
Remove encfs and call directory data instead of decrypted

Thomas Buck 5 years ago
parent
commit
31afcaa7b9

+ 1
- 10
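--- a/README.md
+++ b/README.md
@@ -23,7 +23,6 @@
 -   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
 -   Spam fighting via [Rspamd](https://www.rspamd.com/).
 -   Mail server verification using [DKIM](http://www.dkim.org/) and [DMARC](http://www.dmarc.org/) so the Internet knows your mailserver is legit.
--   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
 -   Webmail via [Roundcube](http://www.roundcube.net/).
 -   Mobile push notifications via [Z-Push](http://z-push.sourceforge.net/soswp/index.php?pages_id=1&t=home).
 -   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
@@ -76,7 +75,7 @@
 
 Create a new machine key for your server:
 
-    tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user me@example.com --machine example.com
+    tarsnap-keygen --keyfile roles/tarsnap/files/data_tarsnap.key --user me@example.com --machine example.com
 
 ### 3. Prep the server
 
@@ -196,14 +195,6 @@
 
 If you run into an errors, please check the [wiki page](https://github.com/sovereign/sovereign/wiki/Troubleshooting). If the problem you encountered, is not listed, please go ahead and [create an issue](https://github.com/sovereign/sovereign/issues/new). If you already have a bugfix and/or workaround, just put them in the issue and the wiki page.
 
-### Reboots
-
-You will need to manually enter the password for any encrypted volumes on reboot. This is not Sovereign-specific, but rather a function of how EncFS works. This will necessitate SSHing into your machine after reboot, or accessing it via a console interface if one is available to you. Once you're in, run this:
-
-    encfs /encrypted /decrypted --public
-
-It is possible that some daemons may need to be restarted after you enter your password for the encrypted volume(s). Some services may stall out while looking for resources that will only be available once the `/decrypted` volume is available and visible to daemon user accounts.
-
 IRC
 ===
 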

+ 1
- 3
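--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -4,12 +4,10 @@
 friendly_networks:
   - ""
 
-# encfs
+# pass
 secret_root: '{{ inventory_dir | realpath }}'
 secret_name: 'secret'
 secret: '{{ secret_root + "/" + secret_name }}'
-encfs_password: "{{ lookup('password', secret + '/' + 'encfs_password', length=32) }}"
-
 
 # let's encrypt
 letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"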
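Review bot: The replacement comment `# pass` on new line 7 does not describe the `secret_root`/`secret_name`/`secret` keys beneath it, and reads as the name of a tool rather than a purpose; `# encfs` at least named the consumer of the variables. With `encfs_password` removed, nothing in this hunk reads `secret` any more, so the comment should say what the directory is for, e.g. `# directory under the inventory where generated secrets (lookup('password', ...)) are kept`. I can't see from this commit whether other roles still reference `secret`; if none do, the three keys are dead and a follow-up could drop them.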

+ 0
- 28
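--- a/roles/common/tasks/encfs.yml
+++ b/roles/common/tasks/encfs.yml
@@ -1,28 +0,0 @@
-- name: Install encfs & fuse
-  apt: pkg={{ item }} state=present
-  with_items:
-    - encfs
-    - fuse
-    - libfuse-dev
-  tags:
-    - dependencies
-
-- name: Create encrypted directory
-  file: state=directory path=/encrypted
-
-- name: Check if the /encrypted directory is empty
-  shell: ls /encrypted/*
-  ignore_errors: True
-  changed_when: False  # never report as "changed"
-  register: encfs_check
-
-- name: If /encrypted is empty, create the encfs there
-  shell: printf "p\n{{ encfs_password }}" | encfs /encrypted /decrypted --public --stdinpass && touch /decrypted/test
-  when: encfs_check.rc > 0
-
-- name: If /encrypted isn't empty, mount it (but only if /decrypted/test doesn't exist)
-  shell: command="printf '{{ encfs_password }}' | encfs /encrypted /decrypted --public --stdinpass" creates="/decrypted/test"
-  when: encfs_check.rc == 0
-
-- name: Set decrypted directory permissions
-  file: state=directory path=/decrypted group=mail mode=0775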

+ 4
- 5
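--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -53,18 +53,17 @@
 - name: Apticron email configuration
   template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
 
-- name: Create decrypted directory (even if encfs isn't used)
-  file: state=directory path=/decrypted
+- name: Create data directory
+  file: state=directory path=/data
 
-- name: Set decrypted directory permissions
-  file: state=directory path=/decrypted group=mail mode=0775
+- name: Set data directory permissions
+  file: state=directory path=/data group=mail mode=0775
 
 - name: Ensure locale en_US.UTF-8 locale is present
   locale_gen:
     name: en_US.UTF-8
     state: present
 
-- include: encfs.yml tags=encfs
 - include: users.yml tags=users
 - include: apache.yml tags=apache
 - include: ssl.yml tags=ssl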
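Review bot: `Create data directory` and `Set data directory permissions` (new lines 56-60) are two `file` tasks on the same path; the first only existed to create `/decrypted` when the encfs include was skipped, and with `- include: encfs.yml` removed at old line 67 it is redundant, so the pair can become one task, `- name: Create data directory` / `  file: state=directory path=/data group=mail mode=0775`. Separately, the commit drops the encrypted volume without any task that moves existing content from `/decrypted` to `/data` (I see no migration step anywhere in this commit), so an existing host re-run against this playbook gets an empty `/data` while Dovecot, Solr, Roundcube and the rest are re-pointed at it. That, and the fact that mail, backups and the Tarsnap key under `/data` are now stored unencrypted on disk, deserves at least a note in the README where the removed "Reboots" section used to be.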

+ 1
- 1
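--- a/roles/mailserver/files/etc_dovecot_conf.d_10-mail.conf
+++ b/roles/mailserver/files/etc_dovecot_conf.d_10-mail.conf
@@ -27,7 +27,7 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-mail_location = maildir:/decrypted/%d/%n
+mail_location = maildir:/data/%d/%n
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.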

+ 1
- 1
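--- a/roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext
+++ b/roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext
@@ -18,7 +18,7 @@
 
 userdb {
   driver = static
-  args = uid=vmail gid=vmail home=/decrypted/%d/%n
+  args = uid=vmail gid=vmail home=/data/%d/%n
 }
 
 # If you don't have any user-specific settings, you can avoid the user_query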

+ 1
- 1
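--- a/roles/mailserver/files/etc_solr_conf_solrconfig.xml
+++ b/roles/mailserver/files/etc_solr_conf_solrconfig.xml
@@ -114,7 +114,7 @@
       replication is in use, this should match the replication
       configuration.
     -->
-  <dataDir>/decrypted/solr</dataDir>
+  <dataDir>/data/solr</dataDir>
 
 
   <!-- The DirectoryFactory to use for indexes.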

+ 3
- 3
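--- a/roles/mailserver/tasks/dovecot.yml
+++ b/roles/mailserver/tasks/dovecot.yml
@@ -20,14 +20,14 @@
   group: name=vmail state=present gid=5000
 
 - name: Create vmail user
-  user: name=vmail group=vmail state=present uid=5000 home=/decrypted shell=/usr/sbin/nologin
+  user: name=vmail group=vmail state=present uid=5000 home=/data shell=/usr/sbin/nologin
 
 - name: Ensure mail domain directories are in place
-  file: state=directory path=/decrypted/{{ item.name }} owner=vmail group=dovecot mode=0770
+  file: state=directory path=/data/{{ item.name }} owner=vmail group=dovecot mode=0770
   with_items: '{{ mail_virtual_domains }}'
 
 - name: Ensure mail directories are in place
-  file: state=directory path=/decrypted/{{ item.domain }}/{{ item.account }} owner=vmail group=dovecot
+  file: state=directory path=/data/{{ item.domain }}/{{ item.account }} owner=vmail group=dovecot
   with_items: '{{ mail_virtual_users }}'
 
 - name: Copy dovecot.conf into place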

+ 1
- 1
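--- a/roles/mailserver/tasks/solr.yml
+++ b/roles/mailserver/tasks/solr.yml
@@ -18,5 +18,5 @@
   notify: restart solr
 
 - name: Create Solr index directory
-  file: state=directory path=/decrypted/solr group=tomcat7 owner=tomcat7
+  file: state=directory path=/data/solr group=tomcat7 owner=tomcat7
   notify: restart solr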

+ 1
- 1
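--- a/roles/mailserver/tasks/z-push.yml
+++ b/roles/mailserver/tasks/z-push.yml
@@ -46,7 +46,7 @@
 - name: Ensure z-push state and log directories are in place
   file: state=directory path={{ item }} owner=www-data group=www-data mode=0755
   with_items:
-    - /decrypted/zpush-state
+    - /data/zpush-state
     - /var/log/z-push
   notify: restart apache
 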

+ 2
- 2
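--- a/roles/mailserver/templates/usr_share_z-push_config.php.j2
+++ b/roles/mailserver/templates/usr_share_z-push_config.php.j2
@@ -63,7 +63,7 @@
 /**********************************************************************************
  *  Default FileStateMachine settings
  */
-    define('STATE_DIR', '/decrypted/zpush-state/');
+    define('STATE_DIR', '/data/zpush-state/');
 
 
 /**********************************************************************************
@@ -303,4 +303,4 @@
 */
     );
 
-?>
+?>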

+ 3
- 3
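--- a/roles/owncloud/tasks/owncloud.yml
+++ b/roles/owncloud/tasks/owncloud.yml
@@ -35,9 +35,9 @@
 - name: Ensure ownCloud directory is in place
   file: state=directory path=/var/www/owncloud
 
-- name: Move ownCloud data to encrypted filesystem
-  command: mv /var/www/owncloud/data /decrypted/owncloud-data creates=/decrypted/owncloud-data
-- file: src=/decrypted/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
+- name: Move ownCloud data to user-data filesystem
+  command: mv /var/www/owncloud/data /data/owncloud-data creates=/data/owncloud-data
+- file: src=/data/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
 
 - name: Configure Apache for ownCloud
   template: src=etc_apache2_sites-available_owncloud.j2 dest=/etc/apache2/sites-available/owncloud.conf group=root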
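Review bot: The symlink task at new line 40 still carries no `name:`, so it appears in the play output as an anonymous `file` step immediately after the `mv`; since these lines are being rewritten anyway, `- name: Link ownCloud data directory back into /var/www` would make the run log readable. The `mv` at new line 39 is guarded only by `creates=/data/owncloud-data`, so on a host where `/var/www/owncloud/data` does not exist (for instance one already migrated under the old `/decrypted` path) the command fails instead of being skipped; that predates the rename, but adding `removes=/var/www/owncloud/data` next to `creates=` would make the task idempotent in that case. I can't see from this hunk whether an earlier task guarantees the source directory exists.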

roles/tarsnap/files/decrypted_tarsnap.key → roles/tarsnap/files/data_tarsnap.key View File


+ 2
- 2
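--- a/roles/tarsnap/files/tarsnap.sh
+++ b/roles/tarsnap/files/tarsnap.sh
@@ -4,7 +4,7 @@
 # Written by Tim Bishop, 2009.
 
 # Directories to backup (relative to /)
-DIRS="home root decrypted var/www etc/letsencrypt"
+DIRS="home root data var/www etc/letsencrypt"
 
 # Number of daily backups to keep
 DAILY=7
@@ -59,7 +59,7 @@
 
 # Dump PostgreSQL to file
 umask 077
-sudo -u postgres pg_dumpall -c | gzip > /decrypted/postgresql-backup.sql.gz
+sudo -u postgres pg_dumpall -c | gzip > /data/postgresql-backup.sql.gz
 
 # Do backups
 for dir in $DIRS; do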

+ 1
- 1
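--- a/roles/tarsnap/files/tarsnaprc
+++ b/roles/tarsnap/files/tarsnaprc
@@ -1,4 +1,4 @@
-keyfile /decrypted/tarsnap.key
+keyfile /data/tarsnap.key
 cachedir /usr/tarsnap-cache
 exclude /usr/tarsnap-cache
 humanize-numbers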

+ 1
- 1
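--- a/roles/tarsnap/tasks/tarsnap.yml
+++ b/roles/tarsnap/tasks/tarsnap.yml
@@ -70,7 +70,7 @@
   command: make all install clean chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/usr/local/bin/tarsnap
 
 - name: Copy Tarsnap key file into place
-  copy: src=decrypted_tarsnap.key dest=/decrypted/tarsnap.key owner=root group=root mode="0600" force=no
+  copy: src=data_tarsnap.key dest=/data/tarsnap.key owner=root group=root mode="0600" force=no
 
 - name: Create Tarsnap cache directory
   file: state=directory path=/usr/tarsnap-cache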
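Review bot: After this rename the Tarsnap key sits unencrypted at `/data/tarsnap.key` (new line 73), in the same tree that `roles/common/tasks/main.yml` creates as `group=mail mode=0775`, that `dovecot.yml` makes the `vmail` user's home, and that `tarsnap.sh` sweeps into every archive via `DIRS`; the file's own `mode="0600"` is now the only thing separating a root-only credential from the service accounts that share the directory. `/root` is the conventional location for a root-owned secret, with `keyfile /data/tarsnap.key` in `tarsnaprc` (its only hunk) updated to match; if the key is meant to stay under `/data`, a comment on this task recording why would at least make the choice deliberate, e.g. `# kept under /data so it is included in the tarsnap backup set`. I can't tell from this commit whether anything else reads the key path.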

+ 1
- 1
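--- a/roles/webmail/DESIGN.md
+++ b/roles/webmail/DESIGN.md
@@ -8,7 +8,7 @@
 
 The role installs roundcube from the source package released by the Roundcube team.  The version is pinned.  Old versions of this role installed Roundcube from apt packages, but the packages for Debian 8 do not install unattended correctly unless mysql is used at the backend.  We want to use only one database server (postgres) to save on RAM, so using packages is not an option for now.
 
-Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/decrypted` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
+Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/data` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
 
 PHP composer is used for downloading and installing plugins.  Configuration files are kept with sovereign.  The configuration files for `carddav` are not modified from their defaults.  I chose to do this so that maintainers could recognize when configuration files change in future plugin versions and decide whether or not to change new defaults.
 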

+ 1
- 1
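--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -70,7 +70,7 @@
   template: src=var_www_roundcube_config_config.inc.j2 dest=/var/www/roundcube/config/config.inc.php
 
 - name: Create db directory
-  file: path=/decrypted/roundcube group=www-data mode=0775 state=directory
+  file: path=/data/roundcube group=www-data mode=0775 state=directory
 
 - name: Make logs and temp directories writable by web server
   file: path=/var/www/roundcube/{{ item }} mode=0775 state=directory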

+ 1
- 1
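--- a/roles/webmail/templates/var_www_roundcube_config_config.inc.j2
+++ b/roles/webmail/templates/var_www_roundcube_config_config.inc.j2
@@ -25,7 +25,7 @@
 // For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
 // NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
 //       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
-$config['db_dsnw'] = 'sqlite:////decrypted/roundcube/sqlite.db?mode=0664';
+$config['db_dsnw'] = 'sqlite:////data/roundcube/sqlite.db?mode=0664';
 
 // The mail host chosen to perform the log-in.
 // Leave blank to show a textbox at login, give a list of hosts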

+ 1
- 1
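--- a/roles/xmpp/tasks/prosody.yml
+++ b/roles/xmpp/tasks/prosody.yml
@@ -23,7 +23,7 @@
   copy: src=etc_letsencrypt_postrenew_prosody.sh dest=/etc/letsencrypt/postrenew/prosody.sh mode=0755
 
 - name: Create Prosody data directory
-  file: state=directory path=/decrypted/prosody owner=prosody group=prosody
+  file: state=directory path=/data/prosody owner=prosody group=prosody
 
 - name: Configure Prosody
   template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=prosody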

+ 1
- 1
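--- a/roles/xmpp/templates/prosody.cfg.lua.j2
+++ b/roles/xmpp/templates/prosody.cfg.lua.j2
@@ -146,7 +146,7 @@
 	"*syslog";
 }
 
-data_path = "/decrypted/prosody"
+data_path = "/data/prosody"
 
 ----------- Virtual hosts -----------
 -- You need to add a VirtualHost entry for each domain you wish Prosody to serve.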
