As part of issue MAR-50, a number of deficiencies may be discovered that need fixing. These can be bugs in implementation as well as missing functionality. This issue serves to collect such (mostly minor) improvements that should be made.

The following bugs should be fixed:
* In mail_server role, once clamav-freshclam service is enabled, it takes some time for it to download virus definitions. During this time the clamav-daemon service will be inoperable, and has to be restarated once freshclam finished the initial run. Documentation should reflect this deficiency.
* Nested option '''public_key''' in option '''backup_clients''' in role '''backup_server''' is undocumented.
* Role '''backup_client''' fails to assemble the include pattern file used during backups.
* CA certificates deployed by role '''common''' should be put into directory '''/usr/local/share/ca-certificates/'''
* Privileges in role '''database''' have not been set correctly. The user was granted all privileges on all databases instead of its own only.
* Fix syntax error for default values for vars '''ldap_server_tls_certificate''' and '''ldap_sever_tls_key''' in role '''ldap_server'''.
* Fix syntax error for default values for vars '''imap_tls_certificate''', '''imap_tls_key''', '''smtp_tls_certificate''', and '''smtp_tls_key'''.
* Default to error 404 in role '''php_website''' if no match is made for a URL.
* Fix syntax error for default values for vars '''xmpp_tls_certificate''' and '''xmpp_tls_key''' in role '''xmpp_server'''.
* '''mod_auth_ldap''' module for Prosody has moved to new home. Update the download URL in '''xmpp_server''' role.
* Dependencies in meta/main.yml should be specified with a simple list instead of the '''- role: blah''' syntax (i.e. do it simply '''- blah'''. Otherwise the role may get invoked multiple times. Seems to have been fixed in Ansible 2.0.x, though.
* It should be made clear to the user of '''wsgi_website''' role that the base directory for specifying the application/paster ini file is '''USER_HOME/code''' directory. I.e. both the WSGI application and paster ini file path should be relative to this path.
* The '''wsgi_website''' role should fixate the Gunicorn virtualenv package, and also install '''futures''' package in order to make sure the default thread worker used by some apps (Kallithea) works correctly.
* In role '''wsgi_website''' the prompt for virtual environment is not properly set. It has to be done via '''--prompt '(FQDN)' ''' option (the brackets must be included).
* Role '''ldap_server''' should set-up the slapd daemon to listen on port 636 in addition to default 389.


The following enhancements should be made:
* Documentation for roles that involve interaction with LDAP server should be updated to contain LDIF templates relevant to LDAP use. This helps for future operations significantly.
* In role '''mail_server''', have the '''mail_ldap_tls_truststore''' parameter be an actual value of certificates to deploy, and hard-code the paths for that certificate deployment. This should reduce dependency on other params to be correctly filled-in ('''ca_certificates''' in '''common''' role). Similar should be done for role '''mail_forwarder''' and parameter '''smtp_relay_truststore'''.
* Introduce option '''additional_nginx_config''' to '''php_website''' and '''wsgi_website''' to allow for adding custom Nginx configuration directives to the Server section.
* Don't change passwords for users created by '''common''' role if users already exist.
* Split-out a role for deploying backup patterns, maybe call it simply '''backup'''. This way the '''backup_client''' role can be set to '''allow_duplicates: no''', which will reduce number of tasks executed during each run.