Move to Debian 8

This merge switches Sovereign from systems based on Debian 7 to Debian
8.  It's a recursive merge of the jessie branch with direction to take
conflicting hunks from jessie (-Xours).  The merge was subsequently
cleaned up to match the jessie branch with a couple of exceptions noted
in the cleanup commit.

.gitignore

@@ -1,3 +1,4 @@
-.vagrant
-vagrant_ansible_inventory_default
+.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory
+.vagrant/machines
 tests.pyc
+secret

.travis.yml

@@ -4,8 +4,7 @@ cache:
   directories:
     - $HOME/.cache/pip
 install:
-  # TODO: use requirements.txt when ansible updated to >= 1.9
-  - pip install ansible
+  - pip install -r requirements.txt
   - pip install -r test-requirements.txt
 script:
   - ansible-playbook --syntax-check -i hosts site.yml

.vagrant/provisioners/ansible/inventory/secret/db_admin_password

@@ -0,0 +1 @@
+postgres

.vagrant/provisioners/ansible/inventory/secret/encfs_password

@@ -0,0 +1 @@
+testPassword

.vagrant/provisioners/ansible/inventory/secret/mail_db_opendmarc_password

@@ -0,0 +1 @@
+testPassword

.vagrant/provisioners/ansible/inventory/secret/mail_db_password

@@ -0,0 +1 @@
+testPassword

.vagrant/provisioners/ansible/inventory/secret/owncloud_db_password

@@ -0,0 +1 @@
+testPassword

.vagrant/provisioners/ansible/inventory/secret/selfoss_db_password

@@ -0,0 +1 @@
+testPassword

.vagrant/provisioners/ansible/inventory/secret/selfoss_password_hash

@@ -0,0 +1 @@
+f7fbba6e0636f890e56fbbf3283e524c6fa3204ae298382d624741d0dc6638326e282c41be5e4254d8820772c5518a2c5a8c0c7f7eda19594a7eb539453e1ed7

.vagrant/provisioners/ansible/inventory/secret/wallabag_db_password

@@ -0,0 +1 @@
+testPassword

.vagrant/provisioners/ansible/inventory/secret/wallabag_salt

@@ -0,0 +1 @@
+testing

CONTRIBUTING.md

@@ -4,6 +4,8 @@
 
 Make sure you agree with the license (GPLv3). See [LICENSE.md](./LICENSE.md) for details.
 
+Code that is committed to the master branch should work with both Debian 8 "Jessie" (and Ubuntu 16.04 LTS "Xenial" once it is available).
+
 ## Development environment
 
 You'll want to set up a [local development environment](https://github.com/sovereign/sovereign/wiki/Development-Environment) so that you don't have to test on a remote server.
@@ -12,6 +14,10 @@ You'll want to set up a [local development environment](https://github.com/sover
 
 Sovereign is an Ansible playbook that uses the modules in this repository to configure a server. Modules should conform to the following design principles.
 
+### Naming
+
+Modules should be named after the software they add (as opposed to the functionality they provide). Soverign is currently inconsistent on this. For example, there are the `ircbouncer` and `blog` modules, but there are also the `owncloud` and `tarsnap` modules. Please name modules after the software used, though, so that it is possible to provide alternatives for functionality.
+
 ### Making decisions
 
 A module exists to make decisions about how a service should be installed and configured. Make these decisions and minimize or eliminate configuration options exposed to the user. When in doubt, make a decision, and if the community feedback is vocal enough, only then expose an option.
@@ -51,6 +57,7 @@ The design description should be succinct and to the point. Assume the reader is
 Consider the following checklist when reviewing a module's design.
 
 - Does the role create data on the server that is impossible or difficult to reproduce, e.g., private keys? If so, update the tarsnap role to include precious data in backups.
+- Does the role need an SSL certificate for a new subdomain?  If so, update the letsencrypt tasklist in the common role.
 - Does the role add an Apache virtual site?  If so, has somebody knowledgable in Apache configuration and security reviewed the configuration?
 - Does README.md need to be updated based on new or changed finalization instructions?
 

README.md

@@ -3,7 +3,7 @@
 Introduction
 ============
 
-Sovereign is a set of [Ansible](http://www.ansible.com) playbooks that you can use to build and maintain your own [personal cloud](http://www.urbandictionary.com/define.php?term=clown%20computing) based entirely on open source software, so you’re in control.
+Sovereign is a set of [Ansible](http://ansible.com) playbooks that you can use to build and maintain your own [personal cloud](http://www.urbandictionary.com/define.php?term=clown%20computing) based entirely on open source software, so you’re in control.
 
 If you’ve never used Ansible before, you might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.
 
@@ -19,17 +19,17 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) over SSL via [Dovecot](http://dovecot.org/), complete with full text search provided by [Solr](https://lucene.apache.org/solr/).
 -   [POP3](https://en.wikipedia.org/wiki/Post_Office_Protocol) over SSL, also via Dovecot
 -   [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) over SSL via Postfix, including a nice set of [DNSBLs](https://en.wikipedia.org/wiki/DNSBL) to discard spam before it ever hits your filters.
--   Webmail via [Roundcube](http://www.roundcube.net/).
+-   Webmail via [Roundcube](http://www.roundcube.net/). **NOTE:** currently unavailable.
 -   Mobile push notifications via [Z-Push](http://z-push.sourceforge.net/soswp/index.php?pages_id=1&t=home).
 -   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
 -   Jabber/[XMPP](http://xmpp.org/) instant messaging via [Prosody](http://prosody.im/).
 -   An RSS Reader via [Selfoss](http://selfoss.aditu.de/).
 -   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
 -   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
--   Spam fighting via [DSPAM](http://dspam.sourceforge.net/) and [Postgrey](http://postgrey.schweikert.ch/).
--   Mail server verification via [OpenDKIM](http://www.opendkim.org/), so folks know you’re legit.
+-   Spam fighting via [Rspamd](https://www.rspamd.com/) and [Postgrey](http://postgrey.schweikert.ch/).
+-   Mail server verification via [OpenDKIM](http://www.opendkim.org/) and [OpenDMARC](http://www.trusteddomain.org/opendmarc/) so the Internet knows your mailserver is legit.
 -   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [ownCloud](http://owncloud.org/).
--   Your own private [Dropbox](https://www.dropbox.com/), also via [ownCloud](http://owncloud.org/).
+-   Your own private storage cloud via [ownCloud](http://owncloud.org/).
 -   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).
 -   An IRC bouncer via [ZNC](http://wiki.znc.in/ZNC).
 -   [Monit](http://mmonit.com/monit/) to keep everything running smoothly (and alert you when it’s not).
@@ -41,7 +41,6 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   [RFC6238](http://tools.ietf.org/html/rfc6238) two-factor authentication compatible with [Google Authenticator](http://en.wikipedia.org/wiki/Google_Authenticator) and various hardware tokens
 -   Nightly backups to [Tarsnap](https://www.tarsnap.com/).
 -   Git hosting via [cgit](http://git.zx2c4.com/cgit/about/) and [gitolite](https://github.com/sitaramc/gitolite).
--   [Newebe](http://newebe.org), a social network.
 -   Read-it-later via [Wallabag](https://www.wallabag.org/)
 -   A bunch of nice-to-have tools like [mosh](http://mosh.mit.edu) and [htop](http://htop.sourceforge.net) that make life with a server a little easier.
 
@@ -54,36 +53,18 @@ What You’ll Need
 ----------------
 
 1.  A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at [Linode](http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b). You’ll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
-2.  [64-bit Debian 7](http://www.debian.org/) or an equivalent Linux distribution such as Ubuntu 14.04 LTS. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.) Support for Debian 8 and Ubuntu 16.04 is underway in the "jessie" branch.
-3.  A wildcard SSL certificate. You can either buy one or self-sign if you want to save money.
-4.  A [Tarsnap](http://www.tarsnap.com) account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
+2.  [64-bit Debian 8.3](http://www.debian.org/) or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.)
+3.  A [Tarsnap](http://www.tarsnap.com) account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
 
-Installation
-------------
-
-### 1. Get a wildcard SSL certificate
-
-Generate a private key and a certificate signing request (CSR):
-
-    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -sha256 -out mycert.csr
-
-Purchase a wildcard cert from a certificate authority, such as [Positive SSL](https://positivessl.com) or [AlphaSSL](https://www.alphassl.com). You will provide them with the contents of your CSR, and in return they will give you your signed public certificate. Place the certificate in `roles/common/files/wildcard_public_cert.crt`.
-
-Download your certificate authority’s combined cert to `roles/common/files/wildcard_ca.pem`. You can also download the intermediate and root certificates separately and concatenate them together in that order.
-
-Lastly, test your certificate:
-
-    openssl verify -verbose -CAfile roles/common/files/wildcard_ca.pem roles/common/files/wildcard_public_cert.crt
+You do not need to acquire an SSL certificate.  The SSL certificates you need will be obtained from [Let's Encrypt](https://letsencrypt.org/) automatically when you deploy your server.
 
-#### Self-signed SSL certificate
 
-Purchasing SSL certs, and wildcard certs specifically, can be a significant financial burden. It is possible to generate a self-signed SSL certificate (i.e. one that isn’t signed by a Certificate Authority) that is free of charge by nature. However, since a self-signed cert has no CA chain that can confirm its authenticity, some services might behave erratically when using such a certificate.
+Installation
+------------
 
-To create a self-signed SSL cert, run the following commands:
+### 1. Install required packages
 
-    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -sha256 -out mycert.csr
-    openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
-    cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
+    apt-get install sudo
 
 ### 2. Get a Tarsnap machine key
 
@@ -118,7 +99,8 @@ Your new account will be automatically set up for passwordless `sudo`.
 
 ### 4. Configure your installation
 
-Modify the settings in `vars/user.yml` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
+Modify the settings in `group_vars/sovereign` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
+All of the variables in `group_vars/sovereign` must be set for sovereign to function.
 
 Setting `password_hash` for your mail users is a bit tricky. You can generate one using [doveadm-pw](http://wiki2.dovecot.org/Tools/Doveadm/Pw).
 
@@ -166,11 +148,26 @@ For Git hosting, copy your public key into place:
 
 	cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub
 
-Finally, replace the TODOs in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
+Finally, replace the `host.example.net` in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
+
+### 5. Set up DNS
+
+If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
+
+Create `A` or `CNAME` records which point to your server's IP address:
+
+* `example.com`
+* `mail.example.com`
+* `www.example.com` (for Web hosting)
+* `autoconfig.example.com` (for email client automatic configuration)
+* `read.example.com` (for Wallabag)
+* `news.example.com` (for Selfoss)
+* `cloud.example.com` (for ownCloud)
+* `git.example.com` (for cgit)
 
-### 5. Run the Ansible Playbooks
+### 6. Run the Ansible Playbooks
 
-First, make sure you’ve [got Ansible 1.6+ installed](http://docs.ansible.com/intro_installation.html#getting-ansible).
+First, make sure you’ve [got Ansible 1.9.3+ installed](http://docs.ansible.com/intro_installation.html#getting-ansible).
 
 To run the whole dang thing:
 
@@ -182,23 +179,11 @@ To run just one or more piece, use tags. I try to tag all my includes for easy i
 
 You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there’s no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I’ve tried to add comments where manual intervention is necessary.
 
-The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `vars/user.yml`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
-
-### 6. Set up DNS
-
-If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
+The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `group_vars/sovereign`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
 
-Create `A` records which point to your server's IP address:
-
-* `example.com`
-* `mail.example.com`
-* `autoconfig.example.com` (for email client automatic configuration)
-* `read.example.com` (for Wallabag)
-* `news.example.com` (for Selfoss)
-* `cloud.example.com` (for ownCloud)
-* `git.example.com` (for cgit)
+### 7. Finish DNS set-up
 
-Create a `MX` record for `example.com` which assigns `mail.example.com` as the domain’s mail server.
+Create an `MX` record for `example.com` which assigns `mail.example.com` as the domain’s mail server.
 
 To ensure your emails pass DKIM checks you need to add a `txt` record. The name field will be `default._domainkey.EXAMPLE.COM.` The value field contains the public key used by OpenDKIM. The exact value needed can be found in the file `/etc/opendkim/keys/EXAMPLE.COM/default.txt` it’ll look something like this:
 
@@ -208,7 +193,7 @@ For DMARC you'll also need to add a `txt` record. The name field should be `_dma
 
 Set up SPF and reverse DNS [as per this post](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/). Make sure to validate that it’s all working, for example by sending an email to <a href="mailto:check-auth@verifier.port25.com">check-auth@verifier.port25.com</a> and reviewing the report that will be emailed back to you.
 
-### 7. Miscellaneous Configuration
+### 8. Miscellaneous Configuration
 
 Sign in to the ZNC web interface and set things up to your liking. It isn’t exposed through the firewall, so you must first set up an SSH tunnel:
 
@@ -222,7 +207,7 @@ Similarly, to access the server monitoring page, use another SSH tunnel:
 
 Again proceeding to http://localhost:2812 in your web browser.
 
-Finally, sign into ownCloud to set it up. You should select PostgreSQL as the configuration backend.
+Finally, sign into ownCloud with a new administrator account to set it up. You should select PostgreSQL as the configuration backend. Use `owncloud` as the database user and the database name. For the database password use the password you set for `owncloud_db_password` in `group_vars/sovereign`.
 
 How To Use Your New Personal Cloud
 ----------------------------------

Vagrantfile

@@ -1,21 +1,20 @@
 # -*- mode: ruby -*-
 
-Vagrant.configure("2") do |config|
-  #
-  # Common Settings
-  #
-
-  config.vm.hostname = "sovereign.local"
-  config.vm.network "private_network", ip: "172.16.100.2"
+Vagrant.configure('2') do |config|
+  config.vm.hostname = 'sovereign.local'
+  config.vm.network 'private_network', ip: '172.16.100.2'
 
   config.vm.provision :ansible do |ansible|
-    ansible.playbook = "site.yml"
+    ansible.playbook = 'site.yml'
     ansible.host_key_checking = false
-    ansible.extra_vars = { ansible_ssh_user: "vagrant", testing: true }
-
-    # ansible.tags = ["blog"]
-    # ansible.skip_tags = ["openvpn"]
-    # ansible.verbose = "vvvv"
+    ansible.extra_vars = { ansible_ssh_user: 'vagrant', testing: true }
+    ansible.groups = {
+      "testing" => ["jessie"]
+    }
+
+    # ansible.tags = ['blog']
+    # ansible.skip_tags = ['openvpn']
+    # ansible.verbose = 'vvvv'
   end
 
   config.vm.provider :virtualbox do |v|
@@ -23,42 +22,25 @@ Vagrant.configure("2") do |config|
   end
 
   config.vm.provider :vmware_fusion do |v|
-    v.vmx["memsize"] = "512"
+    v.vmx['memsize'] = '512'
   end
 
-  #
   # vagrant-cachier
   #
   # Install the plugin by running: vagrant plugin install vagrant-cachier
   # More information: https://github.com/fgrehm/vagrant-cachier
-  #
-
-  if Vagrant.has_plugin? "vagrant-cachier"
+  if Vagrant.has_plugin? 'vagrant-cachier'
     config.cache.enable :apt
     config.cache.scope = :box
   end
 
-  #
-  # Debian 7 64-bit (officially supported)
-  #
-
-  config.vm.define "debian", primary: true do |debian|
-    debian.vm.box = "box-cutter/debian78"
-  end
-
-  #
-  # Ubuntu 12.04 64-bit
-  #
-
-  config.vm.define "precise", autostart: false do |precise|
-    precise.vm.box = "box-cutter/ubuntu1204"
+  # Debian 8 64-bit (officially supported)
+  config.vm.define 'jessie', primary: true do |jessie|
+    jessie.vm.box = 'box-cutter/debian81'
   end
 
-  #
-  # Ubuntu 14.04 64-bit
-  #
-
-  config.vm.define "trusty", autostart: false do |trusty|
-    trusty.vm.box = "box-cutter/ubuntu1404"
+  # Ubuntu 16.04 (LTS) 64-bit (currently unavailable)
+  config.vm.define 'xenial', autostart: false do |xenial|
+    xenial.vm.box = 'box-cutter/ubuntu1604'
   end
 end

group_vars/sovereign

@@ -0,0 +1,57 @@
+---
+################################################################################
+# Set your variables here.
+################################################################################
+
+# common
+domain: (required)
+main_user_name: (required)
+
+# admin email
+# fail2ban reports will be sent to this address
+admin_email: "{{ main_user_name }}@{{ domain }}"
+
+# mail
+mail_virtual_domains:
+  - name: "{{ domain }}"
+    pk_id: 1
+mail_virtual_users:
+  - account: "{{ main_user_name }}"
+    domain: "{{ domain }}"
+    password_hash: TODO
+    domain_pk_id: 1
+mail_virtual_aliases:
+  - source: "root@{{ domain }}"
+    destination: "{{ admin_email }}"
+    domain_pk_id: 1
+  - source: "postmaster@{{ domain }}"
+    destination: "{{ admin_email }}"
+    domain_pk_id: 1
+  - source: "webmaster@{{ domain }}"
+    destination: "{{ admin_email }}"
+    domain_pk_id: 1
+
+# timezone
+# common_timezone will be used in the common and mailserver roles
+common_timezone: 'Etc/UTC'
+
+# znc
+irc_nick: (required)
+irc_ident: (required)
+irc_realname: (required)
+irc_quitmsg: (required)
+irc_password_hash: (required)
+irc_password_salt: (required)
+
+# xmpp
+prosody_admin: "{{ admin_email }}"
+prosody_virtual_domain: "{{ domain }}"
+prosody_accounts:
+  - name: "{{ main_user_name }}"
+    password: TODO
+
+# openvpn
+openvpn_clients:
+  - laptop
+  - phone
+  - tablet

vars/testing.yml → group_vars/testing

@@ -1,32 +1,23 @@
 ---
 ###############################################################################
-# Variables used when testing with Vagrant
-# For a complete reference look at the `vars/defaults.yml` file.
+# Variables used when testing with Vagrant.  Secrets are stored in
+# `.vagrant/provisioners/ansible/inventory/secret.
+#
+# selfoss_password_hash is the SHA512 hash of `foo`
+# 
 ###############################################################################
 
 # common
-common_timezone: 'Etc/UTC'
 domain: sovereign.local
 main_user_name: sovereign
-encfs_password: testPassword
 friendly_networks:
   - "172.16.100.0/24"
 
-db_admin_username: postgres
-db_admin_password: postgres
-
-# ircbouncer
-irc_nick: sovereign
-irc_ident: sovereign
-irc_realname: Mr. Sovereign
-irc_quitmsg: Bye
-irc_password_hash: "310c5f99825e80d5b1d663a0a993b8701255f16b2f6056f335ba6e3e720e57ed" #foo
-irc_password_salt: "YdlPM5yjBmc/;JO6cfL5"
-irc_timezone: "America/New_York" #Example: "America/New_York"
+# admin email
+# fail2ban reports will be sent to this address
+admin_email: "{{ main_user_name }}@{{ domain }}"
 
 # mailserver
-mail_db_password: testPassword
-mail_db_opendmarc_password: testPassword
 mail_virtual_domains:
   - name: "{{ domain }}"
     pk_id: 1
@@ -45,15 +36,26 @@ mail_virtual_aliases:
   - source: "webmaster@{{ domain }}"
     destination: "{{ admin_email }}"
     domain_pk_id: 1
-mail_header_privacy: 1
 
-# z-push
-zpush_timezone: "America/New_York"  #Example: "America/New_York"
+# timezone
+# common_timezone will be used in the common and mailserver roles
+common_timezone: 'Etc/UTC'
+
+# znc
+irc_nick: sovereign
+irc_ident: sovereign
+irc_realname: Mr. Sovereign
+irc_quitmsg: Bye
+irc_password_hash: "310c5f99825e80d5b1d663a0a993b8701255f16b2f6056f335ba6e3e720e57ed" #foo
+irc_password_salt: "YdlPM5yjBmc/;JO6cfL5"
+irc_timezone: "America/New_York" #Example: "America/New_York"
 
