first commit

README.textile

@@ -0,0 +1,106 @@
+h1. Introduction
+
+Sovereign is a set of "Ansible":http://ansibleworks.com playbooks that you can use to build and maintain your own *wince* "personal cloud":http://www.urbandictionary.com/define.php?term=clown%20computing. It's based entirely on open source software, so you're in control.
+
+If you've never used Ansible before, you a) are in for a treat and b) might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.
+
+h2. Background/Motivations
+
+I had been a paying Google Apps customer for personal and corporate use since the service was in beta. Until several weeks ago, that is. I was about to set up another Google Apps account for a new project when I stopped to consider what I would be funding with my USD $50 per user per year:
+
+# A "seriously questionable privacy track record":https://en.wikipedia.org/wiki/Criticism_of_Google#Privacy.
+# A "dwindling commitment to open standards":https://www.eff.org/deeplinks/2013/05/google-abandons-open-standards-instant-messaging.
+# A "lack of long-term commitment to products":http://www.quora.com/Google-Products/What-are-all-the-Google-products-that-have-been-shut-down.
+# Development of Google+: a cynical and "unimaginative Facebook ripoff":http://gigaom.com/2012/03/15/google-plus-the-problem-isnt-design-its-a-lack-of-demand/ that's "intruding into progressively more Google products":http://bits.blogs.nytimes.com/2012/03/06/google-defending-google-plus-shares-usage-numbers/?_r=0.
+
+To each her/his own, but personally I saw little reason to continue participating in the Google ecosystem. It had been years since I last ran my own server for email and such, but it's only gotten cheaper and easier to do so.
+
+Rather than writing up a long and hard-to-follow set of instructions, I decided to share my server setup in a format that you can more or less just clone, configure, and run. Ansible seemed like the most appropriate way to do that: it's simple, straightforward, and easy to pick up.
+
+I've been using this setup for about a month now and it's been great. It's also replaced a couple of non-Google services I used, saving me money and making me feel like I've got a little more privacy.
+
+h2. Services Provided
+
+What do you get if you point this thing at a VPS? All kinds of good stuff!
+
+* "IMAP":https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol over SSL via "Dovecot":http://dovecot.org/, complete with full text search provided by "Solr":https://lucene.apache.org/solr/.
+* "SMTP":https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol over SSL via Postfix, including a nice set of "DNSBLs":https://en.wikipedia.org/wiki/DNSBL to discard spam before it ever hits your filters.
+* Virtual domains for your email, backed by "MySQL":https://www.mysql.com/.
+* Secure on-disk storage for email and more via "EncFS":http://www.arg0.net/encfs.
+* Spam fighting via "DSPAM":http://dspam.sourceforge.net/ and "Postgrey":http://postgrey.schweikert.ch/.
+* Mail server verification via "OpenDKIM":http://www.opendkim.org/, so folks know you're legit.
+* "CalDAV":https://en.wikipedia.org/wiki/CalDAV and "CardDAV":https://en.wikipedia.org/wiki/CardDAV to keep your calendars and contacts in sync, via "ownCloud":http://owncloud.org/.
+* Your own private "Dropbox":https://www.dropbox.com/, also via "ownCloud":http://owncloud.org/.
+* Your own VPN server via "OpenVPN":http://openvpn.net/index.php/open-source.html.
+* An IRC bouncer via "ZNC":http://wiki.znc.in/ZNC.
+* "Monit":http://mmonit.com/monit/ to keep everything running smoothly (and alert you when it's not).
+* Web hosting (ex: for your blog) via "Apache":https://www.apache.org/.
+* Firewall management via "ferm":http://ferm.foo-projects.org/.
+* Intrusion prevention via "fail2ban":http://www.fail2ban.org/ and rootkit detection via "rkhunter":http://rkhunter.sourceforge.net.
+* Nightly backups to "Tarsnap":https://www.tarsnap.com/.
+* A bunch of nice-to-have tools like "mosh":http://mosh.mit.edu and "htop":http://htop.sourceforge.net that make life with a server a little easier.
+
+No setup is perfect, but the general idea is to provide a bunch of useful services while being reasonably secure and low-maintainance. Set it up, SSH in every couple weeks, but mostly forget about it.
+
+Don't want one or more of the above services? Comment out the relevant role in `site.yml`. Or get more granular and comment out the associated `include:` directive in one of the playbooks.
+
+h1. Usage
+
+h2. What You'll Need
+
+# A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at "Linode":http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b. You'll probably want at least 512 MB of RAM between Apache, Solr, and MySQL. Mine has 1024.
+# "Debian 7":http://www.debian.org/News/2013/20130504 or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks.)
+# A wildcard SSL certificate. I bought one. You could self-sign if you wanna save money.
+# A "Tarsnap":http://www.tarsnap.com account with some credit in it. You could comment this out if you want to use a different backup service. I pay for backups at Linode in addition to the Tarsnap nightlies because you can never be too sure.
+
+h2. Manual Steps
+
+This does a lot for you automatically but there's still some stuff you have to do by hand.
+
+# Set up EncFS as per "these instructions":http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/.
+# Create a user account for Ansible to do its thing through. This account should be set up for passwordless sudo.
+# Put your Tarsnap key in `roles/common/files/root_tarsnap.key`.
+# Put your SSL certificate's components in the respective files that start with `wildcard_ca` in `roles/common/files`, and a combined version in `roles/ircbouncer/files/etc_ssl_znc-combined.pem`.
+# You should probably disable remote root login and password-based logins in `/etc/ssh/sshd_config` but that's up to you.
+
+Now, the time-consuming part: grep through the files for the string `TODO` and replace as necessary. You'll probably want to check out all the files in the respective `vars/` sub-directories in each playbook directory.
+
+h2. Running It
+
+First, make sure you've "got Ansible installed":http://ansibleworks.com/docs/gettingstarted.html#getting-ansible.
+
+To run the whole dang thing:
+
+  ansible-playbook -i ./hosts site.yml
+
+To run just one or more piece, use tags. I try to tag all my includes for easy isolated development. For example, to focus in on your firewall setup:
+
+  ansible-playbook -i ./hosts --tags=ferm site.yml
+
+You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there's no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I've tried to add comments where manual intervention is necessary. OpenVPN in particular requires a bunch of manual command line stuff to get running.
+
+h2. How I Use It
+
+I use this setup from my Mac like this:
+
+* I read email in "Airmail":https://itunes.apple.com/us/app/airmail/id573171375?mt=12.
+* I manage my calendar and contacts via the Apple-provided Calendar.app and Contacts.app. See "ownCloud's docs":http://doc.owncloud.com/server/5.0EE/user_manual/pim/index.html to get it set up.
+* I connect to the VPS via "Viscosity":http://www.sparklabs.com/viscosity/. It has some dumb DNS bug right now so I have to point my machine to "OpenDNS":https://use.opendns.com/ in order to resolve names. Despite that, it's better than the "alternative":https://code.google.com/p/tunnelblick/.
+* I connect to the IRC bouncer with "Textual":http://www.codeux.com/textual/.
+* I run the "ownCloud sync client":https://owncloud.com/download for Dropbox-like file sync.
+* I manage my blog and other sites with "Jekyll":http://jekyllrb.com/ locally, then push the resulting builds up to the server via "rsync":https://rsync.samba.org/ over SSH.
+
+... and from my iPhone like this:
+
+* I read email in the Apple-provided Mail app and check it quickly in "Triage":http://www.triage.cc/.
+* I manage my calendar and contacts with the built-in apps. Boring, effective. See the "ownCloud docs":http://doc.owncloud.com/server/5.0EE/user_manual/pim/index.html for setup instructions.
+* I access files stored in my ownCloud instance via "their app":https://itunes.apple.com/us/app/owncloud/id543672169?mt=8.
+* I connect to my IRC bouncer with "Palaver":https://itunes.apple.com/us/app/id538073623?mt=8.
+
+h1. Contributing
+
+If you improve one of the provided playbooks or add an exciting new one, send a pull request. Everyone benefits.
+
+h2. License
+
+Original content is "GPLv3":http://gplv3.fsf.org, same as Ansible. All files and templates based on third-party software should be considered under their respective licenses.

TODO

@@ -0,0 +1 @@
+- ensure log rotation

hosts

@@ -0,0 +1,2 @@
+[cerf]
+198.58.112.239

requirements.txt

@@ -0,0 +1 @@
+ansible==1.3

roles/blog/tasks/blog.yml

@@ -0,0 +1,8 @@
+- name: Create directory for blog HTML
+  file: state=directory path=/var/www/${blog_domain} group=www-data owner=www-data
+
+- name: Configure the Apache HTTP server for the blog
+  template: src=etc_apache2_sites-available_blog.j2 dest=/etc/apache2/sites-available/${blog_domain} group=www-data owner=www-data
+- command: a2ensite ${blog_domain}
+  notify: restart apache
+  

roles/blog/tasks/main.yml

@@ -0,0 +1 @@
+- include: blog.yml tags=blog

roles/blog/templates/etc_apache2_sites-available_blog.j2

@@ -0,0 +1,26 @@
+NameVirtualHost *:80
+
+<VirtualHost *:80>
+    ServerName {{ blog_domain }}
+    ServerAlias www.{{ blog_domain }}
+
+    Redirect / https://{{ blog_domain }}/
+</VirtualHost>
+
+NameVirtualHost *:443
+
+<VirtualHost *:443>
+    ServerName {{ blog_domain }}
+    ServerAlias www.{{ blog_domain }}
+
+    SSLEngine on
+    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
+
+    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
+    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
+    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+
+    DocumentRoot            "/var/www/{{ blog_domain }}"
+    DirectoryIndex          index.html
+    HostnameLookups         Off
+</VirtualHost>

roles/blog/vars/main.yml

@@ -0,0 +1 @@
+blog_domain: TODO.com

roles/common/files/etc_fail2ban_filter.d_dovecot-pop3imap.conf

@@ -0,0 +1,3 @@
+[Definition]
+failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
+ignoreregex =

roles/common/files/etc_ferm_ferm.conf

@@ -0,0 +1,36 @@
+# Firewall configuration for a web and SMTP server.
+# See http://ferm.foo-projects.org/
+
+table filter {
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local connections
+        interface lo ACCEPT;
+
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+
+        # expose our services to the world:
+        # web, ssh, imap + ssl, smtp + ssl, jabber/xmpp, dns, znc
+        proto tcp dport (53 http https ssh smtp 993 465 5222 5223 5269 6697) ACCEPT;
+
+        # openvpn
+        proto udp dport 1194 ACCEPT;
+
+        # mosh port range
+        proto udp dport 60000:61000 ACCEPT;
+
+        # the rest is dropped by the above policy
+    }
+
+    # outgoing connections are not limited
+    chain OUTPUT policy ACCEPT;
+
+    # this is not a router
+    chain FORWARD policy DROP;
+}

roles/common/files/root_tarsnap.key

@@ -0,0 +1,3 @@
+# START OF TARSNAP KEY FILE
+TODO
+# END OF TARSNAP KEY FILE

roles/common/files/wildcard_ca.pem

@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----

roles/common/files/wildcard_private.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+TODO
+-----END PRIVATE KEY-----

roles/common/files/wildcard_public_cert.crt

@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----

roles/common/handlers/ferm.yml

@@ -0,0 +1,4 @@
+---
+
+- name: reload ferm rules
+  command: /etc/init.d/ferm reload

roles/common/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+# Defines handlers applicable across all machines in the infrastructure.
+
+- name: restart ntp
+  service: name=ntp state=restarted
+
+- name: restart apache
+  service: name=apache2 state=restarted
+
+- name: restart fail2ban
+  service: name=fail2ban state=restarted
+
+- include: ferm.yml

roles/common/tasks/ferm.yml

@@ -0,0 +1,11 @@
+---
+# Installs and configures ferm, which in turn uses iptables for firewall management
+
+- name: Install ferm
+  apt: pkg=ferm state=present
+
+- name: Copy ferm firewall rules into place
+  file: path=/etc/ferm state=directory
+- copy: src=etc_ferm_ferm.conf dest=/etc/ferm/ferm.conf
+  notify:
+    - reload ferm rules

roles/common/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+# Defines tasks applicable across all machines in the infrastructure.
+
+- name: Install necessities and nice-to-haves
+  apt: pkg=$item state=installed
+  with_items:
+    - sudo
+    - vim
+    - htop
+    - iftop
+    - iotop
+    - mosh
+    - zsh
+    - git
+    - encfs
+    - libfuse-dev
+    - fuse-utils
+    - ruby1.9.3
+    - screen
+    - apache2
+    - build-essential
+    - apticron
+    - update-notifier-common
+    - debian-goodies
+
+- name: Install ntp
+  apt: pkg=ntp state=installed
+
+- name: Configure ntp
+  template: src=ntp.conf.j2 dest=/etc/ntp.conf
+  notify:
+    - restart ntp
+
+- name: Ensure ntpd is running and enabled
+  service: name=ntp state=running enabled=yes
+
+- name: Disable default Apache site
+  command: a2dissite default
+
+- include: users.yml tags=users
+- include: ssl.yml tags=ssl
+- include: ferm.yml tags=ferm
+- include: security.yml tags=security
+- include: tarsnap.yml tags=tarsnap

roles/common/tasks/security.yml

@@ -0,0 +1,11 @@
+- name: Install security-related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - fail2ban
+    - rkhunter
+    - lynis
+
+- name: Copy fail2ban configuration files into place
+  copy: src=etc_fail2ban_filter.d_dovecot-pop3imap.conf dest=/etc/fail2ban/filter.d/dovecot-pop3imap.conf
+- template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local
+  notify: restart fail2ban

roles/common/tasks/ssl.yml

@@ -0,0 +1,11 @@
+- name: Copy SSL private key into place
+  copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=root owner=root
+
+- name: Copy SSL public certificate into place
+  copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root
+
+- name: Copy CA combined certificate into place
+  copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root
+
+- name: Enable Apache SSL module
+  command: a2enmod ssl

roles/common/tasks/tarsnap.yml

@@ -0,0 +1,28 @@
+- name: Install dependencies for Tarsnap
+  apt: pkg=$item state=installed
+  with_items:
+    - libssl-dev
+    - zlib1g-dev
+    - e2fslibs-dev
+
+- name: Download Tarsnap source
+  get_url: url=https://www.tarsnap.com/download/tarsnap-autoconf-${tarsnap_version}.tgz dest=/root/tarsnap-autoconf-${tarsnap_version}.tgz
+  #sha256sum=14c0172afac47f5f7cbc58e6442a27a0755685711f9d1cec4195c4f457053811
+
+- name: Decompress Tarsnap source
+  command: tar xzf /root/tarsnap-autoconf-${tarsnap_version}.tgz chdir=/root creates=/root/tarsnap-autoconf-${tarsnap_version}/COPYING
+
+- name: Configure Tarsnap for local build
+  command: ./configure chdir=/root/tarsnap-autoconf-${tarsnap_version} creates=/root/tarsnap-autoconf-${tarsnap_version}/Makefile
+
+- name: Build and install Tarsnap
+  command: make all install clean chdir=/root/tarsnap-autoconf-${tarsnap_version} creates=/usr/local/bin/tarsnap
+
+- name: Copy Tarsnap key file into place
+  copy: src=root_tarsnap.key dest=/root/tarsnap.key owner=root group=root
+
+- name: Create Tarsnap cache directory
+  file: state=directory path=/usr/tarsnap-cache
+
+- name: Install nightly Tarsnap cronjob
+  cron: name="Tarsnap backup" hour="3" job="tarsnap --cachedir /usr/tarsnap-cache --keyfile /root/tarsnap.key -c -f backup-`date +\%Y\%m\%d` /home /root /decrypted-mail /var/www /var/log /var/lib/mysql > /dev/null"

roles/common/tasks/users.yml

@@ -0,0 +1,2 @@
+- name: Create main user account
+  user: name=${main_user_name} state=present shell=/usr/bin/zsh groups=${main_user_name},sudo,fuse

roles/common/templates/etc_fail2ban_jail.local.j2

@@ -0,0 +1,34 @@
+[DEFAULT]
+ignoreip  = 127.0.0.1 198.58.112.239
+bantime   = 86400
+destemail = {{ admin_email }}
+banaction = iptables-multiport
+action    = %(action_mwl)s
+
+# JAILS
+[ssh]
+enabled   = true
+maxretry  = 3
+ 
+[pam-generic]
+enabled   = true
+banaction = iptables-allports
+ 
+[ssh-ddos]
+enabled   = true
+
+[apache]
+enabled = true
+ 
+[postfix]
+enabled  = true
+maxretry = 1
+
+[dovecot-pop3imap]
+enabled = true
+filter = dovecot-pop3imap
+action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
+logpath = /var/log/maillog
+maxretry = 20
+findtime = 1200
+bantime = 1200

roles/common/templates/ntp.conf.j2

@@ -0,0 +1,49 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Use servers from the NTP Pool Project
+server 0.north-america.pool.ntp.org
+server 1.north-america.pool.ntp.org
+server 2.north-america.pool.ntp.org
+server 3.north-america.pool.ntp.org
+
+# fallback
+server tick.usno.navy.mil
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient

roles/common/vars/main.yml

@@ -0,0 +1,3 @@
+main_user_name: TODO
+admin_email: TODO@TODO.com
+tarsnap_version: 1.0.34

roles/ircbouncer/files/etc_init.d_znc

@@ -0,0 +1,139 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          znc
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: ZNC IRC bouncer
+# Description:       ZNC is an IRC bouncer
+### END INIT INFO
+ 
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="ZNC daemon"
+NAME=znc
+DAEMON=/usr/local/bin/$NAME
+DATADIR=/var/lib/znc
+DAEMON_ARGS="--datadir=$DATADIR"
+PIDDIR=/var/run/znc
+PIDFILE=$PIDDIR/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+USER=znc
+GROUP=znc
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+  # Return
+  #   0 if daemon has been started
+  #   1 if daemon was already running
+  #   2 if daemon could not be started
+  if [ ! -d $PIDDIR ]
+  then
+    mkdir $PIDDIR
+  fi
+  chown $USER:$GROUP $PIDDIR
+  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test --chuid $USER > /dev/null || return 1
+  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER -- $DAEMON_ARGS > /dev/null || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+  # Return
+  #   0 if daemon has been stopped
+  #   1 if daemon was already stopped
+  #   2 if daemon could not be stopped
+  #   other if a failure occurred
+  start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME --chuid $USER
+  RETVAL="$?"
+  [ "$RETVAL" = 2 ] && return 2
+  # Wait for children to finish too if this is a daemon that forks
+  # and if the daemon is only ever run from this initscript.
+  # If the above conditions are not satisfied then add some other code
+  # that waits for the process to drop all resources that could be
+  # needed by services started subsequently.  A last resort is to
+  # sleep for some time.
+  start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --chuid $USER
+  [ "$?" = 2 ] && return 2
+  # Many daemons don't delete their pidfiles when they exit.
+  rm -f $PIDFILE
+  return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+  start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME --chuid $USER
+  return 0
+}
+
+case "$1" in
+  start)
+  [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+  do_start
+  case "$?" in
+    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+  esac
+  ;;
+  stop)
+  [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+  do_stop
+  case "$?" in
+    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+  esac
+  ;;
+  status)
+  status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $?
+  ;;
+  reload)
+  log_daemon_msg "Reloading $DESC" "$NAME"
+  do_reload
+  log_end_msg $?
+  ;;
+  restart)
+  log_daemon_msg "Restarting $DESC" "$NAME"
+  do_stop
+  case "$?" in
+    0|1)
+    do_start
+    case "$?" in
+      0) log_end_msg 0 ;;
+      1) log_end_msg 1 ;; # Old process is still running
+      *) log_end_msg 1 ;; # Failed to start
+    esac
+    ;;
+    *)
+    # Failed to stop
+    log_end_msg 1
+    ;;
+  esac
+  ;;
+  *)
+  echo "Usage: $SCRIPTNAME {status|start|stop|reload|restart}" >&2
+  exit 3
+  ;;
+esac
+
+:

