-up a small simple local CA to

issue all the necessary certificates, and we'll generate the private

keys and issue server certificates on the go as needed, storing them

all under the ``~/mysite/tls/`` directory.

So, let us make a slight detour to create a CA of our own:

1. First off, install a couple more tools on the Ansible server. We

   will be using ``certtool`` for our improvised CA needs (run this as

   ``root``)::

     apt-get install -y gnutls-bin

2. Create a template for the ``certtool`` so it would know what

   extensions and content to have in the CA certificate:

   :file:`~/mysite/tls/ca.cfg`

   ::

      organization = "Example Inc."

      country = "SE"

      cn = "Example Inc. Test Site CA"

      expiration_days = 1825

      ca

      cert_signing_key

      crl_signing_key

3. Almost there... Now let us generate the CA private key and

   self-signed certificate::

     certtool --sec-param high --generate-privkey --outfile ~/mysite/tls/ca.key

     certtool --template ~/mysite/tls/ca.cfg --generate-self-signed --load-privkey ~/mysite/tls/ca.key --outfile ~/mysite/tls/ca.pem

4. And just one more small tweak - we need to provide a truststore PEM

   file containing all CA certificates in the chain for services to be

   able to connect to each-other (where necessary). In this particular

   case we have a super-simple hierarchy (root CA is also issuing the

   end entity certificates), so simply make a copy of the ``ca.pem``::

     cp ~/mysite/tls/ca.pem ~/mysite/tls/truststore.pem

.. note::

   A useful feature that all roles implement is a check to see if

   certificates will expire within the next 30 days. This check is

   performed via cronjob at midnight, and failing results will end-up

   being delivered to the ``root`` user on local server. Later on,

   once you have configured the mail server, you should be able to

   set-up the necessary aliases to have the mails delivered to

   non-local accounts too.

Preseed files

-------------

The ``preseed`` role is useful for generating Debian preseed files. Preseed

files can be used for automating the Debian installation process.

Preseed files are created on the Ansible controller, and then supplied

to Debian installer.

So, let's set this up for start:

1. First of all, create the playbook for generating the preseed files locally.

   :file:`~/mysite/playbooks/preseed.yml`

   ::

      ---

      - hosts: preseed

        roles:

          - preseed

2. Now we need to configure the role. Two parameters are mandatory -

   one that specifies where the preseed files are to be stored, and

   one that specifies the public key that should be used to

   pre-populate the SSH authorized keys for the ``root`` account. This

   is required for the initial bootstrap of servers because Debian

   GNU/Linux does not by default allow the ``root`` user to

   authenticate via SSH using a password. We will use the SSH public

   key generated earlier via the ``ssh-keygen`` command. Create the

   configuration file:

   :file:`~/mysite/group_vars/preseed.yml`

   ::

      ---

      # Public key used to authenticate remote logins via SSH for the

      # root account.

      ansible_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

      # Directory where the preseed files will be output to.

      preseed_directory: "~/mysite/preseed_files/"

3. Now we can generate the pressed files::

     workon mysite && ansible-playbook playbooks/preseed.yml

4. If all went well, you should have the following files created:

   * :file:`~/mysite/preseed_files/comms.example.com.cfg`

   * :file:`~/mysite/preseed_files/www.example.com.cfg`

   * :file:`~/mysite/preseed_files/bak.example.com.cfg`

5. You can have a look at them, but you might notice the settings in the file

   might not be to your liking. In particular, it could be using wrong timezone,

   defaulting to DHCP for network configuration etc. Let's concentrate on making

   the network configuration changes - this is the main thing that will probably

   differ in your environment. Update the preseed configuration file:

   :file:`~/mysite/group_vars/preseed.yml`

   ::

      ---

      # Public key used to authenticate remote logins via SSH for the

      # root account.

      ansible_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

      # Directory where the preseed files will be output to.

      preseed_directory: "~/mysite/preseed_files/"

      # Set your default (initial) root password.

      preseed_root_password: changeit

      # Use manual network configuration (no DHCP).

      preseed_network_auto: no

      # Set the gateway for all servers.

      preseed_gateway: 10.32.64.1

      # Set the netmask for all servers.

      preseed_netmask: 255.255.255.0

      # Set the DNS for all servers.

      preseed_dns: 10.32.64.1

      # Set the domain for all servers.

      preseed_domain: example.com

      # Set the server-specific options.

      preseed_server_overrides:

        comms.example.com:

          hostname: comms

          ip: 10.32.64.19

        www.example.com:

          hostname: www

          ip: 10.32.64.20

        bak.example.com:

          hostname: bak

          ip: 10.32.64.23

6. Now re-run the preseed playbook::

     workon mysite && ansible-playbook playbooks/preseed.yml

7. The preseed files should have been updated now, and you should have the new

   customised configuration files in the ``preseed_files`` directory. You can

   now use these to install the servers.

