Merge branch 'master' into jessie

# Conflicts:
#	README.md
#	Vagrantfile
#	roles/mailserver/tasks/dovecot.yml

.travis.yml

@@ -1,6 +1,7 @@
 language: python
 python: "2.7"
 install:
-  - pip install ansible
+  - pip install ansible ansible-lint
 script:
   - ansible-playbook --syntax-check -i hosts site.yml
+  - ansible-lint site.yml

AUTHORS.md

@@ -0,0 +1,7 @@
+# Authors
+
+Originated by [Alex Payne](https://al3x.net) ([@al3x](https://github.com/al3x)).
+
+Major contributions from [Luke Cyca](http://lukecyca.com/) ([@lukecyca](https://github.com/lukecyca)).
+
+Other talented and generous contributors to Sovereign can be viewed [on GitHub](https://github.com/sovereign/sovereign/graphs/contributors).

CONTRIBUTING.md

@@ -0,0 +1,10 @@
+# Contributing to Sovereign
+
+_This document will be expanded upon._
+
+You'll want to set up a [local development environment](https://github.com/sovereign/sovereign/wiki/Development-Environment) so that you don’t have to test on a remote server.
+
+Make sure you agree with the license (GPLv3). See [LICENSE.md](./LICENSE.md) for details.
+
+If you issue a pull request, please specify what distribution you used for testing (if any).
+Code that is committed to the master branch should work with both Debian 7 and Ubuntu 14.04 LTS (Debian 8 support is coming up).

LICENSE.md

@@ -0,0 +1,24 @@
+# License
+
+Original content is [GPLv3](http://gplv3.fsf.org/), the same license used by [Ansible](http://www.ansible.com/):
+
+```
+Sovereign: a set of Ansible playbooks to configure a personal cloud.
+
+Copyright (C) 2015 Alex Payne and contributors
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+```
+
+All files and templates based on third-party software should be considered under their respective licenses.

README.md

@@ -1,34 +1,20 @@
-[![Build Status](https://travis-ci.org/sovereign/sovereign.svg?branch=jessie)](https://travis-ci.org/sovereign/sovereign)
+[![Build Status](https://travis-ci.org/sovereign/sovereign.svg?branch=master)](https://travis-ci.org/sovereign/sovereign)
 
 Introduction
 ============
 
-Sovereign is a set of [Ansible](http://ansibleworks.com) playbooks that you can use to build and maintain your own [personal cloud](http://www.urbandictionary.com/define.php?term=clown%20computing) (I know I know). It’s based entirely on open source software, so you’re in control.
+Sovereign is a set of [Ansible](http://ansibleworks.com) playbooks that you can use to build and maintain your own [personal cloud](http://www.urbandictionary.com/define.php?term=clown%20computing) based entirely on open source software, so you’re in control.
 
-If you’ve never used Ansible before, you a) are in for a treat and b) might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.
+If you’ve never used Ansible before, you might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.
 
-Background and Motivations
---------------------------
+The original author's [background and motivations](https://github.com/sovereign/sovereign/wiki/Background-and-Motivations) might be of interest. tl;dr: frustrations with Google Apps and concerns about privacy and long-term support.
 
-I had been a paying Google Apps customer for personal and corporate use since the service was in beta. Until several weeks ago, that is. I was about to set up another Google Apps account for a new project when I stopped to consider what I would be funding with my USD \$50 per user per year:
-
-1.  [A seriously questionable privacy track record](https://en.wikipedia.org/wiki/Criticism_of_Google#Privacy).
-2.  [A dwindling commitment to open standards](https://www.eff.org/deeplinks/2013/05/google-abandons-open-standards-instant-messaging).
-3.  [A lack of long-term commitment to products](http://www.quora.com/Google-Products/What-are-all-the-Google-products-that-have-been-shut-down).
-4.  Development of Google+: a cynical and [unimaginative Facebook ripoff](http://gigaom.com/2012/03/15/google-plus-the-problem-isnt-design-its-a-lack-of-demand/) that’s [intruding into progressively more Google products](http://bits.blogs.nytimes.com/2012/03/06/google-defending-google-plus-shares-usage-numbers/?_r=0).
-
-To each her/his own, but personally I saw little reason to continue participating in the Google ecosystem. It had been years since I last ran my own server for email and such, but it’s only gotten cheaper and easier to do so. Plus, none of the commercial alternatives I looked at provided all the services I was looking for.
-
-Rather than writing up a long and hard-to-follow set of instructions, I decided to share my server setup in a format that you can more or less just clone, configure, and run. Ansible seemed like the most appropriate way to do that: it’s simple, straightforward, and easy to pick up.
-
-I’ve been using this setup for about a month now and it’s been great. It’s also replaced some non-Google services I used, saving me money and making me feel like I’ve got a little more privacy.
-
-A big chunk of the initial version was inspired by [this post by Drew Crawford](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/). Unlike Drew, my goal is not “NSA-proofing” email, just providing a reasonable alternative to Google Apps that isn’t wildly insecure. If you need serious privacy and security (ex: for dissident activities), Sovereign might be useful as a starting point but will require additional work. Be careful out there.
+Sovereign offers useful cloud services while being reasonably secure and low-maintenance. Use it to set up your server, SSH in every couple weeks, but mostly forget about it.
 
 Services Provided
 -----------------
 
-What do you get if you point this thing at a VPS? All kinds of good stuff!
+What do you get if you point Sovereign at a server? All kinds of good stuff!
 
 -   [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) over SSL via [Dovecot](http://dovecot.org/), complete with full text search provided by [Solr](https://lucene.apache.org/solr/).
 -   [POP3](https://en.wikipedia.org/wiki/Post_Office_Protocol) over SSL, also via Dovecot
@@ -59,8 +45,6 @@ What do you get if you point this thing at a VPS? All kinds of good stuff!
 -   Read-it-later via [Wallabag](https://www.wallabag.org/)
 -   A bunch of nice-to-have tools like [mosh](http://mosh.mit.edu) and [htop](http://htop.sourceforge.net) that make life with a server a little easier.
 
-No setup is perfect, but the general idea is to provide a bunch of useful services while being reasonably secure and low-maintenance. Set it up, SSH in every couple weeks, but mostly forget about it.
-
 Don’t want one or more of the above services? Comment out the relevant role in `site.yml`. Or get more granular and comment out the associated `include:` directive in one of the playbooks.
 
 Usage
@@ -81,7 +65,7 @@ Installation
 
 Generate a private key and a certificate signing request (CSR):
 
-    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
+    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -sha256 -out mycert.csr
 
 Purchase a wildcard cert from a certificate authority, such as [Positive SSL](https://positivessl.com) or [AlphaSSL](https://www.alphassl.com). You will provide them with the contents of your CSR, and in return they will give you your signed public certificate. Place the certificate in `roles/common/files/wildcard_public_cert.crt`.
 
@@ -97,7 +81,7 @@ Purchasing SSL certs, and wildcard certs specifically, can be a significant fina
 
 To create a self-signed SSL cert, run the following commands:
 
-    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
+    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -sha256 -out mycert.csr
     openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
     cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
 
@@ -198,6 +182,8 @@ To run just one or more piece, use tags. I try to tag all my includes for easy i
 
 You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there’s no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I’ve tried to add comments where manual intervention is necessary.
 
+The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `vars/user.yml`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
+
 ### 6. Set up DNS
 
 If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
@@ -233,12 +219,12 @@ Finally, sign into ownCloud to set it up. You should select PostgreSQL as the co
 How To Use Your New Personal Cloud
 ----------------------------------
 
-We’re collecting known-good client setups [on our wiki](https://github.com/al3x/sovereign/wiki/Usage).
+We’re collecting known-good client setups [on our wiki](https://github.com/sovereign/sovereign/wiki/Usage).
 
