瀏覽代碼

Merge branch 'jessie'

This commit merges the jessie branch to master.  It's a recursive merge
with direction to take conflicting hunks from the jessie
branch (-Xours).
Mike Ashley 8 年之前
父節點
當前提交
95a0837fd3
共有 100 個文件被更改,包括 1100 次插入2137 次删除
  1. 3
    2
      .gitignore
  2. 1
    2
      .travis.yml
  3. 1
    0
      .vagrant/provisioners/ansible/inventory/secret/db_admin_password
  4. 1
    0
      .vagrant/provisioners/ansible/inventory/secret/encfs_password
  5. 1
    0
      .vagrant/provisioners/ansible/inventory/secret/mail_db_opendmarc_password
  6. 1
    0
      .vagrant/provisioners/ansible/inventory/secret/mail_db_password
  7. 1
    0
      .vagrant/provisioners/ansible/inventory/secret/owncloud_db_password
  8. 1
    0
      .vagrant/provisioners/ansible/inventory/secret/selfoss_db_password
  9. 1
    0
      .vagrant/provisioners/ansible/inventory/secret/selfoss_password_hash
  10. 1
    0
      .vagrant/provisioners/ansible/inventory/secret/wallabag_db_password
  11. 1
    0
      .vagrant/provisioners/ansible/inventory/secret/wallabag_salt
  12. 7
    0
      CONTRIBUTING.md
  13. 37
    52
      README.md
  14. 20
    38
      Vagrantfile
  15. 57
    0
      group_vars/sovereign
  16. 25
    41
      group_vars/testing
  17. 4
    2
      hosts
  18. 1
    1
      requirements.txt
  19. 1
    2
      roles/blog/templates/etc_apache2_sites-available_blog.j2
  20. 29
    0
      roles/common/DESIGN.md
  21. 34
    0
      roles/common/defaults/main.yml
  22. 8
    0
      roles/common/files/etc_cron-daily_letsencrypt-renew
  23. 13
    0
      roles/common/files/letsencrypt-gencert
  24. 18
    18
      roles/common/files/wildcard_ca.pem
  25. 28
    27
      roles/common/files/wildcard_private.key
  26. 18
    18
      roles/common/files/wildcard_public_cert.crt
  27. 17
    0
      roles/common/tasks/apache.yml
  28. 4
    13
      roles/common/tasks/encfs.yml
  29. 5
    19
      roles/common/tasks/google_auth.yml
  30. 0
    41
      roles/common/tasks/google_auth_mod.yml
  31. 104
    0
      roles/common/tasks/letsencrypt.yml
  32. 5
    36
      roles/common/tasks/main.yml
  33. 6
    2
      roles/common/tasks/ntp.yml
  34. 5
    49
      roles/common/tasks/ssl.yml
  35. 2
    7
      roles/common/tasks/ufw.yml
  36. 0
    5
      roles/common/templates/apt_sources.list.j2
  37. 9
    9
      roles/common/templates/etc_apache2_conf-available_ssl.conf.j2
  38. 0
    4
      roles/common/templates/etc_fail2ban_jail.local.j2
  39. 8
    0
      roles/common/templates/etc_letsencrypt_cli.conf.j2
  40. 5
    0
      roles/common/templates/etc_ssh_ssh_config.j2
  41. 4
    1
      roles/common/templates/sudoers.j2
  42. 3
    0
      roles/git/defaults/main.yml
  43. 1
    1
      roles/git/tasks/cgit.yml
  44. 4
    17
      roles/git/tasks/gitolite.yml
  45. 0
    31
      roles/git/tasks/gitolite_packaged.yml
  46. 0
    3
      roles/git/tasks/main.yml
  47. 2
    4
      roles/git/templates/etc_apache2_sites-available_cgit.j2
  48. 1
    0
      roles/ircbouncer/defaults/main.yml
  49. 0
    139
      roles/ircbouncer/files/etc_init.d_znc
  50. 11
    0
      roles/ircbouncer/files/etc_systemd_system_znc.service
  51. 33
    38
      roles/ircbouncer/tasks/znc.yml
  52. 7
    0
      roles/ircbouncer/templates/etc_letsencrypt_postrenew_znc.sh.j2
  53. 1
    1
      roles/ircbouncer/templates/usr_lib_znc_configs_znc.conf.j2
  54. 29
    0
      roles/mailserver/defaults/main.yml
  55. 0
    13
      roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf
  56. 0
    43
      roles/mailserver/files/etc_dspam_default.prefs
  57. 0
    699
      roles/mailserver/files/etc_dspam_dspam.conf
  58. 0
    80
      roles/mailserver/files/etc_opendmarc_import.sql
  59. 0
    1
      roles/mailserver/files/etc_postfix_dspam_filter_access
  60. 12
    14
      roles/mailserver/files/etc_postfix_master.cf
  61. 12
    0
      roles/mailserver/files/etc_rmilter.conf.common
  62. 25
    30
      roles/mailserver/files/etc_tomcat7_server.xml
  63. 8
    0
      roles/mailserver/files/lib_systemd_system_rmilter.socket
  64. 7
    1
      roles/mailserver/handlers/main.yml
  65. 17
    39
      roles/mailserver/tasks/dovecot.yml
  66. 0
    44
      roles/mailserver/tasks/dspam.yml
  67. 2
    2
      roles/mailserver/tasks/main.yml
  68. 1
    1
      roles/mailserver/tasks/opendkim.yml
  69. 7
    14
      roles/mailserver/tasks/opendmarc.yml
  70. 8
    18
      roles/mailserver/tasks/postfix.yml
  71. 36
    0
      roles/mailserver/tasks/rspamd.yml
  72. 3
    13
      roles/mailserver/tasks/solr.yml
  73. 3
    10
      roles/mailserver/tasks/z-push.yml
  74. 1
    2
      roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
  75. 2
    2
      roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2
  76. 308
    31
      roles/mailserver/templates/etc_opendmarc.conf.j2
  77. 3
    0
      roles/mailserver/templates/etc_opendmarc_report.sh.j2
  78. 7
    9
      roles/mailserver/templates/etc_postfix_main.cf.j2
  79. 2
    2
      roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2
  80. 4
    0
      roles/monitoring/defaults/main.yml
  81. 1
    3
      roles/monitoring/files/etc_apache2_sites-available_00-status.conf
  82. 0
    206
      roles/monitoring/files/etc_init.d_collectd
  83. 4
    4
      roles/monitoring/files/etc_monit_conf.d_apache2
  84. 2
    2
      roles/monitoring/files/etc_monit_conf.d_dovecot
  85. 3
    3
      roles/monitoring/files/etc_monit_conf.d_pgsql
  86. 3
    3
      roles/monitoring/files/etc_monit_conf.d_postfix
  87. 3
    3
      roles/monitoring/files/etc_monit_conf.d_sshd
  88. 3
    3
      roles/monitoring/files/etc_monit_conf.d_tomcat
  89. 2
    2
      roles/monitoring/files/etc_monit_conf.d_znc
  90. 10
    63
      roles/monitoring/tasks/collectd.yml
  91. 9
    8
      roles/monitoring/tasks/monit.yml
  92. 13
    16
      roles/monitoring/templates/etc_collectd_collectd.conf.j2
  93. 0
    5
      roles/newebe/files/newebe.conf
  94. 0
    7
      roles/newebe/files/supervisor.conf
  95. 0
    3
      roles/newebe/handlers/main.yml
  96. 0
    1
      roles/newebe/tasks/main.yml
  97. 0
    87
      roles/newebe/tasks/newebe.yml
  98. 0
    20
      roles/newebe/templates/etc_apache2_sites-available_newebe.j2
  99. 0
    7
      roles/newebe/templates/usr_local_etc_newebe_config.j2
  100. 0
    0
      roles/news/defaults/main.yml

+ 3
- 2
.gitignore 查看文件

@@ -1,3 +1,4 @@
1
-.vagrant
2
-vagrant_ansible_inventory_default
1
+.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory
2
+.vagrant/machines
3 3
 tests.pyc
4
+secret

+ 1
- 2
.travis.yml 查看文件

@@ -4,8 +4,7 @@ cache:
4 4
   directories:
5 5
     - $HOME/.cache/pip
6 6
 install:
7
-  # TODO: use requirements.txt when ansible updated to >= 1.9
8
-  - pip install ansible
7
+  - pip install -r requirements.txt
9 8
   - pip install -r test-requirements.txt
10 9
 script:
11 10
   - ansible-playbook --syntax-check -i hosts site.yml

+ 1
- 0
.vagrant/provisioners/ansible/inventory/secret/db_admin_password 查看文件

@@ -0,0 +1 @@
1
+postgres

+ 1
- 0
.vagrant/provisioners/ansible/inventory/secret/encfs_password 查看文件

@@ -0,0 +1 @@
1
+testPassword

+ 1
- 0
.vagrant/provisioners/ansible/inventory/secret/mail_db_opendmarc_password 查看文件

@@ -0,0 +1 @@
1
+testPassword

+ 1
- 0
.vagrant/provisioners/ansible/inventory/secret/mail_db_password 查看文件

@@ -0,0 +1 @@
1
+testPassword

+ 1
- 0
.vagrant/provisioners/ansible/inventory/secret/owncloud_db_password 查看文件

@@ -0,0 +1 @@
1
+testPassword

+ 1
- 0
.vagrant/provisioners/ansible/inventory/secret/selfoss_db_password 查看文件

@@ -0,0 +1 @@
1
+testPassword

+ 1
- 0
.vagrant/provisioners/ansible/inventory/secret/selfoss_password_hash 查看文件

@@ -0,0 +1 @@
1
+f7fbba6e0636f890e56fbbf3283e524c6fa3204ae298382d624741d0dc6638326e282c41be5e4254d8820772c5518a2c5a8c0c7f7eda19594a7eb539453e1ed7

+ 1
- 0
.vagrant/provisioners/ansible/inventory/secret/wallabag_db_password 查看文件

@@ -0,0 +1 @@
1
+testPassword

+ 1
- 0
.vagrant/provisioners/ansible/inventory/secret/wallabag_salt 查看文件

@@ -0,0 +1 @@
1
+testing

+ 7
- 0
CONTRIBUTING.md 查看文件

@@ -4,6 +4,8 @@
4 4
 
5 5
 Make sure you agree with the license (GPLv3). See [LICENSE.md](./LICENSE.md) for details.
6 6
 
7
+Code that is committed to the master branch should work with both Debian 8 "Jessie" (and Ubuntu 16.04 LTS "Xenial" once it is available).
8
+
7 9
 ## Development environment
8 10
 
9 11
 You'll want to set up a [local development environment](https://github.com/sovereign/sovereign/wiki/Development-Environment) so that you don't have to test on a remote server.
@@ -12,6 +14,10 @@ You'll want to set up a [local development environment](https://github.com/sover
12 14
 
13 15
 Sovereign is an Ansible playbook that uses the modules in this repository to configure a server. Modules should conform to the following design principles.
14 16
 
