Remove Tarsnap stuff

CONTRIBUTING.md

@@ -16,7 +16,7 @@ Sovereign is an Ansible playbook that uses the modules in this repository to con
 
 ### Naming
 
-Modules should be named after the software they add (as opposed to the functionality they provide). Soverign is currently inconsistent on this. For example, there are the `ircbouncer` and `blog` modules, but there are also the `owncloud` and `tarsnap` modules. Please name modules after the software used, though, so that it is possible to provide alternatives for functionality.
+Modules should be named after the software they add (as opposed to the functionality they provide). Soverign is currently inconsistent on this. For example, there are the `ircbouncer` and `blog` modules, but there is also the `owncloud` module. Please name modules after the software used, though, so that it is possible to provide alternatives for functionality.
 
 ### Making decisions
 
@@ -56,7 +56,6 @@ The design description should be succinct and to the point. Assume the reader is
 
 Consider the following checklist when reviewing a module's design.
 
-- Does the role create data on the server that is impossible or difficult to reproduce, e.g., private keys? If so, update the tarsnap role to include precious data in backups.
 - Does the role need an SSL certificate for a new subdomain?  If so, update the letsencrypt tasklist in the common role.
 - Does the role add an Apache virtual site?  If so, has somebody knowledgable in Apache configuration and security reviewed the configuration?
 - Does README.md need to be updated based on new or changed finalization instructions?

README.md

@@ -38,7 +38,6 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   Firewall management via [Uncomplicated Firewall (ufw)](https://wiki.ubuntu.com/UncomplicatedFirewall).
 -   Intrusion prevention via [fail2ban](http://www.fail2ban.org/) and rootkit detection via [rkhunter](http://rkhunter.sourceforge.net).
 -   SSH configuration preventing root login and insecure password authentication
--   Nightly backups to [Tarsnap](https://www.tarsnap.com/).
 -   Git hosting via [cgit](http://git.zx2c4.com/cgit/about/) and [gitolite](https://github.com/sitaramc/gitolite).
 -   Read-it-later via [Wallabag](https://www.wallabag.org/)
 -   A bunch of nice-to-have tools like [mosh](http://mosh.mit.edu) and [htop](http://htop.sourceforge.net) that make life with a server a little easier.
@@ -53,7 +52,6 @@ What You’ll Need
 
 1.  A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at [Linode](http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b). You’ll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
 2.  [64-bit Debian 8.3](http://www.debian.org/) or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.)
-3.  A [Tarsnap](http://www.tarsnap.com) account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
 
 You do not need to acquire an SSL certificate.  The SSL certificates you need will be obtained from [Let's Encrypt](https://letsencrypt.org/) automatically when you deploy your server.
 
@@ -69,15 +67,7 @@ The following steps are done on the remote server by `ssh`ing into it and runnin
 
     apt-get install sudo python
 
-### 2. Get a Tarsnap machine key
-
-If you haven’t already, [download and install Tarsnap](https://www.tarsnap.com/download.html), or use `brew install tarsnap` if you use [Homebrew](http://brew.sh).
-
-Create a new machine key for your server:
-
-    tarsnap-keygen --keyfile roles/tarsnap/files/data_tarsnap.key --user me@example.com --machine example.com
-
-### 3. Prep the server
+### 2. Prep the server
 
 For goodness sake, change the root password:
 

roles/common/DESIGN.md

@@ -12,8 +12,6 @@ A single certificate is created using Let's Encrypt with SANs used for the subdo
 
 Several packages need access to the private key. Not all are run as root. An example is Prosody (XMPP). Such users are added to the ssl-cert group, and /etc/letsencrypt is set up to allow keys to be read by ssl-cert.
 