roles/ircbouncer/files/etc_ssl_znc-combined.pem

@@ -0,0 +1,12 @@
+-----BEGIN PRIVATE KEY-----
+TODO
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+TODO
+-----END CERTIFICATE-----

roles/ircbouncer/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: restart znc
+  service: name=znc state=restarted

roles/ircbouncer/tasks/main.yml

@@ -0,0 +1 @@
+- include: znc.yml tags=znc

roles/ircbouncer/tasks/znc.yml

@@ -0,0 +1,47 @@
+# more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
+
+- name: Install znc dependencies
+  apt: pkg=$item state=installed
+  with_items:
+    - build-essential
+    - libssl-dev
+    - openssl
+    - swig
+    - automake
+    - libtool
+    - libsasl2-dev
+    - checkinstall
+    - g++
+    - pkg-config
+    - python3-dev
+    - libperl-dev
+
+- name: Download znc release
+  get_url: url=http://znc.in/releases/znc-${znc_version}.tar.gz dest=/root/znc-${znc_version}.tar.gz
+
+- name: Decompress znc source
+  command: tar xzf /root/znc-${znc_version}.tar.gz chdir=/root creates=/root/znc-${znc_version}/configure
+
+- name: Build and install znc
+  command: ./configure --enable-python ; make ; make install executable=/bin/bash chdir=/root/znc-${znc_version} creates=/usr/local/bin/znc
+
+- name: Create znc group
+  group: name=znc state=present
+
+- name: Create znc user
+  user: name=znc state=present home=/var/lib/znc system=yes group=znc
+
+- name: Copy znc init file into place
+  copy: src=etc_init.d_znc dest=/etc/init.d/znc mode=0755
+
+- name: Copy znc combined SSL cert into place
+  copy: src=etc_ssl_znc-combined.pem dest=/etc/ssl/znc-combined.pem owner=znc group=znc
+
+# NOTE: you should probably just generate this using the directions above and then edit via the web panel
+#- name: Copy znc configuration file into place
+#  template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc
+
+- name: Ensure znc is a system service
+  command: update-rc.d znc defaults
+  notify: restart znc
+

roles/ircbouncer/templates/var_lib_znc_configs_znc.conf.j2

@@ -0,0 +1,71 @@
+// WARNING
+//
+// Do NOT edit this file while ZNC is running!
+// Use webadmin or *controlpanel instead.
+//
+// Buf if you feel risky, you might want to read help on /znc saveconfig and /znc rehash.
+// Also check http://en.znc.in/wiki/Configuration
+
+AnonIPLimit = 10
+ConnectDelay = 5
+LoadModule = webadmin
+LoadModule = fail2ban
+LoadModule = lastseen
+MaxBufferSize = 500
+PidFile = /var/run/znc/znc.pid
+ProtectWebSessions = true
+SSLCertFile = /etc/ssl/znc-combined.pem
+ServerThrottle = 30
+Skin = _default_
+StatusPrefix = *
+Version = 1.0
+
+<Listener listener0>
+	AllowIRC = true
+	AllowWeb = true
+	IPv4 = true
+	IPv6 = false
+	Port = 6697
+	SSL = true
+</Listener>
+
+<User TODO>
+	Admin = true
+	Allow = *
+	AltNick = TODO_
+	AppendTimestamp = false
+	AutoClearChanBuffer = true
+	Buffer = 5000
+	ChanModes = +stn
+	DenyLoadMod = false
+	DenySetBindHost = false
+	Ident = TODO
+	JoinTries = 10
+	LoadModule = controlpanel
+	LoadModule = perform
+	LoadModule = block_motd
+	LoadModule = clientnotify
+	MaxNetworks = 1
+	MultiClients = true
+	Nick = TODO
+	PrependTimestamp = true
+	QuitMsg = TODO
+	RealName = TODO
+	TimestampFormat = [%H:%M:%S]
+
+	<Network freenode>
+		FloodBurst = 4
+		FloodRate = 1.00
+		IRCConnectEnabled = true
+		LoadModule = kickrejoin
+		LoadModule = nickserv
+		LoadModule = savebuff
+		Server = chat.freenode.net 6665
+	</Network>
+
+	<Pass password>
+		Hash = TODO
+		Method = SHA256
+		Salt = TODO
+	</Pass>
+</User>

roles/ircbouncer/vars/main.yml

@@ -0,0 +1 @@
+znc_version: 1.0

roles/mailserver/files/dot_dovecot.sieve

@@ -0,0 +1,11 @@
+require ["regex", "fileinto", "imap4flags"];
+# Catch mail tagged as Spam, except Spam retrained and delivered to the mailbox
+if allof (header :regex "X-DSPAM-Result" "^(Spam|Virus|Bl[ao]cklisted)$",
+          not header :contains "X-DSPAM-Reclassified" "Innocent") {
+  # Mark as read
+  setflag "\\Seen";
+  # Move into the Junk folder
+  fileinto "Spam";
+  # Stop processing here
+  stop;
+}

roles/mailserver/files/etc_dovecot_conf.d_10-auth.conf

@@ -0,0 +1,127 @@
+##
+## Authentication processes
+##
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# matches the local IP (ie. you're connecting from the same computer), the
+# connection is considered secure and plaintext authentication is allowed.
+disable_plaintext_auth = yes
+
+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
+#auth_cache_size = 0
+# Time to live for cached data. After TTL expires the cached record is no
+# longer used, *except* if the main database lookup returns internal failure.
+# We also try to handle password changes automatically: If user's previous
+# authentication was successful, but this one wasn't, the cache isn't used.
+# For now this works only with plaintext authentication.
+#auth_cache_ttl = 1 hour
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
+#auth_cache_negative_ttl = 1 hour
+
+# Space separated list of realms for SASL authentication mechanisms that need
+# them. You can leave it empty if you don't want to support multiple realms.
+# Many clients simply use the first one listed here, so keep the default realm
+# first.
+#auth_realms =
+
+# Default realm/domain to use if none was specified. This is used for both
+# SASL realms and appending @domain to username in plaintext logins.
+#auth_default_realm = 
+
+# List of allowed characters in username. If the user-given username contains
+# a character not listed in here, the login automatically fails. This is just
+# an extra check to make sure user can't exploit any potential quote escaping
+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+# set this value to empty.
+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+
+# Username character translations before it's looked up from databases. The
+# value contains series of from -> to characters. For example "#@/@" means
+# that '#' and '/' characters are translated to '@'.
+#auth_username_translation =
+
+# Username formatting before it's looked up from databases. You can use
+# the standard variables here, eg. %Lu would lowercase the username, %n would
+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
+# "-AT-". This translation is done after auth_username_translation changes.
+#auth_username_format = %Lu
+
+# If you want to allow master users to log in by specifying the master
+# username within the normal username string (ie. not using SASL mechanism's
+# support for it), you can specify the separator character here. The format
+# is then <username><separator><master username>. UW-IMAP uses "*" as the
+# separator, so that could be a good choice.
+#auth_master_user_separator =
+
+# Username to use for users logging in with ANONYMOUS SASL mechanism
+#auth_anonymous_username = anonymous
+
+# Maximum number of dovecot-auth worker processes. They're used to execute
+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
+# automatically created and destroyed as needed.
+#auth_worker_max_count = 30
+
+# Host name to use in GSSAPI principal names. The default is to use the
+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
+# entries.
+#auth_gssapi_hostname =
+
+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
+# default (usually /etc/krb5.keytab) if not specified. You may need to change
+# the auth service to run as root to be able to read this file.
+#auth_krb5_keytab = 
+
+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+#auth_use_winbind = no
+
+# Path for Samba's ntlm_auth helper binary.
+#auth_winbind_helper_path = /usr/bin/ntlm_auth
+
+# Time to delay before replying to failed authentications.
+#auth_failure_delay = 2 secs
+
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+
+# Take the username from client's SSL certificate, using 
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName. 
+#auth_ssl_username_from_cert = no
+
+# Space separated list of wanted authentication mechanisms:
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain login
+
+##
+## Password and user databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static" userdb.
+#
+# <doc/wiki/UserDatabase.txt>
+
+#!include auth-deny.conf.ext
+#!include auth-master.conf.ext
+
+#!include auth-system.conf.ext
+!include auth-sql.conf.ext
+#!include auth-ldap.conf.ext
+#!include auth-passwdfile.conf.ext
+#!include auth-checkpassword.conf.ext
+#!include auth-vpopmail.conf.ext
+#!include auth-static.conf.ext

roles/mailserver/files/etc_dovecot_conf.d_10-mail.conf

@@ -0,0 +1,362 @@
+##
+## Mailbox locations and namespaces
+##
+
+# Location for users' mailboxes. The default is empty, which means that Dovecot
+# tries to find the mailboxes automatically. This won't work if the user
+# doesn't yet have any mail, so you should explicitly tell Dovecot the full
+# location.
+#
+# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
+# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
+# kept. This is called the "root mail directory", and it must be the first
+# path given in the mail_location setting.
+#
+# There are a few special variables you can use, eg.:
+#
+#   %u - username
+#   %n - user part in user@domain, same as %u if there's no domain
+#   %d - domain part in user@domain, empty if there's no domain
+#   %h - home directory
+#
+# See doc/wiki/Variables.txt for full list. Some examples:
+#
+#   mail_location = maildir:~/Maildir
+#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
+#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
+#
+# <doc/wiki/MailLocation.txt>
+#
+mail_location = maildir:/decrypted-mail/%d/%n
+
+# If you need to set multiple mailbox locations or want to change default
+# namespace settings, you can do it by defining namespace sections.
+#
+# You can have private, shared and public namespaces. Private namespaces
+# are for user's personal mails. Shared namespaces are for accessing other
+# users' mailboxes that have been shared. Public namespaces are for shared
+# mailboxes that are managed by sysadmin. If you create any shared or public
+# namespaces you'll typically want to enable ACL plugin also, otherwise all
+# users can access all the shared mailboxes, assuming they have permissions
+# on filesystem level to do so.
+namespace inbox {
+  # Namespace type: private, shared or public
+  #type = private
+
+  # Hierarchy separator to use. You should use the same separator for all
+  # namespaces or some clients get confused. '/' is usually a good one.
+  # The default however depends on the underlying mail storage format.
+  #separator = 
+
+  # Prefix required to access this namespace. This needs to be different for
+  # all namespaces. For example "Public/".
+  #prefix = 
+
+  # Physical location of the mailbox. This is in same format as
+  # mail_location, which is also the default for it.
+  #location =
+
+  # There can be only one INBOX, and this setting defines which namespace
+  # has it.
+  inbox = yes
+
+  # If namespace is hidden, it's not advertised to clients via NAMESPACE
+  # extension. You'll most likely also want to set list=no. This is mostly
+  # useful when converting from another server with different namespaces which
+  # you want to deprecate but still keep working. For example you can create
+  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
+  #hidden = no
+
+  # Show the mailboxes under this namespace with LIST command. This makes the
+  # namespace visible for clients that don't support NAMESPACE extension.
+  # "children" value lists child mailboxes, but hides the namespace prefix.
+  #list = yes
+
+  # Namespace handles its own subscriptions. If set to "no", the parent
+  # namespace handles them (empty prefix should always have this as "yes")
+  #subscriptions = yes
+}
+
+# Example shared namespace configuration
+#namespace {
+  #type = shared
+  #separator = /
+
+  # Mailboxes are visible under "shared/user@domain/"
+  # %%n, %%d and %%u are expanded to the destination user.
+  #prefix = shared/%%u/
+
+  # Mail location for other users' mailboxes. Note that %variables and ~/
+  # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
+  # destination user's data.
+  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
+
+  # Use the default namespace for saving subscriptions.
+  #subscriptions = no
+
+  # List the shared/ namespace only if there are visible shared mailboxes.
+  #list = children
+#}
+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
+#mail_shared_explicit_inbox = yes
+
+# System user and group used to access mails. If you use multiple, userdb
+# can override these by returning uid or gid fields. You can use either numbers
+# or names. <doc/wiki/UserIds.txt>
+#mail_uid =
+#mail_gid =
+
+# Group to enable temporarily for privileged operations. Currently this is
+# used only with INBOX when either its initial creation or dotlocking fails.
+# Typically this is set to "mail" to give access to /var/mail.
+mail_privileged_group = vmail
+
+# Grant access to these supplementary groups for mail processes. Typically
+# these are used to set up access to shared mailboxes. Note that it may be
+# dangerous to set these if users can create symlinks (e.g. if "mail" group is
+# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
+# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
+#mail_access_groups =
+
+# Allow full filesystem access to clients. There's no access checks other than
+# what the operating system does for the active UID/GID. It works with both
+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
+# or ~user/.
+#mail_full_filesystem_access = no
+
+##
+## Mail processes
+##
+
+# Don't use mmap() at all. This is required if you store indexes to shared
+# filesystems (NFS or clustered filesystem).
+#mmap_disable = no
+
+# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
+# since version 3, so this should be safe to use nowadays by default.
+#dotlock_use_excl = yes
+
+# When to use fsync() or fdatasync() calls:
+#   optimized (default): Whenever necessary to avoid losing important data
+#   always: Useful with e.g. NFS when write()s are delayed
+#   never: Never use it (best performance, but crashes can lose data)
+#mail_fsync = optimized
+
+# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
+# whenever needed. If you're using only a single mail server this isn't needed.
+#mail_nfs_storage = no
+# Mail index files also exist in NFS. Setting this to yes requires
+# mmap_disable=yes and fsync_disable=no.
+#mail_nfs_index = no
+
+# Locking method for index files. Alternatives are fcntl, flock and dotlock.
+# Dotlocking uses some tricks which may create more disk I/O than other locking
+# methods. NFS users: flock doesn't work, remember to change mmap_disable.
+#lock_method = fcntl
+
+# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
+#mail_temp_dir = /tmp
+
+# Valid UID range for users, defaults to 500 and above. This is mostly
+# to make sure that users can't log in as daemons or other system users.
+# Note that denying root logins is hardcoded to dovecot binary and can't
+# be done even if first_valid_uid is set to 0.
+first_valid_uid = 0
+#last_valid_uid = 0
+
+# Valid GID range for users, defaults to non-root/wheel. Users having
+# non-valid GID as primary group ID aren't allowed to log in. If user
+# belongs to supplementary groups with non-valid GIDs, those groups are
+# not set.
+#first_valid_gid = 1
+#last_valid_gid = 0
+
+# Maximum allowed length for mail keyword name. It's only forced when trying
+# to create new keywords.
+#mail_max_keyword_length = 50
+
+# ':' separated list of directories under which chrooting is allowed for mail
+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
+# This setting doesn't affect login_chroot, mail_chroot or auth chroot
+# settings. If this setting is empty, "/./" in home dirs are ignored.
+# WARNING: Never add directories here which local users can modify, that
+# may lead to root exploit. Usually this should be done only if you don't
+# allow shell access for users. <doc/wiki/Chrooting.txt>
+#valid_chroot_dirs = 
+
+# Default chroot directory for mail processes. This can be overridden for
+# specific users in user database by giving /./ in user's home directory
+# (eg. /home/./user chroots into /home). Note that usually there is no real
+# need to do chrooting, Dovecot doesn't allow users to access files outside
+# their mail directory anyway. If your home directories are prefixed with
+# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
+#mail_chroot = 
+
+# UNIX socket path to master authentication server to find users.
+# This is used by imap (for shared users) and lda.
+#auth_socket_path = /var/run/dovecot/auth-userdb
+
+# Directory where to look up mail plugins.
+#mail_plugin_dir = /usr/lib/dovecot/modules
+
+# Space separated list of plugins to load for all services. Plugins specific to
+# IMAP, LDA, etc. are added to this list in their own .conf files.
+#mail_plugins = 
+
+##
+## Mailbox handling optimizations
+##
+
+# The minimum number of mails in a mailbox before updates are done to cache
+# file. This allows optimizing Dovecot's behavior to do less disk writes at
+# the cost of more disk reads.
+#mail_cache_min_mail_count = 0
+
+# When IDLE command is running, mailbox is checked once in a while to see if
+# there are any new mails or other changes. This setting defines the minimum
+# time to wait between those checks. Dovecot can also use dnotify, inotify and
+# kqueue to find out immediately when changes occur.
+#mailbox_idle_check_interval = 30 secs
+
+# Save mails with CR+LF instead of plain LF. This makes sending those mails
+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
+# But it also creates a bit more disk I/O which may just make it slower.
+# Also note that if other software reads the mboxes/maildirs, they may handle
+# the extra CRs wrong and cause problems.
+#mail_save_crlf = no
+
+# Max number of mails to keep open and prefetch to memory. This only works with
+# some mailbox formats and/or operating systems.
+#mail_prefetch_count = 0
+
+# How often to scan for stale temporary files and delete them (0 = never).
+# These should exist only after Dovecot dies in the middle of saving mails.
+#mail_temp_scan_interval = 1w
+
+##
+## Maildir-specific settings
+##
+
+# By default LIST command returns all entries in maildir beginning with a dot.
+# Enabling this option makes Dovecot return only entries which are directories.
+# This is done by stat()ing each entry, so it causes more disk I/O.
+# (For systems setting struct dirent->d_type, this check is free and it's
+# done always regardless of this setting)
+#maildir_stat_dirs = no
+
+# When copying a message, do it with hard links whenever possible. This makes
+# the performance much better, and it's unlikely to have any side effects.
+#maildir_copy_with_hardlinks = yes
+
+# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
+# when its mtime changes unexpectedly or when we can't find the mail otherwise.
+#maildir_very_dirty_syncs = no
+
+# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
+# getting the mail's physical size, except when recalculating Maildir++ quota.
+# This can be useful in systems where a lot of the Maildir filenames have a
+# broken size. The performance hit for enabling this is very small.
+#maildir_broken_filename_sizes = no
+
+##
+## mbox-specific settings
+##
+
+# Which locking methods to use for locking mbox. There are four available:
+#  dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
+#           solution. If you want to use /var/mail/ like directory, the users
+#           will need write access to that directory.
+#  dotlock_try: Same as dotlock, but if it fails because of permissions or
+#               because there isn't enough disk space, just skip it.
+#  fcntl  : Use this if possible. Works with NFS too if lockd is used.
+#  flock  : May not exist in all systems. Doesn't work with NFS.
+#  lockf  : May not exist in all systems. Doesn't work with NFS.
+#
+# You can use multiple locking methods; if you do the order they're declared
+# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
+# locking methods as well. Some operating systems don't allow using some of
+# them simultaneously.
+#mbox_read_locks = fcntl
+#mbox_write_locks = dotlock fcntl
+
+# Maximum time to wait for lock (all of them) before aborting.
+#mbox_lock_timeout = 5 mins
+
+# If dotlock exists but the mailbox isn't modified in any way, override the
+# lock file after this much time.
+#mbox_dotlock_change_timeout = 2 mins
+
+# When mbox changes unexpectedly we have to fully read it to find out what
+# changed. If the mbox is large this can take a long time. Since the change
+# is usually just a newly appended mail, it'd be faster to simply read the
+# new mails. If this setting is enabled, Dovecot does this but still safely
+# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
+# how it's expected to be. The only real downside to this setting is that if
+# some other MUA changes message flags, Dovecot doesn't notice it immediately.
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
+# commands.
+#mbox_dirty_syncs = yes
+
+# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
+# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
+#mbox_very_dirty_syncs = no
+
+# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
+# commands and when closing the mailbox). This is especially useful for POP3
+# where clients often delete all mails. The downside is that our changes
+# aren't immediately visible to other MUAs.
+#mbox_lazy_writes = yes
+
+# If mbox size is smaller than this (e.g. 100k), don't write index files.
+# If an index file already exists it's still read, just not updated.
+#mbox_min_index_size = 0
+
+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
+# algorithm, but it fails if the first Received: header isn't unique in all
+# mails. An alternative algorithm is "all" that selects all headers.
+#mbox_md5 = apop3d
+
+##
+## mdbox-specific settings
+##
+
+# Maximum dbox file size until it's rotated.
+#mdbox_rotate_size = 2M
+
+# Maximum dbox file age until it's rotated. Typically in days. Day begins
+# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
+#mdbox_rotate_interval = 0
+
+# When creating new mdbox files, immediately preallocate their size to
+# mdbox_rotate_size. This setting currently works only in Linux with some
+# filesystems (ext4, xfs).
+#mdbox_preallocate_space = no
+
+##
+## Mail attachments
+##
+
+# sdbox and mdbox support saving mail attachments to external files, which
+# also allows single instance storage for them. Other backends don't support
+# this for now.
+
+# WARNING: This feature hasn't been tested much yet. Use at your own risk.
+
+# Directory root where to store mail attachments. Disabled, if empty.
+#mail_attachment_dir =
+
+# Attachments smaller than this aren't saved externally. It's also possible to
+# write a plugin to disable saving specific attachments externally.
+#mail_attachment_min_size = 128k
+
+# Filesystem backend to use for saving attachments:
+#  posix : No SiS done by Dovecot (but this might help FS's own deduplication)
+#  sis posix : SiS with immediate byte-by-byte comparison during saving
+#  sis-queue posix : SiS with delayed comparison and deduplication
+#mail_attachment_fs = sis posix
+
+# Hash format to use in attachment filenames. You can add any text and
+# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
+# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
+#mail_attachment_hash = %{sha1}