Installing the servers with preseed files

-----------------------------------------

You have your preseed files now, so you can go ahead and install the

servers ``comms.example.com``, ``www.example.com``, and

``bak.example.com`` using them with network install CD. Have a look at

`Debian instructions

more details.

If you need to, you can easily serve the preseed files from the Ansible server

with Python's built-in HTTP server::

  cd ~/mysite/preseed_files/

  python3 -m http.server 8000

Then you can point installer to the preseed file selecting the

``Advanced options -> Automated install`` (don't press ``ENTER`` yet),

then pressing ``TAB``, and appending the following at the end (just

fill-in the correct hostname - ``comms``, ``www``, or ``bak``)::

  url=http://ansible.example.com:8000/HOSTNAME.example.com.cfg

Bootstrapping servers for Ansible set-up

----------------------------------------

In order to effectively use Ansible, a small initial bootstrap always has to be

done for managed servers. This mainly involves set-up of Ansible users on the

destination machine, and distributing the SSH public keys for authorisation.

When you use the preseed configuration files to deploy a server, you get the

benefit of having the authorized_keys set-up for the root operating system user,

making it easier to bootstrap the machines subsequently via Ansible.

Let's bootstrap our machines now:

1. For start, create a dedicated playbook for the bootstrap process.

   :file:`~/mysite/playbooks/bootstrap.yml`

   ::

      ---

      - hosts:

          - communications

          - web

          - backup

        remote_user: root

        roles:

          - bootstrap

2. The ``bootstrap`` role has only one parameter - an SSH key which

   should be deployed for the Ansible user on managed server (in the

   ``authorized_keys`` file). Since this role is applied against all

   servers, we will use the same value everywhere. Configure the role:

   :file:`~/mysite/group_vars/all.yml`

   ::

      ---

      ansible_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

3. SSH into all machines at least once from the Ansible server in order to

   store the SSH fingerprints into known hosts file::

     ssh root@comms.example.com date && \

     ssh root@www.example.com date && \

     ssh root@bak.example.com date

4. Now, simply run the bootstrap role against the servers::

     workon mysite && ansible-playbook playbooks/bootstrap.yml

6. At this point you won't be able to ssh into the machines with the

   ``root`` account anymore. You will be able to ssh into the machines

   using the ``ansible`` user (from the Ansible server). The

   ``ansible`` user will also be granted ability to run the ``sudo``

   commands without providing password.

7. Now you can finally move on to configuring what you really want -

   common configuration and services for your site.

Common server configuration

---------------------------

Each server needs to share some common configuration in order to be functioning

properly. This includes set-up of some shared accounts, perhaps some hardening

etc.

.. note::

   Should you ever need to limit what hosts can connect to a server

   for some kind of maintenance or upgrade purposes, the ``common``

   role comes with ``maintenance`` and ``maintenance_allowed_hosts``

   parameters. See :ref:`rolereference` for more information.

Let's take care of this common configuration right away:

1. Create playbook for the communications server:

   :file:`~/mysite/playbooks/communications.yml`

   ::

      ---

      - hosts: communications

        remote_user: ansible

        become: yes

        roles:

          - common

2. Create playbook for the web server:

   :file:`~/mysite/playbooks/web.yml`

   ::

      ---

      - hosts: web

        remote_user: ansible

        become: yes

        roles:

          - common

3. Create playbook for the backup server:

   :file:`~/mysite/playbooks/backup.yml`

   ::

      ---

      - hosts: backup

        remote_user: ansible

        become: yes

        roles:

          - common

4. Create the global site playbook:

   :file:`~/mysite/playbooks/site.yml`

   ::

      ---

      - import_playbook: preseed.yml

      - import_playbook: communications.yml

      - import_playbook: web.yml

      - import_playbook: backup.yml

5. Time to create configuration for the role. Since this role is supposed to

   set-up a common base, we'll set-up the variables file that applies to all

   roles:

   :file:`~/mysite/group_vars/all.yml`

   ::

      ---

      ansible_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

      os_users:

        - name: admin

          uid: 1000

          additional_groups:

            - sudo

          authorized_keys:

            - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

          password: "{{ 'admin' | password_hash('sha512') }}"

      common_packages:

      ca_certificates:

        truststore: "{{ lookup('file', '~/mysite/tls/truststore.pem') }}"

   .. note::

      The ``common`` role comes with ability to set-up time

      synchronisation using NTP. This is not done by default. For

      details see the role parameter ``ntp_servers``.