17
+### Naming
18
+
19
+Modules should be named after the software they add (as opposed to the functionality they provide). Soverign is currently inconsistent on this. For example, there are the `ircbouncer` and `blog` modules, but there are also the `owncloud` and `tarsnap` modules. Please name modules after the software used, though, so that it is possible to provide alternatives for functionality.
20
+
15 21
 ### Making decisions
16 22
 
17 23
 A module exists to make decisions about how a service should be installed and configured. Make these decisions and minimize or eliminate configuration options exposed to the user. When in doubt, make a decision, and if the community feedback is vocal enough, only then expose an option.
@@ -51,6 +57,7 @@ The design description should be succinct and to the point. Assume the reader is
51 57
 Consider the following checklist when reviewing a module's design.
52 58
 
53 59
 - Does the role create data on the server that is impossible or difficult to reproduce, e.g., private keys? If so, update the tarsnap role to include precious data in backups.
60
+- Does the role need an SSL certificate for a new subdomain?  If so, update the letsencrypt tasklist in the common role.
54 61
 - Does the role add an Apache virtual site?  If so, has somebody knowledgable in Apache configuration and security reviewed the configuration?
55 62
 - Does README.md need to be updated based on new or changed finalization instructions?
56 63
 

+ 37
- 52
README.md 查看文件

@@ -3,7 +3,7 @@
3 3
 Introduction
4 4
 ============
5 5
 
6
-Sovereign is a set of [Ansible](http://www.ansible.com) playbooks that you can use to build and maintain your own [personal cloud](http://www.urbandictionary.com/define.php?term=clown%20computing) based entirely on open source software, so you’re in control.
6
+Sovereign is a set of [Ansible](http://ansible.com) playbooks that you can use to build and maintain your own [personal cloud](http://www.urbandictionary.com/define.php?term=clown%20computing) based entirely on open source software, so you’re in control.
7 7
 
8 8
 If you’ve never used Ansible before, you might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.
9 9
 
@@ -19,17 +19,17 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
19 19
 -   [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) over SSL via [Dovecot](http://dovecot.org/), complete with full text search provided by [Solr](https://lucene.apache.org/solr/).
20 20
 -   [POP3](https://en.wikipedia.org/wiki/Post_Office_Protocol) over SSL, also via Dovecot
21 21
 -   [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) over SSL via Postfix, including a nice set of [DNSBLs](https://en.wikipedia.org/wiki/DNSBL) to discard spam before it ever hits your filters.
22
--   Webmail via [Roundcube](http://www.roundcube.net/).
22
+-   Webmail via [Roundcube](http://www.roundcube.net/). **NOTE:** currently unavailable.
23 23
 -   Mobile push notifications via [Z-Push](http://z-push.sourceforge.net/soswp/index.php?pages_id=1&t=home).
24 24
 -   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
25 25
 -   Jabber/[XMPP](http://xmpp.org/) instant messaging via [Prosody](http://prosody.im/).
26 26
 -   An RSS Reader via [Selfoss](http://selfoss.aditu.de/).
27 27
 -   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
28 28
 -   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
29
--   Spam fighting via [DSPAM](http://dspam.sourceforge.net/) and [Postgrey](http://postgrey.schweikert.ch/).
30
--   Mail server verification via [OpenDKIM](http://www.opendkim.org/), so folks know you’re legit.
29
+-   Spam fighting via [Rspamd](https://www.rspamd.com/) and [Postgrey](http://postgrey.schweikert.ch/).
30
+-   Mail server verification via [OpenDKIM](http://www.opendkim.org/) and [OpenDMARC](http://www.trusteddomain.org/opendmarc/) so the Internet knows your mailserver is legit.
31 31
 -   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [ownCloud](http://owncloud.org/).
32
--   Your own private [Dropbox](https://www.dropbox.com/), also via [ownCloud](http://owncloud.org/).
32
+-   Your own private storage cloud via [ownCloud](http://owncloud.org/).
33 33
 -   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).
34 34
 -   An IRC bouncer via [ZNC](http://wiki.znc.in/ZNC).
35 35
 -   [Monit](http://mmonit.com/monit/) to keep everything running smoothly (and alert you when it’s not).
@@ -41,7 +41,6 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
41 41
 -   [RFC6238](http://tools.ietf.org/html/rfc6238) two-factor authentication compatible with [Google Authenticator](http://en.wikipedia.org/wiki/Google_Authenticator) and various hardware tokens
42 42
 -   Nightly backups to [Tarsnap](https://www.tarsnap.com/).
43 43
 -   Git hosting via [cgit](http://git.zx2c4.com/cgit/about/) and [gitolite](https://github.com/sitaramc/gitolite).
44
--   [Newebe](http://newebe.org), a social network.
45 44
 -   Read-it-later via [Wallabag](https://www.wallabag.org/)
46 45
 -   A bunch of nice-to-have tools like [mosh](http://mosh.mit.edu) and [htop](http://htop.sourceforge.net) that make life with a server a little easier.
47 46
 
@@ -54,36 +53,18 @@ What You’ll Need
54 53
 ----------------
55 54
 
56 55
 1.  A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at [Linode](http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b). You’ll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
57
-2.  [64-bit Debian 7](http://www.debian.org/) or an equivalent Linux distribution such as Ubuntu 14.04 LTS. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.) Support for Debian 8 and Ubuntu 16.04 is underway in the "jessie" branch.
58
-3.  A wildcard SSL certificate. You can either buy one or self-sign if you want to save money.
59
-4.  A [Tarsnap](http://www.tarsnap.com) account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
56
+2.  [64-bit Debian 8.3](http://www.debian.org/) or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.)
57
+3.  A [Tarsnap](http://www.tarsnap.com) account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
60 58
 
61
-Installation
62
-------------
63
-
64
-### 1. Get a wildcard SSL certificate
65
-
66
-Generate a private key and a certificate signing request (CSR):
67
-
68
-    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -sha256 -out mycert.csr
69
-
70
-Purchase a wildcard cert from a certificate authority, such as [Positive SSL](https://positivessl.com) or [AlphaSSL](https://www.alphassl.com). You will provide them with the contents of your CSR, and in return they will give you your signed public certificate. Place the certificate in `roles/common/files/wildcard_public_cert.crt`.
71
-
72
-Download your certificate authority’s combined cert to `roles/common/files/wildcard_ca.pem`. You can also download the intermediate and root certificates separately and concatenate them together in that order.
73
-
74
-Lastly, test your certificate:
75
-
76
-    openssl verify -verbose -CAfile roles/common/files/wildcard_ca.pem roles/common/files/wildcard_public_cert.crt
59
+You do not need to acquire an SSL certificate.  The SSL certificates you need will be obtained from [Let's Encrypt](https://letsencrypt.org/) automatically when you deploy your server.
77 60
 
78
-#### Self-signed SSL certificate
79 61
 
80
-Purchasing SSL certs, and wildcard certs specifically, can be a significant financial burden. It is possible to generate a self-signed SSL certificate (i.e. one that isn’t signed by a Certificate Authority) that is free of charge by nature. However, since a self-signed cert has no CA chain that can confirm its authenticity, some services might behave erratically when using such a certificate.
62
+Installation
63
+------------
81 64
 
82
-To create a self-signed SSL cert, run the following commands:
65
+### 1. Install required packages
83 66
 
84
-    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -sha256 -out mycert.csr
85
-    openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
86
-    cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
67
+    apt-get install sudo
87 68
 
88 69
 ### 2. Get a Tarsnap machine key
89 70
 
@@ -118,7 +99,8 @@ Your new account will be automatically set up for passwordless `sudo`.
118 99
 
119 100
 ### 4. Configure your installation
120 101
 
121
-Modify the settings in `vars/user.yml` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
102
+Modify the settings in `group_vars/sovereign` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
103
+All of the variables in `group_vars/sovereign` must be set for sovereign to function.
122 104
 
123 105
 Setting `password_hash` for your mail users is a bit tricky. You can generate one using [doveadm-pw](http://wiki2.dovecot.org/Tools/Doveadm/Pw).
124 106
 
@@ -166,11 +148,26 @@ For Git hosting, copy your public key into place:
166 148
 
167 149
 	cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub
168 150
 
169
-Finally, replace the TODOs in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
151
+Finally, replace the `host.example.net` in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
152
+
153
+### 5. Set up DNS
154
+
155
+If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
156
+
157
+Create `A` or `CNAME` records which point to your server's IP address:
158
+
159
+* `example.com`
160
+* `mail.example.com`
161
+* `www.example.com` (for Web hosting)
162
+* `autoconfig.example.com` (for email client automatic configuration)
163
+* `read.example.com` (for Wallabag)
164
+* `news.example.com` (for Selfoss)
165
+* `cloud.example.com` (for ownCloud)
166
+* `git.example.com` (for cgit)
170 167
 
171
-### 5. Run the Ansible Playbooks
168
+### 6. Run the Ansible Playbooks
172 169
 
173
-First, make sure you’ve [got Ansible 1.6+ installed](http://docs.ansible.com/intro_installation.html#getting-ansible).
170
+First, make sure you’ve [got Ansible 1.9.3+ installed](http://docs.ansible.com/intro_installation.html#getting-ansible).
174 171
 
175 172
 To run the whole dang thing:
176 173
 
@@ -182,23 +179,11 @@ To run just one or more piece, use tags. I try to tag all my includes for easy i
182 179
 
183 180
 You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there’s no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I’ve tried to add comments where manual intervention is necessary.
184 181
 
185
-The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `vars/user.yml`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
186
-
187
-### 6. Set up DNS
188
-
189
-If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
182
+The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `group_vars/sovereign`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
190 183
 
191
-Create `A` records which point to your server's IP address:
192
-
193
-* `example.com`
194
-* `mail.example.com`
195
-* `autoconfig.example.com` (for email client automatic configuration)
196
-* `read.example.com` (for Wallabag)
197
-* `news.example.com` (for Selfoss)
198
-* `cloud.example.com` (for ownCloud)
199
-* `git.example.com` (for cgit)
184
+### 7. Finish DNS set-up
200 185
 
201
-Create a `MX` record for `example.com` which assigns `mail.example.com` as the domain’s mail server.
186
+Create an `MX` record for `example.com` which assigns `mail.example.com` as the domain’s mail server.
202 187
 
203 188
 To ensure your emails pass DKIM checks you need to add a `txt` record. The name field will be `default._domainkey.EXAMPLE.COM.` The value field contains the public key used by OpenDKIM. The exact value needed can be found in the file `/etc/opendkim/keys/EXAMPLE.COM/default.txt` it’ll look something like this:
204 189
 
@@ -208,7 +193,7 @@ For DMARC you'll also need to add a `txt` record. The name field should be `_dma
208 193
 
209 194
 Set up SPF and reverse DNS [as per this post](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/). Make sure to validate that it’s all working, for example by sending an email to <a href="mailto:check-auth@verifier.port25.com">check-auth@verifier.port25.com</a> and reviewing the report that will be emailed back to you.
210 195
 
211
-### 7. Miscellaneous Configuration
196
+### 8. Miscellaneous Configuration
212 197
 
213 198
 Sign in to the ZNC web interface and set things up to your liking. It isn’t exposed through the firewall, so you must first set up an SSH tunnel:
214 199
 