roles/mailserver/files/etc_dovecot_conf.d_10-master.conf

@@ -0,0 +1,127 @@
+#default_process_limit = 100
+#default_client_limit = 1000
+
+# Default VSZ (virtual memory size) limit for service processes. This is mainly
+# intended to catch and kill processes that leak memory before they eat up
+# everything.
+#default_vsz_limit = 256M
+
+# Login user is internally used by login processes. This is the most untrusted
+# user in Dovecot system. It shouldn't have access to anything at all.
+#default_login_user = dovenull
+
+# Internal user is used by unprivileged processes. It should be separate from
+# login user, so that login processes can't disturb other processes.
+default_internal_user = vmail
+
+service imap-login {
+  inet_listener imap {
+    port = 0
+  }
+
+  inet_listener imaps {
+    #port = 993
+    #ssl = yes
+  }
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  #service_count = 1
+
+  # Number of processes to always keep waiting for more connections.
+  #process_min_avail = 0
+
+  # If you set service_count=0, you probably need to grow this.
+  #vsz_limit = $default_vsz_limit
+}
+
+service pop3-login {
+  inet_listener pop3 {
+    port = 0
+  }
+
+  inet_listener pop3s {
+    #port = 995
+    #ssl = yes
+  }
+}
+
+service lmtp {
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+    mode = 0666
+    group = postfix
+    user = postfix
+  }
+
+  # Create inet listener only if you can't use the above UNIX socket
+  #inet_listener lmtp {
+    # Avoid making LMTP visible for the entire internet
+    #address =
+    #port = 
+  #}
+
+  user = vmail
+}
+
+service imap {
+  # Most of the memory goes to mmap()ing files. You may need to increase this
+  # limit if you have huge mailboxes.
+  #vsz_limit = $default_vsz_limit
+
+  # Max. number of IMAP processes (connections)
+  #process_limit = 1024
+}
+
+service pop3 {
+  # Max. number of POP3 processes (connections)
+  #process_limit = 1024
+}
+
+service auth {
+  # auth_socket_path points to this userdb socket by default. It's typically
+  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
+  # permissions make it readable only by root, but you may need to relax these
+  # permissions. Users that have access to this socket are able to get a list
+  # of all usernames and get results of everyone's userdb lookups.
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
+
+  unix_listener auth-userdb {
+    mode = 0660
+    user = vmail
+    group = vmail
+  }
+
+  # Postfix smtp-auth
+  #unix_listener /var/spool/postfix/private/auth {
+  #  mode = 0666
+  #}
+
+  # Auth process is run as this user.
+  user = vmail
+}
+
+service auth-worker {
+  # Auth worker process is run as root by default, so that it can access
+  # /etc/shadow. If this isn't necessary, the user should be changed to
+  # $default_internal_user.
+  #user = vmail
+
+  unix_listener auth-worker {
+    user = vmail # same as above, mode and group are supported too
+  }
+}
+
+service dict {
+  # If dict proxy is used, mail processes should have access to its socket.
+  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
+  unix_listener dict {
+    #mode = 0600
+    #user = 
+    #group = 
+  }
+}

roles/mailserver/files/etc_dovecot_conf.d_10-ssl.conf

@@ -0,0 +1,50 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = required
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </etc/ssl/certs/wildcard_public_cert.crt
+ssl_key = </etc/ssl/private/wildcard_private.key
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+ssl_ca = /etc/ssl/certs/wildcard_ca.pem
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# How often to regenerate the SSL parameters file. Generation is quite CPU
+# intensive operation. The value is in hours, 0 disables regeneration
+# entirely.
+#ssl_parameters_regenerate = 168
+
+# SSL protocols to use
+#ssl_protocols = !SSLv2
+
+# SSL ciphers to use
+#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =

roles/mailserver/files/etc_dovecot_conf.d_20-imap.conf

@@ -0,0 +1,64 @@
+##
+## IMAP specific settings
+##
+
+protocol imap {
+  # Maximum IMAP command line length. Some clients generate very long command
+  # lines with huge mailboxes, so you may need to raise this if you get
+  # "Too long argument" or "IMAP command line too large" errors often.
+  #imap_max_line_length = 64k
+
+  # Maximum number of IMAP connections allowed for a user from each IP address.
+  # NOTE: The username is compared case-sensitively.
+  #mail_max_userip_connections = 10
+
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins antispam fts fts_solr
+
+  # IMAP logout format string:
+  #  %i - total number of bytes read from client
+  #  %o - total number of bytes sent to client
+  #imap_logout_format = bytes=%i/%o
+
+  # Override the IMAP CAPABILITY response. If the value begins with '+',
+  # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+  #imap_capability = 
+
+  # How long to wait between "OK Still here" notifications when client is
+  # IDLEing.
+  #imap_idle_notify_interval = 2 mins
+
+  # ID field names and values to send to clients. Using * as the value makes
+  # Dovecot use the default value. The following fields have default values
+  # currently: name, version, os, os-version, support-url, support-email.
+  #imap_id_send = 
+
+  # ID fields sent by client to log. * means everything.
+  #imap_id_log =
+
+  # Workarounds for various client bugs:
+  #   delay-newmail:
+  #     Send EXISTS/RECENT new mail notifications only when replying to NOOP
+  #     and CHECK commands. Some clients ignore them otherwise, for example OSX
+  #     Mail (<v2.1). Outlook Express breaks more badly though, without this it
+  #     may show user "Message no longer in server" errors. Note that OE6 still
+  #     breaks even with this workaround if synchronization is set to
+  #     "Headers Only".
+  #   tb-extra-mailbox-sep:
+  #     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
+  #     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
+  #     ignore the extra '/' instead of treating it as invalid mailbox name.
+  #   tb-lsub-flags:
+  #     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
+  #     This makes Thunderbird realize they aren't selectable and show them
+  #     greyed out, instead of only later giving "not selectable" popup error.
+  #
+  # The list is space-separated.
+  #imap_client_workarounds = 
+}
+
+protocol lmtp {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins sieve
+  postmaster_address = postmaster@syntax.cc
+}

roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf

@@ -0,0 +1,26 @@
+##
+## Plugin settings
+##
+
+# All wanted plugins must be listed in mail_plugins setting before any of the
+# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
+# their configuration. Note that %variable expansion is done for all values.
+
+plugin {
+  # Antispam (DSPAM)
+  antispam_backend = dspam
+  antispam_allow_append_to_spam = YES
+  antispam_spam = Spam;Junk
+  antispam_trash = trash;Trash
+  antispam_signature = X-DSPAM-Signature
+  antispam_signature_missing = error
+  antispam_dspam_binary = /usr/bin/dspam
+  antispam_dspam_args = --user;%u;--deliver=;--source=error
+  antispam_dspam_spam = --class=spam
+  antispam_dspam_notspam = --class=innocent
+  antispam_dspam_result_header = X-DSPAM-Result
+
+  # FTS (full text search with Solr)
+  fts = solr
+  fts_solr = break-imap-search url=http://localhost:8080/solr/
+}

roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext

@@ -0,0 +1,30 @@
+# Authentication for SQL users. Included from auth.conf.
+#
+# <doc/wiki/AuthDatabase.SQL.txt>
+
+passdb {
+  driver = sql
+
+  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
+  args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+# <doc/wiki/UserDatabase.Prefetch.txt>
+#userdb {
+#  driver = prefetch
+#}
+
+userdb {
+  driver = static
+  args = uid=vmail gid=vmail home=/decrypted-mail/%d/%n
+}
+
+# If you don't have any user-specific settings, you can avoid the user_query
+# by using userdb static instead of userdb sql, for example:
+# <doc/wiki/UserDatabase.Static.txt>
+#userdb {
+  #driver = static
+  #args = uid=vmail gid=vmail home=/var/vmail/%u
+#}

roles/mailserver/files/etc_dovecot_dovecot.conf

@@ -0,0 +1,99 @@
+## Dovecot configuration file
+
+# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
+
+# "doveconf -n" command gives a clean output of the changed settings. Use it
+# instead of copy&pasting files when posting to the Dovecot mailing list.
+
+# '#' character and everything after it is treated as comments. Extra spaces
+# and tabs are ignored. If you want to use either of these explicitly, put the
+# value inside quotes, eg.: key = "# char and trailing whitespace  "
+
+# Default values are shown for each setting, it's not required to uncomment
+# those. These are exceptions to this though: No sections (e.g. namespace {})
+# or plugin settings are added by default, they're listed only as examples.
+# Paths are also just examples with the real defaults being based on configure
+# options. The paths listed here are for configure --prefix=/usr
+# --sysconfdir=/etc --localstatedir=/var
+
+# Enable installed protocols
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+
+# A comma separated list of IPs or hosts where to listen in for connections. 
+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+# If you want to specify non-default ports or anything more complex,
+# edit conf.d/master.conf.
+#listen = *, ::
+
+# Base directory where to store runtime data.
+#base_dir = /var/run/dovecot/
+
+# Name of this instance. In multi-instance setup doveadm and other commands
+# can use -i <instance_name> to select which instance is used (an alternative
+# to -c <config_path>). The instance name is also added to Dovecot processes
+# in ps output.
+#instance_name = dovecot
+
+# Greeting message for clients.
+#login_greeting = Dovecot ready.
+
+# Space separated list of trusted network ranges. Connections from these
+# IPs are allowed to override their IP addresses and ports (for logging and
+# for authentication checks). disable_plaintext_auth is also ignored for
+# these networks. Typically you'd specify your IMAP proxy servers here.
+#login_trusted_networks =
+
+# Sepace separated list of login access check sockets (e.g. tcpwrap)
+#login_access_sockets = 
+
+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
+# proxying. This isn't necessary normally, but may be useful if the destination
+# IP is e.g. a load balancer's IP.
+#auth_proxy_self =
+
+# Show more verbose process titles (in ps). Currently shows user name and
+# IP address. Useful for seeing who are actually using the IMAP processes
+# (eg. shared mailboxes or if same uid is used for multiple accounts).
+#verbose_proctitle = no
+
+# Should all processes be killed when Dovecot master process shuts down.
+# Setting this to "no" means that Dovecot can be upgraded without
+# forcing existing client connections to close (although that could also be
+# a problem if the upgrade is e.g. because of a security fix).
+#shutdown_clients = yes
+
+# If non-zero, run mail commands via this many connections to doveadm server,
+# instead of running them directly in the same process.
+#doveadm_worker_count = 0
+# UNIX socket or host:port used for connecting to doveadm server
+#doveadm_socket_path = doveadm-server
+
+# Space separated list of environment variables that are preserved on Dovecot
+# startup and passed down to all of its child processes. You can also give
+# key=value pairs to always set specific settings.
+#import_environment = TZ
+
+##
+## Dictionary server settings
+##
+
+# Dictionary can be used to store key=value lists. This is used by several
+# plugins. The dictionary can be accessed either directly or though a
+# dictionary server. The following dict block maps dictionary names to URIs
+# when the server is used. These can then be referenced using URIs in format
+# "proxy::<name>".
+
+dict {
+  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+}
+
+# Most of the actual configuration gets included below. The filenames are
+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
+# in filenames are intended to make it easier to understand the ordering.
+!include conf.d/*.conf
+
+# A config file can also tried to be included without giving an error if
+# it's not found:
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+protocols = imap lmtp

roles/mailserver/files/etc_dspam_default.prefs

@@ -0,0 +1,43 @@
+# $Id: default.prefs,v 1.2 2011/04/19 07:17:03 sbajic Exp $
+# default.prefs v3.2
+# Default preferences for DSPAM
+
+# This file serves two purposes. First, it sets the default preferences each
+# user will see when using the preferences section of the DSPAM Control
+# Center. Second, it may be symbolically linked (or copied) into DSPAM_HOME to
+# set the system-wide default preferences, overriding any commandline or
+# dspam.conf parameters. If symlinked, an administrator can edit these options 
+# in the DSPAM Administrative Suite.
+
+# Training Mode: TEFT, TOE, TUM, NOTRAIN
+trainingMode=TEFT
+
+# Spam Action: quarantine, tag, deliver
+spamAction=deliver         # { quarantine | tag | deliver } -> default:quarantine
+
+# Spam Subject: the text to be prepended onto the subject line of tagged spams
+spamSubject=[SPAM]
+
+# Bayesian Noise Reduction: on/off
+enableBNR=on
+
+# Automatic Whitelisting: on/off
+enableWhitelist=on
+
+# Statistical Sedation: 0-10
+statisticalSedation=5
+
+# Signature Location: message, headers, attachment
+signatureLocation=headers  # { message | headers } -> default:message
+
+# Whitelist Threshold: the minimum number of innocent hits from a recipient to
+# be automatically whitelisted. Do not set this value too low!
+whitelistThreshold=10
+
+# showFactors: when set to on, the determining factors for each message will
+# be added to a X-DSPAM-Factors message header.
+showFactors=on
+
+# optIn/optOut: Depending on the opt mode set, you can also use one of these.
+#optIn=on
+#optOut=off