-# owncloud
-owncloud_db_password: testPassword
+# xmpp
+prosody_accounts:
+  - name: "{{ main_user_name }}"
+    password: foo
 
-# vpn
+# openvpn
 openvpn_key_country:  "US"
 openvpn_key_province: "California"
 openvpn_key_city: "Beverly Hills"
@@ -63,22 +65,3 @@ openvpn_clients:
   - laptop
   - phone
   - tablet
-
-# webmail
-webmail_db_password: testPassword
-
-# xmpp
-prosody_accounts:
-  - name: "{{ main_user_name }}"
-    password: foo
-
-# selfoss
-selfoss_db_password: testPassword
-selfoss_username: "{{ main_user_name }}"
-# this is the sha512 hash of the desired password
-selfoss_password_hash: "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae298382d624741d0dc6638326e282c41be5e4254d8820772c5518a2c5a8c0c7f7eda19594a7eb539453e1ed7"
-# foo
-
-# wallabag
-wallabag_salt: testing
-wallabag_db_password: testPassword

hosts

@@ -1,2 +1,4 @@
-[TODO]
-TODO # put your host's IP here
+[sovereign]
+# hosts in the `sovereign` group  use vars defined in `group_vars/sovereign`
+# put your host's IP address or domain name below
+host.example.net

requirements.txt

@@ -1 +1 @@
-ansible==1.6.6
+ansible>=1.9.3,<2

roles/blog/templates/etc_apache2_sites-available_blog.j2

@@ -9,8 +9,7 @@
 <VirtualHost *:443>
     ServerName {{ domain }}
     ServerAlias www.{{ domain }}
-
-    Include /etc/apache2/ssl.conf
+    SSLEngine On
 
     DocumentRoot            "/var/www/{{ domain }}"
     DirectoryIndex          index.html

roles/common/DESIGN.md

@@ -0,0 +1,29 @@
+# Design Description for Common Role
+
+## Let's Encrypt Support
+
+[Let's Encrypt](https://letsencrypt.org) (LE) is an automated certificate authority that provides free SSL certificates that are trusted by all major browsers.  LE certificates are used by Sovereign instead of purchased certificates from authorities like RapidSSL in order to reduce the out-of-pocket cost of deploying Sovereign and avoid end-user problems with self-signed certificates.
+
+### Design approach
+
+The Let's Encrypt service uses DNS to look up domains being registered and then contact the client to verify. For this to work, DNS records must be configured before the playbook is run the first time.
+
+A single certificate is created using Let's Encrypt with SANs used for the subdomains.  At deploy-time, a script is used to query DNS for known subdomains, build a list of the subset that is registered, and use it when making the certificate request of Let's Encrypt.
+
+Several packages need access to the private key. Not all are run as root. An example is Prosody (XMPP). Such users are added to the ssl-cert group, and /etc/letsencrypt is set up to allow keys to be read by ssl-cert.
+
+Certificates and private keys are backed up using tarsnap.
+
+Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
+
+### Testing support
+
+An isolated VM deployed with Vagrant is used for testing. The Let's Encrypt service cannot be used to get keys for it, since it is not bound with DNS. A self-signed wildcard key is therefore used for testing. The wildcard key, certificate, and chain are installed in the same way that Let's Encrypt keys are installed.
+
+### Alternative approaches
+
+Another way to generate certificates is to generate one certificate per domain and expect each module that uses a subdomain to generate its own certificate for the subdomain.
+
+This was prototyped. The common role included a parameterized task list that could be invoked by modules that needed to generate a key. The certificate renewal script run by cron could be modified to update all the certificates in the `live` directory.
+
+This approach was rejected due to complexity. This would have been the first time modules needed to invoke a task list from another module. Managing multiple certificates is also more complicated.

roles/common/defaults/main.yml

@@ -0,0 +1,34 @@
+common_timezone: 'Etc/UTC'
+admin_email: "{{ main_user_name }}@{{ domain }}"
+main_user_shell: "/bin/bash"
+friendly_networks:
+  - ""
+
+# encfs
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+encfs_password: "{{ lookup('password', secret + '/' + 'encfs_password', length=32) }}"
+
+
+# let's encrypt
+letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
+
+# ssh
+kex_algorithms: "diffie-hellman-group-exchange-sha256"
+ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
+macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
+
+# ntp
+ntp_servers:
+  # use nearby ntp servers by default
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org
+  # use servers tailored to the server location
+  # See http://www.pool.ntp.org/en/use.html
+  # - 0.north-america.pool.ntp.org
+  # - 1.north-america.pool.ntp.org
+  # - 2.north-america.pool.ntp.org
+  # - 3.north-america.pool.ntp.org

roles/common/files/etc_apache2_conf-available_ssl-stapling-cache.conf

@@ -1 +0,0 @@
-SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)

roles/common/files/etc_cron-daily_letsencrypt-renew

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -o errexit
+# Renew all live certificates with LetsEncrypt.  This needs to run at least
+# once every three months, but recommended frequency is once a day.
+
+/root/letsencrypt/letsencrypt-auto renew -q -c /etc/letsencrypt/cli.conf \
+--pre-hook="find /etc/letsencrypt/prerenew/ -maxdepth 1 -type f -executable -exec {} \;" \
+--post-hook="find /etc/letsencrypt/postrenew/ -maxdepth 1 -type f -executable -exec {} \;"

roles/common/files/letsencrypt-gencert

@@ -0,0 +1,13 @@
+#!/bin/bash
+d="$1"
+for i in www mail autoconfig read news cloud git; do
+  if (getent hosts $i.$1 > /dev/null); then
+    d="$d,$i.$1";
+  fi
+done
+# We are using the "standalone" letsencrypt plugin, which runs its own
+# webserver, so we need to temporarily free up the HTTP(S) ports by stopping
+# our own Apache.
+service apache2 stop
+/root/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/cli.conf --domains $d
+service apache2 start

roles/common/files/wildcard_ca.pem

@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDPjCCAiYCCQDcHVzv6JwhEzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJB
-VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
-cyBQdHkgTHRkMRowGAYDVQQDFBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xMzExMDIx
-OTI4NDlaFw0xNDExMDIxOTI4NDlaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
-b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
-BgNVBAMUESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPobueyI
-6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4sCKrI
-yw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iapngrr
-C6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx3oY6
-yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1BnmS
-xdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
-AQAX5KZYIYcMuHRdsd/EKwee+pzp0irs1dqbNwYJIj3HS8Zx/qd+LET4irQbY72N
-9Z2s0UTSngy4axlyItKrn+k26FUnSW80W8GMb/dEIyKg5Vnu+zLKnKj85dGUBSAP
-AzhNyqkwiY5BFFy/tvuFBvjxle9vkBNZrmtsh/PktzaW3BNrYaE9xDMYesT9xi73
-aKFMIryVZWzZKmMaJhcMcMarWzAvLftV+0VfJV3EWtzpEbjEu3mIsoBZvD0uGqbU
-Llt1yeYyBrcdIbDQZgeRHhrJjC8yx0iqvj5WmnEp8hk6YtqdwGGTJxkpUtxFT/dO
-+0vEpa88MmGGUdXZ4NWI2IYe
+MIIDPjCCAiYCCQCIBIL0qFYY5DANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJB
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMRowGAYDVQQDDBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xNjAxMDkw
+OTU4MzNaFw0xNzAxMDgwOTU4MzNaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApT
+b21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
+BgNVBAMMESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA1Z12KXbGOq70H9rxgH+uBF2MSil5xTcxQKFpUhFOu0kIVoQ7Sa2n
+FPKYDC5aTKE7ajgO4cER44WgtBnEXGs7MHQEJL2tT0ETiDfTqSEhTpsXSzCxl7bo
+AZIrw9ntJKvTm4Ot04MXsUqeZyr6gk5XMOilluZWTLzbunigKOJItyM3VBRnLWZi
+ScznIkbKLGt2WjGIaENOR4cw+wwzOmH0UVxGtGWo/jklGtBZG8mb+fF8rH6L6VBa
+nIYHBGlg8Gy0eK430jMD/y2zqlOzY4gE5/BlwaxEupuzL+jtiYGyr7G1tUksQ49v
+UNimlAzUINB6bYnIk0MwpIxB0xECj0nz2wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
+AQCEVVrT1ktgvA3CwuIr+/BWRfILIHyayy3FxIwF8wBymAwQiT/09JuNDsLuI2/t
+eOY9BZsaJ9BtGA7dajbwKDX83Z+WXcv2AwxbAhxUnpBCQF0MNT9Vh7ixE0rXbXeg
+bvy5D4n1MWTBaPK+MpuEEV5m/dRZOFIgf6AWDCB7QixWm7N2BGjqni5kr2EuqYw8
+JqxXXtTDTBA8BKMLxPRER+w39zD8fQouTn1pI8nVba/WdX1NlchzFrex6ByvKWQG
+joSPd39d68NNyytwmv5LWOQ2Shsk0d0UV9eoFrctPJh8cL4BPfNS7NQR12u55zn0
+NR+SN5v9/7fn+/KF1UZq5Jao
 -----END CERTIFICATE-----

roles/common/files/wildcard_private.key

@@ -1,27 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPob
-ueyI6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4s
-CKrIyw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iap
-ngrrC6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx
-3oY6yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1
-BnmSxdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABAoIBADm/oYAavJ2nif+H
-CNgqDqDhW6CPegqenwbBaihAUzK00CdOM8mmMgt2SdFe3xvGqDssRpwtu3bEROnY
-r3WHreEIQ0gdc8MQhnvat32cLkWk+0MtQUeEpnJ0bzeRJOJEPxs+btu+1wIQvmFy
-uVOWqOq1a6xmwdemcfl0hRwFsdvO00MefOWgJpmBGBTBKuvhg1rUPP8xkHlD98ga
-+vpxG0vS5d2vHKa5FxcbbMaV9kxqjsc1Sm79zWlomwdmE5u0dUIIfNV1+VOmPqW2
-tjeD+JDieyX3uOKFpRTk7/5rOJd5hzHukIeUpl0n9mC/mY8lvoFAttszeTEwjkv0
-EhRBjaECgYEA3Rz8AoWJLDC63wfz3mUhtXzFxrxok85cNT35ohT9btnKyLKykvAE
-BCfHeYg8cwFFv0oUXpK9HWOqoJhsYN79+WYA1QE9n0XXAGl1K1/FlKsoAH3h5GAf
-CHGLsq6rEY3ixBmqEiKCWjNXgKeoMg9V/gjTNudWYqLvcsgMoD9vJbkCgYEAyiGi
-QZUa7pGFSa3+kPJo9wx6FylsAVnBluQETZpPdXSB43cTnfUlGj50OHAwFKwD4MP1
-Z+3mTW3+iedpEo3BWs47onanI9DSe6XcUUMXreP+aStJYOkQ3Sl5wr5A61NFF/yr
-+bdKEzXNXB5My5hbFLuSUtsXNVmVr6B7pz2wyfsCgYEAiXKyCVM/IPQtxeSoqM+O
-88VbIB4QmAjIcuRSoHmRzO2fy8ChlwuSQ48Cxb51bTwWQkHnhZ6L5pAFCg2WGWWk
-1Pqee8popvCAJSZpCoxfQvpeRGf8Gr3RrKsAnxNLDf94PlSBzwIaq72MoFIYEP5N
-gzuzKEcIAQqt9Fj82ER2cCkCgYEAnaEFC+ffjNRnAUJzF04zlRVh0NY4qAT691Ty
-FiKUfKBS+rRN1Azs1j6GG81BcZ2DmLC4nEfmJdP1gE26nwF1G/9geh3V0hRzUIHU
-Ansz6CO4rwNWwgB/ajmB/uCnd90EMOSWqLLLTZfTglcOxGcYAF8WiQ7aVnx6Qu//
-/jgZuikCgYB10Gf8Wl/TcWVBTwbDbA50VqZpUWXkcF+oo/w4FfI2f74TEQVkIs9m
-4SVhrtSAz3z2tuBEDB8SM2Uwe00/JSrbuOTvGcVTq64LDgH5fL38Hw8+7IvAZEOx
-26mAS685K1pq0HvvCuwzSIAjpo55tso3phG/YxC+DD11DglhL1SpBA==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDVnXYpdsY6rvQf
+2vGAf64EXYxKKXnFNzFAoWlSEU67SQhWhDtJracU8pgMLlpMoTtqOA7hwRHjhaC0
+GcRcazswdAQkva1PQROIN9OpISFOmxdLMLGXtugBkivD2e0kq9Obg63TgxexSp5n
+KvqCTlcw6KWW5lZMvNu6eKAo4ki3IzdUFGctZmJJzOciRsosa3ZaMYhoQ05HhzD7
+DDM6YfRRXEa0Zaj+OSUa0FkbyZv58XysfovpUFqchgcEaWDwbLR4rjfSMwP/LbOq
+U7NjiATn8GXBrES6m7Mv6O2JgbKvsbW1SSxDj29Q2KaUDNQg0HpticiTQzCkjEHT
+EQKPSfPbAgMBAAECggEBAMcozbgO4vZnk3f3u13grK+pQFkMnll/Ac6OLxGyzULT
+7pArLNOesb5YB+ajeNElKa34ofdc+H62YYRI2ciIuWCNaiePKHxR4hIIarCvEMym
+0Grr9UfL4jdEvsUU84JTKTE+7dvbx0UmmtT5PyIqRCR3Y5tzGVbmZb5PJJO5la4X
+1Q8ZQHYvdFh52VXVpetp66yFpCu/EI8u9VSEBakvILpZ3yxjhskEXD18E304wn1e
+Ky+sBde6zUtXRc1rKxAzeQ/JyF1+1+xr8nI1kGryqXdNl/4S3JsdB5nL54U0pHaL
+XfLMZvRTVqKAsyjqLQzYE0bRnJz9sev85nu0J1sp/GECgYEA8Gi2izJmxpb3oDC7
+Eu388TeFOYrdg6AsXFkmKT5ssTRRT4ju03RrGWC8NlOJRhQxJloCICgmBWHLFWBG
+2OVGgOYhUr7/V12f/D2GICUcJ9SKkDbzKe0ACDPq9tzauVd9H8fY9gQfvhn0AA0v
+qG0+guGElxS+holIpbDP7VV0PykCgYEA43fp3VtneBHL4E4iZVBQaIBGMYOmE8v3
+cKSTCBgCU3jnbio85NHybI1Fw15cAXDOIsOlKescLyTw/IgRb3PbObNvpD8STS8d
+wVqen2Ir/mrsxWVn57jlSV5viGnIoI873YVJ9fl5pr/KbJ5A8//EnJwQLDq6MmQR
+zPMovp51L2MCgYEA0/rQ8t4HR5Z4VDSDz8YvYZaeD0YF2nkShH9LKdTUTFAgXiwU
+wjkF8oOckZ6JDVTinbmB5E7ib55yTq/s6HUJ/MBuo6KsTaHNXsH1EUUHlYtQfqcl
+NFO40oLM7M2CwyiEuNAj25F5V8tUnfMCkdV56DfoDLuK3+APQaItRU0zSjkCgYAW
+KGgvl+fMWm9xuiq/k8NBar1rtVdINmY0ItPvxeb0GqLwqEymPY1P5bMWBOsReNub
+p1M/checwAx5jQelw7NnO4N0jHBL9HsBisJI5FdEwUWvNOGaQPiU3Q4gS62vdkRu
+n71EqLig9a3SRtgs7I1KdClfJZldr0HMpSMi7myb4QKBgQDgeh5oDgypNBdMY4un
+Wpax1Mxse49T883Z3lIlVq+U7ZwnWLWfohSZK/kXUrolbdmo4z8yAlNKUO421sAF
+SWUWFAabEMnLq2ilv6WIG4i1ubFr4/DBV4fGcaYNMOxIENRDItn7RacddZ1EQVfC
+WBcstgic1QXyMJ+2LoC0LHdgCQ==
+-----END PRIVATE KEY-----

roles/common/files/wildcard_public_cert.crt

@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDPjCCAiYCCQDcHVzv6JwhEzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJB
-VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
-cyBQdHkgTHRkMRowGAYDVQQDFBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xMzExMDIx
-OTI4NDlaFw0xNDExMDIxOTI4NDlaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
-b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
-BgNVBAMUESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPobueyI
-6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4sCKrI
-yw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iapngrr
-C6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx3oY6
-yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1BnmS
-xdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
-AQAX5KZYIYcMuHRdsd/EKwee+pzp0irs1dqbNwYJIj3HS8Zx/qd+LET4irQbY72N
-9Z2s0UTSngy4axlyItKrn+k26FUnSW80W8GMb/dEIyKg5Vnu+zLKnKj85dGUBSAP
-AzhNyqkwiY5BFFy/tvuFBvjxle9vkBNZrmtsh/PktzaW3BNrYaE9xDMYesT9xi73
-aKFMIryVZWzZKmMaJhcMcMarWzAvLftV+0VfJV3EWtzpEbjEu3mIsoBZvD0uGqbU
-Llt1yeYyBrcdIbDQZgeRHhrJjC8yx0iqvj5WmnEp8hk6YtqdwGGTJxkpUtxFT/dO
-+0vEpa88MmGGUdXZ4NWI2IYe
+MIIDPjCCAiYCCQCIBIL0qFYY5DANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJB
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMRowGAYDVQQDDBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xNjAxMDkw
+OTU4MzNaFw0xNzAxMDgwOTU4MzNaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApT
+b21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
+BgNVBAMMESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA1Z12KXbGOq70H9rxgH+uBF2MSil5xTcxQKFpUhFOu0kIVoQ7Sa2n
+FPKYDC5aTKE7ajgO4cER44WgtBnEXGs7MHQEJL2tT0ETiDfTqSEhTpsXSzCxl7bo
+AZIrw9ntJKvTm4Ot04MXsUqeZyr6gk5XMOilluZWTLzbunigKOJItyM3VBRnLWZi
+ScznIkbKLGt2WjGIaENOR4cw+wwzOmH0UVxGtGWo/jklGtBZG8mb+fF8rH6L6VBa
+nIYHBGlg8Gy0eK430jMD/y2zqlOzY4gE5/BlwaxEupuzL+jtiYGyr7G1tUksQ49v
+UNimlAzUINB6bYnIk0MwpIxB0xECj0nz2wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
+AQCEVVrT1ktgvA3CwuIr+/BWRfILIHyayy3FxIwF8wBymAwQiT/09JuNDsLuI2/t
+eOY9BZsaJ9BtGA7dajbwKDX83Z+WXcv2AwxbAhxUnpBCQF0MNT9Vh7ixE0rXbXeg
+bvy5D4n1MWTBaPK+MpuEEV5m/dRZOFIgf6AWDCB7QixWm7N2BGjqni5kr2EuqYw8
+JqxXXtTDTBA8BKMLxPRER+w39zD8fQouTn1pI8nVba/WdX1NlchzFrex6ByvKWQG
+joSPd39d68NNyytwmv5LWOQ2Shsk0d0UV9eoFrctPJh8cL4BPfNS7NQR12u55zn0
+NR+SN5v9/7fn+/KF1UZq5Jao
 -----END CERTIFICATE-----

roles/common/tasks/apache.yml

@@ -0,0 +1,17 @@
+---
+# Configures the Apache HTTP server with sane defaults.
+
+- name: Disable default Apache site
+  command: a2dissite 000-default removes=/etc/apache2/sites-enabled/000-default
+  notify: restart apache
+
+- name: Enable Apache headers module
+  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
+  notify: restart apache
+
+- name: Create ServerName configuration file for Apache
+  template: src=fqdn.j2 dest=/etc/apache2/conf-available/fqdn.conf
+
+- name: Set ServerName for Apache
+  command: a2enconf fqdn creates=/etc/apache2/conf-enabled/fqdn.conf
+  notify: restart apache

roles/common/tasks/encfs.yml

@@ -10,28 +10,19 @@
 - name: Create encrypted directory
   file: state=directory path=/encrypted
 
-- name: Add mail user to fuse group
-  user: name=mail append=yes groups=fuse
-
-- name: Add main user to fuse group
-  user: name={{ main_user_name }} append=yes groups=fuse
-
-# Check if the /encrypted directory is empty
-- name: Check for existing encfs
+- name: Check if the /encrypted directory is empty
   shell: ls /encrypted/*
   ignore_errors: True
   changed_when: False  # never report as "changed"
   register: encfs_check
 
-# If it is empty, we need to create the encfs
-- name: Create encfs
+- name: If /encrypted is empty, create the encfs there
   shell: printf "p\n{{ encfs_password }}" | encfs /encrypted /decrypted --public --stdinpass && touch /decrypted/test
   when: encfs_check.rc > 0
 
-# If it isn't empty, we simply need to mount it (but only if /decrypted/test doesn't exist)
-- name: Mount encfs
+- name: If /encrypted isn't empty, mount it (but only if /decrypted/test doesn't exist)
   shell: printf "{{ encfs_password }}" | encfs /encrypted /decrypted --public --stdinpass creates="/decrypted/test"
   when: encfs_check.rc == 0
 
 - name: Set decrypted directory permissions
-  file: state=directory path=/decrypted group=mail mode=775
+  file: state=directory path=/decrypted group=mail mode=0775

roles/common/tasks/google_auth.yml

@@ -1,29 +1,15 @@
 ---
-# Defines tasks applicable for Google Authenticator
+# Defines tasks applicable for Google Authenticator.
 