-Certificates and private keys are backed up using tarsnap.
-
 Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
 
 ### Testing support

roles/tarsnap/defaults/main.yml

@@ -1 +0,0 @@
-tarsnap_version: 1.0.36.1

roles/tarsnap/files/data_tarsnap.key

@@ -1,3 +0,0 @@
-# START OF TARSNAP KEY FILE
-TODO
-# END OF TARSNAP KEY FILE

roles/tarsnap/files/tarsnap.sh

@@ -1,96 +0,0 @@
-#!/bin/sh
-
-# Tarsnap backup script
-# Written by Tim Bishop, 2009.
-
-# Directories to backup (relative to /)
-DIRS="home root data var/www etc/letsencrypt"
-
-# Number of daily backups to keep
-DAILY=7
-
-# Number of weekly backups to keep
-WEEKLY=3
-# Which day to do weekly backups on
-# 1-7, Monday = 1
-WEEKLY_DAY=5
-
-# Number of monthly backups to keep
-MONTHLY=1
-# Which day to do monthly backups on
-# 01-31 (leading 0 is important)
-MONTHLY_DAY=01
-
-# Path to tarsnap
-TARSNAP="/usr/local/bin/tarsnap"
-
-# Extra flags to pass to tarsnap
-EXTRA_FLAGS="-L -C /"
-
-# end of config
-
-set -e
-
-# day of week: 1-7, monday = 1
-DOW=`date +%u`
-# day of month: 01-31
-DOM=`date +%d`
-# month of year: 01-12
-MOY=`date +%m`
-# year
-YEAR=`date +%Y`
-# time
-TIME=`date +%H%M%S`
-
-# Backup name
-if [ X"$DOM" = X"$MONTHLY_DAY" ]; then
-	# monthly backup
-	BACKUP="$YEAR$MOY$DOM-$TIME-monthly"
-elif [ X"$DOW" = X"$WEEKLY_DAY" ]; then
-	# weekly backup
-	BACKUP="$YEAR$MOY$DOM-$TIME-weekly"
-else
-	# daily backup
-	BACKUP="$YEAR$MOY$DOM-$TIME-daily"
-fi
-
-# Below command complains to stderr if postgres user cannot write to CWD
-cd /home/
-
-# Dump PostgreSQL to file
-umask 077
-sudo -u postgres pg_dumpall -c | gzip > /data/postgresql-backup.sql.gz
-
-# Do backups
-for dir in $DIRS; do
-	echo "==> create $BACKUP-$dir"
-	$TARSNAP $EXTRA_FLAGS -c -f $BACKUP-$dir $dir
-done
-
-# Backups done, time for cleaning up old archives
-
-# using tail to find archives to delete, but its
-# +n syntax is out by one from what we want to do
-# (also +0 == +1, so we're safe :-)
-DAILY=`expr $DAILY + 1`
-WEEKLY=`expr $WEEKLY + 1`
-MONTHLY=`expr $MONTHLY + 1`
-
-# Do deletes
-TMPFILE=/tmp/tarsnap.archives.$$
-$TARSNAP --list-archives > $TMPFILE
-for dir in $DIRS; do
-	for i in `grep -E "^[[:digit:]]{8}-[[:digit:]]{6}-daily-$dir" $TMPFILE | sort -rn | tail -n +$DAILY`; do
-		echo "==> delete $i"
-		$TARSNAP -d -f $i
-	done
-	for i in `grep -E "^[[:digit:]]{8}-[[:digit:]]{6}-weekly-$dir" $TMPFILE | sort -rn | tail -n +$WEEKLY`; do
-		echo "==> delete $i"
-		$TARSNAP -d -f $i
-	done
-	for i in `grep -E "^[[:digit:]]{8}-[[:digit:]]{6}-monthly-$dir" $TMPFILE | sort -rn | tail -n +$MONTHLY`; do
-		echo "==> delete $i"
-		$TARSNAP -d -f $i
-	done
-done
-rm $TMPFILE

roles/tarsnap/files/tarsnaprc

@@ -1,4 +0,0 @@
-keyfile /data/tarsnap.key
-cachedir /usr/tarsnap-cache
-exclude /usr/tarsnap-cache
-humanize-numbers