roles/mailserver/files/etc_dspam_dspam.conf

@@ -0,0 +1,699 @@
+## $Id: dspam.conf.in,v 1.100 2011/07/09 00:00:52 sbajic Exp $
+## dspam.conf -- DSPAM configuration file
+##
+
+#
+# DSPAM Home: Specifies the base directory to be used for DSPAM storage
+#
+Home /var/spool/dspam
+
+#
+# StorageDriver: Specifies the storage driver backend (library) to use.
+# You'll only need to set this if you are using dynamic storage driver plugins
+# from a binary distribution. The default build statically links the storage
+# driver (when only one is specified at configure time), overriding this
+# setting, which only comes into play if multiple storage drivers are specified
+# at configure time. When using dynamic linking, be sure to include the path
+# to the library if necessary, and some systems may use an extension other
+# than .so (e.g. OSX uses .dylib).
+#
+# Options include:
+#
+#   libmysql_drv.so     libpgsql_drv.so
+#   libsqlite3_drv.so   libhash_drv.so
+#
+# IMPORTANT: Switching storage drivers requires more than merely changing
+# this option. If you do not wish to lose all of your data, you will need to
+# migrate it to the new backend before making this change.
+#
+StorageDriver /usr/lib/x86_64-linux-gnu/dspam/libhash_drv.so
+
+#
+# Trusted Delivery Agent: Specifies the local delivery agent DSPAM should call
+# when delivering mail as a trusted user. Use %u to specify the user DSPAM is
+# processing mail for. It is generally a good idea to allow the MTA to specify
+# the pass-through arguments at run-time, but they may also be specified here.
+#
+# Most operating system defaults:
+#TrustedDeliveryAgent "/usr/bin/procmail"       # Linux
+#TrustedDeliveryAgent "/usr/bin/mail"           # Solaris
+#TrustedDeliveryAgent "/usr/libexec/mail.local" # FreeBSD
+#TrustedDeliveryAgent "/usr/bin/procmail"       # Cygwin
+#
+# Other popular configurations:
+#TrustedDeliveryAgent "/usr/cyrus/bin/deliver"	# Cyrus
+#TrustedDeliveryAgent "/bin/maildrop"		# Maildrop
+#TrustedDeliveryAgent "/usr/local/sbin/exim -oMr spam-scanned -oi" # Exim
+#
+TrustedDeliveryAgent "/usr/sbin/sendmail"
+
+#
+# Untrusted Delivery Agent: Specifies the local delivery agent and arguments
+# DSPAM should use when delivering mail and running in untrusted user mode.
+# Because DSPAM will not allow pass-through arguments to be specified to
+# untrusted users, all arguments should be specified here. Use %u to specify
+# the user DSPAM is processing mail for. This configuration parameter is only
+# necessary if you plan on allowing untrusted processing.
+#
+UntrustedDeliveryAgent "/usr/lib/dovecot/deliver -d %u"
+
+#
+# SMTP or LMTP Delivery: Alternatively, you may wish to use SMTP or LMTP
+# delivery to deliver your message to the mail server instead of using a
+# delivery agent. You will need to configure with --enable-daemon to use host
+# delivery, however you do not need to operate in daemon mode. Specify an IP
+# address or UNIX path to a domain socket below as a host.
+#
+# If you would like to set up DeliveryHost's on a per-domain basis, use
+# the syntax: DeliveryHost.domain.com 1.2.3.4
+#
+#DeliveryHost		127.0.0.1
+#DeliveryPort		2424
+#DeliveryIdent		localhost
+#DeliveryProto		LMTP
+
+#
+# FallbackDomains: If you want to specify certain domains as fallback domains,
+# enable this option. For example, you could create a user @domain.com, and
+# if bob@domain.com does not resolve to a known user on the system, the user
+# could default to your @domain.com user. NOTE: This also requires designating
+# fallbackDomain for the domain name;
+# e.g. dspam_admin ch pref domain.com fallbackDomain on
+#
+#FallbackDomains on
+
+#
+# Quarantine Agent: DSPAM's default behavior is to quarantine all mail it
+# thinks is spam. If you wish to override this behavior, you may specify
+# a quarantine agent which will be called with all messages DSPAM thinks is
+# spam. Use %u to specify the user DSPAM is processing mail for.
+#
+#QuarantineAgent	"/usr/bin/procmail -d spam"
+
+#
+# DSPAM can optionally process "plused users" (addresses in the user+detail
+# form) by truncating the username just before the "+", so all internal
+# processing occurs for "user", but delivery will be performed for
+# "user+detail". This is only useful if the LDA can handle "plused users"
+# (for example Cyrus IMAP) and when configured for LMTP delivery above
+#
+#EnablePlusedDetail	on
+
+#
+# Character to use as seperator between user names and address extensions.
+# If you change this value then please adjust QuarantineMailbox to use the
+# new specified character. The default is '+'.
+#
+#PlusedCharacter	+
+
+#
+# Turn this feature on if you want to force DSPAM to lowercase the "plused
+# users" username.
+#
+#PlusedUserLowercase	on
+
+#
+# Quarantine Mailbox: DSPAM's LMTP code can send spam mail using LMTP to a
+# "plused" mailbox (such as user+quarantine) leaving quarantine processing
+# for retraining or deletion to be performed by the LDA and the mail client.
+# "plused" mailboxes are supported by Cyrus IMAP and possibly other LDAs. If
+# you don't set/change PlusedCharacter then the mailbox name must have the +
+# since the + is the default used character.
+#
+#QuarantineMailbox	+quarantine
+
+#
+# OnFail: What to do if local delivery or quarantine should fail. If set
+# to "unlearn", DSPAM will unlearn the message prior to exiting with an
+# un successful return code. The default option, "error" will not unlearn
+# the message but return the appropriate error code. The unlearn option
+# is use-ful on some systems where local delivery failures will cause the
+# message to be requeued for delivery, and could result in the message
+# being processed multiple times. During a very large failure, however,
+# this could cause a significant load increase.
+#
+OnFail error
+
+#
+# Trusted Users: Only the users specified below will be allowed to perform
+# administrative functions in DSPAM such as setting the active user and
+# accessing tools. All other users attempting to run DSPAM will be restricted;
+# their uids will be forced to match the active username and they will not be
+# able to specify delivery agent privileges or use tools.
+#
+Trust root
+Trust dspam
+Trust www-data
+Trust mail
+Trust daemon
+Trust amavis
+Trust vmail
+#Trust nobody
+#Trust majordomo
+
+#
+# Debugging: Enables debugging for some or all users. IMPORTANT: DSPAM must
+# be compiled with debug support in order to use this option. DSPAM should
+# never be running in production with debug active unless you are
+# troubleshooting problems.
+#
+# DebugOpt: One or more of: process, classify, spam, fp, inoculation, corpus
+#   process     standard message processing
+#   classify    message classification using --classify
+#   spam        error correction of missed spam
+#   fp          error correction of false positives
+#   inoculation message inoculations (source=inoculation)
+#   corpus      corpusfed messages (source=corpus)
+#
+#Debug *
+#Debug bob bill
+#
+#DebugOpt process spam fp
+
+#
+# ClassAlias: Alias a particular class to spam/nonspam. This is useful if
+# classifying things other than spam.
+#
+#ClassAliasSpam badstuff
+#ClassAliasNonspam goodstuff
+
+#
+# Training Mode: The default training mode to use for all operations, when
+# one has not been specified on the commandline or in the user's preferences.
+# Acceptable values are:
+#     toe     Train on Error (Only)
+#     teft    Train Everything (Trains on every message)
+#     tum     Train Until Mature (Train only tokens without enough data)
+#     notrain Do not train or store signatures (large ISP systems, post-train)
+#
+TrainingMode teft
+
+#
+# TestConditionalTraining: By default, dspam will retrain certain errors
+# until the condition is no longer met. This usually accelerates learning.
+# Some people argue that this can increase the risk of errors, however.
+#
+TestConditionalTraining on
+
+#
+# Features: Specify features to activate by default; can also be specified
+# on the commandline. See the documentation for a list of available features.
+# If _any_ features are specified on the commandline, these are ignored.
+#
+#Feature noise
+Feature whitelist
+
+# Training Buffer: The training buffer waters down statistics during training.
+# It is designed to prevent false positives, but can also dramatically reduce
+# dspam's catch rate during initial training. This can be a number from 0
+# (no buffering) to 10 (maximum buffering). If you are paranoid about false
+# positives, you should probably enable this option.
+#
+#Feature tb=5
+
+#
+# Algorithms: Specify the statistical algorithms to use, overriding any
+# defaults configured in the build. The options are:
+#    naive       Naive-Bayesian (All Tokens)
+#    graham      Graham-Bayesian ("A Plan for Spam")
+#    burton      Burton-Bayesian (SpamProbe)
+#    robinson    Robinson's Geometric Mean Test (Obsolete)
+#    chi-square  Fisher-Robinson's Chi-Square Algorithm
+#
+# You may have multiple algorithms active simultaneously, but it is strongly
+# recommended that you group Bayesian algorithms with other Bayesian
+# algorithms, and any use of Chi-Square remain exclusive.
+#
+# NOTE: For standard "CRM114" Markovian weighting, use 'naive', or consider
+#       using 'burton' for slightly better accuracy
+#
+# Don't mess with this unless you know what you're doing
+#
+#Algorithm chi-square
+#Algorithm naive
+Algorithm graham burton
+
+#
+# Tokenizer: Specify the tokenizer to use. The tokenizer is the piece
+# responsible for parsing the message into individual tokens. Depending on
+# how many resources you are willing to trade off vs. accuracy, you may
+# choose to use a less or more detailed tokenizer:
+#   word    uniGram (single word) tokenizer
+#           Tokenizes message into single individual words/tokens
+#           example: "free" and "viagra"
+#   chain   biGram (chained tokens) tokenizer (default)
+#           Single words + chains adjacent tokens together
+#           example: "free" and "viagra" and "free viagra"
+#   sbph    Sparse Binary Polynomial Hashing tokenizer
+#           Creates sparse token patterns across sliding window of 5-tokens
+#           example: "the quick * fox jumped" and "the * * fox jumped"
+#   osb     Orthogonal Sparse biGram tokenizer
+#           Similar to SBPH, but only uses the biGrams
+#           example: "the * * fox" and "the * * * jumped"
+#
+# In general the reccomendation is to use 'osb' for new installations.
+# The default value of 'chain' remains here as not to surprise anyone upgrading
+# that has not changed from the default value.
+#
+Tokenizer chain
+
+#
+# PValue: Specify the technique used for calculating Probability Values,
+# overriding any defaults configured in the build. These options are:
+#    bcr         Bayesian Chain Rule (Graham's Technique - "A Plan for Spam")
+#    robinson    Robinson's Technique (used in Chi-Square)
+#    markov      Markovian Weighted Technique (for Markovian discrimination)
+#
+# Unlike the "Algorithms" property, you may only have one of these defined.
+# Use of the chi-square algorithm automatically changes this to robinson.
+#
+# Don't mess with this unless you know what you're doing.
+#
+#PValue robinson
+#PValue markov
+PValue bcr
+
+#
+# WebStats: Enable this if you are using the CGI, which writes .stats files
+WebStats on
+
+#
+# ImprobabilityDrive: Calculate odds-ratios for ham/spam, and add to
+# X-DSPAM-Improbability headers
+#
+#ImprobabilityDrive on
+
+#
+# Preferences: Specify any preferences to set by default, unless otherwise
+# overridden by the user (see next section) or a default.prefs file.
+# If user or default.prefs are found, the user's preferences will override any
+# defaults.
+#
+Preference "trainingMode=TEFT"		# { TOE | TUM | TEFT | NOTRAIN } -> default:teft
+Preference "spamAction=tag"		# { quarantine | tag | deliver } -> default:quarantine
+Preference "spamSubject=[SPAM]"		# { string } -> default:[SPAM]
+Preference "statisticalSedation=5"	# { 0 - 10 } -> default:0
+Preference "enableBNR=on"		# { on | off } -> default:off
+Preference "enableWhitelist=on"		# { on | off } -> default:on
+Preference "signatureLocation=headers"	# { message | headers } -> default:message
+Preference "tagSpam=off"		# { on | off }
+Preference "tagNonspam=off"		# { on | off }
+Preference "showFactors=off"		# { on | off } -> default:off
+Preference "optIn=off"			# { on | off }
+Preference "optOut=off"			# { on | off }
+Preference "whitelistThreshold=10"	# { Integer } -> default:10
+Preference "makeCorpus=off"		# { on | off } -> default:off
+Preference "storeFragments=off"		# { on | off } -> default:off
+Preference "localStore="		# { on | off } -> default:username
+Preference "processorBias=on"		# { on | off } -> default:on
+Preference "fallbackDomain=off"		# { on | off } -> default:off
+Preference "trainPristine=off"		# { on | off } -> default:off
+Preference "optOutClamAV=off"		# { on | off } -> default:off
+Preference "ignoreRBLLookups=off"	# { on | off } -> default:off
+Preference "RBLInoculate=off"		# { on | off } -> default:off
+Preference "notifications=off"		# { on | off } -> default:off
+
+#
+# Overrides: Specifies the user preferences which may override configuration
+# and commandline defaults. Any other preferences supplied by an untrusted user
+# will be ignored.
+#
+AllowOverride enableBNR
+AllowOverride enableWhitelist
+AllowOverride fallbackDomain
+AllowOverride ignoreGroups
+AllowOverride ignoreRBLLookups
+AllowOverride localStore
+AllowOverride makeCorpus
+AllowOverride optIn
+AllowOverride optOut
+AllowOverride optOutClamAV
+AllowOverride processorBias
+AllowOverride RBLInoculate
+AllowOverride showFactors
+AllowOverride signatureLocation
+AllowOverride spamAction
+AllowOverride spamSubject
+AllowOverride statisticalSedation
+AllowOverride storeFragments
+AllowOverride tagNonspam
+AllowOverride tagSpam
+AllowOverride trainPristine
+AllowOverride trainingMode
+AllowOverride whitelistThreshold
+AllowOverride dailyQuarantineSummary
+AllowOverride notifications
+
+# --- Profiles ---
+
+#
+# You can specify multiple storage profiles, and specify the server to
+# use on the commandline with --profile. For example:
+#
+#Profile DECAlpha
+#MySQLServer.DECAlpha	10.0.0.1
+#MySQLPort.DECAlpha	3306
+#MySQLUser.DECAlpha	dspam
+#MySQLPass.DECAlpha	changeme
+#MySQLDb.DECAlpha	dspam
+#MySQLCompress.DECAlpha	true
+#MySQLReconnect.DECAlpha	true
+#
+#Profile Sun420R
+#MySQLServer.Sun420R	10.0.0.2
+#MySQLPort.Sun420R	3306
+#MySQLUser.Sun420R	dspam
+#MySQLPass.Sun420R	changeme
+#MySQLDb.Sun420R	dspam
+#MySQLCompress.Sun420R	false
+#MySQLReconnect.Sun420R	true
+#
+#DefaultProfile	DECAlpha
+
+#
+# If you're using storage profiles, you can set failovers for each profile.
+# Of course, if you'll be failing over to another database, that database
+# must have the same information as the first. If you're using a global
+# database with no training, this should be relatively simple. If you're
+# configuring per-user data, however, you'll need to set up some type of
+# replication between databases.
+#
+#Failover.DECAlpha	SUN420R
+#Failover.Sun420R	DECAlpha
+
+# If the storage fails, the agent will follow each profile's failover up to
+# a maximum number of failover attempts. This should be set to a maximum of
+# the number of profiles you have, otherwise the agent could loop and try
+# the same profile multiple times (unless this is your desired behavior).
+#
+#FailoverAttempts	1
+
+#
+# Ignored headers: If DSPAM is behind other tools which may add a header to
+# incoming emails, it may be beneficial to ignore these headers - especially
+# if they are coming from another spam filter. If you are _not_ using one of
+# these tools, however, leaving the appropriate headers commented out will
+# allow DSPAM to use them as telltale signs of forged email.
+#
+#IgnoreHeader X-Spam-Status
+#IgnoreHeader X-Spam-Scanned
+#IgnoreHeader X-Virus-Scanner-Result
+
+#
+# Lookup: Perform lookups on streamlined blackhole list servers (see
+# http://www.nuclearelephant.com/projects/sbl/). The streamlined blacklist
+# server is machine-automated, unsupervised blacklisting system designed to
+# provide real-time and highly accurate blacklisting based on network spread.
+# When performing a lookup, DSPAM will automatically learn the inbound message
+# as spam if the source IP is listed. Until an official public RABL server is
+# available, this feature is only useful if you are running your own
+# streamlined blackhole list server for internal reporting among multiple mail
+# servers. Provide the name of the lookup zone below to use.
+#
+# This function performs standard reverse-octet.domain lookups, and while it
+# will function with many RBLs, it's strongly discouraged to use those
+# maintained by humans as they're often inaccurate and could hurt filter
+# learning and accuracy.
+#
+#Lookup		"sbl.yourdomain.com"
+
+#
+# RBLInoculate: If you want to inoculate the user from RBL'd messages it would
+# have otherwise missed, set this to on.
+#
+#RBLInoculate	off
+
+#
+# Notifications: Enable the sending of notification emails to users (first
+# message, quarantine full, etc.)
+#
+Notifications	off
+
+#
+# QuarantineWarnSize: You may specify a size when DSPAM should send a "Quarantine
+# Full" message to each user. This is only working if you enable notifications
+# (see above). Value is in bytes. Default is 2097152 -> 2MB.
+#
+#QuarantineWarnSize 2097152
+
+#
+# Purge configuration: Set dspam_clean purge default options, if not otherwise
+# specified on the commandline
+#
+PurgeSignatures 14	# Stale signatures
+PurgeNeutral	90	# Tokens with neutralish probabilities
+PurgeUnused	90	# Unused tokens
+PurgeHapaxes	30	# Tokens with less than 5 hits (hapaxes)
+PurgeHits1S	15	# Tokens with only 1 spam hit
+PurgeHits1I	15	# Tokens with only 1 innocent hit
+
+#
+# Purge configuration for SQL-based installations using purge.sql
+#
+#PurgeSignature	off	# Specified in purge.sql
+#PurgeNeutral	90
+#PurgeUnused	off	# Specified in purge.sql
+#PurgeHapaxes	off	# Specified in purge.sql
+#PurgeHits1S	off	# Specified in purge.sql
+#PurgeHits1I	off	# Specified in purge.sql
+
+#
+# Local Mail Exchangers: Used for source address tracking, tells DSPAM which
+# mail exchangers are local and therefore should be ignored in the Received:
+# header when tracking the source of an email. Note: you should use the address
+# of the host as appears between brackets [ ] in the Received header.
+# By default DSPAM is considering the following IPs always as LocalMX:
+#	10.0.0.0/8	- Private IP addresses (RFC 1918)
+#	127.0.0.0/8	- Localhost Loopback Address (RFC 1700)
+#	169.254.0.0/16	- Zeroconf / APIPA (RFC 3330)
+#	172.16.0.0/12	- Private IP addresses (RFC 1918)
+#	192.168.0.0/16	- Private IP addresses (RFC 1918)
+#
+LocalMX 127.0.0.1
+
+#
+# Logging: Disabling logging for users will make usage graphs unavailable to
+# them. Disabling system logging will make admin graphs unavailable.
+#
+SystemLog	on
+UserLog		on
+
+#
+# TrainPristine: for systems where the original message remains server side
+# and can therefore be presented in pristine format for retraining. This option
+# will cause DSPAM to cease all writing of signatures and DSPAM headers to the
+# message, and deliver the message in as pristine format as possible. This mode
+# REQUIRES that the original message in its pristine format (as of delivery)
+# be presented for retraining, as in the case of webmail, imap, or other
+# applications where the message is actually kept server-side during reading,
+# and is preserved. DO NOT use this switch unless the original message can be
+# presented for retraining with the ORIGINAL HEADERS and NO MODIFICATIONS.
+#
+# NOTE: You can't use this setting with dspam_trian; if you're going to use it,
+#       wait until after you train any corpora.
+#
+#TrainPristine on
+
+#
+# Opt: in or out; determines DSPAM's default filtering behavior. If this value
+# is set to in, users must opt-in to filtering by dropping a .dspam file in
+# /var/dspam/opt-in/user.dspam (or if you have homedirs configured, a .dspam
+# folder in their home directory).  The default is opt-out, which means all
+# users will be filtered unless a .nodspam file is dropped in
+# /var/dspam/opt-out/user.nodspam
+#
+Opt out
+
+#
+# TrackSources: specify which (if any) source addresses to track and report
+# them to syslog (mail.info). This is useful if you're running a firewall or
+# blacklist and would like to use this information. Spam reporting also drops
+# RABL blacklist files (see http://www.nuclearelephant.com/projects/rabl/).
+#
+#TrackSources spam nonspam virus
+
+#
+# ParseToHeaders: In lieu of setting up individual aliases for each user,
+# DSPAM can be configured to automatically parse the To: address for spam and
+# false positive forwards. From there, it can be configured to either set the
+# DSPAM user based on the username specified in the header and/or change the
+# training class and source accordingly. The options below can be used to
+# customize most common types of header parsing behavior to avoid the need for
+# multiple aliases, or if using LMTP, aliases entirely..
+#
+# ParseToHeader: Parse the To: headers of an incoming message. This must be
+#                set to 'on' to use either of the following features.
+#
+# ChangeModeOnParse: Automatically change the class (to spam or innocent)
+#   depending on whether spam- or notspam- was specified, and change the source
+#   to 'error'. This is convenient if you're not using aliases at all, but
+#   are delivering via LMTP.
+#
+# ChangeUserOnParse: Automatically change the username to match that specified
+#   in the To: header. For example, spam-bob@domain.tld will set the username
+#   to bob, ignoring any --user passed in. This may not always be desirable if
+#   you are using virtual email addresses as usernames. Options:
+#     on or user	take the portion before the @ sign only
+#     full		take everything after the initial {spam,notspam}-.
+#
+#ParseToHeaders on
+#ChangeModeOnParse on
+#ChangeUserOnParse on
+
+#
+# Broken MTA Options: Some MTAs don't support the proper functionality
+# necessary. In these cases you can activate certain features in DSPAM to
+# compensate. 'returnCodes' causes DSPAM to return an exit code of 99 if
+# the message is spam, 0 if not, or a negative code if an error has occured.
+# Specifying 'case' causes DSPAM to force the input usernames to lowercase.
+# Specifying 'lineStripping' causes DSPAM to strip ^M's from messages passed
+# in.
+#
+#Broken returnCodes
+#Broken case
+#Broken lineStripping
+
+#
+# MaxMessageSize: You may specify a maximum message size for DSPAM to process.
+# If the message is larger than the maximum size, it will be delivered
+# without processing. Value is in bytes.
+#
+#MaxMessageSize 4194304
+
+# --- ClamAV ---
+
+#
+# Virus Checking: If you are running clamd, DSPAM can perform stream-based
+# virus checking using TCP. Uncomment the values below to enable virus
+# checking.
+#
+# ClamAVResponse: reject (reject or drop the message with a permanent failure)
+#                 accept (accept the message and quietly drop the message)
+#                 spam   (treat as spam and quarantine/tag/whatever)
+#
+#ClamAVPort		3310
+#ClamAVHost		127.0.0.1
+#ClamAVResponse		accept
+
+# --- CLIENT / SERVER ---
+
+#
+# Daemonized Server: If you are running DSPAM as a daemonized server using
+# --daemon, the following parameters will override the default. Use the
+# ServerPass option to set up accounts for each client machine. The DSPAM
+# server will process and deliver the message based on the parameters
+# specified. If you want the client machine to perform delivery, use
+# the --stdout option in conjunction with a local setup.
+#
+# ServerHost: Not enabling ServerHost will bind DSPAM server to all available
+# interfaces.
+#
+# ServerPort: Default upstream configuration is to run dspam daemon on port
+# 24. On Debian, dspam being run as a unprivileged user, default port is
+# set to 2424.
+#
+#ServerHost		127.0.0.1
+#ServerPort		2424
+#ServerQueueSize	32
+#ServerPID		/var/run/dspam/dspam.pid
+
+#
+# ServerMode specifies the type of LMTP server to start. This can be one of:
+#     dspam: DSPAM-proprietary DLMTP server, for communicating with dspamc
+#  standard: Standard LMTP server, for communicating with Postfix or other MTA
+#      auto: Speak both DLMTP and LMTP; auto-detect by ServerPass.IDENT
+#
+#ServerMode dspam
+
+# If supporting DLMTP (dspam) mode, dspam clients will require authentication
+# as they will be passing in parameters. The idents below will be used to
+# determine which clients will be speaking DLMTP, so if you will be using
+# both LMTP and DLMTP from the same host, be sure to use something other
+# than the server's hostname below (which will be sent by the MTA during a
+# standard LMTP LHLO).
+#
+#ServerPass.Relay1	"secret"
+#ServerPass.Relay2	"password"
+
+# If supporting standard LMTP mode, server parameters will need to be specified
+# here, as they will not be passed in by the mail server. The ServerIdent
+# specifies the 250 response code ident sent back to connecting clients and
+# should be set to the hostname of your server, or an alias.
+#
+# NOTE: If you specify --user in ServerParameters, the RCPT TO will be
+#       used only for delivery, and not set as the active user for processing.
+#
+#ServerParameters	"--deliver=innocent -d %u"
+#ServerIdent		"localhost.localdomain"
+
+# If you wish to use a local domain socket instead of a TCP socket, uncomment
+# the following. It is strongly recommended you use local domain sockets if
+# you are running the client and server on the same machine, as it eliminates
+# much of the bandwidth overhead.
+#
+ServerDomainSocketPath	"/var/run/dspam/dspam.sock"
+
+#
+# Client Mode: If you are running DSPAM in client/server mode, uncomment and
+# set these variables. A ClientHost beginning with a / will be treated as
+# a domain socket.
+#
+#ClientHost	/var/run/dspam/dspam.sock
+#ClientIdent	"secret@Relay1"
+#
+#ClientHost	127.0.0.1
+#ClientPort	2424
+#ClientIdent	"secret@Relay1"
+
+# --- RABL ---
+
+# RABLQueue: Touch files in the RABL queue
+# If you are a reporting streamlined blackhole list participant, you can
+# touch ip addresses within the directory the rabl_client process is watching.
+#
+#RABLQueue	/var/spool/rabl
+
+# ---  ---
+
+# DataSource: If you are using any type of data source that does not include
+# email-like headers (such as documents), uncomment the line below. This
+# will cause the entire input to be treated like a message "body"
+#
+#DataSource document
+
+# ProcessorWordFrequency: By default, words are only counted once per message.
+# If you are classifying large documents, however, you may wish to count once
+# per occurrence instead.
+#
+#ProcessorWordFrequency occurrence
+
+# ProcessorURLContext: By default, a URL context is generated for URLs, which
+# records their tokens as separate from words found in documents. To use
+# URL tokens in the same context as words, turn this feature off.
+#
+ProcessorURLContext on
+
+# ProcessorBias: Bias causes the filter to lean more toward 'innocent', and
+# usually greatly reduces false positives. It is the default behavior of
+# most Bayesian filters (including dspam).
+#
+# NOTE: You probably DONT want this if you're using Markovian Weighting, unless
+# you are paranoid about false positives.
+#
+ProcessorBias on
+
+# StripRcptDomain: Cut the domain (including the at sign) from recipients.
+# This is particularly useful if the recipient name is equal to real user
+# accounts as recipients with domains tend to cause permission issues with
+# dspam-web.
+#
+StripRcptDomain off
+
+# --- Split Configuration File Support ---
+
+# Include a directory with configuration items.
+Include /etc/dspam/dspam.d/
+
+# ---  ---
+
+## EOF

