소스 검색

Remove Tarsnap stuff

Thomas Buck 5 년 전
부모
커밋
82a931b55d

+ 1
- 2
CONTRIBUTING.md 파일 보기

@@ -16,7 +16,7 @@ Sovereign is an Ansible playbook that uses the modules in this repository to con
16 16
 
17 17
 ### Naming
18 18
 
19
-Modules should be named after the software they add (as opposed to the functionality they provide). Soverign is currently inconsistent on this. For example, there are the `ircbouncer` and `blog` modules, but there are also the `owncloud` and `tarsnap` modules. Please name modules after the software used, though, so that it is possible to provide alternatives for functionality.
19
+Modules should be named after the software they add (as opposed to the functionality they provide). Soverign is currently inconsistent on this. For example, there are the `ircbouncer` and `blog` modules, but there is also the `owncloud` module. Please name modules after the software used, though, so that it is possible to provide alternatives for functionality.
20 20
 
21 21
 ### Making decisions
22 22
 
@@ -56,7 +56,6 @@ The design description should be succinct and to the point. Assume the reader is
56 56
 
57 57
 Consider the following checklist when reviewing a module's design.
58 58
 
59
-- Does the role create data on the server that is impossible or difficult to reproduce, e.g., private keys? If so, update the tarsnap role to include precious data in backups.
60 59
 - Does the role need an SSL certificate for a new subdomain?  If so, update the letsencrypt tasklist in the common role.
61 60
 - Does the role add an Apache virtual site?  If so, has somebody knowledgable in Apache configuration and security reviewed the configuration?
62 61
 - Does README.md need to be updated based on new or changed finalization instructions?

+ 1
- 11
README.md 파일 보기

@@ -38,7 +38,6 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
38 38
 -   Firewall management via [Uncomplicated Firewall (ufw)](https://wiki.ubuntu.com/UncomplicatedFirewall).
39 39
 -   Intrusion prevention via [fail2ban](http://www.fail2ban.org/) and rootkit detection via [rkhunter](http://rkhunter.sourceforge.net).
40 40
 -   SSH configuration preventing root login and insecure password authentication
41
--   Nightly backups to [Tarsnap](https://www.tarsnap.com/).
42 41
 -   Git hosting via [cgit](http://git.zx2c4.com/cgit/about/) and [gitolite](https://github.com/sitaramc/gitolite).
43 42
 -   Read-it-later via [Wallabag](https://www.wallabag.org/)
44 43
 -   A bunch of nice-to-have tools like [mosh](http://mosh.mit.edu) and [htop](http://htop.sourceforge.net) that make life with a server a little easier.
@@ -53,7 +52,6 @@ What You’ll Need
53 52
 
54 53
 1.  A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at [Linode](http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b). You’ll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
55 54
 2.  [64-bit Debian 8.3](http://www.debian.org/) or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.)
56
-3.  A [Tarsnap](http://www.tarsnap.com) account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
57 55
 
58 56
 You do not need to acquire an SSL certificate.  The SSL certificates you need will be obtained from [Let's Encrypt](https://letsencrypt.org/) automatically when you deploy your server.
59 57
 
@@ -69,15 +67,7 @@ The following steps are done on the remote server by `ssh`ing into it and runnin
69 67
 
70 68
     apt-get install sudo python
71 69
 
72
-### 2. Get a Tarsnap machine key
73
-
74
-If you haven’t already, [download and install Tarsnap](https://www.tarsnap.com/download.html), or use `brew install tarsnap` if you use [Homebrew](http://brew.sh).
75
-
76
-Create a new machine key for your server:
77
-
78
-    tarsnap-keygen --keyfile roles/tarsnap/files/data_tarsnap.key --user me@example.com --machine example.com
79
-
80
-### 3. Prep the server
70
+### 2. Prep the server
81 71
 
82 72
 For goodness sake, change the root password:
83 73
 

+ 0
- 2
roles/common/DESIGN.md 파일 보기

@@ -12,8 +12,6 @@ A single certificate is created using Let's Encrypt with SANs used for the subdo
12 12
 
13 13
 Several packages need access to the private key. Not all are run as root. An example is Prosody (XMPP). Such users are added to the ssl-cert group, and /etc/letsencrypt is set up to allow keys to be read by ssl-cert.
14 14
 
15
-Certificates and private keys are backed up using tarsnap.
16
-
17 15
 Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
18 16
 