 - name: Ensure required packages are installed
   apt: pkg={{ item }} state=present
   with_items:
-    #- libpam-google-authenticator    wasn't available in wheezy
+    - libpam-google-authenticator
     - libpam0g-dev
     - libqrencode3
   tags:
     - dependencies
 
-- name: Download Google authenticator pam module
-  get_url: url=https://google-authenticator.googlecode.com/files/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
-           dest=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
-
-- name: Extract Google authenticator
-  unarchive: src=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
-             creates=/root/libpam-google-authenticator-{{ google_auth_version }}
-             dest=/root copy=no
-
-- name: Install Google authenticator
-  command: make install
-           chdir=/root/libpam-google-authenticator-{{ google_auth_version }}
-           creates=/usr/local/bin/google-authenticator
-
 - name: Update sshd config to enable challenge responses
   lineinfile: dest=/etc/ssh/sshd_config
               regexp=^ChallengeResponseAuthentication
@@ -38,10 +24,10 @@
               state=present
 
 - name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
-  command: /usr/local/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
+  command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
            creates=/home/{{ main_user_name }}/.google_authenticator
-  sudo: yes
-  sudo_user: "{{ main_user_name }}"
+  become: yes
+  become_user: "{{ main_user_name }}"
   when: ansible_ssh_user != "vagrant"
 
 - name: Retrieve generated keys from server

roles/common/tasks/google_auth_mod.yml

@@ -1,41 +0,0 @@
----
-# Defines tasks applicable for Google Authenticator
-# Ubuntu trusty version, uses standard libpam-google-authenticator package
-
-- name: Ensure required packages are installed
-  apt: pkg={{ item }} state=present
-  with_items:
-    - libpam-google-authenticator
-    - libpam0g-dev
-    - libqrencode3
-  tags:
-    - dependencies
-
-- name: Update sshd config to enable challenge responses
-  lineinfile: dest=/etc/ssh/sshd_config
-              regexp=^ChallengeResponseAuthentication
-              line="ChallengeResponseAuthentication yes"
-              state=present
-  notify: restart ssh
-
-- name: Add Google authenticator to PAM
-  lineinfile: dest=/etc/pam.d/sshd
-              line="auth required pam_google_authenticator.so"
-              insertbefore=BOF
-              state=present
-
-- name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
-  command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
-           creates=/home/{{ main_user_name }}/.google_authenticator
-  sudo: yes
-  sudo_user: "{{ main_user_name }}"
-  when: ansible_ssh_user != "vagrant"
-
-- name: Retrieve generated keys from server
-  fetch: src=/home/{{ main_user_name }}/.google_authenticator
-         dest=/tmp/sovereign-google-auth-files
-  when: ansible_ssh_user != "vagrant"
-
-- pause: seconds=5
-         prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."
-  when: ansible_ssh_user != "vagrant"

roles/common/tasks/letsencrypt.yml

@@ -0,0 +1,104 @@
+- name: Download LetsEncrypt release
+  git: repo=https://github.com/letsencrypt/letsencrypt
+       dest=/root/letsencrypt
+       version=master
+       force=yes
+
+- name: Create directory for LetsEncrypt configuration and certificates
+  file: state=directory path=/etc/letsencrypt group=root owner=root
+
+- name: Configure LetsEncrypt
+  template:
+    src=etc_letsencrypt_cli.conf.j2
+    dest=/etc/letsencrypt/cli.conf
+    owner=root
+    group=root
+
+- name: Install LetsEncrypt package dependencies
+  command: /root/letsencrypt/letsencrypt-auto --help
+  register: le_deps_result
+  changed_when: "'Bootstrapping dependencies' in le_deps_result.stdout"
+
+- name: Create directory for pre-renewal scripts
+  file: state=directory path=/etc/letsencrypt/prerenew group=root owner=root
+
+- name: Create directory for post-renewal scripts
+  file: state=directory path=/etc/letsencrypt/postrenew group=root owner=root
+
+- name: Create pre-renew hook to stop apache
+  copy:
+    content: "#!/bin/bash\n\nservice apache2 stop\n"
+    dest: /etc/letsencrypt/prerenew/apache
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Create post-renew hook to start apache
+  copy:
+    content: "#!/bin/bash\n\nservice apache2 start\n"
+    dest: /etc/letsencrypt/postrenew/apache
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Install crontab entry for LetsEncrypt
+  copy:
+    src: etc_cron-daily_letsencrypt-renew
+    dest: /etc/cron.daily/letsencrypt-renew
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Create live directory for LetsEncrypt cron job
+  file: state=directory path=/etc/letsencrypt/live group=root owner=root
+
+- name: Get an SSL certificate for {{ domain }} from Let's Encrypt
+  script: letsencrypt-gencert {{ domain }} creates=/etc/letsencrypt/live/{{ domain }}/privkey.pem
+  when: ansible_ssh_user != "vagrant"
+
+- name: Modify permissions to allow ssl-cert group access
+  file: path=/etc/letsencrypt/archive owner=root group=ssl-cert mode=0750
+  when: ansible_ssh_user != "vagrant"
+
+### Several steps to install a self-signed wildcard key to support offline testing
+
+- name: Create live directory for testing keys
+  file: dest=/etc/letsencrypt/live/{{ domain }} state=directory
+    owner=root group=root mode=0755
+  when: ansible_ssh_user == "vagrant"
+
+- name: Copy SSL wildcard private key for testing
+  copy: src=wildcard_private.key
+    dest=/etc/letsencrypt/live/{{ domain }}/privkey.pem
+    owner=root group=ssl-cert mode=0640
+  register: private_key
+  when: ansible_ssh_user == "vagrant"
+
+- name: Copy SSL public certificate into place for testing
+  copy: src=wildcard_public_cert.crt
+    dest=/etc/letsencrypt/live/{{ domain }}/cert.pem
+    group=root owner=root mode=0644
+  register: certificate
+  notify: restart apache
+  when: ansible_ssh_user == "vagrant"
+
+- name: Copy SSL CA combined certificate into place for testing
+  copy: src=wildcard_ca.pem
+    dest=/etc/letsencrypt/live/{{ domain }}/chain.pem
+    group=root owner=root mode=0644
+  register: ca_certificate
+  notify: restart apache
+  when: ansible_ssh_user == "vagrant"
+
+- name: Create a combined SSL cert for testing
+  shell: cat /etc/letsencrypt/live/{{ domain }}/cert.pem
+    /etc/letsencrypt/live/{{ domain }}/chain.pem >
+    /etc/letsencrypt/live/{{ domain }}/fullchain.pem
+  when: (private_key.changed or certificate.changed or ca_certificate.changed) and ansible_ssh_user == "vagrant"
+
+- name: Set permissions on combined SSL public cert
+  file: name=/etc/letsencrypt/live/{{ domain }}/fullchain.pem mode=0644
+  notify: restart apache
+  when: ansible_ssh_user == "vagrant"
+
+### Back to normal

roles/common/tasks/main.yml

@@ -1,11 +1,4 @@
 ---
-# Defines tasks applicable across all machines in the infrastructure.
-- name: Set up closest mirror autoselect (ubuntu-only)
-  template: src=apt_sources.list.j2 dest=/etc/apt/sources.list
-  when: ansible_distribution == 'Ubuntu'
-  tags:
-    - dependencies
-
 - name: Update apt cache
   apt: update_cache=yes
   tags:
@@ -28,14 +21,13 @@
     - htop
     - iftop
     - iotop
+    - molly-guard
     - mosh
     - python-software-properties
-    - ruby1.9.3
+    - ruby
     - screen
     - sudo
-    - update-notifier-common
     - unattended-upgrades
-    - molly-guard
     - vim
     - zsh
   tags:
@@ -61,41 +53,18 @@
 - name: Apticron email configuration
   template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
 
-- name: Disable default Apache site
-  command: a2dissite 000-default removes=/etc/apache2/sites-enabled/000-default
-  notify: restart apache
-
-- name: Enable Apache headers module
-  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
-  notify: restart apache
-
-- name: Set ServerName for Apache
-  template: src=fqdn.j2 dest=/etc/apache2/conf.d/fqdn
-  notify: restart apache
-  when: ansible_distribution_release != 'trusty'
-
-- name: Create ServerName configuration file for Apache for Ubuntu Trusty
-  template: src=fqdn.j2 dest=/etc/apache2/conf-available/fqdn.conf
-  when: ansible_distribution_release == 'trusty'
-
-- name: Set ServerName for Apache for Ubuntu Trusty
-  command: a2enconf fqdn creates=/etc/apache2/conf-enabled/fqdn.conf
-  notify: restart apache
-  when: ansible_distribution_release == 'trusty'
-
 - name: Create decrypted directory (even if encfs isn't used)
   file: state=directory path=/decrypted
 
 - name: Set decrypted directory permissions
-  file: state=directory path=/decrypted group=mail mode=775
+  file: state=directory path=/decrypted group=mail mode=0775
 
 - include: encfs.yml tags=encfs
 - include: users.yml tags=users
+- include: apache.yml tags=apache
 - include: ssl.yml tags=ssl
+- include: letsencrypt.yml tags=letsencrypt
 - include: ufw.yml tags=ufw
 - include: security.yml tags=security
 - include: ntp.yml tags=ntp
 - include: google_auth.yml tags=google_auth
-  when: ansible_distribution_release != 'trusty'
-- include: google_auth_mod.yml tags=google_auth
-  when: ansible_distribution_release == 'trusty'

roles/common/tasks/ntp.yml

@@ -11,6 +11,10 @@
   notify:
     - restart ntp
 
-- name: Ensure ntpd is running and enabled
-  service: name=ntp state=started enabled=yes
+- name: Ensure ntpd is running
+  service: name=ntp state=started
 
+# Work around https://github.com/ansible/ansible-modules-core/issues/915
+# otherwise we'd use enabled=yes in previous task
+- name: Ensure ntp is enabled
+  command: update-rc.d ntp enable creates=/etc/rc3.d/S03ntp

roles/common/tasks/ssl.yml

@@ -1,27 +1,3 @@
-- name: Copy SSL private key into place
-  copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640
-  register: private_key
-  notify: restart apache
-
-- name: Copy SSL public certificate into place
-  copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644
-  register: certificate
-  notify: restart apache
-
-- name: Copy CA combined certificate into place
-  copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644
-  register: ca_certificate
-  notify: restart apache
-
-- name: Create a combined version of the public cert with intermediate and root CAs
-  shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
-    /etc/ssl/certs/wildcard_combined.pem
-  when: private_key.changed or certificate.changed or ca_certificate.changed
-
-- name: Set permissions on combined public cert
-  file: name=/etc/ssl/certs/wildcard_combined.pem mode=644
-  notify: restart apache
-
 - name: Create strong Diffie-Hellman group
   command: openssl dhparam -out /etc/ssl/private/dhparam2048.pem 2048
     creates=/etc/ssl/private/dhparam2048.pem
@@ -30,38 +6,18 @@
   command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load
   notify: restart apache
 
-- name: Enable NameVirtualHost for HTTPS
-  lineinfile:
-    dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443'
-    insertafter='^<IfModule mod_ssl.c>'
-    line='    NameVirtualHost *:443'
-  notify: restart apache
-
 - name: Enable Apache SOCACHE_SHMCB module for the SSL stapling cache
   command: a2enmod socache_shmcb
     creates=/etc/apache2/mods-enabled/socache_shmcb.load
   notify: restart apache
-  when: ansible_distribution_release != 'wheezy'
 
-- name: Add Apache SSL stapling cache configuration
-  copy:
-    src=etc_apache2_conf-available_ssl-stapling-cache.conf
-    dest=/etc/apache2/conf-available/ssl-stapling-cache.conf
+- name: Add common Apache SSL config
+  template: src=etc_apache2_conf-available_ssl.conf.j2
+    dest=/etc/apache2/conf-available/ssl.conf
     owner=root
     group=root
-  when: ansible_distribution_release != 'wheezy'
-  notify: restart apache
-
-- name: Enable Apache SSL stapling cache configuration
-  command: a2enconf ssl-stapling-cache
-    creates=/etc/apache2/conf-enabled/ssl-stapling-cache.conf
-  when: ansible_distribution_release != 'wheezy'
   notify: restart apache
 
-- name: Add common Apache SSL config
-  template:
-    src=etc_apache2_ssl.conf.j2
-    dest=/etc/apache2/ssl.conf
-    owner=root
-    group=root
+- name: Enable Apache SSL config
+  command: a2enconf ssl creates=/etc/apache2/conf-enabled/ssl.conf
   notify: restart apache

roles/common/tasks/ufw.yml

@@ -1,7 +1,7 @@
 ---
-# Installs and configures ufw, which in turn uses iptables for firewall management
+# Installs and configures ufw, which in turn uses iptables for firewall management.
+# ufw includes sensible ICMP defaults.
 
-# ufw includes sensible icmp defaults
 - name: Install ufw
   apt: pkg=ufw state=present
   tags:
@@ -37,8 +37,3 @@
   register: ufw_config
   changed_when: False  # never report as "changed"
   tags: ufw
-
-- name: Disable logging (workaround for known bug in Debian 7)
-  ufw: logging=off
-  when: "ansible_lsb['codename'] == 'wheezy' and 'LOGLEVEL=off' not in ufw_config.stdout"
-  tags: ufw

roles/common/templates/apt_sources.list.j2

@@ -1,5 +0,0 @@
-# This file is generated by Sovereign
-deb mirror://mirrors.ubuntu.com/mirrors.txt {{ ansible_distribution_release }} main restricted universe multiverse
-deb mirror://mirrors.ubuntu.com/mirrors.txt {{ ansible_distribution_release }}-updates main restricted universe multiverse
-deb mirror://mirrors.ubuntu.com/mirrors.txt {{ ansible_distribution_release }}-backports main restricted universe multiverse
-deb mirror://mirrors.ubuntu.com/mirrors.txt {{ ansible_distribution_release }}-security main restricted universe multiverse

roles/common/templates/etc_apache2_ssl.conf.j2 → roles/common/templates/etc_apache2_conf-available_ssl.conf.j2

@@ -1,14 +1,14 @@
-SSLEngine on
 SSLProtocol ALL -SSLv2 -SSLv3
 SSLHonorCipherOrder On
 SSLCompression off
-{% if ansible_distribution_release != 'wheezy' %}
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-{% endif %}
+SSLUseStapling On
+SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+
+SSLCertificateKeyFile	/etc/letsencrypt/live/{{ domain }}/privkey.pem
+SSLCertificateFile	/etc/letsencrypt/live/{{ domain }}/fullchain.pem
+
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+
 Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

roles/common/templates/etc_fail2ban_jail.local.j2

@@ -28,11 +28,7 @@ maxretry = 1
 enabled = true
 filter = dovecot-pop3imap
 action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap,993,995", protocol=tcp]
-{% if ansible_distribution == 'Ubuntu' %}
 logpath = /var/log/mail.log
-{% else %}
-logpath = /var/log/maillog
-{% endif %}
 maxretry = 20
 findtime = 1200
 bantime = 1200

roles/common/templates/etc_letsencrypt_cli.conf.j2

@@ -0,0 +1,8 @@
+rsa-key-size = 4096
+server = {{ letsencrypt_server }}
+authenticator = standalone
+register-unsafely-without-email = True
+keep = True
+expand = True
+agree-tos = True
+non-interactive = True

roles/common/templates/etc_ssh_ssh_config.j2

@@ -1,3 +1,8 @@
+# Github needs diffie-hellman-group-exchange-sha1 some of the time but not always.
+Host github.com
+    KexAlgorithms {{ kex_algorithms }},diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+
+Host *
     Ciphers {{ ciphers }}
     KexAlgorithms {{ kex_algorithms }}
     SendEnv LANG LC_*

roles/common/templates/sudoers.j2

@@ -1 +1,4 @@
-+{{ main_user_name }} ALL=(ALL) NOPASSWD: ALL
+{{ main_user_name }} ALL=(ALL) NOPASSWD: ALL
+
+# Allow SSH agent forwarding when using sudo
+Defaults    env_keep+=SSH_AUTH_SOCK

roles/git/defaults/main.yml

@@ -0,0 +1,3 @@
+cgit_version: 0.12
+cgit_domain: "git.{{ domain }}"
+gitolite_version: 3.6.4

roles/git/tasks/cgit.yml

@@ -46,7 +46,7 @@
             group=root
             owner=root
 
-- name: Enable Apache cgi module
+- name: Enable Apache CGI module
   command: a2enmod cgi creates=/etc/apache2/mods-enabled/cgi.load
   notify: restart apache
 

roles/git/tasks/gitolite.yml

@@ -7,23 +7,10 @@
 - name: Add www-data to the git group
   user: name=www-data groups=git append=yes
 
-- name: Download gitolite release
-  git: repo=git://github.com/sitaramc/gitolite
-       dest=/home/git/gitolite
-       version=v{{ gitolite_version }}
-       accept_hostkey=yes
-
-- name: Give git user file permissions
-  file: path=/home/git/gitolite
-        state=directory
-        recurse=yes
-        owner=git
-        group=git
-
-- name: Install gitolite
-  command: ./gitolite/install -ln /usr/local/bin
-           chdir=/home/git
-           creates=/usr/local/bin/gitolite
+- name: Install gitolite3 package
+  apt: pkg=gitolite3 state=installed
+  tags:
+    - dependencies
 
 - name: Copy .gitolite.rc file
   copy: src=home_git_.gitolite.rc

roles/git/tasks/gitolite_packaged.yml

@@ -1,31 +0,0 @@
-- name: Create gitolite group
-  group: name=git state=present
-
-- name: Create gitolite user
-  user: name=git state=present home=/home/git system=yes group=git
-
-- name: Add www-data to the git group
-  user: name=www-data groups=git append=yes
-
-- name: Install gitolite3 package
-  apt: pkg=gitolite3 state=installed
-  tags:
-    - dependencies
-
-- name: Copy .gitolite.rc file
-  copy: src=home_git_.gitolite.rc
-        dest=/home/git/.gitolite.rc
-        group=git
-        owner=git
-        mode=0644
-
-- name: Copy SSH public key to server
-  copy: src=gitolite.pub
-        dest=/home/git/{{ main_user_name }}.pub
-        group=git
-        owner=git
-        mode=0644
-
-- name: Setup gitolite
-  command: su - git -c 'gitolite setup -pk {{ main_user_name }}.pub'
-           chdir=/home/git

roles/git/tasks/main.yml

@@ -1,5 +1,2 @@
 - include: gitolite.yml tags=gitolite
-  when: ansible_distribution_release != 'trusty'
-- include: gitolite_packaged.yml tags=gitolite
-  when: ansible_distribution_release == 'trusty'
 - include: cgit.yml tags=cgit

roles/git/templates/etc_apache2_sites-available_cgit.j2

@@ -6,15 +6,13 @@
 
 <VirtualHost *:443>
     ServerName {{ cgit_domain }}
+    SSLEngine On
 
-    Include /etc/apache2/ssl.conf
     DocumentRoot /var/www/htdocs/cgit/
-
     <Directory "/var/www/htdocs/cgit/">
         AllowOverride None
         Options +ExecCGI
-        Order allow,deny
-        Allow from all
+        Require all granted
     </Directory>
 
