Update to 2021-12-01 19:13

roles/zimbra/tasks/antispam.yml

@@ -0,0 +1 @@
+---

roles/zimbra/tasks/apache.yml

@@ -0,0 +1 @@
+---

roles/zimbra/tasks/cas.yml

@@ -0,0 +1,239 @@
+---
+
+- name: Install cas client lib
+  get_url:
+    url: "{{ item.url }}"
+    checksum: sha1:{{ item.sha1 }}
+    dest: /opt/zimbra/jetty/common/lib/
+  loop: "{{ zcs_cas_libs }}"
+  tags: zcs
+
+- name: Get or generate a pre authentication key
+  shell: |
+    KEY=$(/opt/zimbra/bin/zmprov getDomain {{ item }} zimbrapreauthkey | perl -ne '/^(?:zimbraP|p)reAuthKey: (.*)/ && print $1')
+    [ -z $KEY ] && KEY=$(/opt/zimbra/bin/zmprov generateDomainPreAuthKey {{ item }} | perl -ne '/^(?:zimbraP|p)reAuthKey: (.*)/ && print $1')
+    echo $KEY
+  become_user: zimbra
+  register: zcs_preauthkeys
+  changed_when: False
+  loop: "{{ zcs_domains.keys() | list }}"
+  tags: zcs
+
+- name: Install preauth pages
+  template: src=cas_preauth.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbra/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra
+  loop: "{{ zcs_preauthkeys.results }}"
+  notify: restart zimbra
+  tags: zcs
+
+- name: Install admin preauth pages
+  template: src=cas_preauth_admin.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra
+  loop: "{{ zcs_preauthkeys.results }}"
+  notify: restart zimbra
+  tags: zcs
+
+- name: Configure CAS filters
+  blockinfile:
+    path: /opt/zimbra/jetty/etc/zimbra.web.xml.in
+    block: |2
+
+      {% for domain in zcs_domains.keys() | list %}
+      {% if zcs_domains[domain].cas is defined and zcs_domains[domain].cas.enabled is defined and zcs_domains[domain].cas.enabled %}
+      <!-- CAS filters for domain {{ domain }} -->
+      <filter>
+        <filter-name>CasSingleSignOutFilter{{ domain }}</filter-name>
+        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
+        <init-param>
+          <param-name>casServerUrlPrefix</param-name>
+          <param-value>{{ zcs_domains[domain].cas.server_url }}</param-value>
+        </init-param>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasSingleSignOutFilter{{ domain }}</filter-name>
+        <url-pattern>/*</url-pattern>
+      </filter-mapping>
+
+      <listener>
+        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
+      </listener>
+
+      <filter>
+        <filter-name>CasAuthenticationFilter{{ domain }}</filter-name>
+        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
+        <init-param>
+          <param-name>casServerLoginUrl</param-name>
+          <param-value>{{ zcs_domains[domain].cas.server_url }}/login</param-value>
+        </init-param>
+        <init-param>
+          <param-name>serverName</param-name>
+          <param-value>{{ zcs_domains[domain].public_url }}</param-value>
+        </init-param>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasAuthenticationFilter{{ domain }}</filter-name>
+        <url-pattern>/public/preauth_{{ domain }}.jsp</url-pattern>
+      </filter-mapping>
+
+      <filter>
+        <filter-name>CasValidationFilter{{ domain }}</filter-name>
+        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
+        <init-param>
+          <param-name>casServerUrlPrefix</param-name>
+          <param-value>{{ zcs_domains[domain].cas.server_url }}</param-value>
+        </init-param>
+        <init-param>
+          <param-name>serverName</param-name>
+          <param-value>{{ zcs_domains[domain].public_url }}</param-value>
+        </init-param>
+        <init-param>
+          <param-name>redirectAfterValidation</param-name>
+          <param-value>true</param-value>
+        </init-param>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasValidationFilter{{ domain }}</filter-name>
+        <url-pattern>/*</url-pattern>
+      </filter-mapping>
+      <!-- End CAS filter config for domain {{ domain }} -->
+
+      {% else %}
+
+      <!-- CAS not enabled for domain {{ domain }} -->
+
+      {% endif %}
+      {% endfor %}
+
+      <filter>
+        <filter-name>CasHttpServletRequestWrapperFilter</filter-name>
+        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasHttpServletRequestWrapperFilter</filter-name>
+        <url-pattern>/public/*</url-pattern>
+      </filter-mapping>
+
+      <!-- prevent Zimbra from adding ;jsessionid=XXXX in the URL, which the CAS server could reject
+           as it doesn't match the initial service anymore -->
+      <session-config>
+        <tracking-mode>COOKIE</tracking-mode>