 Troubleshooting
 ---------------
 
-If you run into an errors, please check the [wiki page](https://github.com/al3x/sovereign/wiki/Troubleshooting). If the problem you encountered, is not listed, please go ahead and [create an issue](https://github.com/al3x/sovereign/issues/new). If you already have a bugfix and/or workaround, just put them in the issue and the wiki page.
+If you run into an errors, please check the [wiki page](https://github.com/sovereign/sovereign/wiki/Troubleshooting). If the problem you encountered, is not listed, please go ahead and [create an issue](https://github.com/sovereign/sovereign/issues/new). If you already have a bugfix and/or workaround, just put them in the issue and the wiki page.
 
 ### Reboots
 
@@ -252,15 +238,3 @@ IRC
 ===
 
 Ask questions and provide feedback in `#sovereign` on [Freenode](http://freenode.net).
-
-Contributing
-============
-
-You may want to set up a [local development environment](https://github.com/al3x/sovereign/wiki/Development-Environment) so that you don’t have to test on your real server.
-
-If you improve one of the provided playbooks or add an exciting new one, send a pull request. Everyone benefits.
-
-License
--------
-
-Original content is [GPLv3](http://gplv3.fsf.org), same as Ansible. All files and templates based on third-party software should be considered under their respective licenses.

roles/blog/tasks/blog.yml

@@ -1,11 +1,11 @@
 - name: Create directory for blog HTML
-  file: state=directory path=/var/www/{{ domain }} group=www-data owner=www-data
+  file: state=directory path=/var/www/{{ domain }} group=www-data owner={{ main_user_name }}
 
 - name: Rename existing Apache blog virtualhost
   command: mv /etc/apache2/sites-available/{{ domain }} /etc/apache2/sites-available/{{ domain }}.conf removes=/etc/apache2/sites-available/{{ domain }}
 
 - name: Remove old sites-enabled/{{ domain }} symlink (new one will be created by a2ensite)
-  command: rm /etc/apache2/sites-enabled/{{ domain }} removes=/etc/apache2/sites-enabled/{{ domain }}
+  file: path=/etc/apache2/sites-enabled/{{ domain }} state=absent
 
 - name: Configure the Apache HTTP server for the blog
   template: src=etc_apache2_sites-available_blog.j2 dest=/etc/apache2/sites-available/{{ domain }}.conf group=root owner=root

roles/blog/templates/etc_apache2_sites-available_blog.j2

@@ -10,14 +10,7 @@
     ServerName {{ domain }}
     ServerAlias www.{{ domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            "/var/www/{{ domain }}"
     DirectoryIndex          index.html

roles/common/tasks/encfs.yml

@@ -4,6 +4,8 @@
     - encfs
     - fuse
     - libfuse-dev
+  tags:
+    - dependencies
 
 - name: Create encrypted directory
   file: state=directory path=/encrypted

roles/common/tasks/google_auth.yml

@@ -7,14 +7,17 @@
     #- libpam-google-authenticator    wasn't available in wheezy
     - libpam0g-dev
     - libqrencode3
+  tags:
+    - dependencies
 
 - name: Download Google authenticator pam module
   get_url: url=https://google-authenticator.googlecode.com/files/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
            dest=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
 
 - name: Extract Google authenticator
-  command: tar xjf libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
-           chdir=/root creates=/root/libpam-google-authenticator-{{ google_auth_version }}
+  unarchive: src=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
+             creates=/root/libpam-google-authenticator-{{ google_auth_version }}
+             dest=/root copy=no
 
 - name: Install Google authenticator
   command: make install

roles/common/tasks/google_auth_mod.yml

@@ -8,6 +8,8 @@
     - libpam-google-authenticator
     - libpam0g-dev
     - libqrencode3
+  tags:
+    - dependencies
 
 - name: Update sshd config to enable challenge responses
   lineinfile: dest=/etc/ssh/sshd_config

roles/common/tasks/main.yml

@@ -3,12 +3,18 @@
 - name: Set up closest mirror autoselect (ubuntu-only)
   template: src=apt_sources.list.j2 dest=/etc/apt/sources.list
   when: ansible_distribution == 'Ubuntu'
+  tags:
+    - dependencies
 
 - name: Update apt cache
   apt: update_cache=yes
+  tags:
+    - dependencies
 
 - name: Upgrade all safe packages
   apt: upgrade=safe
+  tags:
+    - dependencies
 
 - name: Install necessities and nice-to-haves
   apt: pkg={{ item }} state=installed
@@ -32,6 +38,8 @@
     - molly-guard
     - vim
     - zsh
+  tags:
+    - dependencies
 
 - name: Set timezone to UTC
   action: shell echo Etc/UTC > /etc/timezone
@@ -43,10 +51,6 @@
   action: command dpkg-reconfigure -f noninteractive tzdata
   when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 
-- name: Install unattended upgrades (Debian/Ubuntu only)
-  apt: pkg=unattended-upgrades state=installed
-  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
-
 - name: Apticron email configuration
   template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
 

roles/common/tasks/ntp.yml

@@ -3,6 +3,8 @@
 
 - name: Install ntp
   apt: pkg=ntp state=installed
+  tags:
+    - dependencies
 
 - name: Configure ntp
   template: src=ntp.conf.j2 dest=/etc/ntp.conf

roles/common/tasks/security.yml

@@ -2,8 +2,11 @@
   apt: pkg={{ item }} state=installed
   with_items:
     - fail2ban
+    - whois
     - lynis
     - rkhunter
+  tags:
+    - dependencies
 
 - name: Copy fail2ban configuration into place
   template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local
@@ -19,7 +22,7 @@
 - name: Update sshd config for PFS and more secure defaults
   template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config
   notify: restart ssh
-  
+
 - name: Update ssh config for more secure defaults
   template: src=etc_ssh_ssh_config.j2 dest=/etc/ssh/ssh_config
 

roles/common/tasks/ssl.yml

@@ -19,3 +19,10 @@
 
 - name: Enable NameVirtualHost for HTTPS
   lineinfile: dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443' insertafter='^<IfModule mod_ssl.c>' line='    NameVirtualHost *:443'
+
+- name: Add common Apache SSL config
+  template:
+    src=etc_apache2_ssl.conf.j2
+    dest=/etc/apache2/ssl.conf
+    owner=root
+    group=root

roles/common/tasks/ufw.yml

@@ -4,6 +4,8 @@
 # ufw includes sensible icmp defaults
 - name: Install ufw
   apt: pkg=ufw state=present
+  tags:
+    - dependencies
 
 - name: Deny everything
   ufw: policy=deny

roles/common/templates/etc_apache2_ssl.conf.j2

@@ -0,0 +1,14 @@
+SSLEngine on
+SSLProtocol ALL -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+SSLCompression off
+{% if ansible_distribution_release != 'wheezy' %}
+    SSLUseStapling On
+    SSLStaplingResponderTimeout 5
+    SSLStaplingReturnResponderErrors off
+{% endif %}
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
+SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
+SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

roles/git/tasks/cgit.yml

@@ -5,6 +5,8 @@
     - groff
     - libssl-dev
     - python-pip
+  tags:
+    - dependencies
 
 - name: Install cgit pip dependencies
   pip: name={{ item }}
@@ -17,9 +19,9 @@
            dest=/root/cgit-{{ cgit_version }}.tar.xz
 
 - name: Decompress cgit source
-  command: tar xvfJ /root/cgit-{{ cgit_version }}.tar.xz
-           chdir=/root
-           creates=/root/cgit-{{ cgit_version }}/configure
+  unarchive: src=/root/cgit-{{ cgit_version }}.tar.xz
+             dest=/root copy=no
+             creates=/root/cgit-{{ cgit_version }}/configure
 