     Alias /cgit.png         /var/www/htdocs/cgit/cgit.png

roles/ircbouncer/defaults/main.yml

@@ -0,0 +1 @@
+irc_timezone: "{{ common_timezone|default('Etc/UTC') }}"

roles/ircbouncer/files/etc_init.d_znc

@@ -1,139 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:          znc
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: ZNC IRC bouncer
-# Description:       ZNC is an IRC bouncer
-### END INIT INFO
- 
-PATH=/sbin:/usr/sbin:/bin:/usr/bin
-DESC="ZNC daemon"
-NAME=znc
-DAEMON=/usr/local/bin/$NAME
-DATADIR=/var/lib/znc
-DAEMON_ARGS="--datadir=$DATADIR"
-PIDDIR=/var/run/znc
-PIDFILE=$PIDDIR/$NAME.pid
-SCRIPTNAME=/etc/init.d/$NAME
-USER=znc
-GROUP=znc
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-  # Return
-  #   0 if daemon has been started
-  #   1 if daemon was already running
-  #   2 if daemon could not be started
-  if [ ! -d $PIDDIR ]
-  then
-    mkdir $PIDDIR
-  fi
-  chown $USER:$GROUP $PIDDIR
-  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test --chuid $USER > /dev/null || return 1
-  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER -- $DAEMON_ARGS > /dev/null || return 2
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-  # Return
-  #   0 if daemon has been stopped
-  #   1 if daemon was already stopped
-  #   2 if daemon could not be stopped
-  #   other if a failure occurred
-  start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME --chuid $USER
-  RETVAL="$?"
-  [ "$RETVAL" = 2 ] && return 2
-  # Wait for children to finish too if this is a daemon that forks
-  # and if the daemon is only ever run from this initscript.
-  # If the above conditions are not satisfied then add some other code
-  # that waits for the process to drop all resources that could be
-  # needed by services started subsequently.  A last resort is to
-  # sleep for some time.
-  start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --chuid $USER
-  [ "$?" = 2 ] && return 2
-  # Many daemons don't delete their pidfiles when they exit.
-  rm -f $PIDFILE
-  return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-  start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME --chuid $USER
-  return 0
-}
-
-case "$1" in
-  start)
-  [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-  do_start
-  case "$?" in
-    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-  esac
-  ;;
-  stop)
-  [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-  do_stop
-  case "$?" in
-    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-  esac
-  ;;
-  status)
-  status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $?
-  ;;
-  reload)
-  log_daemon_msg "Reloading $DESC" "$NAME"
-  do_reload
-  log_end_msg $?
-  ;;
-  restart)
-  log_daemon_msg "Restarting $DESC" "$NAME"
-  do_stop
-  case "$?" in
-    0|1)
-    do_start
-    case "$?" in
-      0) log_end_msg 0 ;;
-      1) log_end_msg 1 ;; # Old process is still running
-      *) log_end_msg 1 ;; # Failed to start
-    esac
-    ;;
-    *)
-    # Failed to stop
-    log_end_msg 1
-    ;;
-  esac
-  ;;
-  *)
-  echo "Usage: $SCRIPTNAME {status|start|stop|reload|restart}" >&2
-  exit 3
-  ;;
-esac
-
-:

roles/ircbouncer/files/etc_systemd_system_znc.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=ZNC, an IRC bouncer
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/znc --datadir=/usr/lib/znc
+PIDFile=/var/run/znc/znc.pid
+User=znc
+
+[Install]
+WantedBy=multi-user.target

roles/ircbouncer/tasks/znc.yml

@@ -1,64 +1,59 @@
 # more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
 
-- name: Install znc dependencies
+- name: Install znc
   apt: pkg={{ item }} state=installed
   with_items:
-    - automake
-    - build-essential
-    - checkinstall
-    - g++
-    - libperl-dev
-    - libsasl2-dev
-    - libssl-dev
-    - libtool
-    - openssl
-    - pkg-config
-    - python3-dev
-    - swig
-  tags:
-    - dependencies
-
-- name: Download znc release
-  get_url: url=http://znc.in/releases/archive/znc-{{ znc_version }}.tar.gz dest=/root/znc-{{ znc_version }}.tar.gz
-
-- name: Decompress znc source
-  unarchive: src=/root/znc-{{ znc_version }}.tar.gz
-             dest=/root copy=no
-             creates=/root/znc-{{ znc_version }}/configure
-
-- name: Build and install znc
-  shell: ./configure --enable-python && make && make install executable=/bin/bash chdir=/root/znc-{{ znc_version }} creates=/usr/local/bin/znc
-  notify: restart znc
+    - znc
 
 - name: Create znc group
   group: name=znc state=present
 
 - name: Create znc user
-  user: name=znc state=present home=/var/lib/znc system=yes group=znc shell=/usr/sbin/nologin
+  user: name=znc state=present home=/usr/lib/znc system=yes group=znc shell=/usr/sbin/nologin
 
-- name: Copy znc init file into place
-  copy: src=etc_init.d_znc dest=/etc/init.d/znc mode=0755
+- name: Ensure pid directory exists
+  file: state=directory path=/var/run/znc group=znc owner=znc
 
-- name: Create a combined version of the private key with public cert and intermediate + root CAs
-  shell: cat /etc/ssl/private/wildcard_private.key /etc/ssl/certs/wildcard_combined.pem >
-    /var/lib/znc/znc.pem creates=/var/lib/znc/znc.pem
+- name: Ensure configuration folders exist
+  file: state=directory path=/usr/lib/znc/{{ item }} group=znc owner=znc
+  with_items:
+    - moddata
+    - modules
+    - users
+
+- name: Copy znc service file into place
+  copy: src=etc_systemd_system_znc.service dest=/etc/systemd/system/znc.service mode=0644
+
+- name: Create a combined version of the SSL private key and full certificate chain
+  shell: cat /etc/letsencrypt/live/{{ domain }}/privkey.pem
+    /etc/letsencrypt/live/{{ domain }}/fullchain.pem >
+    /usr/lib/znc/znc.pem
+    creates=/usr/lib/znc/znc.pem
   notify: restart znc
 
+- name: Update post-certificate-renewal task
+  template:
+    src: etc_letsencrypt_postrenew_znc.sh.j2
+    dest: /etc/letsencrypt/postrenew/znc.sh
+    owner: root
+    group: root
+    mode: 0755
+
 - name: Ensure znc user and group can read cert
-  file: path=/var/lib/znc/znc.pem group=znc owner=znc mode=640
+  file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=0640
   notify: restart znc
 
 - name: Check for existing config file
-  command: cat /var/lib/znc/configs/znc.conf
+  command: cat /usr/lib/znc/configs/znc.conf
   register: znc_config
   ignore_errors: True
   changed_when: False  # never report as "changed"
 
 - name: Create znc config directory
-  file: state=directory path=/var/lib/znc/configs group=znc owner=znc
+  file: state=directory path=/usr/lib/znc/configs group=znc owner=znc
 
 - name: Copy znc configuration file into place
-  template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc
+  template: src=usr_lib_znc_configs_znc.conf.j2 dest=/usr/lib/znc/configs/znc.conf owner=znc group=znc
   when: znc_config.rc != 0
   notify: restart znc
 
@@ -67,4 +62,4 @@
   tags: ufw
 
 - name: Ensure znc is a system service
-  service: name=znc state=started enabled=true
+  service: name=znc state=restarted enabled=true

roles/ircbouncer/templates/etc_letsencrypt_postrenew_znc.sh.j2

@@ -0,0 +1,7 @@
+#!/bin/bash
+# Executed by /etc/cron.daily/letsencrypt-renew
+
+cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /usr/lib/znc/znc.pem
+chown znc.znc /usr/lib/znc/znc.pem
+chmod 640 /usr/lib/znc/znc.pem
+service znc restart

roles/ircbouncer/templates/var_lib_znc_configs_znc.conf.j2 → roles/ircbouncer/templates/usr_lib_znc_configs_znc.conf.j2

@@ -16,7 +16,7 @@ MaxBufferSize = 500
 Motd = Connected to ZNC
 PidFile = /var/run/znc/znc.pid
 ProtectWebSessions = true
-SSLCertFile = /var/lib/znc/znc.pem
+SSLCertFile = /usr/lib/znc/znc.pem
 ServerThrottle = 30
 Skin = _default_
 StatusPrefix = *

roles/mailserver/defaults/main.yml

@@ -0,0 +1,29 @@
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+db_admin_username: 'postgres'
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password', length=32) }}"
+
+mail_db_username: 'mailuser'
+mail_db_password: "{{ lookup('password', secret + '/' + 'mail_db_password', length=32) }}"
+mail_db_database: 'mailserver'
+
+mail_server_hostname: "mail.{{ domain }}"
+mail_server_autoconfig_hostname: "autoconfig.{{ domain }}"
+mail_header_privacy: 1
+
+# virtual domains
+mail_virtual_domains: []
+mail_virtual_users: []
+mail_virtual_aliases: []
+
+# opendmarc
+mail_db_opendmarc_username: opendmarc
+mail_db_opendmarc_database: opendmarc
+mail_db_opendmarc_password: "{{ lookup('password', secret + '/' + 'mail_db_opendmarc_password', length=32) }}"
+
+# zpush
+zpush_version: 2.1.1-1788
+# common_timezone is a sovereign variable
+zpush_timezone: "{{ common_timezone|default('Etc/UTC') }}"

roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf

@@ -7,19 +7,6 @@
 # their configuration. Note that %variable expansion is done for all values.
 
 plugin {
-  # Antispam (DSPAM)
-  antispam_backend = dspam
-  antispam_allow_append_to_spam = YES
-  antispam_spam = Spam;Junk
-  antispam_trash = trash;Trash
-  antispam_signature = X-DSPAM-Signature
-  antispam_signature_missing = error
-  antispam_dspam_binary = /usr/bin/dspam
-  antispam_dspam_args = --user;%u;--deliver=;--source=error
-  antispam_dspam_spam = --class=spam
-  antispam_dspam_notspam = --class=innocent
-  antispam_dspam_result_header = X-DSPAM-Result
-
   # FTS (full text search with Solr)
   fts = solr
   fts_solr = break-imap-search url=http://localhost:8080/solr/

roles/mailserver/files/etc_dspam_default.prefs

@@ -1,43 +0,0 @@
-# $Id: default.prefs,v 1.2 2011/04/19 07:17:03 sbajic Exp $
-# default.prefs v3.2
-# Default preferences for DSPAM
-
-# This file serves two purposes. First, it sets the default preferences each
-# user will see when using the preferences section of the DSPAM Control
-# Center. Second, it may be symbolically linked (or copied) into DSPAM_HOME to
-# set the system-wide default preferences, overriding any commandline or
-# dspam.conf parameters. If symlinked, an administrator can edit these options 
-# in the DSPAM Administrative Suite.
-
-# Training Mode: TEFT, TOE, TUM, NOTRAIN
-trainingMode=TEFT
-
-# Spam Action: quarantine, tag, deliver
-spamAction=deliver         # { quarantine | tag | deliver } -> default:quarantine
-
-# Spam Subject: the text to be prepended onto the subject line of tagged spams
-spamSubject=[SPAM]
-
-# Bayesian Noise Reduction: on/off
-enableBNR=on
-
-# Automatic Whitelisting: on/off
-enableWhitelist=on
-
-# Statistical Sedation: 0-10
-statisticalSedation=5
-
-# Signature Location: message, headers, attachment
-signatureLocation=headers
-
-# Whitelist Threshold: the minimum number of innocent hits from a recipient to
-# be automatically whitelisted. Do not set this value too low!
-whitelistThreshold=10
-
-# showFactors: when set to on, the determining factors for each message will
-# be added to a X-DSPAM-Factors message header.
-showFactors=on
-
-# optIn/optOut: Depending on the opt mode set, you can also use one of these.
-#optIn=on
-#optOut=off