+      </session-config>
+    marker: '<!-- "# {mark} ANSIBLE MANAGED BLOCK" -->'
+    insertafter: '</error-page>'
+    validate: xmllint %s
+  notify: restart zimbra
+  tags: zcs
+
+- name: Configure CAS admin filters
+  blockinfile:
+    path: /opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in
+    block: |2
+
+      {% for domain in zcs_domains.keys() | list %}
+      {% if zcs_domains[domain].cas is defined and zcs_domains[domain].cas.enabled is defined and zcs_domains[domain].cas.enabled %}
+      <!-- CAS filters for domain {{ domain }} -->
+      <filter>
+        <filter-name>CasSingleSignOutFilter{{ domain }}</filter-name>
+        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
+        <init-param>
+          <param-name>casServerUrlPrefix</param-name>
+          <param-value>{{ zcs_domains[domain].cas.server_url }}</param-value>
+        </init-param>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasSingleSignOutFilter{{ domain }}</filter-name>
+        <url-pattern>/*</url-pattern>
+      </filter-mapping>
+
+      <listener>
+        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
+      </listener>
+
+      <filter>
+        <filter-name>CasAuthenticationFilter{{ domain }}</filter-name>
+        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
+        <init-param>
+          <param-name>casServerLoginUrl</param-name>
+          <param-value>{{ zcs_domains[domain].cas.server_url }}/login</param-value>
+        </init-param>
+        <init-param>
+          <param-name>serverName</param-name>
+          <param-value>{{ zcs_domains[domain].admin_url }}</param-value>
+        </init-param>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasAuthenticationFilter{{ domain }}</filter-name>
+        <url-pattern>/public/preauth_{{ domain }}.jsp</url-pattern>
+      </filter-mapping>
+
+      <filter>
+        <filter-name>CasValidationFilter{{ domain }}</filter-name>
+        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
+        <init-param>
+          <param-name>casServerUrlPrefix</param-name>
+          <param-value>{{ zcs_domains[domain].cas.server_url }}</param-value>
+        </init-param>
+        <init-param>
+          <param-name>serverName</param-name>
+          <param-value>{{ zcs_domains[domain].admin_url }}</param-value>
+        </init-param>
+        <init-param>
+          <param-name>redirectAfterValidation</param-name>
+          <param-value>true</param-value>
+        </init-param>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasValidationFilter{{ domain }}</filter-name>
+        <url-pattern>/*</url-pattern>
+      </filter-mapping>
+
+      <!-- End of CAS filters settings for domaine {{ domain }} -->
+
+      {% else %}
+
+      <!-- CAS not enabled for domain {{ domain }} -->
+
+      {% endif %}
+      {% endfor %}
+
+      <filter>
+        <filter-name>CasHttpServletRequestWrapperFilter</filter-name>
+        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasHttpServletRequestWrapperFilter</filter-name>
+        <url-pattern>/public/*</url-pattern>
+      </filter-mapping>
+
+      <!-- prevent Zimbra from adding ;jsessionid=XXXX in the URL, which the CAS server could reject
+           as it doesn't match the initial service anymore -->
+      <session-config>
+        <tracking-mode>COOKIE</tracking-mode>
+      </session-config>
+    marker: '<!-- "# {mark} ANSIBLE MANAGED BLOCK" -->'
+    insertafter: '</error-page>'
+    validate: xmllint %s
+  notify: restart zimbra
+  tags: zcs
+
+- name: Configure login and logout URL
+  shell: |
+    /opt/zimbra/bin/zmprov modifyDomain {{ item }} zimbraWebClientLoginURL "{{ zcs_domains[item].public_url | regex_replace('/$','') }}/public/preauth_{{ item }}.jsp"
+    /opt/zimbra/bin/zmprov modifyDomain {{ item }} zimbraAdminConsoleLoginURL "{{ zcs_domains[item].admin_url | regex_replace('/$','') }}/zimbraAdmin/public/preauth_{{ item }}.jsp"
+    /opt/zimbra/bin/zmprov modifyDomain {{ item }} zimbraWebClientLogoutURL "{{ zcs_domains[item].cas.server_url | regex_replace('/$','') }}/logout"
+    /opt/zimbra/bin/zmprov modifyDomain {{ item }} zimbraAdminConsoleLogoutURL "{{ zcs_domains[item].cas.server_url | regex_replace('/$','') }}/logout"
+  become_user: zimbra
+  loop: "{{ zcs_domains.keys() | list }}"
+  when:
+    - zcs_domains[item].cas is defined
+    - zcs_domains[item].cas.enabled is defined
+    - zcs_domains[item].cas.enabled == True
+  changed_when: False
+  tags: zcs
+