 - name: Build and install cgit
   shell: make get-git ; make ; make install
@@ -30,13 +32,13 @@
 - name: Copy cgitrc
   template: src=etc_cgitrc.j2 dest=/etc/cgitrc
             group=www-data
-            owner=www-data
+            owner=root
 
 - name: Rename existing Apache cgit virtualhost
   command: mv /etc/apache2/sites-available/cgit /etc/apache2/sites-available/cgit.conf removes=/etc/apache2/sites-available/cgit
 
 - name: Remove old sites-enabled/cgit symlink (new one will be created by a2ensite)
-  command: rm /etc/apache2/sites-enabled/cgit removes=/etc/apache2/sites-enabled/cgit
+  file: path=/etc/apache2/sites-enabled/cgit state=absent
 
 - name: Configure the Apache HTTP server for cgit
   template: src=etc_apache2_sites-available_cgit.j2

roles/git/tasks/gitolite_packaged.yml

@@ -9,6 +9,8 @@
 
 - name: Install gitolite3 package
   apt: pkg=gitolite3 state=installed
+  tags:
+    - dependencies
 
 - name: Copy .gitolite.rc file
   copy: src=home_git_.gitolite.rc

roles/git/templates/etc_apache2_sites-available_cgit.j2

@@ -7,15 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ cgit_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
-
+    Include /etc/apache2/ssl.conf
     DocumentRoot /var/www/htdocs/cgit/
 
     <Directory "/var/www/htdocs/cgit/">

roles/ircbouncer/tasks/znc.yml

@@ -15,12 +15,16 @@
     - pkg-config
     - python3-dev
     - swig
+  tags:
+    - dependencies
 
 - name: Download znc release
   get_url: url=http://znc.in/releases/archive/znc-{{ znc_version }}.tar.gz dest=/root/znc-{{ znc_version }}.tar.gz
 
 - name: Decompress znc source
-  command: tar xzf /root/znc-{{ znc_version }}.tar.gz chdir=/root creates=/root/znc-{{ znc_version }}/configure
+  unarchive: src=/root/znc-{{ znc_version }}.tar.gz
+             dest=/root copy=no
+             creates=/root/znc-{{ znc_version }}/configure
 
 - name: Build and install znc
   shell: ./configure --enable-python && make && make install executable=/bin/bash chdir=/root/znc-{{ znc_version }} creates=/usr/local/bin/znc

roles/mailserver/files/etc_default_opendmarc

@@ -0,0 +1,10 @@
+# Command-line options specified here will override the contents of
+# /etc/opendmarc.conf. See opendmarc(8) for a complete list of options.
+#DAEMON_OPTS=""
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+SOCKET="inet:54321" # listen on all interfaces on port 54321
+#SOCKET="local:/var/run/opendmarc/opendmarc.sock" # default
+#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
+#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345

roles/mailserver/files/etc_opendmarc_import.sql

@@ -0,0 +1,89 @@
+-- OpenDMARC database schema
+--
+-- Copyright (c) 2012, The Trusted Domain Project.
+--      All rights reserved.
+
+USE opendmarc;
+
+-- A table for mapping domain names and their DMARC policies to IDs
+CREATE TABLE IF NOT EXISTS domains (
+        id INT NOT NULL AUTO_INCREMENT,
+        name VARCHAR(255) NOT NULL,
+        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+        PRIMARY KEY(id),
+        UNIQUE KEY(name)
+);
+
+-- A table for logging reporting requests
+CREATE TABLE IF NOT EXISTS requests (
+        id INT NOT NULL AUTO_INCREMENT,
+        domain INT NOT NULL,
+        repuri VARCHAR(255) NOT NULL,
+        adkim TINYINT NOT NULL,
+        aspf TINYINT NOT NULL,
+        policy TINYINT NOT NULL,
+        spolicy TINYINT NOT NULL,
+        pct TINYINT NOT NULL,
+        locked TINYINT NOT NULL,
+        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        lastsent TIMESTAMP NOT NULL DEFAULT '0000-00-00 00:00:00',
+
+        PRIMARY KEY(id),
+        KEY(lastsent),
+        UNIQUE KEY(domain)
+);
+
+-- A table for reporting hosts
+CREATE TABLE IF NOT EXISTS reporters (
+        id INT NOT NULL AUTO_INCREMENT,
+        name VARCHAR(255) NOT NULL,
+        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+        PRIMARY KEY(id),
+        UNIQUE KEY(name)
+);
+
+-- A table for IP addresses
+CREATE TABLE IF NOT EXISTS ipaddr (
+	id INT NOT NULL AUTO_INCREMENT,
+	addr VARCHAR(64) NOT NULL,
+	firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+	PRIMARY KEY(id),
+	UNIQUE KEY(addr)
+);
+
+-- A table for messages
+CREATE TABLE IF NOT EXISTS messages (
+        id INT NOT NULL AUTO_INCREMENT,
+        date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        jobid VARCHAR(128) NOT NULL,
+        reporter INT UNSIGNED NOT NULL,
+        policy TINYINT UNSIGNED NOT NULL,
+        disp TINYINT UNSIGNED NOT NULL,
+        ip INT UNSIGNED NOT NULL,
+        env_domain INT UNSIGNED NOT NULL,
+        from_domain INT UNSIGNED NOT NULL,
+        policy_domain INT UNSIGNED NOT NULL,
+        spf TINYINT UNSIGNED NOT NULL,
+        align_dkim TINYINT UNSIGNED NOT NULL,
+        align_spf TINYINT UNSIGNED NOT NULL,
+        sigcount TINYINT UNSIGNED NOT NULL,
+
+        PRIMARY KEY(id),
+        KEY(date),
+        UNIQUE KEY(reporter, date, jobid)
+);
+
+-- A table for signatures
+CREATE TABLE IF NOT EXISTS signatures (
+        id INT NOT NULL AUTO_INCREMENT,
+        message INT NOT NULL,
+        domain INT NOT NULL,
+        pass TINYINT NOT NULL,
+        error TINYINT NOT NULL,
+
+        PRIMARY KEY(id),
+        KEY(message)
+);

roles/mailserver/files/etc_postfix_master.cf

@@ -117,4 +117,4 @@ mailman   unix  -       n       n       -       -       pipe
 dspam     unix  -       n       n       -       10      pipe
   flags=Ru user=dspam argv=/usr/bin/dspam --deliver=innocent,spam --user ${user}@${domain} -i -f $sender -- $recipient
 dovecot   unix  -       n       n       -       -       pipe
-  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop}
+  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/lmtp -f ${sender} -d ${user}@${nexthop}

roles/mailserver/handlers/main.yml

@@ -13,3 +13,6 @@
 - name: import sql postfix
   action: shell PGPASSWORD='{{ mail_db_password }}' psql -h localhost -d {{ mail_db_database }} -U {{ mail_db_username }} -f /etc/postfix/import.sql --set ON_ERROR_STOP=1
   notify: restart postfix
+
+- name: restart opendmarc
+  service: name=opendmarc state=restarted

roles/mailserver/tasks/autoconfig.yml

@@ -5,13 +5,13 @@
 #
 
 - name: Create directory for mail autoconfiguration virtualhost
-  file: state=directory path=/var/www/autoconfig group=www-data owner=www-data
+  file: state=directory path=/var/www/autoconfig group=www-data owner=root
 
 - name: Create directory holding the autoconfig XML file
-  file: state=directory path=/var/www/autoconfig/mail group=www-data owner=www-data
+  file: state=directory path=/var/www/autoconfig/mail group=www-data owner=root
 
