
merge conflict with task common

master
LecygneNoir 9 years ago
parent
commit
fc360da05a
54 changed files with 3294 additions and 594 deletions
  1. +84
    -0
      README.md
  2. +37
    -3
      host_vars/localhost.example
  3. +1
    -0
      mail.yml
  4. +11
    -0
      mariadb.yml
  5. +14
    -0
      owncloud.yml
  6. +5
    -6
      postint.yml.README
  7. +3
    -0
      roles/common/files/root-.bashrc
  8. +66
    -0
      roles/common/files/root-.inputrc
  9. +4
    -1
      roles/common/handlers/main.yml
  10. +27
    -36
      roles/common/tasks/main.yml
  11. +4
    -5
      roles/common/templates/etc-ntp.conf.j2
  12. +139
    -0
      roles/ircbouncer/files/etc_init.d_znc
  13. +2
    -0
      roles/ircbouncer/handlers/main.yml
  14. +1
    -0
      roles/ircbouncer/tasks/main.yml
  15. +65
    -0
      roles/ircbouncer/tasks/znc.yml
  16. +84
    -0
      roles/ircbouncer/templates/var_lib_znc_configs_znc.conf.j2
  17. +6
    -0
      roles/mail/handlers/main.yml
  18. +61
    -28
      roles/mail/tasks/main.yml
  19. +0
    -452
      roles/mail/templates/config.inc.php
  20. +1
    -0
      roles/mail/templates/config.inc.php
  21. +1
    -1
      roles/mail/templates/dbconfig.inc.php
  22. +1
    -1
      roles/mail/templates/dovecot-mysql.conf
  23. +40
    -42
      roles/mail/templates/dovecot.conf
  24. +1
    -0
      roles/mail/templates/dynamicmaps.cf
  25. +2
    -2
      roles/mail/templates/main.cf
  26. +28
    -12
      roles/mail/templates/master.cf
  27. +1
    -1
      roles/mail/templates/mysql_relay_domains.cf
  28. +1
    -1
      roles/mail/templates/mysql_virtual_alias_maps.cf
  29. +1
    -1
      roles/mail/templates/mysql_virtual_mailbox_domains.cf
  30. +1
    -1
      roles/mail/templates/mysql_virtual_mailbox_maps.cf
  31. +2
    -1
      roles/mail/templates/root-postfix.sql
  32. +2
    -0
      roles/mail/templates/smtpd.conf
  33. +21
    -0
      roles/mail/vars/main.yml
  34. +37
    -0
      roles/nginx/files/etc-nginx-nginx.conf
  35. +26
    -0
      roles/nginx/files/etc-php5-fpm-pool.d-www-data.conf
  36. +13
    -0
      roles/nginx/handlers/main.yml
  37. +23
    -0
      roles/nginx/tasks/main.yml
  38. +46
    -0
      roles/nginx/vars/main.yml
  39. +46
    -0
      roles/owncloud/handlers/main.yml
  40. +78
    -0
      roles/owncloud/tasks/main.yml
  41. +73
    -0
      roles/owncloud/templates/etc-nginx-sites-enabled-owncloud.j2
  42. +36
    -0
      roles/owncloud/templates/etc-php5-fpm-pool.d-www.conf.j2
  43. +1789
    -0
      roles/owncloud/templates/php.ini.j2
  44. +5
    -0
      roles/owncloud/templates/root-ownclouddb.sql.j2
  45. +17
    -0
      roles/owncloud/vars/main.yml
  46. +2
    -0
      roles/prosody/handlers/main.yml
  47. +4
    -0
      roles/prosody/tasks/main.yml
  48. +29
    -0
      roles/prosody/tasks/prosody.yml
  49. +175
    -0
      roles/prosody/templates/prosody.cfg.lua.j2
  50. +10
    -0
      roles/wallabag/handlers/main.yml
  51. +1
    -0
      roles/wallabag/tasks/main.yml
  52. +73
    -0
      roles/wallabag/tasks/wallabag.yml
  53. +31
    -0
      roles/wallabag/templates/etc_apache2_sites-available_wallabag.j2
  54. +5
    -0
      roles/wallabag/templates/root-wallabag.sql.j2
  55. +58
    -0
      roles/wallabag/templates/var_www_wallabag_inc_poche_config.inc.php.j2

+ 84
- 0
README.md View File

@ -3,3 +3,87 @@ configz
Yet another ansible's playbook repository
roles
======
* Common
* provides **common** configuration
* https://github.com/nojhan/liquidprompt <3
* Wallabag
* provides **Wallabag** configuration
* Imported with <3 from https://github.com/al3x/sovereign/
* **Not yet READY**
* Prosody
* Provides XMPP (Jabber) server
* Imported with <3 from https://github.com/al3x/sovereign/
* **Not yet READY**
* IRCBouncer
* Provides a ZNC Config
* Imported with <3 from https://github.com/al3x/sovereign/
* **Not yet READY**
* Mail
* provides a complete **mail** server for a given domain name and the vdomain capability for other domains.
* **Note** : This role starts in order : common, mariadb, and mail. If you don't want one of them, please comment out.
* **Note2** : If you already have a SQL server, **it wont erase the original config**, but it needs a ``~/.my.cnf``.
* **TODO** :
* Razor/Pyzor
* Roundcube
* Simplify template copy
* Postgrey
* MariaDB
* provides a lambda **MariaDB** server peered on ``127.0.0.1:3306`` with ``root`` MySQL password on ``~/.my.cnf``
* ownCloud
* provides a simple instance of **ownCloud**, with ``NGINX, PHP5-FPM, and MariaDB``
example host file
=====
```yaml
---
admin_ssh_keys: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXK3ufonx+zNQ1x6cSWuUWckB/xf9sKZ+mRgY5SPXzqrxSkqNSmr9JQ6xzvhxKEVcFWsi50op1WWtRo3HG3p3+EHKXeCyzt5QnczDlVOoQbB8kgI0byKcvXux1inL4/Q4DbVLUbDFnynD/C5aAyYMYePahMxR+AQr60DD+7Ty6pcEVih1wwHIlxWziY1EF6sEzQwz/PiTxWIZkKHl/WPGagS9Pp/5nQfdZy0AS/JqbzNyMEg51+XedADuqseV4GXDzrzDYLJXJFv1PFVJxRWLrjChKrUMqyszUySkZMr5YSPXlsV0bi+0xivYEsXvIkLORV96JTZosYbV+0aFKDPv root@debian
default_packages_debian: htop
description: machine test
# NTP
ntp_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
disable_ipv6: true
# Mail
domain: test.net
# MariaDB
mariadb_version: 10.0
mysql_root_password: changeme
mysql_host: localhost
# ircbouncer
znc_version: 1.4
irc_nick: (required)
irc_ident: (required)
irc_realname: (required)
irc_quitmsg: (required)
irc_password_hash: (required)
irc_password_salt: (required)
# xmpp
prosody_admin: "admin@test.net"
prosody_virtual_domain: "test.net"
prosody_accounts: admin@test.net
#Wallabag
wallabag_version: 1.8.1
wallabag_domain: "read.{{ domain }}"
wallabag_salt: (required)
wallabag_db_username: wallabag
wallabag_db_password: (required)
wallabag_db_database: wallabag
# vim: set textwidth=0 ft=yaml:
```

etc/host_vars/localhost.example → host_vars/localhost.example View File

@ -1,12 +1,46 @@
---
---
admin_ssh_keys: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXK3ufonx+zNQ1x6cSWuUWckB/xf9sKZ+mRgY5SPXzqrxSkqNSmr9JQ6xzvhxKEVcFWsi50op1WWtRo3HG3p3+EHKXeCyzt5QnczDlVOoQbB8kgI0byKcvXux1inL4/Q4DbVLUbDFnynD/C5aAyYMYePahMxR+AQr60DD+7Ty6pcEVih1wwHIlxWziY1EF6sEzQwz/PiTxWIZkKHl/WPGagS9Pp/5nQfdZy0AS/JqbzNyMEg51+XedADuqseV4GXDzrzDYLJXJFv1PFVJxRWLrjChKrUMqyszUySkZMr5YSPXlsV0bi+0xivYEsXvIkLORV96JTZosYbV+0aFKDPv root@debian
default_packages_debian: htop
description: machine test
ntp_server1: 0.pool.ntp.org
ntp_server2: 1.pool.ntp.org
# NTP
ntp_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
disable_ipv6: true
# Mail
domain: test.net
# MariaDB
mariadb_version: 10.0
mysql_root_password: changeme
mysql_host: localhost
# ircbouncer
znc_version: 1.4
irc_nick: (required)
irc_ident: (required)
irc_realname: (required)
irc_quitmsg: (required)
irc_password_hash: (required)
irc_password_salt: (required)
# xmpp
prosody_admin: admin@test.net
prosody_virtual_domain: test.net
prosody_accounts: admin@test.net
# wallabag
wallabag_version: 1.8.1
wallabag_domain: "read.test.net"
wallabag_salt: (required)
wallabag_db_username: wallabag
wallabag_db_password: (required)
wallabag_db_database: wallabag
# vim: set textwidth=0 ft=yaml:
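Review bot: `mysql_root_password: changeme` is the only credential in this example that is not marked `(required)` — `irc_password_hash`, `irc_password_salt`, `wallabag_salt` and `wallabag_db_password` all use that placeholder — so a copy of this file left unedited deploys a known root database password; `mysql_root_password: (required)` keeps the example consistent and makes the value obviously a placeholder. The `admin_ssh_keys` entry also carries a concrete `ssh-rsa … root@debian` public key rather than a placeholder, and the same key and `changeme` value are repeated in the README example; an unedited copy of either grants that key's holder root login on the target. Replacing the key with `admin_ssh_keys: (required)` would match the rest of the file.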

+ 1
- 0
mail.yml View File

@ -6,6 +6,7 @@
gather_facts: yes
roles:
- common
- mariadb
- mail

+ 11
- 0
mariadb.yml View File

@ -0,0 +1,11 @@
---
- name: Deployer et configurer mariadb
hosts: all
user: root
gather_facts: yes
roles:
- mariadb
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:

+ 14
- 0
owncloud.yml View File

@ -0,0 +1,14 @@
---
- name: Deployer et configurer un serveur ownCloud sous NGINX + PHP5-FPM + MariaDB
hosts: all
user: root
gather_facts: yes
roles:
- common
- mariadb
- nginx
- owncloud

+ 5
- 6
postint.yml.README View File

@ -28,9 +28,9 @@ Après la description suivent des exemples de ces variables.
- default_packages_debian : la liste des packages debian a installer par defaut
- ansible_fqdn : le nom a donner au serveur
- description : La description du serveur (s'affichera a la connexion)
- ntp_server1 : le premier serveur NTP a utiliser
- ntp_server2 : le deuxième serveur ntp a installer
- ntp_servers : liste de serveurs NTP à utiliser
- disable_ipv6 : IPv6 doit il etre desactive ou non
- tzdata_timezone: Permet de définir une timezone personnalisée (Europe/Paris est définie par défaut)
### Exemples de variables ###
fichier : /etc/ansible/group_vars/all :
@ -48,9 +48,8 @@ ansible_fqdn: serveur-debian.exemple.com
description: Bienvenue sur ce serveur debian
ntp_server1: 0.fr.pool.ntp.org
ntp_server2: 1.fr.pool.ntp.org
ntp_servers:
- 0.fr.pool.ntp.org
- 1.fr.pool.ntp.org
disable_ipv6: yes

+ 3
- 0
roles/common/files/root-.bashrc View File

@ -1,4 +1,7 @@
### THIS FILE IS DEPLOYED BY ANSIBLE
if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ]; then
INPUTRC=/etc/inputrc
fi
export LS_OPTIONS='--color=auto'
eval "`dircolors`"

+ 66
- 0
roles/common/files/root-.inputrc View File

@ -1,3 +1,6 @@
# /etc/inputrc - global inputrc for libreadline
# See readline(3readline) and `info rluserman' for more information.
### THIS FILE IS DEPLOYED BY ANSIBLE
# alternate mappings for "page up" and "page down" to search the history
@ -6,3 +9,66 @@
"\e[1;5C": forward-word # ctrl + right
"\e[1;5D": backward-word # ctrl + left
# Be 8 bit clean.
set input-meta on
set output-meta on
# To allow the use of 8bit-characters like the german umlauts, uncomment
# the line below. However this makes the meta key not work as a meta key,
# which is annoying to those which don't need to type in 8-bit characters.
# set convert-meta off
# try to enable the application keypad when it is called. Some systems
# need this to enable the arrow keys.
# set enable-keypad on
# see /usr/share/doc/bash/inputrc.arrows for other codes of arrow keys
# do not bell on tab-completion
# set bell-style none
# set bell-style visible
# some defaults / modifications for the emacs mode
$if mode=emacs
# allow the use of the Home/End keys
"\e[1~": beginning-of-line
"\e[4~": end-of-line
# allow the use of the Delete/Insert keys
"\e[3~": delete-char
"\e[2~": quoted-insert
# mappings for "page up" and "page down" to step to the beginning/end
# of the history
# "\e[5~": beginning-of-history
# "\e[6~": end-of-history
# alternate mappings for "page up" and "page down" to search the history
# "\e[5~": history-search-backward
# "\e[6~": history-search-forward
# mappings for Ctrl-left-arrow and Ctrl-right-arrow for word moving
"\e[1;5C": forward-word
"\e[1;5D": backward-word
"\e[5C": forward-word
"\e[5D": backward-word
"\e\e[C": forward-word
"\e\e[D": backward-word
$if term=rxvt
"\e[8~": end-of-line
"\eOc": forward-word
"\eOd": backward-word
$endif
# for non RH/Debian xterm, can't hurt for RH/Debian xterm
# "\eOH": beginning-of-line
# "\eOF": end-of-line
# for freebsd console
# "\e[H": beginning-of-line
# "\e[F": end-of-line
$endif

+ 4
- 1
roles/common/handlers/main.yml View File

@ -40,5 +40,8 @@
- name: apt-update
command: apt-get update
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
- name: update timezone
command: dpkg-reconfigure --frontend noninteractive tzdata
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:

+ 27
- 36
roles/common/tasks/main.yml View File

@ -8,30 +8,25 @@
tags: bootstrap
raw: python -c "import apt" || DEBIAN_FRONTEND=noninteractive apt-get --force-yes -y install python-apt
when: ansible_distribution == 'Debian'
# Check mandatory variables
- name: Check vars
# Check mandatory variables
- name: Check vars
fail: msg="Missing variable admin_ssh_keys"
when: admin_ssh_keys is not defined
- name: Check vars
- name: Check vars
fail: msg="Missing variable default_packages_debian"
when: default_packages_debian is not defined
- name: Check vars
- name: Check vars
fail: msg="Missing variable description"
when: description is not defined
- name: Check vars
fail: msg="Missing variable ntp_server1"
when: ntp_server1 is not defined
- name: Check vars
fail: msg="Missing variable ntp_server2"
when: ntp_server2 is not defined
- name: Check vars
fail: msg="Missing variable ntp_servers"
when: ntp_servers is not defined
- name: Check vars
- name: Check vars
fail: msg="Missing variable disable_ipv6"
when: disable_ipv6 is not defined
@ -39,7 +34,7 @@
- name: Deploy SSH keys
tags: ssh_keys
authorized_key: user=root key="{{item}}"
with_items: "{{admin_ssh_keys}}"
with_items: admin_ssh_keys
# Packages
@ -56,21 +51,18 @@
# Basic Shell & vim configuration
- name: Custom .bashrc
tags: custom
copy: src=root-.bashrc dest=/root/.bashrc
- name: Custom .vimrc
tags: custom
copy: src=root-.vimrc dest=/root/.vimrc
- name: Custom .inputrc
tags: custom
copy: src=root-.inputrc dest=/root/.inputrc
- name: Create .vim/colors
tags: custom
file: path=/root/.vim/colors state=directory
- name: Wombat vim colors theme is awesome
- name: Custom .bashrc, .vimrc, .inputrc and Wombat vim colors theme
tags: custom
copy: src=root-.vim-colors-wombat.vim dest=/root/.vim/colors/wombat.vim
copy: src={{ item.src }} dest={{ item.dest }}
with_items:
- { src: 'root-.bashrc', dest: '/root/.bashrc' }
- { src: 'root-.vimrc', dest: '/root/.vimrc' }
- { src: 'root-.inputrc', dest: '/root/.inputrc' }
- { src: 'root-.vim-colors-wombat.vim', dest: '/root/.vim/colors/wombat.vim' }
# Set motd and README.root
@ -78,13 +70,12 @@
tags: custom
template: src=etc-motd.j2 dest=/etc/motd
- name: Modify /root/.profile
- name: Modify /root/.profile, Add basic README.root
tags: custom
copy: src=root-.profile dest=/root/.profile
when: initialize == 'True'
- name: Add basic README.root
tags: custom
copy: src=root-README.root dest=/root/README.root
copy: src={{ item.src }} dest={{ item.dest }}
with_items:
- { src: 'root-.profile', dest: '/root/.profile' }
- { src: 'root-README.root', dest: '/root/README.root' }
when: initialize == 'True'
# Env setup
@ -95,11 +86,11 @@
debconf: name=locales question='locales/locales_to_be_generated' value='fr_FR.UTF-8, UTF-8' vtype='multiselect'
when: ansible_distribution == 'Debian'
- name: Set the timezone
tags: environ
debconf: name=tzdata question='tzdata/Zones/Etc' value='UTC' vtype='select'
debconf: name=tzdata question='tzdata/Areas' value='Europe' vtype='select'
debconf: name=tzdata question='tzdata/Zones/Europe' value='Paris' vtype='select'
- name: Set timezone
copy: content='{{ tzdata_timezone | default('Europe/Paris') }}'
dest=/etc/timezone owner=root group=root mode=0644
notify:
- update timezone
when: ansible_distribution == 'Debian'
- name: Disable IPv6 (need reboot)
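Review bot: The new `Set timezone` task nests single quotes inside a single-quoted k=v value, `copy: content='{{ tzdata_timezone | default('Europe/Paris') }}'`, and continues its arguments on a second line (`dest=/etc/timezone owner=root group=root mode=0644`); whether the inner quotes reach Jinja intact depends on how the argument splitter of the Ansible release in use treats quotes inside `{{ }}`, which has changed between releases. The YAML mapping form below is unambiguous and avoids the question. `content` as written also has no trailing newline; I have not checked whether `dpkg-reconfigure tzdata` in the `update timezone` handler tolerates that, so it is worth confirming on a target. In the `Deploy SSH keys` hunk the `with_items` line appears to move from `"{{admin_ssh_keys}}"` to a bare `admin_ssh_keys` (if this page prints old before new, as the other hunks do); the bare-name form is the one later Ansible releases deprecate, so the templated form is the safer one to keep.
```yaml
# … unchanged: locales debconf task above …
- name: Set timezone
  copy:
    content: "{{ tzdata_timezone | default('Europe/Paris') }}"
    dest: /etc/timezone
    owner: root
    group: root
    mode: 0644
  notify:
    - update timezone
  when: ansible_distribution == 'Debian'
# … unchanged: Disable IPv6 task below …
```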

+ 4
- 5
roles/common/templates/etc-ntp.conf.j2 View File

@ -6,12 +6,11 @@ statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server {{ ntp_server1 }}
server {{ ntp_server2 }}
{% for server in ntp_servers %}
server {{ server }}
restrict {{ server }} nomodify nopeer
{% endfor %}
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1
restrict {{ ntp_server1 }} nomodify nopeer
restrict {{ ntp_server2 }} nomodify nopeer

+ 139
- 0
roles/ircbouncer/files/etc_init.d_znc View File

@ -0,0 +1,139 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: znc
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: ZNC IRC bouncer
# Description: ZNC is an IRC bouncer
### END INIT INFO
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="ZNC daemon"
NAME=znc
DAEMON=/usr/local/bin/$NAME
DATADIR=/var/lib/znc
DAEMON_ARGS="--datadir=$DATADIR"
PIDDIR=/var/run/znc
PIDFILE=$PIDDIR/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
USER=znc
GROUP=znc
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
if [ ! -d $PIDDIR ]
then
mkdir $PIDDIR
fi
chown $USER:$GROUP $PIDDIR
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test --chuid $USER > /dev/null || return 1
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER -- $DAEMON_ARGS > /dev/null || return 2
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME --chuid $USER
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --chuid $USER
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME --chuid $USER
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $?
;;
reload)
log_daemon_msg "Reloading $DESC" "$NAME"
do_reload
log_end_msg $?
;;
restart)
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
echo "Usage: $SCRIPTNAME {status|start|stop|reload|restart}" >&2
exit 3
;;
esac
:

+ 2
- 0
roles/ircbouncer/handlers/main.yml View File

@ -0,0 +1,2 @@
- name: restart znc
service: name=znc state=restarted

+ 1
- 0
roles/ircbouncer/tasks/main.yml View File

@ -0,0 +1 @@
- include: znc.yml tags=znc

+ 65
- 0
roles/ircbouncer/tasks/znc.yml View File

@ -0,0 +1,65 @@
# more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
- name: Install znc dependencies
apt: pkg={{ item }} state=installed
with_items:
- automake
- build-essential
- checkinstall
- g++
- libperl-dev
- libsasl2-dev
- libssl-dev
- libtool
- openssl
- pkg-config
- python3-dev
- swig
- name: Download znc release
get_url: url=http://znc.in/releases/archive/znc-{{ znc_version }}.tar.gz dest=/root/znc-{{ znc_version }}.tar.gz
- name: Decompress znc source
command: tar xzf /root/znc-{{ znc_version }}.tar.gz chdir=/root creates=/root/znc-{{ znc_version }}/configure
- name: Build and install znc
shell: ./configure --enable-python && make && make install executable=/bin/bash chdir=/root/znc-{{ znc_version }} creates=/usr/local/bin/znc
notify: restart znc
- name: Create znc group
group: name=znc state=present
- name: Create znc user
user: name=znc state=present home=/var/lib/znc system=yes group=znc shell=/usr/sbin/nologin
- name: Copy znc init file into place
copy: src=etc_init.d_znc dest=/etc/init.d/znc mode=0755
- name: Create a combined version of the private key with public cert and intermediate + root CAs
shell: cat /etc/ssl/private/wildcard_private.key /etc/ssl/certs/wildcard_combined.pem >
/var/lib/znc/znc.pem creates=/var/lib/znc/znc.pem
notify: restart znc
- name: Ensure znc user and group can read cert
file: path=/var/lib/znc/znc.pem group=znc owner=znc mode=640
notify: restart znc
- name: Check for existing config file
command: cat /var/lib/znc/configs/znc.conf
register: znc_config
ignore_errors: True
changed_when: False # never report as "changed"
- name: Create znc config directory
file: state=directory path=/var/lib/znc/configs group=znc owner=znc
- name: Copy znc configuration file into place
template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc
when: znc_config.rc != 0
notify: restart znc
- name: Set firewall rule for znc
ufw: rule=allow port=6697 proto=tcp
- name: Ensure znc is a system service
service: name=znc state=started enabled=true
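Review bot: `Download znc release` fetches the tarball over plain `http://znc.in/...` with no checksum, and `Build and install znc` then compiles and `make install`s it as root, so the integrity of a binary that runs as a system service rests entirely on the network path; pin the archive with get_url's `sha256sum=` parameter, e.g. `get_url: url=http://znc.in/releases/archive/znc-{{ znc_version }}.tar.gz dest=/root/znc-{{ znc_version }}.tar.gz sha256sum={{ znc_sha256 }}` (the `znc_sha256` variable name is a placeholder for a per-release hash you supply alongside `znc_version`). The `Create a combined version of the private key…` task writes `/var/lib/znc/znc.pem`, which contains the private key, through a shell redirect under the default umask, so the file can be world-readable until the following `Ensure znc user and group can read cert` task sets `mode=640`; `shell: umask 077 && cat /etc/ssl/private/wildcard_private.key /etc/ssl/certs/wildcard_combined.pem > /var/lib/znc/znc.pem creates=/var/lib/znc/znc.pem` closes that window. `Check for existing config file` uses `command: cat …` with `ignore_errors: True` only to learn whether the file exists; a `stat` call on the path expresses the same intent without a failing task in the run output.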

+ 84
- 0
roles/ircbouncer/templates/var_lib_znc_configs_znc.conf.j2 View File

@ -0,0 +1,84 @@
// WARNING
//
// Do NOT edit this file while ZNC is running!
// Use webadmin or *controlpanel instead.
//
// Buf if you feel risky, you might want to read help on /znc saveconfig and /znc rehash.
// Also check http://en.znc.in/wiki/Configuration
AnonIPLimit = 10
ConnectDelay = 5
LoadModule = webadmin
LoadModule = fail2ban
LoadModule = lastseen
LoadModule = partyline
MaxBufferSize = 500
Motd = Connected to ZNC
PidFile = /var/run/znc/znc.pid
ProtectWebSessions = true
SSLCertFile = /var/lib/znc/znc.pem
ServerThrottle = 30
Skin = _default_
StatusPrefix = *
Version = 1.0
<Listener listener0>
AllowIRC = true
AllowWeb = false
IPv4 = true
IPv6 = true
Port = 6697
SSL = true
</Listener>
<Listener listener1>
AllowIRC = false
AllowWeb = true
IPv4 = true
IPv6 = true
Port = 6643
SSL = false
</Listener>
<User {{ irc_nick }}>
Admin = true
Allow = *
AltNick = {{ irc_nick }}_
AppendTimestamp = false
AutoClearChanBuffer = true
Buffer = 5000
ChanModes = +stn
DenyLoadMod = false
DenySetBindHost = false
Ident = {{ irc_ident }}
JoinTries = 10
LoadModule = controlpanel
LoadModule = perform
LoadModule = block_motd
LoadModule = clientnotify
MaxNetworks = 1
MultiClients = true
Nick = {{ irc_nick }}
PrependTimestamp = true
QuitMsg = {{ irc_quitmsg }}
RealName = {{ irc_realname }}
TimestampFormat = [%H:%M:%S]
Timezone = {{ irc_timezone }}
<Pass password>
Method = sha256
Hash = {{ irc_password_hash }}
Salt = {{ irc_password_salt }}
</Pass>
<Network freenode>
BindHost = 0.0.0.0
FloodBurst = 4
FloodRate = 1.00
IRCConnectEnabled = true
LoadModule = kickrejoin
LoadModule = nickserv
LoadModule = savebuff
Server = chat.freenode.net +6697
</Network>
</User>
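Review bot: The template references `Timezone = {{ irc_timezone }}`, but `irc_timezone` is not among the `irc_*` values listed in the README and `host_vars/localhost.example` hunks of this commit, and the diffstat shows no vars or defaults file for the ircbouncer role; unless it is defined somewhere outside this commit, the `Copy znc configuration file into place` task will fail with an undefined-variable error on first run. Either add `irc_timezone: (required)` to both examples or give the template a fallback, `Timezone = {{ irc_timezone | default('UTC') }}`. Separately, `listener1` serves webadmin (`AllowWeb = true`) with `SSL = false` bound on IPv4 and IPv6; the `znc.yml` hunk only opens 6697 in ufw, so exposure depends on the firewall actually being enabled, and since `SSLCertFile` is already configured, `SSL = true` on that listener costs nothing.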

+ 6
- 0
roles/mail/handlers/main.yml View File

@ -1,4 +1,10 @@
- name: restart apache
service: name=apache2 state=restarted
- name: restart amavis
service: name=amavis state=restarted
- name: restart saslauthd
service: name=saslauthd state=restarted

+ 61
- 28
roles/mail/tasks/main.yml View File

@ -2,7 +2,7 @@
fail: msg="Missing domain name for first Vdomain creation"
when: domain is not defined
- name: Install packages
- name: Install pwgen
apt: pkg={{item}} state=installed update_cache=yes
with_items: "{{ firstpkg }}"
ignore_errors: no
@ -11,7 +11,7 @@
shell: pwgen -y -B -s 80 1
register: dbpassword
- name: Install packages
- name: Install necessary packages for postfix standalone
apt: pkg={{item}} state=installed update_cache=yes
with_items: "{{ packages }}"
ignore_errors: no
@ -21,7 +21,7 @@
- name: Creation of the right folder
file: path=/etc/postfixadmin/ state=directory mode=0755 recurse=yes
- name: Untar the beast
- name: Untar the pfxadmin
unarchive: src=/tmp/postfixadmin-2.91.tar.gz dest=/etc/postfixadmin/
- name: enable SASLAuthd on boot
@ -50,70 +50,84 @@
shell: adduser postfix sasl
notify: restart dovecot
- name: Copy dovecot config files
- name: Copy dovecot config files - dovecot.conf
template: src=dovecot.conf dest=/etc/dovecot/ owner=root mode=655
- name: Copy dovecot config files
- name: Copy dovecot config files - dovecot-mysql.conf
template: src=dovecot-mysql.conf dest=/etc/dovecot/ owner=root mode=655
- name: Copy postfixadmin config files
template: src=config.inc.php dest=/etc/postfixadmin/ owner=root mode=655
- name: Copy postfixadmin config files
- name: Copy postfixadmin config files - dbconfig.inc.php pfxadmin
template: src=dbconfig.inc.php dest=/etc/postfixadmin/ owner=root mode=655
- name: Copy postfix config files
- name: Copy postfix config files - dynmaps
template: src=dynamicmaps.cf dest=/etc/postfix/ owner=root mode=655
- name: Copy postfix config files
- name: Copy postfix config files - main.cf
template: src=main.cf dest=/etc/postfix/ owner=root mode=655
- name: Copy postfix config files
- name: Copy postfix config files - master.cf
template: src=master.cf dest=/etc/postfix/ owner=root mode=655
- name: Copy postfix config files
- name: Copy postfix config files - relay_domains.cf
template: src=mysql_relay_domains.cf dest=/etc/postfix/ owner=root mode=655
- name: Copy postfix config files
- name: Copy postfix config files - valias_maps.cf
template: src=mysql_virtual_alias_maps.cf dest=/etc/postfix/ owner=root mode=655
- name: Copy postfix config files
- name: Copy postfix config files - vbox_domains.cf
template: src=mysql_virtual_mailbox_domains.cf dest=/etc/postfix/ owner=root mode=655
- name: Copy postfix config files
- name: Copy postfix config files vbox_maps.cf
template: src=mysql_virtual_mailbox_maps.cf dest=/etc/postfix/ owner=root mode=655
- name: Copy postfix config files
- name: Copy postfix config files - postfix-files
template: src=postfix-files dest=/etc/postfix/ owner=root mode=655
- name: Copy postfix config files
- name: Copy postfix config files - postfix-scripts
template: src=postfix-script dest=/etc/postfix/ owner=root mode=655
- name: Copy postfix config files
- name: Copy postfix config files - post-install
template: src=post-install dest=/etc/postfix/ owner=root mode=655
- name: Copy postfix config files
- name: Copy postfix config files - database script
template: src=root-postfix.sql dest=/etc/postfix/ owner=root mode=655
- name: Copy postfix config files - smtpd.conf
template: src=smtpd.conf dest=/etc/postfix/sasl/smtpd.conf owner=root mode=655
notify: restart postfix
- name: Autosigned cert - openssl query
command: openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=FR/ST=RA/L=Somewhere/O=Overtherainbow/CN={{ domain }}" -keyout /etc/ssl/mail.key -out /etc/ssl/mail.crt
- name: ca_bundle - gettint it from startssl
get_url: url=http://www.startssl.com/certs/ca-bundle.crt dest=/etc/ssl/ca-bundle.crt mode=0644
- name: Create database for postfix
shell: mysql < /etc/postfix/root-postfix.sql
- name: Config amavis
- name: Config amavis - content_filter_mode
copy: src=etc-amavis-conf.d-15-content_filter_mode dest=/etc/amavis/conf.d/15-content_filter_mode
- name: Config amavis
- name: Config amavis - userfile
copy: src=etc-amavis-conf.d-50-user dest=/etc/amavis/conf.d/50-user
- name: Virus repository
shell: mkdir /var/spool/virusmails
- name: adding amavis to clamav group
shell: usermod amavis -a -G clamav
- name: Vice versa
shell: usermod clamav -a -G amavis
- name: chown
shell: chown amavis:amavis /var/spool/virusmails
- name: setting right perms to amavis homedir
shell: chmod g+rx /var/lib/amavis
- name: update SA
- name: Virus repository
file: path=/var/spool/virusmails state=directory owner=amavis group=amavis
- name: update Spam-Assassin - will fail if playbook is played twice
shell: sa-update -D
notify: restart amavis
ignore_errors: yes
- name: Config SA
- name: Config Spam-Assassin
copy: src=etc-default-spamassassin dest=/etc/default/spamassassin
notify: restart spamassassin
@ -121,5 +135,24 @@
template: src=etc-default-postgrey dest=/etc/default/postgrey
notify: restart postgrey
- name: Install postfixadmin from debian repos
apt: pkg={{item}} state=installed update_cache=no install_recommends=yes
with_items: "{{ postfixadmin }}"
ignore_errors: no
- name: Update old postfixadmin with new one
shell: rsync -aP /etc/postfixadmin/postfixadmin-2.91/* /usr/share/postfixadmin/
- name: Chowning to the rightful user
shell: chown -R www-data. /usr/share/postfixadmin/
notify: restart apache
- name: Copy postfixadmin config files
template: src=config.inc.php dest=/etc/postfixadmin/ owner=root mode=655
- name: Also to usr share
template: src=config.inc.php dest=/usr/share/postfixadmin/ owner=www-data mode=655
- name: TODO
debug: msg="Now go to http://{{ domain }}/postfixadmin and follow the instructions documentation is here http://sourceforge.net/p/postfixadmin/wiki/Home/"
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
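Review bot: `ca_bundle - gettint it from startssl` fetches a CA bundle — a trust anchor — over plain `http://` with no checksum and installs it to `/etc/ssl/ca-bundle.crt`, so anyone on the network path can substitute their own CA; this needs at least an `https://` URL plus a pinned `sha256sum=` on the `get_url`, or the bundle shipped from the role's own files. `Autosigned cert - openssl query` has no `creates=`, so every run regenerates `/etc/ssl/mail.key` and `mail.crt` and invalidates the certificate clients have already accepted; adding `creates=/etc/ssl/mail.key` to that `command:` makes it run once, and since the key's permissions are left to openssl's defaults and the umask, a follow-up `file: path=/etc/ssl/mail.key owner=root mode=0600` is worth adding. The new `mode=655` on `smtpd.conf` and on both `config.inc.php` copies (one owned by `www-data`) looks like a typo for `0644`: it grants execute bits to group and others and is inconsistent with the `mode=0644` used for the CA bundle two tasks earlier. The task name typo `gettint` could be fixed in the same pass.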

+ 0
- 452
roles/mail/templates/config.inc.php View File

@ -1,452 +0,0 @@
<?php
/**
* Postfix Admin
*
* LICENSE
* This source file is subject to the GPL license that is bundled with
* this package in the file LICENSE.TXT.
*
* Further details on the project are available at :
* http://www.postfixadmin.com or http://postfixadmin.sf.net
*
* @version $Id: config.inc.php 935 2011-01-02 21:33:13Z christian_boltz $
* @license GNU GPL v2 or later.
*
* File: config.inc.php
* Contains configuration options.
*/
// This loads the automatic generated DB credentials from /etc/postfixadmin/dbconfig.inc.php
require_once('dbconfig.inc.php');
if (!isset($dbserver) || empty($dbserver))
$dbserver='localhost';
/*****************************************************************
* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
* You have to set $CONF['configured'] = true; before the
* application will run!
* Doing this implies you have changed this file as required.
* i.e. configuring database etc; specifying setup.php password etc.
*/
$CONF['configured'] = true;
// In order to setup Postfixadmin, you MUST specify a hashed password here.
// To create the hash, visit setup.php in a browser and type a password into the field,
// on submission it will be echoed out to you as a hashed value.
$CONF['setup_password'] = '{{ dbpassword }}';
}
}
// Postfix Admin Path
// Set the location of your Postfix Admin installation here.
// YOU MUST ENTER THE COMPLETE URL e.g. http://domain.tld/postfixadmin
$CONF['postfix_admin_url'] = '/postfixadmin';
// shouldn't need changing.
$CONF['postfix_admin_path'] = dirname(__FILE__);
// Language config
// Language files are located in './languages', change as required..
$CONF['default_language'] = 'en';
// Database Config
// mysql = MySQL 3.23 and 4.0, 4.1 or 5
// mysqli = MySQL 4.1+
// pgsql = PostgreSQL
$CONF['database_type'] = $dbtype;
$CONF['database_host'] = $dbserver;
$CONF['database_user'] = $dbuser;
$CONF['database_password'] = $dbpass;
$CONF['database_name'] = $dbname;
// If you need to specify a different port for a MYSQL database connection, use e.g.
// $CONF['database_host'] = '172.30.33.66:3308';
// If you need to specify a different port for POSTGRESQL database connection
// uncomment and change the following
// $CONF['database_port'] = '5432';
// Here, if you need, you can customize table names.
$CONF['database_prefix'] = '';
$CONF['database_tables'] = array (
'admin' => 'admin',
'alias' => 'alias',
'alias_domain' => 'alias_domain',
'config' => 'config',
'domain' => 'domain',
'domain_admins' => 'domain_admins',
'fetchmail' => 'fetchmail',
'log' => 'log',
'mailbox' => 'mailbox',
'vacation' => 'vacation',
'vacation_notification' => 'vacation_notification',
'quota' => 'quota',
'quota2' => 'quota2',
);
// Site Admin
// Define the Site Admins email address below.
// This will be used to send emails from to create mailboxes.
$CONF['admin_email'] = 'postmaster@{{ domain }}';
// Mail Server
// Hostname (FQDN) of your mail server.
// This is used to send email to Postfix in order to create mailboxes.
$CONF['smtp_server'] = 'localhost';
$CONF['smtp_port'] = '25';
// Encrypt
// In what way do you want the passwords to be crypted?
// md5crypt = internal postfix admin md5
// md5 = md5 sum of the password
// system = whatever you have set as your PHP system default
// cleartext = clear text passwords (ouch!)
// mysql_encrypt = useful for PAM integration
// authlib = support for courier-authlib style passwords
// dovecot:CRYPT-METHOD = use dovecotpw -s 'CRYPT-METHOD'. Example: dovecot:CRAM-MD5
$CONF['encrypt'] = 'md5crypt';
// In what flavor should courier-authlib style passwords be enrypted?
// md5 = {md5} + base64 encoded md5 hash
// md5raw = {md5raw} + plain encoded md5 hash
// SHA = {SHA} + base64-encoded sha1 hash
// crypt = {crypt} + Standard UNIX DES-enrypted with 2-character salt
$CONF['authlib_default_flavor'] = 'md5raw';
// If you use the dovecot encryption method: where is the dovecotpw binary located?
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
// Minimum length required for passwords. Postfixadmin will not
// allow users to set passwords which are shorter than this value.
$CONF['min_password_length'] = 5;
// Generate Password
// Generate a random password for a mailbox or admin and display it.
// If you want to automagically generate paswords set this to 'YES'.
$CONF['generate_password'] = 'NO';
// Show Password
// Always show password after adding a mailbox or admin.
// If you want to always see what password was set set this to 'YES'.
$CONF['show_password'] = 'NO';
// Page Size
// Set the number of entries that you would like to see
// in one page.
$CONF['page_size'] = '10';
// Default Aliases
// The default aliases that need to be created for all domains.
$CONF['default_aliases'] = array (
'abuse' => 'abuse@{{ domain }}',
'hostmaster' => 'hostmaster@{{ domain }}',
'postmaster' => 'postmaster@{{ domain }}',
'webmaster' => 'webmaster@{{ domain }}'
);
// Mailboxes
// If you want to store the mailboxes per domain set this to 'YES'.
// Examples:
// YES: /usr/local/virtual/domain.tld/username@domain.tld
// NO: /usr/local/virtual/username@domain.tld
$CONF['domain_path'] = 'NO';
// If you don't want to have the domain in your mailbox set this to 'NO'.
// Examples:
// YES: /usr/local/virtual/domain.tld/username@domain.tld
// NO: /usr/local/virtual/domain.tld/username
// Note: If $CONF['domain_path'] is set to NO, this setting will be forced to YES.
$CONF['domain_in_mailbox'] = 'YES';
// If you want to define your own function to generate a maildir path set this to the name of the function.
// Notes:
// - this configuration directive will override both domain_path and domain_in_mailbox
// - the maildir_name_hook() function example is present below, commented out
// - if the function does not exist the program will default to the above domain_path and domain_in_mailbox settings
$CONF['maildir_name_hook'] = 'NO';
/*
maildir_name_hook example function
Called by create-mailbox.php if $CONF['maildir_name_hook'] == '<name_of_the_function>'
- allows for customized maildir paths determined by a custom function
- the example below will prepend a single-character directory to the
beginning of the maildir, splitting domains more or less evenly over
36 directories for improved filesystem performance with large numbers
of domains.
Returns: maildir path
ie. I/example.com/user/
*/
/*
function maildir_name_hook($domain, $user) {
$chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$dir_index = hexdec(substr(md5($domain), 28)) % strlen($chars);
$dir = substr($chars, $dir_index, 1);
return sprintf("%s/%s/%s/", $dir, $domain, $user);
}
*/
// Default Domain Values
// Specify your default values below. Quota in MB.
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
// Quota
// When you want to enforce quota for your mailbox users set this to 'YES'.
$CONF['quota'] = 'NO';
// You can either use '1024000' or '1048576'
$CONF['quota_multiplier'] = '1024000';
// Transport
// If you want to define additional transport options for a domain set this to 'YES'.
// Read the transport file of the Postfix documentation.
$CONF['transport'] = 'NO';
// Transport options
// If you want to define additional transport options put them in array below.
$CONF['transport_options'] = array (
'virtual', // for virtual accounts
'local', // for system accounts
'relay' // for backup mx
);
// Transport default
// You should define default transport. It must be in array above.
$CONF['transport_default'] = 'virtual';
// Virtual Vacation
// If you want to use virtual vacation for you mailbox users set this to 'YES'.
// NOTE: Make sure that you install the vacation module. (See VIRTUAL-VACATION/)
$CONF['vacation'] = 'NO';
// This is the autoreply domain that you will need to set in your Postfix
// transport maps to handle virtual vacations. It does not need to be a
// real domain (i.e. you don't need to setup DNS for it).
$CONF['vacation_domain'] = 'autoreply.{{ domain }}';
// Vacation Control
// If you want users to take control of vacation set this to 'YES'.
$CONF['vacation_control'] ='YES';
// Vacation Control for admins
// Set to 'YES' if your domain admins should be able to edit user vacation.
$CONF['vacation_control_admin'] = 'YES';
// Alias Control
// Postfix Admin inserts an alias in the alias table for every mailbox it creates.
// The reason for this is that when you want catch-all and normal mailboxes
// to work you need to have the mailbox replicated in the alias table.
// If you want to take control of these aliases as well set this to 'YES'.
// Alias control for superadmins
$CONF['alias_control'] = 'NO';
// Alias Control for domain admins
$CONF['alias_control_admin'] = 'NO';
// Special Alias Control
// Set to 'NO' if your domain admins shouldn't be able to edit the default aliases
// as defined in $CONF['default_aliases']
$CONF['special_alias_control'] = 'NO';
// Alias Goto Field Limit
// Set the max number of entries that you would like to see
// in one 'goto' field in overview, the rest will be hidden and "[and X more...]" will be added.
// '0' means no limits.
$CONF['alias_goto_limit'] = '0';
// Alias Domains
// Alias domains allow to "mirror" aliases and mailboxes to another domain. This makes
// configuration easier if you need the same set of aliases on multiple domains, but
// also requires postfix to do more database queries.
// Note: If you update from 2.2.x or earlier, you will have to update your postfix configuration.
// Set to 'NO' to disable alias domains.
$CONF['alias_domain'] = 'YES';
// Backup
// If you don't want backup tab set this to 'NO';
$CONF['backup'] = 'YES';
// Send Mail
// If you don't want sendmail tab set this to 'NO';
$CONF['sendmail'] = 'YES';
// Logging
// If you don't want logging set this to 'NO';
$CONF['logging'] = 'YES';
// Fetchmail
// If you don't want fetchmail tab set this to 'NO';
$CONF['fetchmail'] = 'YES';
// fetchmail_extra_options allows users to specify any fetchmail options and any MDA
// (it will even accept 'rm -rf /' as MDA!)
// This should be set to NO, except if you *really* trust *all* your users.
$CONF['fetchmail_extra_options'] = 'NO';
// Header
$CONF['show_header_text'] = 'NO';
$CONF['header_text'] = ':: Postfix Admin ::';
// link to display under 'Main' menu when logged in as a user.
$CONF['user_footer_link'] = "http://{{ domain }}/main";
// Footer
// Below information will be on all pages.
// If you don't want the footer information to appear set this to 'NO'.
$CONF['show_footer_text'] = 'YES';
$CONF['footer_text'] = 'Return to {{ domain }}';
$CONF['footer_link'] = 'http://{{ domain }}';
// Welcome Message
// This message is send to every newly created mailbox.
// Change the text between EOM.
$CONF['welcome_text'] = <<<EOM
Hi,
Welcome to your new account.
EOM;
// When creating mailboxes or aliases, check that the domain-part of the
// address is legal by performing a name server look-up.
$CONF['emailcheck_resolve_domain']='YES';
// Optional:
// Analyze alias gotos and display a colored block in the first column
// indicating if an alias or mailbox appears to deliver to a non-existent
// account. Also, display indications, for POP/IMAP mailboxes and
// for custom destinations (such as mailboxes that forward to a UNIX shell
// account or mail that is sent to a MS exchange server, or any other
// domain or subdomain you use)
// See http://www.w3schools.com/html/html_colornames.asp for a list of
// color names available on most browsers
//set to YES to enable this feature
$CONF['show_status']='NO';
//display a guide to what these colors mean
$CONF['show_status_key']='NO';
// 'show_status_text' will be displayed with the background colors
// associated with each status, you can customize it here
$CONF['show_status_text']='&nbsp;&nbsp;';
// show_undeliverable is useful if most accounts are delivered to this
// postfix system. If many aliases and mailboxes are forwarded
// elsewhere, you will probably want to disable this.
$CONF['show_undeliverable']='NO';
$CONF['show_undeliverable_color']='tomato';
// mails to these domains will never be flagged as undeliverable
$CONF['show_undeliverable_exceptions']=array("unixmail.domain.ext","exchangeserver.domain.ext","gmail.com");
$CONF['show_popimap']='NO';
$CONF['show_popimap_color']='darkgrey';
// you can assign special colors to some domains. To do this,
// - add the domain to show_custom_domains
// - add the corresponding color to show_custom_colors
$CONF['show_custom_domains']=array("subdomain.domain.ext","domain2.ext");
$CONF['show_custom_colors']=array("lightgreen","lightblue");
// If you use a recipient_delimiter in your postfix config, you can also honor it when aliases are checked.
// Example: $CONF['recipient_delimiter'] = "+";
// Set to "" to disable this check.
$CONF['recipient_delimiter'] = "";
// Optional:
// Script to run after creation of mailboxes.
// Note that this may fail if PHP is run in "safe mode", or if
// operating system features (such as SELinux) or limitations
// prevent the web-server from executing external scripts.
// Parameters: (1) username (2) domain (3) maildir (4) quota
// $CONF['mailbox_postcreation_script']='sudo -u courier /usr/local/bin/postfixadmin-mailbox-postcreation.sh';
// Optional:
// Script to run after alteration of mailboxes.
// Note that this may fail if PHP is run in "safe mode", or if
// operating system features (such as SELinux) or limitations
// prevent the web-server from executing external scripts.
// Parameters: (1) username (2) domain (3) maildir (4) quota
// $CONF['mailbox_postedit_script']='sudo -u courier /usr/local/bin/postfixadmin-mailbox-postedit.sh';
// Optional:
// Script to run after deletion of mailboxes.
// Note that this may fail if PHP is run in "safe mode", or if
// operating system features (such as SELinux) or limitations
// prevent the web-server from executing external scripts.
// Parameters: (1) username (2) domain
// $CONF['mailbox_postdeletion_script']='sudo -u courier /usr/local/bin/postfixadmin-mailbox-postdeletion.sh';
// Optional:
// Script to run after creation of domains.
// Note that this may fail if PHP is run in "safe mode", or if
// operating system features (such as SELinux) or limitations
// prevent the web-server from executing external scripts.
// Parameters: (1) domain
//$CONF['domain_postcreation_script']='sudo -u courier /usr/local/bin/postfixadmin-domain-postcreation.sh';
// Optional:
// Script to run after deletion of domains.
// Note that this may fail if PHP is run in "safe mode", or if
// operating system features (such as SELinux) or limitations
// prevent the web-server from executing external scripts.
// Parameters: (1) domain
// $CONF['domain_postdeletion_script']='sudo -u courier /usr/local/bin/postfixadmin-domain-postdeletion.sh';
// Optional:
// Sub-folders which should automatically be created for new users.
// The sub-folders will also be subscribed to automatically.
// Will only work with IMAP server which implement sub-folders.
// Will not work with POP3.
// If you define create_mailbox_subdirs, then the
// create_mailbox_subdirs_host must also be defined.
//
// $CONF['create_mailbox_subdirs']=array('Spam');
// $CONF['create_mailbox_subdirs_host']='localhost';
//
// Specify '' for Dovecot and 'INBOX.' for Courier.
$CONF['create_mailbox_subdirs_prefix']='INBOX.';
// Optional:
// Show used quotas from Dovecot dictionary backend in virtual
// mailbox listing.
// See: DOCUMENTATION/DOVECOT.txt
// http://wiki.dovecot.org/Quota/Dict
//
$CONF['used_quotas'] = 'NO';
// if you use dovecot >= 1.2, set this to yes.
// Note about dovecot config: table "quota" is for 1.0 & 1.1, table "quota2" is for dovecot 1.2 and newer
$CONF['new_quota_table'] = 'NO';
//
// Normally, the TCP port number does not have to be specified.
// $CONF['create_mailbox_subdirs_hostport']=143;
//
// If you have trouble connecting to the IMAP-server, then specify
// a value for $CONF['create_mailbox_subdirs_hostoptions']. These
// are some examples to experiment with:
// $CONF['create_mailbox_subdirs_hostoptions']=array('notls');
// $CONF['create_mailbox_subdirs_hostoptions']=array('novalidate-cert','norsh');
// See also the "Optional flags for names" table at
// http://www.php.net/manual/en/function.imap-open.php
// Theme Config
// Specify your own logo and CSS file
$CONF['theme_logo'] = 'images/logo-default.png';
$CONF['theme_css'] = 'css/default.css';
// XMLRPC Interface.
// This should be only of use if you wish to use e.g the
// Postfixadmin-Squirrelmail package
// change to boolean true to enable xmlrpc
$CONF['xmlrpc_enabled'] = false;
// If you want to keep most settings at default values and/or want to ensure
// that future updates work without problems, you can use a separate config
// file (config.local.php) instead of editing this file and override some
// settings there.
if (file_exists(dirname(__FILE__) . '/config.local.php')) {
include(dirname(__FILE__) . '/config.local.php');
}
//
// END OF CONFIG FILE
//
/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */

+ 1
- 0
roles/mail/templates/config.inc.php View File

@ -0,0 +1 @@
/etc/postfixadmin/config.inc.php

+ 1
- 1
roles/mail/templates/dbconfig.inc.php View File

@ -11,7 +11,7 @@
## above too.
##
$dbuser='postfix';
$dbpass='{{ dbpassword }}';
$dbpass='{{ dbpassword.stdout }}';
}
}
$basepath='';
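Review bot: `$dbpass='{{ dbpassword.stdout }}';` now takes the password from a registered command result, but the task that registers `dbpassword` for the mail role is not in this chunk, so whether it is generated once or on every run cannot be checked here. If it is produced like the ownCloud role's `shell: pwgen -y -B -s 80 1`, the `-y` symbol set can include `'`, which terminates this single-quoted PHP literal, and the same value is interpolated unquoted into the space-delimited `connect = ... password={{ dbpassword.stdout }}` line of dovecot-mysql.conf and into `password = {{ dbpassword.stdout }}` in mysql_relay_domains.cf, mysql_virtual_alias_maps.cf, mysql_virtual_mailbox_domains.cf and mysql_virtual_mailbox_maps.cf. A symbol-free, persisted generator such as `lookup('password', '/root/.postfix_dbpassword chars=ascii_letters,digits length=40')` avoids the quoting problem and keeps the value stable across runs instead of rotating it and rewriting every template each time the play executes.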

+ 1
- 1
roles/mail/templates/dovecot-mysql.conf View File

@ -1,5 +1,5 @@
driver = mysql
connect = host=127.0.0.1 dbname=postfix user=postfix password={{ dbpassword }}
connect = host=127.0.0.1 dbname=postfix user=postfix password={{ dbpassword.stdout }}
default_pass_scheme = MD5-CRYPT
user_query = SELECT '/home/facteur/%d/%n' as home, 3000 AS uid, 3000 AS gid FROM mailbox WHERE username = '%u'
password_query = SELECT password FROM mailbox WHERE username = '%u'

+ 40
- 42
roles/mail/templates/dovecot.conf View File

@ -1,51 +1,49 @@
## Dovecot configuration file
protocols = imap imaps pop3 pop3s managesieve
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = mail
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.7 ext4
!include conf.d/*.conf
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/home/facteur/%d/%n:INDEX=/home/facteur/%d/%n/indexes
protocol imap {
}
protocol pop3 {
}
protocol managesieve {
listen = *:4190
login_executable = /usr/lib/dovecot/managesieve-login
mail_executable = /usr/lib/dovecot/managesieve
mail_privileged_group = mail
passdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
protocol lda {
postmaster_address = admin@{{ domain }}
mail_plugin_dir = /usr/lib/dovecot/modules/lda
auth_socket_path = /var/run/dovecot/auth-master
mail_plugins = sieve quota
plugin {
sieve = /home/facteur/%d/%n/.dovecot.sieve
sieve_dir = /home/facteur/%d/%n/sieve
}
auth default {
userdb sql {
args = /etc/dovecot/dovecot-mysql.conf
}
passdb sql {
args = /etc/dovecot/dovecot-mysql.conf
}
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0600
user = facteur
protocols = imap pop3 sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
unix_listener auth-master {
mode = 0600
user = facteur
}
}
}
dict {
service managesieve-login {
inet_listener sieve {
port = 4190
}
process_min_avail = 0
service_count = 1
vsz_limit = 64 M
executable = /usr/lib/dovecot/managesieve-login
}
plugin {
sieve_dir = /home/facteur/%d/%n/sieve
sieve = /home/facteur/%d/%n/.dovecot.sieve
service managesieve {
executable = /usr/lib/dovecot/managesieve
}
userdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
mail_plugin_dir = /usr/lib/dovecot/modules
mail_plugins = sieve quota
postmaster_address = admin@{{ domain }}
}
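Review bot: `disable_plaintext_auth = no` (it sits among the Dovecot 2-style lines, so presumably on the new side) lets clients send passwords in clear over unencrypted IMAP/POP3 sessions, whereas Dovecot's default of `yes` only offers plaintext mechanisms once the session is TLS-protected or local. Nothing in this hunk sets `ssl` or `ssl_cert`, and the `!include conf.d/*.conf` files are not part of the commit, so it is unclear whether TLS is enforced anywhere; unless it is, change the line to `disable_plaintext_auth = yes` and set `ssl = required` in the included configuration. The `protocols = imap pop3 sieve` line drops the former explicit imaps/pop3s entries, so the TLS listeners now depend entirely on what conf.d defines — worth confirming on a deployed host.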

+ 1
- 0
roles/mail/templates/dynamicmaps.cf View File

@ -4,3 +4,4 @@
#==== ================================ ============= ============
tcp /usr/lib/postfix/dict_tcp.so dict_tcp_open
sqlite /usr/lib/postfix/dict_sqlite.so dict_sqlite_open
mysql /usr/lib/postfix/dict_mysql.so dict_mysql_open

+ 2
- 2
roles/mail/templates/main.cf View File

@ -86,8 +86,8 @@ smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# Indiquer à Postfix de livrer à un destinataire à la fois
# la réception d'un mail en provenance d'un expéditeur unique avec plusieurs destinataire ne fonctionnerais pas sans cette option
dovecot_destination_recipient_limit = 1
## la réception d'un mail en provenance d'un expéditeur unique avec plusieurs destinataire ne fonctionnerais pas sans cette option
#dovecot_destination_recipient_limit = 1
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
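Review bot: Commenting out `dovecot_destination_recipient_limit = 1` removes the setting while the comment just above it still states that multi-recipient delivery does not work without it (the comment is now present twice, once active and once commented), and neither the hunk nor the commit message says why it is no longer needed. The `dovecot` pipe transport is still defined in master.cf in this commit, so the behaviour now depends on the pipe(8) defaults; either delete both lines or restore the setting, and in any case replace the duplicated French comment with one line stating the decision, e.g. `# dovecot_destination_recipient_limit intentionally unset: <reason>`.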

+ 28
- 12
roles/mail/templates/master.cf View File

@ -1,3 +1,4 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
@ -9,27 +10,21 @@
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
#submission inet n - - - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
@ -40,7 +35,9 @@ flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
@ -105,9 +102,28 @@ ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
dovecot unix - n n - - pipe flags=DRhu user=facteur:facteur argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
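Review bot: The uncommented `-o smtpd_sasl_auth_enable=yes` directly under the still-commented `#submission inet ...` entry is a dangling option line: master.cf joins a line that begins with whitespace to the previous non-comment logical line, so this option is most likely attached to the `smtp inet n - - - - smtpd` entry above it rather than to submission, and it will not parse at all if the leading whitespace was lost. Either uncomment `submission inet n - - - - smtpd` together with `-o smtpd_tls_security_level=encrypt` and `-o smtpd_client_restrictions=permit_sasl_authenticated,reject`, or comment this line out again. The new `smtps` entry enables `smtpd_sasl_auth_enable=yes` in TLS wrapper mode but leaves `smtpd_client_restrictions=permit_sasl_authenticated,reject` commented, so relay control on 465 rests on the main.cf restrictions, which are not visible in this commit.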

+ 1
- 1
roles/mail/templates/mysql_relay_domains.cf View File

@ -1,5 +1,5 @@
hosts = 127.0.0.1
user = postfix
password = {{ dbpassword }}
password = {{ dbpassword.stdout }}
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = 1

+ 1
- 1
roles/mail/templates/mysql_virtual_alias_maps.cf View File

@ -1,5 +1,5 @@
hosts = 127.0.0.1
user = postfix
password = {{ dbpassword }}
password = {{ dbpassword.stdout }}
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = 1

+ 1
- 1
roles/mail/templates/mysql_virtual_mailbox_domains.cf View File

@ -1,5 +1,5 @@
hosts = 127.0.0.1
user = postfix
password = {{ dbpassword }}
password = {{ dbpassword.stdout }}
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = 0 and active = 1

+ 1
- 1
roles/mail/templates/mysql_virtual_mailbox_maps.cf View File

@ -1,5 +1,5 @@
hosts = 127.0.0.1
user = postfix
password = {{ dbpassword }}
password = {{ dbpassword.stdout }}
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1

+ 2
- 1
roles/mail/templates/root-postfix.sql View File

@ -1,4 +1,5 @@
DROP DATABASE IF EXISTS postfix;
CREATE DATABASE postfix;
GRANT ALL PRIVILEGES ON postfix.* TO 'postfix_admin'@'%' IDENTIFIED BY '{{ dbpassword.stdout }}';
GRANT ALL PRIVILEGES ON postfix.* TO 'postfix'@'%' IDENTIFIED BY '{{ dbpassword.stdout }}';
GRANT SELECT ON postfix.* TO 'postfix'@'%' IDENTIFIED BY '{{ dbpassword.stdout }}';
FLUSH PRIVILEGES;
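Review bot: If `GRANT SELECT ON postfix.* TO 'postfix'@'%'` is the removed line (the +2/-1 count and the two ALL PRIVILEGES grants suggest so), the `postfix` account that the Postfix map files and dovecot-mysql.conf use for read-only lookups now holds ALL PRIVILEGES on the schema, which is more than those lookups need; keep `GRANT SELECT ON postfix.* TO 'postfix'@'127.0.0.1' IDENTIFIED BY '{{ dbpassword.stdout }}';` for the daemon account and give ALL PRIVILEGES only to `postfix_admin`. dbconfig.inc.php in this same commit still connects as `$dbuser='postfix'`, so Postfix Admin would have to be switched to `postfix_admin` for that split to hold. Both grants use the host wildcard `'%'` although every consumer visible in this commit connects to 127.0.0.1; restricting the host closes remote use of the credential. `DROP DATABASE IF EXISTS postfix;` also makes the script destructive on every re-run, so the task applying it needs a guard — that task is not in this chunk.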

+ 2
- 0
roles/mail/templates/smtpd.conf View File

@ -0,0 +1,2 @@
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
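Review bot: `mech_list: PLAIN LOGIN` offers only mechanisms that transmit the password in clear, so the protection rests entirely on TLS being mandatory before AUTH is announced. The main.cf hunk header in this commit shows `smtpd_sasl_security_options = noanonymous`, which does not exclude plaintext mechanisms on unencrypted sessions; add `smtpd_tls_auth_only = yes` to main.cf (or `smtpd_sasl_security_options = noplaintext, noanonymous` with `smtpd_sasl_tls_security_options = noanonymous`) so PLAIN/LOGIN are only offered inside TLS. This matters here because master.cf in the same commit carries an active `-o smtpd_sasl_auth_enable=yes` outside the TLS-wrapped `smtps` entry.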

+ 21
- 0
roles/mail/vars/main.yml View File

@ -60,4 +60,25 @@ packages:
files:
- random
postfixadmin:
- postfixadmin
- libc-client2007e
- postfixadmin
- dbconfig-common
- libapr1
- libapache2-mod-php5
- libaprutil1-ldap
- apache2-mpm-prefork
- apache2-utils
- apache2
- apache2.2-common
- libaprutil1-dbd-sqlite3
- mlock
- apache2.2-bin
- php5-imap
- wwwconfig-common
- libaprutil1
- php5
- rsync
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:

+ 37
- 0
roles/nginx/files/etc-nginx-nginx.conf View File

@ -0,0 +1,37 @@
user www-data;
worker_processes 4;
worker_priority -10;
pid /var/run/nginx.pid;
worker_rlimit_nofile 65536;
events {
worker_connections 4096;
use epoll;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 8;
types_hash_max_size 2048;
server_tokens off;
keepalive_requests 100000;
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
gzip on;
gzip_disable "msie6";
#include /etc/nginx/naxsi_core.rules;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

+ 26
- 0
roles/nginx/files/etc-php5-fpm-pool.d-www-data.conf View File

@ -0,0 +1,26 @@
[www-data]
prefix = /var/tmp
user = www-data
group = www-data
listen = /var/run/php5-fpm-www-data.sock
listen.backlog = 1024
pm = ondemand
pm.max_children = 2
pm.process_idle_timeout = 30s;
pm.max_requests = 800
pm.status_path = /status
request_terminate_timeout = 120s
chdir = /
security.limit_extensions = .php .php3 .php4 .php5
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_admin_value[memory_limit] = 128M

+ 13
- 0
roles/nginx/handlers/main.yml View File

@ -0,0 +1,13 @@
---
# handlers du role nginx
- name: reload nginx
service: name=nginx state=reloaded
- name: restart nginx
service: name=nginx state=restarted
- name: start nginx
service: name=nginx state=started
- name: stop nginx
service: name=nginx state=stopped
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:

+ 23
- 0
roles/nginx/tasks/main.yml View File

@ -0,0 +1,23 @@
---
- name: Install default packages Debian.
apt: pkg={{item}} state=installed install_recommends=no
with_items:
- nginx
- nginx-common
- nginx-full
- php5-fpm
- name: Copy nginx.conf
tags: nginx
copy: src=etc-nginx-nginx.conf dest=/etc/nginx/nginx.conf
- name: Copy php5/fpm/pool.d/www-data.conf
tags: nginx
copy: src=etc-php5-fpm-pool.d-www-data.conf dest=/etc/php5/fpm/pool.d/www-data.conf
- name: Delete the www.conf template
tags: nginx
file: path=etc/php5/fpm/pool.d/www.conf state=absent
notify: restart nginx
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
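Review bot: `file: path=etc/php5/fpm/pool.d/www.conf state=absent` uses a relative path (no leading `/`), so it is resolved against the remote working directory and the stock `/etc/php5/fpm/pool.d/www.conf` is never removed; it should read `file: path=/etc/php5/fpm/pool.d/www.conf state=absent`. The task notifies `restart nginx`, but removing a PHP-FPM pool only takes effect after php5-fpm is restarted, and this role's handlers file defines no such handler; the two `copy:` tasks likewise replace nginx.conf and the FPM pool without notifying anything. The ownCloud role in this commit re-creates `/etc/php5/fpm/pool.d/www.conf` from a template, so whether this deletion is wanted at all depends on role ordering.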

+ 46
- 0
roles/nginx/vars/main.yml View File

@ -0,0 +1,46 @@
---
packages:
- nginx
- php5-cli
- php5-mysql
- php5-fpm
- php-apc
- php5-mysql
- php5-curl
- libmime-lite-perl
firewall_role_rules:
- "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"
sysctls:
- name: net.ipv4.ip_local_port_range
value: "'1024 65000'"
- name: net.ipv4.tcp_tw_reuse
value: 1
- name: net.ipv4.tcp_fin_timeout
value: 15
- name: net.core.netdev_max_backlog
value: 4096
- name: net.core.rmem_max
value: 16777216
- name: net.core.somaxconn
value: 4096
- name: net.core.wmem_max
value: 16777216
- name: net.ipv4.tcp_max_syn_backlog
value: 20480
- name: net.ipv4.tcp_max_tw_buckets
value: 400000
- name: net.ipv4.tcp_no_metrics_save
value: 1
- name: net.ipv4.tcp_rmem
value: "'4096 87380 16777216'"
- name: net.ipv4.tcp_syn_retries
value: 2
- name: net.ipv4.tcp_synack_retries
value: 2
- name: net.ipv4.tcp_wmem
value: "'4096 65536 16777216'"
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
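Review bot: `php5-mysql` appears twice in `packages` (third and sixth entries); drop one. `firewall_role_rules` opens only port 80, while the ownCloud vhost added in this commit listens on 443 and redirects all port-80 requests there, so unless another role opens 443 the site is unreachable through the firewall; add `"-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT"` here or, better, in the ownCloud role's vars. How `firewall_role_rules` is consumed is not visible in this chunk, so I am assuming the common role applies these as iptables rules.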

+ 46
- 0
roles/owncloud/handlers/main.yml View File

@ -0,0 +1,46 @@
---
# handlers du role common
- name: update aliases
command: newaliases
- name: restart munin-node
service: name=munin-node state=restarted
- name: restart hobbit-client
service: name=hobbit-client state=restarted
- name: restart xymon-client
service: name=xymon-client state=restarted
- name: restart gwm
service: name=gwm state=restarted
- name: restart xend
service: name=xend state=restarted
- name: update-grub
command: update-grub
- name: restart collectd
service: name=collectd state=restarted
- name: restart ntp
service: name=ntp state=restarted
- name: restart xymon
service: name=xymon state=restarted
- name: update mysql_relay_domains map
shell: postmap /etc/postfix/mysql_relay_domains.cf
- name: restart postfix
service: name=postfix state=restarted
- name: restart nginx
command: name=nginx state=restarted
- name: restart php5-fpm
shell: /etc/init.d/php5-fpm restart
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
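Review bot: `command: name=nginx state=restarted` under `restart nginx` hands `name=nginx state=restarted` to the `command` module as a program to execute, so the handler fails instead of restarting nginx; it should be `service: name=nginx state=restarted`, matching the other service handlers in this file and the nginx role's handler. The header `# handlers du role common` and the copied munin/xymon/xend/ntp/postfix handlers do not belong to an ownCloud role; keeping only `restart nginx` and `restart php5-fpm` (as `service: name=php5-fpm state=restarted` rather than a shell call) avoids two roles defining the same handler names with different behaviour.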

+ 78
- 0
roles/owncloud/tasks/main.yml View File

@ -0,0 +1,78 @@
---
- name: Install ownCloud dependencies
apt: pkg={{item}} state=installed update_cache=no
tags: owncloud
with_items: "{{ packages }}"
ignore_errors: no
- name: unlink default vhost nginx
tags: owncloud
shell: unlink /etc/nginx/sites-enabled/default
ignore_errors: yes
- name: Get ownCloud
tags:
- update
- owncloud
get_url: url=https://download.owncloud.org/community/owncloud-latest.tar.bz2 validate_certs=no dest=/root/owncloud-latest.tar.bz2
- name: Creation of the right folder
tags: owncloud
file: path=/etc/nginx/ssl/ state=directory recurse=yes
- name: create self-signed SSL cert
command: openssl req -new -nodes -x509 -subj "/C=FR/ST=SomeWhere/L=OverTheRainBow/O=OwnCloud/CN=owncloud.{{ domain }}" -days 3650 -keyout /etc/nginx/ssl/owncloud.key -out /etc/nginx/ssl/owncloud.crt -extensions v3_ca creates=/etc/nginx/ssl/owncloud.crt
tags: owncloud
notify: restart nginx
- name: Creation of the right folder
tags: owncloud
file: path=/var/www/owncloud/ state=directory recurse=yes
- name: Untar
tags:
- update
- owncloud
shell: tar xvf /root/owncloud-latest.tar.bz2 -C /var/www/owncloud/
ignore_errors: no
- name: Chown
tags:
- update
- owncloud
shell: chown -R www-data. /var/www/
- name: Randomly generate an ownCloud database password
shell: pwgen -y -B -s 80 1
tags:
- owncloud
register: dbpassword
- name: Config nginx
template: src=etc-nginx-sites-enabled-owncloud.j2 dest=/etc/nginx/sites-enabled/owncloud
tags: owncloud
notify: restart nginx
- name: Config PHP5-fpm
template: src=etc-php5-fpm-pool.d-www.conf.j2 dest=/etc/php5/fpm/pool.d/www.conf
tags: owncloud
notify: restart php5-fpm
- name: Config PHP5-fpm ini file
template: src=php.ini.j2 dest=/etc/php5/fpm/php.ini
tags: owncloud
notify: restart php5-fpm
- name: Import database template
tags:
- owncloud
template: src=root-ownclouddb.sql.j2 dest=/root/ownclouddb.sql
- name: Import sql file for account and db creation
tags:
- owncloud
shell: mysql < /root/ownclouddb.sql
notify: restart php5-fpm
#vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
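Review bot: `get_url: url=https://download.owncloud.org/... validate_certs=no` disables TLS certificate verification for the download and no `checksum=` is given, so an archive that is then unpacked as root and served as the web application is accepted from anyone able to interpose on the connection; drop `validate_certs=no` and pin a fixed release with `checksum=sha256:<EXPECTED_DIGEST>` (placeholder) instead of `owncloud-latest.tar.bz2`. `shell: pwgen -y -B -s 80 1` registers a new password on every run and the last task re-runs `mysql < /root/ownclouddb.sql` unconditionally, so each play tries to recreate the database user with a different password; generating the value once with `lookup('password', ...)` and guarding the import would make the role idempotent. `shell: chown -R www-data. /var/www/` also re-owns everything under `/var/www`, not just the ownCloud tree — `file: path=/var/www/owncloud state=directory owner=www-data group=www-data recurse=yes` is narrower and idempotent.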

+ 73
- 0
roles/owncloud/templates/etc-nginx-sites-enabled-owncloud.j2 View File

@ -0,0 +1,73 @@
server {
listen 80;
server_name owncloud.{{ domain }};
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name owncloud.{{ domain }};
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /etc/nginx/ssl/owncloud.crt;
ssl_certificate_key /etc/nginx/ssl/owncloud.key;
root /var/www/owncloud/owncloud/;
error_log /var/log/owncloud.error.log;
access_log /var/log/owncloud.access.log;
client_max_body_size 10G;
fastcgi_buffers 64 4K;
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
deny all;
}
location / {
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ index.php;
error_log /var/log/owncloud.error.log;
access_log /var/log/owncloud.access.log;
}
location ~ ^(.+?\.php)(/.*)?$ {
try_files $1 = 404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$1;
fastcgi_param PATH_INFO $2;
fastcgi_param HTTPS on;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_param htaccessWorking true;
fastcgi_read_timeout 360;
fastcgi_pass unix:/var/run/php5-fpm-www-data.sock;
error_log /var/log/owncloud.fpm.error.log;
access_log /var/log/owncloud.fpm.access.log;
}
# Optional: set long EXPIRES header on static assets
location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
expires 30d;
# Optional: Don't log access to assets
access_log off;
}
}
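Review bot: `ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;` offers RC4 (including RC4-MD5) and 3DES and contains no ECDHE/DHE suite, so the TLS sessions have no forward secrecy and accept ciphers that are considered broken; use a list such as `ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!RC4:!3DES;` together with `ssl_prefer_server_ciphers on;`. `try_files $1 = 404;` has a space before the status code, so nginx looks for the files `$1` and `=` and then internally redirects to the URI `404` instead of returning a 404; it must be `try_files $1 =404;`. `try_files $uri $uri/ index.php;` likewise uses a relative fallback where the ownCloud sample configuration uses `/index.php`. Since port 80 unconditionally redirects to this vhost, adding `add_header Strict-Transport-Security "max-age=15768000";` in the 443 server block would keep browsers on TLS for later visits.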

+ 36
- 0
roles/owncloud/templates/etc-php5-fpm-pool.d-www.conf.j2 View File

@ -0,0 +1,36 @@
[www-data]
prefix = /var/tmp
user = www-data
group = www-data
slowlog = /var/log/php-fpm/slowlog-site.log
listen = /var/run/php5-fpm-www-data.sock
listen.backlog = 1024
pm = dynamic
pm.start_servers = 4
pm.min_spare_servers = 2
pm.max_spare_servers = 6
pm.max_children = 8
pm.process_idle_timeout = 30s;
pm.max_requests = 800
pm.status_path = /status
listen.backlog = -1
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
request_terminate_timeout = 3600s
catch_workers_output=no
chdir = /
rlimit_core = unlimited
security.limit_extensions = .php .php3 .php4 .php5
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
env[HOSTNAME] = $HOSTNAME
php_admin_value[memory_limit] = 1G
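Review bot: The pool is named `[www-data]` and listens on `/var/run/php5-fpm-www-data.sock`, the same name and socket as the nginx role's `etc-php5-fpm-pool.d-www-data.conf` in this commit; if both files land in `/etc/php5/fpm/pool.d/`, php5-fpm will, as far as I know, reject the duplicate pool name, and even if it did not the two pools would contend for one socket. `listen.mode = 0666` makes the socket world-writable, which is unnecessary since `listen.owner`/`listen.group` are already `www-data` and nginx runs as `www-data` per the nginx role's config; `listen.mode = 0660` suffices. `listen.backlog` is set twice (1024, then -1), `rlimit_core = unlimited` will write core dumps containing request data to disk, and `pm.process_idle_timeout = 30s;` carries a stray `;` that INI parsing treats as a comment start — harmless, but inconsistent with the other `pm.*` lines.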

+ 1789
- 0
roles/owncloud/templates/php.ini.j2
File diff suppressed because it is too large


+ 5
- 0
roles/owncloud/templates/root-ownclouddb.sql.j2 View File

@ -0,0 +1,5 @@
CREATE USER 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}';
GRANT USAGE ON * . * TO 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}' WITH MAX_QUERIES_PER_HOUR 0
MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE DATABASE IF NOT EXISTS `owncloud` ;
GRANT ALL PRIVILEGES ON `owncloud` . * TO 'owncloud'@'localhost';
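Review bot: `CREATE USER 'owncloud'@'localhost' ...` errors when the account already exists, and the tasks hunk runs this script on every play without a guard, so the second run fails (or, if errors were ignored, keeps the old password while the config template was rendered with the new one). The password is interpolated into a single-quoted SQL literal but comes from `pwgen -y`, whose symbol set includes `'` and `\`, so a generated value can break the statement; generate from letters and digits only or escape the value before templating. `GRANT USAGE ... WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0` only restates defaults and can go; a `mysql_user:` task would give idempotent account creation and avoid writing the password to `/root/ownclouddb.sql`.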

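--- a/roles/owncloud/vars/main.yml
+++ b/roles/owncloud/vars/main.yml
@@ -0,0 +1,17 @@
+packages:
+- php5
+- php5-gd
+- php-xml-parser
+- php5-intl
+- php5-sqlite
+- php5-mysql
+- php5-pgsql
+- smbclient
+- php5-curl
+- php5-mcrypt
+- php5-fpm
+- pwgen
+- bzip2
+- php5-ldap
+# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: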

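--- a/roles/prosody/handlers/main.yml
+++ b/roles/prosody/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart prosody
+command: /etc/init.d/prosody restart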
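Review bot: `command: /etc/init.d/prosody restart` bypasses Ansible's service abstraction and is always reported as changed; the wallabag role in roles/wallabag/handlers/main.yml uses `service: name=apache2 state=restarted` for the same job, so for consistency write `service: name=prosody state=restarted` here.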

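--- a/roles/prosody/tasks/main.yml
+++ b/roles/prosody/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+# Provides the Prosody Jabber/XMPP server.
+- include: prosody.yml tags=prosody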

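--- a/roles/prosody/tasks/prosody.yml
+++ b/roles/prosody/tasks/prosody.yml
@@ -0,0 +1,29 @@
+- name: Ensure repository key for Prosody is in place
+apt_key: url=https://prosody.im/files/prosody-debian-packages.key state=present
+# Prosody supplies repo for sid, squeeze, wheezy, jessie, trusty, saucy, raring, quantal, precise and lucid
+- name: Add Prosody Debian/Ubuntu repository
+apt_repository: repo="deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main"
+- name: Install Prosody from official repository
+apt: pkg=prosody update_cache=yes
+- name: Add prosody user to ssl-cert group
+user: name=prosody groups=ssl-cert append=yes
+- name: Create Prosody data directory
+file: state=directory path=/decrypted/prosody owner=prosody group=prosody
+- name: Configure Prosody
+template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=root owner=root
+notify: restart prosody
+- name: Create Prosody accounts
+command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
+with_items: prosody_accounts
+- name: Set firewall rules for Prosody
+ufw: rule=allow port={{ item }} proto=tcp
+with_items:
+- 5222 # xmpp c2s
+- 5269 # xmpp s2s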
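Review bot: The `Create Prosody accounts` task passes each `{{ item.password }}` on the prosodyctl command line, so the plaintext password appears in the process list while it runs and in Ansible's task output; add `no_log: true` to that task. The task is also not idempotent: `prosodyctl register` presumably refuses an account that already exists, which would abort every later run, so guard it with a `creates=` on the account's storage file under /decrypted/prosody (confirm the exact layout on a running server) rather than letting the failure propagate. The `apt_key` step trusts whatever the URL returns; pinning the expected fingerprint with `id=<KEY-ID placeholder>` protects against a substituted key.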

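--- a/roles/prosody/templates/prosody.cfg.lua.j2
+++ b/roles/prosody/templates/prosody.cfg.lua.j2
@@ -0,0 +1,175 @@
+-- Prosody XMPP Server Configuration
+--
+-- Information on configuring Prosody can be found on our
+-- website at http://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running: luac -p prosody.cfg.lua
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- Good luck, and happy Jabbering!
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see http://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { "{{ prosody_admin }}" }
+-- Enable use of libevent for better performance under high load
+-- For more information see: http://prosody.im/doc/libevent
+--use_libevent = true;
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation on modules can be found at: http://prosody.im/doc/modules
+modules_enabled = {
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+-- Not essential, but recommended
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"vcard"; -- Allow users to set vCards
+-- These are commented by default as they have a performance impact
+"privacy"; -- Support privacy lists
+--"compression"; -- Stream compression (requires the lua-zlib package installed)
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+-- "pep"; -- Enables users to publish their mood, activity, playing music and more
+"register"; -- Allow users to register on this server using a client and change passwords
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"http_files"; -- Serve static files from a directory over HTTP
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+};
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+};
+-- Disable account creation by default, for security
+-- For more information see http://prosody.im/doc/creating_accounts
+allow_registration = false;
+-- These are the SSL/TLS-related settings. If you don't want
+-- to use SSL/TLS, you may comment or remove this
+ssl = {
+key = "/etc/ssl/private/wildcard_private.key";
+certificate = "/etc/ssl/certs/wildcard_public_cert.crt";
+}
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+c2s_require_encryption = true
+-- Force certificate authentication for server-to-server connections?
+-- This provides ideal security, but requires servers you communicate
+-- with to support encryption AND present valid, trusted certificates.
+-- NOTE: Your version of LuaSec must support certificate verification!
+-- For more information see http://prosody.im/doc/s2s#security
+s2s_secure_auth = false
+-- Many servers don't support encryption or have invalid or self-signed
+-- certificates. You can list domains here that will not be required to
+-- authenticate using certificates. They will be authenticated using DNS.
+--s2s_insecure_domains = { "gmail.com" }
+-- Even if you leave s2s_secure_auth disabled, you can still require valid
+-- certificates for some domains by specifying a list here.
+--s2s_secure_domains = { "jabber.org" }
+-- Required for init scripts and prosodyctl
+pidfile = "/var/run/prosody/prosody.pid"
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+-- To allow Prosody to offer secure authentication mechanisms to clients, the
+-- default provider stores passwords in plaintext. If you do not trust your
+-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
+-- for information about using the hashed backend.
+authentication = "internal_plain"
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See http://prosody.im/doc/storage for more info.
+--storage = "sql" -- Default is "internal"
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+-- Logging configuration
+-- For advanced logging see http://prosody.im/doc/logging
+log = {
+info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
+error = "/var/log/prosody/prosody.err";
+"*syslog";
+}
+data_path = "/decrypted/prosody"
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+VirtualHost "{{ prosody_virtual_domain }}"
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see http://prosody.im/doc/components
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+-- Set up a SOCKS5 bytestream proxy for server-proxied file tr3ansfers:
+--Component "proxy.example.com" "proxy65"
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: http://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"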
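Review bot: `authentication = "internal_plain"` stores every account password unhashed under /decrypted/prosody, which the comment block directly above it already warns about; `authentication = "internal_hashed"` keeps the same client-facing mechanisms and still works with the `prosodyctl register` task in roles/prosody/tasks/prosody.yml. `s2s_secure_auth = false` leaves federation peers' certificates unverified; that may be a deliberate interoperability trade-off, but the choice deserves a one-line comment so it is revisited rather than inherited. The `register` module stays enabled while `allow_registration = false`; that combination is fine because, as the module's own comment says, it also serves password changes, but a comment such as `-- kept enabled for in-band password changes; allow_registration below stays false` would stop someone from dropping it later by mistake.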

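--- a/roles/wallabag/handlers/main.yml
+++ b/roles/wallabag/handlers/main.yml
@@ -0,0 +1,10 @@
+- name: import wallabag sql
+shell: PGPASSWORD='{{ wallabag_db_password }}' psql -h localhost -d {{ wallabag_db_database }} -U {{ wallabag_db_username }} -f /var/www/wallabag/install/postgres.sql --set ON_ERROR_STOP=1
+notify: remove install folder
+#'
+- name: restart apache2
+service: name=apache2 state=restarted
+- name: remove install folder
+file: path=/var/www/wallabag/install state=absent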
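Review bot: The `import wallabag sql` handler loads install/postgres.sql through psql, yet nothing in roles/wallabag/tasks/wallabag.yml notifies it — those tasks create a MySQL user and import install/mysql.sql — while roles/wallabag/templates/var_www_wallabag_inc_poche_config.inc.php.j2 sets `STORAGE` to 'postgres', so the deployed application is pointed at a PostgreSQL database that is never created. Either make the tasks, this handler and the template agree on one backend, or drive all three from a single variable. The `PGPASSWORD='{{ wallabag_db_password }}'` prefix puts the password into the command line Ansible logs; if the handler is kept, add `no_log: true` to it. Whether a handler's own `notify: remove install folder` fires depends on the Ansible version in use; confirm it actually runs.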

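--- a/roles/wallabag/tasks/main.yml
+++ b/roles/wallabag/tasks/main.yml
@@ -0,0 +1 @@
+- include: wallabag.yml tags=wallabag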

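--- a/roles/wallabag/tasks/wallabag.yml
+++ b/roles/wallabag/tasks/wallabag.yml
@@ -0,0 +1,73 @@
+- name: Determine whether wallabag is configured
+stat: path=/var/www/wallabag/inc/poche/config.inc.php
+register: wallabag_config
+- name: Clone wallabag
+git: repo=https://github.com/wallabag/wallabag.git
+dest=/var/www/wallabag
+version={{ wallabag_version }}
+accept_hostkey=yes
+- name: Remove wallabag 'install' directory if its configuration file is there
+file: name=/var/www/wallabag/install state=absent
+when: wallabag_config.stat.exists == True
+- name: Install wallabag dependencies
+apt: pkg={{ item }} state=present
+with_items:
+- php5
+- php5-curl
+- php5-mcrypt
+- php5-pgsql
+- php5-tidy
+- name: Import database user template
+template: src=root-wallabag.sql.j2 dest=/root/wallabag.sql
+- name: Import sql file for account and db creation
+shell: mysql < /root/wallabag.sql
+- name: Import wallabag sql
+shell: mysql {{ wallabag_db_database }} < /var/www/wallabag/install/mysql.sql
+notify: remove install folder
+- name: Build Composer
+shell: curl -sS https://getcomposer.org/installer | php
+chdir=/root
+creates=/root/composer.phar
+- name: Initialize composer
+command: php /root/composer.phar install
+chdir=/var/www/wallabag
+creates=/var/www/wallabag/vendor/autoload.php
+- name: Set wallabag permissions
+file: owner=www-data
+group=www-data
+path=/var/www/wallabag
+recurse=yes
+state=directory
+- name: Create the configuration file
+template: src=var_www_wallabag_inc_poche_config.inc.php.j2
+dest=/var/www/wallabag/inc/poche/config.inc.php
+owner=www-data
+group=www-data
+- name: Rename existing Apache wallabag virtualhost
+command: mv /etc/apache2/sites-available/wallabag /etc/apache2/sites-available/wallabag.conf removes=/etc/apache2/sites-available/wallabag
+- name: Remove old sites-enabled/wallabag symlink (new one will be created by a2ensite)
+command: rm /etc/apache2/sites-enabled/wallabag removes=/etc/apache2/sites-enabled/wallabag
+- name: Configure the Apache HTTP server for wallabag
+template: src=etc_apache2_sites-available_wallabag.j2
+dest=/etc/apache2/sites-available/wallabag.conf
+owner=root
+group=root
+- name: Enable the wallabag site
+command: a2ensite wallabag.conf
+creates=/etc/apache2/sites-enabled/wallabag.conf
+notify: restart apache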
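Review bot: `notify: restart apache` on the last task does not match the handler, which roles/wallabag/handlers/main.yml names `restart apache2`, so Apache is never restarted after the vhost is installed (or the play errors out, depending on the Ansible version); the fix is `notify: restart apache2`. The two `shell: mysql < ...` imports run on every play and the second re-applies install/mysql.sql against an already populated database; a `creates=/var/www/wallabag/install` argument on both, which the `remove install folder` handler deletes afterwards, would make them one-shot. The `creates=` checks on the composer steps already follow that pattern, so it would be consistent. `accept_hostkey=yes` on an https clone URL has no effect and can be dropped.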

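--- a/roles/wallabag/templates/etc_apache2_sites-available_wallabag.j2
+++ b/roles/wallabag/templates/etc_apache2_sites-available_wallabag.j2
@@ -0,0 +1,31 @@
+<VirtualHost *:80>
+ServerName {{ wallabag_domain }}
+Redirect permanent / https://{{ wallabag_domain }}/
+</VirtualHost>
+<VirtualHost *:443>
+ServerName {{ wallabag_domain }}
+SSLEngine on
+SSLProtocol ALL -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
+SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
+SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
+SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
+Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+DocumentRoot /var/www/wallabag
+Options -Indexes
+ErrorLog /var/log/apache2/wallabag.info-error_log
+CustomLog /var/log/apache2/wallabag.info-access_log common
+<Directory /var/www/wallabag>
+AllowOverride All
+Order allow,deny
+allow from all
+DirectoryIndex index.php
+</Directory>
+</VirtualHost>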
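Review bot: `Header add Strict-Transport-Security ...` appends rather than sets and, without `always`, is omitted from non-2xx responses such as error pages; use `Header always set Strict-Transport-Security "max-age=15768000; includeSubdomains"`. `Order allow,deny` / `allow from all` are Apache 2.2 directives that work on 2.4 only through mod_access_compat; `Require all granted` is the native 2.4 form. `SSLCACertificateFile` configures client-certificate verification rather than the chain sent to browsers; if wildcard_ca.pem is meant to be the intermediate chain, `SSLCertificateChainFile` is the directive for that, and otherwise the line can go.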

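--- a/roles/wallabag/templates/root-wallabag.sql.j2
+++ b/roles/wallabag/templates/root-wallabag.sql.j2
@@ -0,0 +1,5 @@
+CREATE USER 'wallabag'@'localhost' IDENTIFIED BY '{{ wallabag_db_password }}';
+GRANT USAGE ON * . * TO 'wallabag'@'localhost' IDENTIFIED BY '{{ wallabag_db_password }}' WITH MAX_QUERIES_PER_HOUR 0
+MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+CREATE DATABASE IF NOT EXISTS `wallabag` ;
+GRANT ALL PRIVILEGES ON `wallabag` . * TO 'wallabag'@'localhost';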

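--- a/roles/wallabag/templates/var_www_wallabag_inc_poche_config.inc.php.j2
+++ b/roles/wallabag/templates/var_www_wallabag_inc_poche_config.inc.php.j2
@@ -0,0 +1,58 @@
+<?php
+/**
+* wallabag, self hostable application allowing you to not miss any content anymore
+*
+* @category wallabag
+* @author Nicolas Lœuillet <nicolas@loeuillet.org>
+* @copyright 2013
+* @license http://www.wtfpl.net/ see COPYING file
+*/
+define ('SALT', '{{ wallabag_salt }}'); # put a strong string here
+define ('LANG', 'en_EN.utf8');
+define ('STORAGE', 'postgres'); # postgres, mysql or sqlite
+define ('STORAGE_SQLITE', ROOT . '/db/poche.sqlite'); # if you are using sqlite, where the database file is located
+# only for postgres & mysql
+define ('STORAGE_SERVER', 'localhost');
+define ('STORAGE_DB', '{{ wallabag_db_database }}');
+define ('STORAGE_USER', '{{ wallabag_db_username }}');
+define ('STORAGE_PASSWORD', '{{ wallabag_db_password }}');
+#################################################################################
+# Do not trespass unless you know what you are doing
+#################################################################################
+// Change this if not using the standart port for SSL - i.e you server is behind sslh
+define ('SSL_PORT', 443);
+define ('MODE_DEMO', FALSE);
+define ('DEBUG_POCHE', FALSE);
+define ('DOWNLOAD_PICTURES', FALSE);
+define ('CONVERT_LINKS_FOOTNOTES', FALSE);
+define ('REVERT_FORCED_PARAGRAPH_ELEMENTS', FALSE);
+define ('SHARE_TWITTER', TRUE);
+define ('SHARE_MAIL', TRUE);
+define ('SHARE_SHAARLI', FALSE);
+define ('SHAARLI_URL', 'http://myshaarliurl.com');
+define ('FLATTR', TRUE);
+define ('FLATTR_API', 'https://api.flattr.com/rest/v2/things/lookup/?url=');
+define ('NOT_FLATTRABLE', '0');
+define ('FLATTRABLE', '1');
+define ('FLATTRED', '2');
+define ('ABS_PATH', 'assets/');
+define ('DEFAULT_THEME', 'baggy');
+define ('THEME', ROOT . '/themes');
+define ('LOCALE', ROOT . '/locale');
+define ('CACHE', ROOT . '/cache');
+define ('PAGINATION', '10');
+//limit for download of articles during import
+define ('IMPORT_LIMIT', 5);
+//delay between downloads (in sec)
+define ('IMPORT_DELAY', 5);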