19 17
 ### Testing support

+ 0
- 1
roles/tarsnap/defaults/main.yml 파일 보기

@@ -1 +0,0 @@
1
-tarsnap_version: 1.0.36.1

+ 0
- 3
roles/tarsnap/files/data_tarsnap.key 파일 보기

@@ -1,3 +0,0 @@
1
-# START OF TARSNAP KEY FILE
2
-TODO
3
-# END OF TARSNAP KEY FILE

+ 0
- 96
roles/tarsnap/files/tarsnap.sh 파일 보기

@@ -1,96 +0,0 @@
1
-#!/bin/sh
2
-
3
-# Tarsnap backup script
4
-# Written by Tim Bishop, 2009.
5
-
6
-# Directories to backup (relative to /)
7
-DIRS="home root data var/www etc/letsencrypt"
8
-
9
-# Number of daily backups to keep
10
-DAILY=7
11
-
12
-# Number of weekly backups to keep
13
-WEEKLY=3
14
-# Which day to do weekly backups on
15
-# 1-7, Monday = 1
16
-WEEKLY_DAY=5
17
-
18
-# Number of monthly backups to keep
19
-MONTHLY=1
20
-# Which day to do monthly backups on
21
-# 01-31 (leading 0 is important)
22
-MONTHLY_DAY=01
23
-
24
-# Path to tarsnap
25
-TARSNAP="/usr/local/bin/tarsnap"
26
-
27
-# Extra flags to pass to tarsnap
28
-EXTRA_FLAGS="-L -C /"
29
-
30
-# end of config
31
-
32
-set -e
33
-
34
-# day of week: 1-7, monday = 1
35
-DOW=`date +%u`
36
-# day of month: 01-31
37
-DOM=`date +%d`
38
-# month of year: 01-12
39
-MOY=`date +%m`
40
-# year
41
-YEAR=`date +%Y`
42
-# time
43
-TIME=`date +%H%M%S`
44
-
45
-# Backup name
46
-if [ X"$DOM" = X"$MONTHLY_DAY" ]; then
47
-	# monthly backup
48
-	BACKUP="$YEAR$MOY$DOM-$TIME-monthly"
49
-elif [ X"$DOW" = X"$WEEKLY_DAY" ]; then
50
-	# weekly backup
51
-	BACKUP="$YEAR$MOY$DOM-$TIME-weekly"
52
-else
53
-	# daily backup
54
-	BACKUP="$YEAR$MOY$DOM-$TIME-daily"
55
-fi
56
-
57
-# Below command complains to stderr if postgres user cannot write to CWD
58
-cd /home/
59
-
60
-# Dump PostgreSQL to file
61
-umask 077
62
-sudo -u postgres pg_dumpall -c | gzip > /data/postgresql-backup.sql.gz
63
-
64
-# Do backups
65
-for dir in $DIRS; do
66
-	echo "==> create $BACKUP-$dir"
67
-	$TARSNAP $EXTRA_FLAGS -c -f $BACKUP-$dir $dir
68
-done
69
-
70
-# Backups done, time for cleaning up old archives
71
-
72
-# using tail to find archives to delete, but its
73
-# +n syntax is out by one from what we want to do
74
-# (also +0 == +1, so we're safe :-)
75
-DAILY=`expr $DAILY + 1`
76
-WEEKLY=`expr $WEEKLY + 1`
77
-MONTHLY=`expr $MONTHLY + 1`
78
-
79
-# Do deletes
80
-TMPFILE=/tmp/tarsnap.archives.$$
81
-$TARSNAP --list-archives > $TMPFILE
82
-for dir in $DIRS; do
83
-	for i in `grep -E "^[[:digit:]]{8}-[[:digit:]]{6}-daily-$dir" $TMPFILE | sort -rn | tail -n +$DAILY`; do
84
-		echo "==> delete $i"
85
-		$TARSNAP -d -f $i
86
-	done
87
-	for i in `grep -E "^[[:digit:]]{8}-[[:digit:]]{6}-weekly-$dir" $TMPFILE | sort -rn | tail -n +$WEEKLY`; do
88
-		echo "==> delete $i"
89
-		$TARSNAP -d -f $i
90
-	done
91
-	for i in `grep -E "^[[:digit:]]{8}-[[:digit:]]{6}-monthly-$dir" $TMPFILE | sort -rn | tail -n +$MONTHLY`; do
92
-		echo "==> delete $i"
93
-		$TARSNAP -d -f $i
94
-	done
95
-done
96
-rm $TMPFILE

+ 0
- 4
roles/tarsnap/files/tarsnaprc 파일 보기

@@ -1,4 +0,0 @@
1
-keyfile /data/tarsnap.key
2
-cachedir /usr/tarsnap-cache
3
-exclude /usr/tarsnap-cache
4
-humanize-numbers