roles/mailserver/files/etc_opendkim.conf

@@ -0,0 +1,18 @@
+##
+## opendkim.conf -- configuration file for OpenDKIM filter
+##
+Canonicalization        relaxed/relaxed
+ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
+InternalHosts           refile:/etc/opendkim/TrustedHosts
+KeyTable                refile:/etc/opendkim/KeyTable
+LogWhy                  Yes
+MinimumKeyBits          1024
+Mode                    sv
+PidFile                 /var/run/opendkim/opendkim.pid
+SigningTable            refile:/etc/opendkim/SigningTable
+Socket                  inet:8891@localhost
+Syslog                  Yes
+SyslogSuccess           Yes
+TemporaryDirectory      /var/tmp
+UMask                   022
+UserID                  opendkim:opendkim

roles/mailserver/files/etc_postfix_dspam_filter_access

@@ -0,0 +1 @@
+/./   FILTER dspam:unix:/run/dspam/dspam.sock

roles/mailserver/files/etc_postfix_master.cf

@@ -0,0 +1,131 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp       inet  n       -       -       -       -       smtpd
+#smtp      inet  n       -       -       -       1       postscreen
+#smtpd     pass  -       -       -       -       -       smtpd
+#dnsblog   unix  -       -       -       -       0       dnsblog
+#tlsproxy  unix  -       -       -       -       0       tlsproxy
+#submission inet  n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#   -o smtpd_sasl_auth_enable=yes
+#   -o smtpd_enforce_tls=yes
+#  -o smtpd_etrn_restrictions=reject
+#   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+
+# SMTP over SSL on port 465.
+smtps     inet  n       -       -       -       -       smtpd
+  -o syslog_name=postfix/smtps
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_tls_auth_only=yes
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
+  -o smtpd_sasl_security_options=noanonymous,noplaintext
+  -o smtpd_sasl_tls_security_options=noanonymous
+
+
+#628       inet  n       -       -       -       -       qmqpd
+pickup    fifo  n       -       -       60      1       pickup
+cleanup   unix  n       -       -       -       0       cleanup
+qmgr      fifo  n       -       n       300     1       qmgr
+#qmgr     fifo  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       -       1000?   1       tlsmgr
+rewrite   unix  -       -       -       -       -       trivial-rewrite
+bounce    unix  -       -       -       -       0       bounce
+defer     unix  -       -       -       -       0       bounce
+trace     unix  -       -       -       -       0       bounce
+verify    unix  -       -       -       -       1       verify
+flush     unix  n       -       -       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       -       -       -       smtp
+relay     unix  -       -       -       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       -       -       -       showq
+error     unix  -       -       -       -       -       error
+retry     unix  -       -       -       -       -       error
+discard   unix  -       -       -       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       -       -       -       lmtp
+anvil     unix  -       -       -       -       1       anvil
+scache    unix  -       -       -       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+# spam protection
+dspam     unix  -       n       n       -       10      pipe
+  flags=Ru user=dspam argv=/usr/bin/dspam --deliver=innocent,spam --user $recipient -i -f $sender -- $recipient
+dovecot   unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

roles/mailserver/files/etc_tomcat6_server.xml

@@ -0,0 +1,153 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!-- Note:  A "Server" is not itself a "Container", so you may not
+     define subcomponents such as "Valves" at this level.
+     Documentation at /docs/config/server.html
+ -->
+<Server port="8005" shutdown="SHUTDOWN">
+
+  <!--APR library loader. Documentation at /docs/apr.html -->
+  <!--
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  -->
+  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+  <Listener className="org.apache.catalina.core.JasperListener" />
+  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
+  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+
+  <!-- Global JNDI resources
+       Documentation at /docs/jndi-resources-howto.html
+  -->
+  <GlobalNamingResources>
+    <!-- Editable user database that can also be used by
+         UserDatabaseRealm to authenticate users
+    -->
+    <Resource name="UserDatabase" auth="Container"
+              type="org.apache.catalina.UserDatabase"
+              description="User database that can be updated and saved"
+              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+              pathname="conf/tomcat-users.xml" />
+  </GlobalNamingResources>
+
+  <!-- A "Service" is a collection of one or more "Connectors" that share
+       a single "Container" Note:  A "Service" is not itself a "Container", 
+       so you may not define subcomponents such as "Valves" at this level.
+       Documentation at /docs/config/service.html
+   -->
+  <Service name="Catalina">
+  
+    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+    <!--
+    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" 
+        maxThreads="150" minSpareThreads="4"/>
+    -->
+    
+    
+    <!-- A "Connector" represents an endpoint by which requests are received
+         and responses are returned. Documentation at :
+         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+         Java AJP  Connector: /docs/config/ajp.html
+         APR (HTTP/AJP) Connector: /docs/apr.html
+         Define a non-SSL HTTP/1.1 Connector on port 8080
+    -->
+    <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1" 
+               connectionTimeout="20000" 
+               URIEncoding="UTF-8"
+               redirectPort="8443" />
+    <!-- A "Connector" using the shared thread pool-->
+    <!--
+    <Connector executor="tomcatThreadPool"
+               port="8080" protocol="HTTP/1.1" 
+               connectionTimeout="20000" 
+               redirectPort="8443" />
+    -->           
+    <!-- Define a SSL HTTP/1.1 Connector on port 8443
+         This connector uses the JSSE configuration, when using APR, the 
+         connector should be using the OpenSSL style configuration
+         described in the APR documentation -->
+    <!--
+    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+               maxThreads="150" scheme="https" secure="true"
+               clientAuth="false" sslProtocol="TLS" />
+    -->
+
+    <!-- Define an AJP 1.3 Connector on port 8009 -->
+    <!--
+    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
+    -->
+
+
+    <!-- An Engine represents the entry point (within Catalina) that processes
+         every request.  The Engine implementation for Tomcat stand alone
+         analyzes the HTTP headers included with the request, and passes them
+         on to the appropriate Host (virtual host).
+         Documentation at /docs/config/engine.html -->
+
+    <!-- You should set jvmRoute to support load-balancing via AJP ie :
+    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">         
+    --> 
+    <Engine name="Catalina" defaultHost="localhost">
+
+      <!--For clustering, please take a look at documentation at:
+          /docs/cluster-howto.html  (simple how to)
+          /docs/config/cluster.html (reference documentation) -->
+      <!--
+      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+      -->        
+
+      <!-- The request dumper valve dumps useful debugging information about
+           the request and response data received and sent by Tomcat.
+           Documentation at: /docs/config/valve.html -->
+      <!--
+      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
+      -->
+
+      <!-- This Realm uses the UserDatabase configured in the global JNDI
+           resources under the key "UserDatabase".  Any edits
+           that are performed against this UserDatabase are immediately
+           available for use by the Realm.  -->
+      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+             resourceName="UserDatabase"/>
+
+      <!-- Define the default virtual host
+           Note: XML Schema validation will not work with Xerces 2.2.
+       -->
+      <Host name="localhost"  appBase="webapps"
+            unpackWARs="true" autoDeploy="true"
+            xmlValidation="false" xmlNamespaceAware="false">
+
+        <!-- SingleSignOn valve, share authentication between web applications
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+        -->
+
+        <!-- Access log processes all example.
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
+               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
+        -->
+
+      </Host>
+    </Engine>
+  </Service>
+</Server>

roles/mailserver/files/solr-schema.xml

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<!--
+For fts-solr:
+
+This is the Solr schema file, place it into solr/conf/schema.xml. You may
+want to modify the tokenizers and filters.
+-->
+<schema name="dovecot" version="1.4">
+  <types>
+    <!-- IMAP has 32bit unsigned ints but java ints are signed, so use longs -->
+    <fieldType name="string" class="solr.StrField" omitNorms="true"/>
+    <fieldType name="long" class="solr.LongField" omitNorms="true"/>
+    <fieldType name="slong" class="solr.SortableLongField" omitNorms="true"/>
+    <fieldType name="float" class="solr.FloatField" omitNorms="true"/>
+    <fieldType name="boolean" class="solr.BoolField" omitNorms="true"/>
+
+    <fieldType name="text" class="solr.TextField" positionIncrementGap="100">
+      <analyzer type="index">
+        <tokenizer class="solr.WhitespaceTokenizerFactory"/>
+        <filter class="solr.StopFilterFactory" ignoreCase="true" words="stopwords.txt"/>
+        <filter class="solr.WordDelimiterFilterFactory" generateWordParts="1" generateNumberParts="1" catenateWords="1" catenateNumbers="1" catenateAll="0"/>
+        <filter class="solr.LowerCaseFilterFactory"/>
+        <filter class="solr.EnglishPorterFilterFactory" protected="protwords.txt"/>
+        <filter class="solr.RemoveDuplicatesTokenFilterFactory"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer class="solr.WhitespaceTokenizerFactory"/>
+        <filter class="solr.SynonymFilterFactory" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter class="solr.StopFilterFactory" ignoreCase="true" words="stopwords.txt"/>
+        <filter class="solr.WordDelimiterFilterFactory" generateWordParts="1" generateNumberParts="1" catenateWords="0" catenateNumbers="0" catenateAll="0"/>
+        <filter class="solr.LowerCaseFilterFactory"/>
+        <filter class="solr.EnglishPorterFilterFactory" protected="protwords.txt"/>
+        <filter class="solr.RemoveDuplicatesTokenFilterFactory"/>
+      </analyzer>
+    </fieldType>
+ </types>
+
+
+ <fields>
+   <field name="id" type="string" indexed="true" stored="true" required="true" />
+   <field name="uid" type="slong" indexed="true" stored="true" required="true" />
+   <field name="box" type="string" indexed="true" stored="true" required="true" />
+   <field name="user" type="string" indexed="true" stored="true" required="true" />
+
+   <field name="hdr" type="text" indexed="true" stored="false" />
+   <field name="body" type="text" indexed="true" stored="false" />
+
+   <field name="from" type="text" indexed="true" stored="false" />
+   <field name="to" type="text" indexed="true" stored="false" />
+   <field name="cc" type="text" indexed="true" stored="false" />
+   <field name="bcc" type="text" indexed="true" stored="false" />
+   <field name="subject" type="text" indexed="true" stored="false" />
+ </fields>
+
+ <uniqueKey>id</uniqueKey>
+ <defaultSearchField>body</defaultSearchField>
+ <solrQueryParser defaultOperator="AND" />
+</schema>

roles/mailserver/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: restart postfix
+  service: name=postfix state=restarted
+
+- name: restart dovecot
+  service: name=dovecot state=restarted
+
+- name: restart opendkim
+  service: name=opendkim state=restarted
+
+- name: restart solr
+  service: name=tomcat6 state=restarted

roles/mailserver/tasks/dovecot.yml

@@ -0,0 +1,34 @@
+- name: Install Dovecot and related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - dovecot-core
+    - dovecot-imapd
+    - mysql-server
+    - dovecot-mysql
+    - dovecot-lmtpd
+
+- name: Create vmail group
+  group: name=vmail state=present gid=5000
+
+- name: Create vmail user
+  user: name=vmail group=vmail state=present uid=5000 home=/decrypted-mail
+
+- name: Ensure mail directories are in place
+  file: state=directory path=/decrypted-mail/${item.name}/${item.primary_user} owner=vmail group=dovecot
+  with_items:
+    - ${mail_virtual_domains}
+
+- name: Put Dovecot configuration files in place
+  copy: src=etc_dovecot_dovecot.conf dest=/etc/dovecot/dovecot.conf
+- copy: src=etc_dovecot_conf.d_10-mail.conf dest=/etc/dovecot/conf.d/10-mail.conf
+- copy: src=etc_dovecot_conf.d_10-auth.conf dest=/etc/dovecot/conf.d/10-auth.conf
+- copy: src=etc_dovecot_conf.d_auth-sql.conf.ext dest=/etc/dovecot/conf.d/auth-sql.conf.ext
+- copy: src=etc_dovecot_conf.d_10-master.conf dest=/etc/dovecot/conf.d/10-master.conf
+- copy: src=etc_dovecot_conf.d_10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf
+- template: src=etc_dovecot_conf.d_15-lda.conf.j2 dest=/etc/dovecot/conf.d/15-lda.conf
+- template: src=etc_dovecot_dovecot-sql.conf.ext.j2 dest=/etc/dovecot/dovecot-sql.conf.ext
+
+- name: Ensure correct permissions on Dovecot config directory
+  shell: chown -R vmail:dovecot /etc/dovecot
+- shell: chmod -R o-rwx /etc/dovecot
+  notify: restart dovecot