@@ -222,7 +207,7 @@ Similarly, to access the server monitoring page, use another SSH tunnel:
222 207
 
223 208
 Again proceeding to http://localhost:2812 in your web browser.
224 209
 
225
-Finally, sign into ownCloud to set it up. You should select PostgreSQL as the configuration backend.
210
+Finally, sign into ownCloud with a new administrator account to set it up. You should select PostgreSQL as the configuration backend. Use `owncloud` as the database user and the database name. For the database password use the password you set for `owncloud_db_password` in `group_vars/sovereign`.
226 211
 
227 212
 How To Use Your New Personal Cloud
228 213
 ----------------------------------

+ 20
- 38
Vagrantfile 查看文件

@@ -1,21 +1,20 @@
1 1
 # -*- mode: ruby -*-
2 2
 
3
-Vagrant.configure("2") do |config|
4
-  #
5
-  # Common Settings
6
-  #
7
-
8
-  config.vm.hostname = "sovereign.local"
9
-  config.vm.network "private_network", ip: "172.16.100.2"
3
+Vagrant.configure('2') do |config|
4
+  config.vm.hostname = 'sovereign.local'
5
+  config.vm.network 'private_network', ip: '172.16.100.2'
10 6
 
11 7
   config.vm.provision :ansible do |ansible|
12
-    ansible.playbook = "site.yml"
8
+    ansible.playbook = 'site.yml'
13 9
     ansible.host_key_checking = false
14
-    ansible.extra_vars = { ansible_ssh_user: "vagrant", testing: true }
15
-
16
-    # ansible.tags = ["blog"]
17
-    # ansible.skip_tags = ["openvpn"]
18
-    # ansible.verbose = "vvvv"
10
+    ansible.extra_vars = { ansible_ssh_user: 'vagrant', testing: true }
11
+    ansible.groups = {
12
+      "testing" => ["jessie"]
13
+    }
14
+
15
+    # ansible.tags = ['blog']
16
+    # ansible.skip_tags = ['openvpn']
17
+    # ansible.verbose = 'vvvv'
19 18
   end
20 19
 
21 20
   config.vm.provider :virtualbox do |v|
@@ -23,42 +22,25 @@ Vagrant.configure("2") do |config|
23 22
   end
24 23
 
25 24
   config.vm.provider :vmware_fusion do |v|
26
-    v.vmx["memsize"] = "512"
25
+    v.vmx['memsize'] = '512'
27 26
   end
28 27
 
29
-  #
30 28
   # vagrant-cachier
31 29
   #
32 30
   # Install the plugin by running: vagrant plugin install vagrant-cachier
33 31
   # More information: https://github.com/fgrehm/vagrant-cachier
34
-  #
35
-
36
-  if Vagrant.has_plugin? "vagrant-cachier"
32
+  if Vagrant.has_plugin? 'vagrant-cachier'
37 33
     config.cache.enable :apt
38 34
     config.cache.scope = :box
39 35
   end
40 36
 
41
-  #
42
-  # Debian 7 64-bit (officially supported)
43
-  #
44
-
45
-  config.vm.define "debian", primary: true do |debian|
46
-    debian.vm.box = "box-cutter/debian78"
47
-  end
48
-
49
-  #
50
-  # Ubuntu 12.04 64-bit
51
-  #
52
-
53
-  config.vm.define "precise", autostart: false do |precise|
54
-    precise.vm.box = "box-cutter/ubuntu1204"
37
+  # Debian 8 64-bit (officially supported)
38
+  config.vm.define 'jessie', primary: true do |jessie|
39
+    jessie.vm.box = 'box-cutter/debian81'
55 40
   end
56 41
 
57
-  #
58
-  # Ubuntu 14.04 64-bit
59
-  #
60
-
61
-  config.vm.define "trusty", autostart: false do |trusty|
62
-    trusty.vm.box = "box-cutter/ubuntu1404"
42
+  # Ubuntu 16.04 (LTS) 64-bit (currently unavailable)
43
+  config.vm.define 'xenial', autostart: false do |xenial|
44
+    xenial.vm.box = 'box-cutter/ubuntu1604'
63 45
   end
64 46
 end

+ 57
- 0
group_vars/sovereign 查看文件

@@ -0,0 +1,57 @@
1
+---
2
+################################################################################
3
+# Set your variables here.
4
+################################################################################
5
+
6
+# common
7
+domain: (required)
8
+main_user_name: (required)
9
+
10
+# admin email
11
+# fail2ban reports will be sent to this address
12
+admin_email: "{{ main_user_name }}@{{ domain }}"
13
+
14
+# mail
15
+mail_virtual_domains:
16
+  - name: "{{ domain }}"
17
+    pk_id: 1
18
+mail_virtual_users:
19
+  - account: "{{ main_user_name }}"
20
+    domain: "{{ domain }}"
21
+    password_hash: TODO
22
+    domain_pk_id: 1
23
+mail_virtual_aliases:
24
+  - source: "root@{{ domain }}"
25
+    destination: "{{ admin_email }}"
26
+    domain_pk_id: 1
27
+  - source: "postmaster@{{ domain }}"
28
+    destination: "{{ admin_email }}"
29
+    domain_pk_id: 1
30
+  - source: "webmaster@{{ domain }}"
31
+    destination: "{{ admin_email }}"
32
+    domain_pk_id: 1
33
+
34
+# timezone
35
+# common_timezone will be used in the common and mailserver roles
36
+common_timezone: 'Etc/UTC'
37
+
38
+# znc
39
+irc_nick: (required)
40
+irc_ident: (required)
41
+irc_realname: (required)
42
+irc_quitmsg: (required)
43
+irc_password_hash: (required)
44
+irc_password_salt: (required)
45
+
46
+# xmpp
47
+prosody_admin: "{{ admin_email }}"
48
+prosody_virtual_domain: "{{ domain }}"
49
+prosody_accounts:
50
+  - name: "{{ main_user_name }}"
51
+    password: TODO
52
+
53
+# openvpn
54
+openvpn_clients:
55
+  - laptop
56
+  - phone
57
+  - tablet

vars/testing.yml → group_vars/testing 查看文件

@@ -1,32 +1,24 @@
1 1
 ---
2 2
 ###############################################################################
3
-# Variables used when testing with Vagrant
4
-# For a complete reference look at the `vars/defaults.yml` file.
3
+# Variables used when testing with Vagrant.  Secrets are stored in
4
+# `.vagrant/provisioners/ansible/inventory/secret.
5
+#
6
+# selfoss_password_hash is the SHA512 hash of `foo`
7
+# 
5 8
 ###############################################################################
6 9
 
7 10
 # common
8 11
 common_timezone: 'Etc/UTC'
9 12
 domain: sovereign.local
10 13
 main_user_name: sovereign
11
-encfs_password: testPassword
12 14
 friendly_networks:
13 15
   - "172.16.100.0/24"
14 16
 
15
-db_admin_username: postgres
16
-db_admin_password: postgres
17
-
18
-# ircbouncer
19
-irc_nick: sovereign
20
-irc_ident: sovereign
21
-irc_realname: Mr. Sovereign
22
-irc_quitmsg: Bye
23
-irc_password_hash: "310c5f99825e80d5b1d663a0a993b8701255f16b2f6056f335ba6e3e720e57ed" #foo
24
-irc_password_salt: "YdlPM5yjBmc/;JO6cfL5"
25
-irc_timezone: "America/New_York" #Example: "America/New_York"
17
+# admin email
18
+# fail2ban reports will be sent to this address
19
+admin_email: "{{ main_user_name }}@{{ domain }}"
26 20
 
27 21
 # mailserver
28
-mail_db_password: testPassword
29
-mail_db_opendmarc_password: testPassword
30 22
 mail_virtual_domains:
31 23
   - name: "{{ domain }}"
32 24
     pk_id: 1
@@ -45,15 +37,26 @@ mail_virtual_aliases:
45 37
   - source: "webmaster@{{ domain }}"
46 38
     destination: "{{ admin_email }}"
47 39
     domain_pk_id: 1
48
-mail_header_privacy: 1
49 40
 
50
-# z-push
51
-zpush_timezone: "America/New_York"  #Example: "America/New_York"
41
+# timezone
42
+# common_timezone will be used in the common and mailserver roles
43
+common_timezone: 'Etc/UTC'
52 44
 
53
-# owncloud
54
-owncloud_db_password: testPassword
45
+# znc
46
+irc_nick: sovereign
47
+irc_ident: sovereign
48
+irc_realname: Mr. Sovereign
49
+irc_quitmsg: Bye
50
+irc_password_hash: "310c5f99825e80d5b1d663a0a993b8701255f16b2f6056f335ba6e3e720e57ed" #foo
51
+irc_password_salt: "YdlPM5yjBmc/;JO6cfL5"
52
+irc_timezone: "America/New_York" #Example: "America/New_York"
55 53
 
56
-# vpn
54
+# xmpp
55
+prosody_accounts:
56
+  - name: "{{ main_user_name }}"
57
+    password: foo
58
+
59
+# openvpn
57 60
 openvpn_key_country:  "US"
58 61
 openvpn_key_province: "California"
59 62
 openvpn_key_city: "Beverly Hills"
@@ -63,22 +66,3 @@ openvpn_clients:
63 66
   - laptop
64 67
   - phone
65 68
   - tablet
66
-
67
-# webmail
68
-webmail_db_password: testPassword
69
-
70
-# xmpp
71
-prosody_accounts:
72
-  - name: "{{ main_user_name }}"
73
-    password: foo
74
-
75
-# selfoss
76
-selfoss_db_password: testPassword
77
-selfoss_username: "{{ main_user_name }}"
78
-# this is the sha512 hash of the desired password
79
-selfoss_password_hash: "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae298382d624741d0dc6638326e282c41be5e4254d8820772c5518a2c5a8c0c7f7eda19594a7eb539453e1ed7"
80
-# foo
81
-
82
-# wallabag
83
-wallabag_salt: testing
84
-wallabag_db_password: testPassword

+ 4
- 2
hosts 查看文件

@@ -1,2 +1,4 @@
1
-[TODO]
2
-TODO # put your host's IP here
1
+[sovereign]
2
+# hosts in the `sovereign` group  use vars defined in `group_vars/sovereign`
3
+# put your host's IP address or domain name below
4
+host.example.net

+ 1
- 1
requirements.txt 查看文件

@@ -1 +1 @@
1
-ansible==1.6.6
1
+ansible>=1.9.3,<2

+ 1
- 2
roles/blog/templates/etc_apache2_sites-available_blog.j2 查看文件

@@ -9,8 +9,7 @@
9 9
 <VirtualHost *:443>
10 10
     ServerName {{ domain }}
11 11
     ServerAlias www.{{ domain }}
12
-
13
-    Include /etc/apache2/ssl.conf
12
+    SSLEngine On
14 13
 
15 14
     DocumentRoot            "/var/www/{{ domain }}"
16 15
     DirectoryIndex          index.html