roles/mailserver/files/etc_dspam_dspam.conf

@@ -1,699 +0,0 @@
-## $Id: dspam.conf.in,v 1.100 2011/07/09 00:00:52 sbajic Exp $
-## dspam.conf -- DSPAM configuration file
-##
-
-#
-# DSPAM Home: Specifies the base directory to be used for DSPAM storage
-#
-Home /decrypted/dspam
-
-#
-# StorageDriver: Specifies the storage driver backend (library) to use.
-# You'll only need to set this if you are using dynamic storage driver plugins
-# from a binary distribution. The default build statically links the storage
-# driver (when only one is specified at configure time), overriding this
-# setting, which only comes into play if multiple storage drivers are specified
-# at configure time. When using dynamic linking, be sure to include the path
-# to the library if necessary, and some systems may use an extension other
-# than .so (e.g. OSX uses .dylib).
-#
-# Options include:
-#
-#   libmysql_drv.so     libpgsql_drv.so
-#   libsqlite3_drv.so   libhash_drv.so
-#
-# IMPORTANT: Switching storage drivers requires more than merely changing
-# this option. If you do not wish to lose all of your data, you will need to
-# migrate it to the new backend before making this change.
-#
-StorageDriver /usr/lib/x86_64-linux-gnu/dspam/libhash_drv.so
-
-#
-# Trusted Delivery Agent: Specifies the local delivery agent DSPAM should call
-# when delivering mail as a trusted user. Use %u to specify the user DSPAM is
-# processing mail for. It is generally a good idea to allow the MTA to specify
-# the pass-through arguments at run-time, but they may also be specified here.
-#
-# Most operating system defaults:
-#TrustedDeliveryAgent "/usr/bin/procmail"       # Linux
-#TrustedDeliveryAgent "/usr/bin/mail"           # Solaris
-#TrustedDeliveryAgent "/usr/libexec/mail.local" # FreeBSD
-#TrustedDeliveryAgent "/usr/bin/procmail"       # Cygwin
-#
-# Other popular configurations:
-#TrustedDeliveryAgent "/usr/cyrus/bin/deliver"	# Cyrus
-#TrustedDeliveryAgent "/bin/maildrop"		# Maildrop
-#TrustedDeliveryAgent "/usr/local/sbin/exim -oMr spam-scanned -oi" # Exim
-#
-TrustedDeliveryAgent "/usr/sbin/sendmail"
-
-#
-# Untrusted Delivery Agent: Specifies the local delivery agent and arguments
-# DSPAM should use when delivering mail and running in untrusted user mode.
-# Because DSPAM will not allow pass-through arguments to be specified to
-# untrusted users, all arguments should be specified here. Use %u to specify
-# the user DSPAM is processing mail for. This configuration parameter is only
-# necessary if you plan on allowing untrusted processing.
-#
-UntrustedDeliveryAgent "/usr/lib/dovecot/deliver -d %u"
-
-#
-# SMTP or LMTP Delivery: Alternatively, you may wish to use SMTP or LMTP
-# delivery to deliver your message to the mail server instead of using a
-# delivery agent. You will need to configure with --enable-daemon to use host
-# delivery, however you do not need to operate in daemon mode. Specify an IP
-# address or UNIX path to a domain socket below as a host.
-#
-# If you would like to set up DeliveryHost's on a per-domain basis, use
-# the syntax: DeliveryHost.domain.com 1.2.3.4
-#
-#DeliveryHost		127.0.0.1
-#DeliveryPort		2424
-#DeliveryIdent		localhost
-#DeliveryProto		LMTP
-
-#
-# FallbackDomains: If you want to specify certain domains as fallback domains,
-# enable this option. For example, you could create a user @domain.com, and
-# if bob@domain.com does not resolve to a known user on the system, the user
-# could default to your @domain.com user. NOTE: This also requires designating
-# fallbackDomain for the domain name;
-# e.g. dspam_admin ch pref domain.com fallbackDomain on
-#
-#FallbackDomains on
-
-#
-# Quarantine Agent: DSPAM's default behavior is to quarantine all mail it
-# thinks is spam. If you wish to override this behavior, you may specify
-# a quarantine agent which will be called with all messages DSPAM thinks is
-# spam. Use %u to specify the user DSPAM is processing mail for.
-#
-#QuarantineAgent	"/usr/bin/procmail -d spam"
-
-#
-# DSPAM can optionally process "plused users" (addresses in the user+detail
-# form) by truncating the username just before the "+", so all internal
-# processing occurs for "user", but delivery will be performed for
-# "user+detail". This is only useful if the LDA can handle "plused users"
-# (for example Cyrus IMAP) and when configured for LMTP delivery above
-#
-#EnablePlusedDetail	on
-
-#
-# Character to use as seperator between user names and address extensions.
-# If you change this value then please adjust QuarantineMailbox to use the
-# new specified character. The default is '+'.
-#
-#PlusedCharacter	+
-
-#
-# Turn this feature on if you want to force DSPAM to lowercase the "plused
-# users" username.
-#
-#PlusedUserLowercase	on
-
-#
-# Quarantine Mailbox: DSPAM's LMTP code can send spam mail using LMTP to a
-# "plused" mailbox (such as user+quarantine) leaving quarantine processing
-# for retraining or deletion to be performed by the LDA and the mail client.
-# "plused" mailboxes are supported by Cyrus IMAP and possibly other LDAs. If
-# you don't set/change PlusedCharacter then the mailbox name must have the +
-# since the + is the default used character.
-#
-#QuarantineMailbox	+quarantine
-
-#
-# OnFail: What to do if local delivery or quarantine should fail. If set
-# to "unlearn", DSPAM will unlearn the message prior to exiting with an
-# un successful return code. The default option, "error" will not unlearn
-# the message but return the appropriate error code. The unlearn option
-# is use-ful on some systems where local delivery failures will cause the
-# message to be requeued for delivery, and could result in the message
-# being processed multiple times. During a very large failure, however,
-# this could cause a significant load increase.
-#
-OnFail error
-
-#
-# Trusted Users: Only the users specified below will be allowed to perform
-# administrative functions in DSPAM such as setting the active user and
-# accessing tools. All other users attempting to run DSPAM will be restricted;
-# their uids will be forced to match the active username and they will not be
-# able to specify delivery agent privileges or use tools.
-#
-Trust root
-Trust dspam
-Trust www-data
-Trust mail
-Trust daemon
-Trust amavis
-Trust vmail
-#Trust nobody
-#Trust majordomo
-
-#
-# Debugging: Enables debugging for some or all users. IMPORTANT: DSPAM must
-# be compiled with debug support in order to use this option. DSPAM should
-# never be running in production with debug active unless you are
-# troubleshooting problems.
-#
-# DebugOpt: One or more of: process, classify, spam, fp, inoculation, corpus
-#   process     standard message processing
-#   classify    message classification using --classify
-#   spam        error correction of missed spam
-#   fp          error correction of false positives
-#   inoculation message inoculations (source=inoculation)
-#   corpus      corpusfed messages (source=corpus)
-#
-#Debug *
-#Debug bob bill
-#
-#DebugOpt process spam fp
-
-#
-# ClassAlias: Alias a particular class to spam/nonspam. This is useful if
-# classifying things other than spam.
-#
-#ClassAliasSpam badstuff
-#ClassAliasNonspam goodstuff
-
-#
-# Training Mode: The default training mode to use for all operations, when
-# one has not been specified on the commandline or in the user's preferences.
-# Acceptable values are:
-#     toe     Train on Error (Only)
-#     teft    Train Everything (Trains on every message)
-#     tum     Train Until Mature (Train only tokens without enough data)
-#     notrain Do not train or store signatures (large ISP systems, post-train)
-#
-TrainingMode teft
-
-#
-# TestConditionalTraining: By default, dspam will retrain certain errors
-# until the condition is no longer met. This usually accelerates learning.
-# Some people argue that this can increase the risk of errors, however.
-#
-TestConditionalTraining on
-
-#
-# Features: Specify features to activate by default; can also be specified
-# on the commandline. See the documentation for a list of available features.
-# If _any_ features are specified on the commandline, these are ignored.
-#
-#Feature noise
-Feature whitelist
-
-# Training Buffer: The training buffer waters down statistics during training.
-# It is designed to prevent false positives, but can also dramatically reduce
-# dspam's catch rate during initial training. This can be a number from 0
-# (no buffering) to 10 (maximum buffering). If you are paranoid about false
-# positives, you should probably enable this option.
-#
-#Feature tb=5
-
-#
-# Algorithms: Specify the statistical algorithms to use, overriding any
-# defaults configured in the build. The options are:
-#    naive       Naive-Bayesian (All Tokens)
-#    graham      Graham-Bayesian ("A Plan for Spam")
-#    burton      Burton-Bayesian (SpamProbe)
-#    robinson    Robinson's Geometric Mean Test (Obsolete)
-#    chi-square  Fisher-Robinson's Chi-Square Algorithm
-#
-# You may have multiple algorithms active simultaneously, but it is strongly
-# recommended that you group Bayesian algorithms with other Bayesian
-# algorithms, and any use of Chi-Square remain exclusive.
-#
-# NOTE: For standard "CRM114" Markovian weighting, use 'naive', or consider
-#       using 'burton' for slightly better accuracy
-#
-# Don't mess with this unless you know what you're doing
-#
-#Algorithm chi-square
-#Algorithm naive
-Algorithm graham burton
-
-#
-# Tokenizer: Specify the tokenizer to use. The tokenizer is the piece
-# responsible for parsing the message into individual tokens. Depending on
-# how many resources you are willing to trade off vs. accuracy, you may
-# choose to use a less or more detailed tokenizer:
-#   word    uniGram (single word) tokenizer
-#           Tokenizes message into single individual words/tokens
-#           example: "free" and "viagra"
-#   chain   biGram (chained tokens) tokenizer (default)
-#           Single words + chains adjacent tokens together
-#           example: "free" and "viagra" and "free viagra"
-#   sbph    Sparse Binary Polynomial Hashing tokenizer
-#           Creates sparse token patterns across sliding window of 5-tokens
-#           example: "the quick * fox jumped" and "the * * fox jumped"
-#   osb     Orthogonal Sparse biGram tokenizer
-#           Similar to SBPH, but only uses the biGrams
-#           example: "the * * fox" and "the * * * jumped"
-#
-# In general the reccomendation is to use 'osb' for new installations.
-# The default value of 'chain' remains here as not to surprise anyone upgrading
-# that has not changed from the default value.
-#
-Tokenizer chain
-
-#
-# PValue: Specify the technique used for calculating Probability Values,
-# overriding any defaults configured in the build. These options are:
-#    bcr         Bayesian Chain Rule (Graham's Technique - "A Plan for Spam")
-#    robinson    Robinson's Technique (used in Chi-Square)
-#    markov      Markovian Weighted Technique (for Markovian discrimination)
-#
-# Unlike the "Algorithms" property, you may only have one of these defined.
-# Use of the chi-square algorithm automatically changes this to robinson.
-#
-# Don't mess with this unless you know what you're doing.
-#
-#PValue robinson
-#PValue markov
-PValue bcr
-
-#
-# WebStats: Enable this if you are using the CGI, which writes .stats files
-WebStats on
-
-#
-# ImprobabilityDrive: Calculate odds-ratios for ham/spam, and add to
-# X-DSPAM-Improbability headers
-#
-#ImprobabilityDrive on
-
-#
-# Preferences: Specify any preferences to set by default, unless otherwise
-# overridden by the user (see next section) or a default.prefs file.
-# If user or default.prefs are found, the user's preferences will override any
-# defaults.
-#
-Preference "trainingMode=TEFT"		# { TOE | TUM | TEFT | NOTRAIN } -> default:teft
-Preference "spamAction=tag"		# { quarantine | tag | deliver } -> default:quarantine
-Preference "spamSubject=[SPAM]"		# { string } -> default:[SPAM]
-Preference "statisticalSedation=5"	# { 0 - 10 } -> default:0
-Preference "enableBNR=on"		# { on | off } -> default:off
-Preference "enableWhitelist=on"		# { on | off } -> default:on
-Preference "signatureLocation=headers"	# { message | headers } -> default:message
-Preference "tagSpam=off"		# { on | off }
-Preference "tagNonspam=off"		# { on | off }
-Preference "showFactors=off"		# { on | off } -> default:off
-Preference "optIn=off"			# { on | off }
-Preference "optOut=off"			# { on | off }
-Preference "whitelistThreshold=10"	# { Integer } -> default:10
-Preference "makeCorpus=off"		# { on | off } -> default:off
-Preference "storeFragments=off"		# { on | off } -> default:off
-Preference "localStore="		# { on | off } -> default:username
-Preference "processorBias=on"		# { on | off } -> default:on
-Preference "fallbackDomain=off"		# { on | off } -> default:off
-Preference "trainPristine=off"		# { on | off } -> default:off
-Preference "optOutClamAV=off"		# { on | off } -> default:off
-Preference "ignoreRBLLookups=off"	# { on | off } -> default:off
-Preference "RBLInoculate=off"		# { on | off } -> default:off
-Preference "notifications=off"		# { on | off } -> default:off
-
-#
-# Overrides: Specifies the user preferences which may override configuration
-# and commandline defaults. Any other preferences supplied by an untrusted user
-# will be ignored.
-#
-AllowOverride enableBNR
-AllowOverride enableWhitelist
-AllowOverride fallbackDomain
-AllowOverride ignoreGroups
-AllowOverride ignoreRBLLookups
-AllowOverride localStore
-AllowOverride makeCorpus
-AllowOverride optIn
-AllowOverride optOut
-AllowOverride optOutClamAV
-AllowOverride processorBias
-AllowOverride RBLInoculate
-AllowOverride showFactors
-AllowOverride signatureLocation
-AllowOverride spamAction
-AllowOverride spamSubject
-AllowOverride statisticalSedation
-AllowOverride storeFragments
-AllowOverride tagNonspam
-AllowOverride tagSpam
-AllowOverride trainPristine
-AllowOverride trainingMode
-AllowOverride whitelistThreshold
-AllowOverride dailyQuarantineSummary
-AllowOverride notifications
-
-# --- Profiles ---
-
-#
-# You can specify multiple storage profiles, and specify the server to
-# use on the commandline with --profile. For example:
-#
-#Profile DECAlpha
-#MySQLServer.DECAlpha	10.0.0.1
-#MySQLPort.DECAlpha	3306
-#MySQLUser.DECAlpha	dspam
-#MySQLPass.DECAlpha	changeme
-#MySQLDb.DECAlpha	dspam
-#MySQLCompress.DECAlpha	true
-#MySQLReconnect.DECAlpha	true
-#
-#Profile Sun420R
-#MySQLServer.Sun420R	10.0.0.2
-#MySQLPort.Sun420R	3306
-#MySQLUser.Sun420R	dspam
-#MySQLPass.Sun420R	changeme
-#MySQLDb.Sun420R	dspam
-#MySQLCompress.Sun420R	false
-#MySQLReconnect.Sun420R	true
-#
-#DefaultProfile	DECAlpha
-
-#
-# If you're using storage profiles, you can set failovers for each profile.
-# Of course, if you'll be failing over to another database, that database
-# must have the same information as the first. If you're using a global
-# database with no training, this should be relatively simple. If you're
-# configuring per-user data, however, you'll need to set up some type of
-# replication between databases.
-#
-#Failover.DECAlpha	SUN420R
-#Failover.Sun420R	DECAlpha
-
-# If the storage fails, the agent will follow each profile's failover up to
-# a maximum number of failover attempts. This should be set to a maximum of
-# the number of profiles you have, otherwise the agent could loop and try
-# the same profile multiple times (unless this is your desired behavior).
-#
-#FailoverAttempts	1
-
-#
-# Ignored headers: If DSPAM is behind other tools which may add a header to
-# incoming emails, it may be beneficial to ignore these headers - especially
-# if they are coming from another spam filter. If you are _not_ using one of
-# these tools, however, leaving the appropriate headers commented out will
-# allow DSPAM to use them as telltale signs of forged email.
-#
-#IgnoreHeader X-Spam-Status
-#IgnoreHeader X-Spam-Scanned
-#IgnoreHeader X-Virus-Scanner-Result
-
-#
-# Lookup: Perform lookups on streamlined blackhole list servers (see
-# http://www.nuclearelephant.com/projects/sbl/). The streamlined blacklist
-# server is machine-automated, unsupervised blacklisting system designed to
-# provide real-time and highly accurate blacklisting based on network spread.
-# When performing a lookup, DSPAM will automatically learn the inbound message
-# as spam if the source IP is listed. Until an official public RABL server is
-# available, this feature is only useful if you are running your own
-# streamlined blackhole list server for internal reporting among multiple mail
-# servers. Provide the name of the lookup zone below to use.
-#
-# This function performs standard reverse-octet.domain lookups, and while it
-# will function with many RBLs, it's strongly discouraged to use those
-# maintained by humans as they're often inaccurate and could hurt filter
-# learning and accuracy.
-#
-#Lookup		"sbl.yourdomain.com"
-
-#
-# RBLInoculate: If you want to inoculate the user from RBL'd messages it would
-# have otherwise missed, set this to on.
-#
-#RBLInoculate	off
-
-#
-# Notifications: Enable the sending of notification emails to users (first
-# message, quarantine full, etc.)
-#
-Notifications	off
-
-#
-# QuarantineWarnSize: You may specify a size when DSPAM should send a "Quarantine
-# Full" message to each user. This is only working if you enable notifications
-# (see above). Value is in bytes. Default is 2097152 -> 2MB.
-#
-#QuarantineWarnSize 2097152
-
-#
-# Purge configuration: Set dspam_clean purge default options, if not otherwise
-# specified on the commandline
-#
-PurgeSignatures 14	# Stale signatures
-PurgeNeutral	90	# Tokens with neutralish probabilities
-PurgeUnused	90	# Unused tokens
-PurgeHapaxes	30	# Tokens with less than 5 hits (hapaxes)
-PurgeHits1S	15	# Tokens with only 1 spam hit
-PurgeHits1I	15	# Tokens with only 1 innocent hit
-
-#
-# Purge configuration for SQL-based installations using purge.sql
-#
-#PurgeSignature	off	# Specified in purge.sql
-#PurgeNeutral	90
-#PurgeUnused	off	# Specified in purge.sql
-#PurgeHapaxes	off	# Specified in purge.sql
-#PurgeHits1S	off	# Specified in purge.sql
-#PurgeHits1I	off	# Specified in purge.sql
-
-#
-# Local Mail Exchangers: Used for source address tracking, tells DSPAM which
-# mail exchangers are local and therefore should be ignored in the Received:
-# header when tracking the source of an email. Note: you should use the address
-# of the host as appears between brackets [ ] in the Received header.
-# By default DSPAM is considering the following IPs always as LocalMX:
-#	10.0.0.0/8	- Private IP addresses (RFC 1918)
-#	127.0.0.0/8	- Localhost Loopback Address (RFC 1700)
-#	169.254.0.0/16	- Zeroconf / APIPA (RFC 3330)
-#	172.16.0.0/12	- Private IP addresses (RFC 1918)
-#	192.168.0.0/16	- Private IP addresses (RFC 1918)
-#
-LocalMX 127.0.0.1
-
-#
-# Logging: Disabling logging for users will make usage graphs unavailable to
-# them. Disabling system logging will make admin graphs unavailable.
-#
-SystemLog	on
-UserLog		on
-
-#
-# TrainPristine: for systems where the original message remains server side
-# and can therefore be presented in pristine format for retraining. This option
-# will cause DSPAM to cease all writing of signatures and DSPAM headers to the
-# message, and deliver the message in as pristine format as possible. This mode
-# REQUIRES that the original message in its pristine format (as of delivery)
-# be presented for retraining, as in the case of webmail, imap, or other
-# applications where the message is actually kept server-side during reading,
-# and is preserved. DO NOT use this switch unless the original message can be
-# presented for retraining with the ORIGINAL HEADERS and NO MODIFICATIONS.
-#
-# NOTE: You can't use this setting with dspam_trian; if you're going to use it,
-#       wait until after you train any corpora.
-#
-#TrainPristine on
-
-#
-# Opt: in or out; determines DSPAM's default filtering behavior. If this value
-# is set to in, users must opt-in to filtering by dropping a .dspam file in
-# /var/dspam/opt-in/user.dspam (or if you have homedirs configured, a .dspam
-# folder in their home directory).  The default is opt-out, which means all
-# users will be filtered unless a .nodspam file is dropped in
-# /var/dspam/opt-out/user.nodspam
-#
-Opt out
-
-#
-# TrackSources: specify which (if any) source addresses to track and report
-# them to syslog (mail.info). This is useful if you're running a firewall or
-# blacklist and would like to use this information. Spam reporting also drops
-# RABL blacklist files (see http://www.nuclearelephant.com/projects/rabl/).
-#
-#TrackSources spam nonspam virus
-
-#
-# ParseToHeaders: In lieu of setting up individual aliases for each user,
-# DSPAM can be configured to automatically parse the To: address for spam and
-# false positive forwards. From there, it can be configured to either set the
-# DSPAM user based on the username specified in the header and/or change the
-# training class and source accordingly. The options below can be used to
-# customize most common types of header parsing behavior to avoid the need for
-# multiple aliases, or if using LMTP, aliases entirely..
-#
-# ParseToHeader: Parse the To: headers of an incoming message. This must be
-#                set to 'on' to use either of the following features.
-#
-# ChangeModeOnParse: Automatically change the class (to spam or innocent)
-#   depending on whether spam- or notspam- was specified, and change the source
-#   to 'error'. This is convenient if you're not using aliases at all, but
-#   are delivering via LMTP.
-#
-# ChangeUserOnParse: Automatically change the username to match that specified
-#   in the To: header. For example, spam-bob@domain.tld will set the username
-#   to bob, ignoring any --user passed in. This may not always be desirable if
-#   you are using virtual email addresses as usernames. Options:
-#     on or user	take the portion before the @ sign only
-#     full		take everything after the initial {spam,notspam}-.
-#
-#ParseToHeaders on
-#ChangeModeOnParse on
-#ChangeUserOnParse on
-
-#
-# Broken MTA Options: Some MTAs don't support the proper functionality
-# necessary. In these cases you can activate certain features in DSPAM to
-# compensate. 'returnCodes' causes DSPAM to return an exit code of 99 if
-# the message is spam, 0 if not, or a negative code if an error has occured.
-# Specifying 'case' causes DSPAM to force the input usernames to lowercase.
-# Specifying 'lineStripping' causes DSPAM to strip ^M's from messages passed
-# in.
-#
-#Broken returnCodes
-#Broken case
-#Broken lineStripping
-
-#
-# MaxMessageSize: You may specify a maximum message size for DSPAM to process.
-# If the message is larger than the maximum size, it will be delivered
-# without processing. Value is in bytes.
-#
-#MaxMessageSize 4194304
-
-# --- ClamAV ---
-
-#
-# Virus Checking: If you are running clamd, DSPAM can perform stream-based
-# virus checking using TCP. Uncomment the values below to enable virus
-# checking.
-#
-# ClamAVResponse: reject (reject or drop the message with a permanent failure)
-#                 accept (accept the message and quietly drop the message)
-#                 spam   (treat as spam and quarantine/tag/whatever)
-#
-#ClamAVPort		3310
-#ClamAVHost		127.0.0.1
-#ClamAVResponse		accept
-
-# --- CLIENT / SERVER ---
-
-#
-# Daemonized Server: If you are running DSPAM as a daemonized server using
-# --daemon, the following parameters will override the default. Use the
-# ServerPass option to set up accounts for each client machine. The DSPAM
-# server will process and deliver the message based on the parameters
-# specified. If you want the client machine to perform delivery, use
-# the --stdout option in conjunction with a local setup.
-#
-# ServerHost: Not enabling ServerHost will bind DSPAM server to all available
-# interfaces.
-#
-# ServerPort: Default upstream configuration is to run dspam daemon on port
-# 24. On Debian, dspam being run as a unprivileged user, default port is
-# set to 2424.
-#
-#ServerHost		127.0.0.1
-#ServerPort		2424
-#ServerQueueSize	32
-#ServerPID		/var/run/dspam/dspam.pid
-
-#
-# ServerMode specifies the type of LMTP server to start. This can be one of:
-#     dspam: DSPAM-proprietary DLMTP server, for communicating with dspamc
-#  standard: Standard LMTP server, for communicating with Postfix or other MTA
-#      auto: Speak both DLMTP and LMTP; auto-detect by ServerPass.IDENT
-#
-#ServerMode dspam
-
-# If supporting DLMTP (dspam) mode, dspam clients will require authentication
-# as they will be passing in parameters. The idents below will be used to
-# determine which clients will be speaking DLMTP, so if you will be using
-# both LMTP and DLMTP from the same host, be sure to use something other
-# than the server's hostname below (which will be sent by the MTA during a
-# standard LMTP LHLO).
-#
-#ServerPass.Relay1	"secret"
-#ServerPass.Relay2	"password"
-
-# If supporting standard LMTP mode, server parameters will need to be specified
-# here, as they will not be passed in by the mail server. The ServerIdent
-# specifies the 250 response code ident sent back to connecting clients and
-# should be set to the hostname of your server, or an alias.
-#
-# NOTE: If you specify --user in ServerParameters, the RCPT TO will be
-#       used only for delivery, and not set as the active user for processing.
-#
-#ServerParameters	"--deliver=innocent -d %u"
-#ServerIdent		"localhost.localdomain"
-
-# If you wish to use a local domain socket instead of a TCP socket, uncomment
-# the following. It is strongly recommended you use local domain sockets if
-# you are running the client and server on the same machine, as it eliminates
-# much of the bandwidth overhead.
-#
-ServerDomainSocketPath	"/var/run/dspam/dspam.sock"
-
-#
-# Client Mode: If you are running DSPAM in client/server mode, uncomment and
-# set these variables. A ClientHost beginning with a / will be treated as
-# a domain socket.
-#
-#ClientHost	/var/run/dspam/dspam.sock
-#ClientIdent	"secret@Relay1"
-#
-#ClientHost	127.0.0.1
-#ClientPort	2424
-#ClientIdent	"secret@Relay1"
-
-# --- RABL ---
-
-# RABLQueue: Touch files in the RABL queue
-# If you are a reporting streamlined blackhole list participant, you can
-# touch ip addresses within the directory the rabl_client process is watching.
-#
-#RABLQueue	/var/spool/rabl
-
-# ---  ---
-
-# DataSource: If you are using any type of data source that does not include
-# email-like headers (such as documents), uncomment the line below. This
-# will cause the entire input to be treated like a message "body"
-#
-#DataSource document
-
-# ProcessorWordFrequency: By default, words are only counted once per message.
-# If you are classifying large documents, however, you may wish to count once
-# per occurrence instead.
-#
-#ProcessorWordFrequency occurrence
-
-# ProcessorURLContext: By default, a URL context is generated for URLs, which
-# records their tokens as separate from words found in documents. To use
-# URL tokens in the same context as words, turn this feature off.
-#
-ProcessorURLContext on
-
-# ProcessorBias: Bias causes the filter to lean more toward 'innocent', and
-# usually greatly reduces false positives. It is the default behavior of
-# most Bayesian filters (including dspam).
-#
-# NOTE: You probably DONT want this if you're using Markovian Weighting, unless
-# you are paranoid about false positives.
-#
-ProcessorBias on
-
-# StripRcptDomain: Cut the domain (including the at sign) from recipients.
-# This is particularly useful if the recipient name is equal to real user
-# accounts as recipients with domains tend to cause permission issues with
-# dspam-web.
-#
-StripRcptDomain off
-
-# --- Split Configuration File Support ---
-
-# Include a directory with configuration items.
-Include /etc/dspam/dspam.d/
-
-# ---  ---
-
-## EOF

