Remove encfs and call directory data instead of decrypted

README.md

@@ -23,7 +23,6 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
 -   Spam fighting via [Rspamd](https://www.rspamd.com/).
 -   Mail server verification using [DKIM](http://www.dkim.org/) and [DMARC](http://www.dmarc.org/) so the Internet knows your mailserver is legit.
--   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
 -   Webmail via [Roundcube](http://www.roundcube.net/).
 -   Mobile push notifications via [Z-Push](http://z-push.sourceforge.net/soswp/index.php?pages_id=1&t=home).
 -   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
@@ -76,7 +75,7 @@ If you haven’t already, [download and install Tarsnap](https://www.tarsnap.com
 
 Create a new machine key for your server:
 
-    tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user me@example.com --machine example.com
+    tarsnap-keygen --keyfile roles/tarsnap/files/data_tarsnap.key --user me@example.com --machine example.com
 
 ### 3. Prep the server
 
@@ -196,14 +195,6 @@ Troubleshooting
 
 If you run into an errors, please check the [wiki page](https://github.com/sovereign/sovereign/wiki/Troubleshooting). If the problem you encountered, is not listed, please go ahead and [create an issue](https://github.com/sovereign/sovereign/issues/new). If you already have a bugfix and/or workaround, just put them in the issue and the wiki page.
 
-### Reboots
-
-You will need to manually enter the password for any encrypted volumes on reboot. This is not Sovereign-specific, but rather a function of how EncFS works. This will necessitate SSHing into your machine after reboot, or accessing it via a console interface if one is available to you. Once you're in, run this:
-
-    encfs /encrypted /decrypted --public
-
-It is possible that some daemons may need to be restarted after you enter your password for the encrypted volume(s). Some services may stall out while looking for resources that will only be available once the `/decrypted` volume is available and visible to daemon user accounts.
-
 IRC
 ===
 

roles/common/defaults/main.yml

@@ -4,12 +4,10 @@ main_user_shell: "/bin/bash"
 friendly_networks:
   - ""
 
-# encfs
+# pass
 secret_root: '{{ inventory_dir | realpath }}'
 secret_name: 'secret'
 secret: '{{ secret_root + "/" + secret_name }}'
-encfs_password: "{{ lookup('password', secret + '/' + 'encfs_password', length=32) }}"
-
 
 # let's encrypt
 letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"

roles/common/tasks/encfs.yml

@@ -1,28 +0,0 @@
-- name: Install encfs & fuse
-  apt: pkg={{ item }} state=present
-  with_items:
-    - encfs
-    - fuse
-    - libfuse-dev
-  tags:
-    - dependencies
-
-- name: Create encrypted directory
-  file: state=directory path=/encrypted
-
-- name: Check if the /encrypted directory is empty
-  shell: ls /encrypted/*
-  ignore_errors: True
-  changed_when: False  # never report as "changed"
-  register: encfs_check
-
-- name: If /encrypted is empty, create the encfs there
-  shell: printf "p\n{{ encfs_password }}" | encfs /encrypted /decrypted --public --stdinpass && touch /decrypted/test
-  when: encfs_check.rc > 0
-
-- name: If /encrypted isn't empty, mount it (but only if /decrypted/test doesn't exist)
-  shell: command="printf '{{ encfs_password }}' | encfs /encrypted /decrypted --public --stdinpass" creates="/decrypted/test"
-  when: encfs_check.rc == 0
-
-- name: Set decrypted directory permissions
-  file: state=directory path=/decrypted group=mail mode=0775

roles/common/tasks/main.yml

@@ -53,18 +53,17 @@
 - name: Apticron email configuration
   template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
 
-- name: Create decrypted directory (even if encfs isn't used)
-  file: state=directory path=/decrypted
+- name: Create data directory
+  file: state=directory path=/data
 
-- name: Set decrypted directory permissions
-  file: state=directory path=/decrypted group=mail mode=0775
+- name: Set data directory permissions
+  file: state=directory path=/data group=mail mode=0775
 
 - name: Ensure locale en_US.UTF-8 locale is present
   locale_gen:
     name: en_US.UTF-8
     state: present
 