roles/zimbra/tasks/filebeat.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Deploy filebeat configuration
+  template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_inputs.d/zimbra.yml
+  tags: zcs,log

roles/zimbra/tasks/install.yml

@@ -0,0 +1,36 @@
+---
+
+- name: Create temp dir
+  file: path=/tmp/zimbra state=directory
+  tags: zcs
+
+- name: Download Zimbra
+  get_url:
+    url: "{{ zcs_archive_url }}"
+    dest: /tmp/zimbra
+    checksum: "sha1:{{ zcs_archive_sha1 }}"
+  tags: zcs
+
+- name: Extract Zimbra archive
+  unarchive:
+    src: /tmp/zimbra/{{ zcs_archive_name }}
+    dest: /tmp/zimbra
+    remote_src: True
+  tags: zcs
+
+- name: Upload installation scripts
+  template: src={{ item }}.j2 dest=/tmp/zimbra/{{ item }}
+  loop:
+    - zcs_install_answers
+    - zcs_init_config
+  tags: zcs
+
+- name: Install Zimbra
+  shell: ./install.sh -s < /tmp/zimbra/zcs_install_answers
+  args:
+    chdir: /tmp/zimbra/{{ zcs_archive_name | splitext | first }}
+  tags: zcs
+
+- name: Provision initial configuration
+  shell: /opt/zimbra/libexec/zmsetup.pl -c /tmp/zimbra/zcs_init_config
+  tags: zcs

roles/zimbra/tasks/ldap.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Handle Zimbra LDAP ports
+  iptables_raw:
+    name: zcs_ldap_ports
+    state: "{{ (zcs_cluster_ip | length > 0 ) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports 389,636 -s {{ (zcs_cluster_ip + zcs_ldap_src_ip) | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: zcs

roles/zimbra/tasks/logger.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Handle Zimbra logger ports
+  iptables_raw:
+    name: zcs_logger_ports
+    state: "{{ (zcs_cluster_ip | length > 0 ) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p udp --dport 514 -s {{ zcs_cluster_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: zcs
+