roles/mailserver/files/etc_opendmarc_import.sql

@@ -1,89 +0,0 @@
---
-
-USE opendmarc;
-
-CREATE TABLE IF NOT EXISTS domains (
-        id INT NOT NULL AUTO_INCREMENT,
-        name VARCHAR(255) NOT NULL,
-        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-
-        PRIMARY KEY(id),
-        UNIQUE KEY(name)
-);
-
-CREATE TABLE IF NOT EXISTS requests (
-        id INT NOT NULL AUTO_INCREMENT,
-        domain INT NOT NULL,
-        repuri VARCHAR(255) NOT NULL,
-        adkim TINYINT NOT NULL,
-        aspf TINYINT NOT NULL,
-        policy TINYINT NOT NULL,
-        spolicy TINYINT NOT NULL,
-        pct TINYINT NOT NULL,
-        locked TINYINT NOT NULL,
-        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-        lastsent TIMESTAMP NOT NULL DEFAULT '0000-00-00 00:00:00',
-
-        PRIMARY KEY(id),
-        KEY(lastsent),
-        UNIQUE KEY(domain)
-);
-
-CREATE TABLE IF NOT EXISTS reporters (
-        id INT NOT NULL AUTO_INCREMENT,
-        name VARCHAR(255) NOT NULL,
-        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-
-        PRIMARY KEY(id),
-        UNIQUE KEY(name)
-);
-
-CREATE TABLE IF NOT EXISTS ipaddr (
-	id INT NOT NULL AUTO_INCREMENT,
-	addr VARCHAR(64) NOT NULL,
-	firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-
-	PRIMARY KEY(id),
-	UNIQUE KEY(addr)
-);
-
-CREATE TABLE IF NOT EXISTS messages (
-        id INT NOT NULL AUTO_INCREMENT,
-        date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-        jobid VARCHAR(128) NOT NULL,
-        reporter INT UNSIGNED NOT NULL,
-        policy TINYINT UNSIGNED NOT NULL,
-        disp TINYINT UNSIGNED NOT NULL,
-        ip INT UNSIGNED NOT NULL,
-        env_domain INT UNSIGNED NOT NULL,
-        from_domain INT UNSIGNED NOT NULL,
-        policy_domain INT UNSIGNED NOT NULL,
-        spf TINYINT UNSIGNED NOT NULL,
-        align_dkim TINYINT UNSIGNED NOT NULL,
-        align_spf TINYINT UNSIGNED NOT NULL,
-        sigcount TINYINT UNSIGNED NOT NULL,
-
-        PRIMARY KEY(id),
-        KEY(date),
-        UNIQUE KEY(reporter, date, jobid)
-);
-
-CREATE TABLE IF NOT EXISTS signatures (
-        id INT NOT NULL AUTO_INCREMENT,
-        message INT NOT NULL,
-        domain INT NOT NULL,
-        pass TINYINT NOT NULL,
-        error TINYINT NOT NULL,
-
-        PRIMARY KEY(id),
-        KEY(message)
-);

roles/mailserver/files/etc_postfix_dspam_filter_access

@@ -1 +0,0 @@
-/./   FILTER dspam:dspam

roles/mailserver/files/etc_postfix_master.cf

@@ -13,21 +13,22 @@ smtp       inet  n       -       -       -       1       postscreen
 smtpd      pass  -       -       -       -       -       smtpd
 dnsblog    unix  -       -       -       -       0       dnsblog
 tlsproxy   unix  -       -       -       -       0       tlsproxy
-#submission inet  n       -       -       -       -       smtpd
-#  -o syslog_name=postfix/submission
-#  -o smtpd_tls_security_level=encrypt
-#  -o smtpd_etrn_restrictions=reject
-#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
-
-# SMTP over SSL/TLS on port 465.
-smtps     inet  n       -       -       -       -       smtpd
-  -o syslog_name=postfix/smtps
-  -o smtpd_tls_wrappermode=yes
+submission inet  n       -       -       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_etrn_restrictions=reject
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
   -o smtpd_sasl_security_options=noanonymous,noplaintext
   -o smtpd_sasl_tls_security_options=noanonymous
 
+# SMTP over SSL/TLS on port 465.
+#smtps     inet  n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
+#  -o smtpd_sasl_security_options=noanonymous,noplaintext
+#  -o smtpd_sasl_tls_security_options=noanonymous
+
 #628       inet  n       -       -       -       -       qmqpd
 pickup    fifo  n       -       -       60      1       pickup
 cleanup   unix  n       -       -       -       0       cleanup
@@ -113,8 +114,5 @@ scalemail-backend unix	-	n	n	-	2	pipe
 mailman   unix  -       n       n       -       -       pipe
   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
   ${nexthop} ${user}
-# spam protection
-dspam     unix  -       n       n       -       10      pipe
-  flags=Ru user=dspam argv=/usr/bin/dspam --deliver=innocent,spam --user ${user}@${domain} -i -f $sender -- $recipient
 dovecot   unix  -       n       n       -       -       pipe
   flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/lmtp -f ${sender} -d ${user}@${nexthop}

roles/mailserver/files/etc_rmilter.conf.common

@@ -0,0 +1,12 @@
+spamd {
+	servers = r:localhost:11333;
+	whitelist = 127.0.0.1/32, 192.168.0.0/16, [::1]/128;
+};
+
+redis {
+	servers_id = localhost;
+	id_prefix = "message_id.";
+};
+
+tempdir = /tmp;
+max_size = 10M;

roles/mailserver/files/etc_tomcat6_server.xml → roles/mailserver/files/etc_tomcat7_server.xml

@@ -20,7 +20,9 @@
      Documentation at /docs/config/server.html
  -->
 <Server port="8005" shutdown="SHUTDOWN">
-
+  <!-- Security listener. Documentation at /docs/config/listeners.html
+  <Listener className="org.apache.catalina.security.SecurityListener" />
+  -->
   <!--APR library loader. Documentation at /docs/apr.html -->
   <!--
   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
@@ -29,9 +31,8 @@
   <Listener className="org.apache.catalina.core.JasperListener" />
   <!-- Prevent memory leaks due to use of particular java/javax APIs-->
   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
-  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
-  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
 
   <!-- Global JNDI resources
        Documentation at /docs/jndi-resources-howto.html
@@ -80,12 +81,13 @@
                redirectPort="8443" />
     -->
     <!-- Define a SSL HTTP/1.1 Connector on port 8443
-         This connector uses the JSSE configuration, when using APR, the
-         connector should be using the OpenSSL style configuration
-         described in the APR documentation -->
+         This connector uses the BIO implementation that requires the JSSE
+         style configuration. When using the APR/native implementation, the
+         OpenSSL style configuration is required as described in the APR/native
+         documentation -->
     <!--
-    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-               maxThreads="150" scheme="https" secure="true"
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
+               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS" />
     -->
 
@@ -113,26 +115,19 @@
       <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
       -->
 
-      <!-- The request dumper valve dumps useful debugging information about
-           the request and response data received and sent by Tomcat.
-           Documentation at: /docs/config/valve.html -->
-      <!--
-      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-      -->
-
-      <!-- This Realm uses the UserDatabase configured in the global JNDI
-           resources under the key "UserDatabase".  Any edits
-           that are performed against this UserDatabase are immediately
-           available for use by the Realm.  -->
-      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
+      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+           via a brute-force attack -->
+      <Realm className="org.apache.catalina.realm.LockOutRealm">
+        <!-- This Realm uses the UserDatabase configured in the global JNDI
+             resources under the key "UserDatabase".  Any edits
+             that are performed against this UserDatabase are immediately
+             available for use by the Realm.  -->
+        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+               resourceName="UserDatabase"/>
+      </Realm>
 
-      <!-- Define the default virtual host
-           Note: XML Schema validation will not work with Xerces 2.2.
-       -->
       <Host name="localhost"  appBase="webapps"
-            unpackWARs="true" autoDeploy="true"
-            xmlValidation="false" xmlNamespaceAware="false">
+            unpackWARs="true" autoDeploy="true">
 
         <!-- SingleSignOn valve, share authentication between web applications
              Documentation at: /docs/config/valve.html -->
@@ -141,11 +136,11 @@
         -->
 
         <!-- Access log processes all example.
-             Documentation at: /docs/config/valve.html -->
-        <!--
+             Documentation at: /docs/config/valve.html
+             Note: The pattern used is equivalent to using pattern="common" -->
         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
-               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
-        -->
+               prefix="localhost_access_log." suffix=".txt"
+               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
 
       </Host>
     </Engine>

roles/mailserver/files/lib_systemd_system_rmilter.socket

@@ -0,0 +1,8 @@
+[Unit]
+Description=Another sendmail milter for different mail checks
+
+[Socket]
+ListenStream=9900
+
+[Install]
+WantedBy=sockets.target

roles/mailserver/handlers/main.yml

@@ -8,7 +8,7 @@
   service: name=opendkim state=restarted
 
 - name: restart solr
-  service: name=tomcat6 state=restarted
+  service: name=tomcat7 state=restarted
 
 - name: import sql postfix
   action: shell PGPASSWORD='{{ mail_db_password }}' psql -h localhost -d {{ mail_db_database }} -U {{ mail_db_username }} -f /etc/postfix/import.sql --set ON_ERROR_STOP=1
@@ -16,3 +16,9 @@
 
 - name: restart opendmarc
   service: name=opendmarc state=restarted
+
+- name: restart rspamd
+  service: name=rspamd state=restarted
+
+- name: import opendmarc schema
+  mysql_db: name={{ mail_db_opendmarc_database }} state=import target=/usr/share/doc/opendmarc/schema.mysql

roles/mailserver/tasks/dovecot.yml

@@ -1,23 +1,4 @@
-- name: Add wheezy-backports to get a reasonably current Dovecot on Debian 7
-  apt_repository: repo='deb http://http.debian.net/debian wheezy-backports main'
-  when: ansible_distribution_release == 'wheezy'
-  tags:
-    - dependencies
-
-- name: Install Dovecot and related packages on Debian 7
-  apt: pkg={{ item }} update_cache=yes state=latest default_release=wheezy-backports
-  with_items:
-    - dovecot-core
-    - dovecot-imapd
-    - dovecot-lmtpd
-    - dovecot-managesieved
-    - dovecot-pgsql
-    - dovecot-pop3d
-  when: ansible_distribution_release == 'wheezy'
-  tags:
-    - dependencies
-
-- name: Install Dovecot and related packages on distributions other than Debian 7
+- name: Install Dovecot and related packages
   apt: pkg={{ item }} update_cache=yes state=installed
   with_items:
     - dovecot-core
@@ -26,25 +7,11 @@
     - dovecot-managesieved
     - dovecot-pgsql
     - dovecot-pop3d
-  when: ansible_distribution_release != 'wheezy'
-  tags:
-    - dependencies
-
-- name: Install Postgres 9.1 for Dovecot on older distributions
-  apt: pkg=postgresql-9.1 state=present
-  when: ansible_distribution_release != 'trusty' and ansible_distribution_release != 'jessie'
   tags:
     - dependencies
 
-- name: Install Postgres 9.3 for Dovecot on Ubuntu Trusty
-  apt: pkg=postgresql-9.3 state=present
-  when: ansible_distribution_release == 'trusty'
-  tags:
-    - dependencies
-
-- name: Install Postgres 9.4 for Dovecot on Debian Jessie
-  apt: pkg=postgresql-9.4 state=present
-  when: ansible_distribution_release == 'jessie'
+- name: Install Postgres for Dovecot
+  apt: pkg=postgresql state=present
   tags:
     - dependencies
 
@@ -55,7 +22,7 @@
   user: name=vmail group=vmail state=present uid=5000 home=/decrypted shell=/usr/sbin/nologin
 
 - name: Ensure mail domain directories are in place
-  file: state=directory path=/decrypted/{{ item.name }} owner=vmail group=dovecot mode=770
+  file: state=directory path=/decrypted/{{ item.name }} owner=vmail group=dovecot mode=0770
   with_items: mail_virtual_domains
 
 - name: Ensure mail directories are in place
@@ -71,10 +38,13 @@
     - 10-auth.conf
     - 10-mail.conf
     - 10-master.conf
-    - 10-ssl.conf
     - auth-sql.conf.ext
   notify: restart dovecot
 
+- name: Template 10-ssl.conf
+  template: src=etc_dovecot_conf.d_10-ssl.conf.j2 dest=/etc/dovecot/conf.d/10-ssl.conf
+  notify: restart dovecot
+
 - name: Template 15-lda.conf
   template: src=etc_dovecot_conf.d_15-lda.conf.j2 dest=/etc/dovecot/conf.d/15-lda.conf
   notify: restart dovecot
@@ -85,7 +55,7 @@
 
 - name: Ensure correct permissions on Dovecot config directory
   file: state=directory path=/etc/dovecot
-          group=dovecot owner=vmail mode=770 recurse=yes
+          group=dovecot owner=vmail mode=0770 recurse=yes
   notify: restart dovecot
 
 - name: Set firewall rules for dovecot
@@ -94,3 +64,11 @@
     - imaps
     - pop3s
   tags: ufw
+
+- name: Update post-certificate-renewal task
+  copy:
+    content: "#!/bin/bash\n\nservice dovecot restart\n"
+    dest: /etc/letsencrypt/postrenew/dovecot.sh
+    mode: 0755
+    owner: root
+    group: root

roles/mailserver/tasks/dspam.yml

@@ -1,44 +0,0 @@
-- name: Install dspam and related packages on wheezy
-  apt: pkg={{ item }} state=installed default_release=wheezy-backports
-  with_items:
-    - dovecot-antispam
-    - dovecot-sieve
-    - dspam
-    - postfix-pcre
-  when: ansible_distribution_release == 'wheezy'
-  tags:
-    - dependencies
-
-- name: Install dspam and related packages on distributions other than wheezy
-  apt: pkg={{ item }} state=installed
-  with_items:
-    - dovecot-antispam
-    - dovecot-sieve
-    - dspam
-    - postfix-pcre
-  when: ansible_distribution_release != 'wheezy'
-  tags:
-    - dependencies
-
-- name: Create dspam directory
-  file: state=directory path=/decrypted/dspam group=dspam owner=dspam
-
-- name: Put dspam configuration files in place
-  copy: src=etc_dspam_{{ item }} dest=/etc/dspam/{{ item }} owner=dspam group=dspam
-  with_items:
-    - default.prefs
-    - dspam.conf
-  notify:
-    - restart postfix
-    - restart dovecot
-
-- name: Put dspam postfix configuration in place
-  copy: src=etc_postfix_dspam_filter_access dest=/etc/postfix/dspam_filter_access owner=root group=root
-  notify: restart postfix
-
-- name: Put dspam dovecot configuration in place
-  copy: src=etc_dovecot_conf.d_{{ item }} dest=/etc/dovecot/conf.d/{{ item }} owner=vmail group=dovecot
-  with_items:
-    - 20-imap.conf
-    - 90-plugin.conf
-  notify: restart dovecot

roles/mailserver/tasks/main.yml

@@ -1,8 +1,8 @@
 - include: postfix.yml tags=postfix
 - include: dovecot.yml tags=dovecot
 - include: opendkim.yml tags=opendkim
-- include: dmarc.yml tags=dmarc
-- include: dspam.yml tags=dspam
+- include: opendmarc.yml tags=dmarc
+- include: rspamd.yml tags=rspamd
 - include: solr.yml tags=solr
 - include: checkrbl.yml tags=checkrbl
 - include: z-push.yml tags=zpush

roles/mailserver/tasks/opendkim.yml

@@ -38,7 +38,7 @@
 
 - name: Set OpenDKIM config directory permissions
   file: state=directory path=/etc/opendkim
-          group=opendkim owner=opendkim mode=700 recurse=yes
+          group=opendkim owner=opendkim mode=0700 recurse=yes
   notify:
     - restart opendkim
     - restart postfix

roles/mailserver/tasks/dmarc.yml → roles/mailserver/tasks/opendmarc.yml

@@ -1,9 +1,9 @@
 - name: Install OpenDMARC milter and related packages
-  apt: pkg={{ item }} state=installed update_cache=yes cache_valid_time=3600
+  apt: pkg={{ item }} state=installed update_cache=yes
   with_items:
-      - mysql-server
-      - python-mysqldb
-      - opendmarc
+    - mysql-server
+    - python-mysqldb
+    - opendmarc
 
 - name: Patch opendmarc scripts (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742447)
   lineinfile: dest=/usr/sbin/{{ item }} regexp='^require DBD::' line='require DBD::mysql;'
@@ -34,25 +34,18 @@
     - restart opendmarc
     - restart postfix
 
-- name: Copy OpenDMARC database schema file into place
-  copy: src=etc_opendmarc_import.sql dest=/etc/opendmarc/import.sql owner=root group=root
-
 - name: Create database user for OpenDMARC reports
   mysql_user: user={{ mail_db_opendmarc_username }} password={{ mail_db_opendmarc_password }} state=present priv="opendmarc.*:ALL"
 
 - name: Create database for OpenDMARC reports
   mysql_db: name={{ mail_db_opendmarc_database }} state=present
-
-- name: Import database schema for OpenDMARC reports
-  mysql_db: name={{ mail_db_opendmarc_database }} state=import target=/etc/opendmarc/import.sql
-  tags: import_mysql_postfix
+  notify: import opendmarc schema
 
 - name: Copy nightly OpenDMARC report generation script into place
   template: src=etc_opendmarc_report.sh.j2 dest=/etc/opendmarc/report.sh owner=root group=root mode="755"
 
-- name: Touch initial report dat file with correct permissions
-  file: path=/var/run/opendmarc/opendmarc.dat state=touch owner=opendmarc group=opendmarc
+- name: Ensure initial report dat file exists with correct permissions
+  copy: content="" dest=/var/run/opendmarc/opendmarc.dat owner=opendmarc group=opendmarc
 
 - name: Activate OpenDMARC report cronjob
-  cron: name="OpenDMARC report" hour="2" minute="0" job="/bin/bash /etc/opendmarc/report.sh >> /var/log/opendmarc_report.log"
-
+  cron: name="OpenDMARC report" hour="2" minute="0" job="/bin/bash /etc/opendmarc/report.sh >> /var/log/opendmarc_report.log 2>&1 || tail /var/log/opendmarc_report.log"

roles/mailserver/tasks/postfix.yml

@@ -1,18 +1,5 @@
-- name: Install Postgres 9.1 on older distributions
-  apt: pkg=postgresql-9.1 state=present
-  when: ansible_distribution_release != 'trusty' and ansible_distribution_release != 'jessie'
-  tags:
-    - dependencies
-
-- name: Install Postgres 9.3 on Ubuntu Trusty
-  apt: pkg=postgresql-9.3 state=present
-  when: ansible_distribution_release == 'trusty'
-  tags:
-    - dependencies
-
-- name: Install Postgres 9.4 on Debian Jessie
-  apt: pkg=postgresql-9.4 state=present
-  when: ansible_distribution_release == 'jessie'
+- name: Install Postgres
+  apt: pkg=postgresql state=present
   tags:
     - dependencies
 
@@ -29,12 +16,14 @@
   tags:
     - dependencies
 
-- name: Set postgres password
-  command: sudo -u {{ db_admin_username }} psql -d {{ db_admin_username }} -c "ALTER USER postgres with  password '{{ db_admin_password }}';"
+- name: Set password for PostgreSQL admin user
+  become: true
+  become_user: postgres
+  postgresql_user: name={{ db_admin_username }} password={{ db_admin_password }} encrypted=yes
   notify: import sql postfix
 
 - name: Create database user for mail server
-  postgresql_user: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ mail_db_username }} password="{{ mail_db_password }}" state=present
+  postgresql_user: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ mail_db_username }} password="{{ mail_db_password }}" encrypted=yes state=present
   notify: import sql postfix
 