roles/mailserver/tasks/dspam.yml

@@ -0,0 +1,23 @@
+- name: Install dspam and related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - dspam
+    - dovecot-antispam
+    - postfix-pcre
+    - dovecot-sieve
+
+- name: Create dspam directory 
+  file: state=directory path=/decrypted-mail/dspam group=dspam owner=dspam
+
+- name: Put dspam configuration files in place
+  copy: src=etc_dspam_default.prefs dest=/etc/dspam/default.prefs owner=dspam group=dspam
+- copy: src=etc_dspam_dspam.conf dest=/etc/dspam/dspam.conf owner=dspam group=dspam
+- copy: src=etc_postfix_dspam_filter_access dest=/etc/postfix/dspam_filter_access owner=root group=root
+- copy: src=etc_dovecot_conf.d_20-imap.conf dest=/etc/dovecot/conf.d/20-imap.conf owner=vmail group=dovecot
+- copy: src=etc_dovecot_conf.d_90-plugin.conf dest=/etc/dovecot/conf.d/90-plugin.conf owner=vmail group=dovecot
+- copy: src=dot_dovecot.sieve dest=/decrypted-mail/${item.name}/${item.primary_user}/.dovecot.sieve owner=vmail group=dovecot
+  with_items:
+    - ${mail_virtual_domains}
+  notify:
+    - restart postfix
+    - restart dovecot

roles/mailserver/tasks/main.yml

@@ -0,0 +1,5 @@
+- include: postfix.yml tags=postfix
+- include: dovecot.yml tags=dovecot
+- include: opendkim.yml tags=opendkim
+- include: dspam.yml tags=dspam
+- include: solr.yml tags=solr

roles/mailserver/tasks/opendkim.yml

@@ -0,0 +1,34 @@
+---
+# Handy reference: http://stevejenkins.com/blog/2010/09/how-to-get-dkim-domainkeys-identified-mail-working-on-centos-5-5-and-postfix-using-opendkim/
+
+- name: Install OpenDKIM and related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - opendkim
+    - opendkim-tools
+
+- name: Create OpenDKIM config directory 
+  file: state=directory path=/etc/opendkim group=opendkim owner=opendkim
+
+- name: Create OpenDKIM key directories
+  file: state=directory path=/etc/opendkim/keys/${item.name} group=opendkim owner=opendkim
+  with_items:
+    - ${mail_virtual_domains}
+
+- name: Generate OpenDKIM keys
+  command: opendkim-genkey -r -d ${item.name} -D /etc/opendkim/keys/${item.name}/ creates=/etc/opendkim/keys/${item.name}/default.private
+  with_items:
+    - ${mail_virtual_domains}
+
+- name: Put OpenDKIM configuration files into place
+  template: src=etc_opendkim_KeyTable.j2 dest=/etc/opendkim/KeyTable owner=opendkim group=opendkim
+- template: src=etc_opendkim_SigningTable.j2 dest=/etc/opendkim/SigningTable owner=opendkim group=opendkim
+- template: src=etc_opendkim_TrustedHosts.j2 dest=/etc/opendkim/TrustedHosts owner=opendkim group=opendkim
+- copy: src=etc_opendkim.conf dest=/etc/opendkim.conf owner=opendkim group=opendkim
+
+- name: Set OpenDKIM config directory permissions
+  command: chmod -R go-rwx /etc/opendkim
+- command: chown -R opendkim:opendkim /etc/opendkim
+  notify:
+    - restart opendkim
+    - restart postfix

roles/mailserver/tasks/postfix.yml

@@ -0,0 +1,27 @@
+- name: Install Postfix and related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - postfix
+    - mysql-server
+    - postfix-mysql
+    - python-mysqldb
+    - libsasl2-modules
+    - sasl2-bin
+    - postgrey
+
+- name: Create database user for mail server
+  mysql_user: user={{ mail_mysql_username }} password={{ mail_mysql_password }} state=present priv="mailserver.*:ALL"
+
+- name: Create database for mail server
+  mysql_db: name={{ mail_mysql_database }} state=present
+
+  # i don't know why this import is failing but it is, so did this manually
+  # mysql_db: name={{ mail_mysql_database }} state=import target=templates/mailserver.sql.j2
+
+- name: Copy Postfix config files into place
+  template: src=etc_postfix_main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root
+- copy: src=etc_postfix_master.cf dest=/etc/postfix/master.cf owner=root group=root
+- template: src=etc_postfix_mysql-virtual-mailbox-domains.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-domains.cf owner=root group=root
+- template: src=etc_postfix_mysql-virtual-mailbox-maps.cf.j2 dest=/etc/postfix/mysql-virtual-mailbox-maps.cf owner=root group=root
+- template: src=etc_postfix_mysql-virtual-alias-maps.cf.j2 dest=/etc/postfix/mysql-virtual-alias-maps.cf owner=root group=root
+  notify: restart postfix

roles/mailserver/tasks/solr.yml

@@ -0,0 +1,16 @@
+- name: Install Solr and related packages
+  apt: pkg=$item state=installed
+  with_items:
+    - solr-tomcat
+    - dovecot-solr
+
+- name: Work around Debian bug and copy Solr schema file into place
+  copy: src=solr-schema.xml dest=/etc/solr/conf/schema.xml group=root owner=root
+
+- name: Copy tweaked Solr/Tomcat config files into place
+  copy: src=etc_tomcat6_server.xml dest=/etc/tomcat6/server.xml group=tomcat6 owner=root
+- copy: src=etc_solr_conf_solrconfig.xml dest=/etc/solr/conf/solrconfig.xml group=root owner=root
+
+- name: Create Solr index directory
+  file: state=directory path=/decrypted-mail/solr group=tomcat6 owner=tomcat6
+  notify: restart solr

roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2

@@ -0,0 +1,48 @@
+##
+## LDA specific settings (also used by LMTP)
+##
+
+# Address to use when sending rejection mails.
+# Default is postmaster@<your domain>.
+postmaster_address = postmaster@syntax.cc
+
+# Hostname to use in various parts of sent mails, eg. in Message-Id.
+# Default is the system's real hostname.
+hostname = {{ mail_server_hostname }}
+
+# If user is over quota, return with temporary failure instead of
+# bouncing the mail.
+#quota_full_tempfail = no
+
+# Binary to use for sending mails.
+#sendmail_path = /usr/sbin/sendmail
+
+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
+#submission_host =
+
+# Subject: header to use for rejection mails. You can use the same variables
+# as for rejection_reason below.
+#rejection_subject = Rejected: %s
+
+# Human readable error message for rejection mails. You can use variables:
+#  %n = CRLF, %r = reason, %s = original subject, %t = recipient
+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
+
+# Delimiter character between local-part and detail in email address.
+#recipient_delimiter = +
+
+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this. 
+# A commonly used header for this is X-Original-To.
+#lda_original_recipient_header =
+
+# Should saving a mail to a nonexistent mailbox automatically create it?
+#lda_mailbox_autocreate = no
+
+# Should automatically created mailboxes be also automatically subscribed?
+#lda_mailbox_autosubscribe = no
+
+protocol lda {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  #mail_plugins = $mail_plugins
+}

roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2

@@ -0,0 +1,138 @@
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# http://wiki2.dovecot.org/AuthDatabase/SQL
+#
+# For the sql passdb module, you'll need a database with a table that
+# contains fields for at least the username and password. If you want to
+# use the user@domain syntax, you might want to have a separate domain
+# field as well.
+#
+# If your users all have the same uig/gid, and have predictable home
+# directories, you can use the static userdb module to generate the home
+# dir based on the username and domain. In this case, you won't need fields
+# for home, uid, or gid in the database.
+#
+# If you prefer to use the sql userdb module, you'll want to add fields
+# for home, uid, and gid. Here is an example table:
+#
+# CREATE TABLE users (
+#     username VARCHAR(128) NOT NULL,
+#     domain VARCHAR(128) NOT NULL,
+#     password VARCHAR(64) NOT NULL,
+#     home VARCHAR(255) NOT NULL,
+#     uid INTEGER NOT NULL,
+#     gid INTEGER NOT NULL,
+#     active CHAR(1) DEFAULT 'Y' NOT NULL
+# );
+
+# Database driver: mysql, pgsql, sqlite
+driver = mysql
+
+# Database connection string. This is driver-specific setting.
+#
+# HA / round-robin load-balancing is supported by giving multiple host
+# settings, like: host=sql1.host.org host=sql2.host.org
+#
+# pgsql:
+#   For available options, see the PostgreSQL documention for the
+#   PQconnectdb function of libpq.
+#   Use maxconns=n (default 5) to change how many connections Dovecot can
+#   create to pgsql.
+#
+# mysql:
+#   Basic options emulate PostgreSQL option names:
+#     host, port, user, password, dbname
+#
+#   But also adds some new settings:
+#     client_flags        - See MySQL manual
+#     ssl_ca, ssl_ca_path - Set either one or both to enable SSL
+#     ssl_cert, ssl_key   - For sending client-side certificates to server
+#     ssl_cipher          - Set minimum allowed cipher security (default: HIGH)
+#     option_file         - Read options from the given file instead of
+#                           the default my.cnf location
+#     option_group        - Read options from the given group (default: client)
+# 
+#   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
+#   Note that currently you can't use spaces in parameters.
+#
+# sqlite:
+#   The path to the database file.
+#
+# Examples:
+#   connect = host=192.168.1.1 dbname=users
+#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
+#   connect = /etc/dovecot/authdb.sqlite
+#
+connect = host=127.0.0.1 dbname={{ mail_mysql_database }} user={{ mail_mysql_username }} password={{ mail_mysql_password }}
+
+# Default password scheme.
+#
+# List of supported schemes is in
+# http://wiki2.dovecot.org/Authentication/PasswordSchemes
+#
+default_pass_scheme = SHA512-CRYPT
+
+# passdb query to retrieve the password. It can return fields:
+#   password - The user's password. This field must be returned.
+#   user - user@domain from the database. Needed with case-insensitive lookups.
+#   username and domain - An alternative way to represent the "user" field.
+#
+# The "user" field is often necessary with case-insensitive lookups to avoid
+# e.g. "name" and "nAme" logins creating two different mail directories. If
+# your user and domain names are in separate fields, you can return "username"
+# and "domain" fields instead of "user".
+#
+# The query can also return other fields which have a special meaning, see
+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
+#
+# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
+# for full list):
+#   %u = entire user@domain
+#   %n = user part of user@domain
+#   %d = domain part of user@domain
+# 
+# Note that these can be used only as input to SQL query. If the query outputs
+# any of these substitutions, they're not touched. Otherwise it would be
+# difficult to have eg. usernames containing '%' characters.
+#
+# Example:
+#   password_query = SELECT userid AS user, pw AS password \
+#     FROM users WHERE userid = '%u' AND active = 'Y'
+#
+#password_query = \
+#  SELECT username, domain, password \
+#  FROM users WHERE username = '%n' AND domain = '%d'
+
+password_query = SELECT email AS user, password FROM virtual_users WHERE email = '%u';
+
+# userdb query to retrieve the user information. It can return fields:
+#   uid - System UID (overrides mail_uid setting)
+#   gid - System GID (overrides mail_gid setting)
+#   home - Home directory
+#   mail - Mail location (overrides mail_location setting)
+#
+# None of these are strictly required. If you use a single UID and GID, and
+# home or mail directory fits to a template string, you could use userdb static
+# instead. For a list of all fields that can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+#
+# Examples:
+#   user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
+#   user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
+#   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
+#
+#user_query = \
+#  SELECT home, uid, gid \
+#  FROM users WHERE username = '%n' AND domain = '%d'
+
+# If you wish to avoid two SQL lookups (passdb + userdb), you can use
+# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
+# also have to return userdb fields in password_query prefixed with "userdb_"
+# string. For example:
+#password_query = \
+#  SELECT userid AS user, password, \
+#    home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
+#  FROM users WHERE userid = '%u'
+
+# Query to get a list of all usernames.
+#iterate_query = SELECT username AS user FROM users

roles/mailserver/templates/etc_opendkim_KeyTable.j2

@@ -0,0 +1,3 @@
+{% for domain in mail_virtual_domains %}
+default._domainkey.{{ domain.name }} {{ domain.name }}:default:/etc/opendkim/keys/{{ domain.name}}/default.private
+{% endfor %}

roles/mailserver/templates/etc_opendkim_SigningTable.j2

@@ -0,0 +1,3 @@
+{% for domain in mail_virtual_domains %}
+*@{{ domain.name }} default._domainkey.{{ domain.name }}
+{% endfor %}

roles/mailserver/templates/etc_opendkim_TrustedHosts.j2

@@ -0,0 +1,8 @@
+127.0.0.1
+# TODO add your server's IP and DNS hosts
+{% for domain in mail_virtual_domains %}
+{{ domain.name }}
+{% endfor %}
+{% for domain in mail_virtual_domains %}
+mail.{{ domain.name }}
+{% endfor %}

roles/mailserver/templates/etc_postfix_main.cf.j2

@@ -0,0 +1,108 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Modified as per http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
+ 
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+ 
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+ 
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+ 
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+ 
+readme_directory = no
+
+# antispam
+smtpd_helo_required = yes
+smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
+smtpd_sender_restrictions = reject_unknown_address
+disable_vrfy_command = yes
+strict_rfc821_envelopes = yes
+invalid_hostname_reject_code = 554
+multi_recipient_bounce_reject_code = 554
+non_fqdn_reject_code = 554
+relay_domains_reject_code = 554
+unknown_address_reject_code = 554
+unknown_client_reject_code = 554
+unknown_hostname_reject_code = 554
+unknown_local_recipient_reject_code = 554
+unknown_relay_recipient_reject_code = 554
+unknown_virtual_alias_reject_code = 554
+unknown_virtual_mailbox_reject_code = 554
+unverified_recipient_reject_code = 554
+unverified_sender_reject_code = 554
+ 
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/wildcard_public_cert.crt
+smtpd_tls_key_file=/etc/ssl/private/wildcard_private.key
+smtpd_use_tls=yes
+#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtpd_tls_auth_only = yes
+smtp_tls_security_level = may
+smtp_tls_loglevel = 2
+smtpd_tls_received_header = yes
+smtp_tls_note_starttls_offer = yes
+
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+smtpd_sasl_security_options = noanonymous
+
+smtpd_recipient_restrictions =
+  permit_sasl_authenticated,
+  permit_mynetworks,
+  reject_unauth_pipelining,
+  reject_unauth_destination,
+  reject_invalid_hostname,
+  reject_non_fqdn_hostname,
+  reject_non_fqdn_recipient,
+  reject_unknown_recipient_domain,
+  reject_rbl_client multihop.dsbl.org,
+  reject_rbl_client zen.spamhaus.org,
+  reject_rbl_client cbl.abuseat.org,
+  reject_rbl_client bl.spamcop.net,
+  reject_rbl_client dnsbl.sorbs.net,
+  reject_rbl_client all.spamrats.com=127.0.0.36,
+  reject_rbl_client all.spamrats.com=127.0.0.38,
+  reject_rbl_client dnsbl.ahbl.org,
+  check_policy_service inet:127.0.0.1:10023,
+  permit
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+ 
+myhostname = {{ mail_server_hostname }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = localhost
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+#mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+# dovecot mysql
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
+virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
+virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
+local_recipient_maps = $virtual_mailbox_maps
+
+# OpenDKIM
+smtpd_milters = inet:127.0.0.1:8891
+non_smtpd_milters = $smtpd_milters
+milter_default_action = accept
+
+# new settings for dspam: only scan one mail at a time, localhost doesn't get scanned, everything else does
+dspam_destination_recipient_limit = 1
+smtpd_client_restrictions =
+  permit_sasl_authenticated
+  check_client_access pcre:/etc/postfix/dspam_filter_access

roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j2

@@ -0,0 +1,5 @@
+user = {{ mail_mysql_username }}
+password = {{ mail_mysql_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_mysql_database }}
+query = SELECT destination FROM virtual_aliases WHERE source='%s'

roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j2

@@ -0,0 +1,5 @@
+user = {{ mail_mysql_username }}
+password = {{ mail_mysql_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_mysql_database }}
+query = SELECT 1 FROM virtual_domains WHERE name='%s'

roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j2

@@ -0,0 +1,5 @@
+user = {{ mail_mysql_username }}
+password = {{ mail_mysql_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_mysql_database }}
+query = SELECT 1 FROM virtual_users WHERE email='%s'

roles/mailserver/templates/mailserver.sql.j2

@@ -0,0 +1,36 @@
+CREATE TABLE `virtual_domains` (
+	`id` int(11) NOT NULL auto_increment,
+	`name` varchar(50) NOT NULL,
+	PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `virtual_users` (
+	`id` int(11) NOT NULL auto_increment,
+	`domain_id` int(11) NOT NULL,
+	`password` varchar(106) NOT NULL,
+	`email` varchar(100) NOT NULL,
+	PRIMARY KEY (`id`),
+	UNIQUE KEY `email` (`email`),
+	FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `virtual_aliases` (
+	`id` int(11) NOT NULL auto_increment,
+	`domain_id` int(11) NOT NULL,
+	`source` varchar(100) NOT NULL,
+	`destination` varchar(100) NOT NULL,
+	PRIMARY KEY (`id`),
+	FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+{% for virtual_domain in mail_virtual_domains %}
+	INSERT INTO `mailserver`.`virtual_domains` (`id`, `name`)
+	VALUES
+		('{{ virtual_domain.pk_id }}', '{{ virtual_domain.name }}');
+{% endfor %}
+
+{% for virtual_user in mail_virtual_users %}
+	INSERT INTO `mailserver`.`virtual_users`  (`domain_id`, `password` , `email`)
+	VALUES
+  	('{{ virtual_domain.domain_pk_id }}', '{{ virtual_user.password_hash }}', '{{ virtual_user.address }}');
+{% endfor %}

roles/mailserver/vars/main.yml

@@ -0,0 +1,19 @@
+---
+mail_server_hostname: mail.TODO.com
+mail_mysql_username: mailuser
+mail_mysql_password: TODO
+mail_mysql_database: mailserver
+mail_virtual_domains:
+  - name: TODO
+    pk_id: 1
+    primary_user: TODO
+  - name: TODO
+    pk_id: 2
+    primary_user: TODO
+mail_virtual_users:
+  - address: TODO@TODO.com
+    password_hash: TODO
+    domain_pk_id: 1
+  - address: TODO@TODO.com
+    password_hash: TODO@TODO.com
+    domain_pk_id: 2

roles/monitoring/files/etc_monit_conf.d_apache2

@@ -0,0 +1,8 @@
+check process apache2 with pidfile /var/run/apache2.pid
+  group www
+  start program = "/etc/init.d/apache2 start"
+  stop program = "/etc/init.d/apache2 stop"
+  if failed host localhost port 80 protocol http
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_dovecot

@@ -0,0 +1,6 @@
+check process dovecot with pidfile /var/run/dovecot/master.pid
+  group mail
+  start program = "/etc/init.d/dovecot start"
+  stop program = "/etc/init.d/dovecot stop"
+  if failed port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
+  if 3 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_mysql

