diff --git a/roles/rt5/defaults/main.yml b/roles/rt5/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d43f4d6812411a7c959fc519efde422a7177d9c9
--- /dev/null
+++ b/roles/rt5/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+
+# Value of the $rtname RT config.
+helpdesk_app_name: "{{ domain_public[0] }}"
+
+# Organization.
+helpdesk_organization: "{{ domain_public[0] }}"
+
+# Set to the default queue if you so desire.
+# helpdesk_default_queue: helpdesk
+
+
+
+
+# the following variables are superseded by those set in
+# ai3/prod/group_vars/all/config.yml
+
+# Set the following to true only once you've run 'in-container
+# helpdesk-rt5 rt-setup-fulltext-index'.
+helpdesk_fulltext_enabled: false
+
+# Set to true if you have a GPG keyring in
+# credentials_dir/gpg/helpdesk.
+helpdesk_gpg_enabled: false
+
+# Describe the queues and their associated email addresses.
+#helpdesk_queues:
+#  - name: helpdesk
+#    addr: help@autistici.org
+helpdesk_queues: []
diff --git a/roles/rt5/files/rt5.cron b/roles/rt5/files/rt5.cron
new file mode 100644
index 0000000000000000000000000000000000000000..0be2508cbb9a88c819a48baa3e4548d29a721ccc
--- /dev/null
+++ b/roles/rt5/files/rt5.cron
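Review bot: `helpdesk_queues: []` is declared (with a commented example) but nothing in this commit consumes it — rt5.pm.j2 never references `helpdesk_queues` and no task in tasks/main.yml or tasks/gpg.yml loops over it — so as committed it is a dead variable; either add the template block that renders the queues or drop it until that exists. The commented example also hardcodes `help@autistici.org` while every other address in the role is derived from `domain_public[0]`, so `#    addr: "help@{{ domain_public[0] }}"` keeps the example consistent with what the template actually emits. The comment pointing at `ai3/prod/group_vars/all/config.yml` describes one deployment's inventory from inside a reusable role; `# Deployments normally override the variables below in their inventory group_vars.` would age better.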
@@ -0,0 +1,13 @@
+# Disable unwanted notifications.
+MAILTO=""
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
+
+10 0 * * * root in-container helpdesk-rt5 rt-email-digest -m daily
+12 0 * * 0 root in-container helpdesk-rt5 rt-email-digest -m weekly
+14 * * * * root in-container helpdesk-rt5 rt-email-dashboards
+16 0 * * * root in-container helpdesk-rt5 rt-externalize-attachments
+33 * * * * root in-container helpdesk-rt5 rt-fulltext-indexer --quiet
+49 4 * * * root in-container helpdesk-rt5 rt-clean-sessions --older 3D --skip-user
+
+20 5 * * * root in-container helpdesk-rt5 rt-shredder --plugin "Tickets=query,LastUpdated < '30 days ago' AND ( Status = 'resolved' OR Status = 'rejected' OR Status = 'deleted');limit,20" --sqldump /tmp/deleted-tickets-`date +\%Y-\%m-\%d_\%H-\%M-\%S`.sql --force >/dev/null 2>&1 && rm /tmp/deleted-tickets*
+
diff --git a/roles/rt5/handlers/main.yml b/roles/rt5/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..234020b0273c8a501a60e6f3682a1728b0e5d3df
--- /dev/null
+++ b/roles/rt5/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- listen: restart rt5
+  systemd:
+    name: docker-helpdesk-rt5
+    state: restarted
+
diff --git a/roles/rt5/tasks/gpg.yml b/roles/rt5/tasks/gpg.yml
new file mode 100644
index 0000000000000000000000000000000000000000..11e1ca934cb7b3f126c40b65394d74611deb61d1
--- /dev/null
+++ b/roles/rt5/tasks/gpg.yml
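Review bot: The `rt-shredder` job writes a SQL dump of the shredded tickets to `/tmp/deleted-tickets-<timestamp>.sql` and removes it only on success (`&& rm`), so any non-zero exit leaves a copy of deleted ticket content sitting in `/tmp` indefinitely, while `>/dev/null 2>&1` together with `MAILTO=""` discards every indication that this happened. Point `--sqldump` at a directory only the RT user can read (whether the in-container `/tmp` is the host's or the container's is not visible here — confirm) and clean up unconditionally, e.g. finish the line with `; rm -f <dump-dir>/deleted-tickets-*` rather than `&& rm /tmp/deleted-tickets*`, and keep stderr somewhere it can be read. The same `MAILTO=""` silences failures of the other jobs (`rt-fulltext-indexer`, `rt-externalize-attachments`, …); appending `2>&1 | logger -t rt5-cron` to each line keeps the noise out of mail but in syslog where it can be alerted on.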
@@ -0,0 +1,27 @@
+---
+
+- name: Create /etc/rt5/gnupg
+  file:
+    path: /etc/rt5/gnupg
+    state: directory
+    owner: docker-helpdesk
+    group: docker-helpdesk
+    mode: 0700
+
+# Only install a fresh keyring if it isn't already there: RT4
+# modifies it in place, and we don't have an easy way to say
+# add-a-key-if-it-isnt-there (yet).
+- stat:
+    path: /etc/rt5/gnupg/pubring.kbx
+  register: rt5_pubring
+
+- name: Copy public keyring
+  copy:
+    src: "{{ credentials_dir }}/gpg/helpdesk/"
+    dest: "/etc/rt5/gnupg/"
+    owner: docker-helpdesk
+    group: docker-helpdesk
+    mode: 0600
+    directory_mode: 0700
+  when: "not rt5_pubring.stat.exists"
+
diff --git a/roles/rt5/tasks/main.yml b/roles/rt5/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8a387c8a18070af67c41daf092260559fbc69762
--- /dev/null
+++ b/roles/rt5/tasks/main.yml
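Review bot: The octal modes `mode: 0700` (file task), `mode: 0600` and `directory_mode: 0700` (copy task) are unquoted YAML 1.1 integers; Ansible's own documentation says a leading-zero integer works only sometimes and recommends quoting, so write `mode: "0700"`, `mode: "0600"` and `directory_mode: "0700"`. The same applies to `mode: 0700` on the `/var/lib/rt5` task in roles/rt5/tasks/main.yml. The `stat` task is the only unnamed task in this file; `- name: Check for an existing rt5 keyring` would make `--list-tasks` and run output readable. The comment above it says "RT4 modifies it in place" inside an rt5 role — if it is a carry-over from the rt4 role, update it to say RT5 (or just RT) so the next reader does not wonder whether the rt4 container is still involved.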
@@ -0,0 +1,71 @@
+---
+
+- file:
+    path: /etc/rt5
+    state: directory
+
+- file:
+    path: /var/lib/rt5
+    state: directory
+    owner: docker-helpdesk
+    group: docker-helpdesk
+    mode: 0700
+
+- template:
+    src: rt5.pm.j2
+    dest: /etc/rt5/rt5.pm
+  notify: restart rt5
+
+- template:
+    src: sendmail.json.j2
+    dest: /etc/rt5/sendmail.json
+
+# This is a tiny instance.
+- include_role:
+    name: float-util-mariadb
+  vars:
+    mariadb_instance: rt4
+    mariadb_port: 3337
+    mariadb_metrics_port: 9337
+    mariadb_settings:
+      key_buffer_size: "64M"
+      thread_stack: "192K"
+      sort_buffer_size: "8M"
+      tmp_table_size: "16M"
+      max_heap_table_size: "16M"
+      join_buffer_size: "256K"
+      query_cache_limit: 1048576
+      query_cache_size: "32M"
+      query_cache_type: 1
+      table_open_cache: 128
+      innodb_buffer_pool_size: "128M"
+
+- name: Create MySQL database
+  mysql_db:
+    name: rt4
+    login_unix_socket: "/var/run/mariadb-rt4/server.sock"
+
+- name: Setup rt5 MySQL user
+  mysql_user:
+    name: rt4
+    host: "{{ item }}"
+    password: "{{ rt4_mysql_password }}"
+    login_unix_socket: "/var/run/mariadb-rt4/server.sock"
+    priv: "rt4.*:ALL"
+    state: present
+  loop:
+    - localhost
+    - "%"
+
+- name: Create rt5 SSO session key
+  shell: "dd if=/dev/urandom of=/etc/rt5/sso_session_key bs=32 count=1"
+  args:
+    creates: /etc/rt5/sso_session_key
+
+- name: Install rt5 cron jobs
+  copy:
+    src: rt5.cron
+    dest: /etc/cron.d/rt5
+
+- import_tasks: gpg.yml
+  when: helpdesk_gpg_enabled
diff --git a/roles/rt5/templates/rt5.pm.j2 b/roles/rt5/templates/rt5.pm.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2c911edc7a748f0ba3d6141d1b0d37ee5d274a94
--- /dev/null
+++ b/roles/rt5/templates/rt5.pm.j2
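Review bot: Secret-bearing files under /etc/rt5 are created without an explicit mode: the `template` task that renders rt5.pm (which embeds `rt4_mysql_password`) sets no `owner`/`group`/`mode`, the parent `/etc/rt5` directory is created with none either, and the `shell: "dd if=/dev/urandom of=/etc/rt5/sso_session_key ..."` task leaves the key at root's default umask, so under the usual 022 umask all three very likely end up world-readable on the host. Set an explicit mode on the template task and create the key under a restrictive umask, then fix its ownership with a `file` task as sketched below; which uid reads these files inside the container is not visible in this hunk (the data directory is owned by `docker-helpdesk`, so that is the probable reader), so confirm the owner/group before merging. For consistency with roles/rt5/tasks/gpg.yml the two unnamed `file` tasks and the two `template` tasks would also benefit from `name:` lines.

```yaml
# … unchanged: /etc/rt5 and /var/lib/rt5 directory tasks …

- name: Install rt5 configuration
  template:
    src: rt5.pm.j2
    dest: /etc/rt5/rt5.pm
    owner: root
    group: docker-helpdesk  # TODO confirm the uid the container reads config as
    mode: "0640"
  notify: restart rt5

# … unchanged: sendmail.json template, mariadb role, database and user tasks …

- name: Create rt5 SSO session key
  shell: "umask 077 && dd if=/dev/urandom of=/etc/rt5/sso_session_key bs=32 count=1"
  args:
    creates: /etc/rt5/sso_session_key

- name: Restrict rt5 SSO session key permissions
  file:
    path: /etc/rt5/sso_session_key
    owner: root
    group: docker-helpdesk  # TODO confirm, see above
    mode: "0640"

# … unchanged: cron installation and gpg.yml import …
```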
@@ -0,0 +1,100 @@
+# Set the Organization name and our public URL.
+Set($rtname, '{{ helpdesk_app_name }}');
+Set($WebBaseURL , 'https://helpdesk.autistici.org');
+Set($Organization, '{{ helpdesk_organization }}');
+Set($WebDomain, 'helpdesk.{{ domain_public[0] }}');
+Set($WebPort, 443);
+Set($WebPath, '/rt');
+Set($CanonicalizeRedirectURLs, 1);
+Set($CanonicalizeURLsInFeeds, 1);
+
+# Queues.
+{% if helpdesk_default_queue is defined %}
+Set($DefaultQueue, '{{ helpdesk_default_queue }}');
+{% endif %}
+
+# Enable SSO authentication (tells RT to read the authenticated
+# username from the REMOTE_USER environment variable).
+Set($WebRemoteUserAuth, 1);
+Set($WebRemoteUserContinuous, 1);
+Set($WebRemoteUserAutocreate, 1);
+Set($WebFallbackToRTLogin, 0);
+
+# Security-related parameters that have bad default values.
+Set($RestrictReferrer, 0);
+#Set(%ReferrerComponents, ( '/' => 1, '/index.html' => 1 ));
+Set($WebSecureCookies, 1);
+Set($WebHttpOnlyCookies, 1);
+Set($RestrictLoginReferrer, 1);
+#Set($DisallowExecuteCode, 1);
+Set($Framebusting, 1);
+Set($MessageBoxRichText, undef);
+Set($MaxInlineBody, 10000000);
+Set($PreferRichText, undef);
+
+# Mailer configuration, with our public conversation and
+# comment addresses. VERP is experimentally enabled.
+Set($NotifyActor, 1);
+Set($CorrespondAddress, 'help@{{ domain_public[0] }}');
+Set($CommentAddress, 'help-comment@{{ domain_public[0] }}');
+Set($SetOutgoingMailFrom, 'help@{{ domain_public[0] }}');
+Set($VERPPrefix, 'help+');
+Set($VERPDomain, '{{ domain_public[0] }}');
+
+# Default timezone is UTC.
+Set($Timezone, 'UTC');
+
+# Store attachments on disk.
+Set(%ExternalStorage,
+    Type => 'Disk',
+    Path => '/data/attachments',
+);
+
+# Database connection parameters.
+Set($DatabaseType, 'mysql');
+Set($DatabaseHost, '127.0.0.1');
+Set($DatabaseRTHost, '127.0.0.1');
+Set($DatabasePort, 3337);
+Set($DatabaseUser, 'rt5');
+Set($DatabaseAdmin, 'rt5');
+Set($DatabasePassword, '{{ rt4_mysql_password }}');
+Set($DatabaseName, 'rt4');
+
+# Plugins.
+Plugin('RT::Extension::ExtractCustomFieldValues');
+Plugin('RT::Extension::CommandByMail');
+Set(@MailPlugins, qw(Auth::MailFrom Action::CommandByMail));
+Set($CommandByMailGroup, '111');
+
+
+
+{% if helpdesk_fulltext_enabled %}
+Set(%FullTextSearch,
+    Enable => 1,
+    Indexed => 1,
+    Table => 'AttachmentsIndex',
+);
+{% endif %}
+
+{% if helpdesk_gpg_enabled %}
+Set( %Crypt,
+    RejectOnMissingPrivateKey => 0,
+    RejectOnBadData => 0
+);
+Set(%GnuPG,
+    Enable => 1,
+    OutgoingMessageFormat => 'RFC',
+    GnuPG => '/usr/bin/gpg'
+);
+Set(%GnuPGOptions,
+    'use-agent' => undef,
+    'no-permission-warning' => undef,
+    'homedir' => "/config/gnupg",
+    'passphrase' => '',
+    'trust-model' => 'always',
+    'pinentry-mode' => 'loopback',
+    'keyserver' => 'hkp://keys.openpgp.org',
+    'auto-key-locate' => 'local,keyserver',
+    'keyserver-options' => 'auto-key-retrieve'
+);
+{% endif %}
diff --git a/roles/rt5/templates/sendmail.json.j2 b/roles/rt5/templates/sendmail.json.j2
new file mode 100644
index 0000000000000000000000000000000000000000..8c4fbb9c97c02867dfb80259b3eaf2ae8263b234
--- /dev/null
+++ b/roles/rt5/templates/sendmail.json.j2
@@ -0,0 +1 @@
+{"smtp_server": "mail-frontend.{{ domain }}:10025"}
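Review bot: `Set($DatabaseUser, 'rt5');` and `Set($DatabaseAdmin, 'rt5');` name an account this commit never creates — the `mysql_user` task in roles/rt5/tasks/main.yml creates `rt4` with `priv: "rt4.*:ALL"`, and `$DatabaseName` here is `rt4` — so RT will fail to authenticate unless that user exists outside this role; change both to `'rt4'` (or rename the task side, consistently). Under the heading "Security-related parameters that have bad default values", `Set($RestrictReferrer, 0);` switches off RT's referrer check, which is one of its CSRF protections rather than a bad default; if the SSO front end makes this necessary, a comment on that line saying so and naming what else prevents cross-site state-changing requests is needed, otherwise leave it at the default. In the GnuPG block, `'trust-model' => 'always'` together with `'auto-key-locate' => 'local,keyserver'` and `'keyserver-options' => 'auto-key-retrieve'` means a key fetched on the fly from keys.openpgp.org is treated as fully trusted, so a "good signature" only shows that the sender holds some key published under that address; a comment such as `# trust-model=always + auto-key-retrieve: a valid signature proves key possession, not identity.` should sit above that block. `$WebBaseURL` hardcodes `https://helpdesk.autistici.org` while `$WebDomain` is built from `domain_public[0]`; `Set($WebBaseURL, 'https://helpdesk.{{ domain_public[0] }}');` keeps the two in step.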