roles/zimbra/tasks/mailbox.yml

@@ -0,0 +1,158 @@
+---
+
+- name: Install needed tools
+  yum:
+    name:
+      - git
+  tags: zcs
+
+- name: Configure MySQL bind IP
+  ini_file:
+    section: mysqld
+    option: bind-address
+    value: 0.0.0.0
+    path: /opt/zimbra/conf/my.cnf
+    mode: 0640
+    owner: zimbra
+    group: zimbra
+  notify: restart zimbra
+  tags: zcs
+
+- name: Get MySQL root password
+  shell: /opt/zimbra/bin/zmlocalconfig -s mysql_root_password | awk '{ print $3 }'
+  become_user: zimbra
+  register: zcs_mysql_root_password
+  changed_when: False
+  tags: zcs
+
+- name: Create sqladmin user account
+  mysql_user:
+    name: sqladmin
+    password: '{{ mysql_admin_pass }}'
+    host: '%'
+    priv: '*.*:ALL,GRANT'
+    state: present
+    login_user: root
+    login_password: "{{ zcs_mysql_root_password.stdout }}"
+    login_unix_socket: /opt/zimbra/data/tmp/mysql/mysql.sock
+  when: mysql_admin_pass is defined
+  tags: zcs
+
+- name: Handle Zimbra store ports
+  iptables_raw:
+    name: zcs_store_ports
+    state: "{{ (zcs_cluster_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports 143,993,7143,7993 -s {{ zcs_cluster_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -m state --state NEW -p tcp -m multiport --dports 110,995,7110,7995 -s {{ zcs_cluster_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -m state --state NEW -p tcp -m multiport --dports 8080,8443,7071,7072,7073 -s {{ zcs_cluster_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -m state --state NEW -p tcp -m multiport --dports 7025,7026 -s {{ zcs_cluster_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -m state --state NEW -p tcp -m multiport --dports 8735,8736 -s {{ zcs_cluster_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: zcs
+
+- name: Handle Zimbra MySQL ports
+  iptables_raw:
+    name: zcs_mysql_ports
+    state: "{{ (zcs_mysql_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport 7306 -s {{ zcs_mysql_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: zcs
+
+  #- name: Create ShareToolki cache dir
+  #  file: path=/opt/zimbra/addon_cache/sharetoolkit state=directory
+  #  tags: zcs
+  #
+  #- name: Clone ShareToolkit repo
+  #  git:
+  #    repo: https://github.com/Zimbra-Community/shared-mailbox-toolkit.git
+  #    dest: /opt/zimbra/addon_cache/sharetoolkit
+  #    force: True
+  #  register: zcs_sharetoolkit_repo
+  #  notify: restart zmmailboxd
+  #  tags: zcs
+  #
+  #- name: Remove previous ShareToolkit client zimlet
+  #  file: path=/opt/zimbra/zimlets-deployed/_dev/tk_barrydegraaff_sharetoolkit_client state=absent
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+  #
+  #- name: Create ShareToolkit client Zimlet directory
+  #  file: path=/opt/zimbra/zimlets-deployed/_dev/ state=directory
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+  #
+  #- name: Deploy ShareToolkit client zimlet
+  #  copy: src=/opt/zimbra/addon_cache/sharetoolkit/tk_barrydegraaff_sharetoolkit_client dest=/opt/zimbra/zimlets-deployed/_dev/ remote_src=True
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+  #
+  #- name: Undeploy previous ShareToolkit Zimlet
+  #  command: /opt/zimbra/bin/zmzimletctl undeploy tk_barrydegraaff_sharetoolkit_admin
+  #  become_user: zimbra
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+  #
+  #- name: Create a ZIP archive for ShareToolkit admin zimlet
+  #  archive:
+  #    path: /opt/zimbra/addon_cache/sharetoolkit/tk_barrydegraaff_sharetoolkit_admin/*
+  #    dest: /tmp/tk_barrydegraaff_sharetoolkit_admin.zip
+  #    format: zip
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+  #
+  #- name: Deploy new ShareToolkit admin zimlet
+  #  command: /opt/zimbra/bin/zmzimletctl deploy /tmp/tk_barrydegraaff_sharetoolkit_admin.zip
+  #  become_user: zimbra
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+  #
+  #- name: Remove previous Java server extension
+  #  file: path=/opt/zimbra/lib/ext/ShareToolkit state=absent
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+  #
+  #- name: Create ShareToolkit Java server extension dir
+  #  file: path=/opt/zimbra/lib/ext/ShareToolkit state=directory
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+  #
+  #- name: Deploy new Java server extension
+  #  copy: src=/opt/zimbra/addon_cache/sharetoolkit/extension/ShareToolkit/out/artifacts/ShareToolkit/ShareToolkit.jar dest=/opt/zimbra/lib/ext/ShareToolkit/ remote_src=True
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+  #
+  #- name: Enable the X-Authenticated-User header
+  #  command: /opt/zimbra/bin/zmprov modifyConfig {{ inner_item.attr }} {{ inner_item.value }}
+  #  become_user: zimbra
+  #  loop:
+  #    - attr: zimbraSmtpSendAddAuthenticatedUser
+  #      value: 'TRUE'
+  #    - attr: zimbraMtaSmtpdSaslAuthenticatedHeader
+  #      value: 'yes'
+  #  loop_control:
+  #    loop_var: inner_item
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+  #
+  #- name: Deploy ShareToolkit CLI tools
+  #  synchronize:
+  #    src: /opt/zimbra/addon_cache/sharetoolkit/bin/
+  #    dest: /usr/local/sbin/
+  #    rsync_opts:
+  #      - "--chmod=F755"
+  #  delegate_to: "{{ inventory_hostname }}"
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+  #
+  #- name: Flush Zimbra cache
+  #  command: /opt/zimbra/bin/zmprov flushCache all
+  #  become_user: zimbra
+  #  when: zcs_sharetoolkit_repo.changed
+  #  tags: zcs
+
+- name: Remove ADPassword listener (not working with JDK 13)
+  file: path=/opt/zimbra/lib/ext/adpassword state=absent
+  tags: zcs
+
+- include_tasks: cas.yml
+  tags: zcs