 - name: Create database for mail server
@@ -74,4 +63,5 @@
   with_items:
     - smtp
     - ssmtp
+    - submission
   tags: ufw

roles/mailserver/tasks/rspamd.yml

@@ -0,0 +1,36 @@
+---
+# Installs and configures the Rspamd spam filtering system.
+
+- name: Ensure repository key for Rspamd is in place
+  apt_key: url=https://rspamd.com/apt-stable/gpg.key state=present
+  tags:
+    - dependencies
+
+- name: Add Rspamd repository
+  apt_repository: repo="deb https://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main"
+  tags:
+    - dependencies
+
+- name: Install Rspamd, Rmilter, and Redis
+  apt: pkg={{ item }} state=installed update_cache=yes
+  with_items:
+    - rspamd
+    - rmilter
+    - redis-server
+  tags:
+    - dependencies
+
+- name: Configure rmilter
+  copy: src=etc_rmilter.conf.common dest=/etc/rmilter.conf.common
+
+- name: Configure rmilter service
+  copy: src=lib_systemd_system_rmilter.socket dest=/lib/systemd/system/rmilter.socket
+
+- name: Start redis
+  service: name=redis-server state=started
+
+- name: Start rspamd systemd listener
+  service: name=rspamd state=started
+
+- name: Start rmilter systemd listener
+  service: name=rmilter state=started

roles/mailserver/tasks/solr.yml

@@ -1,18 +1,8 @@
-- name: Install Solr and related packages on wheezy from backports
-  apt: pkg={{ item }} state=installed default_release=wheezy-backports
-  with_items:
-    - dovecot-solr
-    - solr-tomcat
-  when: ansible_distribution_release == 'wheezy'
-  tags:
-    - dependencies
-
-- name: Install Solr and related packages on distributions other than wheezy
+- name: Install Solr and related packages
   apt: pkg={{ item }} state=installed
   with_items:
     - dovecot-solr
     - solr-tomcat
-  when: ansible_distribution_release != 'wheezy'
   tags:
     - dependencies
 
@@ -20,7 +10,7 @@
   copy: src=solr-schema.xml dest=/etc/solr/conf/schema.xml group=root owner=root
 
 - name: Copy tweaked Tomcat config file into place
-  copy: src=etc_tomcat6_server.xml dest=/etc/tomcat6/server.xml group=tomcat6 owner=root
+  copy: src=etc_tomcat7_server.xml dest=/etc/tomcat7/server.xml group=tomcat7 owner=root
   notify: restart solr
 
 - name: Copy tweaked Solr config file into place
@@ -28,5 +18,5 @@
   notify: restart solr
 
 - name: Create Solr index directory
-  file: state=directory path=/decrypted/solr group=tomcat6 owner=tomcat6
+  file: state=directory path=/decrypted/solr group=tomcat7 owner=tomcat7
   notify: restart solr

roles/mailserver/tasks/z-push.yml

@@ -8,10 +8,6 @@
   tags:
     - dependencies
 
-- name: Enable imap module on Trusty
-  command: php5enmod imap
-  when: ansible_distribution_release == 'trusty'
-
 - name: Download z-push release
   get_url:
     url=http://download.z-push.org/final/2.1/z-push-{{ zpush_version }}.tar.gz
@@ -36,7 +32,7 @@
     - skip_ansible_lint
 
 - name: Ensure z-push state and log directories are in place
-  file: state=directory path={{ item }} owner=www-data group=www-data mode=755
+  file: state=directory path={{ item }} owner=www-data group=www-data mode=0755
   with_items:
     - /decrypted/zpush-state
     - /var/log/z-push
@@ -45,19 +41,12 @@
 - name: Copy z-push's config.php into place
   template: src=usr_share_z-push_config.php.j2 dest=/usr/share/z-push/config.php
 
-- name: Configure z-push apache alias and php settings
-  copy: src=etc_apache2_conf.d_z-push.conf dest=/etc/apache2/conf.d/z-push.conf
-  notify: restart apache
-  when: ansible_distribution_release != 'trusty'
-
-- name: Create z-push apache alias and php configuration file for Ubuntu Trusty
+- name: Create z-push apache alias and php configuration file
   copy: src=etc_apache2_conf.d_z-push.conf dest=/etc/apache2/conf-available/z-push.conf
-  when: ansible_distribution_release == 'trusty'
 
-- name: Enable z-push Apache alias and PHP configuration file for Ubuntu Trusty
+- name: Enable z-push Apache alias and PHP configuration file
   command: a2enconf z-push creates=/etc/apache2/conf-enabled/z-push.conf
   notify: restart apache
-  when: ansible_distribution_release == 'trusty'
 
 - name: Configure z-push logrotate
   copy: src=etc_logrotate_z-push dest=/etc/logrotate.d/z-push owner=root group=root mode=0644

roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2

@@ -17,8 +17,7 @@
 
 <VirtualHost *:443>
     ServerName {{ mail_server_autoconfig_hostname }}
-
-    Include /etc/apache2/ssl.conf
+    SSLEngine On
 
     DocumentRoot            "/var/www/autoconfig"
     Options                 -Indexes

roles/mailserver/files/etc_dovecot_conf.d_10-ssl.conf → roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2

@@ -9,8 +9,8 @@ ssl = required
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/ssl/certs/wildcard_combined.pem
-ssl_key = </etc/ssl/private/wildcard_private.key
+ssl_cert = </etc/letsencrypt/live/{{ domain }}/fullchain.pem
+ssl_key = </etc/letsencrypt/live/{{ domain }}/privkey.pem
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often

roles/mailserver/templates/etc_opendmarc.conf.j2

@@ -1,41 +1,336 @@
-# This is a basic configuration that can easily be adapted to suit a standard
-# installation. For more advanced options, see opendkim.conf(5) and/or
-# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
+##
+## opendmarc.conf -- configuration file for OpenDMARC filter
+##
+## Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
+##
 
 ##  AuthservID (string)
-##      defaults to MTA name
+##  	defaults to MTA name
+##
+##  Sets the "authserv-id" to use when generating the Authentication-Results:
+##  header field after verifying a message.  If the string "HOSTNAME" is
+##  provided, the name of the host running the filter (as returned by the
+##  gethostname(3) function) will be used.  
 #
 AuthservID {{ mail_server_hostname }}
 
-##  ForensicReports { true | false }
-##      default "false"
+##  AuthservIDWithJobID { true | false }
+##  	default "false"
+##
+##  If "true", requests that the authserv-id portion of the added
+##  Authentication-Results header fields contain the job ID of the message
+##  being evaluated.
+#
+# AuthservIDWithJobID false
+
+##  AutoRestart { true | false }
+##  	default "false"
+##
+##  Automatically re-start on failures. Use with caution; if the filter fails
+##  instantly after it starts, this can cause a tight fork(2) loop.
+#
+# AutoRestart false
+
+##  AutoRestartCount n
+##  	default 0
+##
+##  Sets the maximum automatic restart count.  After this number of automatic
+##  restarts, the filter will give up and terminate.  A value of 0 implies no
+##  limit.
+#
+# AutoRestartCount 0
+
+##  AutoRestartRate n/t[u]
+##  	default (no limit)
+##
+##  Sets the maximum automatic restart rate.  If the filter begins restarting
+##  faster than the rate defined here, it will give up and terminate.  This
+##  is a string of the form n/t[u] where n is an integer limiting the count
+##  of restarts in the given interval and t[u] defines the time interval
+##  through which the rate is calculated; t is an integer and u defines the
+##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
+##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
+##  value of "10/1h" limits the restarts to 10 in one hour. There is no
+##  default, meaning restart rate is not limited.
+#
+# AutoRestartRate n/t[u]
+
+##  Background { true | false }
+##  	default "true"
+##
+##  Causes opendmarc to fork and exits immediately, leaving the service
+##  running in the background.
+#
+# Background true
+
+##  BaseDirectory (string)
+##  	default (none)
+##
+##  If set, instructs the filter to change to the specified directory using
+##  chdir(2) before doing anything else.  This means any files referenced
+##  elsewhere in the configuration file can be specified relative to this
+##  directory.  It's also useful for arranging that any crash dumps will be
+##  saved to a specific location.
+#
+# BaseDirectory /var/run/opendmarc
+
+##  ChangeRootDirectory (string)
+##  	default (none)
+##
+##  Requests that the operating system change the effective root directory of
+##  the process to the one specified here prior to beginning execution.
+##  chroot(2) requires superuser access.  A warning will be generated if
+##  UserID is not also set.
+# 
+# ChangeRootDirectory /var/chroot/opendmarc
+
+##  CopyFailuresTo (string)
+##  	default (none)
+##
+##  Requests addition of the specified email address to the envelope of
+##  any message that fails the DMARC evaluation.
+#
+# CopyFailuresTo postmaster@localhost
+
+##  DNSTimeout (integer)
+##  	default 5
+## 
+##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
+##  (NOT YET IMPLEMENTED)
+#
+# DNSTimeout 5
+
+##  EnableCoredumps { true | false }
+##  	default "false"
+##
+##  On systems that have such support, make an explicit request to the kernel
+##  to dump cores when the filter crashes for some reason.  Some modern UNIX
+##  systems suppress core dumps during crashes for security reasons if the
+##  user ID has changed during the lifetime of the process.  Currently only
+##  supported on Linux.
+#
+# EnableCoreDumps false
+
+##  FailureReports { true | false }
+##  	default "false"
+##
+##  Enables generation of failure reports when the DMARC test fails and the
+##  purported sender of the message has requested such reports.  Reports are
+##  formatted per RFC6591.
+# 
+# FailureReports false
+
+##  FailureReportsBcc (string)
+##  	default (none)
+##
+##  When failure reports are enabled and one is to be generated, always
+##  send one to the address(es) specified here.  If a failure report is
+##  requested by the domain owner, the address(es) are added in a Bcc: field.
+##  If no request is made, they address(es) are used in a To: field.  There
+##  is no default.
+# 
+# FailureReportsBcc postmaster@example.coom
+
+##  FailureReportsOnNone { true | false }
+##  	default "false"
+##
+##  Supplements the "FailureReports" setting by generating reports for
+##  domains that advertise "none" policies.  By default, reports are only
+##  generated (when enabled) for sending domains advertising a "quarantine"
+##  or "reject" policy.
+# 
+# FailureReportsOnNone false
+
+##  FailureReportsSentBy string
+##  	default "USER@HOSTNAME"
+##
+##  Specifies the email address to use in the From: field of failure
+##  reports generated by the filter.  The default is to use the userid of
+##  the user running the filter and the local hostname to construct an
+##  email address.  "postmaster" is used in place of the userid if a name
+##  could not be determined.
+# 
+# FailureReportsSentBy USER@HOSTNAME
+
+##  HistoryFile path
+##  	default (none)
+##
+##  If set, specifies the location of a text file to which records are written
+##  that can be used to generate DMARC aggregate reports.  Records are groups
+##  of rows containing information about a single received message, and
+##  include all relevant information needed to generate a DMARC aggregate
+##  report.  It is expected that this will not be used in its raw form, but
+##  rather periodically imported into a relational database from which the
+##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
+#
+HistoryFile /var/run/opendmarc/opendmarc.dat
+
+##  IgnoreAuthenticatedClients { true | false }
+##  	default "false"
+##
+##  If set, causes mail from authenticated clients (i.e., those that used
+##  SMTP UATH) to be ignored by the filter.
+#
+# IgnoreAuthenticatedClients false
+
+##  IgnoreHosts path
+##  	default (internal)
+##
+##  Specifies the path to a file that contains a list of hostnames, IP
+##  addresses, and/or CIDR expressions identifying hosts whose SMTP
+##  connections are to be ignored by the filter.  If not specified, defaults
+##  to "127.0.0.1" only.
+#
+IgnoreHosts /etc/opendmarc/ignore.hosts
+
+##  IgnoreMailFrom domain[,...]
+##  	default (none)
 ##
-# ForensicReports false
+##  Gives a list of domain names whose mail (based on the From: domain) is to
+##  be ignored by the filter.  The list should be comma-separated.  Matching
+##  against this list is case-insensitive.  The default is an empty list,
+##  meaning no mail is ignored.
+#
+# IgnoreMailFrom example.com
 
+##  MilterDebug (integer)
+##  	default 0
+##
+##  Sets the debug level to be requested from the milter library.
+#
+# MilterDebug 0
+
+##  PidFile path
+##  	default (none)
+##
+##  Specifies the path to a file that should be created at process start
+##  containing the process ID.
+##
+#
 PidFile /var/run/opendmarc.pid
 
+##  PublicSuffixList path
+##  	default (none)
+##
+##  Specifies the path to a file that contains top-level domains (TLDs) that
+##  will be used to compute the Organizational Domain for a given domain name,
+##  as described in the DMARC specification.  If not provided, the filter will
+##  not be able to determine the Organizational Domain and only the presented
+##  domain will be evaluated.
+#
+# PublicSuffixList path
+
+##  RecordAllMessages { true | false }
+##  	default "false"
+##
+##  If set and "HistoryFile" is in use, all received messages are recorded
+##  to the history file.  If not set (the default), only messages for which
+##  the From: domain published a DMARC record will be recorded in the
+##  history file.
+#
+# RecordAllMessages false
+
 ##  RejectFailures { true | false }
-##      default "false"
+##  	default "false"
 ##
+##  If set, messages will be rejected if they fail the DMARC evaluation, or
+##  temp-failed if evaluation could not be completed.  By default, no message
+##  will be rejected or temp-failed regardless of the outcome of the DMARC
+##  evaluation of the message.  Instead, an Authentication-Results header
+##  field will be added.
+#
 RejectFailures false
 
+##  ReportCommand string
+##  	default "/usr/sbin/sendmail -t"
+##
+##  Indicates the shell command to which failure reports should be passed for
+##  delivery when "FailureReports" is enabled.
+#
+# ReportCommand /usr/sbin/sendmail -t
+
+##  RequiredHeaders { true | false }
+##  	default "false"
+##
+##  If set, the filter will ensure the header of the message conforms to the
+##  basic header field count restrictions laid out in RFC5322, Section 3.6.
+##  Messages failing this test are rejected without further processing.  A
+##  From: field from which no domain name could be extracted will also be
+##  rejected.
+#
+# RequiredHeaders false
+
+##  Socket socketspec
+##  	default (none)
+##
+##  Specifies the socket that should be established by the filter to receive
+##  connections from sendmail(8) in order to provide service.  socketspec is
+##  in one of two forms: local:path, which creates a UNIX domain socket at
+##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
+##  a TCP socket on the specified port for the appropriate protocol family.
+##  If the host is not given as either a hostname or an IP address, the
+##  socket will be listening on all interfaces.  This option is mandatory
+##  either in the configuration file or on the command line.  If an IP
+##  address is used, it must be enclosed in square brackets.
+#
+# Socket inet:8893@localhost
+
+##  SoftwareHeader { true | false }
+##  	default "false"
+##
+##  Causes the filter to add a "DMARC-Filter" header field indicating the
+##  presence of this filter in the path of the message from injection to
+##  delivery.  The product's name, version, and the job ID are included in
+##  the header field's contents.
+#
+SoftwareHeader true
+
+##  SPFIgnoreResults { true | false }
+##	default "false"
+##
+##  Causes the filter to ignore any SPF results in the header of the
+##  message.  This is useful if you want the filter to perfrom SPF checks
+##  itself, or because you don't trust the arriving header.
+#
+# SPFIgnoreResults false
+
+##  SPFSelfValidate { true | false }
+##	default false
+##
+##  Enable internal spf checking with --with-spf
+##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
+##
+##  Causes the filter to perform a fallback SPF check itself when
+##  it can find no SPF results in the message header.  If SPFIgnoreResults
+##  is also set, it never looks for SPF results in headers and
+##  always performs the SPF check itself when this is set.
+#
+# SPFSelfValidate false
+
 ##  Syslog { true | false }
-##      default "false"
+##  	default "false"
 ##
 ##  Log via calls to syslog(3) any interesting activity.
 #
 Syslog true
 
 ##  SyslogFacility facility-name
-##      default "mail"
+##  	default "mail"
 ##
 ##  Log via calls to syslog(3) using the named facility.  The facility names
 ##  are the same as the ones allowed in syslog.conf(5).
 #
 # SyslogFacility mail
 
+##  TemporaryDirectory path
+##  	default /var/tmp
+##
+##  Specifies the directory in which temporary files should be written.
+#
+# TemporaryDirectory /var/tmp
+
 ##  TrustedAuthservIDs string
-##      default HOSTNAME
+##  	default HOSTNAME
 ##
 ##  Specifies one or more "authserv-id" values to trust as relaying true
 ##  upstream DKIM and SPF results.  The default is to use the name of
@@ -45,9 +340,8 @@ Syslog true
 #
 TrustedAuthservIDs {{ mail_server_hostname }}
 
-
 ##  UMask mask
-##      default (none)
+##  	default (none)
 ##
 ##  Requests a specific permissions mask to be used for file creation.  This
 ##  only really applies to creation of the socket when Socket specifies a
@@ -59,27 +353,10 @@ TrustedAuthservIDs {{ mail_server_hostname }}
 UMask 0002
 
 ##  UserID user[:group]
-##      default (none)
+##  	default (none)
 ##
 ##  Attempts to become the specified userid before starting operations.
 ##  The process will be assigned all of the groups and primary group ID of
 ##  the named userid unless an alternate group is specified.
 #
 UserID opendmarc:opendmarc
-
-## The path to the Ignored Hosts list. This file should contain a list of
-## networks and hosts that you trust. Their mail will not be checked by
-## OpenDMARC.
-#
-IgnoreHosts /etc/opendmarc/ignore.hosts
-
-## The path under which the History file should be created.
-## This file is necessary if you want to be able to create aggregate
-## reports to send out to other organizations
-#
-HistoryFile /var/run/opendmarc/opendmarc.dat
-
-## Adds a “Dmarc-Filter” header with the opendmarc version in every processed mail.
-## This is good to have during testing.
-#
-SoftwareHeader true

roles/mailserver/templates/etc_opendmarc_report.sh.j2

@@ -1,5 +1,8 @@
 #!/bin/bash
 
+# ensure this script errors out if any of its steps do
+set -e
+
 DB_SERVER='localhost'
 DB_USER='{{ mail_db_opendmarc_username }}'
 DB_PASS='{{ mail_db_opendmarc_password }}'

roles/mailserver/templates/etc_postfix_main.cf.j2

@@ -40,8 +40,8 @@ smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
 smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
 smtp_tls_protocols = !SSLv2,!SSLv3
 smtpd_tls_protocols = !SSLv2,!SSLv3
-smtpd_tls_cert_file=/etc/ssl/certs/wildcard_combined.pem
-smtpd_tls_key_file=/etc/ssl/private/wildcard_private.key
+smtpd_tls_cert_file=/etc/letsencrypt/live/{{ domain }}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/{{ domain }}/privkey.pem
 smtpd_use_tls=yes
 smtpd_tls_auth_only = yes
 smtp_tls_security_level = may
@@ -100,16 +100,14 @@ virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
 virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
 local_recipient_maps = $virtual_mailbox_maps
 
-# OpenDKIM and OpenDMARC
-smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321
+# Milters: OpenDKIM, OpenDMARC, Rspamd
+smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321,inet:127.0.0.1:9900
 non_smtpd_milters = $smtpd_milters
+milter_protocol = 6
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
 milter_default_action = accept
 
-# new settings for dspam: only scan one mail at a time, localhost doesn't get scanned, everything else does
-dspam_destination_recipient_limit = 1
-smtpd_client_restrictions =
-  permit_sasl_authenticated
-  check_client_access pcre:/etc/postfix/dspam_filter_access
+smtpd_client_restrictions = permit_sasl_authenticated
 