roles/tarsnap/tasks/main.yml

@@ -1 +0,0 @@
-- include: tarsnap.yml tags=tarsnap

roles/tarsnap/tasks/tarsnap.yml

@@ -1,85 +0,0 @@
-- name: Check if Tarsnap {{ tarsnap_version }} is installed
-  shell: tarsnap --version | grep {{ tarsnap_version }} --color=never
-  register: tarsnap_installed
-  changed_when: "tarsnap_installed.stderr != ''"
-  ignore_errors: yes
-  tags:
-    - dependencies
-
-- name: Install dependencies for Tarsnap
-  when: tarsnap_installed|failed
-  apt: pkg={{ item }} state=present
-  with_items:
-    - e2fslibs-dev
-    - libssl-dev
-    - zlib1g-dev
-  tags:
-    - dependencies
-
-- name: Download the current tarsnap code signing key
-  when: tarsnap_installed|failed
-  get_url:
-    url=https://www.tarsnap.com/tarsnap-signing-key.asc
-    dest=/root/tarsnap-signing-key.asc
-
-- name: Add the tarsnap code signing key to your list of keys
-  when: tarsnap_installed|failed
-  command:
-    gpg --import tarsnap-signing-key.asc
-    chdir=/root/
-
-- name: Download tarsnap SHA file
-  when: tarsnap_installed|failed
-  get_url:
-    url="https://www.tarsnap.com/download/tarsnap-sigs-{{ tarsnap_version }}.asc"
-    dest="/root/tarsnap-sigs-{{ tarsnap_version }}.asc"
-
-- name: Make the command that gets the current SHA
-  when: tarsnap_installed|failed
-  template:
-    src=getSha.sh
-    dest=/root/getSha.sh
-    mode=0755
-
-- name: Get the SHA256sum for this tarsnap release
-  when: tarsnap_installed|failed
-  command:
-    ./getSha.sh
-    chdir=/root
-  register: tarsnap_sha
-
-- name: Download Tarsnap source
-  when: tarsnap_installed|failed
-  get_url:
-    url="https://www.tarsnap.com/download/tarsnap-autoconf-{{ tarsnap_version }}.tgz"
-    dest="/root/tarsnap-autoconf-{{ tarsnap_version }}.tgz"
-    sha256sum={{ tarsnap_sha.stdout_lines[0] }}
-
-- name: Decompress Tarsnap source
-  when: tarsnap_installed|failed
-  unarchive: src=/root/tarsnap-autoconf-{{ tarsnap_version }}.tgz
-             dest=/root copy=no
-             creates=/root/tarsnap-autoconf-{{ tarsnap_version }}/COPYING
-
-- name: Configure Tarsnap for local build
-  when: tarsnap_installed|failed
-  command: ./configure chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/root/tarsnap-autoconf-{{ tarsnap_version }}/Makefile
-
-- name: Build and install Tarsnap
-  when: tarsnap_installed|failed
-  command: make all install clean chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/usr/local/bin/tarsnap
-
-- name: Copy Tarsnap key file into place
-  copy: src=data_tarsnap.key dest=/data/tarsnap.key owner=root group=root mode="0600" force=no
-
-- name: Create Tarsnap cache directory
-  file: state=directory path=/usr/tarsnap-cache
-
-- name: Install Tarsnap configuration file
-  copy: src=tarsnaprc dest=/root/.tarsnaprc mode="0644"
-
-- name: Install Tarsnap backup handler script
-  copy: src=tarsnap.sh dest=/root/tarsnap.sh mode="0755"
-
-- name: Install nightly Tarsnap-generations cronjob
-  cron: name="Tarsnap backup" hour="3" minute="0" job="sh /root/tarsnap.sh >> /var/log/tarsnap.log"

roles/tarsnap/templates/getSha.sh

@@ -1,5 +0,0 @@
-#!/bin/bash
-gpgResult=`gpg --decrypt tarsnap-sigs-{{ tarsnap_version }}.asc`
-sha=${gpgResult#*=}
-echo $sha > /root/tarsnapSha
-echo $sha

roles/webmail/DESIGN.md

@@ -8,7 +8,7 @@ Roundcube is stable and continues to be actively developed.
 
 The role installs roundcube from the source package released by the Roundcube team.  The version is pinned.  Old versions of this role installed Roundcube from apt packages, but the packages for Debian 8 do not install unattended correctly unless mysql is used at the backend.  We want to use only one database server (postgres) to save on RAM, so using packages is not an option for now.
 
-Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/data` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
+Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/data` since it contains user data.
 
 PHP composer is used for downloading and installing plugins.  Configuration files are kept with sovereign.  The configuration files for `carddav` are not modified from their defaults.  I chose to do this so that maintainers could recognize when configuration files change in future plugin versions and decide whether or not to change new defaults.
 

site.yml

@@ -15,7 +15,6 @@
     - xmpp
     - owncloud
     - vpn
-    - tarsnap
     - news
     - git
     - readlater