+ 29
- 0
roles/common/DESIGN.md 查看文件

@@ -0,0 +1,29 @@
1
+# Design Description for Common Role
2
+
3
+## Let's Encrypt Support
4
+
5
+[Let's Encrypt](https://letsencrypt.org) (LE) is an automated certificate authority that provides free SSL certificates that are trusted by all major browsers.  LE certificates are used by Sovereign instead of purchased certificates from authorities like RapidSSL in order to reduce the out-of-pocket cost of deploying Sovereign and avoid end-user problems with self-signed certificates.
6
+
7
+### Design approach
8
+
9
+The Let's Encrypt service uses DNS to look up domains being registered and then contact the client to verify. For this to work, DNS records must be configured before the playbook is run the first time.
10
+
11
+A single certificate is created using Let's Encrypt with SANs used for the subdomains.  At deploy-time, a script is used to query DNS for known subdomains, build a list of the subset that is registered, and use it when making the certificate request of Let's Encrypt.
12
+
13
+Several packages need access to the private key. Not all are run as root. An example is Prosody (XMPP). Such users are added to the ssl-cert group, and /etc/letsencrypt is set up to allow keys to be read by ssl-cert.
14
+
15
+Certificates and private keys are backed up using tarsnap.
16
+
17
+Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
18
+
19
+### Testing support
20
+
21
+An isolated VM deployed with Vagrant is used for testing. The Let's Encrypt service cannot be used to get keys for it, since it is not bound with DNS. A self-signed wildcard key is therefore used for testing. The wildcard key, certificate, and chain are installed in the same way that Let's Encrypt keys are installed.
22
+
23
+### Alternative approaches
24
+
25
+Another way to generate certificates is to generate one certificate per domain and expect each module that uses a subdomain to generate its own certificate for the subdomain.
26
+
27
+This was prototyped. The common role included a parameterized task list that could be invoked by modules that needed to generate a key. The certificate renewal script run by cron could be modified to update all the certificates in the `live` directory.
28
+
29
+This approach was rejected due to complexity. This would have been the first time modules needed to invoke a task list from another module. Managing multiple certificates is also more complicated.

+ 34
- 0
roles/common/defaults/main.yml 查看文件

@@ -0,0 +1,34 @@
1
+common_timezone: 'Etc/UTC'
2
+admin_email: "{{ main_user_name }}@{{ domain }}"
3
+main_user_shell: "/bin/bash"
4
+friendly_networks:
5
+  - ""
6
+
7
+# encfs
8
+secret_root: '{{ inventory_dir | realpath }}'
9
+secret_name: 'secret'
10
+secret: '{{ secret_root + "/" + secret_name }}'
11
+encfs_password: "{{ lookup('password', secret + '/' + 'encfs_password', length=32) }}"
12
+
13
+
14
+# let's encrypt
15
+letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
16
+
17
+# ssh
18
+kex_algorithms: "diffie-hellman-group-exchange-sha256"
19
+ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
20
+macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
21
+
22
+# ntp
23
+ntp_servers:
24
+  # use nearby ntp servers by default
25
+  - 0.pool.ntp.org
26
+  - 1.pool.ntp.org
27
+  - 2.pool.ntp.org
28
+  - 3.pool.ntp.org
29
+  # use servers tailored to the server location
30
+  # See http://www.pool.ntp.org/en/use.html
31
+  # - 0.north-america.pool.ntp.org
32
+  # - 1.north-america.pool.ntp.org
33
+  # - 2.north-america.pool.ntp.org
34
+  # - 3.north-america.pool.ntp.org

+ 8
- 0
roles/common/files/etc_cron-daily_letsencrypt-renew 查看文件

@@ -0,0 +1,8 @@
1
+#!/bin/bash
2
+set -o errexit
3
+# Renew all live certificates with LetsEncrypt.  This needs to run at least
4
+# once every three months, but recommended frequency is once a day.
5
+
6
+/root/letsencrypt/letsencrypt-auto renew -q -c /etc/letsencrypt/cli.conf \
7
+--pre-hook="find /etc/letsencrypt/prerenew/ -maxdepth 1 -type f -executable -exec {} \;" \
8
+--post-hook="find /etc/letsencrypt/postrenew/ -maxdepth 1 -type f -executable -exec {} \;"

+ 13
- 0
roles/common/files/letsencrypt-gencert 查看文件

@@ -0,0 +1,13 @@
1
+#!/bin/bash
2
+d="$1"
3
+for i in www mail autoconfig read news cloud git; do
4
+  if (getent hosts $i.$1 > /dev/null); then
5
+    d="$d,$i.$1";
6
+  fi
7
+done
8
+# We are using the "standalone" letsencrypt plugin, which runs its own
9
+# webserver, so we need to temporarily free up the HTTP(S) ports by stopping
10
+# our own Apache.
11
+service apache2 stop
12
+/root/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/cli.conf --domains $d
13
+service apache2 start

+ 18
- 18
roles/common/files/wildcard_ca.pem 查看文件

@@ -1,20 +1,20 @@
1 1
 -----BEGIN CERTIFICATE-----
2
-MIIDPjCCAiYCCQDcHVzv6JwhEzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJB
3
-VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
4
-cyBQdHkgTHRkMRowGAYDVQQDFBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xMzExMDIx
5
-OTI4NDlaFw0xNDExMDIxOTI4NDlaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
6
-b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
7
-BgNVBAMUESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
8
-MIIBCgKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPobueyI
9
-6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4sCKrI
10
-yw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iapngrr
11
-C6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx3oY6
12
-yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1BnmS
13
-xdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
14
-AQAX5KZYIYcMuHRdsd/EKwee+pzp0irs1dqbNwYJIj3HS8Zx/qd+LET4irQbY72N
15
-9Z2s0UTSngy4axlyItKrn+k26FUnSW80W8GMb/dEIyKg5Vnu+zLKnKj85dGUBSAP
16
-AzhNyqkwiY5BFFy/tvuFBvjxle9vkBNZrmtsh/PktzaW3BNrYaE9xDMYesT9xi73
17
-aKFMIryVZWzZKmMaJhcMcMarWzAvLftV+0VfJV3EWtzpEbjEu3mIsoBZvD0uGqbU
18
-Llt1yeYyBrcdIbDQZgeRHhrJjC8yx0iqvj5WmnEp8hk6YtqdwGGTJxkpUtxFT/dO
19
-+0vEpa88MmGGUdXZ4NWI2IYe
2
+MIIDPjCCAiYCCQCIBIL0qFYY5DANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJB
3
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
4
+cyBQdHkgTHRkMRowGAYDVQQDDBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xNjAxMDkw
5
+OTU4MzNaFw0xNzAxMDgwOTU4MzNaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApT
6
+b21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
7
+BgNVBAMMESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
8
+MIIBCgKCAQEA1Z12KXbGOq70H9rxgH+uBF2MSil5xTcxQKFpUhFOu0kIVoQ7Sa2n
9
+FPKYDC5aTKE7ajgO4cER44WgtBnEXGs7MHQEJL2tT0ETiDfTqSEhTpsXSzCxl7bo
10
+AZIrw9ntJKvTm4Ot04MXsUqeZyr6gk5XMOilluZWTLzbunigKOJItyM3VBRnLWZi
11
+ScznIkbKLGt2WjGIaENOR4cw+wwzOmH0UVxGtGWo/jklGtBZG8mb+fF8rH6L6VBa
12
+nIYHBGlg8Gy0eK430jMD/y2zqlOzY4gE5/BlwaxEupuzL+jtiYGyr7G1tUksQ49v
13
+UNimlAzUINB6bYnIk0MwpIxB0xECj0nz2wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
14
+AQCEVVrT1ktgvA3CwuIr+/BWRfILIHyayy3FxIwF8wBymAwQiT/09JuNDsLuI2/t
15
+eOY9BZsaJ9BtGA7dajbwKDX83Z+WXcv2AwxbAhxUnpBCQF0MNT9Vh7ixE0rXbXeg
16
+bvy5D4n1MWTBaPK+MpuEEV5m/dRZOFIgf6AWDCB7QixWm7N2BGjqni5kr2EuqYw8
17
+JqxXXtTDTBA8BKMLxPRER+w39zD8fQouTn1pI8nVba/WdX1NlchzFrex6ByvKWQG
18
+joSPd39d68NNyytwmv5LWOQ2Shsk0d0UV9eoFrctPJh8cL4BPfNS7NQR12u55zn0
19
+NR+SN5v9/7fn+/KF1UZq5Jao
20 20
 -----END CERTIFICATE-----