 # Postscreen
 postscreen_access_list = permit_mynetworks

roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2

@@ -20,8 +20,8 @@
         </incomingServer>
         <outgoingServer type="smtp">
             <hostname>{{ mail_server_hostname }}</hostname>
-            <port>465</port>
-            <socketType>SSL</socketType>
+            <port>587</port>
+            <socketType>STARTTLS</socketType>
             <authentication>password-cleartext</authentication>
             <username>%EMAILADDRESS%</username>
         </outgoingServer>

roles/monitoring/defaults/main.yml

@@ -0,0 +1,4 @@
+collectd_version: 5.4.1
+collectd_librato_version: 0.0.10
+collectd_librato_email: "" # (optional)
+collectd_librato_api_token: "" # (optional)

roles/monitoring/files/etc_apache2_sites-available_00-status.conf

@@ -3,8 +3,6 @@
 <VirtualHost *:80>
   <Location />
     SetHandler server-status
-    Order deny,allow
-    Deny from all
-    Allow from 127.0.0.1
+    Require ip 127.0.0.1
   </Location>
 </VirtualHost>

roles/monitoring/files/etc_init.d_collectd

@@ -1,206 +0,0 @@
-#! /bin/bash
-#
-# collectd - start and stop the statistics collection daemon
-# http://collectd.org/
-#
-# Copyright (C) 2005-2006 Florian Forster <octo@verplant.org>
-# Copyright (C) 2006-2009 Sebastian Harl <tokkee@debian.org>
-#
-
-### BEGIN INIT INFO
-# Provides:          collectd
-# Required-Start:    $local_fs $remote_fs
-# Required-Stop:     $local_fs $remote_fs
-# Should-Start:      $network $named $syslog $time cpufrequtils
-# Should-Stop:       $network $named $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: manage the statistics collection daemon
-# Description:       collectd is the statistics collection daemon.
-#                    It is a small daemon which collects system information
-#                    periodically and provides mechanisms to monitor and store
-#                    the values in a variety of ways.
-### END INIT INFO
-
-. /lib/lsb/init-functions
-
-export PATH=/opt/collectd/sbin:/opt/collectd/bin:/sbin:/bin:/usr/sbin:/usr/bin
-
-DISABLE=0
-
-DESC="statistics collection and monitoring daemon"
-NAME=collectd
-DAEMON=/opt/collectd/sbin/collectd
-
-CONFIGFILE=/opt/collectd/etc/collectd.conf
-PIDFILE=/opt/collectd/var/run/collectd.pid
-
-USE_COLLECTDMON=1
-COLLECTDMON_DAEMON=/opt/collectd/sbin/collectdmon
-COLLECTDMON_PIDFILE=/opt/collectd/var/run/collectdmon.pid
-
-MAXWAIT=30
-
-# Gracefully exit if the package has been removed.
-test -x $DAEMON || exit 0
-
-if [ -r /etc/default/$NAME ]; then
-	. /etc/default/$NAME
-fi
-
-if test "$ENABLE_COREFILES" == 1; then
-	ulimit -c unlimited
-fi
-
-if test "$USE_COLLECTDMON" == 1; then
-	_PIDFILE="$COLLECTDMON_PIDFILE"
-else
-	_PIDFILE="$PIDFILE"
-fi
-
-# return:
-#   0 if config is fine
-#   1 if there is a syntax error
-#   2 if there is no configuration
-check_config() {
-	if test ! -e "$CONFIGFILE"; then
-		return 2
-	fi
-	if ! $DAEMON -t -C "$CONFIGFILE"; then
-		return 1
-	fi
-	return 0
-}
-
-# return:
-#   0 if the daemon has been started
-#   1 if the daemon was already running
-#   2 if the daemon could not be started
-#   3 if the daemon was not supposed to be started
-d_start() {
-	if test "$DISABLE" != 0; then
-		# we get here during restart
-		log_progress_msg "disabled by /etc/default/$NAME"
-		return 3
-	fi
-
-	if test ! -e "$CONFIGFILE"; then
-		# we get here during restart
-		log_progress_msg "disabled, no configuration ($CONFIGFILE) found"
-		return 3
-	fi
-
-	check_config
-	rc="$?"
-	if test "$rc" -ne 0; then
-		log_progress_msg "not starting, configuration error"
-		return 2
-	fi
-
-	if test "$USE_COLLECTDMON" == 1; then
-		start-stop-daemon --start --quiet --oknodo --pidfile "$_PIDFILE" \
-			--exec $COLLECTDMON_DAEMON -- -P "$_PIDFILE" -- -C "$CONFIGFILE" \
-			|| return 2
-	else
-		start-stop-daemon --start --quiet --oknodo --pidfile "$_PIDFILE" \
-			--exec $DAEMON -- -C "$CONFIGFILE" -P "$_PIDFILE" \
-			|| return 2
-	fi
-	return 0
-}
-
-still_running_warning="
-WARNING: $NAME might still be running.
-In large setups it might take some time to write all pending data to
-the disk. You can adjust the waiting time in /etc/default/collectd."
-
-# return:
-#   0 if the daemon has been stopped
-#   1 if the daemon was already stopped
-#   2 if daemon could not be stopped
-d_stop() {
-	PID=$( cat "$_PIDFILE" 2> /dev/null ) || true
-
-	start-stop-daemon --stop --quiet --oknodo --pidfile "$_PIDFILE"
-	rc="$?"
-
-	if test "$rc" -eq 2; then
-		return 2
-	fi
-
-	sleep 1
-	if test -n "$PID" && kill -0 $PID 2> /dev/null; then
-		i=0
-		while kill -0 $PID 2> /dev/null; do
-			i=$(( $i + 2 ))
-			echo -n " ."
-
-			if test $i -gt $MAXWAIT; then
-				log_progress_msg "$still_running_warning"
-				return 2
-			fi
-
-			sleep 2
-		done
-		return "$rc"
-	fi
-	return "$rc"
-}
-
-case "$1" in
-	start)
-		log_daemon_msg "Starting $DESC" "$NAME"
-		d_start
-		case "$?" in
-			0|1) log_end_msg 0 ;;
-			2) log_end_msg 1 ;;
-			3) log_end_msg 255; true ;;
-			*) log_end_msg 1 ;;
-		esac
-		;;
-	stop)
-		log_daemon_msg "Stopping $DESC" "$NAME"
-		d_stop
-		case "$?" in
-			0|1) log_end_msg 0 ;;
-			2) log_end_msg 1 ;;
-		esac
-		;;
-	status)
-		status_of_proc -p "$_PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $?
-		;;
-	restart|force-reload)
-		log_daemon_msg "Restarting $DESC" "$NAME"
-		check_config
-		rc="$?"
-		if test "$rc" -eq 1; then
-			log_progress_msg "not restarting, configuration error"
-			log_end_msg 1
-			exit 1
-		fi
-		d_stop
-		rc="$?"
-		case "$rc" in
-			0|1)
-				sleep 1
-				d_start
-				rc2="$?"
-				case "$rc2" in
-					0|1) log_end_msg 0 ;;
-					2) log_end_msg 1 ;;
-					3) log_end_msg 255; true ;;
-					*) log_end_msg 1 ;;
-				esac
-				;;
-			*)
-				log_end_msg 1
-				;;
-		esac
-		;;
-	*)
-		echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
-		exit 3
-		;;
-esac
-
-# vim: syntax=sh noexpandtab sw=4 ts=4 :

roles/monitoring/files/etc_monit_conf.d_apache2

@@ -1,8 +1,8 @@
-check process apache2 with pidfile /var/run/apache2.pid
+check process apache2 with pidfile /var/run/apache2/apache2.pid
   group www
-  start program = "/etc/init.d/apache2 start"
-  stop program = "/etc/init.d/apache2 stop"
+  start program = "systemctl start apache2"
+  stop program = "systemctl stop apache2"
   if failed host localhost port 80 protocol http
     with timeout 10 seconds
     then restart
-  if 5 restarts within 5 cycles then timeout
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_dovecot

@@ -1,7 +1,7 @@
 check process dovecot with pidfile /var/run/dovecot/master.pid
   group mail
-  start program = "/etc/init.d/dovecot start"
-  stop program = "/etc/init.d/dovecot stop"
+  start program = "systemctl start dovecot"
+  stop program = "systemctl stop dovecot"
   if failed port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
   if failed port 995 type tcpssl sslauto protocol pop for 5 cycles then restart
   if 3 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_pgsql

@@ -1,6 +1,6 @@
-check process postgres with pidfile /var/run/postgresql/9.1-main.pid
+check process postgres with pidfile /var/run/postgresql/9.4-main.pid
   group database
-  start program = "/etc/init.d/postgresql start"
-  stop program = "/etc/init.d/postgresql stop"
+  start program = "systemctl start postgresql"
+  stop program = "systemctl stop postgresql"
   if failed host localhost port 5432 protocol pgsql then restart
   if 5 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_postfix

@@ -1,6 +1,6 @@
 check process postfix with pidfile /var/spool/postfix/pid/master.pid
   group mail
-  start program = "/etc/init.d/postfix start"
-  stop  program = "/etc/init.d/postfix stop"
+  start program = "systemctl start postfix"
+  stop  program = "systemctl stop postfix"
   if failed port 25 protocol smtp then restart
-  if 5 restarts within 5 cycles then timeout
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_sshd

@@ -1,5 +1,5 @@
 check process sshd with pidfile /var/run/sshd.pid
-  start program "/etc/init.d/ssh start"
-  stop program "/etc/init.d/ssh stop"
+  start program "systemctl start ssh"
+  stop program  "systemctl stop ssh"
   if failed host 127.0.0.1 port 22 protocol ssh then restart
-  if 5 restarts within 5 cycles then timeout
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/files/etc_monit_conf.d_tomcat

@@ -1,6 +1,6 @@
-check process tomcat with pidfile "/var/run/tomcat6.pid"
+check process tomcat with pidfile "/var/run/tomcat7.pid"
   group mail
-  start program = "/etc/init.d/tomcat6 start"
-  stop program = "/etc/init.d/tomcat6 stop"
+  start program = "systemctl start tomcat7"
+  stop program = "systemctl stop tomcat7"
   if failed port 8080 then alert
   if failed port 8080 for 5 cycles then restart

roles/monitoring/files/etc_monit_conf.d_znc

@@ -1,7 +1,7 @@
 check process znc with pidfile /var/run/znc/znc.pid
   group irc
-  start program = "/etc/init.d/znc start"
-  stop program = "/etc/init.d/znc stop"
+  start program = "systemctl start znc"
+  stop program = "systemctl stop znc"
   if failed host localhost port 6643 protocol http
     with timeout 10 seconds
     then restart

roles/monitoring/tasks/collectd.yml

@@ -1,67 +1,14 @@
-- name: Add wheezy-backports to be compatible with Dovecot packages on Debian 7
-  apt_repository: repo='deb http://http.debian.net/debian wheezy-backports main'
-  when: ansible_distribution_release == 'wheezy'
-  tags:
-    - dependencies
-
-- name: Install collectd dependencies on wheezy from backports
-  apt: pkg={{ item }} state=installed default_release=wheezy-backports
-  with_items:
-    - libcurl4-openssl-dev
-    - librrd2-dev
-    - python-dev
-  when: ansible_distribution_release == 'wheezy'
-  tags:
-    - dependencies
-
-- name: Install collectd dependencies on distributions other than wheezy
-  apt: pkg={{ item }} state=installed
-  with_items:
-    - libcurl4-openssl-dev
-    - librrd2-dev
-    - python-dev
-  when: ansible_distribution_release != 'wheezy'
-  tags:
-    - dependencies
-
-- name: Download collectd
-  get_url: url=http://collectd.org/files/collectd-{{collectd_version}}.tar.gz
-           dest=/root/collectd-{{collectd_version}}.tar.gz
-
-- name: Extract collectd
-  unarchive: src=/root/collectd-{{collectd_version}}.tar.gz
-             dest=/root copy=no
-             creates=/root/collectd-{{collectd_version}}
-
-- name: Build and install collectd
-  shell: ./configure ; make all ; make install
-         executable=/bin/bash
-         chdir=/root/collectd-{{collectd_version}}
-         creates=/opt/collectd/sbin/collectdmon
-
-- name: Copy collectd init file into place
-  copy: src=etc_init.d_collectd dest=/etc/init.d/collectd mode=0755
-
-- name: Download collectd-librato plugin
-  get_url: url=https://github.com/librato/collectd-librato/archive/v{{collectd_librato_version}}.tar.gz
-           dest=/root/collectd-librato-{{collectd_librato_version}}.tar.gz
-  when: collectd_librato_email|length > 0
-
-- name: Extract collectd-librato plugin
-  unarchive: src=/root/collectd-librato-{{collectd_librato_version}}.tar.gz
-             dest=/root copy=no
-             creates=/root/collectd-librato-{{collectd_librato_version}}
-  when: collectd_librato_email|length > 0
-
-- name: Install collectd-librato plugin
-  command: make install
-           chdir=/root/collectd-librato-{{collectd_librato_version}}
-           creates=/opt/collectd-librato-{{collectd_librato_version}}
-  when: collectd_librato_email|length > 0
+- name: Install collectd
+  apt: pkg=collectd state=installed
 
 - name: Copy collectd configuration file into place
-  template: src=opt_etc_collectd.conf.j2 dest=/opt/collectd/etc/collectd.conf
+  template: src=etc_collectd_collectd.conf.j2 dest=/etc/collectd/collectd.conf
   notify: restart collectd
 
-- name: Ensure collectd is a system service
-  service: name=collectd state=started enabled=true
+- name: Ensure collectd is started
+  service: name=collectd state=started
+
+# Work around https://github.com/ansible/ansible-modules-core/issues/915
+# otherwise we'd use enabled=yes in previous task
+- name: Ensure collectd is enabled
+  command: update-rc.d collectd enable creates=/etc/rc3.d/S03collectd

roles/monitoring/tasks/monit.yml

@@ -14,6 +14,15 @@
   copy: src=etc_monit_monitrc dest=/etc/monit/monitrc
   notify: restart monit
 
+- name: Determine if ZNC is installed
+  stat: path=/usr/lib/znc/configs/znc.conf
+  register: znc_config_file
+
+- name: Copy ZNC monit service config files into place
+  copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
+  notify: restart monit
+  when: znc_config_file.stat.exists == True
+
 - name: Copy monit service config files into place
   copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
   with_items:
@@ -25,11 +34,3 @@
     - tomcat
   notify: restart monit
 
-- name: Determine if ZNC is installed
-  stat: path=/var/lib/znc/configs/znc.conf
-  register: znc_config_file
-
-- name: Copy ZNC monit service config files into place
-  copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
-  notify: restart monit
-  when: znc_config_file.stat.exists == True

roles/monitoring/templates/opt_etc_collectd.conf.j2 → roles/monitoring/templates/etc_collectd_collectd.conf.j2

@@ -1,4 +1,4 @@
-BaseDir     "/opt/collectd"
+BaseDir "/etc/collectd"
 
 LoadPlugin syslog
 LoadPlugin cpu
@@ -7,26 +7,23 @@ LoadPlugin load
 LoadPlugin memory
 LoadPlugin disk
 LoadPlugin df
+LoadPlugin rrdtool
+
+<Plugin rrdtool>
+  DataDir "/opt/collectd/var/lib/collectd/rrd"
+</Plugin>
 
 {% if (collectd_librato_email|length and collectd_librato_api_token|length) %}
 <LoadPlugin python>
   Globals true
 </LoadPlugin>
 
-<Plugin python>
-  ModulePath "/opt/collectd-librato-{{ collectd_librato_version }}/lib"
-  Import "collectd-librato"
-
-  <Module "collectd-librato">
-    Email    "{{ collectd_librato_email }}"
-    APIToken "{{ collectd_librato_api_token }}"
-    TypesDB  "/opt/collectd/share/collectd/types.db"
-  </Module>
-</Plugin>
-{% else %}
-LoadPlugin rrdtool
-
-<Plugin rrdtool>
-  DataDir "/opt/collectd/var/lib/collectd/rrd"
+<Plugin write_http>
+  <URL "https://collectd.librato.com/v1/measurements">
+    User "{{ collectd_librato_email }}"
+    Password "{{ collectd_librato_api_token }}"
+    Format "JSON"
+  </URL>
 </Plugin>
 {% endif %}
+

roles/newebe/files/newebe.conf

@@ -1,5 +0,0 @@
-[program:newebe]
-autorestart=false
-command=newebe_server.py --configfile=/usr/local/etc/newebe/config.yaml
-redirect_stderr=true
-user=newebe

roles/newebe/files/supervisor.conf

@@ -1,7 +0,0 @@
-; supervisor config file
-
-[supervisord]
-nodaemon=true
-
-[include]
-files = /etc/supervisor/conf.d/*.conf

roles/newebe/handlers/main.yml

@@ -1,3 +0,0 @@
----
-- name: restart supervisor
-  service: name=supervisor state=restarted

roles/newebe/tasks/main.yml

@@ -1 +0,0 @@
-- include: newebe.yml tags=newebe

roles/newebe/tasks/newebe.yml

@@ -1,87 +0,0 @@
-- name: Install Dependencies
-  apt: pkg={{ item }}
-  with_items:
-    - build-essential
-    - couchdb
-    - git
-    - libxml2-dev
-    - libxslt-dev
-    - python
-    - python-dev
-    - python-imaging
-    - python-imaging
-    - python-pip
-    - python-pycurl
-    - python-setuptools
-    - python-lxml
-    - supervisor
-  tags:
-    - dependencies
-
-- name: Install Newebe
-  pip: name='git+https://github.com/gelnior/newebe.git#egg=newebe'
-
-- name: Add group Newebe
-  group: name=newebe
-
-- name: Add user Newebe
-  user: name=newebe groups=newebe shell=/usr/sbin/nologin
-
-- name: Create Newebe Config folder
-  file: path=/usr/local/etc/newebe/
-        owner=newebe
-        group=newebe
-        state=directory
-
-- name: Create Newebe folder
-  file: path=/usr/local/var/newebe/
-        owner=newebe
-        group=newebe
-        state=directory
-
-- name: Create Newebe log folder
-  file: path=/usr/local/var/log/newebe/
-        owner=newebe
-        group=newebe
-        state=directory
-
-- name: Set Newebe config file
-  template: src=usr_local_etc_newebe_config.j2
-            dest=/usr/local/etc/newebe/config.yaml
-            owner=newebe
-            group=newebe
-
-- name: Set Supervisor config file
-  copy: src=newebe.conf dest=/etc/supervisor/conf.d/newebe.conf
-
-- name: Set Newebe Supervisor config file
-  copy: src=supervisor.conf dest=/etc/supervisor/supervisor.conf
-  notify: restart supervisor
-
-- name: Ensure Supervisor is running
-  service: name=supervisor state=running
-
-- name: Ensure that newebe is started
-  supervisorctl: name=newebe state=started
-
-- name: Add mod_proxy module to Apache
-  apache2_module: state=present name=proxy
-
-- name: Add proxy_http module to Apache
-  apache2_module: state=present name=proxy_http
-
-- name: Rename existing Apache newebe virtualhost
-  command: mv /etc/apache2/sites-available/newebe /etc/apache2/sites-available/newebe.conf removes=/etc/apache2/sites-available/newebe
-
-- name: Remove old sites-enabled/newebe symlink (new one will be created by a2ensite)
-  file: path=/etc/apache2/sites-enabled/newebe state=absent
-
-- name: Configure the Apache HTTP server for Newebe
-  template: src=etc_apache2_sites-available_newebe.j2
-            dest=/etc/apache2/sites-available/newebe.conf
-            group=root
-            owner=root
-
-- name: Enable the site
-  command: a2ensite newebe.conf creates=/etc/apache2/sites-enabled/newebe.conf
-  notify: restart apache

roles/newebe/templates/etc_apache2_sites-available_newebe.j2

@@ -1,20 +0,0 @@
-<VirtualHost *:80>
-    ServerName {{ newebe_domain }}
-
-    Redirect permanent / https://{{ newebe_domain }}/
-</VirtualHost>
-
-<VirtualHost *:443>
-
-    ServerName {{ newebe_domain }}
-
-    Include /etc/apache2/ssl.conf
-
-    ErrorLog /var/log/apache2/newebe.info-error_log
-    CustomLog /var/log/apache2/newebe.info-access_log common
-
-
-    ProxyPass / http://127.0.0.1:8282/
-    ProxyPassReverse / http://127.0.0.1:8282/
-
-</VirtualHost>