debops.roundcube default variables

Packages and installation

roundcube__required_php_packages

List of PHP packages required by Roundcube. Refer to the official Roundcube documentation for details.

roundcube__required_php_packages:
  - 'iconv'
  - 'openssl'
  - 'session'
  - 'sockets'
  - 'xml'
  # Included in the xml package
  #- 'dom'
  - 'mbstring'
  - 'json'
roundcube__optional_php_packages

List of recommended/optional PHP packages for Roundcube. Refer to the official Roundcube documentation for details.

roundcube__optional_php_packages:
  - '{{ "ldap"      if roundcube__ldap_enabled|bool      else [] }}'
  - '{{ "memcached" if roundcube__memcached_enabled|bool else [] }}'
  - '{{ "redis"     if roundcube__redis_enabled|bool     else [] }}'
  - 'fileinfo'
  - 'enchant'
  - 'zip'
roundcube__custom_php_packages

List of user defined PHP packages for Roundcube.

roundcube__custom_php_packages: []
roundcube__base_php_packages

List of base PHP packages required by Roundcube.

roundcube__base_php_packages:
  - '{{ roundcube__required_php_packages }}'
  - '{{ roundcube__apt_php_packages }}'
  - '{{ roundcube__optional_php_packages }}'
  - '{{ [ "mysql" ] if (roundcube__database_map[roundcube__database].dbtype == "mysql") else [] }}'
  - '{{ [ "pgsql" ] if (roundcube__database_map[roundcube__database].dbtype == "postgresql") else [] }}'
  - '{{ [ "sqlite3" ] if (roundcube__database_map[roundcube__database].dbtype == "sqlite") else [] }}'
roundcube__apt_php_packages

PHP packages which are installed via APT repository if they are available in a sufficiently new version in the current distribution. The required minimal versions are taken from the composer.json.dist file of the Roundcube 1.3.0 release. If you install an older version of Roundcube you may want to adjust this list.

roundcube__apt_php_packages: '{{ [ "mail-mime", "net-smtp", "pear" ]
                                 if ansible_distribution_release in [ "stretch", "buster", "sid", "xenial", "yakkety", "zesty", "artful" ]
                                 else [] }}'
roundcube__packages

List of additional APT packages (e.g. language dictionaries) that should be installed with Roundcube.

roundcube__packages: []
roundcube__base_packages

APT packages required for the Roundcube installation.

roundcube__base_packages: [ 'curl', 'file', 'unzip', 'aspell', 'aspell-en' ]

Roundcube user account

roundcube__user

Roundcube system user account.

roundcube__user: 'roundcube'
roundcube__group

Roundcube system user group.

roundcube__group: 'roundcube'
roundcube__home

Path to the home directory of the Roundcube system account.

roundcube__home: '{{ (ansible_local.fhs.home | d("/var/local"))
                     + "/" + roundcube__user }}'
roundcube__comment

The GECOS string set for the Roundcube account.

roundcube__comment: 'Roundcube Webmail'
roundcube__shell

The default shell of the Roundcube account.

roundcube__shell: '/usr/sbin/nologin'

Roundcube source and deployment

roundcube__git_gpg_key

The GPG key used to sign Roundcube releases.

roundcube__git_gpg_key: '4295 5C9D 6F2A CA9D 3E96  D55F 3E54 28D0 262C 54F8'
roundcube__git_additional_gpg_keys

List of additional GPG keys to add to the Roundcube user account. This might be needed if multiple people/organizations sign git commits or tags in the Roundcube repository, or installation from a private repository is used instead of a public one.

roundcube__git_additional_gpg_keys: []
roundcube__git_repo

Roundcube source repository. You can specify a public or private git repository using the https:// protocol. See Deployment from private or internal git repository for more details.

roundcube__git_repo: 'https://github.com/roundcube/roundcubemail.git'
roundcube__git_dir

Roundcube source directory on the host.

roundcube__git_dir: '{{ roundcube__src + "/"
                        + roundcube__git_repo
                          .split("@" if ("@" in roundcube__git_repo)
                                     else "://")[1] }}'
roundcube__git_version

Roundcube release tag to deploy.

roundcube__git_version: '1.4.7'
roundcube__git_dest

Default path where Roundcube source files will be deployed.

roundcube__git_dest: '{{ roundcube__www + "/sites/" + roundcube__user + "/public" }}'
roundcube__src

Base path for git bare repository with Roundcube source.

roundcube__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
                    + "/" + roundcube__user }}'
roundcube__www

Base web root directory for Roundcube website.

roundcube__www: '{{ ansible_local.nginx.www
                    if (ansible_local|d() and ansible_local.nginx|d())
                    else "/srv/www" }}'
roundcube__webserver_user

Roundcube webserver user (needs read-only access to the website code).

roundcube__webserver_user: '{{ ansible_local.nginx.user|d("www-data") }}'

Database configuration

roundcube__database

Database definition to use from the roundcube__database_map.

roundcube__database: 'sqlite-default'
roundcube__database_user

Database user account to use for Roundcube.

roundcube__database_user: 'roundcube'
roundcube__database_password_path

Path to the database password file.

roundcube__database_password_path: '{{ secret + "/credentials/" + inventory_hostname
                                       + "/roundcube/" + roundcube__database
                                       + "/" + roundcube__database_user + "/password" }}'
roundcube__database_password

Database password for the account given in roundcube__database_user.

roundcube__database_password: '{{ lookup("password", roundcube__database_password_path + " length=30") }}'
roundcube__database_name

Name of the database to use for Roundcube.

roundcube__database_name: '{{ roundcube__database_user
                              if roundcube__database == "postgresql-default"
                              else "roundcubemail" }}'
roundcube__database_map

Database connection definitions. Select the database connection to use in roundcube__database.

roundcube__database_map:

  sqlite-default:
    dbtype: 'sqlite'
    dbname: 'db/roundcube.db'

  mysql-default:
    dbtype: 'mysql'
    dbname: '{{ roundcube__database_name }}'
    dbuser: '{{ roundcube__database_user }}'
    dbpass: '{{ roundcube__database_password }}'
    dbhost: 'localhost'
    dbtableprefix: ''

  postgresql-default:
    dbtype: 'postgresql'
    dbname: '{{ roundcube__database_name }}'
    dbuser: '{{ roundcube__database_user }}'
    dbpass: '{{ roundcube__database_password }}'
    dbhost: 'localhost'
    dbtableprefix: ''
roundcube__database_schema_map

Database type to schema mapping.

roundcube__database_schema_map:
  mysql:      '{{ roundcube__git_dest + "/SQL/mysql.initial.sql" }}'
  postgresql: '{{ roundcube__git_dest + "/SQL/postgres.initial.sql" }}'
roundcube__database_schema

Initial Roundcube database schema loaded by Ansible.

roundcube__database_schema: '{{ roundcube__database_schema_map[
                                  roundcube__database_map[
                                    roundcube__database
                                  ].dbtype
                                ]
                                if roundcube__database_schema_map[
                                     roundcube__database_map[
                                       roundcube__database
                                     ].dbtype
                                   ]|d()
                                else "" }}'

Cache configuration

roundcube__memcached_enabled

Enable or disable support for the memcached service. It will be enabled automatically if a local instance of memcached is detected.

roundcube__memcached_enabled: '{{ True
                                  if (ansible_local|d() and ansible_local.memcached|d() and
                                      (ansible_local.memcached.installed|d())|bool)
                                  else False }}'
roundcube__memcached_hosts

List of the memcached instances to be used by Roundcube. By default only the local instance will be used, if detected. See debops.memcached for more details.

roundcube__memcached_hosts: [ 'localhost:11211' ]
roundcube__redis_enabled

Enable or disable support for the redis service. It will be enabled automatically if a local instance of redis is detected.

roundcube__redis_enabled: '{{ True
                              if (ansible_local|d() and ansible_local.redis_server|d() and
                                  (ansible_local.redis_server.installed|d())|bool)
                              else False }}'
roundcube__redis_server

The address of the Redis server instance to use. Currently only a single server is supported by Roundcube. By default the Redis instance on the same host will be used, if it's detected via Ansible local facts.

roundcube__redis_server: 'localhost'
roundcube__redis_port

The TCP port to use for Redis connections.

roundcube__redis_port: '{{ ansible_local.redis_server.port|d("6379") }}'
roundcube__redis_database

The Redis "database" number to use.

roundcube__redis_database: '1'
roundcube__redis_password

Specify the password required for authentication to Redis.

roundcube__redis_password: '{{ ansible_local.redis_server.password|d("") }}'
roundcube__redis_hosts

List of the Redis instances which should be used by Roundcube. Currently only a single instance is supported, but the variable expects a list.

roundcube__redis_hosts: [ '{{ ([ roundcube__redis_server,
                                 roundcube__redis_port,
                                 roundcube__redis_database,
                                 roundcube__redis_password ])
                              | join(":") }}' ]
roundcube__session_storage

Select the session storage type to use. Currently supported are redis and memcached. The session storage will be selected automatically by detecting available cache services via Ansible local facts. If the variable is empty, session storage will not be configured and will fall back to the db storage type.

roundcube__session_storage: '{{ "redis"
                                if roundcube__redis_enabled|bool
                                else ("memcached"
                                      if roundcube__memcached_enabled|bool
                                      else "") }}'

LDAP configuration

These variables configure the access to the LDAP address book managed by DebOps. See debops.ldap and debops.slapd role documentation to learn more about managing LDAP infrastructure with DebOps, and Roundcube LDAP Address Books documentation to learn more about configuring LDAP access in Roundcube.

roundcube__ldap_enabled

Enable or disable LDAP integration in Roundcube.

roundcube__ldap_enabled: '{{ ansible_local.ldap.enabled
                             if (ansible_local|d() and ansible_local.ldap|d() and
                                 ansible_local.ldap.enabled is defined)
                             else False }}'
roundcube__ldap_password_enabled

Enable or disable support for changing user passwords using the "password" Roundcube plugin. The plugin will be configured to use LDAP Password Modify Extended Operation (RFC 3062).

If the password change support is disabled, the "password" plugin will be disabled as well. Password change via other mechanisms can be configured separately via Ansible inventory variables.

roundcube__ldap_password_enabled: '{{ roundcube__ldap_enabled }}'
roundcube__ldap_addressbook_name

The name of the LDAP address book. It will be visible on the address book list and as the source of the search results.

roundcube__ldap_addressbook_name: 'LDAP Address Book'
roundcube__ldap_hosts

List of the FQDN addresses of the LDAP directory servers which should be used by Roundcube.

roundcube__ldap_hosts: '{{ ansible_local.ldap.hosts|d([]) }}'
roundcube__ldap_port

The TCP port to use to connect to the LDAP directory.

roundcube__ldap_port: '{{ ansible_local.ldap.port|d("389") }}'
roundcube__ldap_use_tls

Enable or disable support for STARTTLS extension while connecting to the LDAP directory.

roundcube__ldap_use_tls: '{{ ansible_local.ldap.start_tls|d(True) }}'
roundcube__ldap_base_dn

The Base Distinguished Name of the LDAP directory, defined as a YAML list.

roundcube__ldap_base_dn: '{{ ansible_local.ldap.base_dn|d([]) }}'
roundcube__ldap_device_dn

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the Roundcube application account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

roundcube__ldap_device_dn: '{{ ansible_local.ldap.device_dn|d([]) }}'
roundcube__ldap_self_rdn

The Relative Distinguished Name of the account LDAP object used by the Roundcube application to access the LDAP directory.

roundcube__ldap_self_rdn: '{{ "uid=" + roundcube__user }}'
roundcube__ldap_self_object_classes

List of the LDAP object classes which will be used to create the LDAP object used by the Roundcube application to access the LDAP directory.

roundcube__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
roundcube__ldap_self_attributes

YAML dictionary that defines the attributes of the LDAP object used by the Roundcube application to access the LDAP directory.

roundcube__ldap_self_attributes:
  uid: '{{ roundcube__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ roundcube__ldap_bindpw }}'
  host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
  description: 'Account used by the "Roundcube" application to access the LDAP directory'
roundcube__ldap_binddn

The Distinguished Name of the account LDAP object used by the Roundcube application to bind to the LDAP directory.

roundcube__ldap_binddn: '{{ ([ roundcube__ldap_self_rdn ] + roundcube__ldap_device_dn) | join(",") }}'
roundcube__ldap_bindpw

The password stored in the account LDAP object used by the Roundcube application to bind to the LDAP directory.

roundcube__ldap_bindpw: '{{ lookup("password", secret + "/ldap/credentials/"
                                   + roundcube__ldap_binddn | to_uuid + ".password length=32") }}'
roundcube__ldap_people_rdn

The Relative Distinguished Name of the people subtree which contains personal LDAP entries.

roundcube__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn|d([]) }}'
roundcube__ldap_people_dn

The Distinguished Name of the people subtree which will be used for LDAP address book searches.

roundcube__ldap_people_dn: '{{ [ roundcube__ldap_people_rdn ]
                               + roundcube__ldap_base_dn }}'
roundcube__ldap_groups_rdn

The Relative Distinguished Name of the groups subtree which contains group LDAP entries.

roundcube__ldap_groups_rdn: '{{ ansible_local.ldap.groups_rdn|d([]) }}'
roundcube__ldap_groups_dn

The Distinguished Name of the groups subtree which will be used for LDAP address book searches.

roundcube__ldap_groups_dn: '{{ [ roundcube__ldap_groups_rdn ]
                               + roundcube__ldap_base_dn }}'
roundcube__ldap_hidden

Show or hide the LDAP address book in the Address Books interface. Hiding the LDAP address book still allows for searching its contents and autocompletion of recipient e-mail addresses.

Since the default LDAP address book configuration disables direct browsing of the contents and is read-only, displaying an entry for it is not very useful. Therefore it will be hidden by default.

roundcube__ldap_hidden: True
roundcube__ldap_field_map

YAML dictionary which defines mapping between Roundcube address book fields and LDAP entry attributes. Some of the fields are not mapped yet because they don't work or there are currently no good LDAP equivalents.

roundcube__ldap_field_map:
  name: 'cn'
  firstname: 'givenName'
  #middlename
  #prefix
  #suffix
  surname: 'sn'
  #nicname
  #maidenname
  #gender
  #spouse
  #organization
  #department
  jobtitle: 'title'
  #assistant
  #manager
  email: 'mail:*'
  'phone:home': 'homePhone'
  'phone:work': 'telephoneNumber'
  'phone:mobile': 'mobile'
  'phone:pager': 'pager'
  'phone:workfax': 'facsimileTelephoneNumber'
  street: 'street'
  zipcode: 'postalCode'
  region: 'st'
  locality: 'l'
  #address
  #birthday
  #anniversary
  #website
  #im
  notes: 'description:*'
  photo: 'jpegPhoto'

Roundcube application options

roundcube__fqdn

The default DNS address of the Roundcube web application, used in the HTTP server configuration.

roundcube__fqdn: 'webmail.{{ roundcube__domain }}'
roundcube__domain

The DNS domain of the Roundcube installation.

roundcube__domain: '{{ ansible_domain }}'
roundcube__imap_srv_rr

List which contains the result of the dig query for IMAP server SRV resource records in the host's domain. See RFC 6186 for details.

roundcube__imap_srv_rr: '{{ q("dig", "_imaps._tcp." + roundcube__domain + "./SRV", "flat=0") }}'
roundcube__imap_fqdn

The FQDN address of the IMAP server which stores user mailboxes. By default the host is located using DNS SRV resource records; if there are none, the role checks if a local Dovecot installation is present and uses the host FQDN as the IMAP server address. Finally, the static imap.<domain> is used.

Use of FQDN instead of localhost is required for X.509 certificate verification and for correct information in system logs.

roundcube__imap_fqdn: '{{ (roundcube__imap_srv_rr | selectattr("target", "defined")
                           | map(attribute="target")
                           | map("regex_replace", "\.$","")
                           | list | first)
                          if ("NXDOMAIN" not in roundcube__imap_srv_rr and
                              roundcube__imap_srv_rr[0])
                          else (ansible_fqdn
                                if (ansible_local|d() and ansible_local.dovecot|d() and
                                    (ansible_local.dovecot.installed|d())|bool)
                                else ("imap." + roundcube__domain)) }}'
roundcube__imap_port

TCP port used for IMAP connections.

roundcube__imap_port: '{{ (roundcube__imap_srv_rr | selectattr("target", "defined")
                           | map(attribute="port") | list | sort | first)
                          if ("NXDOMAIN" not in roundcube__imap_srv_rr and
                              roundcube__imap_srv_rr[0])
                          else "993" }}'
roundcube__imap_server

The IMAP host chosen to perform the log-in. This variable is also called default_server by Roundcube.

Leave blank to show a textbox at login, give a list of hosts to display a pulldown menu or set one host as string. To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://.

Supported replacement variables:

  %n - hostname ($_SERVER['SERVER_NAME'])
  %t - hostname without the first part
  %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
  %s - domain name after the '@' from e-mail address provided at login screen

For example %n = mail.domain.tld, %t = domain.tld

roundcube__imap_server: '{{ ("ssl://"
                             if (roundcube__imap_port == "993")
                             else ("tls://"
                                   if (roundcube__imap_port == "143")
                                   else "tls://"))
                             + roundcube__imap_fqdn }}'
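
The IMAP selection above (SRV lookup, then local Dovecot, then imap.<domain>) modelled in Python as an added example; it is not code from the debops.roundcube role. It reproduces what the templates pick (first target in answer order, lowest port across all records) on constructed SRV answers and compares that with the record preferred by SRV priority (RFC 2782); the priority and weight keys, the helper names and all host names are assumptions.

```python
import re

# Constructed SRV answer in the list-of-dicts shape the templates consume
# ("target" and "port" appear on the page; "priority"/"weight" are assumed keys).
SAMPLE_RR = [
    {"target": "imap-a.example.org.", "port": 1993, "priority": 10, "weight": 0},
    {"target": "imap-b.example.org.", "port": 993, "priority": 20, "weight": 0},
]

# Constructed host facts for the IMAP case (hypothetical names).
IMAP = {
    "default_port": "993",
    "service_prefix": "imap",
    "domain": "example.org",
    "host_fqdn": "mx1.example.org",
    "local_service": True,   # stands in for ansible_local.dovecot.installed
}


def _strip_dot(name):
    """Same effect as the template's regex_replace("\\.$", "")."""
    return re.sub(r"\.$", "", name)


def _records(rr):
    """SRV dicts, or [] when the lookup returned 'NXDOMAIN' or an empty answer."""
    if not rr or "NXDOMAIN" in rr or not rr[0]:
        return []
    return [r for r in rr if isinstance(r, dict) and "target" in r]


def role_choice(rr, default_port, service_prefix, domain, host_fqdn, local_service):
    """Host and port as the role's templates derive them (ports kept as strings)."""
    recs = _records(rr)
    if recs:
        fqdn = _strip_dot(recs[0]["target"])             # "| list | first"
        port = str(sorted(r["port"] for r in recs)[0])   # "| sort | first"
    else:
        fqdn = host_fqdn if local_service else service_prefix + "." + domain
        port = default_port
    return fqdn, port


def server_url(fqdn, port, implicit_tls_port):
    """ssl:// only on the implicit-TLS port, tls:// (STARTTLS) for anything else."""
    return ("ssl://" if port == implicit_tls_port else "tls://") + fqdn


def srv_preferred(rr):
    """Record with the lowest priority value; a higher weight breaks ties.

    Deterministic simplification of RFC 2782, which selects randomly by weight.
    """
    recs = _records(rr)
    if not recs:
        return None
    best = min(recs, key=lambda r: (r["priority"], -r["weight"]))
    return _strip_dot(best["target"]), str(best["port"])


def review(rr, **facts):
    """Compare the role's pick with what DNS actually advertises."""
    recs = _records(rr)
    choice = role_choice(rr, **facts)
    advertised = {(_strip_dot(r["target"]), str(r["port"])) for r in recs}
    return {
        "role": choice,
        "preferred": srv_preferred(rr),
        # True when there is nothing to compare against (fallback path).
        "advertised": not recs or choice in advertised,
    }


if __name__ == "__main__":
    result = review(SAMPLE_RR, **IMAP)
    print("role picks     :", result["role"])
    print("SRV preference :", result["preferred"])
    print("pair advertised:", result["advertised"])
    print("default server :", server_url(*result["role"], implicit_tls_port="993"))
```

When a domain publishes more than one SRV record, a result with "advertised" set to False means the derived host and port come from different records; setting roundcube__imap_fqdn and roundcube__imap_port explicitly in the inventory avoids that.
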
roundcube__smtp_srv_rr

List which contains the result of the dig query for SMTP (submission) server SRV resource records in the host's domain. See RFC 6186 for details.

roundcube__smtp_srv_rr: '{{ q("dig", "_submissions._tcp." + roundcube__domain + "./SRV", "flat=0") }}'
roundcube__smtp_fqdn

The FQDN address of the SMTP (submission) server which will be used to send e-mail messages. By default the host is located using DNS SRV resource records; if there are none, the role checks if a local Postfix installation is present and uses the host FQDN as the SMTP (submission) server address. Finally, the static smtp.<domain> is used.

Use of FQDN instead of localhost is required for X.509 certificate verification and for correct information in system logs.

roundcube__smtp_fqdn: '{{ (roundcube__smtp_srv_rr | selectattr("target", "defined")
                           | map(attribute="target")
                           | map("regex_replace", "\.$","")
                           | list | first)
                          if ("NXDOMAIN" not in roundcube__smtp_srv_rr and
                              roundcube__smtp_srv_rr[0])
                          else (ansible_fqdn
                                if (ansible_local|d() and ansible_local.postfix|d() and
                                    (ansible_local.postfix.installed|d())|bool)
                                else ("smtp." + roundcube__domain)) }}'
roundcube__smtp_port

SMTP port (default is 25; use 587 for STARTTLS or 465 for the deprecated SSL over SMTP (aka SMTPS)).

roundcube__smtp_port: '{{ (roundcube__smtp_srv_rr | selectattr("target", "defined")
                           | map(attribute="port") | list | sort | first)
                          if ("NXDOMAIN" not in roundcube__smtp_srv_rr and
                              roundcube__smtp_srv_rr[0])
                          else "465" }}'
roundcube__smtp_server

SMTP server host (for sending mails).

Enter hostname with prefix tls:// to use STARTTLS, or use prefix ssl:// to use the deprecated SSL over SMTP (aka SMTPS).

Supported replacement variables:

  %h - user's IMAP hostname
  %n - hostname ($_SERVER['SERVER_NAME'])
  %t - hostname without the first part
  %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
  %z - IMAP domain (IMAP hostname without the first part)

For example %n = mail.domain.tld, %t = domain.tld

roundcube__smtp_server: '{{ ("ssl://"
                             if (roundcube__smtp_port == "465")
                             else ("tls://"
                                   if (roundcube__smtp_port == "587")
                                   else "tls://"))
                             + roundcube__smtp_fqdn }}'
roundcube__smtp_user

SMTP username (if required). If you use %u as the username, Roundcube will use the current username for login.

roundcube__smtp_user: '%u'
roundcube__smtp_pass

SMTP password (if required). If you use %p as the password, Roundcube will use the current user's password for login.

roundcube__smtp_pass: '%p'
roundcube__sieve_srv_rr

List which contains the result of the dig query for Sieve server SRV resource records in the host's domain. See RFC 5804 for details.

roundcube__sieve_srv_rr: '{{ q("dig", "_sieve._tcp." + roundcube__domain + "./SRV", "flat=0") }}'
roundcube__sieve_fqdn

The FQDN address of the Sieve server which allows management of the Sieve filter scripts. By default the host is located using DNS SRV resource records; if there are none, the role checks if a local Dovecot installation is present and uses the host FQDN as the Sieve server address. Finally, the static sieve.<domain> is used.

Use of FQDN instead of localhost is required for X.509 certificate verification and for correct information in system logs.

roundcube__sieve_fqdn: '{{ (roundcube__sieve_srv_rr | selectattr("target", "defined")
                            | map(attribute="target")
                            | map("regex_replace", "\.$","")
                            | list | first)
                           if ("NXDOMAIN" not in roundcube__sieve_srv_rr and
                               roundcube__sieve_srv_rr[0])
                           else (ansible_fqdn
                                 if (ansible_local|d() and ansible_local.dovecot|d() and
                                     (ansible_local.dovecot.installed|d())|bool)
                                 else ("sieve." + roundcube__domain)) }}'
roundcube__sieve_port

TCP port used for Sieve connections.

roundcube__sieve_port: '{{ (roundcube__sieve_srv_rr | selectattr("target", "defined")
                            | map(attribute="port") | list | sort | first)
                           if ("NXDOMAIN" not in roundcube__sieve_srv_rr and
                               roundcube__sieve_srv_rr[0])
                           else "4190" }}'
roundcube__sieve_server

The Sieve host chosen to access the Sieve configuration interface.

Replacement variables supported in host name:

  %h - user's IMAP hostname
  %n - http hostname ($_SERVER['SERVER_NAME'])
  %d - domain (http hostname without the first part)

For example %n = mail.domain.tld, %d = domain.tld

roundcube__sieve_server: '{{ "tls://" + roundcube__sieve_fqdn }}'
roundcube__product_name

Name your service. This is displayed on the login screen and in the window title.

roundcube__product_name: '{{ ansible_local.machine.organization|d("Roundcube") + " Webmail" }}'
roundcube__des_key

Encryption key for the user's IMAP password, which is stored in the session record (and in the client cookie if remember password is enabled).

roundcube__des_key: '{{ lookup("password", secret + "/credentials/" + inventory_hostname + "/roundcube/des_key chars=hexdigits length=24") }}'
roundcube__username_domain

Specify a domain (realm) to add to usernames without a specified domain. Defining a default domain helps avoid creating separate Roundcube profiles when users use logins with and without a domain specified.

The default is to create a domain based on the host DNS domain.

roundcube__username_domain: '%d'
roundcube__log_driver

Define the log driver. Currently available: syslog, stdout, file.

roundcube__log_driver: 'syslog'

Roundcube configuration file

These variables define the contents of the config/config.inc.php local configuration file. See roundcube__configuration for more details.

roundcube__original_configuration

The list defines the Roundcube configuration options stored in the config.inc.php.sample configuration file. Modifications to these configuration options should be done using the subsequent variables.

roundcube__original_configuration:

    # [[[ init
  - name: 'init_config'
    raw: |
      $config = array();
    section: 'init'

    # [[[  sql
  - name: 'db_dsnw'
    comment: |
      Database connection string (DSN) for read+write operations
      Format (compatible with PEAR MDB2): db_provider://user:password@host/database
      Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
      For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
      Note: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
            or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
      Note: Various drivers support various additional arguments for connection,
            for Mysql: key, cipher, cert, capath, ca, verify_server_cert,
            for Postgres: application_name, sslmode, sslcert, sslkey,
            sslrootcert, sslcrl, sslcompression, service.
            e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false'
    value: 'mysql://roundcube:pass@localhost/roundcubemail'
    section: 'sql'

  - name: 'db_dsnr'
    comment: |
      Database DSN for read-only operations (if empty write database will be used)
      useful for database replication
    value: ''
    section: 'sql'
    state: 'init'

  - name: 'db_dsnw_noread'
    comment: 'Disable the use of already established dsnw connections for subsequent reads'
    value: False
    section: 'sql'
    state: 'init'

  - name: 'db_persistent'
    comment: |
      use persistent db-connections
      beware this will not "always" work as expected
      see: http://www.php.net/manual/en/features.persistent-connections.php
    value: False
    section: 'sql'
    state: 'init'

  - name: 'db_prefix'
    comment: 'You can define specific table (and sequence) names prefix'
    value: ''
    section: 'sql'
    state: 'init'

  - name: 'db_table_dsn'
    comment: |
      Mapping of table names and connections to use for ALL operations.
      This can be used in a setup with replicated databases and a DB master
      where read/write access to cache tables should not go to master.
    array:
      - 'cache':          'r'
        'cache_index':    'r'
        'cache_thread':   'r'
        'cache_messages': 'r'
    section: 'sql'
    state: 'init'

  - name: 'db_max_allowed_packet'
    comment: |
      It is possible to specify database variable values e.g. some limits here.
      Use them if your server is not MySQL or for better performance.
      For example Roundcube uses max_allowed_packet value (in bytes)
      which limits query size for database cache operations.
    value: null
    section: 'sql'
    state: 'init'

    # [[[ logging
  - name: 'log_driver'
    comment: |
      Log driver: 'syslog', 'stdout' or 'file'.
    value: 'file'
    section: 'logging'
    state: 'init'

  - name: 'log_date_format'
    comment: |
      Date format for log entries
      (read http://php.net/manual/en/function.date.php for all format characters)
    value: 'd-M-Y H:i:s O'
    section: 'logging'
    state: 'init'

  - name: 'log_session_id'
    comment: |
      Length of the session ID to prepend each log line with
      set to 0 to avoid session IDs being logged.
    value: 8
    section: 'logging'
    state: 'init'

  - name: 'log_file_ext'
    comment: 'Default extension used for log file name'
    value: '.log'
    section: 'logging'
    state: 'init'

  - name: 'syslog_id'
    comment: 'Syslog ident string to use, if using the "syslog" log driver.'
    value: 'roundcube'
    section: 'logging'
    state: 'init'

  - name: 'syslog_facility'
    comment: |
      Syslog facility to use, if using the 'syslog' log driver.
      For possible values see installer or http://php.net/manual/en/function.openlog.php
    value: 'LOG_USER'
    quotes: False
    section: 'logging'
    state: 'init'

  - name: 'per_user_logging'
    comment: |
      Activate this option if logs should be written to per-user directories.
      Data will only be logged if a directory <log_dir>/<username>/ exists and is writable.
    value: False
    section: 'logging'
    state: 'init'

  - name: 'smtp_log'
    comment: 'Log sent messages to <log_dir>/sendmail.log or to syslog'
    value: True
    section: 'logging'
    state: 'init'

  - name: 'log_logins'
    comment: 'Log successful/failed logins to <log_dir>/userlogins.log or to syslog'
    value: False
    section: 'logging'
    state: 'init'

  - name: 'session_debug'
    comment: |
      Log session debug information/authentication errors to <log_dir>/session.log or to syslog
    value: False
    section: 'logging'
    state: 'init'

  - name: 'sql_debug'
    comment: 'Log SQL queries to <log_dir>/sql.log or to syslog'
    value: False
    section: 'logging'
    state: 'init'

  - name: 'imap_debug'
    comment: 'Log IMAP conversation to <log_dir>/imap.log or to syslog'
    value: False
    section: 'logging'
    state: 'init'

  - name: 'ldap_debug'
    comment: 'Log LDAP conversation to <log_dir>/ldap.log or to syslog'
    value: False
    section: 'logging'
    state: 'init'

  - name: 'smtp_debug'
    comment: 'Log SMTP conversation to <log_dir>/smtp.log or to syslog'
    value: False
    section: 'logging'
    state: 'init'

  - name: 'memcache_debug'
    comment: 'Log Memcache conversation to <log_dir>/memcache.log or to syslog'
    value: False
    section: 'logging'
    state: 'init'

  - name: 'apc_debug'
    comment: 'Log APC conversation to <log_dir>/apc.log or to syslog'
    value: False
    section: 'logging'
    state: 'init'

  - name: 'redis_debug'
    comment: 'Log Redis conversation to <log_dir>/redis.log or to syslog'
    value: False
    section: 'logging'
    state: 'init'

    # [[[ imap
  - name: 'default_host'
    comment: |
      The IMAP host chosen to perform the log-in.
      Leave blank to show a textbox at login, give a list of hosts
      to display a pulldown menu or set one host as string.
      To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
      Supported replacement variables:
      %n - hostname ($_SERVER['SERVER_NAME'])
      %t - hostname without the first part
      %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
      %s - domain name after the '@' from e-mail address provided at login screen
      For example %n = mail.domain.tld, %t = domain.tld
      WARNING: After hostname change update of mail_host column in users table is
               required to match old user data records with the new host.
    value: 'localhost'
    section: 'imap'

  - name: 'default_port'
    comment: 'TCP port used for IMAP connections'
    value: 143
    section: 'imap'
    state: 'init'

  - name: 'imap_auth_type'
    comment: |
      IMAP authentication method (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or null).
      Use 'IMAP' to authenticate with IMAP LOGIN command.
      By default the most secure method (from supported) will be selected.
    value: null
    section: 'imap'
    state: 'init'

  - name: 'imap_conn_options'
    comment: |
      IMAP socket context options
      See http://php.net/manual/en/context.ssl.php
      The example below enables server certificate validation
      Note: These can be also specified as an array of options indexed by hostname
    array:
      - ssl:
          - verify_peer: True
            verify_depth: 3
            cafile: '/etc/ssl/certs/ca-certificates.crt'
    section: 'imap'
    state: 'init'

  - name: 'imap_timeout'
    comment: 'IMAP connection timeout, in seconds. Default: 0 (use default_socket_timeout)'
    value: 0
    section: 'imap'
    state: 'init'

  - name: 'imap_auth_cid'
    comment: 'Optional IMAP authentication identifier to be used as authorization proxy'
    value: null
    section: 'imap'
    state: 'init'

  - name: 'imap_auth_pw'
    comment: 'Optional IMAP authentication password to be used for imap_auth_cid'
    value: null
    section: 'imap'
    state: 'init'

  - name: 'imap_delimiter'
    comment: |
      If you know your imap's folder delimiter, you can specify it here.
      Otherwise it will be determined automatically
    value: null
    section: 'imap'
    state: 'init'

  - name: 'imap_vendor'
    comment: |
      If you know your imap's folder vendor, you can specify it here.
      Otherwise it will be determined automatically. Use lower-case
      identifiers, e.g. 'dovecot', 'cyrus', 'gimap', 'hmail', 'uw-imap'.
    value: null
    section: 'imap'
    state: 'init'

  - name: 'imap_ns_personal'
    comment: |
      If IMAP server doesn't support NAMESPACE extension, but you're
      using shared folders or personal root folder is non-empty, you'll need to
      set these options. All can be strings or arrays of strings.
      Note: Folders need to be ended with directory separator, e.g. "INBOX."
            (special directory "~" is an exception to this rule)
      Note: These can be used also to overwrite server's namespaces
      Note: Set these to FALSE to disable access to specified namespace
    value: null
    section: 'imap'
    state: 'init'

  - name: 'imap_ns_other'
    value: null
    section: 'imap'
    state: 'init'

  - name: 'imap_ns_shared'
    value: null
    section: 'imap'
    state: 'init'

  - name: 'imap_force_caps'
    comment: |
      By default IMAP capabilities are read after connecting to the IMAP server.
      In some cases, e.g. when using IMAP proxy, there's a need to refresh the list
      after login. Set to True if you've got this case.
    value: False
    section: 'imap'
    state: 'init'

  - name: 'imap_force_lsub'
    comment: |
      By default list of subscribed folders is determined using LIST-EXTENDED
      extension if available. Some servers (dovecot 1.x) return wrong results
      for shared namespaces in this case. https://github.com/roundcube/roundcubemail/issues/2474
      Enable this option to force LSUB command usage instead.
      Deprecated: Use imap_disabled_caps = array('LIST-EXTENDED')
    value: False
    section: 'imap'
    state: 'init'

  - name: 'imap_force_ns'
    comment: |
      Some server configurations (e.g. Courier) don't list folders in all namespaces
      Enable this option to force listing of folders in all namespaces
    value: False
    section: 'imap'
    state: 'init'

  - name: 'imap_skip_hidden_folders'
    comment: |
      Some servers return hidden folders (name starting with a dot)
      from user home directory. IMAP RFC does not forbid that.
      Enable this option to hide them and disable possibility to create such.
    value: False
    section: 'imap'
    state: 'init'

  - name: 'imap_dual_use_folders'
    comment: |
      Some servers do not support folders with both folders and messages inside
      If your server supports that use true, if it does not, use false.
      By default it will be determined automatically (once per user session).
    value: null
    section: 'imap'
    state: 'init'

  - name: 'imap_disabled_caps'
    comment: |
      List of disabled imap extensions.
      Use if your IMAP server has broken implementation of some feature
      and you can't remove it from CAPABILITY string on server-side.
      For example UW-IMAP server has broken ESEARCH.
      Note: Because the list is cached, re-login is required after change.
    value: []
    section: 'imap'
    state: 'init'

  - name: 'imap_log_session'
    comment: |
      Log IMAP session identifiers after each IMAP login.
      This is used to relate IMAP session with Roundcube user sessions
    value: False
    section: 'imap'
    state: 'init'

  - name: 'imap_cache'
    comment: |
      Type of IMAP indexes cache. Supported values: 'db', 'apc' and 'memcache' or 'memcached'.
    value: null
    section: 'imap'
    state: 'init'

  - name: 'messages_cache'
    comment: |
      Enables messages cache. Only 'db' cache is supported.
      This requires an IMAP server that supports QRESYNC and CONDSTORE
      extensions (RFC7162). See synchronize() in program/lib/Roundcube/rcube_imap_cache.php
      for further info, or if you experience syncing problems.
    value: False
    section: 'imap'
    state: 'init'

  - name: 'imap_cache_ttl'
    comment: 'Lifetime of IMAP indexes cache. Possible units: s, m, h, d, w'
    value: '10d'
    section: 'imap'
    state: 'init'

  - name: 'messages_cache_ttl'
    comment: 'Lifetime of messages cache. Possible units: s, m, h, d, w'
    value: '10d'
    section: 'imap'
    state: 'init'

  - name: 'messages_cache_threshold'
    comment: |
      Maximum cached message size in kilobytes.
      Note: On MySQL this should be less than (max_allowed_packet - 30%)
    value: 50
    section: 'imap'
    state: 'init'

    # [[[ smtp
  - name: 'smtp_server'
    comment: |
      SMTP server host (for sending mails).
      Enter hostname with prefix tls:// to use STARTTLS, or use
      prefix ssl:// to use the deprecated SSL over SMTP (aka SMTPS)
      Supported replacement variables:
      %h - user's IMAP hostname
      %n - hostname ($_SERVER['SERVER_NAME'])
      %t - hostname without the first part
      %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
      %z - IMAP domain (IMAP hostname without the first part)
      For example %n = mail.domain.tld, %t = domain.tld
    value: 'localhost'
    section: 'smtp'

  - name: 'smtp_port'
    comment: |
      SMTP port (default is 25; use 587 for STARTTLS or 465 for the
      deprecated SSL over SMTP (aka SMTPS))
    value: 587
    section: 'smtp'

  - name: 'smtp_user'
    comment: |
      SMTP username (if required). If you use %u as the username, Roundcube
      will use the current username for login
    value: '%u'
    section: 'smtp'

  - name: 'smtp_pass'
    comment: |
      SMTP password (if required). If you use %p as the password, Roundcube
      will use the current user's password for login
    value: '%p'
    section: 'smtp'

  - name: 'smtp_auth_type'
    comment: |
      SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
      best server supported one)
    value: null
    section: 'smtp'
    state: 'init'

  - name: 'smtp_auth_cid'
    comment: |
      Optional SMTP authentication identifier to be used as authorization proxy
    value: null
    section: 'smtp'
    state: 'init'

  - name: 'smtp_auth_pw'
    comment: |
      Optional SMTP authentication password to be used for smtp_auth_cid
    value: null
    section: 'smtp'
    state: 'init'

  - name: 'smtp_helo_host'
    comment: |
      SMTP HELO host
      Hostname to give to the remote server for SMTP 'HELO' or 'EHLO' messages
      Leave this blank and you will get the server variable 'server_name' or
      localhost if that isn't defined.
    value: ''
    section: 'smtp'
    state: 'init'

  - name: 'smtp_timeout'
    comment: |
      SMTP connection timeout, in seconds. Default: 0 (use default_socket_timeout)
      Note: There's a known issue where using ssl connection with
      timeout > 0 causes connection errors (https://bugs.php.net/bug.php?id=54511)
    value: 0
    section: 'smtp'
    state: 'init'

  - name: 'smtp_conn_options'
    comment: |
      SMTP socket context options
      See http://php.net/manual/en/context.ssl.php
      The example below enables server certificate validation, and
      requires 'smtp_timeout' to be non zero.
      Note: These can be also specified as an array of options indexed by hostname
    array:
      - ssl:
          - verify_peer: True
            verify_depth: 3
            cafile: '/etc/ssl/certs/ca-certificates.crt'
    section: 'smtp'
    state: 'init'

    # [[[ ldap
  - name: 'ldap_cache'
    comment: |
      Type of LDAP cache. Supported values: 'db', 'apc' and 'memcache' or 'memcached'.
    value: 'db'
    section: 'ldap'
    state: 'init'

  - name: 'ldap_cache_ttl'
    comment: 'Lifetime of LDAP cache. Possible units: s, m, h, d, w'
    value: '10m'
    section: 'ldap'
    state: 'init'

    # [[[ cache
  - name: 'memcache_hosts'
    comment: |
      Use these hosts for accessing memcached
      Define any number of hosts in the form of hostname:port or unix:///path/to/socket.file
      Example: array('localhost:11211', '192.168.1.12:11211', 'unix:///var/tmp/memcached.sock');
    value: null
    section: 'cache'
    state: 'init'

  - name: 'memcache_pconnect'
    comment: |
      Controls the use of persistent connections to memcache servers
      See http://php.net/manual/en/memcache.addserver.php
    value: True
    section: 'cache'
    state: 'init'

  - name: 'memcache_timeout'
    comment: |
      Value in seconds which will be used for connecting to the daemon
      See http://php.net/manual/en/memcache.addserver.php
    value: 1
    section: 'cache'
    state: 'init'

  - name: 'memcache_retry_interval'
    comment: |
      Controls how often a failed server will be retried (value in seconds).
      Setting this parameter to -1 disables automatic retry.
      See http://php.net/manual/en/memcache.addserver.php
    value: 15
    section: 'cache'
    state: 'init'

  - name: 'redis_hosts'
    comment: |
      Use these hosts for accessing Redis.
      Currently only one host is supported. Cluster support may come in a future release.
      You can pass 4 fields, host, port (optional), database (optional) and password (optional).
      Unset fields will be set to the default values host=127.0.0.1, port=6379.
      Examples:
          array('localhost:6379');
          array('192.168.1.1:6379:1:secret');
          array('unix:///var/run/redis/redis-server.sock:1:secret');
    value: null
    section: 'cache'
    state: 'init'

  - name: 'memcache_max_allowed_packet'
    comment: 'Maximum size of an object in memcache (in bytes). Default: 2MB'
    value: '2M'
    section: 'cache'
    state: 'init'

  - name: 'apc_max_allowed_packet'
    comment: 'Maximum size of an object in APC cache (in bytes). Default: 2MB'
    value: '2M'
    section: 'cache'
    state: 'init'

  - name: 'redis_max_allowed_packet'
    comment: 'Maximum size of an object in Redis cache (in bytes). Default: 2MB'
    value: '2M'
    section: 'cache'
    state: 'init'

    # [[[ system
  - name: 'enable_installer'
    comment: |
      THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
      ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
    value: False
    section: 'system'
    state: 'init'

  - name: 'dont_override'
    comment: "Don't allow these settings to be overridden by the user"
    value: []
    section: 'system'
    state: 'init'

  - name: 'disabled_actions'
    comment: 'List of disabled UI elements/actions'
    value: []
    section: 'system'
    state: 'init'

  - name: 'advanced_prefs'
    comment: |
      Define which settings should be listed under the 'advanced' block
      which is hidden by default
    value: []
    section: 'system'
    state: 'init'

  - name: 'support_url'
    comment: |
      Provide a URL where a user can get support for this Roundcube installation
      PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
    value: ''
    section: 'system'

  - name: 'skin_logo'
    comment: |
      Logo image replacement. Specifies location of the image as:
      - URL relative to the document root of this Roundcube installation
      - full URL with http:// or https:// prefix
      - URL relative to the current skin folder (when starts with a '/')

      An array can be used to specify different logos for specific template files
      The array key specifies the place(s) the logo should be applied to and
      is made up of (up to) 3 parts:
      - skin name prefix (always with colon, can be replaced with *)
      - template name (or * for all templates)
      - logo type - it is used for logos used on multiple templates
        the available types include '[favicon]' for favicon, '[print]' for logo on all print
        templates (e.g. messageprint, contactprint) and '[small]' for small screen logo in supported skins

      Example config for skin_logo

      array(
        // show the image /images/logo_login_small.png for the Login screen in the Elastic skin on small screens
        "elastic:login[small]" => "/images/logo_login_small.png",
        // show the image /images/logo_login.png for the Login screen in the Elastic skin
        "elastic:login" => "/images/logo_login.png",
        // show the image /images/logo_small.png in the Elastic skin
        "elastic:*[small]" => "/images/logo_small.png",
        // show the image /images/larry.png in the Larry skin
        "larry:*" => "/images/larry.png",
        // show the image /images/logo_login.png on the login template in all skins
        "login" => "/images/logo_login.png",
        // show the image /images/logo_print.png for all print type logos in all skins
        "[print]" => "/images/logo_print.png",
      );
    value: null
    section: 'system'
    state: 'init'

  - name: 'auto_create_user'
    comment: |
      Automatically create a new Roundcube user when logging in for the first time.
      A new user will be created once the IMAP login succeeds.
      Set to false if only registered users can use this service
    value: True
    section: 'system'
    state: 'init'

  - name: 'user_aliases'
    comment: 'Enables possibility to log in using email address from user identities'
    value: False
    section: 'system'
    state: 'init'

  - name: 'log_dir'
    comment: |
      Use this folder to store log files
      Must be writeable for the user who runs PHP process (Apache user if mod_php is being used)
      This is used by the 'file' log driver.
    value: "RCUBE_INSTALL_PATH . 'logs/'"
    quotes: False
    section: 'system'
    state: 'init'

  - name: 'temp_dir'
    comment: |
      Use this folder to store temp files
      Must be writeable for the user who runs PHP process (Apache user if mod_php is being used)
    value: "RCUBE_INSTALL_PATH . 'temp/'"
    quotes: False
    section: 'system'
    state: 'init'

  - name: 'temp_dir_ttl'
    comment: |
      Expire files in temp_dir after 48 hours
      Possible units: s, m, h, d, w
    value: '48h'
    section: 'system'
    state: 'init'

  - name: 'force_https'
    comment: |
      Enforce connections over https
      With this option enabled, all non-secure connections will be redirected.
      It can be also a port number, hostname or hostname:port if they are
      different than default HTTP_HOST:443
    value: False
    section: 'system'
    state: 'init'

  - name: 'use_https'
    comment: |
      Tell PHP that it should work as if under a secure connection
      even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
      e.g. when you're running Roundcube behind an https proxy
      This option is mutually exclusive with 'force_https' and only one of
      them should be set to true.
    value: False
    section: 'system'
    state: 'init'

  - name: 'login_autocomplete'
    comment: |
      Allow browser-autocompletion on login form.
      0 - disabled, 1 - username and host only, 2 - username, host, password
    value: 0
    section: 'system'
    state: 'init'

  - name: 'login_lc'
    comment: |
      Forces conversion of logins to lower case.
      0 - disabled, 1 - only domain part, 2 - domain and local part.
      If user authentication is case-insensitive this must be enabled.
      Note: After enabling it all user records need to be updated, e.g. with query:
            UPDATE users SET username = LOWER(username);
    value: 2
    section: 'system'
    state: 'init'

  - name: 'login_username_maxlen'
    comment: 'Maximum length (in bytes) of logon username and password.'
    value: 1024
    section: 'system'
    state: 'init'

  - name: 'login_password_maxlen'
    value: 1024
    section: 'system'
    state: 'init'

  - name: 'login_username_filter'
    comment: |
      Logon username filter. Regular expression for use with preg_match().
      Example: '/^[a-z0-9_@.-]+$/'
    value: null
    section: 'system'
    state: 'init'

  - name: 'login_rate_limit'
    comment: |
      Brute-force attacks prevention.
      The value specifies maximum number of failed logon attempts per minute.
    value: 3
    section: 'system'
    state: 'init'

  - name: 'skin_include_php'
    comment: 'Includes should be interpreted as PHP files'
    value: False
    section: 'system'
    state: 'init'

  - name: 'display_product_info'
    comment: |
      Display product name and software version on login screen
      0 - hide product name and version number,
      1 - show product name only,
      2 - show product name and version number
    value: 1
    section: 'system'
    state: 'init'

  - name: 'session_lifetime'
    comment: 'Session lifetime in minutes'
    value: 10
    section: 'system'
    state: 'init'

  - name: 'session_domain'
    comment: 'Session domain: .example.org'
    value: ''
    section: 'system'
    state: 'init'

  - name: 'session_name'
    comment: |
      Session name. Default: 'roundcube_sessid'
    value: null
    section: 'system'
    state: 'init'

  - name: 'session_auth_name'
    comment: |
      Session authentication cookie name. Default: 'roundcube_sessauth'
    value: null
    section: 'system'
    state: 'init'

  - name: 'session_path'
    comment: |
      Session path. Defaults to PHP session.cookie_path setting.
    value: null
    section: 'system'
    state: 'init'

  - name: 'session_storage'
    comment: |
      Backend to use for session storage. Can either be 'db' (default), 'redis', 'memcache', or 'php'

      If set to 'memcache' or 'memcached', a list of servers need to be specified in 'memcache_hosts'
      Make sure the Memcache extension (https://pecl.php.net/package/memcache) version >= 2.0.0
      or the Memcached extension (https://pecl.php.net/package/memcached) version >= 2.0.0 is installed.

      If set to 'redis', a server needs to be specified in 'redis_hosts'
      Make sure the Redis extension (https://pecl.php.net/package/redis) version >= 2.0.0 is installed.

      Setting this value to 'php' will use the default session save handler configured in PHP
    value: 'db'
    section: 'system'
    state: 'init'

  - name: 'proxy_whitelist'
    comment: |
      List of trusted proxies
      X_FORWARDED_* and X_REAL_IP headers are only accepted from these IPs
    value: []
    section: 'system'
    state: 'init'

  - name: 'trusted_host_pattern'
    comment: |
      List of trusted host names
      Attackers can modify Host header of the HTTP request causing $_SERVER['SERVER_NAME']
      or $_SERVER['HTTP_HOST'] variables pointing to a different host, that could be used
      to collect user names and passwords. Some server configurations prevent that, but not all.
      An empty list accepts any host name. The list can contain host names
      or PCRE patterns (without // delimiters, that will be added automatically).
    value: []
    section: 'system'
    state: 'init'

  - name: 'ip_check'
    comment: 'Check client IP in session authorization'
    value: False
    section: 'system'
    state: 'init'

  - name: 'x_frame_options'
    comment: |
      X-Frame-Options HTTP header value sent to prevent clickjacking.
      Possible values: sameorigin|deny|allow-from <uri>.
      Set to false in order to disable sending the header.
    value: 'sameorigin'
    section: 'system'
    state: 'init'

  - name: 'des_key'
    comment: |
      This key is used to encrypt the user's IMAP password which is stored
      in the session record (and the client cookie if remember password is enabled).
      Please provide a string of exactly 24 chars.
      YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
    value: 'rcmail-!24ByteDESkey*Str'
    section: 'system'

  - name: 'cipher_method'
    comment: |
      Encryption algorithm. You can use any method supported by OpenSSL.
      Default is set for backward compatibility to DES-EDE3-CBC,
      but you can choose e.g. AES-256-CBC which we consider a better choice.
    value: 'DES-EDE3-CBC'
    section: 'system'
    state: 'init'

  - name: 'username_domain'
    comment: |
      Automatically add this domain to user names for login
      Only for IMAP servers that require full e-mail addresses for login
      Specify an array with 'host' => 'domain' values to support multiple hosts
      Supported replacement variables:
      %h - user's IMAP hostname
      %n - hostname ($_SERVER['SERVER_NAME'])
      %t - hostname without the first part
      %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
      %z - IMAP domain (IMAP hostname without the first part)
      For example %n = mail.domain.tld, %t = domain.tld
    value: ''
    section: 'system'
    state: 'init'

  - name: 'username_domain_forced'
    comment: |
      Force domain configured in username_domain to be used for login.
      Any domain in username will be replaced by username_domain.
    value: False
    section: 'system'
    state: 'init'

  - name: 'mail_domain'
    comment: |
      This domain will be used to form e-mail addresses of new users
      Specify an array with 'host' => 'domain' values to support multiple hosts
      Supported replacement variables:
      %h - user's IMAP hostname
      %n - http hostname ($_SERVER['SERVER_NAME'])
      %d - domain (http hostname without the first part)
      %z - IMAP domain (IMAP hostname without the first part)
      For example %n = mail.domain.tld, %t = domain.tld
    value: ''
    section: 'system'
    state: 'init'

  - name: 'password_charset'
    comment: |
      Password character set, to change the password for user
      authentication or for password change operations
    value: 'UTF-8'
    section: 'system'
    state: 'init'

  - name: 'sendmail_delay'
    comment: 'How many seconds must pass between emails sent by a user'
    value: 0
    section: 'system'
    state: 'init'

  - name: 'max_message_size'
    comment: |
      Message size limit. Note that SMTP server(s) may use a different value.
      This limit is verified when user attaches files to a composed message.
      Size in bytes (possible unit suffix: K, M, G)
    value: '100M'
    section: 'system'
    state: 'init'

  - name: 'max_recipients'
    comment: |
      Maximum number of recipients per message (including To, Cc, Bcc).
      Default: 0 (no limit)
    value: 0
    section: 'system'
    state: 'init'

  - name: 'max_disclosed_recipients'
    comment: |
      Maximum number of recipients per message excluding Bcc header.
      This is a soft limit, which means we only display a warning to the user.
      Default: 5
    value: 5
    section: 'system'
    state: 'init'

  - name: 'max_group_members'
    comment: |
      Maximum allowed number of members of an address group. Default: 0 (no limit)
      If 'max_recipients' is set this value should be less than or equal to it
    value: 0
    section: 'system'
    state: 'init'

  - name: 'product_name'
    comment: |
      Name your service. This is displayed on the login screen and in the window title
    value: 'Roundcube Webmail'
    section: 'system'

  - name: 'useragent'
    comment: 'Add this user-agent to message headers when sending'
    value: "'Roundcube Webmail/'.RCUBE_VERSION"
    quotes: False
    section: 'system'
    state: 'init'

  - name: 'include_host_config'
    comment: |
      Try to load host-specific configuration
      See https://github.com/roundcube/roundcubemail/wiki/Configuration:-Multi-Domain-Setup
      for more details
    value: False
    section: 'system'
    state: 'init'

  - name: 'generic_message_footer'
    comment: |
      Path to a text file which will be added to each sent message
      Paths are relative to the Roundcube root folder
    value: ''
    section: 'system'
    state: 'init'

  - name: 'generic_message_footer_html'
    comment: |
      Path to a text file which will be added to each sent HTML message
      Paths are relative to the Roundcube root folder
    value: ''
    section: 'system'
    state: 'init'

  - name: 'http_received_header'
    comment: |
      Add a received header to outgoing mails containing the creator's IP and hostname
    value: False
    section: 'system'
    state: 'init'

  - name: 'http_received_header_encrypt'
    comment: |
      Whether or not to encrypt the IP address and the host name
      these could, in some circles, be considered as sensitive information;
      however, for the administrator, these could be invaluable help
      when tracking down issues.
    value: False
    section: 'system'
    state: 'init'

  - name: 'line_length'
    comment: |
      Number of chars allowed for line when wrapping text.
      Text wrapping is done when composing/sending messages
    value: 72
    section: 'system'
    state: 'init'

  - name: 'send_format_flowed'
    comment: 'Send plaintext messages as format=flowed'
    value: True
    section: 'system'
    state: 'init'

  - name: 'mdn_use_from'
    comment: |
      According to RFC2298, return receipt envelope sender address must be
      empty. If this option is true, Roundcube will use user's identity as
      envelope sender for MDN responses.
    value: False
    section: 'system'
    state: 'init'

  - name: 'identities_level'
    comment: |
      Set identities access level:
      0 - many identities with possibility to edit all params
      1 - many identities with possibility to edit all params but not email address
      2 - one identity with possibility to edit all params
      3 - one identity with possibility to edit all params but not email address
      4 - one identity with possibility to edit only signature
    value: 0
    section: 'system'
    state: 'init'

  - name: 'identity_image_size'
    comment: |
      Maximum size of uploaded image in kilobytes
      Images (in html signatures) are stored in database as data URIs
    value: 64
    section: 'system'
    state: 'init'

  - name: 'client_mimetypes'
    comment: |
      Mimetypes supported by the browser.
      Attachments of these types will open in a preview window
      Either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
    value: null
    section: 'system'
    state: 'init'

  - name: 'mime_magic'
    comment: |
      Path to a local mime magic database file for PHP's finfo extension.
      Set to null if the default path should be used.
    value: null
    section: 'system'
    state: 'init'

  - name: 'mime_types'
    comment: |
      Absolute path to a local mime.types mapping table file.
      This is used to derive mime-types from the filename extension or vice versa.
      Such a file is usually part of the apache webserver. If you don't find a file named mime.types on your system,
      download it from http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types
    value: null
    section: 'system'
    state: 'init'

  - name: 'im_identify_path'
    comment: |
      Path to imagemagick identify binary (if not set we'll use Imagick or GD extensions)
    value: null
    section: 'system'
    state: 'init'

  - name: 'im_convert_path'
    comment: |
      Path to imagemagick convert binary (if not set we'll use Imagick or GD extensions)
    value: null
    section: 'system'
    state: 'init'

  - name: 'image_thumbnail_size'
    comment: |
      Size of thumbnails from image attachments displayed below the message content.
      Note: whether images are displayed at all depends on the 'inline_images' option.
      Set to 0 to display images in full size.
    value: 240
    section: 'system'
    state: 'init'

  - name: 'contact_photo_size'
    comment: 'Maximum size of uploaded contact photos in pixels'
    value: 160
    section: 'system'
    state: 'init'

  - name: 'email_dns_check'
    comment: 'Enable DNS checking for e-mail address validation'
    value: False
    section: 'system'
    state: 'init'

  - name: 'no_save_sent_messages'
    comment: |
      Disables saving sent messages in Sent folder (like gmail) (Default: false)
      Note: useful when SMTP server stores sent mail in user mailbox
    value: False
    section: 'system'
    state: 'init'

  - name: 'use_secure_urls'
    comment: |
      Improve system security by using special URL with security token.
      This can be set to a number defining token length. Default: 16.
      Warning: This requires http server configuration. Sample:
         RewriteRule ^/roundcubemail/[a-zA-Z0-9]{16}/(.*) /roundcubemail/$1 [PT]
         Alias /roundcubemail /var/www/roundcubemail/
      Note: Use assets_path to not prevent the browser from caching assets
    value: False
    section: 'system'
    state: 'init'

  - name: 'assets_path'
    comment: |
      Allows defining a separate server/path for image/js/css files
      Warning: If the domain is different, cross-domain access to some
      resources needs to be allowed
      Sample:
         <FilesMatch ".(eot|ttf|woff)">
         Header set Access-Control-Allow-Origin "*"
         </FilesMatch>
    value: ''
    section: 'system'
    state: 'init'

  - name: 'assets_dir'
    comment: |
      While assets_path is for the browser, assets_dir informs
      PHP code about the location of asset files in filesystem
    value: ''
    section: 'system'
    state: 'init'

    # [[[ plugins
  - name: 'plugins'
    comment: 'List of active plugins (in plugins/ directory)'
    value: [ 'archive', 'zipdownload' ]
    section: 'plugins'

    # [[[ ui
  - name: 'message_sort_col'
    comment: |
      Default messages sort column. Use empty value for default server's sorting,
      or 'arrival', 'date', 'subject', 'from', 'to', 'fromto', 'size', 'cc'
    value: ''
    section: 'ui'
    state: 'init'

  - name: 'message_sort_order'
    comment: 'Default messages sort order'
    value: 'DESC'
    section: 'ui'
    state: 'init'

  - name: 'list_cols'
    comment: |
      These cols are shown in the message list. Available cols are:
      subject, from, to, fromto, cc, replyto, date, size, status, flag, attachment, priority
    value: [ 'subject', 'status', 'fromto', 'date', 'size', 'flag', 'attachment' ]
    section: 'ui'
    state: 'init'

  - name: 'language'
    comment: |
      The default locale setting (leave empty for auto-detection)
      RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
    value: null
    section: 'ui'
    state: 'init'

  - name: 'date_format'
    comment: 'Use this format for date display (date or strftime format)'
    value: 'Y-m-d'
    section: 'ui'
    state: 'init'

  - name: 'date_formats'
    comment: |
      Give this choice of date formats to the user to select from
      Note: do not use ambiguous formats like m/d/Y
    value: [ 'Y-m-d', 'Y/m/d', 'Y.m.d', 'd-m-Y', 'd/m/Y', 'd.m.Y', 'j.n.Y' ]
    section: 'ui'
    state: 'init'

  - name: 'time_format'
    comment: 'Use this format for time display (date or strftime format)'
    value: 'H:i'
    section: 'ui'
    state: 'init'

  - name: 'time_formats'
    comment: 'Give this choice of time formats to the user to select from'
    value: [ 'G:i', 'H:i', 'g:i a', 'h:i A' ]
    section: 'ui'
    state: 'init'

  - name: 'date_short'
    comment: |
      Use this format for short date display (derived from date_format and
      time_format)
    value: 'D H:i'
    section: 'ui'
    state: 'init'

  - name: 'date_long'
    comment: |
      Use this format for detailed date/time formatting (derived from
      date_format and time_format)
    value: 'Y-m-d H:i'
    section: 'ui'
    state: 'init'

  - name: 'drafts_mbox'
    comment: |
      Store draft messages in this mailbox
      Leave blank if draft messages should not be stored
      NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
    value: 'Drafts'
    section: 'ui'
    state: 'init'

  - name: 'junk_mbox'
    comment: |
      Store spam messages in this mailbox
      NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
    value: 'Junk'
    section: 'ui'
    state: 'init'

  - name: 'sent_mbox'
    comment: |
      Store sent messages in this mailbox
      Leave blank if sent messages should not be stored
      NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
    value: 'Sent'
    section: 'ui'
    state: 'init'

  - name: 'trash_mbox'
    comment: |
      Move messages to this folder when deleting them
      Leave blank if they should be deleted directly
      NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
    value: 'Trash'
    section: 'ui'
    state: 'init'

  - name: 'create_default_folders'
    comment: |
      Automatically create the above listed default folders on user login
    value: False
    section: 'ui'
    state: 'init'

  - name: 'protect_default_folders'
    comment: |
      Protect the default folders from renames, deletes, and subscription changes
    value: True
    section: 'ui'
    state: 'init'

  - name: 'show_real_foldernames'
    comment: |
      Disable localization of the default folder names listed above
    value: False
    section: 'ui'
    state: 'init'

  - name: 'quota_zero_as_unlimited'
    comment: |
      If a quota of 0 means "no limit" on your system, set this option to true
    value: False
    section: 'ui'
    state: 'init'

  - name: 'enable_spellcheck'
    comment: |
      Make use of the built-in spell checker. It is based on GoogieSpell.
    value: True
    section: 'ui'
    state: 'init'

  - name: 'spellcheck_engine'
    comment: |
      Set the spell checking engine. Possible values:
      - 'googie'  - the default (also used for connecting to Nox Spell Server, see 'spellcheck_uri' setting)
      - 'pspell'  - requires the PHP Pspell module and aspell installed
      - 'enchant' - requires the PHP Enchant module
      - 'atd'     - install your own After the Deadline server or check with
                    the people at http://www.afterthedeadline.com before using their API
      Since Google shut down their public spell checking service, the default settings
      connect to http://spell.roundcube.net which is a hosted service provided by Roundcube.
      You can connect to any other googie-compliant service by setting 'spellcheck_uri' accordingly.
    value: 'googie'
    section: 'ui'
    state: 'init'

  - name: 'spellcheck_uri'
    comment: |
      For locally installed Nox Spell Server or After the Deadline services,
      please specify the URI to call it.
      Get Nox Spell Server from http://orangoo.com/labs/?page_id=72 or
      the After the Deadline package from http://www.afterthedeadline.com.
      Leave empty to use the public API of service.afterthedeadline.com
    value: ''
    section: 'ui'
    state: 'init'

  - name: 'spellcheck_languages'
    comment: |
      These languages can be selected for spell checking.
      Configure as a PHP style hash array: array('en'=>'English', 'de'=>'Deutsch');
      Leave empty for the default set of available languages.
    value: null
    section: 'ui'
    state: 'init'

  - name: 'spellcheck_ignore_caps'
    comment: |
      Ignore words with all letters capitalized (e.g. GOOGLE)
    value: False
    section: 'ui'
    state: 'init'

  - name: 'spellcheck_ignore_nums'
    comment: |
      Ignore words containing numbers (e.g. g00gle)
    value: False
    section: 'ui'
    state: 'init'

  - name: 'spellcheck_ignore_syms'
    comment: |
      Ignore words containing symbols (e.g. g@@gle)
    value: False
    section: 'ui'
    state: 'init'

  - name: 'sig_max_lines'
    comment: |
      Number of lines at the end of a message considered to contain the signature.
      Increase this value if signatures are not properly detected and colored
    value: 15
    section: 'ui'
    state: 'init'

  - name: 'max_pagesize'
    comment: |
      Don't let users set pagesize to more than this value if set
    value: 200
    section: 'ui'
    state: 'init'

  - name: 'min_refresh_interval'
    comment: |
      Minimal value of user's 'refresh_interval' setting (in seconds)
    value: 60
    section: 'ui'
    state: 'init'

  - name: 'undo_timeout'
    comment: |
      Specifies for how many seconds the Undo button will be available
      after an object delete action. Currently used with supporting address book sources.
      Setting it to 0 disables the feature.
    value: 0
    section: 'ui'
    state: 'init'

  - name: 'compose_responses_static'
    comment: |
      A static list of canned responses which are immutable for the user
    array:
      - [ 'name': 'Canned Response 1', 'text': 'Static Response One' ]
      - [ 'name': 'Canned Response 2', 'text': 'Static Response Two' ]
    section: 'ui'
    state: 'init'

  - name: 'keyservers'
    comment: |
      List of HKP key servers for PGP public key lookups in Enigma/Mailvelope
      Default: array("keys.fedoraproject.org", "keybase.io")
    value: []
    section: 'ui'
    state: 'init'

    # [[[ addressbook
  - name: 'address_book_type'
    comment: |
      This indicates which type of address book to use. Possible choices:
      'sql' - built-in sql addressbook enabled (default),
      ''    - built-in sql addressbook disabled.
              Still LDAP or plugin-added addressbooks will be available.
              BC Note: The value can actually be anything except 'sql', it does not matter.
    value: 'sql'
    section: 'addressbook'
    state: 'init'

  - name: 'ldap_public'
    comment: |
      In order to enable public LDAP search, configure an array like the Verisign
      example further below. If you would like to test, simply uncomment the example.
      Array key must contain only safe characters, i.e. a-zA-Z0-9_
    value: []
    section: 'addressbook'
    state: 'init'

  - name: 'ldap_public_verisign'
    option: [ 'ldap_public', 'Verisign' ]
    comment: |
      If you are going to use LDAP for individual address books, you will need to
      set 'user_specific' to true and use the variables to generate the appropriate DNs to access it.

      The recommended directory structure for LDAP is to store all the address book entries
      under the user's main entry, e.g.:

       o=root
        ou=people
         uid=user@domain
       mail=contact@contactdomain

      So the base_dn would be uid=%fu,ou=people,o=root
      The bind_dn would be the same as base_dn or some super user login.
    array:
      - name: 'Verisign.com'
        # Replacement variables supported in host names:
        # %h - user's IMAP hostname
        # %n - hostname ($_SERVER['SERVER_NAME'])
        # %t - hostname without the first part
        # %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
        # %z - IMAP domain (IMAP hostname without the first part)
        # For example %n = mail.domain.tld, %t = domain.tld
        hosts: [ 'directory.verisign.com' ]
        port: 389
        use_tls: False
        ldap_version: 3  # using LDAPv3
        # The timeout (in seconds) for connect + bind attempts. This is only
        # supported in PHP >= 5.3.0 with OpenLDAP 2.x
        network_timeout: 10
        # If true the base_dn, bind_dn and bind_pass default to the user's IMAP login.
        user_specific: False
        # When 'user_specific' is enabled, the following variables can be used in base_dn/bind_dn config:
        # %fu - The full username provided, assumes the username is an email
        #       address, uses the username_domain value if not an email address.
        # %u  - The username prior to the '@'.
        # %d  - The domain name after the '@'.
        # %dc - The domain name hierarchical string e.g. "dc=test,dc=domain,dc=com"
        # %dn - DN found by ldap search when search_filter/search_base_dn are used
        base_dn: ''
        bind_dn: ''
        bind_pass: ''
        # It's possible to bind for an individual address book
        # The login name is used to search for the DN to bind with
        search_base_dn: ''
        search_filter: ''  # e.g. '(& (objectClass=posixAccount) (uid=%u) )'
        # DN and password to bind as before searching for bind DN, if anonymous search is not allowed
        search_bind_dn: ''
        search_bind_pw: ''
        # Base DN and filter used for resolving the user's domain root DN which feeds the %dc variables
        # Leave empty to skip this lookup and derive the root DN from the username domain
        domain_base_dn: ''
        domain_filter: ''
        # Optional map of replacement strings => attributes used when binding for an individual address book
        search_bind_attrib: []  # e.g. array('%udc' => 'ou')
        # Default for %dn variable if search doesn't return DN value
        search_dn_default: ''
        # Optional authentication identifier to be used as SASL authorization proxy
        # bind_dn needs to be empty
        auth_cid: ''
        # SASL authentication method (for proxy auth), e.g. DIGEST-MD5
        auth_method: ''
        # Indicates if the addressbook shall be hidden from the list.
        # With this option enabled you can still search/view contacts.
        hidden: False
        # Indicates if the addressbook shall not list contacts but only allows searching.
        searchonly: False
        # Indicates if we can write to the LDAP directory or not.
        # If writable is true then these fields need to be populated:
        # LDAP_Object_Classes, required_fields, LDAP_rdn
        writable: False
        # To create a new contact these are the object classes to specify
        # (or any other classes you wish to use).
        LDAP_Object_Classes: [ 'top', 'inetOrgPerson' ]
        # The RDN field that is used for new entries, this field needs
        # to be one of the search_fields, the base of base_dn is appended
        # to the RDN to insert into the LDAP directory.
        LDAP_rdn: 'cn'
        # The required fields needed to build a new contact as required by
        # the object classes (can include additional fields not required by the object classes).
        required_fields: [ 'cn', 'sn', 'mail' ]
        search_fields: [ 'mail', 'cn' ]  # Fields to search in
        # Mapping of contact fields to directory attributes
        #   1. for every attribute one can specify the number of values (limit) allowed.
        #      default is 1, a wildcard * means unlimited
        #   2. another possible parameter is separator character for composite fields
        #   3. it's possible to define field format for write operations, e.g. for date fields
        #      example: 'birthday:date[YmdHis\\Z]'
        fieldmap:
          # Roundcube        LDAP:limit
          - 'name':          'cn'
            'surname':       'sn'
            'firstname':     'givenName'
            'jobtitle':      'title'
            'email':         'mail:*'
            'phone:home':    'homePhone'
            'phone:work':    'telephoneNumber'
            'phone:mobile':  'mobile'
            'phone:pager':   'pager'
            'phone:workfax': 'facsimileTelephoneNumber'
            'street':        'street'
            'zipcode':       'postalCode'
            'region':        'st'
            'locality':      'l'
            # If your country is a complex object, you need to configure 'sub_fields' below
            'country':       'c'
            'organization':  'o'
            'department':    'ou'
            'notes':         'description'
            'photo':         'jpegPhoto'
            # These currently don't work
            #'manager':      'manager'
            #'assistant':    'secretary'
        # Map of contact sub-objects (attribute name => objectClass(es)), e.g. 'c' => 'country'
        sub_fields: []
        # Generate values for the following LDAP attributes automatically when creating a new record
        autovalues:
          - 'uid':  'md5(microtime())'               # You may specify PHP code snippets which are then eval'ed
            'mail': '{givenname}.{sn}@mydomain.com'  # or composite strings with placeholders for existing attributes
        sort: 'cn'    # The field to sort the listing by.
        scope: 'sub'  # Search mode sub|base|list
        # Used for basic listing (if not empty) and will be &'d with search queries. Example: status=act
        filter: '(objectClass=inetOrgPerson)'
        fuzzy_search: True  # Server allows wildcard search
        # Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
        vlv: False
        # Use Virtual List View functions for autocompletion searches (if server supports it)
        vlv_search: False
        # With VLV, we also use numSubOrdinates to query the total number of
        # records. Set this filter to get all numSubOrdinates attributes for
        # counting
        numsub_filter: '(objectClass=organizationalUnit)'
        # Root DN to search config entries (e.g. vlv indexes)
        config_root_dn: 'cn=config'
        # Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
        sizelimit: '0'
        # Sets the maximum number of seconds spent on the search. Setting this to 0 means no limit.
        timelimit: '0'
        # Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
        referrals: False
        # Sets the LDAP_OPT_DEREF option. One of: LDAP_DEREF_NEVER, LDAP_DEREF_SEARCHING, LDAP_DEREF_FINDING, LDAP_DEREF_ALWAYS
        # Used where addressbook contains aliases to objects elsewhere in the LDAP tree.
        dereference: 0

        # Definition for contact groups (uncomment if no groups are supported)
        # For the groups base_dn, the user replacements %fu, %u, %d and %dc work as for base_dn (see above).
        # If the groups base_dn is empty, the contact base_dn is used for the groups as well
        # -> in this case, make sure that groups and contacts are separated by the corresponding filters!
        groups:
          - 'base_dn': ''
            'scope': 'sub'  # Search mode: sub|base|list
            'filter': '(objectClass=groupOfNames)'
            'object_classes': [ 'top', 'groupOfNames' ]  # Object classes to be assigned to new groups
            'member_attr':   'member'           # Name of the default member attribute, e.g. uniqueMember
            'name_attr':     'cn'               # Attribute to be used as group name
            'email_attr':    'mail'             # Group email address attribute (e.g. for mailing lists)
            'member_filter': '(objectClass=*)'  # Optional filter to use when querying for group members
            'vlv': False                        # Use VLV controls to list groups
            'class_member_attr':                # Mapping of group object class to member attribute used in these objects
              - 'groupOfNames': 'member'
                'groupOfUniqueNames': 'uniqueMember'

        # This configuration replaces the regular groups listing in the directory tree with
        # a hard-coded list of groups, each listing entries with the configured base DN and filter.
        # If the 'groups' option from above is set, it'll be shown as the first entry with the name 'Groups'
        group_filters:
          - departments:
              - 'name':      'Company Departments'
                'scope':     'list'
                'base_dn':   'ou=Groups,dc=mydomain,dc=com'
                'filter':    '(| (objectclass=groupOfUniqueNames) (objectclass=groupOfURLs) )'
                'name_attr': 'cn'
          - customers:
              - 'name':      'Customers'
                'scope':     'sub'
                'base_dn':   'ou=Customers,dc=mydomain,dc=com'
                'filter':    '(objectClass=inetOrgPerson)'
                'name_attr': 'sn'
    section: 'addressbook'
    state: 'init'

  - name: 'autocomplete_addressbooks'
    comment: |
      An ordered array of the ids of the addressbooks that should be searched
      when populating address autocomplete fields server-side. ex: array('sql','Verisign');
    value: [ 'sql' ]
    section: 'addressbook'
    state: 'init'

  - name: 'autocomplete_min_length'
    comment: |
      The minimum number of characters required to be typed in an autocomplete field
      before address books will be searched. Most useful for LDAP directories that
      may need to do lengthy results building given overly-broad searches
    value: 1
    section: 'addressbook'
    state: 'init'

  - name: 'autocomplete_threads'
    comment: |
      Number of parallel autocomplete requests.
      If there's more than one address book, n parallel (async) requests will be created,
      where each request will search in one address book. By default (0), all address
      books are searched in one request.
    value: 0
    section: 'addressbook'
    state: 'init'

  - name: 'autocomplete_max'
    comment: 'Max. number of entries in autocomplete popup. Default: 15.'
    value: 15
    section: 'addressbook'
    state: 'init'

  - name: 'address_template'
    comment: |
      Show address fields in this order
      Available placeholders: {street}, {locality}, {zipcode}, {country}, {region}
    value: '{street}<br/>{locality} {zipcode}<br/>{country} {region}'
    section: 'addressbook'
    state: 'init'

  - name: 'addressbook_search_mode'
    comment: |
      Matching mode for addressbook search (including autocompletion)
      0 - partial (*abc*), default
      1 - strict (abc)
      2 - prefix (abc*)
      Note: For LDAP sources fuzzy_search must be enabled to use 'partial' or 'prefix' mode
    value: 0
    section: 'addressbook'
    state: 'init'

  - name: 'contactlist_fields'
    comment: |
      List of fields used on contacts list and for autocompletion searches
      Warning: These are field names not LDAP attributes (see 'fieldmap' setting)!
    value: [ 'name', 'firstname', 'surname', 'email' ]
    section: 'addressbook'
    state: 'init'

  - name: 'contact_search_name'
    comment: |
      Template of contact entry on the autocompletion list.
      You can use contact fields as: name, email, organization, department, etc.
      See program/steps/addressbook/func.inc for a list
    value: '{name} <{email}>'
    section: 'addressbook'
    state: 'init'

    # [[[ userprefs
  - name: 'default_charset'
    comment: 'Use this charset as fallback for message decoding'
    value: 'ISO-8859-1'
    section: 'userprefs'
    state: 'init'

  - name: 'skin'
    comment: 'Skin name: folder from skins/'
    value: 'elastic'
    section: 'userprefs'

  - name: 'skins_allowed'
    comment: 'Limit skins available/shown in the settings section'
    value: []
    section: 'userprefs'
    state: 'init'

  - name: 'standard_windows'
    comment: |
      Enables using standard browser windows (that can be handled as tabs)
      instead of popup windows
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'mail_pagesize'
    comment: 'Show up to X items in messages list view'
    value: 50
    section: 'userprefs'
    state: 'init'

  - name: 'addressbook_pagesize'
    comment: 'Show up to X items in contacts list view'
    value: 50
    section: 'userprefs'
    state: 'init'

  - name: 'addressbook_sort_col'
    comment: |
      Sort contacts by this col (preferably either one of name, firstname, surname)
    value: 'surname'
    section: 'userprefs'
    state: 'init'

  - name: 'addressbook_name_listing'
    comment: |
      How contact names are displayed in the list.
      0: prefix firstname middlename surname suffix (only if display name is not set)
      1: firstname middlename surname
      2: surname firstname middlename
      3: surname, firstname middlename
    value: 0
    section: 'userprefs'
    state: 'init'

  - name: 'timezone'
    comment: |
      Use this timezone to display date/time
      Valid timezone identifiers are listed here: php.net/manual/en/timezones.php
      'auto' will use the browser's timezone settings
    value: 'auto'
    section: 'userprefs'
    state: 'init'

  - name: 'prefer_html'
    comment: 'Prefer displaying HTML messages'
    value: True
    section: 'userprefs'
    state: 'init'

  - name: 'show_images'
    comment: |
      Display remote resources (inline images, styles)
      0 - Never, always ask
      1 - Ask if sender is not in address book
      2 - Always allow
    value: 0
    section: 'userprefs'
    state: 'init'

  - name: 'message_extwin'
    comment: 'Open messages in new window'
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'compose_extwin'
    comment: 'Open message compose form in new window'
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'htmleditor'
    comment: |
      Compose html formatted messages by default
       0 - never,
       1 - always,
       2 - on reply to HTML message,
       3 - on forward or reply to HTML message
       4 - always, except when replying to plain text message
    value: 0
    section: 'userprefs'
    state: 'init'

  - name: 'compose_save_localstorage'
    comment: |
      Save copies of compose messages in the browser's local storage
      for recovery in case of browser crashes and session timeout.
    value: True
    section: 'userprefs'
    state: 'init'

  - name: 'prettydate'
    comment: 'Show pretty dates as standard'
    value: True
    section: 'userprefs'
    state: 'init'

  - name: 'draft_autosave'
    comment: 'Save compose message every 300 seconds (5min)'
    value: 300
    section: 'userprefs'
    state: 'init'

  - name: 'layout'
    comment: |
      Interface layout. Default: 'widescreen'.
       'widescreen' - three columns
       'desktop'    - two columns, preview on bottom
       'list'       - two columns, no preview
    value: 'widescreen'
    section: 'userprefs'
    state: 'init'

  - name: 'mail_read_time'
    comment: |
      Mark as read when viewing a message (delay in seconds)
      Set to -1 if messages should not be marked as read
    value: 0
    section: 'userprefs'
    state: 'init'

  - name: 'logout_purge'
    comment: 'Clear Trash on logout'
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'logout_expunge'
    comment: 'Compact INBOX on logout'
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'inline_images'
    comment: 'Display attached images below the message body'
    value: True
    section: 'userprefs'
    state: 'init'

  - name: 'mime_param_folding'
    comment: |
      Encoding of long/non-ascii attachment names:
      0 - Full RFC 2231 compatible
      1 - RFC 2047 for 'name' and RFC 2231 for 'filename' parameter (Thunderbird's default)
      2 - Full 2047 compatible
    value: 1
    section: 'userprefs'
    state: 'init'

  - name: 'skip_deleted'
    comment: |
      Set true if deleted messages should not be displayed
      This will make the application run slower
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'read_when_deleted'
    comment: |
      Set true to mark deleted messages as read as well as deleted
      False means that a message's read status is not affected by marking it as deleted
    value: True
    section: 'userprefs'
    state: 'init'

  - name: 'flag_for_deletion'
    comment: |
      Set to true to never delete messages immediately
      Use 'Purge' to remove messages marked as deleted
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'refresh_interval'
    comment: |
      Default interval for auto-refresh requests (in seconds)
      These are requests for system state updates e.g. checking for new messages, etc.
      Setting it to 0 disables the feature.
    value: 60
    section: 'userprefs'
    state: 'init'

  - name: 'check_all_folders'
    comment: 'If true all folders will be checked for recent messages'
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'display_next'
    comment: |
      If true, after message/contact delete/move, the next message/contact will be displayed
    value: True
    section: 'userprefs'
    state: 'init'

  - name: 'default_list_mode'
    comment: |
      Default messages listing mode. One of 'threads' or 'list'.
    value: 'list'
    section: 'userprefs'
    state: 'init'

  - name: 'autoexpand_threads'
    comment: |
      0 - Do not expand threads
      1 - Expand all threads automatically
      2 - Expand only threads with unread messages
    value: 0
    section: 'userprefs'
    state: 'init'

  - name: 'reply_mode'
    comment: |
      When replying:
      -1 - don't cite the original message
      0  - place cursor below the original message
      1  - place cursor above original message (top posting)
      2  - place cursor above original message (top posting), but do not indent the quote
    value: 0
    section: 'userprefs'
    state: 'init'

  - name: 'strip_existing_sig'
    comment: 'When replying strip original signature from message'
    value: True
    section: 'userprefs'
    state: 'init'

  - name: 'show_sig'
    comment: |
      Show signature:
      0 - Never
      1 - Always
      2 - New messages only
      3 - Forwards and Replies only
    value: 1
    section: 'userprefs'
    state: 'init'

  - name: 'sig_below'
    comment: |
      By default the signature is placed depending on cursor position (reply_mode).
      Sometimes it might be convenient to start the reply on top but keep
      the signature below the quoted text (sig_below = true).
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'sig_separator'
    comment: |
      Enables adding of standard separator to the signature
    value: True
    section: 'userprefs'
    state: 'init'

  - name: 'force_7bit'
    comment: |
      Use MIME encoding (quoted-printable) for 8bit characters in message body
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'search_mods'
    comment: |
      Defaults of the search field configuration.
      The array can contain a per-folder list of header fields which should be considered when searching
      The entry with key '*' stands for all folders which do not have a specific list set.
      Please note that folder names should be in sync with $config['*_mbox'] options
      Example: array('*' => array('subject'=>1, 'from'=>1), 'Sent' => array('subject'=>1, 'to'=>1));
    value: null
    section: 'userprefs'
    state: 'init'

  - name: 'addressbook_search_mods'
    comment: |
      Defaults of the addressbook search field configuration.
      Example: array('name'=>1, 'firstname'=>1, 'surname'=>1, 'email'=>1, '*'=>1);
    value: null
    section: 'userprefs'
    state: 'init'

  - name: 'delete_junk'
    comment: 'Directly delete messages in Junk instead of moving to Trash'
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'mdn_requests'
    comment: |
      Behavior if a received message requests a message delivery notification (read receipt)
      0 = ask the user, 1 = send automatically, 2 = ignore (never send or ask)
      3 = send automatically if sender is in addressbook, otherwise ask the user
      4 = send automatically if sender is in addressbook, otherwise ignore
    value: 0
    section: 'userprefs'
    state: 'init'

  - name: 'mdn_default'
    comment: 'Return receipt checkbox default state'
    value: 0
    section: 'userprefs'
    state: 'init'

  - name: 'dsn_default'
    comment: |
      Delivery Status Notification checkbox default state
      Note: This can be used only if smtp_server is non-empty
    value: 0
    section: 'userprefs'
    state: 'init'

  - name: 'reply_same_folder'
    comment: |
      Place replies in the folder of the message being replied to
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'forward_attachment'
    comment: |
      Sets default mode of Forward feature to "forward as attachment"
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'default_addressbook'
    comment: |
      Defines address book (internal index) to which new contacts will be added
      By default it is the first writeable addressbook.
      Note: Use '0' for built-in address book.
    value: null
    section: 'userprefs'
    state: 'init'

  - name: 'spellcheck_before_send'
    comment: 'Enables spell checking before sending a message.'
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'autocomplete_single'
    comment: |
      Skip alternative email addresses in autocompletion (show one address per contact)
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'default_font'
    comment: |
      Default font for composed HTML message.
      Supported values: Andale Mono, Arial, Arial Black, Book Antiqua, Courier New,
      Georgia, Helvetica, Impact, Tahoma, Terminal, Times New Roman, Trebuchet MS, Verdana
    value: 'Verdana'
    section: 'userprefs'
    state: 'init'

  - name: 'default_font_size'
    comment: |
      Default font size for composed HTML message.
      Supported sizes: 8pt, 10pt, 12pt, 14pt, 18pt, 24pt, 36pt
    value: '10pt'
    section: 'userprefs'
    state: 'init'

  - name: 'message_show_email'
    comment: |
      Enables display of email address with name instead of a name (and address in title)
    value: False
    section: 'userprefs'
    state: 'init'

  - name: 'reply_all_mode'
    comment: |
      Default behavior of Reply-All button:
      0 - Reply-All always
      1 - Reply-List if mailing list is detected
    value: 0
    section: 'userprefs'
    state: 'init'
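
The 'ldap_public' example above documents the %fu, %u, %d and %dc placeholders that are substituted into base_dn/bind_dn when 'user_specific' is enabled. The following Python sketch is an added illustration, not code from Roundcube or DebOps: it expands those placeholders for a login name and shows how RFC 4514 escaping keeps a login that contains DN metacharacters inside a single RDN. The function names, the escaping step and the sample logins are assumptions made for this example.

```python
import re

# Placeholders documented for base_dn/bind_dn. Longer names come first so that
# "%dc" and "%dn" are not read as "%d" followed by a literal character.
_PLACEHOLDER = re.compile(r"%(fu|dc|dn|u|d)")


def escape_dn_value(value):
    """Escape a string for use as an attribute value in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def expand_dn_template(template, login, username_domain="", escape=True):
    """Expand %fu, %u, %d and %dc in a base_dn/bind_dn template.

    %dn is left untouched: it is only known after a directory search.
    The substitution is a single pass, so a '%u' typed into the login
    itself is never expanded a second time.
    """
    user, at, domain = login.partition("@")
    if not at:
        # Not an e-mail address: fall back to the configured username_domain.
        domain = username_domain
    full = user + "@" + domain if domain else user
    esc = escape_dn_value if escape else (lambda v: v)
    values = {
        "fu": esc(full),
        "u": esc(user),
        "d": esc(domain),
        "dc": ",".join("dc=" + esc(part) for part in domain.split(".") if part),
    }
    return _PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def split_rdns(dn):
    """Split a DN on unescaped commas (a backslash protects the next character)."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


if __name__ == "__main__":
    template = "uid=%fu,ou=people,o=root"  # base_dn from the comment above
    # Constructed sample logins; the last one contains a comma.
    for login in ("alice@example.com", "bob", "doe,john@example.com"):
        dn = expand_dn_template(template, login, username_domain="example.org")
        print(login, "->", dn, "(%d RDNs)" % len(split_rdns(dn)))
```
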
roundcube__default_configuration

This list defines Roundcube configuration options which are defined by the role and override the original configuration options.

roundcube__default_configuration:

  - name: 'db_dsnw'
    value: '{{ "sqlite:///" + roundcube__git_dest + "/"
                            + roundcube__database_map[roundcube__database].dbname|d()
                            + "?mode=640" }}'
    state: '{{ "present"
               if (roundcube__database_map[roundcube__database].dbtype == "sqlite")
               else "ignore" }}'

  - name: 'db_dsnw'
    value: '{{ "mysql://" + roundcube__database_map[roundcube__database].dbuser|d() + ":"
                          + roundcube__database_map[roundcube__database].dbpass|d() + "@"
                          + roundcube__database_map[roundcube__database].dbhost|d() + "/"
                          + roundcube__database_map[roundcube__database].dbname|d() }}'
    state: '{{ "present"
               if (roundcube__database_map[roundcube__database].dbtype == "mysql")
               else "ignore" }}'

  - name: 'db_dsnw'
    value: '{{ "pgsql://" + roundcube__database_map[roundcube__database].dbuser|d() + ":"
                          + roundcube__database_map[roundcube__database].dbpass|d() + "@"
                          + roundcube__database_map[roundcube__database].dbhost|d() + "/"
                          + roundcube__database_map[roundcube__database].dbname|d() }}'
    state: '{{ "present"
               if (roundcube__database_map[roundcube__database].dbtype == "postgresql")
               else "ignore" }}'

  - name: 'log_driver'
    comment: |
      Log driver: "syslog", "stdout" or "file"
    value: '{{ roundcube__log_driver }}'

  - name: 'default_host'
    value: '{{ roundcube__imap_server }}'

  - name: 'default_port'
    comment: 'TCP port used for IMAP connections'
    value: '{{ roundcube__imap_port }}'
    value_cast: 'int'

    # Enable use of memcached to cache IMAP indexes, if local memcached
    # instance is detected
  - name: 'imap_cache'
    value: 'memcached'
    state: '{{ "present" if roundcube__memcached_enabled|bool else "ignore" }}'

    # Enable message caching in the database if the IMAP server is remote
  - name: 'messages_cache'
    value: True
    state: '{{ "ignore"
               if (ansible_local|d() and ansible_local.dovecot|d() and
                   (ansible_local.dovecot.installed|d())|bool)
               else "present" }}'

  - name: 'smtp_server'
    value: '{{ roundcube__smtp_server }}'

  - name: 'smtp_port'
    value: '{{ roundcube__smtp_port }}'
    value_cast: 'int'

  - name: 'smtp_user'
    value: '{{ roundcube__smtp_user }}'

  - name: 'smtp_pass'
    value: '{{ roundcube__smtp_pass }}'

    # Enable use of memcached to cache LDAP data, if local memcached instance
    # is detected
  - name: 'ldap_cache'
    value: 'memcached'
    state: '{{ "present" if roundcube__memcached_enabled|bool else "ignore" }}'

    # Enable support for memcached on localhost if it's detected
  - name: 'memcache_hosts'
    value: '{{ roundcube__memcached_hosts }}'
    state: '{{ "present" if roundcube__memcached_enabled|bool else "ignore" }}'

    # Enable support for Redis on localhost if it's detected
  - name: 'redis_hosts'
    value: '{{ roundcube__redis_hosts }}'
    state: '{{ "present" if roundcube__redis_enabled|bool else "ignore" }}'

  - name: 'skin_logo'
    value: '{{ roundcube__skin_logo }}'

    # Ensure that all communication to the client is encrypted
  - name: 'force_https'
    value: True

    # Configure preferred session storage backend
  - name: 'session_storage'
    value: '{{ roundcube__session_storage }}'
    state: '{{ "present" if roundcube__session_storage|d() else "ignore" }}'

  - name: 'des_key'
    value: '{{ roundcube__des_key }}'

    # Roundcube developers consider this a better choice
  - name: 'cipher_method'
    value: 'AES-256-CBC'

  - name: 'username_domain'
    value: '{{ roundcube__username_domain }}'

    # Slow down potential bots
  - name: 'sendmail_delay'
    value: 5

  - name: 'product_name'
    value: '{{ roundcube__product_name }}'

    # Use the system-wide MIME database from the 'mime-support' APT package
  - name: 'mime_types'
    value: '/etc/mime.types'

    # Help mitigate mails to non-existent DNS domains
  - name: 'email_dns_check'
    value: True

  - name: 'plugins'
    value: '{{ roundcube__combined_plugins | parse_kv_items
               | selectattr("state", "equalto", "enabled")
               | map(attribute="name") | list | unique }}'

    # Create Special Folders automatically. This will ensure that the Junk
    # folder is present and selected in the preferences.
  - name: 'create_default_folders'
    value: True

    # Set minimum refresh interval available to users to 5 minutes, to lower
    # the IMAP server load.
  - name: 'min_refresh_interval'
    value: 300

    # Enable autocompletion for the LDAP address book.
  - name: 'autocomplete_addressbooks'
    value: '{{ ([ "sql" ] + ([ "People" ] if roundcube__ldap_enabled|bool else []))
               | flatten }}'
    state: '{{ "present" if roundcube__ldap_enabled|bool else "ignore" }}'

    # Set the default number of autocompletion characters for lower server load.
  - name: 'autocomplete_min_length'
    value: 3

    # Configure the access to the default LDAP address book managed by DebOps.
    # Roundcube will use user credentials to login to the LDAP directory.
  - name: 'ldap_public_people'
    option: [ 'ldap_public', 'People' ]
    section: 'addressbook'
    state: '{{ "present" if roundcube__ldap_enabled|bool else "ignore" }}'
    array:
      - name: '{{ roundcube__ldap_addressbook_name }}'
        hosts: '{{ roundcube__ldap_hosts }}'
        port: '{{ roundcube__ldap_port }}'
        use_tls: '{{ roundcube__ldap_use_tls }}'
        ldap_version: 3
        user_specific: True
        base_dn: '{{ roundcube__ldap_people_dn | join(",") }}'
        bind_dn: '{{ "uid=%u," + roundcube__ldap_people_dn | join(",") }}'
        bind_pass: ''
        filter: '(objectClass=inetOrgPerson)'
        scope: 'sub'
        searchonly: True
        vlv: False
        sort: 'sn'
        search_fields: [ 'sn', 'cn', 'mail', 'telephoneNumber' ]
        hidden: '{{ roundcube__ldap_hidden }}'
        writable: False
        groups:
          - base_dn: '{{ roundcube__ldap_groups_dn | join(",") }}'
            filter: '(objectClass=groupOfNames)'
            object_classes: [ 'groupOfNames' ]
        fieldmap: [ '{{ roundcube__ldap_field_map }}' ]

    # Set the default mail charset to Unicode
  - name: 'default_charset'
    value: 'UTF-8'

  - name: 'skin'
    value: '{{ roundcube__skin_folder }}'

    # Don't prefer HTML message view by default
  - name: 'prefer_html'
    value: False

    # Refresh the mail status in longer intervals (15 minutes) by default, to
    # make the IMAP server load lower.
  - name: 'refresh_interval'
    value: 900

    # Delete spam messages without moving them to Trash first
  - name: 'delete_junk'
    value: True

    # Forward e-mails as attachments by default
  - name: 'forward_attachment'
    value: True

    # Display the sender e-mail address by default to help users detect forged
    # senders
  - name: 'message_show_email'
    value: True

    # Better support for mailing lists
  - name: 'reply_all_mode'
    value: 1

  - name: 'swipe_actions'
    comment: |
      Configuration for the 'swipe' Roundcube plugin
    array:
      - messagelist:
          - left:  'swipe-read'
            right: 'move'
            down:  'checkmail'
      - contactlist:
          - left:  'none'
            right: 'compose'
            down:  'none'

  - name: 'enable_spellcheck'
    value: True
    state: 'present'

  - name: 'spellcheck_engine'
    value: 'enchant'
    state: 'present'

  - name: 'spellcheck_ignore_caps'
    value: True
    state: 'present'

  - name: 'spellcheck_ignore_nums'
    value: True
    state: 'present'

  - name: 'spellcheck_ignore_syms'
    value: True
    state: 'present'
roundcube__configuration

This list defines Roundcube configuration options which should be present on all hosts in the Ansible inventory.

roundcube__configuration: []
roundcube__group_configuration

This list defines Roundcube configuration options which should be present on hosts in a specific Ansible inventory group.

roundcube__group_configuration: []
roundcube__host_configuration

This list defines Roundcube configuration options which should be present on specific hosts in the Ansible inventory.

roundcube__host_configuration: []
roundcube__combined_configuration

This variable combines all Roundcube configuration lists and is used in role tasks and templates.

roundcube__combined_configuration: '{{ roundcube__original_configuration
                                       + roundcube__default_configuration
                                       + roundcube__configuration
                                       + roundcube__group_configuration
                                       + roundcube__host_configuration }}'
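
The precedence that follows from this concatenation order, as an added Python example (not code from the role or from DebOps): it resolves the five lists by option name and reports where a later list changes a value the role sets by default. The merge rules (a later list wins, a missing 'state' counts as 'present', 'ignore' entries are skipped) are a simplified assumption, and the group and host overrides are constructed sample data.

```python
"""Model of the layering set up by roundcube__combined_configuration.

Assumptions (a simplification, not the role's own merge filter): entries are
matched by 'name', a later list overrides an earlier one, an entry without
'state' counts as 'present', and entries with state 'ignore' are skipped.
"""

# Concatenation order from the roundcube__combined_configuration expression.
LAYER_ORDER = ["original", "default", "configuration", "group", "host"]

# Values this page shows in roundcube__default_configuration.
ROLE_BASELINE = {
    "force_https": True,
    "cipher_method": "AES-256-CBC",
    "message_show_email": True,
    "prefer_html": False,
    "email_dns_check": True,
}

# Constructed sample data: the first two layers copy a few entries from this
# page, the group and host layers are invented inventory overrides.
SAMPLE_LAYERS = {
    "original": [
        {"name": "message_show_email", "value": False, "state": "init"},
        {"name": "reply_all_mode", "value": 0, "state": "init"},
    ],
    "default": [
        {"name": "force_https", "value": True},
        {"name": "cipher_method", "value": "AES-256-CBC"},
        {"name": "message_show_email", "value": True},
        {"name": "prefer_html", "value": False},
        {"name": "email_dns_check", "value": True},
        # memcached not detected on this host, so the entry is ignored
        {"name": "imap_cache", "value": "memcached", "state": "ignore"},
    ],
    "configuration": [],
    "group": [{"name": "prefer_html", "value": True}],
    "host": [
        {"name": "force_https", "value": False},
        {"name": "cipher_method", "value": "DES-EDE3-CBC", "state": "ignore"},
    ],
}


def resolve(layers):
    """Return {name: {"value", "state", "layer"}} after applying all layers."""
    effective = {}
    for layer in LAYER_ORDER:
        for entry in layers.get(layer, []):
            state = entry.get("state", "present")
            if state == "ignore":
                continue  # an ignored entry must not change the result
            merged = dict(effective.get(entry["name"], {}))
            if "value" in entry:
                merged["value"] = entry["value"]
                merged["layer"] = layer  # remember which list set the value
            merged["state"] = state
            effective[entry["name"]] = merged
    return effective


def audit(layers):
    """List baseline options that are inactive or differ from the role default.

    Each finding is a tuple (option name, effective value, layer that set it).
    """
    effective = resolve(layers)
    findings = []
    for name, expected in ROLE_BASELINE.items():
        item = effective.get(name)
        if item is None or item["state"] != "present":
            findings.append((name, None, None))
        elif item.get("value") != expected:
            findings.append((name, item["value"], item["layer"]))
    return findings


if __name__ == "__main__":
    for name, value, layer in audit(SAMPLE_LAYERS):
        print(f"{name}: effective value {value!r} set by the '{layer}' list")
```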

Configuration file sections

These variables define the sections in the Roundcube config/config.inc.php configuration file. See roundcube__configuration_sections for more details.

roundcube__default_configuration_sections

The list of the default configuration sections defined by the role.

roundcube__default_configuration_sections:

  - name: 'init'
    state: 'hidden'

  - name: 'sql'
    title: 'SQL DATABASE'

  - name: 'logging'
    title: 'LOGGING/DEBUGGING'

  - name: 'imap'

  - name: 'smtp'

  - name: 'ldap'

  - name: 'cache'
    title: 'CACHE(S)'

  - name: 'system'

  - name: 'plugins'

  - name: 'ui'
    title: 'USER INTERFACE'

  - name: 'addressbook'
    title: 'ADDRESSBOOK SETTINGS'

  - name: 'userprefs'
    title: 'USER PREFERENCES'

  - name: 'unknown'
    title: 'OTHER OPTIONS'
roundcube__configuration_sections

List of configuration sections defined by the user.

roundcube__configuration_sections: []
roundcube__combined_configuration_sections

Variable which combines all of the configuration section lists and is used in role tasks and templates.

roundcube__combined_configuration_sections: '{{ roundcube__default_configuration_sections
                                                + roundcube__configuration_sections }}'

Roundcube plugins

The variables below contain configuration of Roundcube plugins installed using PHP Composer. See roundcube__plugins for more details.

roundcube__default_plugins

List of Roundcube plugins configured by the role.

roundcube__default_plugins:

    # Plugin that adds a new button to the toolbar to move messages to a (user
    # selectable) archive folder.
  - name: 'archive'
    state: 'enabled'

    # This is a core plugin which provides support for handling attachments
    # through the filesystem. It might be required by other plugins.
  - name: 'filesystem_attachments'
    state: 'enabled'

    # This plugin provides jQuery library and features for other plugins.
  - name: 'jqueryui'
    state: 'enabled'

    # This plugin adds an option to download all attachments to a message in
    # one zip file, when a message has multiple attachments. The plugin also
    # allows the download of a selection of messages in 1 zip file.
  - name: 'zipdownload'
    state: 'enabled'
    options:

      - name: 'zipdownload_attachments'
        comment: |
          Zip attachments
          Only show the link when there are more than this many attachments
          -1 to prevent downloading of attachments as zip
        value: 1

      - name: 'zipdownload_selection'
        comment: |
          Zip selection of mail messages
          This option enables downloading of multiple messages as one zip archive.
          The number or string value specifies maximum total size of all messages
          in the archive (not the size of the archive itself).
        value: '50MB'

      - name: 'zipdownload_charset'
        comment: |
          Charset to use for filenames inside the zip
        value: 'UTF-8'

    # This entry installs the libraries required for LDAP support in Roundcube.
    # It's not a real plugin.
  - name: 'ldap_support'
    package: 'kolab/net_ldap3'
    state: '{{ "present" if roundcube__ldap_enabled|bool else "ignore" }}'

    # This plugin adds right-click context menus to various parts of the
    # Roundcube interface.
  - name: 'contextmenu'
    package: 'johndoh/contextmenu'
    state: 'enabled'

    # This plugin provides a toolbar button and folder menu option which
    # calculates and displays the sizes of the message folders.
  - name: 'show_folder_size'
    package: 'jfcherng/show-folder-size'
    state: 'enabled'
    options:

      - name: 'auto_show_folder_size'
        comment: |
          Automatically show the folder size without clicking on the toolbar button.
          This could be a serious performance penalty if there are many users
        value: False

      - name: 'show_mailboxoptions_button'
        comment: 'Show mailbox options button'
        value: True

      - name: 'show_toolbar_button'
        comment: 'Show the toolbar button'
        value: False

    # This plugin adds a button on the main toolbar which opens the
    # Nextcloud/ownCloud instance at specified URL.
  - name: 'cloud_button'
    package: 'san4op/cloud_button'
    state: 'enabled'
    options:

      - name: 'cloud_button_url'
        comment: 'URL to cloud storage'
        value: '{{ "https://cloud." + ansible_domain + "/" }}'

    # This plugin uses the LDAP directory to create the user identity at login.
    # Currently it's disabled by default due to not working correctly during development.
  - name: 'new_user_identity'
    state: '{{ "ignore" if roundcube__ldap_enabled|bool else "ignore" }}'
    options:

      - name: 'new_user_identity_addressbook'
        comment: |
          The id of the address book to use to automatically set a
          user's full name in their new identity. (This should be a
          string, which refers to the $config['ldap_public'] array.)
        value: 'People'

      - name: 'new_user_identity_match'
        comment: |
          When automatically setting a user's full name in their
          new identity, match the user's login name against this field.
        value: 'cn'

      - name: 'new_user_identity_onlogin'
        comment: |
          Determine whether to import user's identities on each login.
          New user identity will be created for each e-mail address
          present in address book, but not assigned to any identity.
        value: True

  - name: 'password'
    state: '{{ "enabled" if roundcube__ldap_password_enabled|bool else "absent" }}'
    options:

      - name: 'password_driver'
        comment: |
          Password Plugin options
          -----------------------
          A driver to use for password change. Default: "sql".
          See README file for list of supported driver names.
        value: '{{ "ldap_exop" if roundcube__ldap_password_enabled|bool else "sql" }}'

      - name: 'password_strength_driver'
        comment: |
          A driver to use for checking password strength. Default: null (disabled).
          See README file for list of supported driver names.
        value: null

      - name: 'password_confirm_current'
        comment: |
          Determine whether current password is required to change password.
          Default: false.
        value: True

      - name: 'password_minimum_length'
        comment: |
          Require the new password to be a certain length.
          set to blank to allow passwords of any length
        value: 0

      - name: 'password_minimum_score'
        comment: |
          Require the new password to have at least the specified strength score.
          Note: Password strength is scored from 1 (weak) to 5 (strong).
        value: 0

      - name: 'password_log'
        comment: |
          Enables logging of password changes into logs/password
        value: False

      - name: 'password_login_exceptions'
        comment: |
          Comma-separated list of login exceptions for which password change
          will not be available (no Password tab in Settings)
        value: null

      - name: 'password_hosts'
        comment: |
          Array of hosts that support password changing.
          Listed hosts will feature a Password option in Settings; others will not.
          Example: array('mail.example.com', 'mail2.example.org');
          Default is NULL (all hosts supported).
        value: null

      - name: 'password_force_save'
        comment: |
          Enables saving the new password even if it matches the old password. Useful
          for upgrading the stored passwords after the encryption scheme has changed.
        value: False

      - name: 'password_force_new_user'
        comment: |
          Enables forcing new users to change their password at their first login.
        value: False

      - name: 'password_algorithm'
        comment: |
          Default password hashing/crypting algorithm.
          Possible options: des-crypt, ext-des-crypt, md5-crypt, blowfish-crypt,
          sha256-crypt, sha512-crypt, md5, sha, smd5, ssha, ssha512, samba, ad, dovecot, clear.
          For details see password::hash_password() method.
        value: 'clear'

      - name: 'password_algorithm_prefix'
        comment: |
          Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated
          using password_algorithm above. Default: empty.
        value: ''

      - name: 'password_dovecotpw'
        comment: |
          Path for dovecotpw/doveadm-pw (if not in the $PATH).
          Used for password_algorithm = 'dovecot'.
          $config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; // for dovecot-1.x
        value: '/usr/bin/doveadm pw'  # for dovecot-2.x

      - name: 'password_dovecotpw_method'
        comment: |
          Dovecot password scheme.
          Used for password_algorithm = 'dovecot'.
        value: 'CRAM-MD5'

      - name: 'password_dovecotpw_with_method'
        comment: |
          Enables use of password with method prefix, e.g. {MD5}$1$LUiMYWqx$fEkg/ggr/L6Mb2X7be4i1/
          when using password_algorithm=dovecot
        value: False

      - name: 'password_blowfish_cost'
        comment: |
          Iteration count parameter for Blowfish-based hashing algo.
          It must be between 4 and 31. Default: 12.
          Be aware, the higher the value, the longer it takes to generate the password hashes.
        value: 12

      - name: 'password_crypt_rounds'
        comment: |
          Number of rounds for the sha256 and sha512 crypt hashing algorithms.
          Must be at least 1000. If not set, then the number of rounds is left up
          to the crypt() implementation. On glibc this defaults to 5000.
          Be aware, the higher the value, the longer it takes to generate the password hashes.
        value: 50000

      - name: 'password_disabled'
        comment: |
          This option temporarily disables the password change functionality.
          Use it when the users database server is in maintenance mode or something like that.
          You can set it to TRUE/FALSE or a text describing the reason
          which will replace the default.
        value: False

      - name: 'password_username_format'
        comment: |
          Various drivers/setups use different format of the username.
          This option allows you to force specified format use. Default: '%u'.
          Supported variables:
              %u - full username,
              %l - the local part of the username (in case the username is an email address)
              %d - the domain part of the username (in case the username is an email address)
          Note: This may not apply to some drivers implementing their own rules, e.g. sql.
        value: '%u'

      - name: 'password_db_dsn'
        comment: |
          SQL Driver options
          ------------------
          PEAR database DSN for performing the query. By default
          Roundcube DB settings are used.
          Supported replacement variables:
          %h - user's IMAP hostname
          %n - hostname ($_SERVER['SERVER_NAME'])
          %t - hostname without the first part
          %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
          %z - IMAP domain (IMAP hostname without the first part)
        value: ''

      - name: 'password_query'
        comment: |
          The SQL query used to change the password.
          The query can contain the following macros that will be expanded as follows:
               %p is replaced with the plaintext new password
               %P is replaced with the crypted/hashed new password
                  according to configured password_method
               %o is replaced with the old (current) password
               %O is replaced with the crypted/hashed old (current) password
                  according to configured password_method
               %h is replaced with the imap host (from the session info)
               %u is replaced with the username (from the session info)
               %l is replaced with the local part of the username
                  (in case the username is an email address)
               %d is replaced with the domain part of the username
                  (in case the username is an email address)
          Deprecated macros:
               %c is replaced with the crypt version of the new password, MD5 if available
                  otherwise DES. More hash functions can be enabled using the password_crypt_hash
                  configuration parameter.
               %D is replaced with the dovecotpw-crypted version of the new password
               %n is replaced with the hashed version of the new password
               %q is replaced with the hashed password before the change
          Escaping of macros is handled by this module.
          Default: "SELECT update_passwd(%c, %u)"
        value: 'SELECT update_passwd(%c, %u)'

      - name: 'password_crypt_hash'
        comment: |
          By default the crypt() function which is used to create the %c
          parameter uses the md5 algorithm (deprecated, use %P).
          You can choose between: des, md5, blowfish, sha256, sha512.
        value: 'md5'

      - name: 'password_idn_ascii'
        comment: |
          By default domains in variables are using unicode.
          Enable this option to use punycoded names
        value: False

      - name: 'password_hash_algorithm'
        comment: |
          Using a password hash for %n and %q variables (deprecated, use %P).
          Determine which hashing algorithm should be used to generate
          the hashed new and current password for using them within the
          SQL query. Requires PHP's 'hash' extension.
        value: 'sha1'

      - name: 'password_hash_base64'
        comment: |
          You can also decide whether the hash should be provided
          as hex string or in base64 encoded format.
        value: False

      - name: 'password_pop_host'
        comment: |
          Poppassd Driver options
          -----------------------
          The host which changes the password (default: localhost)
          Supported replacement variables:
            %n - hostname ($_SERVER['SERVER_NAME'])
            %t - hostname without the first part
            %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
            %h - IMAP host
            %z - IMAP domain without first part
            %s - domain name after the '@' from e-mail address provided at login screen
        value: 'localhost'

      - name: 'password_pop_port'
        comment: |
          TCP port used for poppassd connections (default: 106)
        value: 106

      - name: 'password_saslpasswd_args'
        comment: |
          SASL Driver options
          -------------------
          Additional arguments for the saslpasswd2 call
        value: ''

      - name: 'password_ldap_host'
        comment: |
          LDAP, LDAP_SIMPLE and LDAP_EXOP Driver options
          -----------------------------------
          LDAP server name to connect to.
          You can provide one or several hosts in an array in which case the hosts are tried from left to right.
          Example: array('ldap1.exemple.com', 'ldap2.exemple.com');
          Default: 'localhost'
        value: '{{ (roundcube__ldap_hosts | first)
                   if roundcube__ldap_hosts|d()
                   else "" }}'

      - name: 'password_ldap_port'
        comment: |
          LDAP server port to connect to
          Default: '389'
        value: '{{ roundcube__ldap_port }}'

      - name: 'password_ldap_starttls'
        comment: |
          TLS is started after connecting
          Using TLS for password modification is recommended.
          Default: false
        value: '{{ roundcube__ldap_use_tls | bool }}'

      - name: 'password_ldap_version'
        comment: |
          LDAP version
          Default: '3'
        value: '3'

      - name: 'password_ldap_basedn'
        comment: |
          LDAP base name (root directory)
          Example: 'dc=exemple,dc=com'
        value: '{{ roundcube__ldap_base_dn | join(",") }}'

      - name: 'password_ldap_method'
        comment: |
          LDAP connection method
          There are two connection methods for changing a user's LDAP password.
          'user': use user credential (recommended, requires password_confirm_current=true)
          'admin': use admin credential (this mode requires password_ldap_adminDN and password_ldap_adminPW)
          Default: 'user'
        value: 'user'

      - name: 'password_ldap_adminDN'
        comment: |
          LDAP Admin DN
          Used only in admin connection mode
          Default: null
        value: null

      - name: 'password_ldap_adminPW'
        comment: |
          LDAP Admin Password
          Used only in admin connection mode
          Default: null
        value: null

      - name: 'password_ldap_userDN_mask'
        comment: |
          LDAP user DN mask
          The user's DN is mandatory and as we only have his login,
          we need to re-create his DN using a mask
          '%login' will be replaced by the current roundcube user's login
          '%name' will be replaced by the current roundcube user's name part
          '%domain' will be replaced by the current roundcube user's domain part
          '%dc' will be replaced by domain name hierarchical string e.g. "dc=test,dc=domain,dc=com"
          Example: 'uid=%login,ou=people,dc=exemple,dc=com'
        value: 'uid=%login,ou=people,dc=exemple,dc=com'
        state: 'comment'  # use searches instead

      - name: 'password_ldap_searchDN'
        comment: |
          LDAP search DN
          The DN roundcube should bind with to find out user's DN
          based on his login. Note that you should comment out the default
          password_ldap_userDN_mask setting for this to take effect.
          Use this if you cannot specify a general template for user DN with
          password_ldap_userDN_mask. You need to perform a search based on
          users login to find his DN instead. A common reason might be that
          your users are placed under different ou's like engineering or
          sales which cannot be derived from their login only.
        value: '{{ roundcube__ldap_binddn }}'

      - name: 'password_ldap_searchPW'
        comment: |
          LDAP search password
          If password_ldap_searchDN is set, the password to use for
          binding to search for user's DN. Note that you should comment out the default
          password_ldap_userDN_mask setting for this to take effect.
          Warning: Be sure to set appropriate permissions on this file so this password
          is only accessible to roundcube and don't forget to restrict roundcube's access to
          your directory as much as possible using ACLs. Should this password be compromised
          you want to minimize the damage.
        value: '{{ roundcube__ldap_bindpw }}'

      - name: 'password_ldap_search_base'
        comment: |
          LDAP search base
          If password_ldap_searchDN is set, the base to search in using the filter below.
          Note that you should comment out the default password_ldap_userDN_mask setting
          for this to take effect.
        value: '{{ roundcube__ldap_base_dn | join(",") }}'

      - name: 'password_ldap_search_filter'
        comment: |
          LDAP search filter
          If password_ldap_searchDN is set, the filter to use when
          searching for user's DN. Note that you should comment out the default
          password_ldap_userDN_mask setting for this to take effect.
          '%login' will be replaced by the current roundcube user's login
          '%name' will be replaced by the current roundcube user's name part
          '%domain' will be replaced by the current roundcube user's domain part
          '%dc' will be replaced by domain name hierarchical string e.g. "dc=test,dc=domain,dc=com"
          Example: '(uid=%login)'
          Example: '(&(objectClass=posixAccount)(uid=%login))'
        value: '(&
                  (objectClass=mailRecipient)
                  (|
                    (uid=%name)
                    (mail=%login)
                  )
                )'

      - name: 'password_ldap_encodage'
        comment: |
          LDAP password hash type
          Standard LDAP encryption type which must be one of: crypt,
          ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, ad, cram-md5 (dovecot style) or clear.
          Set to 'default' if you want to use method specified in password_algorithm option above.
          Multiple password Values can be generated by concatenating encodings with a +. E.g. 'cram-md5+crypt'
          Default: 'crypt'.
        value: 'clear'  # default: crypt

      - name: 'password_ldap_pwattr'
        comment: |
          LDAP password attribute
          Name of the ldap's attribute used for storing user password
          Default: 'userPassword'
        value: 'userPassword'

      - name: 'password_ldap_force_replace'
        comment: |
          LDAP password force replace
          Force LDAP replace in cases where ACL allows only replace not read
          See http://pear.php.net/package/Net_LDAP2/docs/latest/Net_LDAP2/Net_LDAP2_Entry.html#methodreplace
          Default: true
        value: True

      - name: 'password_ldap_lchattr'
        comment: |
          LDAP Password Last Change Date
          Some places use an attribute to store the date of the last password change
          The date is measured in "days since epoch" (an integer value)
          Whenever the password is changed, the attribute will be updated if set (e.g. shadowLastChange)
        value: ''

      - name: 'password_ldap_samba_pwattr'
        comment: |
          LDAP Samba password attribute, e.g. sambaNTPassword
          Name of the LDAP's Samba attribute used for storing user password
        value: ''

      - name: 'password_ldap_samba_lchattr'
        comment: |
          LDAP Samba Password Last Change Date attribute, e.g. sambaPwdLastSet
          Some places use an attribute to store the date of the last password change
          The date is measured in "seconds since epoch" (an integer value)
          Whenever the password is changed, the attribute will be updated if set
        value: ''

      - name: 'password_ldap_ppolicy_cmd'
        comment: |
          LDAP PPolicy Driver options
          -----------------------------------
          LDAP Change password command - filename of the perl script
          Example: 'change_ldap_pass.pl'
        value: 'change_ldap_pass.pl'

      - name: 'password_ldap_ppolicy_uri'
        comment: |
          LDAP URI
          Example: 'ldap://ldap.example.com/ ldaps://ldap2.example.com:636/'
        value: 'ldap://localhost/'

      - name: 'password_ldap_ppolicy_basedn'
        comment: |
          LDAP base name (root directory)
          Example: 'dc=exemple,dc=com'
        value: 'dc=example,dc=com'

      - name: 'password_ldap_ppolicy_searchDN'
        value: 'cn=someuser,dc=example,dc=com'

      - name: 'password_ldap_ppolicy_searchPW'
        value: 'secret'

      - name: 'password_ldap_policy_search_filter'
        comment: |
          LDAP search filter
          Example: '(uid=%login)'
          Example: '(&(objectClass=posixAccount)(uid=%login))'
        value: '(uid=%login)'

      - name: 'password_ldap_ppolicy_cafile'
        comment: |
          CA certificate file, used when the URI is an LDAPS connection
        value: '/etc/ssl/certs/ca-certificates.crt'

      - name: 'password_directadmin_host'
        comment: |
          DirectAdmin Driver options
          --------------------------
          The host which changes the password
          Use 'ssl://host' instead of 'tcp://host' when running DirectAdmin over SSL.
          The host can contain the following macros that will be expanded as follows:
              %h is replaced with the imap host (from the session info)
              %d is replaced with the domain part of the username (if the username is an email)
        value: 'tcp://localhost'

      - name: 'password_directadmin_port'
        comment: |
          TCP port used for DirectAdmin connections
        value: 2222

      - name: 'password_vpopmaild_host'
        comment: |
          vpopmaild Driver options
          -----------------------
          The host which changes the password
        value: 'localhost'

      - name: 'password_vpopmaild_port'
        comment: |
          TCP port used for vpopmaild connections
        value: 89

      - name: 'password_vpopmaild_timeout'
        comment: |
          Timeout used for the connection to vpopmaild (in seconds)
        value: 10

      - name: 'password_cpanel_host'
        comment: |
          cPanel Driver options
          --------------------------
          The cPanel Host name
        value: 'host.domain.com'

      - name: 'password_cpanel_username'
        comment: |
          The cPanel admin username
        value: 'username'

      - name: 'password_cpanel_password'
        comment: |
          The cPanel admin password
        value: 'password'

      - name: 'password_cpanel_hash'
        comment: |
          The cPanel admin hash
          If you prefer to use a hash (Remote Access Key) instead of plain password, enter it below.
          Hash takes precedence over password auth.
          You can generate a Remote Access Key in WHM -> Clusters -> Remote Access Key
        value: ''

      - name: 'password_cpanel_port'
        comment: |
          The cPanel port to use
        value: 2087

      - name: 'password_cpanel_webmail_host'
        comment: |
          cPanel Webmail Driver options
          -----------------------------
          The cPanel Host name
        value: 'host.domain.com'

      - name: 'password_cpanel_webmail_port'
        comment: |
          The cPanel port to use
        value: 2096

      - name: 'password_ximss_host'
        comment: |
          XIMSS (Communigate server) Driver options
          -----------------------------------------
          Host name of the Communigate server
        value: 'mail.example.com'

      - name: 'password_ximss_port'
        comment: |
          XIMSS port on Communigate server
        value: 11024

      - name: 'password_chpasswd_cmd'
        comment: |
          chpasswd Driver options
          ---------------------
          Command to use (see "Sudo setup" in README)
        value: 'sudo /usr/sbin/chpasswd 2> /dev/null'

      - name: 'xmail_host'
        comment: |
          XMail Driver options
          ---------------------
        value: 'localhost'

      - name: 'xmail_user'
        value: 'YourXmailControlUser'

      - name: 'xmail_pass'
        value: 'YourXmailControlPass'

      - name: 'xmail_port'
        value: 6017

      - name: 'hmailserver_remote_dcom'
        comment: |
          hMail Driver options
          -----------------------
          Remote hMailServer configuration
          true:  hMailServer is on a remote box (php.ini: com.allow_dcom = true)
          false: hMailServer is on the same box as PHP
        value: False

      - name: 'hmailserver_server'
        comment: 'Windows credentials'
        array:
          - Server: 'localhost'
          - Username: 'administrator'
          - Password: 'password'

      - name: 'password_pw_usermod_cmd'
        comment: |
          pw_usermod Driver options
          --------------------------
          Use comma delimited exlist to disable password change for users.
          See "Sudo setup" in README file.
        value: 'sudo /usr/sbin/pw usermod -h 0 -n'

      - name: 'password_dbmail_args'
        comment: |
          DBMail Driver options
          -------------------
          Additional arguments for the dbmail-users call
        value: '-p sha512'

      - name: 'password_expect_bin'
        comment: |
          Expect Driver options
          ---------------------
          Location of expect binary
        value: '/usr/bin/expect'

      - name: 'password_expect_script'
        comment: |
          Location of expect script (see helpers/passwd-expect)
        value: ''

      - name: 'password_expect_params'
        comment: |
          Arguments for the expect script. See the helpers/passwd-expect file for details.
          This is probably a good starting default:
            -telnet -host localhost -output /tmp/passwd.log -log /tmp/passwd.log
        value: ''

      - name: 'password_smb_host'
        comment: |
          smb Driver options
          ---------------------
          Samba host (default: localhost)
          Supported replacement variables:
          %n - hostname ($_SERVER['SERVER_NAME'])
          %t - hostname without the first part
          %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
        value: 'localhost'

      - name: 'password_smb_cmd'
        comment: |
          Location of smbpasswd binary (default: /usr/bin/smbpasswd)
        value: '/usr/bin/smbpasswd'

      - name: 'password_gearman_host'
        comment: |
          gearman driver options
          ---------------------
          Gearman host (default: localhost)
        value: 'localhost'

      - name: 'password_plesk_host'
        comment: |
          Plesk/PPA Driver options
          --------------------
          You need to allow RPC for the IP of the Roundcube server in the Plesk/PPA Panel

          Plesk RPC Host
        value: '10.0.0.5'

      - name: 'password_plesk_user'
        comment: 'Plesk RPC Username'
        value: 'admin'

      - name: 'password_plesk_pass'
        comment: 'Plesk RPC Password'
        value: 'password'

      - name: 'password_plesk_rpc_port'
        comment: 'Plesk RPC Port'
        value: '8443'

      - name: 'password_plesk_rpc_path'
        comment: 'Plesk RPC Path'
        value: 'enterprise/control/agent.php'

      - name: 'password_kpasswd_cmd'
        comment: |
          kpasswd Driver options
          ---------------------
          Command to use
        value: '/usr/bin/kpasswd'

      - name: 'password_modoboa_api_token'
        comment: |
          Modoboa Driver options
          ---------------------
          Put the token number from the Modoboa server
        value: ''

  - name: 'help'
    state: 'enabled'
    options:

      - name: 'help_source'
        comment: |
          Help content iframe source
          %l will be replaced by the language code resolved using the 'help_language_map' option
          If you are serving roundcube via https, then change this URL to https also.
        value: 'https://docs.roundcube.net/doc/help/1.1/%l/'

      - name: 'help_index_map'
        comment: |
          Map task/action combinations to deep-links
          Use '<task>/<action>' or only '<task>' strings as keys
          The values will be appended to the 'help_source' URL
        array:
          - 'login':                'login.html'
            'mail':                 'mail/index.html'
            'mail/compose':         'mail/compose.html'
            'addressbook':          'addressbook/index.html'
            'settings':             'settings/index.html'
            'settings/preferences': 'settings/preferences.html'
            'settings/folders':     'settings/folders.html'
            'settings/identities':  'settings/identities.html'

      - name: 'help_language_map'
        comment: |
          Map to translate Roundcube language codes into help document languages
          The '*' entry will be used as default
        array:
          - '*': 'en_US'

      - name: 'help_about_url'
        comment: |
          Enter an absolute URL to a page displaying information about this webmail
          Alternatively, create an HTML file under <this-plugin-dir>/content/about.html
        value: null

      - name: 'help_license_url'
        comment: |
          Enter an absolute URL to a page displaying information about this webmail
          Alternatively, put your license text to <this-plugin-dir>/content/license.html
        value: null

      - name: 'help_open_extwin'
        comment: 'Determine whether to open the help in a new window'
        value: False

      - name: 'help_csrf_info'
        comment: 'URL to additional information about CSRF protection'
        value: null

  - name: 'markasjunk'
    state: 'enabled'
    options:

      - name: 'markasjunk_learning_driver'
        comment: |
          Learning driver
          Use an external process such as sa-learn to learn from spam/ham messages. Default: null.
          Please see the README for more information
        value: null

      - name: 'markasjunk_ham_mbox'
        comment: |
          Ham mailbox
          Mailbox messages should be moved to when they are marked as ham. null = INBOX
          set to FALSE to disable message moving
        value: null

      - name: 'markasjunk_spam_mbox'
        comment: |
          Spam mailbox
          Mailbox messages should be moved to when they are marked as spam.
          null = the mailbox assigned as the spam folder in Roundcube settings
          set to FALSE to disable message moving
        value: null

      - name: 'markasjunk_read_spam'
        comment: 'Mark messages as read when reporting them as spam'
        value: True  # original: False

      - name: 'markasjunk_unread_ham'
        comment: 'Mark messages as unread when reporting them as ham'
        value: True  # original: False

      - name: 'markasjunk_spam_flag'
        comment: |
          Add flag to messages marked as spam (flag will be removed when marking as ham)
          If you do not want to use message flags set this to false
        value: 'Junk'

      - name: 'markasjunk_ham_flag'
        comment: |
          Add flag to messages marked as ham (flag will be removed when marking as spam)
          If you do not want to use message flags set this to false
        value: 'NonJunk'

      - name: 'markasjunk_debug'
        comment: 'Write output from spam/ham commands to the log for debug'
        value: False

      - name: 'markasjunk_toolbar'
        comment: |
          The mark as spam/ham icon can either be displayed on the toolbar or as part of the mark messages menu.
          Set to False to use Mark menu instead of the toolbar. Default: true.
        value: True

      - name: 'markasjunk_move_spam'
        comment: |
          Learn any message moved to the spam mailbox as spam (not just when the button is pressed)
        value: True  # original: False

      - name: 'markasjunk_move_ham'
        comment: |
          Learn any message moved from the spam mailbox to the ham mailbox as ham (not just when the button is pressed)
        value: True  # original: False

      - name: 'markasjunk_permanently_remove'
        comment: |
          Some drivers create new copies of the target message(s), in this case the original message(s) will be deleted
          Rather than deleting the message(s) (moving to Trash) setting this option true will cause the original message(s) to be permanently removed
        value: False

      - name: 'markasjunk_spam_only'
        comment: 'Display only a mark as spam button'
        value: False

      - name: 'markasjunk_allowed_hosts'
        comment: |
          Activate markasjunk for selected mail hosts only. If this is not set all mail hosts are allowed.
          Example: $config['markasjunk_allowed_hosts'] = array('mail1.domain.tld', 'mail2.domain.tld');
        value: null

      - name: 'markasjunk_host_config'
        comment: |
          Load specific config for different mail hosts
          Example: $config['markasjunk_host_config'] = array(
             'mail1.domain.tld' => 'mail1_config.inc.php',
             'mail2.domain.tld' => 'mail2_config.inc.php',
          );
        value: null

      - name: 'markasjunk_spam_cmd'
        comment: |
          cmd_learn Driver options
          ------------------------
          The command used to learn that a message is spam
          The command can contain the following macros that will be expanded as follows:
               %u is replaced with the username (from the session info)
               %l is replaced with the local part of the username (if the username is an email address)
               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
               %i is replaced with the email address from the user's default identity
               %s is replaced with the email address the message is from
               %f is replaced with the path to the message file
               %h:<header name> is replaced with the content of that header from the message (lower case) eg: %h:x-dspam-signature
          If you do not want to run the command set this to null
        value: null

      - name: 'markasjunk_ham_cmd'
        comment: |
          The command used to learn that a message is ham
          The command can contain the following macros that will be expanded as follows:
               %u is replaced with the username (from the session info)
               %l is replaced with the local part of the username (if the username is an email address)
               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
               %i is replaced with the email address from the user's default identity
               %s is replaced with the email address the message is from
               %f is replaced with the path to the message file
               %h:<header name> is replaced with the content of that header from the message (lower case) eg: %h:x-dspam-signature
          If you do not want to run the command set this to null
        value: null

      - name: 'markasjunk_spam_dir'
        comment: |
          dir_learn Driver options
          ------------------------
          The full path of the directory used to store spam (must be writable by webserver)
        value: null

      - name: 'markasjunk_ham_dir'
        comment: |
          The full path of the directory used to store ham (must be writable by webserver)
        value: null

      - name: 'markasjunk_filename'
        comment: |
          The filename prefix
          The filename can contain the following macros that will be expanded as follows:
               %u is replaced with the username (from the session info)
               %l is replaced with the local part of the username (if the username is an email address)
               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
               %t is replaced with the type of message (spam/ham)
        value: null

      - name: 'markasjunk_email_spam'
        comment: |
          email_learn Driver options
          --------------------------
          The email address that spam messages will be sent to
          The address can contain the following macros that will be expanded as follows:
               %u is replaced with the username (from the session info)
               %l is replaced with the local part of the username (if the username is an email address)
               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
               %i is replaced with the email address from the user's default identity
          If you do not want to send an email set this to null
        value: null

      - name: 'markasjunk_email_ham'
        comment: |
          The email address that ham messages will be sent to
          The address can contain the following macros that will be expanded as follows:
               %u is replaced with the username (from the session info)
               %l is replaced with the local part of the username (if the username is an email address)
               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
               %i is replaced with the email address from the user's default identity
          If you do not want to send an email set this to null
        value: null

      - name: 'markasjunk_email_attach'
        comment: 'Should the spam/ham message be sent as an attachment'
        value: True

      - name: 'markasjunk_email_subject'
        comment: |
          The email subject (when sending as attachment)
          The subject can contain the following macros that will be expanded as follows:
               %u is replaced with the username (from the session info)
               %l is replaced with the local part of the username (if the username is an email address)
               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
               %t is replaced with the type of message (spam/ham)
        value: 'learn this message as %t'

      - name: 'markasjunk_sauserprefs_config'
        comment: |
          sa_blacklist Driver options
          ---------------------------
          Path to SAUserPrefs config file
        value: '../sauserprefs/config.inc.php'

      - name: 'markasjunk_amacube_config'
        comment: |
          amavis_blacklist Driver options
          ---------------------------
          Path to amacube config file
        value: '../amacube/config.inc.php'

      - name: 'markasjunk_spam_patterns'
        comment: |
          edit_headers Driver options
          ---------------------------
          Patterns to match and replace headers for spam messages
          Replacement method uses preg_replace - http://www.php.net/manual/function.preg-replace.php
          WARNING: Be sure to match the entire header line, including the name of the header, also use ^ and $ and the 'm' flag
          see the README for an example
          TEST CAREFULLY BEFORE USE ON REAL MESSAGES
        array:
          - patterns:     []
            replacements: []

      - name: 'markasjunk_ham_patterns'
        comment: |
          Patterns to match and replace headers for ham messages
          Replacement method uses preg_replace - http://www.php.net/manual/function.preg-replace.php
          WARNING: Be sure to match the entire header line, including the name of the header, also use ^ and $ and the 'm' flag
          see the README for an example
          TEST CAREFULLY BEFORE USE ON REAL MESSAGES
        array:
          - patterns:     []
            replacements: []

    # This plugin adds additional commands in the header of the message if
    # Roundcube detects it's a mailing list message.
  - name: 'listcommands'
    package: 'cor/listcommands'
    state: 'enabled'

    # This plugin provides support for swipe gestures on mobile devices in the
    # Elastic skin.
  - name: 'swipe'
    package: 'johndoh/swipe:0.1.0'
    state: 'enabled'

    # This plugin includes additional information in Dovecot connections to
    # provide better logging capabilities.
  - name: 'dovecot_ident'
    package: 'cor/dovecot-ident'
    state: 'enabled'

    # This plugin adds support for parsing vCard attachments in e-mail
    # messages.
  - name: 'vcard_attachments'
    state: 'enabled'

    # This plugin adds support for generating Identicon avatars for contacts
    # without images.
  - name: 'identicon'
    state: 'enabled'

  - name: 'managesieve'
    state: 'enabled'
    options:

      - name: 'managesieve_port'
        comment: |
          managesieve server port. When empty the port will be determined automatically
          using getservbyname() function, with 4190 as a fallback.
        value: null

      - name: 'managesieve_host'
        comment: |
          managesieve server address, default is localhost.
          Replacement variables supported in host name:
          %h - user's IMAP hostname
          %n - http hostname ($_SERVER['SERVER_NAME'])
          %d - domain (http hostname without the first part)
          For example %n = mail.domain.tld, %d = domain.tld
        value: '{{ roundcube__sieve_server }}'

      - name: 'managesieve_auth_type'
        comment: |
          Authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
          or none. Optional, defaults to best method supported by server.
        value: null

      - name: 'managesieve_auth_cid'
        comment: |
          Optional managesieve authentication identifier to be used as authorization proxy.
          Authenticate as a different user but act on behalf of the logged in user.
          Works with PLAIN and DIGEST-MD5 auth.
        value: null

      - name: 'managesieve_auth_pw'
        comment: |
          Optional managesieve authentication password to be used for imap_auth_cid
        value: null

      - name: 'managesieve_usetls'
        comment: |
          Whether to use TLS for the managesieve server connection
          Note: tls:// prefix in managesieve_host is also supported
        value: False

      - name: 'managesieve_conn_options'
        comment: |
          Connection socket context options
          See http://php.net/manual/en/context.ssl.php
          The example below enables server certificate validation
        array:
          - ssl:
              - verify_peer: True
                verify_depth: 3
                cafile: '/etc/ssl/certs/ca-certificates.crt'
        state: 'comment'

      - name: 'managesieve_default'
        comment: |
          A file with default script content (eg. spam filter)
        value: '/etc/dovecot/sieve/global'

      - name: 'managesieve_script_name'
        comment: |
          The name of the script which will be used when there's no user script
        value: 'managesieve'

      - name: 'managesieve_mbox_encoding'
        comment: |
          Sieve RFC says that we should use UTF-8 encoding for mailbox names,
          but some implementations do not convert UTF-8 to modified UTF-7.
          Defaults to UTF7-IMAP
        value: 'UTF-8'

      - name: 'managesieve_replace_delimiter'
        comment: |
          I need this because my dovecot (with listescape plugin) uses
          ':' delimiter, but creates folders with dot delimiter
        value: ''

      - name: 'managesieve_disabled_extensions'
        comment: |
          Disabled sieve extensions (body, copy, date, editheader, encoded-character,
          envelope, environment, ereject, fileinto, ihave, imap4flags, index,
          mailbox, mboxmetadata, regex, reject, relational, servermetadata,
          spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc.
          Note: not all extensions are implemented
        value: []

      - name: 'managesieve_debug'
        comment: |
          Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve
        value: False

      - name: 'managesieve_kolab_master'
        comment: |
          Enables features described in http://wiki.kolab.org/KEP:14
        value: False

      - name: 'managesieve_filename_extension'
        comment: |
          Script name extension used for scripts including. Dovecot uses '.sieve',
          Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled.
        value: '.sieve'

      - name: 'managesieve_filename_exceptions'
        comment: |
          List of reserved script names (without extension).
          Scripts listed here will not be presented to the user.
        value: []

      - name: 'managesieve_domains'
        comment: |
          List of domains limiting destination emails in redirect action
          If not empty, user will need to select domain from a list
        value: []

      - name: 'managesieve_default_headers'
        comment: |
          Default list of entries in header selector
        value: [ 'Subject', 'From', 'To' ]

      - name: 'managesieve_vacation'
        comment: |
          Enables separate management interface for vacation responses (out-of-office)
          0 - no separate section (default),
          1 - add Vacation section,
          2 - add Vacation section, but hide Filters section
        value: 1

      - name: 'managesieve_forward'
        comment: |
          Enables separate management interface for setting forwards (redirect to and copy to)
          0 - no separate section (default),
          1 - add Forward section,
          2 - add Forward section, but hide Filters section
        value: 1

      - name: 'managesieve_vacation_interval'
        comment: |
          Default vacation interval (in days).
          Note: If server supports vacation-seconds extension it is possible
          to define interval in seconds here (as a string), e.g. "3600s".
        value: 0

      - name: 'managesieve_vacation_addresses_init'
        comment: |
          Some servers require vacation :addresses to be filled with all
          user addresses (aliases). This option enables automatic filling
          of these on initial vacation form creation.
        value: True

      - name: 'managesieve_vacation_from_init'
        comment: |
          Sometimes you want to always reply with mail email address
          This option enables automatic filling of :from field on initial
          vacation form creation.
        value: True

      - name: 'managesieve_notify_methods'
        comment: |
          Supported methods of notify extension. Default: 'mailto'
        value: [ 'mailto' ]

      - name: 'managesieve_raw_editor'
        comment: 'Enables scripts RAW editor feature'
        value: True

      - name: 'managesieve_disabled_actions'
        comment: |
          Disabled actions
          Prevent user from performing specific actions:
          list_sets, enable_disable_set, delete_set, new_set, download_set, new_rule, delete_rule
          Note: disabling list_sets removes the Filter sets widget from the UI and means
                the set defined in managesieve_script_name will always be used (and activated)
        value: []

      - name: 'managesieve_allowed_hosts'
        comment: |
          List of hosts that support managesieve.
          Activate managesieve for selected hosts only. If this is not set all hosts are allowed.
          Example: $config['managesieve_allowed_hosts'] = array('host1.mydomain.com','host2.mydomain.com');
        value: null
roundcube__plugins

List of Roundcube plugins configured on all hosts in the Ansible inventory.

roundcube__plugins: []
roundcube__group_plugins

List of Roundcube plugins configured on hosts in a specific Ansible inventory group.

roundcube__group_plugins: []
roundcube__host_plugins

List of Roundcube plugins configured on specific hosts in the Ansible inventory.

roundcube__host_plugins: []
roundcube__combined_plugins

Variable which combines all Roundcube plugin lists and is used in role tasks and templates.

roundcube__combined_plugins: '{{ roundcube__default_plugins
                                 + roundcube__plugins
                                 + roundcube__group_plugins
                                 + roundcube__host_plugins }}'

Skins

roundcube__skin_folder

Skin name: a folder from /skins. Currently available:

  • classic
  • elastic [default] (mobile-ready, requires nodejs dependency, due to CSS-LESS syntax)
  • larry
roundcube__skin_folder: 'elastic'

Logo image replacement. Specifies location of the image as:

  • URL relative to the document root of this Roundcube installation
  • full URL with http:// or https:// prefix
  • URL relative to the current skin folder (when starts with a '/')
roundcube__skin_logo: null

Other variables

roundcube__max_file_size

Maximum upload size, in MB.

roundcube__max_file_size: '30'

Role-dependent configuration

roundcube__keyring__dependent_gpg_user

The UNIX account which will be used to install additional GPG keys by the debops.keyring role.

roundcube__keyring__dependent_gpg_user: '{{ roundcube__user }}'
roundcube__keyring__dependent_gpg_keys

GPG key configuration for the debops.keyring Ansible role.

roundcube__keyring__dependent_gpg_keys:

  - user: '{{ roundcube__user }}'
    group: '{{ roundcube__group }}'
    home: '{{ roundcube__home }}'
    id: '{{ roundcube__git_gpg_key }}'

  - '{{ roundcube__git_additional_gpg_keys }}'
roundcube__ldap__dependent_tasks

Configuration for the debops.ldap Ansible role.

roundcube__ldap__dependent_tasks:

  - name: 'Create roundcube account for {{ roundcube__ldap_device_dn | join(",") }}'
    dn: '{{ roundcube__ldap_binddn }}'
    objectClass: '{{ roundcube__ldap_self_object_classes }}'
    attributes: '{{ roundcube__ldap_self_attributes }}'
    no_log: True
    state: '{{ "present" if roundcube__ldap_password_enabled and
                            roundcube__ldap_device_dn|d() else "ignore" }}'
roundcube__nginx__dependent_servers

nginx server configuration managed by the debops.nginx role.

roundcube__nginx__dependent_servers:

  - name: '{{ roundcube__fqdn }}'
    filename: 'debops.roundcube'
    by_role: 'debops.roundcube'
    type: 'php'
    root: '{{ roundcube__git_dest }}'
    webroot_create: False
    access_policy: '{{ roundcube__nginx_access_policy }}'
    index: 'index.php'

    options: |
      autoindex off;
      client_max_body_size {{ roundcube__max_file_size }}M;
      client_body_buffer_size 128k;

    location_list:
      - pattern: '/'
        options: |
          try_files $uri $uri/ @roundcube;

      - pattern: '@roundcube'
        options: |
          rewrite ^/favicon\.ico$ skins/{{ roundcube__skin_folder }}/images/favicon.ico last;

      - pattern: '~ ^/?(installer|[A-Z0-9]+$)'
        options: |
          deny all;

      - pattern: '~ ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps))'
        options: |
          deny all;

      - pattern: '~ /(README\.md|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$'
        options: |
          deny all;

    php_options: |
      fastcgi_intercept_errors        on;
      fastcgi_ignore_client_abort     off;
      fastcgi_connect_timeout         60;
      fastcgi_send_timeout            180;
      fastcgi_read_timeout            180;
      fastcgi_buffer_size             128k;
      fastcgi_buffers               4 256k;
      fastcgi_busy_buffers_size       256k;
      fastcgi_temp_file_write_size    256k;

    php_upstream: 'php_roundcube'
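
The three `deny all` regex locations above can be regression-tested offline before a pattern is changed. The following is an added example, not part of the DebOps role: it applies a simplified model of nginx URI normalization and then tries the patterns in configuration order. The request paths are constructed samples, the function names are the example's own, and any other locations that debops.nginx generates for a `type: 'php'` server are not modelled.

```python
import re
from urllib.parse import unquote

# The three "deny all" regex locations, copied verbatim from
# roundcube__nginx__dependent_servers. "~" means case-sensitive matching.
DENY_LOCATIONS = [
    r'^/?(installer|[A-Z0-9]+$)',
    r'^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps))',
    r'/(README\.md|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$',
]
COMPILED = [re.compile(p) for p in DENY_LOCATIONS]


def normalize(uri):
    """Simplified model of nginx URI normalization before location matching:
    drop the query string, decode %XX, resolve "." and "..", merge slashes."""
    path = unquote(uri.split('?', 1)[0])
    parts = []
    for segment in path.split('/'):
        if segment in ('', '.'):
            continue
        if segment == '..':
            if parts:
                parts.pop()
            continue
        parts.append(segment)
    normalized = '/' + '/'.join(parts)
    if parts and path.endswith('/'):
        normalized += '/'
    return normalized


def denied_by(uri):
    """Return the index of the first deny location matching uri, or None
    when the request falls through to the other locations."""
    path = normalize(uri)
    for index, pattern in enumerate(COMPILED):
        if pattern.search(path):
            return index
    return None


# Constructed request paths with the outcome an operator would expect.
SAMPLES = [
    ('/', False),
    ('/?_task=mail', False),
    ('/index.php', False),
    ('/skins/elastic/images/favicon.ico', False),
    ('/program/js/app.min.js', False),
    ('/plugins/managesieve/managesieve.js', False),
    ('/installer/index.php', True),
    ('/CHANGELOG', True),
    ('/.git/config', True),
    ('/SQL/mysql.initial.sql', True),
    ('/bin/installto.sh', True),
    ('/config/config.inc.php', True),
    ('/logs/errors.log', True),
    ('/temp/', True),
    ('/program/lib/Roundcube/rcube.php', True),
    ('/README.md', True),
    ('/plugins/password/README.md', True),
    ('/composer.json', True),
    # Normalization happens first, so these resolve to denied paths too.
    ('//config//config.inc.php', True),
    ('/skins/../logs/errors.log', True),
    ('/%63onfig/config.inc.php', True),
    # The second pattern is a prefix match: unrelated names that start
    # with a listed word are denied as well (hypothetical path).
    ('/config-backup/notes.txt', True),
]


def mismatches(samples=SAMPLES):
    """Return the samples whose actual outcome differs from the expectation."""
    return [(uri, expected) for uri, expected in samples
            if (denied_by(uri) is not None) != expected]


if __name__ == '__main__':
    for uri, _ in SAMPLES:
        rule = denied_by(uri)
        verdict = 'deny (rule %d)' % (rule + 1) if rule is not None else 'pass'
        print('%-40s -> %-32s %s' % (uri, normalize(uri), verdict))
    assert not mismatches(), mismatches()
```

Extend `SAMPLES` with the paths of any extra plugins or skins you deploy, and rerun the script whenever a `location_list` pattern is edited.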
roundcube__nginx_access_policy

Name of the "nginx access policy" for Roundcube webpage. See debops.nginx Ansible role for more details.

roundcube__nginx_access_policy: ''
roundcube__nginx__dependent_upstreams

PHP upstream server configuration managed by the debops.nginx role.

roundcube__nginx__dependent_upstreams:

  - name: 'php_roundcube'
    by_role: 'debops.roundcube'
    enabled: True
    type: 'php'
    php_pool: 'roundcube'
roundcube__php__dependent_packages

List of PHP packages to install using the debops.php role.

roundcube__php__dependent_packages:
  - '{{ roundcube__base_php_packages }}'
  - '{{ roundcube__optional_php_packages }}'
  - '{{ roundcube__custom_php_packages }}'
roundcube__php__dependent_pools

PHP pools managed by the debops.php role.

roundcube__php__dependent_pools:
  name: 'roundcube'
  by_role: 'debops.roundcube'
  user: '{{ roundcube__user }}'
  group: '{{ roundcube__group }}'

  php_values:
    ## https://secure.php.net/manual/en/info.configuration.php#ini.upload-max-filesize
    upload_max_filesize:        '{{ roundcube__max_file_size }}M'

    ## https://secure.php.net/manual/en/ini.core.php#ini.post-max-size
    post_max_size:              '{{ roundcube__max_file_size }}M'

    ## https://github.com/roundcube/roundcubemail/wiki/Install-Requirements
    file_uploads:               'on'
    mbstring.func_overload:     'off'
    memory_limit:               '64M'
    magic_quotes_runtime:       'off'
    magic_quotes_sybase:        'off'
    session.auto_start:         'off'
    suhosin.session.encrypt:    'off'
roundcube__nodejs__npm_dependent_packages

Configuration for the debops.nodejs Ansible role.

roundcube__nodejs__npm_dependent_packages:
  # Dependency for the 'elastic' skin to compile the CSS files
  - 'less'
  - 'tslib'