diff --git a/inventory/host_vars/web1.dmz.mateu.be.yml b/inventory/host_vars/web1.dmz.mateu.be.yml
index d2f0872..6c03a67 100644
--- a/inventory/host_vars/web1.dmz.mateu.be.yml
+++ b/inventory/host_vars/web1.dmz.mateu.be.yml
@@ -6,8 +6,10 @@ web_hostname:
 - host: fav.libertus.eu
 - host: rss.libertus.eu
 - host: o.libertus.eu
+ type: nextcloud
 - host: blog.libertus.eu
 - host: mail.libertus.eu
+ type: roundcube
 - host: perso.nintendojo.fr
 - host: perso.libertus.eu
 - host: r.mateu.be
@@ -19,3 +21,20 @@ mariadb_root_pass: !vault |
 61363465343165366430323033373730356636356462623332616364323265613934383664393461
 6266393162633761340a613835393138353438656136643132353966646536316563646439336534
 3064
+
+roundcube_des_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38346466376538303431306433383463366561343233363866373638646265373361333835343234
+ 6433383862336438633166616161393365343539663837630a303066376263343463303739643830
+ 63656464316634306161643439323133613161303336333134353231326166393932363930666162
+ 6436316631623039360a366362343939666262663130323761383436333164333166386364616336
+ 64356532313233363461343535663564303465623732373661313161313539653864
+roundcube_pg_role: "admin_lbrc"
+roundcube_pg_database: "libertus_roundcube"
+roundcube_pg_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66623335306364306336643164313034383238373332666337326333383838323562323061386436
+ 3934366362363732313335316565643131646164363332360a666130656165386166613534386531
+ 61333435376364623464613330633532363935663231343162373061393032616466396431633938
+ 3038663837653734640a353230346436643538343435313034306332343438396239653433356334
+ 3862
diff --git a/playbooks/site.yml b/playbooks/site.yml
index 214830f..8b37864 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -52,3 +52,5 @@
 import_playbook: gitea.yml
 - name: Run vaultwarden playbook
 import_playbook: vaultwarden.yml
+- name: Run webapps playbook
+ import_playbook: webapps.yml
diff --git a/playbooks/webapps.yml b/playbooks/webapps.yml
new file mode 100644
index 0000000..fee943c
--- /dev/null
+++ b/playbooks/webapps.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Install roundcube for libertus
+ hosts: web1.dmz.mateu.be
+ diff: true
+ roles:
+ - roundcube
diff --git a/roles/roundcube/tasks/db.yml b/roles/roundcube/tasks/db.yml
new file mode 100644
index 0000000..eb0f18b
--- /dev/null
+++ b/roles/roundcube/tasks/db.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Create roundcube db role
+ become_user: postgres
+ become: true
+ community.postgresql.postgresql_user:
+ name: "{{ roundcube_pg_role }}"
+ password: "{{ roundcube_pg_password }}"
+
+- name: Create roundcube db
+ become_user: postgres
+ become: true
+ community.postgresql.postgresql_db:
+ name: "{{ roundcube_pg_database }}"
+ owner: "{{ roundcube_pg_role }}"
diff --git a/roles/roundcube/tasks/main.yml b/roles/roundcube/tasks/main.yml
new file mode 100644
index 0000000..41ddc6d
--- /dev/null
+++ b/roles/roundcube/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Init DB
+ ansible.builtin.include_tasks: db.yml
+
+- name: Install roundcube
+ ansible.builtin.include_tasks: roundcube.yml
+
+- name: Install roundcube carddav plugin
+ ansible.builtin.include_tasks: roundcube_carddav.yml
diff --git a/roles/roundcube/tasks/roundcube.yml b/roles/roundcube/tasks/roundcube.yml
new file mode 100644
index 0000000..d4a8087
--- /dev/null
+++ b/roles/roundcube/tasks/roundcube.yml
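Review bot: Play-level `diff: true` in playbooks/webapps.yml applies to every task of the roundcube role, including the `ansible.builtin.template` task "Put roundcube configuration" in roles/roundcube/tasks/roundcube.yml. The body of config.inc.php.j2 is not visible here, but if it renders the vaulted `roundcube_des_key` and `roundcube_pg_password`, any change to that file would print the decrypted values in the diff output and in whatever terminal log or CI console captures the run. I would keep diff mode for the play and switch it off on that one task with `diff: false` (or `no_log: true`), set at task level next to `ansible.builtin.template:`.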
@@ -0,0 +1,41 @@
+---
+
+- name: Create application directory
+ ansible.builtin.file:
+ state: directory
+ dest: "{{ roundcube_local_path }}"
+ owner: "root"
+ group: "www-data"
+ mode: "0o750"
+
+- name: Unzip roundcube
+ ansible.builtin.unarchive:
+ remote_src: true
+ src: "{{ roundcube_url }}"
+ dest: "{{ roundcube_local_path }}"
+ owner: root
+ group: www-data
+ mode: "a-rwx,u+rwX,g+rX"
+ extra_opts: ['--strip-components=1']
+ exclude:
+ - "{{ roundcube_config_path }}"
+
+- name: Put roundcube configuration
+ ansible.builtin.template:
+ src: "config.inc.php.j2"
+ dest: "{{ roundcube_config_path }}"
+ owner: root
+ group: www-data
+ mode: "0o640"
+
+- name: Check writable dir
+ ansible.builtin.file:
+ state: directory
+ recurse: true
+ dest: "{{ roundcube_local_path }}/{{ item }}"
+ owner: root
+ group: www-data
+ mode: "g+w"
+ loop:
+ - "logs"
+ - "temp"
diff --git a/roles/roundcube/tasks/roundcube_carddav.yml b/roles/roundcube/tasks/roundcube_carddav.yml
new file mode 100644
index 0000000..0bd46c6
--- /dev/null
+++ b/roles/roundcube/tasks/roundcube_carddav.yml
@@ -0,0 +1,18 @@
+---
+
+- name: Unzip carddav plugin
+ ansible.builtin.unarchive:
+ remote_src: true
+ src: "{{ roundcube_carddav_url }}"
+ dest: "{{ roundcube_local_path }}/plugins"
+ owner: root
+ group: www-data
+ mode: "a-rwx,u+rwX,g+rX"
+
+- name: Put carddav config file
+ ansible.builtin.template:
+ src: "carddav.config.inc.php.j2"
+ dest: "{{ roundcube_local_path }}/plugins/carddav/config.inc.php"
+ owner: root
+ group: www-data
+ mode: "0o640"
diff --git a/roles/roundcube/templates/carddav.config.inc.php.j2 b/roles/roundcube/templates/carddav.config.inc.php.j2
new file mode 100644
index 0000000..c4b1f87
--- /dev/null
+++ b/roles/roundcube/templates/carddav.config.inc.php.j2
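Review bot: The `Unzip roundcube` task hands `src: "{{ roundcube_url }}"` straight to `ansible.builtin.unarchive`, so the archive is fetched and extracted into the application directory with no integrity check; the `Unzip carddav plugin` task in roles/roundcube/tasks/roundcube_carddav.yml does the same with `roundcube_carddav_url`. unarchive has no checksum option, so a tampered or swapped release archive would be deployed as PHP code served by the web server. Download first with `ansible.builtin.get_url` and a pinned `checksum:`, then unpack the local file; the digest and download-path variables in the sketch below are placeholder names to be defined in the role. Separately, `exclude` receives `roundcube_config_path`, the same value used as the template `dest`; if that is an absolute path it probably will not match archive member names, so confirm the exclusion does what is intended.

```yaml
- name: Download roundcube archive
  ansible.builtin.get_url:
    url: "{{ roundcube_url }}"
    # placeholder variable: a path inside a root-only directory
    dest: "{{ roundcube_archive_path }}"
    # placeholder variable: "sha256:<digest published with the release>"
    checksum: "{{ roundcube_archive_checksum }}"
    owner: root
    group: root
    mode: "0o600"

- name: Unzip roundcube
  ansible.builtin.unarchive:
    remote_src: true
    src: "{{ roundcube_archive_path }}"
    # … unchanged: dest, owner, group, mode, extra_opts, exclude …
```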
@@ -0,0 +1,25 @@ + 'Personal', +]; + +$prefs['Personal'] = [ + 'accountname' => 'Nextcloud', + 'username' => '%u', + 'password' => '%p', + 'discovery_url' => 'https://{{ roundcube_carddav_discovery_url }}:443/remote.php/carddav/addressbooks/%u/', + 'rediscover_time' => '24:00', + 'hide' => false, + 'preemptive_basic_auth' => false, + 'ssl_noverify' => false, + 'active' => true, + 'readonly' => true, + 'refresh_time' => '24:00', + 'use_categories' => true, + 'fixed' => [], + 'require_always_email' => false, +]; diff --git a/roles/roundcube/templates/config.inc.php.j2 b/roles/roundcube/templates/config.inc.php.j2 new file mode 100644 index 0000000..f322483 --- /dev/null +++ b/roles/roundcube/templates/config.inc.php.j2 @@ -0,0 +1,26 @@ +