 - name: Create the autoconfig XML file
-  template: src=var_www_autoconfig_mail_config-v1.1.j2 dest=/var/www/autoconfig/mail/config-v1.1.xml group=www-data owner=www-data
+  template: src=var_www_autoconfig_mail_config-v1.1.j2 dest=/var/www/autoconfig/mail/config-v1.1.xml group=www-data owner=root
 
 - name: Configure the mail autoconfiguration virtualhost
   template: src=etc_apache2_sites-available_autoconfig.j2 dest=/etc/apache2/sites-available/autoconfig.conf group=root owner=root

roles/mailserver/tasks/dmarc.yml

@@ -0,0 +1,45 @@
+- name: Install OpenDMARC milter and related packages
+  apt: pkg={{ item }} state=installed update_cache=yes
+  with_items:
+      - mysql-server
+      - python-mysqldb
+      - opendmarc
+
+- name: Copy OpenDMARC configuration file into place
+  template: src=etc_opendmarc.conf.j2 dest=/etc/opendmarc.conf owner=root group=root
+  notify: restart opendmarc
+
+- name: Create OpenDMARC configuration directory
+  file: state=directory path=/etc/opendmarc
+
+- name: Copy OpenDMARC ignore hosts file into place
+  template: src=etc_opendmarc_ignore.hosts.j2 dest=/etc/opendmarc/ignore.hosts owner=root group=root
+
+- name: Copy OpenDMARC defaults file into place
+  copy: src=etc_default_opendmarc dest=/etc/default/opendmarc owner=root group=root
+  notify:
+    - restart opendmarc
+    - restart postfix
+
+- name: Copy OpenDMARC database schema file into place
+  copy: src=etc_opendmarc_import.sql dest=/etc/opendmarc/import.sql owner=root group=root
+
+- name: Create database user for OpenDMARC reports
+  mysql_user: user={{ mail_db_opendmarc_username }} password={{ mail_db_opendmarc_password }} state=present priv="opendmarc.*:ALL"
+
+- name: Create database for OpenDMARC reports
+  mysql_db: name={{ mail_db_opendmarc_database }} state=present
+
+- name: Import database schema for OpenDMARC reports
+  mysql_db: name={{ mail_db_opendmarc_database }} state=import target=/etc/opendmarc/import.sql
+  tags: import_mysql_postfix
+
+- name: Copy nightly OpenDMARC report generation script into place
+  template: src=etc_opendmarc_report.sh.j2 dest=/etc/opendmarc/report.sh owner=root group=root mode="755"
+
+- name: Touch initial report dat file with correct permissions
+  file: path=/var/run/opendmarc/opendmarc.dat state=touch owner=opendmarc group=opendmarc
+
+- name: Activate OpenDMARC report cronjob
+  cron: name="OpenDMARC report" hour="2" minute="0" job="/bin/bash /etc/opendmarc/report.sh >> /var/log/opendmarc_report.log"
+

roles/mailserver/tasks/dovecot.yml

@@ -1,9 +1,11 @@
 - name: Add wheezy-backports to get a reasonably current Dovecot on Debian 7
   apt_repository: repo='deb http://http.debian.net/debian wheezy-backports main'
   when: ansible_distribution_release == 'wheezy'
+  tags:
+    - dependencies
 
 - name: Install Dovecot and related packages on Debian 7
-  apt: pkg={{ item }} update_cache=yes state=installed default_release=wheezy-backports
+  apt: pkg={{ item }} update_cache=yes state=latest default_release=wheezy-backports
   with_items:
     - dovecot-core
     - dovecot-imapd
@@ -12,6 +14,8 @@
     - dovecot-pgsql
     - dovecot-pop3d
   when: ansible_distribution_release == 'wheezy'
+  tags:
+    - dependencies
 
 - name: Install Dovecot and related packages on distributions other than Debian 7
   apt: pkg={{ item }} update_cache=yes state=installed
@@ -23,18 +27,26 @@
     - dovecot-pgsql
     - dovecot-pop3d
   when: ansible_distribution_release != 'wheezy'
+  tags:
+    - dependencies
 
-- name: Install Dovecot Postgres dependency for distributions other than Ubuntu Trusty
-  apt: pkg={{ item }} state=installed
-  with_items:
-    - postgresql-9.1
-  when: ansible_distribution_release != 'trusty'
+- name: Install Postgres 9.1 for Dovecot on older distributions
+  apt: pkg=postgresql-9.1 state=present
+  when: ansible_distribution_release != 'trusty' and ansible_distribution_release != 'jessie'
+  tags:
+    - dependencies
 
-- name: Install Dovecot Postgres dependency for Ubuntu trusty
-  apt: pkg={{ item }} state=installed
-  with_items:
-    - postgresql-9.3
+- name: Install Postgres 9.3 for Dovecot on Ubuntu Trusty
+  apt: pkg=postgresql-9.3 state=present
   when: ansible_distribution_release == 'trusty'
+  tags:
+    - dependencies
+
+- name: Install Postgres 9.4 for Dovecot on Debian Jessie
+  apt: pkg=postgresql-9.4 state=present
+  when: ansible_distribution_release == 'jessie'
+  tags:
+    - dependencies
 
 - name: Create vmail group
   group: name=vmail state=present gid=5000

roles/mailserver/tasks/dspam.yml

@@ -1,10 +1,24 @@
-- name: Install dspam and related packages
+- name: Install dspam and related packages on wheezy
+  apt: pkg={{ item }} state=installed default_release=wheezy-backports
+  with_items:
+    - dovecot-antispam
+    - dovecot-sieve
+    - dspam
+    - postfix-pcre
+  when: ansible_distribution_release == 'wheezy'
+  tags:
+    - dependencies
+
+- name: Install dspam and related packages on distributions other than wheezy
   apt: pkg={{ item }} state=installed
   with_items:
     - dovecot-antispam
     - dovecot-sieve
     - dspam
     - postfix-pcre
+  when: ansible_distribution_release != 'wheezy'
+  tags:
+    - dependencies
 
 - name: Create dspam directory
   file: state=directory path=/decrypted/dspam group=dspam owner=dspam

roles/mailserver/tasks/main.yml

@@ -1,8 +1,10 @@
 - include: postfix.yml tags=postfix
 - include: dovecot.yml tags=dovecot
 - include: opendkim.yml tags=opendkim
+- include: dmarc.yml tags=dmarc
 - include: dspam.yml tags=dspam
 - include: solr.yml tags=solr
 - include: checkrbl.yml tags=checkrbl
 - include: z-push.yml tags=zpush
 - include: autoconfig.yml tags=autoconfig
+

roles/mailserver/tasks/opendkim.yml

@@ -6,6 +6,8 @@
   with_items:
     - opendkim
     - opendkim-tools
+  tags:
+    - dependencies
 
 - name: Create OpenDKIM config directory
   file: state=directory path=/etc/opendkim group=opendkim owner=opendkim

roles/mailserver/tasks/postfix.yml

@@ -1,28 +1,33 @@
-- name: Install Postfix 9.1 and related packages for distributions other than Ubuntu Trusty
-  apt: pkg={{ item }} state=installed
-  with_items:
-    - libsasl2-modules
-    - postfix
-    - postfix-pcre
-    - postfix-pgsql
-    - postgresql-9.1
-    - postgrey
-    - python-psycopg2
-    - sasl2-bin
-  when: ansible_distribution_release != 'trusty'
+- name: Install Postgres 9.1 on older distributions
+  apt: pkg=postgresql-9.1 state=present
+  when: ansible_distribution_release != 'trusty' and ansible_distribution_release != 'jessie'
+  tags:
+    - dependencies
+
+- name: Install Postgres 9.3 on Ubuntu Trusty
+  apt: pkg=postgresql-9.3 state=present
+  when: ansible_distribution_release == 'trusty'
+  tags:
+    - dependencies
+
+- name: Install Postgres 9.4 on Debian Jessie
+  apt: pkg=postgresql-9.4 state=present
+  when: ansible_distribution_release == 'jessie'
+  tags:
+    - dependencies
 