+ 28
- 27
roles/common/files/wildcard_private.key 查看文件

@@ -1,27 +1,28 @@
1
------BEGIN RSA PRIVATE KEY-----
2
-MIIEpAIBAAKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPob
3
-ueyI6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4s
4
-CKrIyw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iap
5
-ngrrC6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx
6
-3oY6yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1
7
-BnmSxdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABAoIBADm/oYAavJ2nif+H
8
-CNgqDqDhW6CPegqenwbBaihAUzK00CdOM8mmMgt2SdFe3xvGqDssRpwtu3bEROnY
9
-r3WHreEIQ0gdc8MQhnvat32cLkWk+0MtQUeEpnJ0bzeRJOJEPxs+btu+1wIQvmFy
10
-uVOWqOq1a6xmwdemcfl0hRwFsdvO00MefOWgJpmBGBTBKuvhg1rUPP8xkHlD98ga
11
-+vpxG0vS5d2vHKa5FxcbbMaV9kxqjsc1Sm79zWlomwdmE5u0dUIIfNV1+VOmPqW2
12
-tjeD+JDieyX3uOKFpRTk7/5rOJd5hzHukIeUpl0n9mC/mY8lvoFAttszeTEwjkv0
13
-EhRBjaECgYEA3Rz8AoWJLDC63wfz3mUhtXzFxrxok85cNT35ohT9btnKyLKykvAE
14
-BCfHeYg8cwFFv0oUXpK9HWOqoJhsYN79+WYA1QE9n0XXAGl1K1/FlKsoAH3h5GAf
15
-CHGLsq6rEY3ixBmqEiKCWjNXgKeoMg9V/gjTNudWYqLvcsgMoD9vJbkCgYEAyiGi
16
-QZUa7pGFSa3+kPJo9wx6FylsAVnBluQETZpPdXSB43cTnfUlGj50OHAwFKwD4MP1
17
-Z+3mTW3+iedpEo3BWs47onanI9DSe6XcUUMXreP+aStJYOkQ3Sl5wr5A61NFF/yr
18
-+bdKEzXNXB5My5hbFLuSUtsXNVmVr6B7pz2wyfsCgYEAiXKyCVM/IPQtxeSoqM+O
19
-88VbIB4QmAjIcuRSoHmRzO2fy8ChlwuSQ48Cxb51bTwWQkHnhZ6L5pAFCg2WGWWk
20
-1Pqee8popvCAJSZpCoxfQvpeRGf8Gr3RrKsAnxNLDf94PlSBzwIaq72MoFIYEP5N
21
-gzuzKEcIAQqt9Fj82ER2cCkCgYEAnaEFC+ffjNRnAUJzF04zlRVh0NY4qAT691Ty
22
-FiKUfKBS+rRN1Azs1j6GG81BcZ2DmLC4nEfmJdP1gE26nwF1G/9geh3V0hRzUIHU
23
-Ansz6CO4rwNWwgB/ajmB/uCnd90EMOSWqLLLTZfTglcOxGcYAF8WiQ7aVnx6Qu//
24
-/jgZuikCgYB10Gf8Wl/TcWVBTwbDbA50VqZpUWXkcF+oo/w4FfI2f74TEQVkIs9m
25
-4SVhrtSAz3z2tuBEDB8SM2Uwe00/JSrbuOTvGcVTq64LDgH5fL38Hw8+7IvAZEOx
26
-26mAS685K1pq0HvvCuwzSIAjpo55tso3phG/YxC+DD11DglhL1SpBA==
27
------END RSA PRIVATE KEY-----
1
+-----BEGIN PRIVATE KEY-----
2
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDVnXYpdsY6rvQf
3
+2vGAf64EXYxKKXnFNzFAoWlSEU67SQhWhDtJracU8pgMLlpMoTtqOA7hwRHjhaC0
4
+GcRcazswdAQkva1PQROIN9OpISFOmxdLMLGXtugBkivD2e0kq9Obg63TgxexSp5n
5
+KvqCTlcw6KWW5lZMvNu6eKAo4ki3IzdUFGctZmJJzOciRsosa3ZaMYhoQ05HhzD7
6
+DDM6YfRRXEa0Zaj+OSUa0FkbyZv58XysfovpUFqchgcEaWDwbLR4rjfSMwP/LbOq
7
+U7NjiATn8GXBrES6m7Mv6O2JgbKvsbW1SSxDj29Q2KaUDNQg0HpticiTQzCkjEHT
8
+EQKPSfPbAgMBAAECggEBAMcozbgO4vZnk3f3u13grK+pQFkMnll/Ac6OLxGyzULT
9
+7pArLNOesb5YB+ajeNElKa34ofdc+H62YYRI2ciIuWCNaiePKHxR4hIIarCvEMym
10
+0Grr9UfL4jdEvsUU84JTKTE+7dvbx0UmmtT5PyIqRCR3Y5tzGVbmZb5PJJO5la4X
11
+1Q8ZQHYvdFh52VXVpetp66yFpCu/EI8u9VSEBakvILpZ3yxjhskEXD18E304wn1e
12
+Ky+sBde6zUtXRc1rKxAzeQ/JyF1+1+xr8nI1kGryqXdNl/4S3JsdB5nL54U0pHaL
13
+XfLMZvRTVqKAsyjqLQzYE0bRnJz9sev85nu0J1sp/GECgYEA8Gi2izJmxpb3oDC7
14
+Eu388TeFOYrdg6AsXFkmKT5ssTRRT4ju03RrGWC8NlOJRhQxJloCICgmBWHLFWBG
15
+2OVGgOYhUr7/V12f/D2GICUcJ9SKkDbzKe0ACDPq9tzauVd9H8fY9gQfvhn0AA0v
16
+qG0+guGElxS+holIpbDP7VV0PykCgYEA43fp3VtneBHL4E4iZVBQaIBGMYOmE8v3
17
+cKSTCBgCU3jnbio85NHybI1Fw15cAXDOIsOlKescLyTw/IgRb3PbObNvpD8STS8d
18
+wVqen2Ir/mrsxWVn57jlSV5viGnIoI873YVJ9fl5pr/KbJ5A8//EnJwQLDq6MmQR
19
+zPMovp51L2MCgYEA0/rQ8t4HR5Z4VDSDz8YvYZaeD0YF2nkShH9LKdTUTFAgXiwU
20
+wjkF8oOckZ6JDVTinbmB5E7ib55yTq/s6HUJ/MBuo6KsTaHNXsH1EUUHlYtQfqcl
21
+NFO40oLM7M2CwyiEuNAj25F5V8tUnfMCkdV56DfoDLuK3+APQaItRU0zSjkCgYAW
22
+KGgvl+fMWm9xuiq/k8NBar1rtVdINmY0ItPvxeb0GqLwqEymPY1P5bMWBOsReNub
23
+p1M/checwAx5jQelw7NnO4N0jHBL9HsBisJI5FdEwUWvNOGaQPiU3Q4gS62vdkRu
24
+n71EqLig9a3SRtgs7I1KdClfJZldr0HMpSMi7myb4QKBgQDgeh5oDgypNBdMY4un
25
+Wpax1Mxse49T883Z3lIlVq+U7ZwnWLWfohSZK/kXUrolbdmo4z8yAlNKUO421sAF
26
+SWUWFAabEMnLq2ilv6WIG4i1ubFr4/DBV4fGcaYNMOxIENRDItn7RacddZ1EQVfC
27
+WBcstgic1QXyMJ+2LoC0LHdgCQ==
28
+-----END PRIVATE KEY-----

+ 18
- 18
roles/common/files/wildcard_public_cert.crt 查看文件

@@ -1,20 +1,20 @@
1 1
 -----BEGIN CERTIFICATE-----
2
-MIIDPjCCAiYCCQDcHVzv6JwhEzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJB
3
-VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
4
-cyBQdHkgTHRkMRowGAYDVQQDFBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xMzExMDIx
5
-OTI4NDlaFw0xNDExMDIxOTI4NDlaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
6
-b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
7
-BgNVBAMUESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
8
-MIIBCgKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPobueyI
9
-6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4sCKrI
10
-yw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iapngrr
11
-C6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx3oY6
12
-yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1BnmS
13
-xdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
14
-AQAX5KZYIYcMuHRdsd/EKwee+pzp0irs1dqbNwYJIj3HS8Zx/qd+LET4irQbY72N
15
-9Z2s0UTSngy4axlyItKrn+k26FUnSW80W8GMb/dEIyKg5Vnu+zLKnKj85dGUBSAP
16
-AzhNyqkwiY5BFFy/tvuFBvjxle9vkBNZrmtsh/PktzaW3BNrYaE9xDMYesT9xi73
17
-aKFMIryVZWzZKmMaJhcMcMarWzAvLftV+0VfJV3EWtzpEbjEu3mIsoBZvD0uGqbU
18
-Llt1yeYyBrcdIbDQZgeRHhrJjC8yx0iqvj5WmnEp8hk6YtqdwGGTJxkpUtxFT/dO
19
-+0vEpa88MmGGUdXZ4NWI2IYe
2
+MIIDPjCCAiYCCQCIBIL0qFYY5DANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJB
3
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
4
+cyBQdHkgTHRkMRowGAYDVQQDDBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xNjAxMDkw
5
+OTU4MzNaFw0xNzAxMDgwOTU4MzNaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApT
6
+b21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
7
+BgNVBAMMESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
8
+MIIBCgKCAQEA1Z12KXbGOq70H9rxgH+uBF2MSil5xTcxQKFpUhFOu0kIVoQ7Sa2n
9
+FPKYDC5aTKE7ajgO4cER44WgtBnEXGs7MHQEJL2tT0ETiDfTqSEhTpsXSzCxl7bo
10
+AZIrw9ntJKvTm4Ot04MXsUqeZyr6gk5XMOilluZWTLzbunigKOJItyM3VBRnLWZi
11
+ScznIkbKLGt2WjGIaENOR4cw+wwzOmH0UVxGtGWo/jklGtBZG8mb+fF8rH6L6VBa
12
+nIYHBGlg8Gy0eK430jMD/y2zqlOzY4gE5/BlwaxEupuzL+jtiYGyr7G1tUksQ49v
13
+UNimlAzUINB6bYnIk0MwpIxB0xECj0nz2wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
14
+AQCEVVrT1ktgvA3CwuIr+/BWRfILIHyayy3FxIwF8wBymAwQiT/09JuNDsLuI2/t
15
+eOY9BZsaJ9BtGA7dajbwKDX83Z+WXcv2AwxbAhxUnpBCQF0MNT9Vh7ixE0rXbXeg
16
+bvy5D4n1MWTBaPK+MpuEEV5m/dRZOFIgf6AWDCB7QixWm7N2BGjqni5kr2EuqYw8
17
+JqxXXtTDTBA8BKMLxPRER+w39zD8fQouTn1pI8nVba/WdX1NlchzFrex6ByvKWQG
18
+joSPd39d68NNyytwmv5LWOQ2Shsk0d0UV9eoFrctPJh8cL4BPfNS7NQR12u55zn0
19
+NR+SN5v9/7fn+/KF1UZq5Jao
20 20
 -----END CERTIFICATE-----

+ 17
- 0
roles/common/tasks/apache.yml 查看文件

@@ -0,0 +1,17 @@
1
+---
2
+# Configures the Apache HTTP server with sane defaults.
3
+
4
+- name: Disable default Apache site
5
+  command: a2dissite 000-default removes=/etc/apache2/sites-enabled/000-default
6
+  notify: restart apache
7
+
8
+- name: Enable Apache headers module
9
+  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
10
+  notify: restart apache
11
+
12
+- name: Create ServerName configuration file for Apache
13
+  template: src=fqdn.j2 dest=/etc/apache2/conf-available/fqdn.conf
14
+
15
+- name: Set ServerName for Apache
16
+  command: a2enconf fqdn creates=/etc/apache2/conf-enabled/fqdn.conf
17
+  notify: restart apache

+ 4
- 13
roles/common/tasks/encfs.yml 查看文件

@@ -10,28 +10,19 @@
10 10
 - name: Create encrypted directory
11 11
   file: state=directory path=/encrypted
12 12
 
13
-- name: Add mail user to fuse group
14
-  user: name=mail append=yes groups=fuse
15
-
16
-- name: Add main user to fuse group
17
-  user: name={{ main_user_name }} append=yes groups=fuse
18
-
19
-# Check if the /encrypted directory is empty
20
-- name: Check for existing encfs
13
+- name: Check if the /encrypted directory is empty
21 14
   shell: ls /encrypted/*
22 15
   ignore_errors: True
23 16
   changed_when: False  # never report as "changed"
24 17
   register: encfs_check
25 18
 
26
-# If it is empty, we need to create the encfs
27
-- name: Create encfs
19
+- name: If /encrypted is empty, create the encfs there
28 20
   shell: printf "p\n{{ encfs_password }}" | encfs /encrypted /decrypted --public --stdinpass && touch /decrypted/test
29 21
   when: encfs_check.rc > 0
30 22
 
31
-# If it isn't empty, we simply need to mount it (but only if /decrypted/test doesn't exist)
32
-- name: Mount encfs
23
+- name: If /encrypted isn't empty, mount it (but only if /decrypted/test doesn't exist)
33 24
   shell: printf "{{ encfs_password }}" | encfs /encrypted /decrypted --public --stdinpass creates="/decrypted/test"
34 25
   when: encfs_check.rc == 0
35 26
 
36 27
 - name: Set decrypted directory permissions
37
-  file: state=directory path=/decrypted group=mail mode=775
28
+  file: state=directory path=/decrypted group=mail mode=0775

+ 5
- 19
roles/common/tasks/google_auth.yml 查看文件

@@ -1,29 +1,15 @@
1 1
 ---
2
-# Defines tasks applicable for Google Authenticator
2
+# Defines tasks applicable for Google Authenticator.
3 3
 