-- include: encfs.yml tags=encfs
 - include: users.yml tags=users
 - include: apache.yml tags=apache
 - include: ssl.yml tags=ssl

roles/mailserver/files/etc_dovecot_conf.d_10-mail.conf

@@ -27,7 +27,7 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-mail_location = maildir:/decrypted/%d/%n
+mail_location = maildir:/data/%d/%n
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.

roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext

@@ -18,7 +18,7 @@ passdb {
 
 userdb {
   driver = static
-  args = uid=vmail gid=vmail home=/decrypted/%d/%n
+  args = uid=vmail gid=vmail home=/data/%d/%n
 }
 
 # If you don't have any user-specific settings, you can avoid the user_query

roles/mailserver/files/etc_solr_conf_solrconfig.xml

@@ -114,7 +114,7 @@
        replication is in use, this should match the replication
        configuration.
     -->
-  <dataDir>/decrypted/solr</dataDir>
+  <dataDir>/data/solr</dataDir>
 
 
   <!-- The DirectoryFactory to use for indexes.

roles/mailserver/tasks/dovecot.yml

@@ -20,14 +20,14 @@
   group: name=vmail state=present gid=5000
 
 - name: Create vmail user
-  user: name=vmail group=vmail state=present uid=5000 home=/decrypted shell=/usr/sbin/nologin
+  user: name=vmail group=vmail state=present uid=5000 home=/data shell=/usr/sbin/nologin
 
 - name: Ensure mail domain directories are in place
-  file: state=directory path=/decrypted/{{ item.name }} owner=vmail group=dovecot mode=0770
+  file: state=directory path=/data/{{ item.name }} owner=vmail group=dovecot mode=0770
   with_items: '{{ mail_virtual_domains }}'
 
 - name: Ensure mail directories are in place
-  file: state=directory path=/decrypted/{{ item.domain }}/{{ item.account }} owner=vmail group=dovecot
+  file: state=directory path=/data/{{ item.domain }}/{{ item.account }} owner=vmail group=dovecot
   with_items: '{{ mail_virtual_users }}'
 
 - name: Copy dovecot.conf into place

roles/mailserver/tasks/solr.yml

@@ -18,5 +18,5 @@
   notify: restart solr
 
 - name: Create Solr index directory
-  file: state=directory path=/decrypted/solr group=tomcat7 owner=tomcat7
+  file: state=directory path=/data/solr group=tomcat7 owner=tomcat7
   notify: restart solr

roles/mailserver/tasks/z-push.yml

@@ -46,7 +46,7 @@
 - name: Ensure z-push state and log directories are in place
   file: state=directory path={{ item }} owner=www-data group=www-data mode=0755
   with_items:
-    - /decrypted/zpush-state
+    - /data/zpush-state
     - /var/log/z-push
   notify: restart apache
 

roles/mailserver/templates/usr_share_z-push_config.php.j2

@@ -63,7 +63,7 @@
 /**********************************************************************************
  *  Default FileStateMachine settings
  */
-    define('STATE_DIR', '/decrypted/zpush-state/');
+    define('STATE_DIR', '/data/zpush-state/');
 
 
 /**********************************************************************************
@@ -303,4 +303,4 @@
 */
     );
 
-?>
+?>

roles/owncloud/tasks/owncloud.yml

@@ -35,9 +35,9 @@
 - name: Ensure ownCloud directory is in place
   file: state=directory path=/var/www/owncloud
 
-- name: Move ownCloud data to encrypted filesystem
-  command: mv /var/www/owncloud/data /decrypted/owncloud-data creates=/decrypted/owncloud-data
-- file: src=/decrypted/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
+- name: Move ownCloud data to user-data filesystem
+  command: mv /var/www/owncloud/data /data/owncloud-data creates=/data/owncloud-data
+- file: src=/data/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
 
 - name: Configure Apache for ownCloud
   template: src=etc_apache2_sites-available_owncloud.j2 dest=/etc/apache2/sites-available/owncloud.conf group=root

roles/tarsnap/files/tarsnap.sh

@@ -4,7 +4,7 @@
 # Written by Tim Bishop, 2009.
 