-- name: Install Postfix 9.3 and related packages for Ubuntu Trusty
+- name: Install Postfix and related packages
   apt: pkg={{ item }} state=installed
   with_items:
     - libsasl2-modules
     - postfix
     - postfix-pcre
     - postfix-pgsql
-    - postgresql-9.3
     - postgrey
     - python-psycopg2
     - sasl2-bin
-  when: ansible_distribution_release == 'trusty'
+  tags:
+    - dependencies
 
 - name: Set postgres password
   command: sudo -u {{ db_admin_username }} psql -d {{ db_admin_username }} -c "ALTER USER postgres with  password '{{ db_admin_password }}';"

roles/mailserver/tasks/solr.yml

@@ -1,8 +1,20 @@
-- name: Install Solr and related packages
+- name: Install Solr and related packages on wheezy from backports
+  apt: pkg={{ item }} state=installed default_release=wheezy-backports
+  with_items:
+    - dovecot-solr
+    - solr-tomcat
+  when: ansible_distribution_release == 'wheezy'
+  tags:
+    - dependencies
+
+- name: Install Solr and related packages on distributions other than wheezy
   apt: pkg={{ item }} state=installed
   with_items:
     - dovecot-solr
     - solr-tomcat
+  when: ansible_distribution_release != 'wheezy'
+  tags:
+    - dependencies
 
 - name: Work around Debian bug and copy Solr schema file into place
   copy: src=solr-schema.xml dest=/etc/solr/conf/schema.xml group=root owner=root

roles/mailserver/tasks/z-push.yml

@@ -5,6 +5,8 @@
     - php5
     - php5-cli
     - php5-imap
+  tags:
+    - dependencies
 
 - name: Download z-push release
   get_url:
@@ -12,16 +14,22 @@
     dest=/root/z-push-{{ zpush_version }}.tar.gz
 
 - name: Decompress z-push source
-  command: tar xzf z-push-{{ zpush_version }}.tar.gz chdir=/root creates=/root/z-push-{{ zpush_version }}
+  unarchive: src=/root/z-push-{{ zpush_version }}.tar.gz
+             dest=/root copy=no
+             creates=/root/z-push-{{ zpush_version }}
 
 - name: Create /usr/share/z-push
   file: state=directory path=/usr/share/z-push
 
 - name: Copy z-push source files to /usr/share/z-push
   shell: cp -R z-push-{{ zpush_version }}/* /usr/share/z-push/ chdir=/root
+  tags:
+    - skip_ansible_lint
 
 - name: Remove downloaded, temporary z-push source files
   shell: rm -rf z-push* chdir=/root
+  tags:
+    - skip_ansible_lint
 
 - name: Ensure z-push state and log directories are in place
   file: state=directory path={{ item }} owner=www-data group=www-data mode=755

roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2

@@ -18,14 +18,7 @@
 <VirtualHost *:443>
     ServerName {{ mail_server_autoconfig_hostname }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            "/var/www/autoconfig"
     Options                 -Indexes

roles/mailserver/templates/etc_opendkim_TrustedHosts.j2

@@ -4,5 +4,5 @@
 {{ domain.name }}
 {% endfor %}
 {% for domain in mail_virtual_domains %}
-mail.{{ domain.name }}
-{% endfor %}
+{{ mail_server_hostname }}
+{% endfor %}

roles/mailserver/templates/etc_opendmarc.conf.j2

@@ -0,0 +1,85 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
+
+##  AuthservID (string)
+##      defaults to MTA name
+#
+AuthservID {{ mail_server_hostname }}
+
+##  ForensicReports { true | false }
+##      default "false"
+##
+# ForensicReports false
+
+PidFile /var/run/opendmarc.pid
+
+##  RejectFailures { true | false }
+##      default "false"
+##
+RejectFailures false
+
+##  Syslog { true | false }
+##      default "false"
+##
+##  Log via calls to syslog(3) any interesting activity.
+#
+Syslog true
+
+##  SyslogFacility facility-name
+##      default "mail"
+##
+##  Log via calls to syslog(3) using the named facility.  The facility names
+##  are the same as the ones allowed in syslog.conf(5).
+#
+# SyslogFacility mail
+
+##  TrustedAuthservIDs string
+##      default HOSTNAME
+##
+##  Specifies one or more "authserv-id" values to trust as relaying true
+##  upstream DKIM and SPF results.  The default is to use the name of
+##  the MTA processing the message.  To specify a list, separate each entry
+##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
+##  the host running the filter as reported by the gethostname(3) function.
+#
+TrustedAuthservIDs {{ mail_server_hostname }}
+
+
+##  UMask mask
+##      default (none)
+##
+##  Requests a specific permissions mask to be used for file creation.  This
+##  only really applies to creation of the socket when Socket specifies a
+##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
+##  files are normally created by the mkstemp(3) function that enforces a
+##  specific file mode on creation regardless of the process umask.  See
+##  umask(2) for more information.
+#
+UMask 0002
+
+##  UserID user[:group]
+##      default (none)
+##
+##  Attempts to become the specified userid before starting operations.
+##  The process will be assigned all of the groups and primary group ID of
+##  the named userid unless an alternate group is specified.
+#
+UserID opendmarc:opendmarc
+
+## The path to the Ignored Hosts list. This file should contain a list of
+## networks and hosts that you trust. Their mail will not be checked by
+## OpenDMARC.
+#
+IgnoreHosts /etc/opendmarc/ignore.hosts
+
+## The path under which the History file should be created.
+## This file is necessary if you want to be able to create aggregate
+## reports to send out to other organizations
+#
+HistoryFile /var/run/opendmarc/opendmarc.dat
+
+## Adds a “Dmarc-Filter” header with the opendmarc version in every processed mail.
+## This is good to have during testing.
+#
+SoftwareHeader true

roles/mailserver/templates/etc_opendmarc_ignore.hosts.j2

@@ -0,0 +1,4 @@
+localhost
+10.0.0.0/24
+{{ ansible_default_ipv4.address }}
+{{ "/n".join(friendly_networks) }}

roles/mailserver/templates/etc_opendmarc_report.sh.j2

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+DB_SERVER='localhost'
+DB_USER='{{ mail_db_opendmarc_username }}'
+DB_PASS='{{ mail_db_opendmarc_password }}'
+DB_NAME='{{ mail_db_opendmarc_database }}'
+WORK_DIR='/var/run/opendmarc'
+REPORT_EMAIL='{{ admin_email }}'
+
+mv ${WORK_DIR}/opendmarc.dat ${WORK_DIR}/opendmarc_import.dat -f
+touch ${WORK_DIR}/opendmarc.dat
+chown opendmarc:opendmarc ${WORK_DIR}/opendmarc.dat
+
+/usr/sbin/opendmarc-import --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose < ${WORK_DIR}/opendmarc_import.dat
+
+{% for domain in mail_virtual_domains %}
+/usr/sbin/opendmarc-reports --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose --interval=86400 --report-email $REPORT_EMAIL --report-org '{{ domain.name }}'
+{% endfor %}
+
+/usr/sbin/opendmarc-expire --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose

roles/mailserver/templates/etc_postfix_main.cf.j2

@@ -91,15 +91,17 @@ recipient_delimiter = +
 inet_interfaces = all
 
 # dovecot db
-virtual_transport = dovecot
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+mailbox_transport = lmtp:unix:private/dovecot-lmtp
+
 dovecot_destination_recipient_limit = 1
 virtual_mailbox_domains = pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
 virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
 virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
 local_recipient_maps = $virtual_mailbox_maps
 