4 4
 - name: Ensure required packages are installed
5 5
   apt: pkg={{ item }} state=present
6 6
   with_items:
7
-    #- libpam-google-authenticator    wasn't available in wheezy
7
+    - libpam-google-authenticator
8 8
     - libpam0g-dev
9 9
     - libqrencode3
10 10
   tags:
11 11
     - dependencies
12 12
 
13
-- name: Download Google authenticator pam module
14
-  get_url: url=https://google-authenticator.googlecode.com/files/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
15
-           dest=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
16
-
17
-- name: Extract Google authenticator
18
-  unarchive: src=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
19
-             creates=/root/libpam-google-authenticator-{{ google_auth_version }}
20
-             dest=/root copy=no
21
-
22
-- name: Install Google authenticator
23
-  command: make install
24
-           chdir=/root/libpam-google-authenticator-{{ google_auth_version }}
25
-           creates=/usr/local/bin/google-authenticator
26
-
27 13
 - name: Update sshd config to enable challenge responses
28 14
   lineinfile: dest=/etc/ssh/sshd_config
29 15
               regexp=^ChallengeResponseAuthentication
@@ -38,10 +24,10 @@
38 24
               state=present
39 25
 
40 26
 - name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
41
-  command: /usr/local/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
27
+  command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
42 28
            creates=/home/{{ main_user_name }}/.google_authenticator
43
-  sudo: yes
44
-  sudo_user: "{{ main_user_name }}"
29
+  become: yes
30
+  become_user: "{{ main_user_name }}"
45 31
   when: ansible_ssh_user != "vagrant"
46 32
 
47 33
 - name: Retrieve generated keys from server

+ 0
- 41
roles/common/tasks/google_auth_mod.yml 查看文件

@@ -1,41 +0,0 @@
1
----
2
-# Defines tasks applicable for Google Authenticator
3
-# Ubuntu trusty version, uses standard libpam-google-authenticator package
4
-
5
-- name: Ensure required packages are installed
6
-  apt: pkg={{ item }} state=present
7
-  with_items:
8
-    - libpam-google-authenticator
9
-    - libpam0g-dev
10
-    - libqrencode3
11
-  tags:
12
-    - dependencies
13
-
14
-- name: Update sshd config to enable challenge responses
15
-  lineinfile: dest=/etc/ssh/sshd_config
16
-              regexp=^ChallengeResponseAuthentication
17
-              line="ChallengeResponseAuthentication yes"
18
-              state=present
19
-  notify: restart ssh
20
-
21
-- name: Add Google authenticator to PAM
22
-  lineinfile: dest=/etc/pam.d/sshd
23
-              line="auth required pam_google_authenticator.so"
24
-              insertbefore=BOF
25
-              state=present
26
-
27
-- name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
28
-  command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
29
-           creates=/home/{{ main_user_name }}/.google_authenticator
30
-  sudo: yes
31
-  sudo_user: "{{ main_user_name }}"
32
-  when: ansible_ssh_user != "vagrant"
33
-
34
-- name: Retrieve generated keys from server
35
-  fetch: src=/home/{{ main_user_name }}/.google_authenticator
36
-         dest=/tmp/sovereign-google-auth-files
37
-  when: ansible_ssh_user != "vagrant"
38
-
39
-- pause: seconds=5
40
-         prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."
41
-  when: ansible_ssh_user != "vagrant"

+ 104
- 0
roles/common/tasks/letsencrypt.yml 查看文件

@@ -0,0 +1,104 @@
1
+- name: Download LetsEncrypt release
2
+  git: repo=https://github.com/letsencrypt/letsencrypt
3
+       dest=/root/letsencrypt
4
+       version=master
5
+       force=yes
6
+
7
+- name: Create directory for LetsEncrypt configuration and certificates
8
+  file: state=directory path=/etc/letsencrypt group=root owner=root
9
+
10
+- name: Configure LetsEncrypt
11
+  template:
12
+    src=etc_letsencrypt_cli.conf.j2
13
+    dest=/etc/letsencrypt/cli.conf
14
+    owner=root
15
+    group=root
16
+
17
+- name: Install LetsEncrypt package dependencies
18
+  command: /root/letsencrypt/letsencrypt-auto --help
19
+  register: le_deps_result
20
+  changed_when: "'Bootstrapping dependencies' in le_deps_result.stdout"
21
+
22
+- name: Create directory for pre-renewal scripts
23
+  file: state=directory path=/etc/letsencrypt/prerenew group=root owner=root
24
+
25
+- name: Create directory for post-renewal scripts
26
+  file: state=directory path=/etc/letsencrypt/postrenew group=root owner=root
27
+
28
+- name: Create pre-renew hook to stop apache
29
+  copy:
30
+    content: "#!/bin/bash\n\nservice apache2 stop\n"
31
+    dest: /etc/letsencrypt/prerenew/apache
32
+    owner: root
33
+    group: root
34
+    mode: 0755
35
+
36
+- name: Create post-renew hook to start apache
37
+  copy:
38
+    content: "#!/bin/bash\n\nservice apache2 start\n"
39
+    dest: /etc/letsencrypt/postrenew/apache
40
+    owner: root
41
+    group: root
42
+    mode: 0755
43
+
44
+- name: Install crontab entry for LetsEncrypt
45
+  copy:
46
+    src: etc_cron-daily_letsencrypt-renew
47
+    dest: /etc/cron.daily/letsencrypt-renew
48
+    owner: root
49
+    group: root
50
+    mode: 0755
51
+
52
+- name: Create live directory for LetsEncrypt cron job
53
+  file: state=directory path=/etc/letsencrypt/live group=root owner=root
54
+
55
+- name: Get an SSL certificate for {{ domain }} from Let's Encrypt
56
+  script: letsencrypt-gencert {{ domain }} creates=/etc/letsencrypt/live/{{ domain }}/privkey.pem
57
+  when: ansible_ssh_user != "vagrant"
58
+
59
+- name: Modify permissions to allow ssl-cert group access
60
+  file: path=/etc/letsencrypt/archive owner=root group=ssl-cert mode=0750
61
+  when: ansible_ssh_user != "vagrant"
62
+
63
+### Several steps to install a self-signed wildcard key to support offline testing
64
+
65
+- name: Create live directory for testing keys
66
+  file: dest=/etc/letsencrypt/live/{{ domain }} state=directory
67
+    owner=root group=root mode=0755
68
+  when: ansible_ssh_user == "vagrant"
69
+
70
+- name: Copy SSL wildcard private key for testing
71
+  copy: src=wildcard_private.key
72
+    dest=/etc/letsencrypt/live/{{ domain }}/privkey.pem
73
+    owner=root group=ssl-cert mode=0640
74
+  register: private_key
75
+  when: ansible_ssh_user == "vagrant"
76
+
77
+- name: Copy SSL public certificate into place for testing
78
+  copy: src=wildcard_public_cert.crt
79
+    dest=/etc/letsencrypt/live/{{ domain }}/cert.pem
80
+    group=root owner=root mode=0644
81
+  register: certificate
82
+  notify: restart apache
83
+  when: ansible_ssh_user == "vagrant"
84
+
85
+- name: Copy SSL CA combined certificate into place for testing
86
+  copy: src=wildcard_ca.pem
87
+    dest=/etc/letsencrypt/live/{{ domain }}/chain.pem
88
+    group=root owner=root mode=0644
89
+  register: ca_certificate
90
+  notify: restart apache
91
+  when: ansible_ssh_user == "vagrant"
92
+
93
+- name: Create a combined SSL cert for testing
94
+  shell: cat /etc/letsencrypt/live/{{ domain }}/cert.pem
95
+    /etc/letsencrypt/live/{{ domain }}/chain.pem >
96
+    /etc/letsencrypt/live/{{ domain }}/fullchain.pem
97
+  when: (private_key.changed or certificate.changed or ca_certificate.changed) and ansible_ssh_user == "vagrant"
98
+
99
+- name: Set permissions on combined SSL public cert
100
+  file: name=/etc/letsencrypt/live/{{ domain }}/fullchain.pem mode=0644
101
+  notify: restart apache
102
+  when: ansible_ssh_user == "vagrant"
103
+
104
+### Back to normal

+ 5
- 36
roles/common/tasks/main.yml 查看文件

@@ -1,11 +1,4 @@
1 1
 ---
2
-# Defines tasks applicable across all machines in the infrastructure.
3
-- name: Set up closest mirror autoselect (ubuntu-only)
4
-  template: src=apt_sources.list.j2 dest=/etc/apt/sources.list
5
-  when: ansible_distribution == 'Ubuntu'
6
-  tags:
7
-    - dependencies
8
-
9 2
 - name: Update apt cache
10 3
   apt: update_cache=yes
11 4
   tags:
@@ -28,14 +21,13 @@
28 21
     - htop
29 22
     - iftop
30 23
     - iotop
24
+    - molly-guard
31 25
     - mosh
32 26
     - python-software-properties
33
-    - ruby1.9.3
27
+    - ruby
34 28
     - screen
35 29
     - sudo
36
-    - update-notifier-common
37 30
     - unattended-upgrades
38
-    - molly-guard
39 31
     - vim
40 32
     - zsh
41 33
   tags:
@@ -61,41 +53,18 @@
61 53
 - name: Apticron email configuration
62 54
   template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
63 55
 
64
-- name: Disable default Apache site
65
-  command: a2dissite 000-default removes=/etc/apache2/sites-enabled/000-default
66
-  notify: restart apache
67
-
68
-- name: Enable Apache headers module
69
-  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
70
-  notify: restart apache
71
-
72
-- name: Set ServerName for Apache
73
-  template: src=fqdn.j2 dest=/etc/apache2/conf.d/fqdn
74
-  notify: restart apache
75
-  when: ansible_distribution_release != 'trusty'
76
-
77
-- name: Create ServerName configuration file for Apache for Ubuntu Trusty
78
-  template: src=fqdn.j2 dest=/etc/apache2/conf-available/fqdn.conf
79
-  when: ansible_distribution_release == 'trusty'
80
-
81
-- name: Set ServerName for Apache for Ubuntu Trusty
82
-  command: a2enconf fqdn creates=/etc/apache2/conf-enabled/fqdn.conf
83
-  notify: restart apache
84
-  when: ansible_distribution_release == 'trusty'
85
-
86 56
 - name: Create decrypted directory (even if encfs isn't used)
87 57
   file: state=directory path=/decrypted
88 58
 
89 59
 - name: Set decrypted directory permissions
90
-  file: state=directory path=/decrypted group=mail mode=775
60
+  file: state=directory path=/decrypted group=mail mode=0775
91 61
 
92 62
 - include: encfs.yml tags=encfs
93 63
 - include: users.yml tags=users
64
+- include: apache.yml tags=apache
94 65
 - include: ssl.yml tags=ssl
66
+- include: letsencrypt.yml tags=letsencrypt
95 67
 - include: ufw.yml tags=ufw
96 68
 - include: security.yml tags=security
97 69
 - include: ntp.yml tags=ntp
98 70
 - include: google_auth.yml tags=google_auth
99
-  when: ansible_distribution_release != 'trusty'
100
-- include: google_auth_mod.yml tags=google_auth
101
-  when: ansible_distribution_release == 'trusty'