   .. note::

      The ``ca_certificates`` parameter lets us deploy custom CA

      certificates on servers. The name we pick (in this case

      ``truststore``) can be set to anything. In this particular case,

      we want to deploy our own CA certificate for use as truststore,

      since this is what the services will use to validate server

      certificates when connecting to each-other.

6. That's all for configuration, time to apply the changes::

     workon mysite && ansible-playbook playbooks/site.yml

7. After this you should be able to *ssh* from Ansible server onto the

   managed servers as user ``admin`` using the *SSH* private key of

   the ``ansible`` user on controller machine. The ``admin`` user's

   password has also been set to ``admin``, and the user will be

   member of ``sudo`` group.

   .. note::

      Remote logins over SSH using password authentication are

      explicitly disabled as part of common set-up/hardening.

Introducing LDAP

----------------

Since some of the services actually depend on LDAP, we'll go ahead and set that

one up first. This includes both the LDAP *server* and *client* configuration.

1. Update the playbook for communications server to include the LDAP client and

   server roles (``ldap_client`` and ``ldap_server``, respectively).

   :file:`~/mysite/playbooks/communications.yml`

   ::

      ---

      - hosts: communications

        remote_user: ansible

        become: yes

        roles:

          - common

          - ldap_client

          - ldap_server

2. Update the playbook for web server to include the LDAP client role

   (``ldap_client``). You never know when it might come in handy :)

   :file:`~/mysite/playbooks/web.yml`

   ::

      ---

      - hosts: web

        remote_user: ansible

        become: yes

        roles:

          - common

          - ldap_client

3. Time to configure the roles. For start, let us configure the LDAP

   server role. Keep in mind that there is a lot of default variables

   set-up by the role itself, making our config rather short. The

   ``ldap_server_domain`` parameter will be used to form the base DN

   of the LDAP directory (resulting in ``dc=example,dc=com``).

   :file:`~/mysite/group_vars/communications.yml`

   ::

      ---

      ldap_admin_password: admin

      ldap_server_domain: example.com

      ldap_server_organization: "Example Inc."

      ldap_server_tls_certificate: "{{ lookup('file', '~/mysite/tls/comms.example.com_ldap.pem') }}"

      ldap_server_tls_key: "{{ lookup('file', '~/mysite/tls/comms.example.com_ldap.key') }}"

4. Phew. That was... Well, actually, easy :) Technically, only the

   LDAP admin password, domain, and TLS certificate/key *must* be set,

   but it is nice to have organisation explicitly specified as well

   (instead of using whatever Debian picks as default). Let us add the

   LDAP client configuration next. We will start off with global LDAP

   client configuration. In case of the LDAP client role, we have got

   to be a bit more explicit.

   :file:`~/mysite/group_vars/all.yml`

   ::

      # Observe how we set the base DN. By default the ldap_server role

      # (defined up there) will use server's domain to form the base for LDAP.

      ldap_client_config:

        - comment: Set the base DN

          option: BASE

          value: dc=example,dc=com

        - comment: Set the default URI

          option: URI

          value: ldap://comms.example.com/

        - comment: Set the LDAP TLS truststore

          option: TLS_CACERT

          value: /etc/ssl/certs/truststore.pem

        - comment: Enforce TLS

          option: TLS_REQCERT

          value: demand

5. Ok, so this looks nice and dandy... But, let's have a bit better

   configuration on the communications server itself. Namely, on that

   one we should be able to connect to the LDAP server via unix socket

   instead of TCP.

   :file:`~/mysite/group_vars/communications.yml`

   ::

      ldap_client_config:

        - comment: Set the base DN

          option: BASE

          value: dc=example,dc=com

        - comment: Set the default URI

          option: URI

          value: ldapi:///

        - comment: Set the default bind DN, useful for administration.

          option: BINDDN

          value: cn=admin,dc=example,dc=com

        - comment: Set the LDAP TLS truststore

          option: TLS_CACERT

          value: /etc/ssl/certs/truststore.pem

        - comment: Enforce TLS

          option: TLS_REQCERT

          value: demand

6. Ok, time to re-run the playbooks again... Wait a minute, something

   is missing here... Ah, right, we have to generate the TLS private

   key and issue the X.509 certificate.