-# OpenDKIM
-smtpd_milters = inet:127.0.0.1:8891
+# OpenDKIM and OpenDMARC
+smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321
 non_smtpd_milters = $smtpd_milters
 milter_default_action = accept
 

roles/monitoring/tasks/collectd.yml

@@ -1,17 +1,37 @@
-- name: Install collectd dependencies
+- name: Add wheezy-backports to be compatible with Dovecot packages on Debian 7
+  apt_repository: repo='deb http://http.debian.net/debian wheezy-backports main'
+  when: ansible_distribution_release == 'wheezy'
+  tags:
+    - dependencies
+
+- name: Install collectd dependencies on wheezy from backports
+  apt: pkg={{ item }} state=installed default_release=wheezy-backports
+  with_items:
+    - libcurl4-openssl-dev
+    - librrd2-dev
+    - python-dev
+  when: ansible_distribution_release == 'wheezy'
+  tags:
+    - dependencies
+
+- name: Install collectd dependencies on distributions other than wheezy
   apt: pkg={{ item }} state=installed
   with_items:
     - libcurl4-openssl-dev
     - librrd2-dev
     - python-dev
+  when: ansible_distribution_release != 'wheezy'
+  tags:
+    - dependencies
 
 - name: Download collectd
   get_url: url=http://collectd.org/files/collectd-{{collectd_version}}.tar.gz
            dest=/root/collectd-{{collectd_version}}.tar.gz
 
 - name: Extract collectd
-  command: tar xzf collectd-{{collectd_version}}.tar.gz
-           chdir=/root creates=/root/collectd-{{collectd_version}}
+  unarchive: src=/root/collectd-{{collectd_version}}.tar.gz
+             dest=/root copy=no
+             creates=/root/collectd-{{collectd_version}}
 
 - name: Build and install collectd
   shell: ./configure ; make all ; make install
@@ -28,8 +48,9 @@
   when: collectd_librato_email|length > 0
 
 - name: Extract collectd-librato plugin
-  command: tar xzf collectd-librato-{{collectd_librato_version}}.tar.gz
-           chdir=/root creates=/root/collectd-librato-{{collectd_librato_version}}
+  unarchive: src=/root/collectd-librato-{{collectd_librato_version}}.tar.gz
+             dest=/root copy=no
+             creates=/root/collectd-librato-{{collectd_librato_version}}
   when: collectd_librato_email|length > 0
 
 - name: Install collectd-librato plugin

roles/monitoring/tasks/logwatch.yml

@@ -3,6 +3,8 @@
   with_items:
     - libdate-manip-perl
     - logwatch
+  tags:
+    - dependencies
 
 - name: Configure logwatch
   template: src=etc_logwatch_conf_logwatch.conf.j2 dest=/etc/logwatch/conf/logwatch.conf

roles/monitoring/tasks/monit.yml

@@ -7,6 +7,8 @@
 
 - name: Install monit
   apt: pkg=monit state=installed
+  tags:
+    - dependencies
 
 - name: Copy monit master config file into place
   copy: src=etc_monit_monitrc dest=/etc/monit/monitrc

roles/newebe/tasks/newebe.yml

@@ -15,6 +15,8 @@
     - python-setuptools
     - python-lxml
     - supervisor
+  tags:
+    - dependencies
 
 - name: Install Newebe
   pip: name='git+https://github.com/gelnior/newebe.git#egg=newebe'

roles/newebe/templates/etc_apache2_sites-available_newebe.j2

@@ -7,15 +7,8 @@
 <VirtualHost *:443>
 
     ServerName {{ newebe_domain }}
-    SSLEngine On
-
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-    SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+
+    Include /etc/apache2/ssl.conf
 
     ErrorLog /var/log/apache2/newebe.info-error_log
     CustomLog /var/log/apache2/newebe.info-access_log common

roles/news/tasks/selfoss.yml

@@ -2,9 +2,21 @@
   git: repo=https://github.com/SSilence/selfoss.git
        dest=/var/www/selfoss
        accept_hostkey=yes
+       version=master
 
-- name: Set selfoss permissions
-  action: file owner=www-data group=www-data path=/var/www/selfoss recurse=yes state=directory
+- name: Set selfoss ownership
+  action: file owner=root group=www-data path=/var/www/selfoss recurse=yes state=directory
+
+# only data/cache, data/favicons, data/logs, data/thumbnails, data/sqlite public/ should be writeable by httpd
+- name: Set selfoss permission
+  action: file path=/var/www/selfoss/{{ item }} mode=0775
+  with_items:
+    - data/cache
+    - data/favicons
+    - data/logs
+    - data/thumbnails
+    - data/sqlite
+    - public
 
 - name: Install selfoss dependencies
   apt: pkg={{ item }} state=present
@@ -12,6 +24,8 @@
     - php5
     - php5-pgsql
     - php5-gd
+  tags:
+    - dependencies
 
 - name: Create database user for selfoss
   postgresql_user: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ selfoss_db_username }} password="{{ selfoss_db_password }}" state=present
@@ -20,7 +34,7 @@
   postgresql_db: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ selfoss_db_database }} state=present owner={{ selfoss_db_username }}
 
 - name: Install selfoss config.ini
-  template: src=var_www_selfoss_config.ini.j2 dest=/var/www/selfoss/config.ini group=www-data owner=www-data
+  template: src=var_www_selfoss_config.ini.j2 dest=/var/www/selfoss/config.ini group=www-data owner=root
 
 - name: Enable Apache rewrite module
   command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load
@@ -38,7 +52,7 @@
   command: mv /etc/apache2/sites-available/selfoss /etc/apache2/sites-available/selfoss.conf removes=/etc/apache2/sites-available/selfoss
 
 - name: Remove old sites-enabled/selfoss symlink (new one will be created by a2ensite)
-  command: rm /etc/apache2/sites-enabled/selfoss removes=/etc/apache2/sites-enabled/selfoss
+  file: path=/etc/apache2/sites-enabled/selfoss state=absent
 
 - name: Configure the Apache HTTP server for selfoss
   template: src=etc_apache2_sites-available_selfoss.j2 dest=/etc/apache2/sites-available/selfoss.conf group=root owner=root

roles/news/templates/etc_apache2_sites-available_selfoss.j2

@@ -7,14 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ selfoss_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/selfoss
     Options                 -Indexes

roles/owncloud/tasks/owncloud.yml

@@ -5,10 +5,14 @@
 - name: Install Postgres 9.1 on distributions other than Ubuntu Trusty
   apt: pkg=postgresql-9.1 state=present
   when: ansible_distribution_release != 'trusty'
+  tags:
+    - dependencies
 
 - name: Install Postgres 9.3 on Ubuntu Trusty
   apt: pkg=postgresql-9.3 state=present
   when: ansible_distribution_release == 'trusty'
+  tags:
+    - dependencies
 
 - name: Install ownCloud dependencies
   apt: pkg={{ item }} state=present
@@ -16,6 +20,8 @@
     - libapache2-mod-php5
     - php-apc
     - python-psycopg2
+  tags:
+    - dependencies
 
 - name: Set postgres password
   command: sudo -u {{ db_admin_username }} psql -d {{ db_admin_username }} -c "ALTER USER postgres with  password '{{ db_admin_password }}';"
@@ -29,29 +35,43 @@
 - name: Ensure repository key for ownCloud is in place for Debian 7
   apt_key: url=http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/Release.key state=present
   when: ansible_distribution_release == 'wheezy'
+  tags:
+    - dependencies
 