@@ -0,0 +1,6 @@
+check process mysqld with pidfile /var/run/mysqld/mysqld.pid
+  group database
+  start program = "/etc/init.d/mysql start"
+  stop program = "/etc/init.d/mysql stop"
+  if failed host localhost port 3306 protocol mysql then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_postfix

@@ -0,0 +1,6 @@
+check process postfix with pidfile /var/spool/postfix/pid/master.pid
+  group mail
+  start program = "/etc/init.d/postfix start"
+  stop  program = "/etc/init.d/postfix stop"
+  if failed port 25 protocol smtp then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_sshd

@@ -0,0 +1,5 @@
+check process sshd with pidfile /var/run/sshd.pid
+  start program "/etc/init.d/ssh start"
+  stop program "/etc/init.d/ssh stop"
+  if failed host 127.0.0.1 port 22 protocol ssh then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_tomcat

@@ -0,0 +1,8 @@
+check process tomcat with pidfile "/var/run/tomcat6.pid"
+  group mail
+  start program = "/etc/init.d/tomcat6 start"
+  as uid6 tomcat gid tomcat6
+  stop program = "/etc/init.d/tomcat6 stop"
+  as uid6 tomcat gid tomcat6
+  if failed port 8080 then alert
+  if failed port 8080 for 5 cycles then restart

roles/monitoring/files/etc_monit_conf.d_znc

@@ -0,0 +1,8 @@
+check process znc with pidfile /var/run/znc/znc.pid
+  group irc
+  start program = "/etc/init.d/znc start"
+  stop program = "/etc/init.d/znc stop"
+  if failed host localhost port 6697 type tcpSSL protocol http
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_monitrc

@@ -0,0 +1,250 @@
+###############################################################################
+## Monit control file
+###############################################################################
+##
+## Comments begin with a '#' and extend through the end of the line. Keywords
+## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
+##
+## Below you will find examples of some frequently used statements. For 
+## information about the control file and a complete list of statements and 
+## options, please have a look in the Monit manual.
+##
+##
+###############################################################################
+## Global section
+###############################################################################
+##
+## Start Monit in the background (run as a daemon):
+#
+  set daemon 120            # check services at 2-minute intervals
+#   with start delay 240    # optional: delay the first check by 4-minutes (by 
+#                           # default Monit check immediately after Monit start)
+#
+#
+## Set syslog logging with the 'daemon' facility. If the FACILITY option is
+## omitted, Monit will use 'user' facility by default. If you want to log to 
+## a standalone log file instead, specify the full path to the log file
+#
+# set logfile syslog facility log_daemon                       
+  set logfile /var/log/monit.log
+#
+#
+## Set the location of the Monit id file which stores the unique id for the
+## Monit instance. The id is generated and stored on first Monit start. By 
+## default the file is placed in $HOME/.monit.id.
+#
+# set idfile /var/.monit.id
+  set idfile /var/lib/monit/id
+#
+## Set the location of the Monit state file which saves monitoring states
+## on each cycle. By default the file is placed in $HOME/.monit.state. If
+## the state file is stored on a persistent filesystem, Monit will recover
+## the monitoring state across reboots. If it is on temporary filesystem, the
+## state will be lost on reboot which may be convenient in some situations.
+#
+  set statefile /var/lib/monit/state
+#
+## Set the list of mail servers for alert delivery. Multiple servers may be 
+## specified using a comma separator. If the first mail server fails, Monit 
+# will use the second mail server in the list and so on. By default Monit uses 
+# port 25 - it is possible to override this with the PORT option.
+#
+# set mailserver mail.bar.baz,               # primary mailserver
+#                backup.bar.baz port 10025,  # backup mailserver on port 10025
+#                localhost                   # fallback relay
+#
+
+set mailserver localhost
+
+## By default Monit will drop alert events if no mail servers are available. 
+## If you want to keep the alerts for later delivery retry, you can use the 
+## EVENTQUEUE statement. The base directory where undelivered alerts will be 
+## stored is specified by the BASEDIR option. You can limit the maximal queue
+## size using the SLOTS option (if omitted, the queue is limited by space 
+## available in the back end filesystem).
+#
+  set eventqueue
+      basedir /var/lib/monit/events # set the base directory where events will be stored
+      slots 100                     # optionally limit the queue size
+#
+#
+## Send status and events to M/Monit (for more informations about M/Monit 
+## see http://mmonit.com/). By default Monit registers credentials with 
+## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
+## have to register Monit credentials manually in M/Monit. It is possible to
+## disable credential registration using the commented out option below. 
+## Though, if safety is a concern we recommend instead using https when
+## communicating with M/Monit and send credentials encrypted.
+#
+# set mmonit http://monit:monit@192.168.1.10:8080/collector
+#     # and register without credentials     # Don't register credentials
+#
+#
+## Monit by default uses the following format for alerts if the the mail-format
+## statement is missing::
+## --8<--
+## set mail-format {
+##      from: monit@$HOST
+##   subject: monit alert --  $EVENT $SERVICE
+##   message: $EVENT Service $SERVICE
+##                 Date:        $DATE
+##                 Action:      $ACTION
+##                 Host:        $HOST
+##                 Description: $DESCRIPTION
+##
+##            Your faithful employee,
+##            Monit
+## }
+## --8<--
+##
+## You can override this message format or parts of it, such as subject
+## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
+## are expanded at runtime. For example, to override the sender, use:
+#
+# set mail-format { from: monit@foo.bar }
+#
+#
+## You can set alert recipients whom will receive alerts if/when a 
+## service defined in this file has errors. Alerts may be restricted on 
+## events by using a filter as in the second example below. 
+#
+# set alert sysadm@foo.bar                       # receive all alerts
+# set alert manager@foo.bar only on { timeout }  # receive just service-
+#                                                # timeout alert
+#
+#
+## Monit has an embedded web server which can be used to view status of 
+## services monitored and manage services from a web interface. See the
+## Monit Wiki if you want to enable SSL for the web server. 
+#
+# set httpd port 2812 and
+#     use address localhost  # only accept connection from localhost
+#     allow localhost        # allow localhost to connect to the server and
+#    allow admin:monit      # require user 'admin' with password 'monit'
+#    allow @monit           # allow users of group 'monit' to connect (rw)
+#    allow @users readonly  # allow users of group 'users' to connect readonly
+#
+###############################################################################
+## Services
+###############################################################################
+##
+## Check general system resources such as load average, cpu and memory
+## usage. Each test specifies a resource, conditions and the action to be
+## performed should a test fail.
+#
+#  check system myhost.mydomain.tld
+#    if loadavg (1min) > 4 then alert
+#    if loadavg (5min) > 2 then alert
+#    if memory usage > 75% then alert
+#    if swap usage > 25% then alert
+#    if cpu usage (user) > 70% then alert
+#    if cpu usage (system) > 30% then alert
+#    if cpu usage (wait) > 20% then alert
+#
+#    
+## Check if a file exists, checksum, permissions, uid and gid. In addition
+## to alert recipients in the global section, customized alert can be sent to 
+## additional recipients by specifying a local alert handler. The service may 
+## be grouped using the GROUP option. More than one group can be specified by
+## repeating the 'group name' statement.
+#    
+#  check file apache_bin with path /usr/local/apache/bin/httpd
+#    if failed checksum and 
+#       expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
+#    if failed permission 755 then unmonitor
+#    if failed uid root then unmonitor
+#    if failed gid root then unmonitor
+#    alert security@foo.bar on {
+#           checksum, permission, uid, gid, unmonitor
+#        } with the mail-format { subject: Alarm! }
+#    group server
+#
+#    
+## Check that a process is running, in this case Apache, and that it respond
+## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
+## and number of children. If the process is not running, Monit will restart 
+## it by default. In case the service is restarted very often and the 
+## problem remains, it is possible to disable monitoring using the TIMEOUT
+## statement. This service depends on another service (apache_bin) which
+## is defined above.
+#    
+#  check process apache with pidfile /usr/local/apache/logs/httpd.pid
+#    start program = "/etc/init.d/httpd start" with timeout 60 seconds
+#    stop program  = "/etc/init.d/httpd stop"
+#    if cpu > 60% for 2 cycles then alert
+#    if cpu > 80% for 5 cycles then restart
+#    if totalmem > 200.0 MB for 5 cycles then restart
+#    if children > 250 then restart
+#    if loadavg(5min) greater than 10 for 8 cycles then stop
+#    if failed host www.tildeslash.com port 80 protocol http 
+#       and request "/somefile.html"
+#       then restart
+#    if failed port 443 type tcpssl protocol http
+#       with timeout 15 seconds
+#       then restart
+#    if 3 restarts within 5 cycles then timeout
+#    depends on apache_bin
+#    group server
+#    
+#    
+## Check filesystem permissions, uid, gid, space and inode usage. Other services,
+## such as databases, may depend on this resource and an automatically graceful
+## stop may be cascaded to them before the filesystem will become full and data
+## lost.
+#
+#  check filesystem datafs with path /dev/sdb1
+#    start program  = "/bin/mount /data"
+#    stop program  = "/bin/umount /data"
+#    if failed permission 660 then unmonitor
+#    if failed uid root then unmonitor
+#    if failed gid disk then unmonitor
+#    if space usage > 80% for 5 times within 15 cycles then alert
+#    if space usage > 99% then stop
+#    if inode usage > 30000 then alert
+#    if inode usage > 99% then stop
+#    group server
+#
+#
+## Check a file's timestamp. In this example, we test if a file is older 
+## than 15 minutes and assume something is wrong if its not updated. Also,
+## if the file size exceed a given limit, execute a script
+#
+#  check file database with path /data/mydatabase.db
+#    if failed permission 700 then alert
+#    if failed uid data then alert
+#    if failed gid data then alert
+#    if timestamp > 15 minutes then alert
+#    if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
+#
+#
+## Check directory permission, uid and gid.  An event is triggered if the 
+## directory does not belong to the user with uid 0 and gid 0.  In addition, 
+## the permissions have to match the octal description of 755 (see chmod(1)).
+#
+#  check directory bin with path /bin
+#    if failed permission 755 then unmonitor
+#    if failed uid 0 then unmonitor
+#    if failed gid 0 then unmonitor
+#
+#
+## Check a remote host availability by issuing a ping test and check the 
+## content of a response from a web server. Up to three pings are sent and 
+## connection to a port and an application level network check is performed.
+#
+#  check host myserver with address 192.168.1.1
+#    if failed icmp type echo count 3 with timeout 3 seconds then alert
+#    if failed port 3306 protocol mysql with timeout 15 seconds then alert
+#    if failed url http://user:password@www.foo.bar:8080/?querystring
+#       and content == 'action="j_security_check"'
+#       then alert
+#
+#
+###############################################################################
+## Includes
+###############################################################################
+##
+## It is possible to include additional configuration parts from other files or
+## directories.
+#
+   include /etc/monit/conf.d/*
+

roles/monitoring/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: restart monit
+  service: name=monit state=restarted

roles/monitoring/tasks/main.yml

@@ -0,0 +1 @@
+- include: monit.yml tags=monit

roles/monitoring/tasks/monit.yml

@@ -0,0 +1,17 @@
+- name: Install monit
+  apt: pkg=monit state=installed
+
+- name: Copy monit master config file into place
+  copy: src=etc_monit_monitrc dest=/etc/monit/monitrc
+
+- name: Copy monit service config files into place
+  copy: src=etc_monit_conf.d_${item} dest=/etc/monit/conf.d/${item}
+  with_items:
+    - apache2
+    - dovecot
+    - mysql
+    - postfix
+    - sshd
+    - tomcat
+    - znc
+  notify: restart monit

roles/owncloud/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+
+- include: owncloud.yml tags=owncloud

roles/owncloud/tasks/owncloud.yml

@@ -0,0 +1,41 @@
+---
+# Installs the ownCloud personal cloud software
+# as per http://www.debiantutorials.com/how-to-install-owncloud-on-wheezy/
+
+- name: Create database user for ownCloud
+  mysql_user: user={{ owncloud_mysql_username }} password={{ owncloud_mysql_password }} state=present priv="owncloud.*:ALL"
+
+- name: Create database for ownCloud
+  mysql_db: name={{ owncloud_mysql_database }} state=present
+
+- name: Install ownCloud dependencies
+  apt: pkg=python-software-properties
+
+- name: Ensure repository key for ownCloud is in place
+  apt_key: url=http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/Release.key state=present
+
+- name: Add ownCloud OpenSuSE repository
+  apt_repository: repo='deb http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/ /'
+
+- name: Install ownCloud from OpenSuSE repository
+  apt: pkg=owncloud update_cache=yes
+
+- name: Store ownCloud data securely
+  command: mv /var/www/owncloud/data /decrypted-mail/owncloud-data creates=/decrypted-mail/owncloud-data
+- file: src=/decrypted-mail/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
+
+- name: Enable Apache module dependencies for ownCloud
+  command: a2enmod $item
+  with_items:
+    - rewrite
+    - headers
+  notify: restart apache
+
+- name: Configure the Apache HTTP server for ownCloud
+  template: src=etc_apache2_sites-available_owncloud.j2 dest=/etc/apache2/sites-available/owncloud group=www-data owner=www-data
+- command: a2ensite owncloud
+  notify: restart apache
+
+- name: Install ownCloud cronjob
+  cron: name="ownCloud" user="www-data" minute="*/5" job="php -f /var/www/owncloud/cron.php > /dev/null"
+

roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2

@@ -0,0 +1,23 @@
+NameVirtualHost *:443
+
+<VirtualHost *:443>
+    ServerName {{ owncloud_domain }}
+
+    SSLEngine on
+    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
+
+    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
+    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
+    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+
+    DocumentRoot            /var/www/owncloud
+
+    ErrorLog                /var/log/apache2/owncloud.info-error_log
+    CustomLog               /var/log/apache2/owncloud.info-access_log common
+
+    <Directory /var/www/owncloud>
+        AllowOverride All
+        Order allow,deny
+        allow from all
+    </Directory>
+</VirtualHost>

roles/owncloud/vars/main.yml

@@ -0,0 +1,4 @@
+owncloud_domain: cloud.TODO.com
+owncloud_mysql_username: owncloud
+owncloud_mysql_password: TODO
+owncloud_mysql_database: owncloud