 # Directories to backup (relative to /)
-DIRS="home root decrypted var/www etc/letsencrypt"
+DIRS="home root data var/www etc/letsencrypt"
 
 # Number of daily backups to keep
 DAILY=7
@@ -59,7 +59,7 @@ cd /home/
 
 # Dump PostgreSQL to file
 umask 077
-sudo -u postgres pg_dumpall -c | gzip > /decrypted/postgresql-backup.sql.gz
+sudo -u postgres pg_dumpall -c | gzip > /data/postgresql-backup.sql.gz
 
 # Do backups
 for dir in $DIRS; do

roles/tarsnap/files/tarsnaprc

@@ -1,4 +1,4 @@
-keyfile /decrypted/tarsnap.key
+keyfile /data/tarsnap.key
 cachedir /usr/tarsnap-cache
 exclude /usr/tarsnap-cache
 humanize-numbers

roles/tarsnap/tasks/tarsnap.yml

@@ -70,7 +70,7 @@
   command: make all install clean chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/usr/local/bin/tarsnap
 
 - name: Copy Tarsnap key file into place
-  copy: src=decrypted_tarsnap.key dest=/decrypted/tarsnap.key owner=root group=root mode="0600" force=no
+  copy: src=data_tarsnap.key dest=/data/tarsnap.key owner=root group=root mode="0600" force=no
 
 - name: Create Tarsnap cache directory
   file: state=directory path=/usr/tarsnap-cache

roles/webmail/DESIGN.md

@@ -8,7 +8,7 @@ Roundcube is stable and continues to be actively developed.
 
 The role installs roundcube from the source package released by the Roundcube team.  The version is pinned.  Old versions of this role installed Roundcube from apt packages, but the packages for Debian 8 do not install unattended correctly unless mysql is used at the backend.  We want to use only one database server (postgres) to save on RAM, so using packages is not an option for now.
 
-Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/decrypted` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
+Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/data` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
 
 PHP composer is used for downloading and installing plugins.  Configuration files are kept with sovereign.  The configuration files for `carddav` are not modified from their defaults.  I chose to do this so that maintainers could recognize when configuration files change in future plugin versions and decide whether or not to change new defaults.
 

roles/webmail/tasks/roundcube.yml

@@ -70,7 +70,7 @@
   template: src=var_www_roundcube_config_config.inc.j2 dest=/var/www/roundcube/config/config.inc.php
 
 - name: Create db directory
-  file: path=/decrypted/roundcube group=www-data mode=0775 state=directory
+  file: path=/data/roundcube group=www-data mode=0775 state=directory
 
 - name: Make logs and temp directories writable by web server
   file: path=/var/www/roundcube/{{ item }} mode=0775 state=directory

roles/webmail/templates/var_www_roundcube_config_config.inc.j2

@@ -25,7 +25,7 @@ $config = array();
 // For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
 // NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
 //       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
-$config['db_dsnw'] = 'sqlite:////decrypted/roundcube/sqlite.db?mode=0664';
+$config['db_dsnw'] = 'sqlite:////data/roundcube/sqlite.db?mode=0664';
 
 // The mail host chosen to perform the log-in.
 // Leave blank to show a textbox at login, give a list of hosts

roles/xmpp/tasks/prosody.yml

@@ -23,7 +23,7 @@
   copy: src=etc_letsencrypt_postrenew_prosody.sh dest=/etc/letsencrypt/postrenew/prosody.sh mode=0755
 
 - name: Create Prosody data directory
-  file: state=directory path=/decrypted/prosody owner=prosody group=prosody
+  file: state=directory path=/data/prosody owner=prosody group=prosody
 
 - name: Configure Prosody
   template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=prosody

roles/xmpp/templates/prosody.cfg.lua.j2

@@ -146,7 +146,7 @@ log = {
 	"*syslog";
 }
 
-data_path = "/decrypted/prosody"
+data_path = "/data/prosody"
 
 ----------- Virtual hosts -----------
 -- You need to add a VirtualHost entry for each domain you wish Prosody to serve.