 - name: Add ownCloud OpenSuSE repository for Debian 7
   apt_repository: repo='deb http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/ /'
   when: ansible_distribution_release == 'wheezy'
+  tags:
+    - dependencies
 
 - name: Ensure repository key for ownCloud is in place for Ubuntu 14.04
   apt_key: url=http://download.opensuse.org/repositories/isv:ownCloud:community/xUbuntu_14.04/Release.key state=present
   when: ansible_distribution_release == 'trusty'
+  tags:
+    - dependencies
 
 - name: Add ownCloud OpenSuSE repository for Ubuntu 14.04
   apt_repository: repo='deb http://download.opensuse.org/repositories/isv:ownCloud:community/xUbuntu_14.04/ /'
   when: ansible_distribution_release == 'trusty'
+  tags:
+    - dependencies
 
 - name: Ensure repository key for ownCloud is in place for Ubuntu 12.04
   apt_key: url=http://download.opensuse.org/repositories/isv:ownCloud:community/xUbuntu_12.04/Release.key state=present
   when: ansible_distribution_release == 'precise'
+  tags:
+    - dependencies
 
 - name: Add ownCloud OpenSuSE repository for Ubuntu 12.04
   apt_repository: repo='deb http://download.opensuse.org/repositories/isv:ownCloud:community/xUbuntu_12.04/ /'
   when: ansible_distribution_release == 'precise'
+  tags:
+    - dependencies
 
 - name: Install ownCloud (possibly from OpenSuSE repository)
   apt: pkg=owncloud update_cache=yes
+  tags:
+    - dependencies
 
 - name: Owncloud www directory
   file: state=directory path=/var/www/owncloud
@@ -76,7 +96,7 @@
   command: mv /etc/apache2/sites-available/owncloud /etc/apache2/sites-available/owncloud.conf removes=/etc/apache2/sites-available/owncloud
 
 - name: Remove old sites-enabled/owncloud symlink (new one will be created by a2ensite)
-  command: rm /etc/apache2/sites-enabled/owncloud removes=/etc/apache2/sites-enabled/owncloud
+  file: path=/etc/apache2/sites-enabled/owncloud state=absent
 
 - name: Configure the Apache HTTP server for ownCloud
   template: src=etc_apache2_sites-available_owncloud.j2 dest=/etc/apache2/sites-available/owncloud.conf group=root owner=root

roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2

@@ -7,14 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ owncloud_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/owncloud
     Options                 -Indexes

roles/readlater/tasks/wallabag.yml

@@ -20,6 +20,8 @@
     - php5-mcrypt
     - php5-pgsql
     - php5-tidy
+  tags:
+    - dependencies
 
 - name: Create database user for wallabag
   postgresql_user: login_host=localhost
@@ -38,34 +40,48 @@
                  owner={{ wallabag_db_username }}
   notify: import wallabag sql
 
-- name: Build Composer
-  shell: curl -sS https://getcomposer.org/installer | php
-         chdir=/root
-         creates=/root/composer.phar
+- name: Get Composer installer
+  get_url: url=https://getcomposer.org/installer
+           dest=/tmp/composer-installer
+
+- name: Install Composer
+  command: php /tmp/composer-installer
+           chdir=/root
+           creates=/root/composer.phar
 
 - name: Initialize composer
   command: php /root/composer.phar install
            chdir=/var/www/wallabag
            creates=/var/www/wallabag/vendor/autoload.php
 
-- name: Set wallabag permissions
-  file: owner=www-data
+- name: Set wallabag ownership
+  file: owner=root
         group=www-data
         path=/var/www/wallabag
         recurse=yes
         state=directory
 
+# the httpd only needs write access to the wallabag assets, cache and db directories
+- name: Set wallabag assets, cache and db permissions
+  file: path=/var/www/wallabag/{{ item }}
+        mode=0775
+        state=directory
+  with_items:
+    - assets
+    - cache
+    - db
+
 - name: Create the configuration file
   template: src=var_www_wallabag_inc_poche_config.inc.php.j2
             dest=/var/www/wallabag/inc/poche/config.inc.php
-            owner=www-data
+            owner=root
             group=www-data
 
 - name: Rename existing Apache wallabag virtualhost
   command: mv /etc/apache2/sites-available/wallabag /etc/apache2/sites-available/wallabag.conf removes=/etc/apache2/sites-available/wallabag
 
 - name: Remove old sites-enabled/wallabag symlink (new one will be created by a2ensite)
-  command: rm /etc/apache2/sites-enabled/wallabag removes=/etc/apache2/sites-enabled/wallabag
+  file: path=/etc/apache2/sites-enabled/wallabag state=absent
 
 - name: Configure the Apache HTTP server for wallabag
   template: src=etc_apache2_sites-available_wallabag.j2

roles/readlater/templates/etc_apache2_sites-available_wallabag.j2

@@ -7,14 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ wallabag_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/wallabag
     Options                 -Indexes

roles/tarsnap/tasks/tarsnap.yml

@@ -1,66 +1,72 @@
 - name: Check if tarsnap {{ tarsnap_version }} is installed
   shell: tarsnap --version | grep {{ tarsnap_version }} --color=never
-  register: tarnsap_installed
-  changed_when: "tarnsap_installed.stderr != ''"
+  register: tarsnap_installed
+  changed_when: "tarsnap_installed.stderr != ''"
   ignore_errors: yes
+  tags:
+    - dependencies
 
 - name: Install dependencies for Tarsnap
-  when: tarnsap_installed|failed
+  when: tarsnap_installed|failed
   apt: pkg={{ item }} state=installed
   with_items:
     - e2fslibs-dev
     - libssl-dev
     - zlib1g-dev
+  tags:
+    - dependencies
 
 - name: Download the current tarsnap code signing key
-  when: tarnsap_installed|failed
+  when: tarsnap_installed|failed
   get_url:
     url=https://www.tarsnap.com/tarsnap-signing-key.asc
     dest=/root/tarsnap-signing-key.asc
 
 - name: Add the tarsnap code signing key to your list of keys
-  when: tarnsap_installed|failed
+  when: tarsnap_installed|failed
   command:
     gpg --import tarsnap-signing-key.asc
     chdir=/root/
 
 - name: Download tarsnap SHA file
-  when: tarnsap_installed|failed
+  when: tarsnap_installed|failed
   get_url:
     url="https://www.tarsnap.com/download/tarsnap-sigs-{{ tarsnap_version }}.asc"
     dest="/root/tarsnap-sigs-{{ tarsnap_version }}.asc"
 
 - name: Make the command that gets the current sha
-  when: tarnsap_installed|failed
+  when: tarsnap_installed|failed
   template:
     src=getSha.sh
     dest=/root/getSha.sh
     mode=0755
 
 - name: get the SHA256sum for this tarsnap release
-  when: tarnsap_installed|failed
+  when: tarsnap_installed|failed
   command:
     ./getSha.sh
     chdir=/root
   register: tarsnap_sha
 
 - name: Download Tarsnap source
-  when: tarnsap_installed|failed
+  when: tarsnap_installed|failed
   get_url:
     url="https://www.tarsnap.com/download/tarsnap-autoconf-{{ tarsnap_version }}.tgz"
     dest="/root/tarsnap-autoconf-{{ tarsnap_version }}.tgz"
     sha256sum={{ tarsnap_sha.stdout_lines[0] }}
 
 - name: Decompress Tarsnap source
-  when: tarnsap_installed|failed
-  command: tar xzf /root/tarsnap-autoconf-{{ tarsnap_version }}.tgz chdir=/root creates=/root/tarsnap-autoconf-{{ tarsnap_version }}/COPYING
+  when: tarsnap_installed|failed
+  unarchive: src=/root/tarsnap-autoconf-{{ tarsnap_version }}.tgz
+             dest=/root copy=no
+             creates=/root/tarsnap-autoconf-{{ tarsnap_version }}/COPYING
 