+ 6
- 2
roles/common/tasks/ntp.yml 查看文件

@@ -11,6 +11,10 @@
11 11
   notify:
12 12
     - restart ntp
13 13
 
14
-- name: Ensure ntpd is running and enabled
15
-  service: name=ntp state=started enabled=yes
14
+- name: Ensure ntpd is running
15
+  service: name=ntp state=started
16 16
 
17
+# Work around https://github.com/ansible/ansible-modules-core/issues/915
18
+# otherwise we'd use enabled=yes in previous task
19
+- name: Ensure ntp is enabled
20
+  command: update-rc.d ntp enable creates=/etc/rc3.d/S03ntp

+ 5
- 49
roles/common/tasks/ssl.yml 查看文件

@@ -1,27 +1,3 @@
1
-- name: Copy SSL private key into place
2
-  copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640
3
-  register: private_key
4
-  notify: restart apache
5
-
6
-- name: Copy SSL public certificate into place
7
-  copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644
8
-  register: certificate
9
-  notify: restart apache
10
-
11
-- name: Copy CA combined certificate into place
12
-  copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644
13
-  register: ca_certificate
14
-  notify: restart apache
15
-
16
-- name: Create a combined version of the public cert with intermediate and root CAs
17
-  shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
18
-    /etc/ssl/certs/wildcard_combined.pem
19
-  when: private_key.changed or certificate.changed or ca_certificate.changed
20
-
21
-- name: Set permissions on combined public cert
22
-  file: name=/etc/ssl/certs/wildcard_combined.pem mode=644
23
-  notify: restart apache
24
-
25 1
 - name: Create strong Diffie-Hellman group
26 2
   command: openssl dhparam -out /etc/ssl/private/dhparam2048.pem 2048
27 3
     creates=/etc/ssl/private/dhparam2048.pem
@@ -30,38 +6,18 @@
30 6
   command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load
31 7
   notify: restart apache
32 8
 
33
-- name: Enable NameVirtualHost for HTTPS
34
-  lineinfile:
35
-    dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443'
36
-    insertafter='^<IfModule mod_ssl.c>'
37
-    line='    NameVirtualHost *:443'
38
-  notify: restart apache
39
-
40 9
 - name: Enable Apache SOCACHE_SHMCB module for the SSL stapling cache
41 10
   command: a2enmod socache_shmcb
42 11
     creates=/etc/apache2/mods-enabled/socache_shmcb.load
43 12
   notify: restart apache
44
-  when: ansible_distribution_release != 'wheezy'
45 13
 
46
-- name: Add Apache SSL stapling cache configuration
47
-  copy:
48
-    src=etc_apache2_conf-available_ssl-stapling-cache.conf
49
-    dest=/etc/apache2/conf-available/ssl-stapling-cache.conf
14
+- name: Add common Apache SSL config
15
+  template: src=etc_apache2_conf-available_ssl.conf.j2
16
+    dest=/etc/apache2/conf-available/ssl.conf
50 17
     owner=root
51 18
     group=root
52
-  when: ansible_distribution_release != 'wheezy'
53
-  notify: restart apache
54
-
55
-- name: Enable Apache SSL stapling cache configuration
56
-  command: a2enconf ssl-stapling-cache
57
-    creates=/etc/apache2/conf-enabled/ssl-stapling-cache.conf
58
-  when: ansible_distribution_release != 'wheezy'
59 19
   notify: restart apache
60 20
 
61
-- name: Add common Apache SSL config
62
-  template:
63
-    src=etc_apache2_ssl.conf.j2
64
-    dest=/etc/apache2/ssl.conf
65
-    owner=root
66
-    group=root
21
+- name: Enable Apache SSL config
22
+  command: a2enconf ssl creates=/etc/apache2/conf-enabled/ssl.conf
67 23
   notify: restart apache

+ 2
- 7
roles/common/tasks/ufw.yml 查看文件

@@ -1,7 +1,7 @@
1 1
 ---
2
-# Installs and configures ufw, which in turn uses iptables for firewall management
2
+# Installs and configures ufw, which in turn uses iptables for firewall management.
3
+# ufw includes sensible ICMP defaults.
3 4
 
4
-# ufw includes sensible icmp defaults
5 5
 - name: Install ufw
6 6
   apt: pkg=ufw state=present
7 7
   tags:
@@ -37,8 +37,3 @@
37 37
   register: ufw_config
38 38
   changed_when: False  # never report as "changed"
39 39
   tags: ufw
40
-
41
-- name: Disable logging (workaround for known bug in Debian 7)
42
-  ufw: logging=off
43
-  when: "ansible_lsb['codename'] == 'wheezy' and 'LOGLEVEL=off' not in ufw_config.stdout"
44
-  tags: ufw

+ 0
- 5
roles/common/templates/apt_sources.list.j2 查看文件

@@ -1,5 +0,0 @@
1
-# This file is generated by Sovereign
2
-deb mirror://mirrors.ubuntu.com/mirrors.txt {{ ansible_distribution_release }} main restricted universe multiverse
3
-deb mirror://mirrors.ubuntu.com/mirrors.txt {{ ansible_distribution_release }}-updates main restricted universe multiverse
4
-deb mirror://mirrors.ubuntu.com/mirrors.txt {{ ansible_distribution_release }}-backports main restricted universe multiverse
5
-deb mirror://mirrors.ubuntu.com/mirrors.txt {{ ansible_distribution_release }}-security main restricted universe multiverse

roles/common/templates/etc_apache2_ssl.conf.j2 → roles/common/templates/etc_apache2_conf-available_ssl.conf.j2 查看文件

@@ -1,14 +1,14 @@
1
-SSLEngine on
2 1
 SSLProtocol ALL -SSLv2 -SSLv3
3 2
 SSLHonorCipherOrder On
4 3
 SSLCompression off
5
-{% if ansible_distribution_release != 'wheezy' %}
6
-    SSLUseStapling On
7
-    SSLStaplingResponderTimeout 5
8
-    SSLStaplingReturnResponderErrors off
9
-{% endif %}
4
+SSLUseStapling On
5
+SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
6
+SSLStaplingResponderTimeout 5
7
+SSLStaplingReturnResponderErrors off
8
+
9
+SSLCertificateKeyFile	/etc/letsencrypt/live/{{ domain }}/privkey.pem
10
+SSLCertificateFile	/etc/letsencrypt/live/{{ domain }}/fullchain.pem
11
+
10 12
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
11
-SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
12
-SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
13
-SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
13
+
14 14
 Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

+ 0
- 4
roles/common/templates/etc_fail2ban_jail.local.j2 查看文件

@@ -28,11 +28,7 @@ maxretry = 1
28 28
 enabled = true
29 29
 filter = dovecot-pop3imap
30 30
 action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap,993,995", protocol=tcp]
31
-{% if ansible_distribution == 'Ubuntu' %}
32 31
 logpath = /var/log/mail.log
33
-{% else %}
34
-logpath = /var/log/maillog
35
-{% endif %}
36 32
 maxretry = 20
37 33
 findtime = 1200
38 34
 bantime = 1200

+ 8
- 0
roles/common/templates/etc_letsencrypt_cli.conf.j2 查看文件

@@ -0,0 +1,8 @@
1
+rsa-key-size = 4096
2
+server = {{ letsencrypt_server }}
3
+authenticator = standalone
4
+register-unsafely-without-email = True
5
+keep = True
6
+expand = True
7
+agree-tos = True
8
+non-interactive = True

+ 5
- 0
roles/common/templates/etc_ssh_ssh_config.j2 查看文件

@@ -1,3 +1,8 @@
1
+# Github needs diffie-hellman-group-exchange-sha1 some of the time but not always.
2
+Host github.com
3
+    KexAlgorithms {{ kex_algorithms }},diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
4
+
5
+Host *
1 6
     Ciphers {{ ciphers }}
2 7
     KexAlgorithms {{ kex_algorithms }}
3 8
     SendEnv LANG LC_*

+ 4
- 1
roles/common/templates/sudoers.j2 查看文件

@@ -1 +1,4 @@
1
-+{{ main_user_name }} ALL=(ALL) NOPASSWD: ALL
1
+{{ main_user_name }} ALL=(ALL) NOPASSWD: ALL
2
+
3
+# Allow SSH agent forwarding when using sudo
4
+Defaults    env_keep+=SSH_AUTH_SOCK

+ 3
- 0
roles/git/defaults/main.yml 查看文件

@@ -0,0 +1,3 @@
1
+cgit_version: 0.12
2
+cgit_domain: "git.{{ domain }}"
3
+gitolite_version: 3.6.4

+ 1
- 1
roles/git/tasks/cgit.yml 查看文件

@@ -46,7 +46,7 @@
46 46
             group=root
47 47
             owner=root
48 48
 
49
-- name: Enable Apache cgi module
49
+- name: Enable Apache CGI module
50 50
   command: a2enmod cgi creates=/etc/apache2/mods-enabled/cgi.load
51 51
   notify: restart apache
52 52
 

+ 4
- 17
roles/git/tasks/gitolite.yml 查看文件

@@ -7,23 +7,10 @@
7 7
 - name: Add www-data to the git group
8 8
   user: name=www-data groups=git append=yes
9 9
 
10
-- name: Download gitolite release
11
-  git: repo=git://github.com/sitaramc/gitolite
12
-       dest=/home/git/gitolite
13
-       version=v{{ gitolite_version }}
14
-       accept_hostkey=yes
15
-
16
-- name: Give git user file permissions
17
-  file: path=/home/git/gitolite
18
-        state=directory
19
-        recurse=yes
20
-        owner=git
21
-        group=git
22
-
23
-- name: Install gitolite
24
-  command: ./gitolite/install -ln /usr/local/bin
25
-           chdir=/home/git
26
-           creates=/usr/local/bin/gitolite
10
+- name: Install gitolite3 package
11
+  apt: pkg=gitolite3 state=installed
12
+  tags:
13
+    - dependencies
27 14
 
28 15
 - name: Copy .gitolite.rc file
29 16
   copy: src=home_git_.gitolite.rc

+ 0
- 31
roles/git/tasks/gitolite_packaged.yml 查看文件

@@ -1,31 +0,0 @@
1
-- name: Create gitolite group
2
-  group: name=git state=present
3
-
4
-- name: Create gitolite user
5
-  user: name=git state=present home=/home/git system=yes group=git
6
-
7
-- name: Add www-data to the git group
8
-  user: name=www-data groups=git append=yes
9
-
10
-- name: Install gitolite3 package
11
-  apt: pkg=gitolite3 state=installed
12
-  tags:
13
-    - dependencies
14
-
15
-- name: Copy .gitolite.rc file
16
-  copy: src=home_git_.gitolite.rc
17
-        dest=/home/git/.gitolite.rc
18
-        group=git
19
-        owner=git
20
-        mode=0644
21
-
22
-- name: Copy SSH public key to server
23
-  copy: src=gitolite.pub
24
-        dest=/home/git/{{ main_user_name }}.pub
25
-        group=git
26
-        owner=git
27
-        mode=0644
28
-
29
-- name: Setup gitolite
30
-  command: su - git -c 'gitolite setup -pk {{ main_user_name }}.pub'
31
-           chdir=/home/git