roles/zimbra/tasks/main.yml

@@ -0,0 +1,211 @@
+---
+
+#- name: Build config for domains
+#  set_fact: zcs_domains_conf={{ zcs_domains_conf | default([]) + [zcs_domain_defaults | combine(zcs_domains[item])] }}
+#  with_items: "{{ zcs_domains.keys() | list }}"
+#  tags: zcs
+#- set_fact: zcs_domains={{ zcs_domains_conf | default([]) }}
+#  tags: zcs
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: zcs
+
+- name: Install dependencies
+  package: name={{ zcs_packages }}
+  tags: zcs
+
+- name: Check if zimbra is installed
+  stat: path=/opt/zimbra/bin/zmprov
+  register: zcs_zmprov
+  tags: zcs
+
+  #- name: Stop postfix
+  #  service: name=postfix state=stopped enabled=False
+  #  tags: zcs
+
+- include_tasks: install.yml
+  when:
+    - zcs_install == True
+    - not zcs_zmprov.stat.exists
+  tags: zcs
+
+- name: Exit if not installed
+  meta: end_host
+  when: zcs_install != True and (zcs_zmprov is not defined or zcs_zmprov.stat is not defined or not zcs_zmprov.stat.exists)
+  tags: zcs
+
+- set_fact: zcs_i_am_primary_ldap={{ (inventory_hostname == zcs_primary_ldap) | ternary(True,False) }}
+  tags: zcs
+
+- name: Fetch the LDAP admin pass
+  shell: /opt/zimbra/bin/zmlocalconfig -s zimbra_ldap_password | awk '{ print $3}'
+  changed_when: False
+  register: zcs_ldap_admin_pass
+  when: zcs_ldap_admin_pass is not defined
+  tags: zcs
+- set_fact: zcs_ldap_admin_pass={{ zcs_ldap_admin_pass.stdout }}
+  when: zcs_ldap_admin_pass.stdout is defined
+  tags: zcs
+
+- name: Install wrapper scripts
+  template: src=zimbra_wrapper.j2 dest=/usr/local/bin/{{ item }} mode=0755
+  loop:
+    - zmprov
+    - zmcontrol
+    - zmhostname
+    - zmmailbox
+    - zmlocalconfig
+  tags: zcs
+
+  #- name: Check installed components
+  #  command: rpm -q zimbra-{{ item }}
+  #  args:
+  #    warn: False
+  #  register: zcs_components
+  #  failed_when: False
+  #  changed_when: False
+  #  loop:
+  #    - ldap
+  #    - logger
+  #    - mta
+  #    - dnscache
+  #    - snmp
+  #    - store
+  #    - apache
+  #    - spell
+  #    - memcached
+  #    - proxy
+  #    - drive
+  #  tags: zcs
+
+- name: List enabled components
+  shell: '/opt/zimbra/bin/zmprov getServer {{ inventory_hostname }} zimbraServiceEnabled | perl -ne ''m/^zimbraServiceEnabled: (\w+)/ && print "$1\n"'''
+  become_user: zimbra
+  register: zcs_enabled_components
+  changed_when: False
+  tags: zcs
+- set_fact: zcs_enabled_components={{ zcs_enabled_components.stdout_lines }}
+  tags: zcs
+
+- include_tasks: "{{ component }}.yml"
+  loop: "{{ zcs_enabled_components }}"
+  loop_control:
+    loop_var: component
+  tags: zcs
+
+- name: Handle general ports
+  iptables_raw:
+    name: zcs_general_ports
+    state: "{{ (zcs_cluster_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports 22 -s {{ zcs_cluster_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: zcs
+
+- include_tasks: zmldapsync.yml
+  when: zcs_i_am_primary_ldap == True
+  tags: zcs
+
+- name: Install backup help script
+  get_url:
+    url: https://git.fws.fr/dani/zimbra/raw/branch/master/zmbh/zmbh.pl
+    dest: /opt/zimbra/bin/zmbh
+    mode: '0755'
+  tags: zcs
+
+- name: Remove old backup helper script
+  file: path=/usr/local/bin/zmbh.pl state=absent
+  tags: zcs
+
+- name: Create directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /opt/zimbra/addon_cache
+    - dir: /opt/zimbra/meta
+      mode: '0700'
+  tags: zcs
+
+  #- include_tasks: backup.yml
+  #  when: zcs_i_am_primary_ldap == True
+  #  tags: zcs
+
+- name: Identify logger host
+  shell: /opt/zimbra/bin/zmprov gcf zimbraLogHostname | awk '{ print $2 }'
+  become_user: zimbra
+  register: zcs_log_hostname
+  changed_when: False
+  tags: zcs
+- set_fact: zcs_log_hostname={{ zcs_log_hostname.stdout }}
+  tags: zcs
+
+- name: Deploy syslog config
+  template: src=rsyslog.conf.j2 dest=/etc/rsyslog.conf
+  notify: restart rsyslog
+  tags: zcs
+
+- name: Fix logrotate config to reload rsyslog
+  replace:
+    path: /etc/logrotate.d/zimbra
+    regexp: '^(.*)/var/run/syslog\*\.pid(.*)'
+    replace: '\1/run/rsyslogd.pid\2'
+  tags: zcs
+
+- name: Set correct SELinux context
+  block:
+    - sefcontext:
+        target: "/opt/zimbra/log(/.*)?"
+        setype: var_log_t
+    - sefcontext:
+        target: "/etc/rc.d/init.d/zimbra"
+        setype: bin_t
+    - command: restorecon -R /opt/zimbra/log /etc/rc.d/init.d/zimbra
+      changed_when: False
+  when: ansible_selinux.status == 'enabled'
+  tags: zcs
+
+- name: Deploy Let's Encrypt hook
+  template: src=dehydrated_hook.sh.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/20zimbra.sh mode=755
+  when: zcs_letsencrypt == True
+  tags: zcs
+
+- name: Remove Let's Encrypt hook
+  file: path=/etc/dehydrated/hooks_deploy_cert.d/20zimbra.sh state=absent
+  when: zcs_letsencrypt != True
+  tags: zcs
+
+- name: Create pre and post backup hook dir
+  file: path=/etc/backup/{{ item }}.d state=directory
+  loop:
+    - pre
+    - post
+  tags: zcs
+
+  # The cert bundle provided by Zimbra is not very up to date
+  # so link the system wide one here
+- name: Push system trusted CA store to Zimbra
+  file: src=/etc/pki/tls/cert.pem dest=/opt/zimbra/common/etc/ssl/cert.pem state=link
+  tags: zcs
+
+- name: Deploy pre and post backup scripts
+  template: src={{ item }}_backup.sh.j2 dest=/etc/backup/{{ item }}.d/zimbra.sh mode=0750
+  loop:
+    - pre
+    - post
+  tags: zcs
+
+- name: Create backup mount point
+  file: path=/home/lbkp/zimbra state=directory
+  tags: zcs
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  loop:
+    - /tmp/zimbra
+    - /tmp/tk_barrydegraaff_sharetoolkit_admin.zip
+  tags: zcs
+
+- include: filebeat.yml

roles/zimbra/tasks/memcached.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Handle Zimbra memcached ports
+  iptables_raw:
+    name: zcs_memcached_ports
+    state: "{{ (zcs_cluster_ip | length > 0 ) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports 11211 -s {{ zcs_cluster_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -m state --state NEW -p udp -m multiport --dports 11211 -s {{ zcs_cluster_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: zcs

roles/zimbra/tasks/mta.yml

@@ -0,0 +1,36 @@
+---
+
+- name: Configure Zimbra's sendmail as alternative to sendmail
+  alternatives:
+    name: mta
+    link: /usr/sbin/sendmail
+    path: /opt/zimbra/common/sbin/sendmail
+    priority: 90
+  tags: zcs
+
+- name: Set zimbra's sendmail as the default sendmail
+  command: update-alternatives --set mta /opt/zimbra/common/sbin/sendmail
+  changed_when: False
+  tags: zcs
+
+- name: Override zmpostfixpolicyd to support recipient delimiter
+  copy: src=zmpostfixpolicyd dest=/opt/zimbra/libexec/zmpostfixpolicyd
+  notify: restart zimbra
+  tags: zcs
+
+- name: Handle Zimbra mta ports
+  iptables_raw:
+    name: zcs_mta_ports
+    state: present
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports 25,465,587 -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: zcs
+
+- name: Enable always_bcc
+  lineinfile:
+    dest: /opt/zimbra/common/conf/main.cf
+    regexp: '^always_bcc =.*'
+    line: always_bcc = {{ zcs_always_bcc }}
+  when: zcs_always_bcc is defined
+  notify: restart zimbra
+  tags: zcs

roles/zimbra/tasks/opendkim.yml

@@ -0,0 +1 @@
+---

roles/zimbra/tasks/proxy.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Handle Zimbra proxy ports
+  iptables_raw:
+    name: zcs_proxy_ports
+    state: present
+    rules: "{% if zcs_http_src_ip | length > 0 %}-A INPUT -m state --state NEW -p tcp -m multiport --dports 80,443 -s {{ zcs_http_src_ip | join(',') }} -j ACCEPT\n{% endif %}
+            {% if zcs_clients_src_ip | length > 0 %}-A INPUT -m state --state NEW -p tcp -m multiport --dports 110,995,143,993 -s {{ zcs_clients_src_ip | join(',') }} -j ACCEPT\n{% endif %}
+            {% if zcs_admin_src_ip | length > 0 %}-A INPUT -m state --state NEW -p tcp -m multiport --dports 9071 -s {{ zcs_admin_src_ip | join(',') }} -j ACCEPT{% endif %}"
+  when: iptables_manage | default(True)
+  tags: zcs
+
+- name: Enable proxy for the admin interface
+  command: /opt/zimbra/bin/zmprov ms {{ inventory_hostname }} zimbraReverseProxyAdminEnabled TRUE
+  changed_when: False
+  become_user: zimbra
+  tags: zcs
+
+- name: Build a list of vhosts to be used for Let's Encrypt cert
+  shell: |
+    for DOMAIN in $(/opt/zimbra/bin/zmprov getAllDomains); do
+      /opt/zimbra/bin/zmprov getDomain $DOMAIN zimbraVirtualHostname | perl -ne 'm/^zimbraVirtualHostname: (.*)/ && print "$1\n"'
+    done
+  become_user: zimbra
+  register: zcs_vhosts
+  changed_when: False
+  when: zcs_letsencrypt == True
+  tags: zcs
+- set_fact: zcs_vhosts={{ zcs_vhosts.stdout_lines }}
+  when: zcs_vhosts.stdout_lines is defined
+  tags: zcs
+

roles/zimbra/tasks/snmp.yml

@@ -0,0 +1 @@
+---

roles/zimbra/tasks/spell.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Handle Zimbra spell ports
+  iptables_raw:
+    name: zcs_spell_ports
+    state: "{{ (zcs_cluster_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport  7780 -s {{ zcs_http_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: zcs

roles/zimbra/tasks/zmldapsync.yml

@@ -0,0 +1,56 @@
+---
+
+- name: Install zmldapsync dependencies
+  yum:
+    name:
+      - perl-LDAP
+      - perl-YAML-Tiny
+      - perl-Data-UUID
+      - perl-String-ShellQuote
+      - perl-Array-Diff
+      - perl-List-MoreUtils
+      - perl-Hash-Merge-Simple
+      - perl-Text-Unidecode
+      - perl-Email-MIME
+      - perl-Email-Sender
+  tags: zcs
+
+- name: Install zmldapsync
+  get_url:
+    url: "{{ item.url }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+  loop:
+    - url: https://git.fws.fr/dani/zimbra/raw/branch/master/zmldapsync/zmldapsync.pl
+      dest: /opt/zimbra/bin/zmldapsync
+      mode: 755
+    - url: https://git.fws.fr/dani/zimbra/raw/branch/master/zmldapsync/zmldapsync.yml
+      dest: /opt/zimbra/conf/zmldapsync.yml.dist
+      mode: 640
+  tags: zcs
+
+- name: Remove old zmldapsync script
+  file: path=/opt/zimbra/bin/zmldapsync.pl state=absent
+  tags: zcs
+
+- name: Deploy zmldapsync configuration
+  template: src=zmldapsync.yml.j2 dest=/opt/zimbra/conf/zmldapsync.yml owner=root group=zimbra mode=0640
+  tags: zcs
+
+- name: Deploy zmldapsync systemd units
+  template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }}
+  loop:
+    - zmldapsync.service
+    - zmldapsync.timer
+  register: zcs_zmldapsync_unit
+  tags: zcs
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: zcs_zmldapsync_unit.changed
+  tags: zcs
+
+- name: Enable zmldapsync timer
+  systemd: name=zmldapsync.timer state={{ (zcs_domains.keys() | length > 0) | ternary('started','stopped') }} enabled={{ (zcs_domains.keys() | length > 0) | ternary(True,False) }}
+  when: zcs_domains.keys() | length > 0
+  tags: zcs