 - name: Configure Tarsnap for local build
-  when: tarnsap_installed|failed
+  when: tarsnap_installed|failed
   command: ./configure chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/root/tarsnap-autoconf-{{ tarsnap_version }}/Makefile
 
 - name: Build and install Tarsnap
-  when: tarnsap_installed|failed
+  when: tarsnap_installed|failed
   command: make all install clean chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/usr/local/bin/tarsnap
 
 - name: Copy Tarsnap key file into place

roles/vpn/tasks/openvpn.yml

@@ -8,6 +8,8 @@
     - dnsmasq
     - openvpn
     - udev
+  tags:
+    - dependencies
 
 - name: Generate RSA keys for the CA and Server
   command: openssl genrsa -out {{ item }}.key {{ openvpn_key_size }}
@@ -152,6 +154,8 @@
 
 - name: Copy the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
   command: cp {{ openvpn_path }}/{{ item[1] }} {{ openvpn_path }}/{{ item[0] }}
+  tags:
+    - skip_ansible_lint
   with_nested:
     - openvpn_clients
     - ["ca.crt", "ta.key"]

roles/webmail/tasks/roundcube.yml

@@ -1,9 +1,13 @@
 - name: Add backports for Roundcube on Debian
   lineinfile: dest=/etc/apt/sources.list line="deb http://http.debian.net/debian wheezy-backports main"
   when: ansible_distribution_release == 'wheezy'
-  
+  tags:
+    - dependencies
+
 - name: Update apt cache for backports
   apt: update_cache=yes
+  tags:
+    - dependencies
 
 - name: Install Roundcube from wheezy-backports
   apt: pkg={{ item }} state=latest default_release=wheezy-backports
@@ -12,6 +16,8 @@
   - roundcube-pgsql
   - roundcube-plugins
   when: ansible_distribution_release == 'wheezy'
+  tags:
+    - dependencies
 
 - name: Install Roundcube on Ubuntu 14.04 LTS
   apt: pkg={{ item }} state=latest
@@ -20,6 +26,8 @@
   - roundcube-pgsql
   - roundcube-plugins
   when: ansible_distribution_release == 'trusty'
+  tags:
+    - dependencies
 
 - name: Configure Roundcube database
   template: src={{ item.src }} dest={{ item.dest }} group={{ item.group }} mode={{ item.mode }} owner=root force=yes
@@ -34,7 +42,9 @@
     dest=/root/carddav_{{ carddav_version }}.tar.gz
 
 - name: Decompress carddav plugin source
-  command: tar xzf carddav_{{ carddav_version }}.tar.gz chdir=/root creates=/root/rcmcarddav-carddav_{{ carddav_version }}
+  unarchive: src=/root/carddav_{{ carddav_version }}.tar.gz
+             dest=/root copy=no
+             creates=/root/rcmcarddav-carddav_{{ carddav_version }}
 
 - name: Move carddav plugin files to /usr/share/roundcube/plugins/carddav
   command: mv rcmcarddav-carddav_{{ carddav_version }} /usr/share/roundcube/plugins/carddav chdir=/root creates=/usr/share/roundcube/plugins/carddav
@@ -43,6 +53,7 @@
   git: repo=https://github.com/alexandregz/twofactor_gauthenticator.git
        dest=/usr/share/roundcube/plugins/twofactor_gauthenticator
        accept_hostkey=yes
+       version=master
 
 - name: Link plugins into /var/lib/roundcube/plugins
   file: state=link src=/usr/share/roundcube/plugins/{{ item }} dest=/var/lib/roundcube/plugins/{{ item }} force=yes
@@ -54,7 +65,7 @@
   command: mv /etc/apache2/sites-available/roundcube /etc/apache2/sites-available/roundcube.conf removes=/etc/apache2/sites-available/roundcube
 
 - name: Remove old sites-enabled/roundcube symlink (new one will be created by a2ensite)
-  command: rm /etc/apache2/sites-enabled/roundcube removes=/etc/apache2/sites-enabled/roundcube
+  file: path=/etc/apache2/sites-enabled/roundcube state=absent
 
 - name: Configure the Apache HTTP server for roundcube
   template: src=etc_apache2_sites-available_roundcube.j2 dest=/etc/apache2/sites-available/roundcube.conf group=root owner=root force=yes

roles/webmail/templates/etc_apache2_sites-available_roundcube.j2

@@ -7,14 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ webmail_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     # Those aliases do not work properly with several hosts on your apache server
     # Uncomment them to use it or adapt them to your configuration

roles/xmpp/tasks/prosody.yml

@@ -1,12 +1,31 @@
 - name: Ensure repository key for Prosody is in place
   apt_key: url=https://prosody.im/files/prosody-debian-packages.key state=present
+  tags:
+    - dependencies
 
 # Prosody supplies repo for sid, squeeze, wheezy, jessie, trusty, saucy, raring, quantal, precise and lucid
 - name: Add Prosody Debian/Ubuntu repository
   apt_repository: repo="deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main"
+  tags:
+    - dependencies
 
 - name: Install Prosody from official repository
   apt: pkg=prosody update_cache=yes
+  tags:
+    - dependencies
+
+- name: Install lua-sec-prosody on Debian Wheezy and Ubuntu Precise
+  apt: pkg=lua-sec-prosody update_cache=yes
+  when: ansible_distribution_release == 'wheezy' or ansible_distribution_release == 'precise'
+  tags:
+    - dependencies
+
+
+- name: Install lua-sec 0.5+
+  apt: pkg=lua-sec update_cache=yes
+  when: ansible_distribution_release == 'trusty' or ansible_distribution_release == 'jessie'
+  tags:
+    - dependencies
 
 - name: Add prosody user to ssl-cert group
   user: name=prosody groups=ssl-cert append=yes

vars/defaults.yml

@@ -63,6 +63,9 @@ mail_db_database: mailserver
 # mail_virtual_domains: (required)
 # mail_virtual_users: (required)
 # mail_virtual_aliases: (required)
+mail_db_opendmarc_username: opendmarc
+# mail_db_opendmarc_password: (required)
+mail_db_opendmarc_database: opendmarc
 
 # z-push
 zpush_version: 2.1.1-1788
@@ -97,7 +100,7 @@ openvpn_protocol: "udp"
 # openvpn_clients: (required)
 
 # webmail
-webmail_domain: "mail.{{ domain }}"
+webmail_domain: "{{ mail_server_hostname }}"
 webmail_db_username: "roundcube"
 # webmail_db_password: (required)
 webmail_db_database: "roundcube"
@@ -123,7 +126,7 @@ gitolite_version: 3.5.3.1
 newebe_domain: "newebe.{{ domain }}"
 
 # wallabag
-wallabag_version: 1.7.1
+wallabag_version: 1.9.1
 wallabag_domain: "read.{{ domain }}"
 # wallabag_salt: (required)
 wallabag_db_username: wallabag

vars/user.yml

@@ -7,7 +7,7 @@
 # common
 domain: TODO.com
 main_user_name: TODO
-encfs_password: TODO
+encfs_password: TODO    # NOTE: must not contain dollar sign characters '$'
 
 # database
 db_admin_username: postgres
@@ -24,6 +24,7 @@ irc_timezone: TODO      #Example: "America/New_York"
 
 # mailserver
 mail_db_password: TODO
+mail_db_opendmarc_password: TODO
 mail_virtual_domains:
   - name: "{{ domain }}"
     pk_id: 1