+ 0
- 1
roles/tarsnap/tasks/main.yml 파일 보기

@@ -1 +0,0 @@
1
-- include: tarsnap.yml tags=tarsnap

+ 0
- 85
roles/tarsnap/tasks/tarsnap.yml 파일 보기

@@ -1,85 +0,0 @@
1
-- name: Check if Tarsnap {{ tarsnap_version }} is installed
2
-  shell: tarsnap --version | grep {{ tarsnap_version }} --color=never
3
-  register: tarsnap_installed
4
-  changed_when: "tarsnap_installed.stderr != ''"
5
-  ignore_errors: yes
6
-  tags:
7
-    - dependencies
8
-
9
-- name: Install dependencies for Tarsnap
10
-  when: tarsnap_installed|failed
11
-  apt: pkg={{ item }} state=present
12
-  with_items:
13
-    - e2fslibs-dev
14
-    - libssl-dev
15
-    - zlib1g-dev
16
-  tags:
17
-    - dependencies
18
-
19
-- name: Download the current tarsnap code signing key
20
-  when: tarsnap_installed|failed
21
-  get_url:
22
-    url=https://www.tarsnap.com/tarsnap-signing-key.asc
23
-    dest=/root/tarsnap-signing-key.asc
24
-
25
-- name: Add the tarsnap code signing key to your list of keys
26
-  when: tarsnap_installed|failed
27
-  command:
28
-    gpg --import tarsnap-signing-key.asc
29
-    chdir=/root/
30
-
31
-- name: Download tarsnap SHA file
32
-  when: tarsnap_installed|failed
33
-  get_url:
34
-    url="https://www.tarsnap.com/download/tarsnap-sigs-{{ tarsnap_version }}.asc"
35
-    dest="/root/tarsnap-sigs-{{ tarsnap_version }}.asc"
36
-
37
-- name: Make the command that gets the current SHA
38
-  when: tarsnap_installed|failed
39
-  template:
40
-    src=getSha.sh
41
-    dest=/root/getSha.sh
42
-    mode=0755
43
-
44
-- name: Get the SHA256sum for this tarsnap release
45
-  when: tarsnap_installed|failed
46
-  command:
47
-    ./getSha.sh
48
-    chdir=/root
49
-  register: tarsnap_sha
50
-
51
-- name: Download Tarsnap source
52
-  when: tarsnap_installed|failed
53
-  get_url:
54
-    url="https://www.tarsnap.com/download/tarsnap-autoconf-{{ tarsnap_version }}.tgz"
55
-    dest="/root/tarsnap-autoconf-{{ tarsnap_version }}.tgz"
56
-    sha256sum={{ tarsnap_sha.stdout_lines[0] }}
57
-
58
-- name: Decompress Tarsnap source
59
-  when: tarsnap_installed|failed
60
-  unarchive: src=/root/tarsnap-autoconf-{{ tarsnap_version }}.tgz
61
-             dest=/root copy=no
62
-             creates=/root/tarsnap-autoconf-{{ tarsnap_version }}/COPYING
63
-
64
-- name: Configure Tarsnap for local build
65
-  when: tarsnap_installed|failed
66
-  command: ./configure chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/root/tarsnap-autoconf-{{ tarsnap_version }}/Makefile
67
-
68
-- name: Build and install Tarsnap
69
-  when: tarsnap_installed|failed
70
-  command: make all install clean chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/usr/local/bin/tarsnap
71
-
72
-- name: Copy Tarsnap key file into place
73
-  copy: src=data_tarsnap.key dest=/data/tarsnap.key owner=root group=root mode="0600" force=no
74
-
75
-- name: Create Tarsnap cache directory
76
-  file: state=directory path=/usr/tarsnap-cache
77
-
78
-- name: Install Tarsnap configuration file
79
-  copy: src=tarsnaprc dest=/root/.tarsnaprc mode="0644"
80
-
81
-- name: Install Tarsnap backup handler script
82
-  copy: src=tarsnap.sh dest=/root/tarsnap.sh mode="0755"
83
-
84
-- name: Install nightly Tarsnap-generations cronjob
85
-  cron: name="Tarsnap backup" hour="3" minute="0" job="sh /root/tarsnap.sh >> /var/log/tarsnap.log"

+ 0
- 5
roles/tarsnap/templates/getSha.sh 파일 보기

@@ -1,5 +0,0 @@
1
-#!/bin/bash
2
-gpgResult=`gpg --decrypt tarsnap-sigs-{{ tarsnap_version }}.asc`
3
-sha=${gpgResult#*=}
4
-echo $sha > /root/tarsnapSha
5
-echo $sha

+ 1
- 1
roles/webmail/DESIGN.md 파일 보기

@@ -8,7 +8,7 @@ Roundcube is stable and continues to be actively developed.
8 8
 
9 9
 The role installs roundcube from the source package released by the Roundcube team.  The version is pinned.  Old versions of this role installed Roundcube from apt packages, but the packages for Debian 8 do not install unattended correctly unless mysql is used at the backend.  We want to use only one database server (postgres) to save on RAM, so using packages is not an option for now.
10 10
 
11
-Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/data` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
11
+Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/data` since it contains user data.
12 12
 
13 13
 PHP composer is used for downloading and installing plugins.  Configuration files are kept with sovereign.  The configuration files for `carddav` are not modified from their defaults.  I chose to do this so that maintainers could recognize when configuration files change in future plugin versions and decide whether or not to change new defaults.
14 14
 

+ 0
- 1
site.yml 파일 보기

@@ -15,7 +15,6 @@
15 15
     - xmpp
16 16
     - owncloud
17 17
     - vpn
18
-    - tarsnap
19 18
     - news
20 19
     - git
21 20
     - readlater

Loading…
취소
저장