
Remove encfs and call directory data instead of decrypted

Thomas Buck 5 年之前
31afcaa7b9

+ 1
- 10
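--- a/README.md
+++ b/README.md
@@ -23,7 +23,6 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
 -   Spam fighting via [Rspamd](https://www.rspamd.com/).
 -   Mail server verification using [DKIM](http://www.dkim.org/) and [DMARC](http://www.dmarc.org/) so the Internet knows your mailserver is legit.
--   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
 -   Webmail via [Roundcube](http://www.roundcube.net/).
 -   Mobile push notifications via [Z-Push](http://z-push.sourceforge.net/soswp/index.php?pages_id=1&t=home).
 -   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
@@ -76,7 +75,7 @@ If you haven’t already, [download and install Tarsnap](https://www.tarsnap.com
 
 Create a new machine key for your server:
 
-    tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user me@example.com --machine example.com
+    tarsnap-keygen --keyfile roles/tarsnap/files/data_tarsnap.key --user me@example.com --machine example.com
 
 ### 3. Prep the server
 
@@ -196,14 +195,6 @@ Troubleshooting
 
 If you run into an errors, please check the [wiki page](https://github.com/sovereign/sovereign/wiki/Troubleshooting). If the problem you encountered, is not listed, please go ahead and [create an issue](https://github.com/sovereign/sovereign/issues/new). If you already have a bugfix and/or workaround, just put them in the issue and the wiki page.
 
-### Reboots
-
-You will need to manually enter the password for any encrypted volumes on reboot. This is not Sovereign-specific, but rather a function of how EncFS works. This will necessitate SSHing into your machine after reboot, or accessing it via a console interface if one is available to you. Once you're in, run this:
-
-    encfs /encrypted /decrypted --public
-
-It is possible that some daemons may need to be restarted after you enter your password for the encrypted volume(s). Some services may stall out while looking for resources that will only be available once the `/decrypted` volume is available and visible to daemon user accounts.
-
 IRC
 ===
 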

+ 1
- 3
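--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -4,12 +4,10 @@ main_user_shell: "/bin/bash"
 friendly_networks:
   - ""
 
-# encfs
+# pass
 secret_root: '{{ inventory_dir | realpath }}'
 secret_name: 'secret'
 secret: '{{ secret_root + "/" + secret_name }}'
-encfs_password: "{{ lookup('password', secret + '/' + 'encfs_password', length=32) }}"
-
 
 # let's encrypt
 letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"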
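Review bot: The replacement header comment `# pass` does not say what `secret_root`, `secret_name` and `secret` are for now that their only consumer visible here, `encfs_password`, is deleted. Presumably other roles still call `lookup('password', secret + '/...')`, so a comment that explains the contract would help: `# secrets: directory on the control machine where Ansible's password lookup stores generated credentials ({{ secret }}); keep it out of version control`. If nothing else references `secret`, the three variables are dead and can be dropped with the password. Note also that an existing `secret/encfs_password` file on the control machine is still the only way to mount an old `/encrypted` volume for migration, so the comment could tell operators not to delete it.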

+ 0
- 28
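--- a/roles/common/tasks/encfs.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-- name: Install encfs & fuse
-  apt: pkg={{ item }} state=present
-  with_items:
-    - encfs
-    - fuse
-    - libfuse-dev
-  tags:
-    - dependencies
-
-- name: Create encrypted directory
-  file: state=directory path=/encrypted
-
-- name: Check if the /encrypted directory is empty
-  shell: ls /encrypted/*
-  ignore_errors: True
-  changed_when: False  # never report as "changed"
-  register: encfs_check
-
-- name: If /encrypted is empty, create the encfs there
-  shell: printf "p\n{{ encfs_password }}" | encfs /encrypted /decrypted --public --stdinpass && touch /decrypted/test
-  when: encfs_check.rc > 0
-
-- name: If /encrypted isn't empty, mount it (but only if /decrypted/test doesn't exist)
-  shell: command="printf '{{ encfs_password }}' | encfs /encrypted /decrypted --public --stdinpass" creates="/decrypted/test"
-  when: encfs_check.rc == 0
-
-- name: Set decrypted directory permissions
-  file: state=directory path=/decrypted group=mail mode=0775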

+ 4
- 5
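--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -53,18 +53,17 @@
 - name: Apticron email configuration
   template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
 
-- name: Create decrypted directory (even if encfs isn't used)
-  file: state=directory path=/decrypted
+- name: Create data directory
+  file: state=directory path=/data
 
-- name: Set decrypted directory permissions
-  file: state=directory path=/decrypted group=mail mode=0775
+- name: Set data directory permissions
+  file: state=directory path=/data group=mail mode=0775
 
 - name: Ensure locale en_US.UTF-8 locale is present
 locale_gen:
     name: en_US.UTF-8
     state: present
 
-- include: encfs.yml tags=encfs
 - include: users.yml tags=users
 - include: apache.yml tags=apache
 - include: ssl.yml tags=ssl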
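Review bot: The `Create data directory` task creates `/data` on whatever filesystem holds `/` and nothing verifies that a dedicated or encrypted volume is mounted there, so with the EncFS include gone the mail spool, Solr index, Z-Push state, ownCloud data, Roundcube database, Prosody data and the tarsnap key — all pointed at `/data` elsewhere in this commit — end up in the clear on the root filesystem without any warning. A comment on the task would at least make the trade-off explicit: `# /data holds all user data (mail, ownCloud, Roundcube, Prosody, Solr, tarsnap key). Sovereign no longer encrypts it; if at-rest encryption is wanted, mount a LUKS volume on /data before provisioning — this task will silently create a plain directory otherwise.` If you want the playbook to enforce it, a `stat`/`mount` check that fails when `/data` is not a mountpoint could be added behind a variable, but the comment alone closes the documentation gap the removed README "Reboots" section leaves. The `mode=0775` also lets every local user list the per-domain and per-account directory names under `/data`; `0770` would keep them to the `mail` group.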

+ 1
- 1
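--- a/roles/mailserver/files/etc_dovecot_conf.d_10-mail.conf
+++ b/roles/mailserver/files/etc_dovecot_conf.d_10-mail.conf
@@ -27,7 +27,7 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-mail_location = maildir:/decrypted/%d/%n
+mail_location = maildir:/data/%d/%n
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.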

+ 1
- 1
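--- a/roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext
+++ b/roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext
@@ -18,7 +18,7 @@ passdb {
 
 userdb {
   driver = static
-  args = uid=vmail gid=vmail home=/decrypted/%d/%n
+  args = uid=vmail gid=vmail home=/data/%d/%n
 }
 
 # If you don't have any user-specific settings, you can avoid the user_query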

+ 1
- 1
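--- a/roles/mailserver/files/etc_solr_conf_solrconfig.xml
+++ b/roles/mailserver/files/etc_solr_conf_solrconfig.xml
@@ -114,7 +114,7 @@
        replication is in use, this should match the replication
        configuration.
     -->
-  <dataDir>/decrypted/solr</dataDir>
+  <dataDir>/data/solr</dataDir>
 
 
   <!-- The DirectoryFactory to use for indexes.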

+ 3
- 3
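--- a/roles/mailserver/tasks/dovecot.yml
+++ b/roles/mailserver/tasks/dovecot.yml
@@ -20,14 +20,14 @@
   group: name=vmail state=present gid=5000
 
 - name: Create vmail user
-  user: name=vmail group=vmail state=present uid=5000 home=/decrypted shell=/usr/sbin/nologin
+  user: name=vmail group=vmail state=present uid=5000 home=/data shell=/usr/sbin/nologin
 
 - name: Ensure mail domain directories are in place
-  file: state=directory path=/decrypted/{{ item.name }} owner=vmail group=dovecot mode=0770
+  file: state=directory path=/data/{{ item.name }} owner=vmail group=dovecot mode=0770
   with_items: '{{ mail_virtual_domains }}'
 
 - name: Ensure mail directories are in place
-  file: state=directory path=/decrypted/{{ item.domain }}/{{ item.account }} owner=vmail group=dovecot
+  file: state=directory path=/data/{{ item.domain }}/{{ item.account }} owner=vmail group=dovecot
   with_items: '{{ mail_virtual_users }}'
 
 - name: Copy dovecot.conf into place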

+ 1
- 1
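--- a/roles/mailserver/tasks/solr.yml
+++ b/roles/mailserver/tasks/solr.yml
@@ -18,5 +18,5 @@
   notify: restart solr
 
 - name: Create Solr index directory
-  file: state=directory path=/decrypted/solr group=tomcat7 owner=tomcat7
+  file: state=directory path=/data/solr group=tomcat7 owner=tomcat7
   notify: restart solr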

+ 1
- 1
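--- a/roles/mailserver/tasks/z-push.yml
+++ b/roles/mailserver/tasks/z-push.yml
@@ -46,7 +46,7 @@
 - name: Ensure z-push state and log directories are in place
   file: state=directory path={{ item }} owner=www-data group=www-data mode=0755
   with_items:
-    - /decrypted/zpush-state
+    - /data/zpush-state
     - /var/log/z-push
   notify: restart apache
 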

+ 2
- 2
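--- a/roles/mailserver/templates/usr_share_z-push_config.php.j2
+++ b/roles/mailserver/templates/usr_share_z-push_config.php.j2
@@ -63,7 +63,7 @@
 /**********************************************************************************
  *  Default FileStateMachine settings
  */
-    define('STATE_DIR', '/decrypted/zpush-state/');
+    define('STATE_DIR', '/data/zpush-state/');
 
 
 /**********************************************************************************
@@ -303,4 +303,4 @@
 */
     );
 
-?>
+?>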

+ 3
- 3
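--- a/roles/owncloud/tasks/owncloud.yml
+++ b/roles/owncloud/tasks/owncloud.yml
@@ -35,9 +35,9 @@
 - name: Ensure ownCloud directory is in place
   file: state=directory path=/var/www/owncloud
 
-- name: Move ownCloud data to encrypted filesystem
-  command: mv /var/www/owncloud/data /decrypted/owncloud-data creates=/decrypted/owncloud-data
-- file: src=/decrypted/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
+- name: Move ownCloud data to user-data filesystem
+  command: mv /var/www/owncloud/data /data/owncloud-data creates=/data/owncloud-data
+- file: src=/data/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
 
 - name: Configure Apache for ownCloud
   template: src=etc_apache2_sites-available_owncloud.j2 dest=/etc/apache2/sites-available/owncloud.conf group=root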
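Review bot: On a host provisioned before this commit, `/var/www/owncloud/data` is no longer a directory but the symlink the `state=link` task created (pointing at `/decrypted/owncloud-data`), so `mv /var/www/owncloud/data /data/owncloud-data` relocates the symlink rather than the data: `/data/owncloud-data` becomes a link into the old, now-unmounted EncFS path, the `creates=` guard then treats the move as done, and the following `file` task links to a dangling link. Nothing in the commit handles that upgrade path. I would register a `stat` of `/var/www/owncloud/data` before the `mv` and either skip the move when `stat.islnk` is true or `fail` with a message telling the operator to move the old `/decrypted/owncloud-data` contents into `/data/owncloud-data` by hand first. The bare `- file:` task would also read better with a `name:` like the tasks around it.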

roles/tarsnap/files/decrypted_tarsnap.key → roles/tarsnap/files/data_tarsnap.key 查看文件


+ 2
- 2
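--- a/roles/tarsnap/files/tarsnap.sh
+++ b/roles/tarsnap/files/tarsnap.sh
@@ -4,7 +4,7 @@
 # Written by Tim Bishop, 2009.
 
 # Directories to backup (relative to /)
-DIRS="home root decrypted var/www etc/letsencrypt"
+DIRS="home root data var/www etc/letsencrypt"
 
 # Number of daily backups to keep
 DAILY=7
@@ -59,7 +59,7 @@ cd /home/
 
 # Dump PostgreSQL to file
 umask 077
-sudo -u postgres pg_dumpall -c | gzip > /decrypted/postgresql-backup.sql.gz
+sudo -u postgres pg_dumpall -c | gzip > /data/postgresql-backup.sql.gz
 
 # Do backups
 for dir in $DIRS; do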

+ 1
- 1
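--- a/roles/tarsnap/files/tarsnaprc
+++ b/roles/tarsnap/files/tarsnaprc
@@ -1,4 +1,4 @@
-keyfile /decrypted/tarsnap.key
+keyfile /data/tarsnap.key
 cachedir /usr/tarsnap-cache
 exclude /usr/tarsnap-cache
 humanize-numbers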

+ 1
- 1
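--- a/roles/tarsnap/tasks/tarsnap.yml
+++ b/roles/tarsnap/tasks/tarsnap.yml
@@ -70,7 +70,7 @@
   command: make all install clean chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/usr/local/bin/tarsnap
 
 - name: Copy Tarsnap key file into place
-  copy: src=decrypted_tarsnap.key dest=/decrypted/tarsnap.key owner=root group=root mode="0600" force=no
+  copy: src=data_tarsnap.key dest=/data/tarsnap.key owner=root group=root mode="0600" force=no
 
 - name: Create Tarsnap cache directory
   file: state=directory path=/usr/tarsnap-cache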
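Review bot: `/data/tarsnap.key` now sits on the plain root filesystem protected only by `mode="0600"`, where before this commit the `/decrypted` mount gave it a second layer, and `data` is also in the `DIRS` list of `tarsnap.sh`, so the key is archived into the very backups it unlocks. The README still generates this file with `tarsnap-keygen`, which produces a key carrying read, write and delete rights; anyone who lifts it from a compromised server can read or nuke every archive. Consider keeping the full key off the host and deploying a write-only key instead, e.g. `tarsnap-keymgmt --outkeyfile roles/tarsnap/files/data_tarsnap.key -w <full-key>`, and saying so in a comment on this task: `# deploy a write-only key (tarsnap-keymgmt -w); the full key must not live on the server`.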

+ 1
- 1
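--- a/roles/webmail/DESIGN.md
+++ b/roles/webmail/DESIGN.md
@@ -8,7 +8,7 @@ Roundcube is stable and continues to be actively developed.
 
 The role installs roundcube from the source package released by the Roundcube team.  The version is pinned.  Old versions of this role installed Roundcube from apt packages, but the packages for Debian 8 do not install unattended correctly unless mysql is used at the backend.  We want to use only one database server (postgres) to save on RAM, so using packages is not an option for now.
 
-Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/decrypted` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
+Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/data` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
 
 PHP composer is used for downloading and installing plugins.  Configuration files are kept with sovereign.  The configuration files for `carddav` are not modified from their defaults.  I chose to do this so that maintainers could recognize when configuration files change in future plugin versions and decide whether or not to change new defaults.
 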

+ 1
- 1
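--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -70,7 +70,7 @@
   template: src=var_www_roundcube_config_config.inc.j2 dest=/var/www/roundcube/config/config.inc.php
 
 - name: Create db directory
-  file: path=/decrypted/roundcube group=www-data mode=0775 state=directory
+  file: path=/data/roundcube group=www-data mode=0775 state=directory
 
 - name: Make logs and temp directories writable by web server
   file: path=/var/www/roundcube/{{ item }} mode=0775 state=directory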

+ 1
- 1
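--- a/roles/webmail/templates/var_www_roundcube_config_config.inc.j2
+++ b/roles/webmail/templates/var_www_roundcube_config_config.inc.j2
@@ -25,7 +25,7 @@ $config = array();
 // For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
 // NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
 //       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
-$config['db_dsnw'] = 'sqlite:////decrypted/roundcube/sqlite.db?mode=0664';
+$config['db_dsnw'] = 'sqlite:////data/roundcube/sqlite.db?mode=0664';
 
 // The mail host chosen to perform the log-in.
 // Leave blank to show a textbox at login, give a list of hosts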

+ 1
- 1
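--- a/roles/xmpp/tasks/prosody.yml
+++ b/roles/xmpp/tasks/prosody.yml
@@ -23,7 +23,7 @@
   copy: src=etc_letsencrypt_postrenew_prosody.sh dest=/etc/letsencrypt/postrenew/prosody.sh mode=0755
 
 - name: Create Prosody data directory
-  file: state=directory path=/decrypted/prosody owner=prosody group=prosody
+  file: state=directory path=/data/prosody owner=prosody group=prosody
 
 - name: Configure Prosody
   template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=prosody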

+ 1
- 1
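--- a/roles/xmpp/templates/prosody.cfg.lua.j2
+++ b/roles/xmpp/templates/prosody.cfg.lua.j2
@@ -146,7 +146,7 @@ log = {
 	"*syslog";
 }
 
-data_path = "/decrypted/prosody"
+data_path = "/data/prosody"
 
 ----------- Virtual hosts -----------
 -- You need to add a VirtualHost entry for each domain you wish Prosody to serve.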