roles/vpn/files/etc_dnsmasq.conf

@@ -0,0 +1,626 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Listen on this specific port instead of the standard DNS port
+# (53). Setting this to zero completely disables DNS function,
+# leaving only DHCP and/or TFTP.
+#port=5353
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# unnecessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link unnecessarily.
+
+# Never forward plain names (without a dot or domain part)
+domain-needed
+
+# Never forward addresses in the non-routed address spaces.
+bogus-priv
+
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+#filterwin2k
+
+# Change this line if you want dns to get its upstream servers from
+# somewhere other that /etc/resolv.conf
+#resolv-file=
+
+# By  default,  dnsmasq  will  send queries to any of the upstream
+# servers it knows about and tries to favour servers to are  known
+# to  be  up.  Uncommenting this forces dnsmasq to try each query
+# with  each  server  strictly  in  the  order  they   appear   in
+# /etc/resolv.conf
+#strict-order
+
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
+# file, getting its servers from this file instead (see below), then
+# uncomment this.
+#no-resolv
+
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+# files for changes and re-read them then uncomment this.
+#no-poll
+
+# Add other name servers here, with domain specs if they are for
+# non-public domains.
+#server=/localnet/192.168.0.1
+
+# Example of routing PTR queries to nameservers: this will send all
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+#server=/3.168.192.in-addr.arpa/10.1.2.3
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+#local=/localnet/
+
+# Add domains which you want to force to an IP address here.
+# The example below send any host in double-click.net to a local
+# web-server.
+#address=/double-click.net/127.0.0.1
+
+# --address (and --server) work with IPv6 addresses too.
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+
+# and this sets the source (ie local) address used to talk to
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
+# IP on the machine, obviously).
+# server=10.1.2.3@192.168.1.1#55
+
+# If you want dnsmasq to change uid and gid to something other
+# than the default, edit the following lines.
+#user=
+#group=
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+#interface=
+# Or you can specify which interface _not_ to listen on
+#except-interface=
+# Or which to listen on by address (remember to include 127.0.0.1 if
+# you use this.)
+#listen-address=
+listen-address=127.0.0.1,10.8.0.1
+
+# If you want dnsmasq to provide only DNS service on an interface,
+# configure it as shown above, and then use the following line to
+# disable DHCP and TFTP on it.
+#no-dhcp-interface=
+
+# On systems which support it, dnsmasq binds the wildcard address,
+# even when it is listening on only some interfaces. It then discards
+# requests that it shouldn't reply to. This has the advantage of
+# working even when interfaces come and go and change address. If you
+# want dnsmasq to really bind only the interfaces it is listening on,
+# uncomment this option. About the only time you may need this is when
+# running another nameserver on the same machine.
+bind-interfaces
+
+# If you don't want dnsmasq to read /etc/hosts, uncomment the
+# following line.
+#no-hosts
+# or if you want it to read another file, as well as /etc/hosts, use
+# this.
+#addn-hosts=/etc/banner_add_hosts
+
+# Set this (and domain: see below) if you want to have a domain
+# automatically added to simple names in a hosts-file.
+#expand-hosts
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+#     as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+#    domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+#domain=thekelleys.org.uk
+
+# Set a different domain for a particular subnet
+#domain=wireless.thekelleys.org.uk,192.168.2.0/24
+
+# Same idea, but range rather then subnet
+#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+#dhcp-range=192.168.0.50,192.168.0.150,12h
+
+# This is an example of a DHCP range where the netmask is given. This
+# is needed for networks we reach the dnsmasq DHCP server via a relay
+# agent. If you don't know what a DHCP relay agent is, you probably
+# don't need to worry about this.
+#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+
+# This is an example of a DHCP range which sets a tag, so that
+# some DHCP options may be set only for this network.
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
+
+# Use this DHCP range only when the tag "green" is set.
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+# Specify a subnet which can't be used for dynamic address allocation,
+# is available for hosts with matching --dhcp-host lines. Note that
+# dhcp-host declarations will be ignored unless there is a dhcp-range
+# of some type for the subnet in question.
+# In this case the netmask is implied (it comes from the network
+# configuration on the machine running dnsmasq) it is possible to give
+# an explicit netmask instead.
+#dhcp-range=192.168.0.0,static
+
+# Enable DHCPv6. Note that the prefix-length does not need to be specified
+# and defaults to 64 if missing/
+#dhcp-range=1234::2, 1234::500, 64, 12h
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+#dhcp-range=1234::, ra-only 
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack 
+# hosts. Use the DHCPv4 lease to derive the name, network segment and 
+# MAC address and assume that the host will also have an
+# IPv6 address calculated using the SLAAC alogrithm.
+#dhcp-range=1234::, ra-names
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
+#dhcp-range=1234::, ra-only, 48h
+
+# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
+# so that clients can use SLAAC addresses as well as DHCP ones.
+#dhcp-range=1234::2, 1234::500, slaac
+
+# Do Router Advertisements and stateless DHCP for this subnet. Clients will
+# not get addresses from DHCP, but they will get other configuration information.
+# They will use SLAAC for addresses.
+#dhcp-range=1234::, ra-stateless
+
+# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
+# from DHCPv4 leases.
+#dhcp-range=1234::, ra-stateless, ra-names
+
+# Do router advertisements for all subnets where we're doing DHCPv6
+# Unless overriden by ra-stateless, ra-names, et al, the router 
+# advertisements will have the M and O bits set, so that the clients
+# get addresses and configuration from DHCPv6, and the A bit reset, so the 
+# clients don't use SLAAC addresses.
+#enable-ra
+
+# Supply parameters for specified hosts using DHCP. There are lots
+# of valid alternatives, so we will give examples of each. Note that
+# IP addresses DO NOT have to be in the range given above, they just
+# need to be on the same network. The order of the parameters in these
+# do not matter, it's permissible to give name, address and MAC in any
+# order.
+
+# Always allocate the host with Ethernet address 11:22:33:44:55:66
+# The IP address 192.168.0.60
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
+
+# Always set the name of the host with hardware address
+# 11:22:33:44:55:66 to be "fred"
+#dhcp-host=11:22:33:44:55:66,fred
+
+# Always give the host with Ethernet address 11:22:33:44:55:66
+# the name fred and IP address 192.168.0.60 and lease time 45 minutes
+#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
+
+# Give a host with Ethernet address 11:22:33:44:55:66 or
+# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
+# that these two Ethernet interfaces will never be in use at the same
+# time, and give the IP address to the second, even if it is already
+# in use by the first. Useful for laptops with wired and wireless
+# addresses.
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
+
+# Give the machine which says its name is "bert" IP address
+# 192.168.0.70 and an infinite lease
+#dhcp-host=bert,192.168.0.70,infinite
+
+# Always give the host with client identifier 01:02:02:04
+# the IP address 192.168.0.60
+#dhcp-host=id:01:02:02:04,192.168.0.60
+
+# Always give the host with client identifier "marjorie"
+# the IP address 192.168.0.60
+#dhcp-host=id:marjorie,192.168.0.60
+
+# Enable the address given for "judge" in /etc/hosts
+# to be given to a machine presenting the name "judge" when
+# it asks for a DHCP lease.
+#dhcp-host=judge
+
+# Never offer DHCP service to a machine whose Ethernet
+# address is 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,ignore
+
+# Ignore any client-id presented by the machine with Ethernet
+# address 11:22:33:44:55:66. This is useful to prevent a machine
+# being treated differently when running under different OS's or
+# between PXE boot and OS boot.
+#dhcp-host=11:22:33:44:55:66,id:*
+
+# Send extra options which are tagged as "red" to
+# the machine with Ethernet address 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,set:red
+
+# Send extra options which are tagged as "red" to
+# any machine with Ethernet address starting 11:22:33:
+#dhcp-host=11:22:33:*:*:*,set:red
+
+# Give a fixed IPv6 address and name to client with 
+# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
+# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
+# Note also the they [] around the IPv6 address are obilgatory.
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] 
+
+# Ignore any clients which are not specified in dhcp-host lines
+# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
+# This relies on the special "known" tag which is set when
+# a host is matched.
+#dhcp-ignore=tag:!known
+
+# Send extra options which are tagged as "red" to any machine whose
+# DHCP vendorclass string includes the substring "Linux"
+#dhcp-vendorclass=set:red,Linux
+
+# Send extra options which are tagged as "red" to any machine one
+# of whose DHCP userclass strings includes the substring "accounts"
+#dhcp-userclass=set:red,accounts
+
+# Send extra options which are tagged as "red" to any machine whose
+# MAC address matches the pattern.
+#dhcp-mac=set:red,00:60:8C:*:*:*
+
+# If this line is uncommented, dnsmasq will read /etc/ethers and act
+# on the ethernet-address/IP pairs found there just as if they had
+# been given as --dhcp-host options. Useful if you keep
+# MAC-address/host mappings there for other purposes.
+#read-ethers
+
+# Send options to hosts which ask for a DHCP lease.
+# See RFC 2132 for details of available options.
+# Common options can be given to dnsmasq by name:
+# run "dnsmasq --help dhcp" to get a list.
+# Note that all the common settings, such as netmask and
+# broadcast address, DNS server and default route, are given
+# sane defaults by dnsmasq. You very likely will not need
+# any dhcp-options. If you use Windows clients and Samba, there
+# are some options which are recommended, they are detailed at the
+# end of this section.
+
+# Override the default route supplied by dnsmasq, which assumes the
+# router is the same machine as the one running dnsmasq.
+#dhcp-option=3,1.2.3.4
+
+# Do the same thing, but using the option name
+#dhcp-option=option:router,1.2.3.4
+
+# Override the default route supplied by dnsmasq and send no default
+# route at all. Note that this only works for the options sent by
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
+# for all other option numbers.
+#dhcp-option=3
+
+# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
+#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
+
+# Send DHCPv6 option. Note [] around IPv6 addresses.
+#dhcp-option=option6:dns-server,[1234::77],[1234::88]
+
+# Send DHCPv6 option for namservers as the machine running 
+# dnsmasq and another.
+#dhcp-option=option6:dns-server,[::],[1234::88]
+
+# Set the NTP time server address to be the same machine as
+# is running dnsmasq
+#dhcp-option=42,0.0.0.0
+
+# Set the NIS domain name to "welly"
+#dhcp-option=40,welly
+
+# Set the default time-to-live to 50
+#dhcp-option=23,50
+
+# Set the "all subnets are local" flag
+#dhcp-option=27,1
+
+# Send the etherboot magic flag and then etherboot options (a string).
+#dhcp-option=128,e4:45:74:68:00:00
+#dhcp-option=129,NIC=eepro100
+
+# Specify an option which will only be sent to the "red" network
+# (see dhcp-range for the declaration of the "red" network)
+# Note that the tag: part must precede the option: part.
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
+
+# The following DHCP options set up dnsmasq in the same way as is specified
+# for the ISC dhcpcd in
+# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# adapted for a typical dnsmasq installation where the host running
+# dnsmasq is also the host running samba.
+# you may want to uncomment some or all of them if you use
+# Windows clients and Samba.
+#dhcp-option=19,0           # option ip-forwarding off
+#dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+#dhcp-option=45,0.0.0.0     # netbios datagram distribution server
+#dhcp-option=46,8           # netbios node type
+
+# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
+#dhcp-option=252,"\n"
+
+# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+# probably doesn't support this......
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
+
+# Send RFC-3442 classless static routes (note the netmask encoding)
+#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
+
+# Send vendor-class specific options encapsulated in DHCP option 43.
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT"
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
+#dhcp-option=vendor:PXEClient,1,0.0.0.0
+
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+#dhcp-option=vendor:MSFT,2,1i
+
+# Send the Encapsulated-vendor-class ID needed by some configurations of
+# Etherboot to allow is to recognise the DHCP server.
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+# Send options to PXELinux. Note that we need to send the options even
+# though they don't appear in the parameter request list, so we need
+# to use dhcp-option-force here.
+# See http://syslinux.zytor.com/pxe.php#special for details.
+# Magic number - needed before anything else is recognised
+#dhcp-option-force=208,f1:00:74:7e
+# Configuration file name
+#dhcp-option-force=209,configs/common
+# Path prefix
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
+# Reboot time. (Note 'i' to send 32-bit value)
+#dhcp-option-force=211,30i
+
+# Set the boot filename for netboot/PXE. You will only need
+# this is you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built in TFTP server or an
+# external one. (See below for how to enable the TFTP server.)
+#dhcp-boot=pxelinux.0
+
+# The same as above, but use custom tftp-server instead machine running dnsmasq
+#dhcp-boot=pxelinux,server.name,192.168.1.100
+
+# Boot for Etherboot gPXE. The idea is to send two different
+# filenames, the first loads gPXE, and the second tells gPXE what to
+# load. The dhcp-match sets the gpxe tag for requests from gPXE.
+#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
+#dhcp-boot=tag:!gpxe,undionly.kpxe
+#dhcp-boot=mybootimage
+
+# Encapsulated options for Etherboot gPXE. All the options are
+# encapsulated within option 175
+#dhcp-option=encap:175, 1, 5b         # priority code
+#dhcp-option=encap:175, 176, 1b       # no-proxydhcp
+#dhcp-option=encap:175, 177, string   # bus-id
+#dhcp-option=encap:175, 189, 1b       # BIOS drive code
+#dhcp-option=encap:175, 190, user     # iSCSI username
+#dhcp-option=encap:175, 191, pass     # iSCSI password
+
+# Test for the architecture of a netboot client. PXE clients are
+# supposed to send their architecture as option 93. (See RFC 4578)
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
+#dhcp-match=itanics, option:client-arch, 2 #IA64
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
+
+# Do real PXE, rather than just booting a single file, this is an
+# alternative to dhcp-boot.
+#pxe-prompt="What system shall I netboot?"
+# or with timeout before first available action is taken:
+#pxe-prompt="Press F8 for menu.", 60
+
+# Available boot services. for PXE.
+#pxe-service=x86PC, "Boot from local disk"
+
+# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
+#pxe-service=x86PC, "Install Linux", pxelinux
+
+# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
+# Beware this fails on old PXE ROMS.
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
+
+# Use bootserver on network, found my multicast or broadcast.
+#pxe-service=x86PC, "Install windows from RIS server", 1
+
+# Use bootserver at a known IP address.
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+# If you have multicast-FTP available,
+# information for that can be passed in a similar way using options 1
+# to 5. See page 19 of
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
+
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files available via FTP.
+#tftp-root=/var/ftpd
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
+
+# Set the boot file name only when the "red" tag is set.
+#dhcp-boot=net:red,pxelinux.red-net
+
+# An example of dhcp-boot with an external TFTP server: the name and IP
+# address of the server are given after the filename.
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
+
+# If there are multiple external tftp servers having a same name
+# (using /etc/hosts) then that name can be specified as the
+# tftp_servername (the third option to dhcp-boot) and in that
+# case dnsmasq resolves this name and returns the resultant IP
+# addresses in round robin fasion. This facility can be used to
+# load balance the tftp load among a set of servers.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
+
+# Set the limit on DHCP leases, the default is 150
+#dhcp-lease-max=150
+
+# The DHCP server needs somewhere on disk to keep its lease database.
+# This defaults to a sane location, but if you want to change it, use
+# the line below.
+#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+
+# Set the DHCP server to authoritative mode. In this mode it will barge in
+# and take over the lease for any client which broadcasts on the network,
+# whether it has a record of the lease or not. This avoids long timeouts
+# when a machine wakes up on a new network. DO NOT enable this if there's
+# the slightest chance that you might end up accidentally configuring a DHCP
+# server for your campus/company accidentally. The ISC server uses
+# the same option, and this URL provides more information:
+# http://www.isc.org/files/auth.html
+#dhcp-authoritative
+
+# Run an executable when a DHCP lease is created or destroyed.
+# The arguments sent to the script are "add" or "del",
+# then the MAC address, the IP address and finally the hostname
+# if there is one.
+#dhcp-script=/bin/echo
+
+# Set the cachesize here.
+#cache-size=150
+
+# If you want to disable negative caching, uncomment this.
+#no-negcache
+
+# Normally responses which come form /etc/hosts and the DHCP lease
+# file have Time-To-Live set as zero, which conventionally means
+# do not cache further. If you are happy to trade lower load on the
+# server for potentially stale date, you can set a time-to-live (in
+# seconds) here.
+#local-ttl=
+
+# If you want dnsmasq to detect attempts by Verisign to send queries
+# to unregistered .com and .net hosts to its sitefinder service and
+# have dnsmasq instead return the correct NXDOMAIN response, uncomment
+# this line. You can add similar lines to do the same for other
+# registries which have implemented wildcard A records.
+#bogus-nxdomain=64.94.110.11
+
+# If you want to fix up DNS results from upstream servers, use the
+# alias option. This only works for IPv4.
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
+#alias=1.2.3.4,5.6.7.8
+# and this maps 1.2.3.x to 5.6.7.x
+#alias=1.2.3.0,5.6.7.0,255.255.255.0
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+
+# Change these lines if you want dnsmasq to serve MX records.
+
+# Return an MX record named "maildomain.com" with target
+# servermachine.com and preference 50
+#mx-host=maildomain.com,servermachine.com,50
+
+# Set the default target for MX records created using the localmx option.
+#mx-target=servermachine.com
+
+# Return an MX record pointing to the mx-target for all local
+# machines.
+#localmx
+
+# Return an MX record pointing to itself for all local machines.
+#selfmx
+
+# Change the following lines if you want dnsmasq to serve SRV
+# records.  These are useful if you want to serve ldap requests for
+# Active Directory and other windows-originated DNS requests.
+# See RFC 2782.
+# You may add multiple srv-host lines.
+# The fields are <name>,<target>,<port>,<priority>,<weight>
+# If the domain part if missing from the name (so that is just has the
+# service and protocol sections) then the domain given by the domain=
+# config option is used. (Note that expand-hosts does not need to be
+# set for this to work.)
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389 (using domain=)
+#domain=example.com
+#srv-host=_ldap._tcp,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for TXT records.)
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+# Provide an alias for a "local" DNS name. Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertand,bert
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+# Include a another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d

roles/vpn/files/etc_rc.local

@@ -0,0 +1,20 @@
+#!/bin/sh -e
+# 
+# rc.local
+# 
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+# 
+# In order to enable or disable this script just change the execution
+# bits.
+# 
+  
+iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
+iptables -A FORWARD -j REJECT
+iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+
+/etc/init.d/dnsmasq restart
+
+exit 0

roles/vpn/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart dnsmasq
+  service: name=dnsmasq state=restarted
+
+- name: restart openvpn
+  service: name=openvpn state=restarted

roles/vpn/tasks/main.yml

@@ -0,0 +1 @@
+- include: openvpn.yml tags=openvpn

roles/vpn/tasks/openvpn.yml

@@ -0,0 +1,63 @@
+---
+# Installs the OpenVPN virtual private network server.
+# ref: https://library.linode.com/networking/openvpn/debian-6-squeeze
+
+- name: Install OpenVPN and dependencies from apt
+  apt: pkg=$item state=installed
+  with_items:
+    - openvpn
+    - udev
+    - dnsmasq
+
+- name: Copy setup scripts into place
+  command: cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
+
+- name: Put easy-rsa parameter settings in place
+  template: src=etc_openvpn_easy-rsa_2.0_vars.j2 dest=/etc/openvpn/easy-rsa/2.0/vars
+
+###### manually:
+# cd /etc/openvpn/easy-rsa/2.0/
+# . /etc/openvpn/easy-rsa/2.0/vars
+# . /etc/openvpn/easy-rsa/2.0/clean-all
+# . /etc/openvpn/easy-rsa/2.0/build-ca
+# . /etc/openvpn/easy-rsa/2.0/build-key-server server
+#
+# for each client:
+# . /etc/openvpn/easy-rsa/2.0/build-key $client_name
+#####
+
+- name: Generate Diffie-Hellman parameters
+  command: . /etc/openvpn/easy-rsa/2.0/build-dh creates=/etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
+
+- name: Copy certificates and key files into place
+  command: cp /etc/openvpn/easy-rsa/2.0/keys/$item /etc/openvpn creates=/etc/openvpn/$item
+  with_items:
+    - ca.crt
+    - ca.key
+    - dh1024.pem
+    - server.crt
+    - server.key
+
+- name: Copy rc.local with firewall and dnsmasq rules into place
+  copy: src=etc_rc.local dest=/etc/rc.local
+
+- name: Enable IPv4 traffic forwarding
+  lineinfile: dest=/etc/sysctl.conf regexp="^net.ipv4.ip_forward" line="net.ipv4.ip_forward=1"
+- command: echo 1 > /proc/sys/net/ipv4/ip_forward
+
+- name: Allow OpenVPN through firewall
+  command: $item
+  with_items:
+    - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+    - iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
+    - iptables -A FORWARD -j REJECT
+    - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+
+- name: Copy OpenVPN configuration file into place
+  template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
+  notify: restart openvpn
+
+- name: Copy dnsmasq configuration file into place
+  copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
+  notify: restart dnsmasq
+

roles/vpn/templates/etc_openvpn_easy-rsa_2.0_vars.j2

@@ -0,0 +1,72 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="{{ key_country }}"
+export KEY_PROVINCE="{{ key_province }}"
+export KEY_CITY="{{ key_city }}"
+export KEY_ORG="{{ key_org }}"
+export KEY_EMAIL="{{ key_email }}"
+export KEY_CN={{ key_cn }}
+export KEY_NAME={{ key_name }}
+export KEY_OU={{ key_ou }}
+export PKCS11_MODULE_PATH=changeme
+export PKCS11_PIN=1234

roles/vpn/templates/etc_openvpn_server.conf.j2

@@ -0,0 +1,301 @@
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port 1194
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca ca.crt
+cert server.crt
+key server.key  # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys. 
+dh dh1024.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.8.0.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Configure server mode for ethernet bridging
+# using a DHCP-proxy, where clients talk
+# to the OpenVPN server-side DHCP server
+# to receive their IP address allocation
+# and DNS server addresses.  You must first use
+# your OS's bridging capability to bridge the TAP
+# interface with the ethernet NIC interface.
+# Note: this mode only works on clients (such as
+# Windows), where the client-side TAP adapter is
+# bound to a DHCP client.
+;server-bridge
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 192.168.10.0 255.255.255.0"
+;push "route 192.168.20.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir ccd
+;route 192.168.40.128 255.255.255.248
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# or bridge the TUN/TAP interface to the internet
+# in order for this to work properly).
+;push "redirect-gateway def1 bypass-dhcp"
+push "redirect-gateway def1"
+push "dhcp-option DNS 10.8.0.1"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+# The addresses below refer to the public
+# DNS servers provided by opendns.com.
+;push "dhcp-option DNS 208.67.222.222"
+;push "dhcp-option DNS 208.67.220.220"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC        # Blowfish (default)
+;cipher AES-128-CBC   # AES
+;cipher DES-EDE3-CBC  # Triple-DES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+;user nobody
+;group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status openvpn-status.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+;log         openvpn.log
+;log-append  openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 3
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20

roles/vpn/vars/main.yml

@@ -0,0 +1,8 @@
+key_country: TODO
+key_province: TODO
+key_city: TODO
+key_org: TODO
+key_email: TODO
+key_ou: TODO
+key_cn: TODO
+key_name: TODO

site.yml

@@ -0,0 +1,18 @@
+---
+# This is the top-level playbook that defines our entire infrastructure.
+
+- hosts: all
+  user: TODO
+  sudo: True
+  gather_facts: False
+
+  roles:
+    - common
+    - mailserver
+    - blog
+    - ircbouncer
+    - monitoring
+    - owncloud
+    - vpn
+
+