# Secret for the 'roundcube' PostgreSQL role. It comes from the repository
# vault under a per-node identifier, so no credential is hard-coded here.
# The same value is used below for the webmail DB config and the role.
database_password = repo.vault.password_for(f'{node.name} postgresql roundcube')

# Static metadata defaults for the Roundcube webmail bundle: the PHP packages,
# Roundcube's own settings, the PostgreSQL role/database and one sudoers grant.
defaults = {
    'apt': {
        'packages': {
            'php': {},
            'php-auth-sasl': {},
            'php-cli': {},
            'php-fpm': {},
            'php-imagick': {},
            'php-intl': {},
            'php-mail-mime': {},
            'php-mbstring': {},
            # FIXME: not available in bullseye?
            # 'php-net-idna2': {},
            'php-net-smtp': {},
            'php-net-socket': {},
            'php-pear': {},
            'php-pgsql': {},
            'php-xml': {},
            'php-zip': {},
            'php-curl': {},
            'php-gd': {},
            'composer': {},
            'php-ldap': {},
        },
    },
    'roundcube': {
        'database': {
            'provider': 'pgsql',
            # Database is reached on the local host only.
            'host': 'localhost',
            'name': 'roundcube',
            'user': 'roundcube',
            # Must stay identical to the role password under 'postgresql' below.
            'password': database_password,
        },
        'plugins': [
            'managesieve',
            # NOTE(review): presumably the reason for the doveadm sudoers grant
            # at the bottom of this dict; confirm against the plugin config.
            'password',
        ],
        # Roundcube uses des_key to encrypt the user's IMAP password kept in
        # the session; its default cipher needs a key of exactly 24 characters,
        # hence length=24. Per-node vault identifier, so nodes do not share it.
        'des_key': repo.vault.password_for(f'{node.name} roundcube des_key', length=24),
    },
    'postgresql': {
        'roles': {
            'roundcube': {
                'password': database_password,
            },
        },
        'databases': {
            'roundcube': {
                'owner': 'roundcube',
            },
        },
    },
    'sudoers': {
        # The web server account is granted one full command line, arguments
        # included, not doveadm as a whole. Keep it that narrow: doveadm has
        # subcommands far more powerful than hashing a password.
        # NOTE(review): the rule is rendered by the sudoers bundle (not visible
        # here); confirm it is emitted without wildcards and check which
        # run-as user and NOPASSWD setting it applies.
        'www-data': ['/usr/bin/doveadm pw -s ARGON2ID'],
    },
}

@metadata_reactor.provides('nginx/vhosts')
def vhost(metadata):
    """Provide the nginx vhost that serves Roundcube.

    The vhost is keyed by the node's 'mailserver/hostname' metadata value,
    uses the 'roundcube/vhost.conf' template and passes '/opt/roundcube' to
    it as the document root.
    """
    server_name = metadata.get('mailserver/hostname')

    # NOTE(review): the root is the top of the Roundcube tree, which also holds
    # config/, logs/ and temp/. Confirm that roundcube/vhost.conf (not visible
    # here) denies web access to those directories, or serve Roundcube's
    # public_html/ directory as the root instead.
    template_context = {'root': '/opt/roundcube'}

    site = {
        'content': 'roundcube/vhost.conf',
        'context': template_context,
    }
    return {'nginx': {'vhosts': {server_name: site}}}