   1. Create template for the ``certtool`` so it would know what

      extensions and content to have in the certificate:

      :file:`~/mysite/tls/comms.example.com_ldap.cfg`

      ::

         organization = "Example Inc."

         country = SE

         cn = "Exampe Inc. LDAP Server"

         expiration_days = 365

         dns_name = "comms.example.com"

         tls_www_server

         signing_key

         encryption_key

   2. Almost there... Now let us generate the key and issue the certificate::

        certtool --sec-param normal --generate-privkey --outfile ~/mysite/tls/comms.example.com_ldap.key

        certtool --generate-certificate --load-ca-privkey ~/mysite/tls/ca.key --load-ca-certificate ~/mysite/tls/ca.pem --template ~/mysite/tls/comms.example.com_ldap.cfg --load-privkey ~/mysite/tls/comms.example.com_ldap.key --outfile ~/mysite/tls/comms.example.com_ldap.pem

7. And now, for the finishing touch, just run the playbooks again::

     workon mysite && ansible-playbook playbooks/site.yml

Adding mail server

------------------

The next thing in line is to implement the mail server capability. *Majic

Ansible Roles* come with two distinct mail server-related roles. One for

setting-up a mail server host (with authenticated IMAP, SMTP, mail storage etc),

and one for setting-up a local SMTP mail forwarder (for having the rest of your

servers relay their mails to the mail server host).

.. note::

   Should you ever need to deploy the forwarder role on a laptop or

   machine behind NAT, make sure to look at the

   ``smtp_from_relay_allowed`` parameter. In case you need to connect

   to the SMTP relay via non-standard port (for example to work-around

   ISP blocks), have a look at the ``smtp_relay_host_port`` parameter.

The mail server role looks-up available mail domains, users, and aliases in the

LDAP directory. This has already been set-up on the server

``comms.example.com``, but some changes will be required.

1. Update the playbook for communications server to include the mail server

role.

    :file:`~/mysite/playbooks/communications.yml`

    ::

      ---

      - hosts: communications

        remote_user: ansible

        become: yes

        roles:

          - common

          - ldap_client

          - ldap_server

          - mail_server

2. Let's configure the role next.

   :file:`~/mysite/group_vars/communications.yml`

   ::

      # Set the LDAP URL to connect through. Keep in mind TLS is required.

      mail_ldap_url: ldap://comms.example.com/

      # Here we need to point to the base DN of LDAP server. A bunch of entries

      # will need to exist under it for service to function correctly, though.

      mail_ldap_base_dn: dc=example,dc=com

      # Separate LDAP entries are used for Postfix/Dovecot

      # authentication. Therefore we have two passwords here.

      mail_ldap_postfix_password: postfix

      mail_ldap_dovecot_password: dovecot

      # Setting uid/gid is optional, but you might have a policy on how to

      # assign UIDs and GIDs, so it is convenient to be able to change this.

      mail_user_uid: 5000

      mail_user_gid: 5000

      # Set private keys and certificates to use for the IMAP service.

      imap_tls_certificate: "{{ lookup('file', '~/mysite/tls/comms.example.com_imap.pem') }}"

      imap_tls_key: "{{ lookup('file', '~/mysite/tls/comms.example.com_imap.key') }}"

      # Set private keys and certificates to use for the SMTP service.

      smtp_tls_certificate: "{{ lookup('file', '~/mysite/tls/comms.example.com_smtp.pem') }}"

      smtp_tls_key: "{{ lookup('file', '~/mysite/tls/comms.example.com_smtp.key') }}"

      # Set the X.509 certificate truststore to use for validating the

      # LDAP server certificate.

      mail_ldap_tls_truststore: "{{ lookup('file', '~/mysite/tls/truststore.pem') }}"

3. There are two distinct mail services that need to access the LDAP directory -

   *Postfix* (serving as an SMTP server), and *Dovecot* (serving as an IMAP

   server). These two need their own dedicated LDAP entries on the LDAP server in

   order to log-in. Luckily, it is easy to create such entries through the options

   provided by the LDAP server role. In addition to this, the Postfix and Dovecot

   services will check if users are members of ``mail`` group in LDAP directory

   before accepting them as valid mail users. Once again, the LDAP server role

   comes with a simple option for creating groups.

   :file:`~/mysite/group_vars/communications.yml`

   ::

      # Don't forget, the passwords here must match with passwords specified

      # under options mail_ldap_postfix_password/mail_ldap_dovecot_password.

      ldap_server_consumers:

        - name: postfix

          password: postfix

        - name: dovecot

          password: dovecot

      ldap_server_groups:

        - name: mail

4. Ok, so now our SMTP and IMAP service can log-in into the LDAP server to

   look-up the mail server information. We have also defined the mail group for

   limitting which users get mail service. However, we don't have any

   user/domain information yet. So let's change that, using the ``ldap_entries``

   option from LDAP server role.

   .. warning::

      Long-term, you probably want to manage these entries manually or through

      other means than the ``ldap_entries`` option. The reason for this is

      because this type of data in LDAP directory can be considered more of an