authorbnewbold <bnewbold@robocracy.org>2022-06-22 18:41:36 -0700
committerbnewbold <bnewbold@robocracy.org>2022-06-22 18:41:36 -0700
commitdb539aade1b9daa4ba1b0347ed4cb0e39b0a2af4 (patch)
tree9584818df99934ffff6fe28ab236c929036e8c89
parent810d4269058feb550083f6032ffa63af185f9a8d (diff)
parentf6d3dac3b7b125f825c4a67d8f5dfeb22cd5dcc2 (diff)
downloadinfra-db539aade1b9daa4ba1b0347ed4cb0e39b0a2af4.tar.gz
infra-db539aade1b9daa4ba1b0347ed4cb0e39b0a2af4.zip
Merge branch 'master' of adze:infra
-rw-r--r--README.md2
-rw-r--r--TODO15
-rw-r--r--hosts2
-rw-r--r--playbooks/init_adze.yml8
-rw-r--r--roles/common/tasks/main.yml20
-rw-r--r--roles/debian_bullseye/defaults/main.yml2
-rw-r--r--roles/debian_bullseye/tasks/main.yml10
-rw-r--r--roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j24
-rw-r--r--roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j294
-rw-r--r--roles/debian_bullseye/templates/etc_apt_sources_list.j215
-rw-r--r--roles/mailserver/handlers/main.yml8
-rw-r--r--roles/mailserver/tasks/dovecot.yml39
-rw-r--r--roles/mailserver/tasks/main.yml6
-rw-r--r--roles/mailserver/tasks/postfix.yml18
-rw-r--r--roles/mailserver/tasks/rspamd.yml52
-rw-r--r--roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j226
-rw-r--r--roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j253
-rw-r--r--roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j248
-rw-r--r--roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j264
-rw-r--r--roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2138
-rw-r--r--roles/mailserver/templates/etc_postfix_main.cf.j2126
-rw-r--r--roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j25
-rw-r--r--roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j25
-rw-r--r--roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j25
-rw-r--r--roles/mailserver/templates/etc_postfix_pgsql-virtual-alias-maps.cf.j25
-rw-r--r--roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-domains.cf.j25
-rw-r--r--roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-maps.cf.j25
-rw-r--r--roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j247
-rw-r--r--roles/mailserver/templates/mailserver.sql.j257
-rw-r--r--roles/mailserver/templates/usr_share_z-push_config.php.j2306
-rw-r--r--roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j229
-rw-r--r--roles/nginx/HOWTO_letsencrypt.txt15
-rw-r--r--roles/nginx/HOWTO_new_site.txt22
33 files changed, 1235 insertions, 21 deletions
diff --git a/README.md b/README.md
index 0cf5ef4..8e987fd 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ servers and infrastructure.
Be sure to keep things compatible with ansible 1.7.2 (the version in Debian
jessie).
-Check out NOW_WHAT.md for next steps after creating a server with these
+Check out `NOW_WHAT.md` for next steps after creating a server with these
scripts.
Vault:
diff --git a/TODO b/TODO
index ea1357f..8e065ad 100644
--- a/TODO
+++ b/TODO
@@ -1,12 +1,16 @@
-- mediagoblin
+- logwatch
+- firewall: ufw or ferm
+- ghost
+- sigal
+- git-annex
+
+
+x mediagoblin
https://issues.mediagoblin.org/ticket/5455
https://issues.mediagoblin.org/ticket/5441
- automate SSL with let's encrypt
https://community.letsencrypt.org/t/howto-certificate-renewal-with-ansible/10214
-- docs for postfix+dovecot let's encrypt setup
- https://ssl-tools.net/mailservers/
- nginx default config: gzip, sendfile, autoindex, etc
-- email...
- unattended updates: maybe create new file instead of overwriting?
- mediagoblin required double-build to be successful?
@@ -14,10 +18,7 @@
=> root-title, readme, root-desc, agefile
=> proper agefile based on commit date?
-- prosody
-- a workstation target? eg, with "my" package list
- gh-mirror (?)
- import old cruft/README from nsa commissioning repo
- review/refactor to ensure "copy" and "templates" are force=no when
appropriate (user-modifiable stuff)
-- cgit: front-page README ("about"), logo?
diff --git a/hosts b/hosts
index 1dc5efa..061442f 100644
--- a/hosts
+++ b/hosts
@@ -2,5 +2,5 @@
# "ansible_sudo=true"), or login as root (in which case,
# "ansible_ssh_user=root")
-adze.robocracy.org ansible_ssh_user=root
+adze.robocracy.org ansible_user=bnewbold ansible_become=true ansible_become_user=root
bnewbold.the-nsa.org ansible_sudo=true
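Review bot: The new `ansible_become=true ansible_become_user=root` entry for adze relies on the `become` variables, which as far as I recall were introduced in Ansible 1.9, while the README hunk in this same merge still asks that everything stay compatible with ansible 1.7.2; one of the two statements should be updated. The context comment just above (`"ansible_sudo=true"` / `"ansible_ssh_user=root"`) also still documents the old variable names, so a reader of this file gets no hint that `ansible_user`/`ansible_become` is now the preferred form. Suggested comment update: `# ... use "ansible_become=true ansible_become_user=root"), or login as root (in which case, "ansible_user=root")`.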
diff --git a/playbooks/init_adze.yml b/playbooks/init_adze.yml
index b1b5d60..6850327 100644
--- a/playbooks/init_adze.yml
+++ b/playbooks/init_adze.yml
@@ -11,21 +11,17 @@
- admin_email: "root@robocracy.org"
- main_user_name: bnewbold
- hostname_fqdn: adze.robocracy.org
- - mediagoblin_hostname: goblin.bnewbold.net
- cgit_hostname: git.bnewbold.net
- gitolite_hostname: git.bnewbold.net
- - mediagoblin_email_sender: goblin@bnewbold.net
- - mediagoblin_basedir: /srv/http/goblin.bnewbold.net
roles:
- - debian_stretch
+ - debian_bullseye
- hostname
- common
- - nullmailer
- nginx
- git
- - mediagoblin
- znc
+ - mailserver
tasks:
- name: Create main user account
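Review bot: Adding the `mailserver` role here without any accompanying vars means the variables its templates expand (`domain`, `mail_server_hostname`, `mail_server_autoconfig_hostname`, `mail_db_database`/`mail_db_username`/`mail_db_password`, `mail_virtual_domains`) are undefined for this host; the play's `vars:` block only sets `admin_email`, `main_user_name`, `hostname_fqdn`, `cgit_hostname` and `gitolite_hostname`. This is inert for now because every task that renders those templates is commented out in the role, but the first time one is uncommented the play will fail on an undefined variable (or, worse, render an empty hostname into a config). A short comment next to `- mailserver` recording that dependency would help, e.g. `# mailserver: needs domain/mail_server_hostname/mail_db_* vars once its template tasks are enabled`. The play continues outside this hunk.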
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index a4818b0..a1f4500 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -13,28 +13,35 @@
- name: Install necessities and nice-to-haves
apt: pkg={{ item }} state=installed
with_items:
+ # fail2ban in security
+ # rkhunter in security
- apt-transport-https
- apticron
- aptitude
+ - bash-completion
- bzip2
- ca-certificates
- curl
- debian-goodies
- dialog
- dnsutils
+ - dstat
- etckeeper
- # fail2ban in security
+ - fd-find
- file
- git
- htop
+ - httpie
- iftop
- ifupdown
- iotop
- iproute
- iputils-ping
- isc-dhcp-client
+ - jq
- less
- libui-dialog-perl
+ - lnav
- locales
- locales-all
- lsof
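Review bot: The two comments moved to the head of the list, `# fail2ban in security` and `# rkhunter in security`, defer both packages to a `security` role, but the `playbooks/init_adze.yml` hunk in this same merge lists no such role, so unless it is applied by another play neither tool is installed on adze. If the intent is to keep them out of `common`, a pointer to where they actually get installed would make that explicit, e.g. `# fail2ban, rkhunter: installed by roles/security (not applied to adze yet)`. The task body continues into the next hunk.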
@@ -42,27 +49,32 @@
- man-db
- manpages-dev
- molly-guard
+ - moreutils
- mosh
- mtr-tiny
+ - net-tools
- netbase
- netcat
- - net-tools
- ngrep
- openssh-server
- openssl
+ - parallel
+ - pigz
- pv
- python
- python-software-properties
- # rkhunter in security
+ - ripgrep
- screen
+ - sqlite3
- sudo
- tcpdump
- tree
- - unzip
- unattended-upgrades
+ - unzip
- util-linux
- vim-nox
- wget
+ - zip
tags:
- dependencies
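Review bot: `python` and `python-software-properties` survive the reshuffle while the target host moves to bullseye; as far as I can tell `python-software-properties` was dropped from Debian some releases ago in favour of `software-properties-common`, and bullseye no longer ships an unversioned `python` package (it is `python2`/`python-is-python2`). Because the `apt` module aborts the whole task on an unknown package name, that would also prevent the newly added packages in this hunk from being installed. Worth verifying against a bullseye host; the likely fix is dropping `python-software-properties` and replacing `python` with the versioned package the playbooks actually need.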
diff --git a/roles/debian_bullseye/defaults/main.yml b/roles/debian_bullseye/defaults/main.yml
new file mode 100644
index 0000000..3703452
--- /dev/null
+++ b/roles/debian_bullseye/defaults/main.yml
@@ -0,0 +1,2 @@
+
+admin_email: "root"
diff --git a/roles/debian_bullseye/tasks/main.yml b/roles/debian_bullseye/tasks/main.yml
new file mode 100644
index 0000000..6ca1691
--- /dev/null
+++ b/roles/debian_bullseye/tasks/main.yml
@@ -0,0 +1,10 @@
+
+- name: Configure sources.list for bullseye
+ template: src=etc_apt_sources_list.j2 dest=/etc/apt/sources.list
+
+- name: Enable automatic upgrades
+ template: src=etc_apt_apt_confd_20auto_upgrades.j2 dest=/etc/apt/apt.conf.d/20auto-upgrades
+
+- name: Configure unattended upgrades for bullseye
+ template: src=etc_apt_apt_confd_50unattended_upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades
+
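Review bot: The "Configure sources.list for bullseye" task rewrites `/etc/apt/sources.list` but nothing refreshes the package index afterwards, so the `apt: pkg={{ item }} state=installed` tasks in the `common` role (which pass no `update_cache`) install from whatever lists the host had before the role ran. Either append `update_cache=yes` on the first install or add a follow-up task such as `- name: Refresh apt cache after sources.list change` / `  apt: update_cache=yes` guarded by the template's changed status. The three `template:` calls also set no `owner`/`group`/`mode`; for files under `/etc/apt` I would pin `owner=root group=root mode=0644` so a run from a non-root controller account cannot leave them with a surprising owner.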
diff --git a/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2 b/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2
new file mode 100644
index 0000000..c75a5d7
--- /dev/null
+++ b/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2 b/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2
new file mode 100644
index 0000000..967abb1
--- /dev/null
+++ b/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2
@@ -0,0 +1,94 @@
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// {{ ansible_managed }}
+//
+// Lines below have the format format is "keyword=value,...". A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line. (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted. The accepted keywords are:
+// a,archive,suite (eg, "stable")
+// c,component (eg, "main", "crontrib", "non-free")
+// l,label (eg, "Debian", "Debian-Security")
+// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
+// n,codename (eg, "bullseye", "bullseye-updates")
+// site (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+// ${distro_id} Installed origin.
+// ${distro_codename} Installed codename (eg, "bullseye")
+Unattended-Upgrade::Origins-Pattern {
+ // Codename based matching:
+ // This will follow the migration of a release through different
+ // archives (e.g. from testing to stable and later oldstable).
+ "o=Debian,n=bullseye";
+ "o=Debian,n=bullseye-updates";
+// "o=Debian,n=bullseye-proposed-updates";
+ "o=Debian,n=bullseye,l=Debian-Security";
+
+ // Archive or Suite based matching:
+ // Note that this will silently match a different release after
+ // migration to the specified archive (e.g. testing becomes the
+ // new stable).
+// "o=Debian,a=stable";
+// "o=Debian,a=stable-updates";
+// "o=Debian,a=proposed-updates";
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+ "vim";
+ "libc6";
+ "libc6-dev";
+ "libc6-i686";
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+// dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "{{ admin_email }}";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+// the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "false";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+// Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
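Review bot: The security origin patterns look like they will not match bullseye's security archive: the `etc_apt_sources_list.j2` hunk in this merge subscribes to `bullseye-security`, whose Release file carries that codename, while the patterns here are `"o=Debian,n=bullseye,l=Debian-Security"` and `"origin=Debian,codename=${distro_codename},label=Debian-Security"` (both codename `bullseye`), so as far as I can tell unattended-upgrades would silently install no security updates at all. The buster-era form should be complemented with `"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";` (the stock bullseye file lists both), and `MailOnlyOnError "true"` means this gap would not be reported by mail. Separately, `Package-Blacklist` excludes `libc6`, `libc6-dev` and `libc6-i686`, which keeps glibc security fixes out of the automatic path; if that is intentional a comment stating why and how those get applied would save the next reader a question.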
diff --git a/roles/debian_bullseye/templates/etc_apt_sources_list.j2 b/roles/debian_bullseye/templates/etc_apt_sources_list.j2
new file mode 100644
index 0000000..b0644bb
--- /dev/null
+++ b/roles/debian_bullseye/templates/etc_apt_sources_list.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+deb http://http.debian.net/debian/ bullseye main
+deb-src http://http.debian.net/debian/ bullseye main
+
+deb http://security.debian.org/debian-security bullseye-security main
+deb-src http://security.debian.org/debian-security bullseye-security main
+
+# bullseye-updates, previously known as 'volatile'
+deb http://http.debian.net/debian/ bullseye-updates main
+deb-src http://http.debian.net/debian/ bullseye-updates main
+
+# bullseye-backports, previously on backports.debian.org
+deb http://http.debian.net/debian/ bullseye-backports main
+deb-src http://http.debian.net/debian/ bullseye-backports main
diff --git a/roles/mailserver/handlers/main.yml b/roles/mailserver/handlers/main.yml
new file mode 100644
index 0000000..5c5caea
--- /dev/null
+++ b/roles/mailserver/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: restart postfix
+ service: name=postfix state=restarted
+
+- name: restart dovecot
+ service: name=dovecot state=restarted
+
+- name: restart rspamd
+ service: name=rspamd state=restarted
diff --git a/roles/mailserver/tasks/dovecot.yml b/roles/mailserver/tasks/dovecot.yml
new file mode 100644
index 0000000..9d2c20e
--- /dev/null
+++ b/roles/mailserver/tasks/dovecot.yml
@@ -0,0 +1,39 @@
+- name: Install Dovecot and related packages
+ apt: pkg={{ item }} update_cache=yes state=installed
+ with_items:
+ - dovecot-core
+ - dovecot-imapd
+ - dovecot-lmtpd
+ - dovecot-antispam
+ tags:
+ - dependencies
+
+#- name: Copy dovecot.conf into place
+# copy: src=etc_dovecot_dovecot.conf dest=/etc/dovecot/dovecot.conf
+
+#- name: Create before.d sieve scripts directory
+# file: path=/etc/dovecot/sieve/before.d state=directory owner=vmail group=dovecot recurse=yes mode=0770
+# notify: restart dovecot
+
+#- name: Configure sieve script moving spam into Junk folder
+# copy: src=etc_dovecot_sieve_before.d_no-spam.sieve dest=/etc/dovecot/sieve/before.d/no-spam.sieve owner=vmail group=dovecot
+# notify: restart dovecot
+
+#- name: Copy additional Dovecot configuration files in place
+# copy: src=etc_dovecot_conf.d_{{ item }} dest=/etc/dovecot/conf.d/{{ item }}
+# with_items:
+# - 10-auth.conf
+# - 10-mail.conf
+# - 10-master.conf
+# - 90-antispam.conf
+# - 90-plugin.conf
+# - 90-sieve.conf
+# notify: restart dovecot
+
+#- name: Update post-certificate-renewal task
+# copy:
+# content: "#!/bin/bash\n\n/etc/init.d/dovecot restart\n"
+# dest: /etc/letsencrypt/postrenew/dovecot.sh
+# mode: 0755
+# owner: root
+# group: root
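Review bot: Every configuration task in this file is commented out, so the role installs `dovecot-core`/`dovecot-imapd`/`dovecot-lmtpd` and leaves them on Debian's packaged defaults, while the `10-ssl.conf`, `15-lda.conf`, `20-imap.conf` and `dovecot-sql.conf.ext` templates added in this same merge are never rendered; the commented-out copy task's `with_items` list (`10-auth.conf` … `90-sieve.conf`) does not even name them and uses `copy:` with `src=etc_dovecot_conf.d_{{ item }}` rather than the `.j2` template names. The same applies to `roles/mailserver/tasks/postfix.yml` (main.cf/master.cf tasks commented out, `etc_postfix_*.j2` templates unused) and `roles/mailserver/tasks/rspamd.yml` (dmarc/dkim tasks commented out). A one-line header such as `# WIP: package install only; config templates in templates/ are not wired up yet` at the top of each file would make the current state of the role explicit to whoever runs it against adze.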
diff --git a/roles/mailserver/tasks/main.yml b/roles/mailserver/tasks/main.yml
new file mode 100644
index 0000000..7691288
--- /dev/null
+++ b/roles/mailserver/tasks/main.yml
@@ -0,0 +1,6 @@
+- include: postfix.yml
+ tags: postfix
+- include: dovecot.yml
+ tags: dovecot
+- include: rspamd.yml
+ tags: rspamd
diff --git a/roles/mailserver/tasks/postfix.yml b/roles/mailserver/tasks/postfix.yml
new file mode 100644
index 0000000..a36acd6
--- /dev/null
+++ b/roles/mailserver/tasks/postfix.yml
@@ -0,0 +1,18 @@
+- name: Install Postfix and related packages
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - libsasl2-modules
+ - postfix
+ - postfix-pcre
+ - sasl2-bin
+ tags:
+ - dependencies
+
+#- name: Copy main.cf
+# template: src=etc_postfix_main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root
+# notify: restart postfix
+
+#- name: Copy master.cf
+# copy: src=etc_postfix_master.cf dest=/etc/postfix/master.cf owner=root group=root
+# notify: restart postfix
+
diff --git a/roles/mailserver/tasks/rspamd.yml b/roles/mailserver/tasks/rspamd.yml
new file mode 100644
index 0000000..4d870a8
--- /dev/null
+++ b/roles/mailserver/tasks/rspamd.yml
@@ -0,0 +1,52 @@
+---
+# Installs and configures the Rspamd spam filtering system.
+
+- name: Ensure repository key for Rspamd is in place
+ apt_key: url=https://rspamd.com/apt-stable/gpg.key state=present
+ when: ansible_architecture != "armv7l"
+ tags:
+ - dependencies
+
+- name: Ensure yunohost repository key for Rspamd is in place for ARM
+ apt_key: url=http://repo.yunohost.org/debian/yunohost.asc state=present
+ when: ansible_architecture == "armv7l"
+ tags:
+ - dependencies
+
+- name: Add Rspamd repository
+ apt_repository: repo="deb https://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main"
+ when: ansible_architecture != "armv7l"
+ tags:
+ - dependencies
+
+- name: Add yunohost Rspamd repository for ARM
+ apt_repository: repo="deb http://repo.yunohost.org/debian {{ ansible_distribution_release }} stable"
+ when: ansible_architecture == "armv7l"
+ tags:
+ - dependencies
+
+- name: Install Rspamd and Redis
+ apt: pkg={{ item }} state=installed update_cache=yes
+ with_items:
+ - rspamd
+ tags:
+ - dependencies
+
+#- name: Copy DMARC configuration into place
+# template: src=etc_rspamd_local.d_dmarc.conf.j2 dest=/etc/rspamd/local.d/dmarc.conf owner=root group=root mode="0644"
+# notify: restart rspamd
+
+#- name: Copy DKIM configuration into place
+# copy: src=etc_rspamd_override.d_dkim_signing.conf dest=/etc/rspamd/override.d/dkim_signing.conf owner=root group=root mode="0644"
+# notify: restart rspamd
+
+#- name: Create dkim key directory
+# file: path=/var/lib/rspamd/dkim state=directory owner=_rspamd group=_rspamd
+
+#- name: Generate DKIM keys
+# shell: rspamadm dkim_keygen -s default -d {{ item.name }} -k {{ item.name }}.default.key > {{ item.name }}.default.txt
+# args:
+# creates: /var/lib/rspamd/dkim/{{ item.name }}.default.key
+# chdir: /var/lib/rspamd/dkim/
+# with_items: "{{ mail_virtual_domains }}"
+
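Review bot: The ARM branch fetches the repository signing key over plain HTTP (`apt_key: url=http://repo.yunohost.org/debian/yunohost.asc`), so the trust anchor for every package later installed from that repo can be swapped by anyone on the path; the non-ARM branch at least uses `https://rspamd.com/apt-stable/gpg.key`. Use an https URL and pin the expected fingerprint with the module's `id=` parameter (value taken from the vendor's published fingerprint), which also makes the task idempotent on key rotation. Both `apt_key` tasks add the key to the global trusted keyring, giving the third-party key authority over all configured repositories rather than just its own; a `signed-by` keyring is the usual mitigation if the Ansible version allows it. Minor: the task is named "Install Rspamd and Redis" but `with_items` lists only `rspamd`.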
diff --git a/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2 b/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
new file mode 100644
index 0000000..1c3a07c
--- /dev/null
+++ b/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
@@ -0,0 +1,26 @@
+# NOTE: We don't permanently redirect clients to the HTTPS address because some clients, like
+# Thunderbird, dont't follow redirections to the HTTPS URL.
+#
+# Additionally, documentation doesn't say whether the XML file should be served over either HTTP,
+# HTTPS or both, even though only the former is mentioned. Still, we allow clients to choose
+# between HTTP and HTTPS transports.
+
+<VirtualHost *:80>
+
+ ServerName {{ mail_server_autoconfig_hostname }}
+
+ DocumentRoot "/var/www/autoconfig"
+ Options -Indexes
+
+ HostnameLookups Off
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName {{ mail_server_autoconfig_hostname }}
+ SSLEngine On
+
+ DocumentRoot "/var/www/autoconfig"
+ Options -Indexes
+
+ HostnameLookups Off
+</VirtualHost>
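Review bot: The `*:443` vhost turns on `SSLEngine On` but declares no `SSLCertificateFile`/`SSLCertificateKeyFile`, so unless those are inherited from a global ssl.conf Apache will refuse to start once this is installed. No task in the `mailserver` role references this template and the adze playbook applies the `nginx` role rather than Apache, so the file appears to be unused as committed; a header comment such as `# Not deployed by any task yet; needs SSLCertificateFile/KeyFile and an Apache install` would flag that. `Options -Indexes` at vhost level (outside a `<Directory>`) is legal but unusual and worth a comment if deliberate.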
diff --git a/roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2 b/roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2
new file mode 100644
index 0000000..8ba6ae5
--- /dev/null
+++ b/roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2
@@ -0,0 +1,53 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = required
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </etc/letsencrypt/live/{{ domain }}/fullchain.pem
+ssl_key = </etc/letsencrypt/live/{{ domain }}/privkey.pem
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+#ssl_ca = /etc/ssl/ca.pem
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# How often to regenerate the SSL parameters file. Generation is quite CPU
+# intensive operation. The value is in hours, 0 disables regeneration
+# entirely.
+#ssl_parameters_regenerate = 168
+
+# SSL protocols to use
+ssl_protocols = !SSLv2 !SSLv3
+
+# SSL ciphers to use
+#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =
+
+# DH parameters length to use.
+ssl_dh_parameters_length = 2048
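Review bot: This file is written against the Dovecot 2.2 setting names, but bullseye ships Dovecot 2.3, where `ssl_protocols` was superseded by `ssl_min_protocol` and `ssl_dh_parameters_length` by an explicit `ssl_dh = <path` (the packaged 10-ssl.conf points it at `/usr/share/dovecot/dh.pem`); replacing the stock file with this template drops that `ssl_dh` line, so please confirm the installed version accepts it. `ssl_protocols = !SSLv2 !SSLv3` also still permits TLS 1.0 and 1.1; the 2.3 equivalent with a modern floor is `ssl_min_protocol = TLSv1.2`. The `ssl_cipher_list` line is left at the commented default, so the cipher policy is whatever the build's OpenSSL defaults are — fine, but worth stating in a comment if intentional.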
diff --git a/roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2 b/roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2
new file mode 100644
index 0000000..b464365
--- /dev/null
+++ b/roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2
@@ -0,0 +1,48 @@
+##
+## LDA specific settings (also used by LMTP)
+##
+
+# Address to use when sending rejection mails.
+# Default is postmaster@<your domain>.
+postmaster_address = postmaster@{{domain}}
+
+# Hostname to use in various parts of sent mails, eg. in Message-Id.
+# Default is the system's real hostname.
+hostname = {{ mail_server_hostname }}
+
+# If user is over quota, return with temporary failure instead of
+# bouncing the mail.
+#quota_full_tempfail = no
+
+# Binary to use for sending mails.
+#sendmail_path = /usr/sbin/sendmail
+
+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
+#submission_host =
+
+# Subject: header to use for rejection mails. You can use the same variables
+# as for rejection_reason below.
+#rejection_subject = Rejected: %s
+
+# Human readable error message for rejection mails. You can use variables:
+# %n = CRLF, %r = reason, %s = original subject, %t = recipient
+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
+
+# Delimiter character between local-part and detail in email address.
+#recipient_delimiter = +
+
+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
+# A commonly used header for this is X-Original-To.
+#lda_original_recipient_header =
+
+# Should saving a mail to a nonexistent mailbox automatically create it?
+#lda_mailbox_autocreate = no
+
+# Should automatically created mailboxes be also automatically subscribed?
+#lda_mailbox_autosubscribe = no
+
+protocol lda {
+ # Space separated list of plugins to load (default is global mail_plugins).
+ mail_plugins = $mail_plugins sieve
+}
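Review bot: `mail_plugins = $mail_plugins sieve` in the `protocol lda` block loads the sieve plugin, but the `dovecot.yml` task in this merge installs only `dovecot-core`, `dovecot-imapd`, `dovecot-lmtpd` and `dovecot-antispam`, not `dovecot-sieve`, so delivery would fail to start with a missing-plugin error once this template is deployed. The same mismatch appears in `etc_dovecot_conf.d_20-imap.conf.j2` (`antispam fts fts_solr` for IMAP, `sieve` for LMTP) where `dovecot-solr`/`dovecot-sieve` are likewise not installed. Either add the packages to the role or trim the plugin lists; a comment like `# requires dovecot-sieve (see tasks/dovecot.yml)` next to the line would keep the two in sync. Minor style: `postmaster@{{domain}}` here versus `{{ domain }}` everywhere else in the role.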
diff --git a/roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j2 b/roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j2
new file mode 100644
index 0000000..fcd59a5
--- /dev/null
+++ b/roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j2
@@ -0,0 +1,64 @@
+##
+## IMAP specific settings
+##
+
+protocol imap {
+ # Maximum IMAP command line length. Some clients generate very long command
+ # lines with huge mailboxes, so you may need to raise this if you get
+ # "Too long argument" or "IMAP command line too large" errors often.
+ #imap_max_line_length = 64k
+
+ # Maximum number of IMAP connections allowed for a user from each IP address.
+ # NOTE: The username is compared case-sensitively.
+ #mail_max_userip_connections = 10
+
+ # Space separated list of plugins to load (default is global mail_plugins).
+ mail_plugins = $mail_plugins antispam fts fts_solr
+
+ # IMAP logout format string:
+ # %i - total number of bytes read from client
+ # %o - total number of bytes sent to client
+ #imap_logout_format = bytes=%i/%o
+
+ # Override the IMAP CAPABILITY response. If the value begins with '+',
+ # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+ #imap_capability =
+
+ # How long to wait between "OK Still here" notifications when client is
+ # IDLEing.
+ #imap_idle_notify_interval = 2 mins
+
+ # ID field names and values to send to clients. Using * as the value makes
+ # Dovecot use the default value. The following fields have default values
+ # currently: name, version, os, os-version, support-url, support-email.
+ #imap_id_send =
+
+ # ID fields sent by client to log. * means everything.
+ #imap_id_log =
+
+ # Workarounds for various client bugs:
+ # delay-newmail:
+ # Send EXISTS/RECENT new mail notifications only when replying to NOOP
+ # and CHECK commands. Some clients ignore them otherwise, for example OSX
+ # Mail (<v2.1). Outlook Express breaks more badly though, without this it
+ # may show user "Message no longer in server" errors. Note that OE6 still
+ # breaks even with this workaround if synchronization is set to
+ # "Headers Only".
+ # tb-extra-mailbox-sep:
+ # Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
+ # adds extra '/' suffixes to mailbox names. This option causes Dovecot to
+ # ignore the extra '/' instead of treating it as invalid mailbox name.
+ # tb-lsub-flags:
+ # Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
+ # This makes Thunderbird realize they aren't selectable and show them
+ # greyed out, instead of only later giving "not selectable" popup error.
+ #
+ # The list is space-separated.
+ #imap_client_workarounds =
+}
+
+protocol lmtp {
+ # Space separated list of plugins to load (default is global mail_plugins).
+ mail_plugins = $mail_plugins sieve
+ postmaster_address = postmaster@{{ domain }}
+}
diff --git a/roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2 b/roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2
new file mode 100644
index 0000000..743b83b
--- /dev/null
+++ b/roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2
@@ -0,0 +1,138 @@
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# http://wiki2.dovecot.org/AuthDatabase/SQL
+#
+# For the sql passdb module, you'll need a database with a table that
+# contains fields for at least the username and password. If you want to
+# use the user@domain syntax, you might want to have a separate domain
+# field as well.
+#
+# If your users all have the same uig/gid, and have predictable home
+# directories, you can use the static userdb module to generate the home
+# dir based on the username and domain. In this case, you won't need fields
+# for home, uid, or gid in the database.
+#
+# If you prefer to use the sql userdb module, you'll want to add fields
+# for home, uid, and gid. Here is an example table:
+#
+# CREATE TABLE users (
+# username VARCHAR(128) NOT NULL,
+# domain VARCHAR(128) NOT NULL,
+# password VARCHAR(64) NOT NULL,
+# home VARCHAR(255) NOT NULL,
+# uid INTEGER NOT NULL,
+# gid INTEGER NOT NULL,
+# active CHAR(1) DEFAULT 'Y' NOT NULL
+# );
+
+# Database driver: mysql, pgsql, sqlite
+driver = pgsql
+
+# Database connection string. This is driver-specific setting.
+#
+# HA / round-robin load-balancing is supported by giving multiple host
+# settings, like: host=sql1.host.org host=sql2.host.org
+#
+# pgsql:
+# For available options, see the PostgreSQL documention for the
+# PQconnectdb function of libpq.
+# Use maxconns=n (default 5) to change how many connections Dovecot can
+# create to pgsql.
+#
+# mysql:
+# Basic options emulate PostgreSQL option names:
+# host, port, user, password, dbname
+#
+# But also adds some new settings:
+# client_flags - See MySQL manual
+# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
+# ssl_cert, ssl_key - For sending client-side certificates to server
+# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
+# option_file - Read options from the given file instead of
+# the default my.cnf location
+# option_group - Read options from the given group (default: client)
+#
+# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
+# Note that currently you can't use spaces in parameters.
+#
+# sqlite:
+# The path to the database file.
+#
+# Examples:
+# connect = host=192.168.1.1 dbname=users
+# connect = host=sql.example.com dbname=virtual user=virtual password=blarg
+# connect = /etc/dovecot/authdb.sqlite
+#
+connect = "host=127.0.0.1 dbname={{ mail_db_database }} user={{ mail_db_username }} password='{{ mail_db_password }}'"
+
+# Default password scheme.
+#
+# List of supported schemes is in
+# http://wiki2.dovecot.org/Authentication/PasswordSchemes
+#
+default_pass_scheme = SHA512-CRYPT
+
+# passdb query to retrieve the password. It can return fields:
+# password - The user's password. This field must be returned.
+# user - user@domain from the database. Needed with case-insensitive lookups.
+# username and domain - An alternative way to represent the "user" field.
+#
+# The "user" field is often necessary with case-insensitive lookups to avoid
+# e.g. "name" and "nAme" logins creating two different mail directories. If
+# your user and domain names are in separate fields, you can return "username"
+# and "domain" fields instead of "user".
+#
+# The query can also return other fields which have a special meaning, see
+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
+#
+# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
+# for full list):
+# %u = entire user@domain
+# %n = user part of user@domain
+# %d = domain part of user@domain
+#
+# Note that these can be used only as input to SQL query. If the query outputs
+# any of these substitutions, they're not touched. Otherwise it would be
+# difficult to have eg. usernames containing '%' characters.
+#
+# Example:
+# password_query = SELECT userid AS user, pw AS password \
+# FROM users WHERE userid = '%u' AND active = 'Y'
+#
+#password_query = \
+# SELECT username, domain, password \
+# FROM users WHERE username = '%n' AND domain = '%d'
+
+password_query = SELECT email AS user, password FROM virtual_users WHERE email = '%u';
+
+# userdb query to retrieve the user information. It can return fields:
+# uid - System UID (overrides mail_uid setting)
+# gid - System GID (overrides mail_gid setting)
+# home - Home directory
+# mail - Mail location (overrides mail_location setting)
+#
+# None of these are strictly required. If you use a single UID and GID, and
+# home or mail directory fits to a template string, you could use userdb static
+# instead. For a list of all fields that can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+#
+# Examples:
+# user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
+# user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
+# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
+#
+#user_query = \
+# SELECT home, uid, gid \
+# FROM users WHERE username = '%n' AND domain = '%d'
+
+# If you wish to avoid two SQL lookups (passdb + userdb), you can use
+# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
+# also have to return userdb fields in password_query prefixed with "userdb_"
+# string. For example:
+#password_query = \
+# SELECT userid AS user, password, \
+# home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
+# FROM users WHERE userid = '%u'
+
+# Query to get a list of all usernames.
+#iterate_query = SELECT username AS user FROM users
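Review bot: `driver = pgsql` needs Dovecot's separately packaged PostgreSQL backend (`dovecot-pgsql` in Debian), which `tasks/dovecot.yml` in this merge does not install, so auth would fail at startup once this template is rendered. The file embeds `{{ mail_db_password }}` in the `connect` string and its own header says it must be root-owned mode 0600, but no task deploys it yet; when one is added it should be `template: ... owner=root group=root mode=0600` rather than the role's usual bare `template: src=… dest=…`. The password is also interpolated inside single quotes without escaping, so a value containing `'` or whitespace would break the connect string — worth a comment or a constraint on how that vault value is generated.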
diff --git a/roles/mailserver/templates/etc_postfix_main.cf.j2 b/roles/mailserver/templates/etc_postfix_main.cf.j2
new file mode 100644
index 0000000..2416789
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_main.cf.j2
@@ -0,0 +1,126 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Modified as per http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
+
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# Accept messages up to 50MB
+message_size_limit = 51200000
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# antispam
+smtpd_helo_required = yes
+smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
+smtpd_sender_restrictions = reject_unknown_address
+disable_vrfy_command = yes
+strict_rfc821_envelopes = yes
+invalid_hostname_reject_code = 554
+multi_recipient_bounce_reject_code = 554
+non_fqdn_reject_code = 554
+relay_domains_reject_code = 554
+unknown_address_reject_code = 554
+unknown_client_reject_code = 554
+unknown_hostname_reject_code = 554
+unknown_local_recipient_reject_code = 554
+unknown_relay_recipient_reject_code = 554
+unknown_virtual_alias_reject_code = 554
+unknown_virtual_mailbox_reject_code = 554
+unverified_recipient_reject_code = 554
+unverified_sender_reject_code = 554
+
+# TLS parameters
+smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
+smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
+smtp_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_cert_file=/etc/letsencrypt/live/{{ domain }}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/{{ domain }}/privkey.pem
+smtpd_use_tls=yes
+smtpd_tls_auth_only = yes
+smtp_tls_security_level = may
+smtp_tls_loglevel = 2
+smtpd_tls_received_header = yes
+smtp_tls_note_starttls_offer = yes
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+# http://www.postfix.org/FORWARD_SECRECY_README.html
+smtp_tls_ciphers = medium
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparam2048.pem
+
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+smtpd_sasl_security_options = noanonymous
+
+# set to empty value for backwards compatibility
+# as per http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
+smtpd_relay_restrictions =
+
+smtpd_recipient_restrictions =
+ permit_sasl_authenticated,
+ permit_mynetworks,
+ reject_unauth_pipelining,
+ reject_unauth_destination,
+ reject_invalid_hostname,
+ reject_non_fqdn_hostname,
+ reject_non_fqdn_recipient,
+ reject_unknown_recipient_domain,
+ permit
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+myhostname = {{ mail_server_hostname }}
+myorigin = $mydomain
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ ' '.join(friendly_networks) }}
+#mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+# dovecot db
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+mailbox_transport = lmtp:unix:private/dovecot-lmtp
+
+dovecot_destination_recipient_limit = 1
+virtual_mailbox_domains = pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
+virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
+virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
+local_recipient_maps = $virtual_mailbox_maps
+
+# Milters: Rspamd
+smtpd_milters = inet:127.0.0.1:11332
+non_smtpd_milters = $smtpd_milters
+milter_protocol = 6
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
+milter_default_action = accept
+
+smtpd_client_restrictions = permit_sasl_authenticated
+
+# Postscreen
+postscreen_access_list = permit_mynetworks
+postscreen_dnsbl_sites =
+ sbl-xbl.spamhaus.org*2
+ cbl.abuseat.org*2
+ bl.spamcop.net*2
+ dnsbl.sorbs.net*1
+ spam.spamrats.com*2
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_action = enforce
+postscreen_greet_action = enforce
+
+{% if mail_header_privacy == 1 %}
+# Remove local client IP from headers
+smtp_header_checks = pcre:/etc/postfix/maps/smtp_header_checks.pcre
+{% endif %}
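Review bot: The "TLS parameters" section still permits TLS 1.0 and 1.1 — only SSLv2/SSLv3 are excluded on both the `smtpd_tls_*protocols` and `smtp_tls_*protocols` lines — and server-side TLS is switched on with the legacy `smtpd_use_tls=yes` instead of `smtpd_tls_security_level`. Because `smtpd_tls_auth_only = yes` puts every SASL login on the TLS path, the mandatory list at least should drop the old versions: `smtpd_tls_security_level = may`, `smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1`, and the same for `smtp_tls_mandatory_protocols`; keeping the opportunistic `*_tls_protocols` lists wider is a defensible interop choice for the inbound MX. Separately, `milter_default_action = accept` means mail is delivered unfiltered whenever rspamd on 127.0.0.1:11332 is unreachable — a reasonable availability trade-off, but one that deserves a comment saying so and an alert on the rspamd service being down. Also note that `mynetworks` grants unauthenticated relay to everything in `friendly_networks`, which is only safe if that list is kept to hosts the operator controls.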
diff --git a/roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j2 b/roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j2
new file mode 100644
index 0000000..daa0d00
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT destination FROM virtual_aliases WHERE source='%s'
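Review bot: This file and the two `mysql-virtual-*.cf.j2` templates that follow are byte-for-byte copies of the `pgsql-virtual-*.cf.j2` templates — the blob ids in the `index` headers are identical (daa0d00, d9d35a9, b2f7165) — while the new main.cf references only the `pgsql:` tables, so the mysql variants appear to be dead templates that nonetheless carry `{{ mail_db_password }}`. Either remove them or mark them, e.g. `# unused: main.cf points at the pgsql: lookup tables`. The tasks that render these files are outside this chunk; whichever backend is active, the rendered `.cf` files hold the database password in clear and should be written root-owned, group postfix, mode 0640, never world-readable.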
diff --git a/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j2 b/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j2
new file mode 100644
index 0000000..d9d35a9
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT 1 FROM virtual_domains WHERE name='%s'
diff --git a/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j2 b/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j2
new file mode 100644
index 0000000..b2f7165
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT 1 FROM virtual_users WHERE email='%s'
diff --git a/roles/mailserver/templates/etc_postfix_pgsql-virtual-alias-maps.cf.j2 b/roles/mailserver/templates/etc_postfix_pgsql-virtual-alias-maps.cf.j2
new file mode 100644
index 0000000..daa0d00
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_pgsql-virtual-alias-maps.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT destination FROM virtual_aliases WHERE source='%s'
diff --git a/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-domains.cf.j2 b/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-domains.cf.j2
new file mode 100644
index 0000000..d9d35a9
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-domains.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT 1 FROM virtual_domains WHERE name='%s'
diff --git a/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-maps.cf.j2 b/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-maps.cf.j2
new file mode 100644
index 0000000..b2f7165
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-maps.cf.j2
@@ -0,0 +1,5 @@
+user = {{ mail_db_username }}
+password = {{ mail_db_password }}
+hosts = 127.0.0.1
+dbname = {{ mail_db_database }}
+query = SELECT 1 FROM virtual_users WHERE email='%s'
diff --git a/roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2 b/roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2
new file mode 100644
index 0000000..a850af9
--- /dev/null
+++ b/roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2
@@ -0,0 +1,47 @@
+# Enables storing reporting information to redis
+reporting = true;
+
+# Actions to enforce based on DMARC disposition
+actions = {
+ quarantine = "add_header";
+ reject = "reject";
+}
+
+# From Rspamd 1.6 experimental support for generation of DMARC reports is provided.
+# send_reports MUST be true
+send_reports = true;
+
+# report_settings MUST be present
+report_settings {
+ # The following elements MUST be present
+ # organisation name to use for reports
+ org_name = "{{ organization }}";
+
+ # organisation domain
+ domain = "{{ domain }}";
+
+ # sender address to use for reports
+ email = "postmaster@{{ domain }}";
+
+ # The following elements MAY be present
+ # SMTP host to send reports to ("127.0.0.1" if unset)
+ # smtp = "127.0.0.1";
+
+ # TCP port to use for SMTP (25 if unset)
+ # smtp_port = 25;
+
+ # HELO to use for SMTP ("rspamd" if unset)
+ # helo = "rspamd";
+
+ # Number of retries on temporary errors (2 if unset)
+ # retries = 2;
+
+ # Send DMARC reports here instead of domain owners
+ # override_address = "postmaster@example.net";
+
+ # Send DMARC reports here in addition to domain owners
+ additional_address = "postmaster@{{ domain }}";
+
+ # Number of records to request with HSCAN
+ # hscan_count = 200
+}
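Review bot: `reporting = true` and `send_reports = true` depend on a Redis backend and on a periodic job that assembles and sends the aggregate reports, neither of which is configured in this file; the rspamd tasks are outside this chunk, so I cannot tell whether they are provided. A comment at the top would save the next reader a search, e.g. `# Requires a redis backend (local.d/redis.conf) and a periodic report sender; both are configured outside this file`. The "From Rspamd 1.6 experimental support" remarks read as copied from upstream documentation and are presumably stale for the rspamd version being deployed — worth trimming so they do not mislead.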
diff --git a/roles/mailserver/templates/mailserver.sql.j2 b/roles/mailserver/templates/mailserver.sql.j2
new file mode 100644
index 0000000..203c3d8
--- /dev/null
+++ b/roles/mailserver/templates/mailserver.sql.j2
@@ -0,0 +1,57 @@
+-- If tables are not dropped, have to truncate before insert or use "insert or replace" (not postgres compatible)
+
+DROP TABLE IF EXISTS "virtual_users";
+DROP TABLE IF EXISTS "virtual_aliases";
+DROP TABLE IF EXISTS "virtual_domains";
+
+CREATE TABLE IF NOT EXISTS "virtual_domains" (
+ "id" SERIAL,
+ "name" TEXT NOT NULL,
+ PRIMARY KEY ("id")
+);
+
+CREATE UNIQUE INDEX name_idx ON virtual_domains (name);
+
+CREATE TABLE IF NOT EXISTS "virtual_users" (
+ "id" SERIAL,
+ "domain_id" int NOT NULL,
+ "password" TEXT NOT NULL,
+ "email" TEXT NOT NULL UNIQUE,
+ PRIMARY KEY ("id"),
+ FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+);
+
+
+CREATE UNIQUE INDEX email_idx ON virtual_users (email);
+
+CREATE TABLE IF NOT EXISTS "virtual_aliases" (
+ "id" SERIAL,
+ "domain_id" int NOT NULL,
+ "source" TEXT NOT NULL,
+ "destination" TEXT NOT NULL,
+ PRIMARY KEY ("id"),
+ FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+);
+
+CREATE INDEX source_idx ON virtual_aliases (source);
+
+{% for virtual_domain in mail_virtual_domains %}
+INSERT INTO "virtual_domains" ("id", "name")
+ VALUES ('{{ virtual_domain.pk_id }}', '{{ virtual_domain.name }}');
+{% endfor %}
+
+{% for virtual_user in mail_virtual_users %}
+INSERT INTO "virtual_users" ("domain_id", "password" , "email")
+ VALUES (
+ '{{ virtual_user.domain_pk_id }}',
+ '{{ virtual_user.password | doveadm_pw_hash }}',
+ '{{ virtual_user.account }}@{{ virtual_user.domain }}'
+ );
+{% endfor %}
+
+{% if mail_virtual_aliases is defined %}
+{% for virtual_alias in mail_virtual_aliases %}
+INSERT INTO "virtual_aliases" ("domain_id", "source", "destination")
+ VALUES ('{{ virtual_alias.domain_pk_id }}', '{{ virtual_alias.source }}', '{{virtual_alias.destination }}');
+{% endfor %}
+{% endif %}
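Review bot: The INSERT statements splice inventory values straight into single-quoted SQL literals (`virtual_domain.name`, `virtual_user.account`, `virtual_user.domain`, `virtual_alias.source`, `virtual_alias.destination`) with no escaping, so a value containing a `'` — which is legal in an email local part — breaks the script or changes its meaning. The inputs are operator-controlled, so this is a robustness rather than an injection concern, but the escape is cheap: `'{{ virtual_alias.source | replace("'", "''") }}'`, and likewise for the other text columns. Minor: `CREATE TABLE IF NOT EXISTS` directly after `DROP TABLE IF EXISTS` is redundant, and `email_idx` duplicates the `UNIQUE` constraint already declared on `virtual_users.email`.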
diff --git a/roles/mailserver/templates/usr_share_z-push_config.php.j2 b/roles/mailserver/templates/usr_share_z-push_config.php.j2
new file mode 100644
index 0000000..a351df1
--- /dev/null
+++ b/roles/mailserver/templates/usr_share_z-push_config.php.j2
@@ -0,0 +1,306 @@
+<?php
+/***********************************************
+* File : config.php
+* Project : Z-Push
+* Descr : Main configuration file
+*
+* Created : 01.10.2007
+*
+* Copyright 2007 - 2013 Zarafa Deutschland GmbH
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License, version 3,
+* as published by the Free Software Foundation with the following additional
+* term according to sec. 7:
+*
+* According to sec. 7 of the GNU Affero General Public License, version 3,
+* the terms of the AGPL are supplemented with the following terms:
+*
+* "Zarafa" is a registered trademark of Zarafa B.V.
+* "Z-Push" is a registered trademark of Zarafa Deutschland GmbH
+* The licensing of the Program under the AGPL does not imply a trademark license.
+* Therefore any rights, title and interest in our trademarks remain entirely with us.
+*
+* However, if you propagate an unmodified version of the Program you are
+* allowed to use the term "Z-Push" to indicate that you distribute the Program.
+* Furthermore you may use our trademarks where it is necessary to indicate
+* the intended purpose of a product or service provided you use it in accordance
+* with honest practices in industrial or commercial matters.
+* If you want to propagate modified versions of the Program under the name "Z-Push",
+* you may only do so if you have a written permission by Zarafa Deutschland GmbH
+* (to acquire a permission please contact Zarafa at trademark@zarafa.com).
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see <http://www.gnu.org/licenses/>.
+*
+* Consult LICENSE file for details
+************************************************/
+
+/**********************************************************************************
+ * Default settings
+ */
+ // Defines the default time zone, change e.g. to "Europe/London" if necessary
+ define('TIMEZONE', '{{ zpush_timezone }}');
+
+ // Defines the base path on the server
+ define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
+
+ // Try to set unlimited timeout
+ define('SCRIPT_TIMEOUT', 0);
+
+ // When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP
+ define('USE_X_FORWARDED_FOR_HEADER', false);
+
+ // When using client certificates, we can check if the login sent matches the owner of the certificate.
+ // This setting specifies the owner parameter in the certificate to look at.
+ define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
+
+/**********************************************************************************
+ * Default FileStateMachine settings
+ */
+ define('STATE_DIR', '/decrypted/zpush-state/');
+
+
+/**********************************************************************************
+ * Logging settings
+ * Possible LOGLEVEL and LOGUSERLEVEL values are:
+ * LOGLEVEL_OFF - no logging
+ * LOGLEVEL_FATAL - log only critical errors
+ * LOGLEVEL_ERROR - logs events which might require corrective actions
+ * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
+ * LOGLEVEL_INFO - usually completed actions
+ * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
+ * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
+ * LOGLEVEL_DEVICEID - also prints the device id for every log entry
+ * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
+ *
+ * The verbosity increases from top to bottom. More verbose levels include less verbose
+ * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
+ * LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
+ */
+ define('LOGFILEDIR', '/var/log/z-push/');
+ define('LOGFILE', LOGFILEDIR . 'z-push.log');
+ define('LOGERRORFILE', LOGFILEDIR . 'z-push-error.log');
+ define('LOGLEVEL', LOGLEVEL_INFO);
+ define('LOGAUTHFAIL', false);
+
+
+ // To save e.g. WBXML data only for selected users, add the usernames to the array
+ // The data will be saved into a dedicated file per user in the LOGFILEDIR
+ // Users have to be encapusulated in quotes, several users are comma separated, like:
+ // $specialLogUsers = array('info@domain.com', 'myusername');
+ define('LOGUSERLEVEL', LOGLEVEL_DEVICEID);
+ $specialLogUsers = array();
+
+ // Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem'
+ // Uncomment and modify the following line if the validation of the certificates fails.
+ // define('CAINFO', '/etc/ssl/certs/EmailCA.pem');
+
+/**********************************************************************************
+ * Mobile settings
+ */
+ // Device Provisioning
+ define('PROVISIONING', true);
+
+ // This option allows the 'loose enforcement' of the provisioning policies for older
+ // devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution
+ // false (default) - Enforce provisioning for all devices
+ // true - allow older devices, but enforce policies on devices which support it
+ define('LOOSE_PROVISIONING', false);
+
+ // Default conflict preference
+ // Some devices allow to set if the server or PIM (mobile)
+ // should win in case of a synchronization conflict
+ // SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins
+ // SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default)
+ define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM);
+
+ // Global limitation of items to be synchronized
+ // The mobile can define a sync back period for calendar and email items
+ // For large stores with many items the time period could be limited to a max value
+ // If the mobile transmits a wider time period, the defined max value is used
+ // Applicable values:
+ // SYNC_FILTERTYPE_ALL (default, no limitation)
+ // SYNC_FILTERTYPE_1DAY, SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS,
+ // SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS
+ define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_3MONTHS);
+
+ // Interval in seconds before checking if there are changes on the server when in Ping.
+ // It means the highest time span before a change is pushed to a mobile. Set it to
+ // a higher value if you have a high load on the server.
+ define('PING_INTERVAL', 30);
+
+ // Interval in seconds to force a re-check of potentially missed notifications when
+ // using a changes sink. Default are 300 seconds (every 5 min).
+ // This can also be disabled by setting it to false
+ define('SINK_FORCERECHECK', 300);
+
+ // Set the fileas (save as) order for contacts in the webaccess/webapp/outlook.
+ // It will only affect new/modified contacts on the mobile which then are synced to the server.
+ // Possible values are:
+ // SYNC_FILEAS_FIRSTLAST - fileas will be "Firstname Middlename Lastname"
+ // SYNC_FILEAS_LASTFIRST - fileas will be "Lastname, Firstname Middlename"
+ // SYNC_FILEAS_COMPANYONLY - fileas will be "Company"
+ // SYNC_FILEAS_COMPANYLAST - fileas will be "Company (Lastname, Firstname Middlename)"
+ // SYNC_FILEAS_COMPANYFIRST - fileas will be "Company (Firstname Middlename Lastname)"
+ // SYNC_FILEAS_LASTCOMPANY - fileas will be "Lastname, Firstname Middlename (Company)"
+ // SYNC_FILEAS_FIRSTCOMPANY - fileas will be "Firstname Middlename Lastname (Company)"
+ // The company-fileas will only be set if a contact has a company set. If one of
+ // company-fileas is selected and a contact doesn't have a company set, it will default
+ // to SYNC_FILEAS_FIRSTLAST or SYNC_FILEAS_LASTFIRST (depending on if last or first
+ // option is selected for company).
+ // If SYNC_FILEAS_COMPANYONLY is selected and company of the contact is not set
+ // SYNC_FILEAS_LASTFIRST will be used
+ define('FILEAS_ORDER', SYNC_FILEAS_LASTFIRST);
+
+ // Amount of items to be synchronized per request
+ // Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100.
+ // Exporting too much items can cause mobile timeout on busy systems.
+ // Z-Push will use the lowest value, either set here or by the mobile.
+ // default: 100 - value used if mobile does not limit amount of items
+ define('SYNC_MAX_ITEMS', 100);
+
+ // The devices usually send a list of supported properties for calendar and contact
+ // items. If a device does not includes such a supported property in Sync request,
+ // it means the property's value will be deleted on the server.
+ // However some devices do not send a list of supported properties. It is then impossible
+ // to tell if a property was deleted or it was not set at all if it does not appear in Sync.
+ // This parameter defines Z-Push behaviour during Sync if a device does not issue a list with
+ // supported properties.
+ // See also https://jira.zarafa.com/browse/ZP-302.
+ // Possible values:
+ // false - do not unset properties which are not sent during Sync (default)
+ // true - unset properties which are not sent during Sync
+ define('UNSET_UNDEFINED_PROPERTIES', false);
+
+ // ActiveSync specifies that a contact photo may not exceed 48 KB. This value is checked
+ // in the semantic sanity checks and contacts with larger photos are not synchronized.
+ // This limitation is not being followed by the ActiveSync clients which set much bigger
+ // contact photos. You can override the default value of the max photo size.
+ // default: 49152 - 48 KB default max photo size in bytes
+ define('SYNC_CONTACTS_MAXPICTURESIZE', 49152);
+
+/**********************************************************************************
+ * Backend settings
+ */
+ // the backend data provider
+ define('BACKEND_PROVIDER', 'BackendIMAP');
+
+
+ // ************************
+ // BackendZarafa settings
+ // ************************
+ // Defines the server to which we want to connect
+ define('MAPI_SERVER', 'file:///var/run/zarafa');
+
+
+ // ************************
+ // BackendIMAP settings
+ // ************************
+ // Defines the server to which we want to connect
+ define('IMAP_SERVER', 'localhost');
+ // connecting to default port (143)
+ define('IMAP_PORT', 993);
+ // best cross-platform compatibility (see http://php.net/imap_open for options)
+ define('IMAP_OPTIONS', '/ssl/novalidate-cert');
+ // overwrite the "from" header if it isn't set when sending emails
+ // options: 'username' - the username will be set (usefull if your login is equal to your emailaddress)
+ // 'domain' - the value of the "domain" field is used
+ // '@mydomain.com' - the username is used and the given string will be appended
+ define('IMAP_DEFAULTFROM', '');
+ // copy outgoing mail to this folder. If not set d-push will try the default folders
+ define('IMAP_SENTFOLDER', 'Sent');
+ // forward messages inline (default false - as attachment)
+ define('IMAP_INLINE_FORWARD', false);
+ // don't use imap_mail() to send emails.
+ // true (default, uses imap_mail, which is broken - false uses mail(),
+ // which handles cc and from in a more sane way)
+ define('IMAP_USE_IMAPMAIL', false);
+
+
+ // ************************
+ // BackendMaildir settings
+ // ************************
+ define('MAILDIR_BASE', '/tmp');
+ define('MAILDIR_SUBDIR', 'Maildir');
+
+ // **********************
+ // BackendVCardDir settings
+ // **********************
+ define('VCARDDIR_DIR', '/home/%u/.kde/share/apps/kabc/stdvcf');
+
+
+/**********************************************************************************
+ * Search provider settings
+ *
+ * Alternative backend to perform SEARCH requests (GAL search)
+ * By default the main Backend defines the preferred search functionality.
+ * If set, the Search Provider will always be preferred.
+ * Use 'BackendSearchLDAP' to search in a LDAP directory (see backend/searchldap/config.php)
+ */
+ define('SEARCH_PROVIDER', '');
+ // Time in seconds for the server search. Setting it too high might result in timeout.
+ // Setting it too low might not return all results. Default is 10.
+ define('SEARCH_WAIT', 10);
+ // The maximum number of results to send to the client. Setting it too high
+ // might result in timeout. Default is 10.
+ define('SEARCH_MAXRESULTS', 10);
+
+
+/**********************************************************************************
+ * Synchronize additional folders to all mobiles
+ *
+ * With this feature, special folders can be synchronized to all mobiles.
+ * This is useful for e.g. global company contacts.
+ *
+ * This feature is supported only by certain devices, like iPhones.
+ * Check the compatibility list for supported devices:
+ * http://z-push.sf.net/compatibility
+ *
+ * To synchronize a folder, add a section setting all parameters as below:
+ * store: the ressource where the folder is located.
+ * Zarafa users use 'SYSTEM' for the 'Public Folder'
+ * folderid: folder id of the folder to be synchronized
+ * name: name to be displayed on the mobile device
+ * type: supported types are:
+ * SYNC_FOLDER_TYPE_USER_CONTACT
+ * SYNC_FOLDER_TYPE_USER_APPOINTMENT
+ * SYNC_FOLDER_TYPE_USER_TASK
+ * SYNC_FOLDER_TYPE_USER_MAIL
+ *
+ * Additional notes:
+ * - on Zarafa systems use backend/zarafa/listfolders.php script to get a list
+ * of available folders
+ *
+ * - all Z-Push users must have full writing permissions (secretary rights) so
+ * the configured folders can be synchronized to the mobile
+ *
+ * - this feature is only partly suitable for multi-tenancy environments,
+ * as ALL users from ALL tenents need access to the configured store & folder.
+ * When configuring a public folder, this will cause problems, as each user has
+ * a different public folder in his tenant, so the folder are not available.
+
+ * - changing this configuration could cause HIGH LOAD on the system, as all
+ * connected devices will be updated and load the data contained in the
+ * added/modified folders.
+ */
+
+ $additionalFolders = array(
+ // demo entry for the synchronization of contacts from the public folder.
+ // uncomment (remove '/*' '*/') and fill in the folderid
+/*
+ array(
+ 'store' => "SYSTEM",
+ 'folderid' => "",
+ 'name' => "Public Contacts",
+ 'type' => SYNC_FOLDER_TYPE_USER_CONTACT,
+ ),
+*/
+ );
+
+?> \ No newline at end of file
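Review bot: `IMAP_OPTIONS` is `/ssl/novalidate-cert`, which disables certificate validation on the Z-Push to IMAP connection; with `IMAP_SERVER` set to `localhost` the exposure is loopback-only, but the comment above `IMAP_PORT` still says `connecting to default port (143)` while the value is 993, so the two lines should describe what actually happens, e.g. `// IMAPS over loopback on 993; certificate validation intentionally skipped for the localhost connection`. Separately, `LOGAUTHFAIL` is `false`, so failed ActiveSync logins are not written to the log and cannot feed fail2ban-style detection; `define('LOGAUTHFAIL', true);` is the defender-friendly default. The `STATE_DIR` and `LOGFILEDIR` paths must exist and be writable by the web server user — the tasks that create them are outside this chunk.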
diff --git a/roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2 b/roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2
new file mode 100644
index 0000000..8ca98ab
--- /dev/null
+++ b/roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<clientConfig version="1.1">
+ <emailProvider id="{{ domain }}">
+ <domain>{{ domain }}</domain>
+ <displayName>{{ domain }}</displayName>
+ <displayShortName>{{ domain }}</displayShortName>
+ <incomingServer type="imap">
+ <hostname>{{ mail_server_hostname }}</hostname>
+ <port>993</port>
+ <socketType>SSL</socketType>
+ <authentication>password-cleartext</authentication>
+ <username>%EMAILADDRESS%</username>
+ </incomingServer>
+ <incomingServer type="pop3">
+ <hostname>{{ mail_server_hostname }}</hostname>
+ <port>995</port>
+ <socketType>SSL</socketType>
+ <authentication>password-cleartext</authentication>
+ <username>%EMAILADDRESS%</username>
+ </incomingServer>
+ <outgoingServer type="smtp">
+ <hostname>{{ mail_server_hostname }}</hostname>
+ <port>587</port>
+ <socketType>STARTTLS</socketType>
+ <authentication>password-cleartext</authentication>
+ <username>%EMAILADDRESS%</username>
+ </outgoingServer>
+ </emailProvider>
+</clientConfig>
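Review bot: The autoconfig advertises a POP3 service on 995 alongside IMAP and submission, but nothing in this chunk shows dovecot's `protocols` including pop3 (the dovecot configuration is outside this chunk); if only imap and lmtp are served, clients that pick the pop3 entry get a connection refused. Either confirm pop3 is enabled or drop the `<incomingServer type="pop3">` block, and add an XML comment above the remaining entries noting that `password-cleartext` is only offered because every listed endpoint is SSL or STARTTLS.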
diff --git a/roles/nginx/HOWTO_letsencrypt.txt b/roles/nginx/HOWTO_letsencrypt.txt
index ada7075..bf9d0d7 100644
--- a/roles/nginx/HOWTO_letsencrypt.txt
+++ b/roles/nginx/HOWTO_letsencrypt.txt
@@ -39,6 +39,21 @@ cert), do something like this:
-d static.bnewbold.net \
-d git.bnewbold.net
+ sudo letsencrypt certonly \
+ --non-interactive \
+ --agree-tos \
+ --email bnewbold@the-nsa.org \
+ --webroot -w /var/www/letsencrypt \
+ -d bnewbold.the-nsa.org \
+ -d files.bnewbold.the-nsa.org \
+ -d hashbase.bnewbold.the-nsa.org \
+ -d modelthing.the-nsa.org \
+ -d obscurity.bnewbold.the-nsa.org \
+ -d repro.bnewbold.the-nsa.org \
+ -d perf.bnewbold.the-nsa.org --expand
+
+ # formerly: very-flat.com
+
The above will yield a cert at the following path (presumably path has the
first domain name):
diff --git a/roles/nginx/HOWTO_new_site.txt b/roles/nginx/HOWTO_new_site.txt
index 1834e93..777665b 100644
--- a/roles/nginx/HOWTO_new_site.txt
+++ b/roles/nginx/HOWTO_new_site.txt
@@ -21,6 +21,11 @@ For a reverse proxied website:
listen [::]:80;
server_name <example.com>;
+ location = /favicon.ico {
+ access_log off;
+ log_not_found off;
+ }
+
location /theme_static/ {
alias /some/static/files/dir/theme_static/;
}
@@ -35,19 +40,32 @@ For a reverse proxied website:
For SSL stuff, add this to the body:
- listen 443 ssl spdy;
- listen [::]:443 ssl spdy;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/<cert-name>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<cert-name>/privkey.pem;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'";
+ #add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
add_header X-Frame-Options "SAMEORIGIN"; # 'always' if nginx > 1.7.5
add_header X-Content-Type-Options "nosniff"; # 'always' if nginx > 1.7.5
add_header X-Xss-Protection "1";
# Enable STS with one year period (breaks http; optional)
#add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
+
+ if ($scheme = http) {
+ return 301 https://$server_name$request_uri;
+ }
+
+ # Let's Encrypt SSL Certs
+ location /.well-known/acme-challenge/ {
+ root /var/www/letsencrypt;
+ autoindex off;
+ }
+
+
If your site is going to have inline Javascript (pretty common), you might need
to swith the Content-Security-Policy line to: