Browse Source

Remove encfs and call directory data instead of decrypted

Thomas Buck 5 years ago
parent
commit
31afcaa7b9

+ 1
- 10
README.md View File

@@ -23,7 +23,6 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
23 23
 -   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
24 24
 -   Spam fighting via [Rspamd](https://www.rspamd.com/).
25 25
 -   Mail server verification using [DKIM](http://www.dkim.org/) and [DMARC](http://www.dmarc.org/) so the Internet knows your mailserver is legit.
26
--   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
27 26
 -   Webmail via [Roundcube](http://www.roundcube.net/).
28 27
 -   Mobile push notifications via [Z-Push](http://z-push.sourceforge.net/soswp/index.php?pages_id=1&t=home).
29 28
 -   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
@@ -76,7 +75,7 @@ If you haven’t already, [download and install Tarsnap](https://www.tarsnap.com
76 75
 
77 76
 Create a new machine key for your server:
78 77
 
79
-    tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user me@example.com --machine example.com
78
+    tarsnap-keygen --keyfile roles/tarsnap/files/data_tarsnap.key --user me@example.com --machine example.com
80 79
 
81 80
 ### 3. Prep the server
82 81
 
@@ -196,14 +195,6 @@ Troubleshooting
196 195
 
197 196
 If you run into an errors, please check the [wiki page](https://github.com/sovereign/sovereign/wiki/Troubleshooting). If the problem you encountered, is not listed, please go ahead and [create an issue](https://github.com/sovereign/sovereign/issues/new). If you already have a bugfix and/or workaround, just put them in the issue and the wiki page.
198 197
 
199
-### Reboots
200
-
201
-You will need to manually enter the password for any encrypted volumes on reboot. This is not Sovereign-specific, but rather a function of how EncFS works. This will necessitate SSHing into your machine after reboot, or accessing it via a console interface if one is available to you. Once you're in, run this:
202
-
203
-    encfs /encrypted /decrypted --public
204
-
205
-It is possible that some daemons may need to be restarted after you enter your password for the encrypted volume(s). Some services may stall out while looking for resources that will only be available once the `/decrypted` volume is available and visible to daemon user accounts.
206
-
207 198
 IRC
208 199
 ===
209 200
 

+ 1
- 3
roles/common/defaults/main.yml View File

@@ -4,12 +4,10 @@ main_user_shell: "/bin/bash"
4 4
 friendly_networks:
5 5
   - ""
6 6
 
7
-# encfs
7
+# pass
8 8
 secret_root: '{{ inventory_dir | realpath }}'
9 9
 secret_name: 'secret'
10 10
 secret: '{{ secret_root + "/" + secret_name }}'
11
-encfs_password: "{{ lookup('password', secret + '/' + 'encfs_password', length=32) }}"
12
-
13 11
 
14 12
 # let's encrypt
15 13
 letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"

+ 0
- 28
roles/common/tasks/encfs.yml View File

@@ -1,28 +0,0 @@
1
-- name: Install encfs & fuse
2
-  apt: pkg={{ item }} state=present
3
-  with_items:
4
-    - encfs
5
-    - fuse
6
-    - libfuse-dev
7
-  tags:
8
-    - dependencies
9
-
10
-- name: Create encrypted directory
11
-  file: state=directory path=/encrypted
12
-
13
-- name: Check if the /encrypted directory is empty
14
-  shell: ls /encrypted/*
15
-  ignore_errors: True
16
-  changed_when: False  # never report as "changed"
17
-  register: encfs_check
18
-
19
-- name: If /encrypted is empty, create the encfs there
20
-  shell: printf "p\n{{ encfs_password }}" | encfs /encrypted /decrypted --public --stdinpass && touch /decrypted/test
21
-  when: encfs_check.rc > 0
22
-
23
-- name: If /encrypted isn't empty, mount it (but only if /decrypted/test doesn't exist)
24
-  shell: command="printf '{{ encfs_password }}' | encfs /encrypted /decrypted --public --stdinpass" creates="/decrypted/test"
25
-  when: encfs_check.rc == 0
26
-
27
-- name: Set decrypted directory permissions
28
-  file: state=directory path=/decrypted group=mail mode=0775

+ 4
- 5
roles/common/tasks/main.yml View File

@@ -53,18 +53,17 @@
53 53
 - name: Apticron email configuration
54 54
   template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
55 55
 
56
-- name: Create decrypted directory (even if encfs isn't used)
57
-  file: state=directory path=/decrypted
56
+- name: Create data directory
57
+  file: state=directory path=/data
58 58
 
59
-- name: Set decrypted directory permissions
60
-  file: state=directory path=/decrypted group=mail mode=0775
59
+- name: Set data directory permissions
60
+  file: state=directory path=/data group=mail mode=0775
61 61
 
62 62
 - name: Ensure locale en_US.UTF-8 locale is present
63 63
   locale_gen:
64 64
     name: en_US.UTF-8
65 65
     state: present
66 66
 
67
-- include: encfs.yml tags=encfs
68 67
 - include: users.yml tags=users
69 68
 - include: apache.yml tags=apache
70 69
 - include: ssl.yml tags=ssl

+ 1
- 1
roles/mailserver/files/etc_dovecot_conf.d_10-mail.conf View File

@@ -27,7 +27,7 @@
27 27
 #
28 28
 # <doc/wiki/MailLocation.txt>
29 29
 #
30
-mail_location = maildir:/decrypted/%d/%n
30
+mail_location = maildir:/data/%d/%n
31 31
 
32 32
 # If you need to set multiple mailbox locations or want to change default
33 33
 # namespace settings, you can do it by defining namespace sections.

+ 1
- 1
roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext View File

@@ -18,7 +18,7 @@ passdb {
18 18
 
19 19
 userdb {
20 20
   driver = static
21
-  args = uid=vmail gid=vmail home=/decrypted/%d/%n
21
+  args = uid=vmail gid=vmail home=/data/%d/%n
22 22
 }
23 23
 
24 24
 # If you don't have any user-specific settings, you can avoid the user_query

+ 1
- 1
roles/mailserver/files/etc_solr_conf_solrconfig.xml View File

@@ -114,7 +114,7 @@
114 114
        replication is in use, this should match the replication
115 115
        configuration.
116 116
     -->
117
-  <dataDir>/decrypted/solr</dataDir>
117
+  <dataDir>/data/solr</dataDir>
118 118
 
119 119
 
120 120
   <!-- The DirectoryFactory to use for indexes.

+ 3
- 3
roles/mailserver/tasks/dovecot.yml View File

@@ -20,14 +20,14 @@
20 20
   group: name=vmail state=present gid=5000
21 21
 
22 22
 - name: Create vmail user
23
-  user: name=vmail group=vmail state=present uid=5000 home=/decrypted shell=/usr/sbin/nologin
23
+  user: name=vmail group=vmail state=present uid=5000 home=/data shell=/usr/sbin/nologin
24 24
 
25 25
 - name: Ensure mail domain directories are in place
26
-  file: state=directory path=/decrypted/{{ item.name }} owner=vmail group=dovecot mode=0770
26
+  file: state=directory path=/data/{{ item.name }} owner=vmail group=dovecot mode=0770
27 27
   with_items: '{{ mail_virtual_domains }}'
28 28
 
29 29
 - name: Ensure mail directories are in place
30
-  file: state=directory path=/decrypted/{{ item.domain }}/{{ item.account }} owner=vmail group=dovecot
30
+  file: state=directory path=/data/{{ item.domain }}/{{ item.account }} owner=vmail group=dovecot
31 31
   with_items: '{{ mail_virtual_users }}'
32 32
 
33 33
 - name: Copy dovecot.conf into place

+ 1
- 1
roles/mailserver/tasks/solr.yml View File

@@ -18,5 +18,5 @@
18 18
   notify: restart solr
19 19
 
20 20
 - name: Create Solr index directory
21
-  file: state=directory path=/decrypted/solr group=tomcat7 owner=tomcat7
21
+  file: state=directory path=/data/solr group=tomcat7 owner=tomcat7
22 22
   notify: restart solr

+ 1
- 1
roles/mailserver/tasks/z-push.yml View File

@@ -46,7 +46,7 @@
46 46
 - name: Ensure z-push state and log directories are in place
47 47
   file: state=directory path={{ item }} owner=www-data group=www-data mode=0755
48 48
   with_items:
49
-    - /decrypted/zpush-state
49
+    - /data/zpush-state
50 50
     - /var/log/z-push
51 51
   notify: restart apache
52 52
 

+ 2
- 2
roles/mailserver/templates/usr_share_z-push_config.php.j2 View File

@@ -63,7 +63,7 @@
63 63
 /**********************************************************************************
64 64
  *  Default FileStateMachine settings
65 65
  */
66
-    define('STATE_DIR', '/decrypted/zpush-state/');
66
+    define('STATE_DIR', '/data/zpush-state/');
67 67
 
68 68
 
69 69
 /**********************************************************************************
@@ -303,4 +303,4 @@
303 303
 */
304 304
     );
305 305
 
306
-?>
306
+?>

+ 3
- 3
roles/owncloud/tasks/owncloud.yml View File

@@ -35,9 +35,9 @@
35 35
 - name: Ensure ownCloud directory is in place
36 36
   file: state=directory path=/var/www/owncloud
37 37
 
38
-- name: Move ownCloud data to encrypted filesystem
39
-  command: mv /var/www/owncloud/data /decrypted/owncloud-data creates=/decrypted/owncloud-data
40
-- file: src=/decrypted/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
38
+- name: Move ownCloud data to user-data filesystem
39
+  command: mv /var/www/owncloud/data /data/owncloud-data creates=/data/owncloud-data
40
+- file: src=/data/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
41 41
 
42 42
 - name: Configure Apache for ownCloud
43 43
   template: src=etc_apache2_sites-available_owncloud.j2 dest=/etc/apache2/sites-available/owncloud.conf group=root

roles/tarsnap/files/decrypted_tarsnap.key → roles/tarsnap/files/data_tarsnap.key View File


+ 2
- 2
roles/tarsnap/files/tarsnap.sh View File

@@ -4,7 +4,7 @@
4 4
 # Written by Tim Bishop, 2009.
5 5
 
6 6
 # Directories to backup (relative to /)
7
-DIRS="home root decrypted var/www etc/letsencrypt"
7
+DIRS="home root data var/www etc/letsencrypt"
8 8
 
9 9
 # Number of daily backups to keep
10 10
 DAILY=7
@@ -59,7 +59,7 @@ cd /home/
59 59
 
60 60
 # Dump PostgreSQL to file
61 61
 umask 077
62
-sudo -u postgres pg_dumpall -c | gzip > /decrypted/postgresql-backup.sql.gz
62
+sudo -u postgres pg_dumpall -c | gzip > /data/postgresql-backup.sql.gz
63 63
 
64 64
 # Do backups
65 65
 for dir in $DIRS; do

+ 1
- 1
roles/tarsnap/files/tarsnaprc View File

@@ -1,4 +1,4 @@
1
-keyfile /decrypted/tarsnap.key
1
+keyfile /data/tarsnap.key
2 2
 cachedir /usr/tarsnap-cache
3 3
 exclude /usr/tarsnap-cache
4 4
 humanize-numbers

+ 1
- 1
roles/tarsnap/tasks/tarsnap.yml View File

@@ -70,7 +70,7 @@
70 70
   command: make all install clean chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/usr/local/bin/tarsnap
71 71
 
72 72
 - name: Copy Tarsnap key file into place
73
-  copy: src=decrypted_tarsnap.key dest=/decrypted/tarsnap.key owner=root group=root mode="0600" force=no
73
+  copy: src=data_tarsnap.key dest=/data/tarsnap.key owner=root group=root mode="0600" force=no
74 74
 
75 75
 - name: Create Tarsnap cache directory
76 76
   file: state=directory path=/usr/tarsnap-cache

+ 1
- 1
roles/webmail/DESIGN.md View File

@@ -8,7 +8,7 @@ Roundcube is stable and continues to be actively developed.
8 8
 
9 9
 The role installs roundcube from the source package released by the Roundcube team.  The version is pinned.  Old versions of this role installed Roundcube from apt packages, but the packages for Debian 8 do not install unattended correctly unless mysql is used at the backend.  We want to use only one database server (postgres) to save on RAM, so using packages is not an option for now.
10 10
 
11
-Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/decrypted` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
11
+Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/data` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
12 12
 
13 13
 PHP composer is used for downloading and installing plugins.  Configuration files are kept with sovereign.  The configuration files for `carddav` are not modified from their defaults.  I chose to do this so that maintainers could recognize when configuration files change in future plugin versions and decide whether or not to change new defaults.
14 14
 

+ 1
- 1
roles/webmail/tasks/roundcube.yml View File

@@ -70,7 +70,7 @@
70 70
   template: src=var_www_roundcube_config_config.inc.j2 dest=/var/www/roundcube/config/config.inc.php
71 71
 
72 72
 - name: Create db directory
73
-  file: path=/decrypted/roundcube group=www-data mode=0775 state=directory
73
+  file: path=/data/roundcube group=www-data mode=0775 state=directory
74 74
 
75 75
 - name: Make logs and temp directories writable by web server
76 76
   file: path=/var/www/roundcube/{{ item }} mode=0775 state=directory

+ 1
- 1
roles/webmail/templates/var_www_roundcube_config_config.inc.j2 View File

@@ -25,7 +25,7 @@ $config = array();
25 25
 // For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
26 26
 // NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
27 27
 //       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
28
-$config['db_dsnw'] = 'sqlite:////decrypted/roundcube/sqlite.db?mode=0664';
28
+$config['db_dsnw'] = 'sqlite:////data/roundcube/sqlite.db?mode=0664';
29 29
 
30 30
 // The mail host chosen to perform the log-in.
31 31
 // Leave blank to show a textbox at login, give a list of hosts

+ 1
- 1
roles/xmpp/tasks/prosody.yml View File

@@ -23,7 +23,7 @@
23 23
   copy: src=etc_letsencrypt_postrenew_prosody.sh dest=/etc/letsencrypt/postrenew/prosody.sh mode=0755
24 24
 
25 25
 - name: Create Prosody data directory
26
-  file: state=directory path=/decrypted/prosody owner=prosody group=prosody
26
+  file: state=directory path=/data/prosody owner=prosody group=prosody
27 27
 
28 28
 - name: Configure Prosody
29 29
   template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=prosody

+ 1
- 1
roles/xmpp/templates/prosody.cfg.lua.j2 View File

@@ -146,7 +146,7 @@ log = {
146 146
 	"*syslog";
147 147
 }
148 148
 
149
-data_path = "/decrypted/prosody"
149
+data_path = "/data/prosody"
150 150
 
151 151
 ----------- Virtual hosts -----------
152 152
 -- You need to add a VirtualHost entry for each domain you wish Prosody to serve.

Loading…
Cancel
Save