From 09bc73507a1ecabe6b82a9236d2f36a800a98200 Mon Sep 17 00:00:00 2001 From: Julian Rother Date: Fri, 17 Jan 2025 13:15:09 +0100 Subject: [PATCH] Initial commit --- README.md | 42 +++++++++++++++++++++++++++++++++++++ defaults/main.yml | 6 ++++++ tasks/main.yml | 19 +++++++++++++++++ templates/config.inc.php.j2 | 28 +++++++++++++++++++++++++ 4 files changed, 95 insertions(+) create mode 100644 README.md create mode 100644 defaults/main.yml create mode 100644 tasks/main.yml create mode 100644 templates/config.inc.php.j2
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..efba347
--- /dev/null
+++ b/README.md
@@ -0,0 +1,42 @@
+# Roundcube
+
+Requires additional PHP and web server setup, e.g. with this [nginx](https://git.notandy.de/ansible/roles/nginx) role:
+
+```
+roundcube_config:
+ imap_host: 'ssl://mail.example.com:993'
+ smtp_host: 'tls://mail.example.com:587'
+ des_key: "{{ lookup('passwordstore', 'example.com/roundcube-secret create=true length=24 nosymbols=true') }}"
+
+nginx:
+ add_headers:
+ Strict-Transport-Security: "max-age=63072000"
+ Content-Security-Policy: "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:"
+ X-Frame-Options: "sameorigin"
+ X-Content-Type-Options: "nosniff"
+ X-XSS-Protection: "1; mode=block"
+ php:
+ ini:
+ date_timezone: Europe/Berlin
+ vhosts:
+ mail:
+ servername:
+ - mail.example.com
+ custom:
+ - root /var/lib/roundcube
+ - index index.php index.html index.htm
+ locations:
+ - match: /
+ custom:
+ - try_files $uri $uri/ /index.php?q=$uri&$args
+ - match: ^~ /data
+ custom:
+ - deny all
+ - match: '~ \.php$'
+ custom:
+ - include /etc/nginx/fastcgi_params
+ - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name
+ - fastcgi_param REDIRECT_STATUS 200
+ - fastcgi_param HTTPS On
+ - fastcgi_pass php-handler
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..7e57005
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,6 @@
+roundcube_config:
+ db_dsnw: 'sqlite:////var/lib/roundcube/db/roundcube?mode=0640'
+ #imap_host: 'ssl://imap.example.com:993'
+ #smtp_host: 'tls://smtp.example.com:587'
+ #des_key: Set this to a 24-char random character string!
+ cipher_method: AES-256-CBC
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..b5e239c
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,19 @@
+- name: Install fail2ban
+ ansible.builtin.apt:
+ pkg: roundcube
+
+- name: Create db directory
+ ansible.builtin.file:
+ path: /var/lib/roundcube/db
+ owner: www-data
+ group: www-data
+ state: directory
+ mode: "0750"
+
+- name: Update config
+ ansible.builtin.template:
+ src: config.inc.php.j2
+ dest: /etc/roundcube/config.inc.php
+ owner: root
+ group: www-data
+ mode: "0640"
diff --git a/templates/config.inc.php.j2 b/templates/config.inc.php.j2
new file mode 100644
index 0000000..a513f1f
--- /dev/null
+++ b/templates/config.inc.php.j2
@@ -0,0 +1,28 @@
+ {{ php_obj(value)|indent }},
+{% endfor %}
+]
+{%- elif obj is iterable -%}
+[
+{% for item in obj %}
+{{ php_obj(item)|indent(first=true) }},
+{% endfor %}
+]
+{% endif %}
+{% endmacro %}
+$config = {{ php_obj(roundcube_config) }};
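Review bot: Keeping `db_dsnw` and `cipher_method` inside the `roundcube_config` dict in defaults/main.yml means they disappear as soon as a playbook sets `roundcube_config` itself, as the README example does, because Ansible replaces dict variables rather than merging them unless hash merging is enabled. The rendered config would then carry no `cipher_method` or `db_dsnw`, and Roundcube presumably falls back to its own built-in values. Consider moving the role defaults to a separate variable such as `roundcube_config_defaults` and rendering `{{ php_obj(roundcube_config_defaults | combine(roundcube_config)) }}` in the template. The `#des_key` comment also asks for 24 characters, which is the length Roundcube documents for its default cipher; with `AES-256-CBC` a 32-byte key is probably intended, so the comment is worth checking against the Roundcube documentation.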
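Review bot: Nothing in tasks/main.yml checks that `roundcube_config.des_key` was supplied before `Update config` renders the file, and defaults/main.yml leaves the key commented out. If it is missing, the template presumably writes a config without the key, and Roundcube would then use its shipped default, which is the same on every installation, to encrypt the IMAP password kept in the session. An assert task ahead of the template task would make the role fail instead of deploying that state. Separately, the first task is named `Install fail2ban` but installs the `roundcube` package; `- name: Install roundcube` would match what it does.

```yaml
- name: Require a site-specific des_key
  ansible.builtin.assert:
    that:
      - roundcube_config.des_key is defined
      - roundcube_config.des_key | length >= 24
    fail_msg: "Set roundcube_config.des_key to a random secret of at least 24 characters"

# … unchanged: Install / Create db directory / Update config tasks …
```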
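Review bot: The `obj is iterable` branch in templates/config.inc.php.j2 also matches plain strings in Jinja2, so the macro only works if strings and mappings are tested in earlier branches; the start of this hunk is not visible in this view, so that cannot be confirmed here. A short comment above the macro, for example `{# branch order matters: string and mapping are tested before iterable #}`, would keep a later edit from reordering them. It is also worth confirming that the string branch escapes `\` and `'` (or emits the value through a quoting filter), because values such as `des_key` are written into PHP source and a stray quote would break or alter the generated config.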