+ 0
- 3
roles/git/tasks/main.yml 查看文件

@@ -1,5 +1,2 @@
1 1
 - include: gitolite.yml tags=gitolite
2
-  when: ansible_distribution_release != 'trusty'
3
-- include: gitolite_packaged.yml tags=gitolite
4
-  when: ansible_distribution_release == 'trusty'
5 2
 - include: cgit.yml tags=cgit

+ 2
- 4
roles/git/templates/etc_apache2_sites-available_cgit.j2 查看文件

@@ -6,15 +6,13 @@
6 6
 
7 7
 <VirtualHost *:443>
8 8
     ServerName {{ cgit_domain }}
9
+    SSLEngine On
9 10
 
10
-    Include /etc/apache2/ssl.conf
11 11
     DocumentRoot /var/www/htdocs/cgit/
12
-
13 12
     <Directory "/var/www/htdocs/cgit/">
14 13
         AllowOverride None
15 14
         Options +ExecCGI
16
-        Order allow,deny
17
-        Allow from all
15
+        Require all granted
18 16
     </Directory>
19 17
 
20 18
     Alias /cgit.png         /var/www/htdocs/cgit/cgit.png

+ 1
- 0
roles/ircbouncer/defaults/main.yml 查看文件

@@ -0,0 +1 @@
1
+irc_timezone: "{{ common_timezone|default('Etc/UTC') }}"

+ 0
- 139
roles/ircbouncer/files/etc_init.d_znc 查看文件

@@ -1,139 +0,0 @@
1
-#! /bin/sh
2
-### BEGIN INIT INFO
3
-# Provides:          znc
4
-# Required-Start:    $remote_fs $syslog
5
-# Required-Stop:     $remote_fs $syslog
6
-# Default-Start:     2 3 4 5
7
-# Default-Stop:      0 1 6
8
-# Short-Description: ZNC IRC bouncer
9
-# Description:       ZNC is an IRC bouncer
10
-### END INIT INFO
11
- 
12
-PATH=/sbin:/usr/sbin:/bin:/usr/bin
13
-DESC="ZNC daemon"
14
-NAME=znc
15
-DAEMON=/usr/local/bin/$NAME
16
-DATADIR=/var/lib/znc
17
-DAEMON_ARGS="--datadir=$DATADIR"
18
-PIDDIR=/var/run/znc
19
-PIDFILE=$PIDDIR/$NAME.pid
20
-SCRIPTNAME=/etc/init.d/$NAME
21
-USER=znc
22
-GROUP=znc
23
-
24
-# Exit if the package is not installed
25
-[ -x "$DAEMON" ] || exit 0
26
-
27
-# Read configuration variable file if it is present
28
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
29
-
30
-# Load the VERBOSE setting and other rcS variables
31
-. /lib/init/vars.sh
32
-
33
-# Define LSB log_* functions.
34
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
35
-# and status_of_proc is working.
36
-. /lib/lsb/init-functions
37
-
38
-#
39
-# Function that starts the daemon/service
40
-#
41
-do_start()
42
-{
43
-  # Return
44
-  #   0 if daemon has been started
45
-  #   1 if daemon was already running
46
-  #   2 if daemon could not be started
47
-  if [ ! -d $PIDDIR ]
48
-  then
49
-    mkdir $PIDDIR
50
-  fi
51
-  chown $USER:$GROUP $PIDDIR
52
-  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test --chuid $USER > /dev/null || return 1
53
-  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER -- $DAEMON_ARGS > /dev/null || return 2
54
-}
55
-
56
-#
57
-# Function that stops the daemon/service
58
-#
59
-do_stop()
60
-{
61
-  # Return
62
-  #   0 if daemon has been stopped
63
-  #   1 if daemon was already stopped
64
-  #   2 if daemon could not be stopped
65
-  #   other if a failure occurred
66
-  start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME --chuid $USER
67
-  RETVAL="$?"
68
-  [ "$RETVAL" = 2 ] && return 2
69
-  # Wait for children to finish too if this is a daemon that forks
70
-  # and if the daemon is only ever run from this initscript.
71
-  # If the above conditions are not satisfied then add some other code
72
-  # that waits for the process to drop all resources that could be
73
-  # needed by services started subsequently.  A last resort is to
74
-  # sleep for some time.
75
-  start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --chuid $USER
76
-  [ "$?" = 2 ] && return 2
77
-  # Many daemons don't delete their pidfiles when they exit.
78
-  rm -f $PIDFILE
79
-  return "$RETVAL"
80
-}
81
-
82
-#
83
-# Function that sends a SIGHUP to the daemon/service
84
-#
85
-do_reload() {
86
-  start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME --chuid $USER
87
-  return 0
88
-}
89
-
90
-case "$1" in
91
-  start)
92
-  [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
93
-  do_start
94
-  case "$?" in
95
-    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
96
-    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
97
-  esac
98
-  ;;
99
-  stop)
100
-  [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
101
-  do_stop
102
-  case "$?" in
103
-    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
104
-    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
105
-  esac
106
-  ;;
107
-  status)
108
-  status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $?
109
-  ;;
110
-  reload)
111
-  log_daemon_msg "Reloading $DESC" "$NAME"
112
-  do_reload
113
-  log_end_msg $?
114
-  ;;
115
-  restart)
116
-  log_daemon_msg "Restarting $DESC" "$NAME"
117
-  do_stop
118
-  case "$?" in
119
-    0|1)
120
-    do_start
121
-    case "$?" in
122
-      0) log_end_msg 0 ;;
123
-      1) log_end_msg 1 ;; # Old process is still running
124
-      *) log_end_msg 1 ;; # Failed to start
125
-    esac
126
-    ;;
127
-    *)
128
-    # Failed to stop
129
-    log_end_msg 1
130
-    ;;
131
-  esac
132
-  ;;
133
-  *)
134
-  echo "Usage: $SCRIPTNAME {status|start|stop|reload|restart}" >&2
135
-  exit 3
136
-  ;;
137
-esac
138
-
139
-:

+ 11
- 0
roles/ircbouncer/files/etc_systemd_system_znc.service 查看文件

@@ -0,0 +1,11 @@
1
+[Unit]
2
+Description=ZNC, an IRC bouncer
3
+After=network.target
4
+
5
+[Service]
6
+ExecStart=/usr/bin/znc --datadir=/usr/lib/znc
7
+PIDFile=/var/run/znc/znc.pid
8
+User=znc
9
+
10
+[Install]
11
+WantedBy=multi-user.target

+ 33
- 38
roles/ircbouncer/tasks/znc.yml 查看文件

@@ -1,64 +1,59 @@
1 1
 # more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
2 2
 
3
-- name: Install znc dependencies
3
+- name: Install znc
4 4
   apt: pkg={{ item }} state=installed
5 5
   with_items:
6
-    - automake
7
-    - build-essential
8
-    - checkinstall
9
-    - g++
10
-    - libperl-dev
11
-    - libsasl2-dev
12
-    - libssl-dev
13
-    - libtool
14
-    - openssl
15
-    - pkg-config
16
-    - python3-dev
17
-    - swig
18
-  tags:
19
-    - dependencies
20
-
21
-- name: Download znc release
22
-  get_url: url=http://znc.in/releases/archive/znc-{{ znc_version }}.tar.gz dest=/root/znc-{{ znc_version }}.tar.gz
23
-
24
-- name: Decompress znc source
25
-  unarchive: src=/root/znc-{{ znc_version }}.tar.gz
26
-             dest=/root copy=no
27
-             creates=/root/znc-{{ znc_version }}/configure
28
-
29
-- name: Build and install znc
30
-  shell: ./configure --enable-python && make && make install executable=/bin/bash chdir=/root/znc-{{ znc_version }} creates=/usr/local/bin/znc
31
-  notify: restart znc
6
+    - znc
32 7
 
33 8
 - name: Create znc group
34 9
   group: name=znc state=present
35 10
 
36 11
 - name: Create znc user
37
-  user: name=znc state=present home=/var/lib/znc system=yes group=znc shell=/usr/sbin/nologin
12
+  user: name=znc state=present home=/usr/lib/znc system=yes group=znc shell=/usr/sbin/nologin
38 13
 
39
-- name: Copy znc init file into place
40
-  copy: src=etc_init.d_znc dest=/etc/init.d/znc mode=0755
14
+- name: Ensure pid directory exists
15
+  file: state=directory path=/var/run/znc group=znc owner=znc
41 16
 
42
-- name: Create a combined version of the private key with public cert and intermediate + root CAs
43
-  shell: cat /etc/ssl/private/wildcard_private.key /etc/ssl/certs/wildcard_combined.pem >
44
-    /var/lib/znc/znc.pem creates=/var/lib/znc/znc.pem
17
+- name: Ensure configuration folders exist
18
+  file: state=directory path=/usr/lib/znc/{{ item }} group=znc owner=znc
19
+  with_items:
20
+    - moddata
21
+    - modules
22
+    - users
23
+
24
+- name: Copy znc service file into place
25
+  copy: src=etc_systemd_system_znc.service dest=/etc/systemd/system/znc.service mode=0644
26
+
27
+- name: Create a combined version of the SSL private key and full certificate chain
28
+  shell: cat /etc/letsencrypt/live/{{ domain }}/privkey.pem
29
+    /etc/letsencrypt/live/{{ domain }}/fullchain.pem >
30
+    /usr/lib/znc/znc.pem
31
+    creates=/usr/lib/znc/znc.pem
45 32
   notify: restart znc
46 33
 
34
+- name: Update post-certificate-renewal task
35
+  template:
36
+    src: etc_letsencrypt_postrenew_znc.sh.j2
37
+    dest: /etc/letsencrypt/postrenew/znc.sh
38
+    owner: root
39
+    group: root
40
+    mode: 0755
41
+
47 42
 - name: Ensure znc user and group can read cert
48
-  file: path=/var/lib/znc/znc.pem group=znc owner=znc mode=640
43
+  file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=0640
49 44
   notify: restart znc
50 45
 
51 46
 - name: Check for existing config file
52
-  command: cat /var/lib/znc/configs/znc.conf
47
+  command: cat /usr/lib/znc/configs/znc.conf
53 48
   register: znc_config
54 49
   ignore_errors: True
55 50
   changed_when: False  # never report as "changed"
56 51
 
57 52
 - name: Create znc config directory
58
-  file: state=directory path=/var/lib/znc/configs group=znc owner=znc
53
+  file: state=directory path=/usr/lib/znc/configs group=znc owner=znc
59 54
 
60 55
 - name: Copy znc configuration file into place
61
-  template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc
56
+  template: src=usr_lib_znc_configs_znc.conf.j2 dest=/usr/lib/znc/configs/znc.conf owner=znc group=znc
62 57
   when: znc_config.rc != 0
63 58
   notify: restart znc
64 59
 
@@ -67,4 +62,4 @@
67 62
   tags: ufw
68 63
 
69 64
 - name: Ensure znc is a system service
70
-  service: name=znc state=started enabled=true
65
+  service: name=znc state=restarted enabled=true

+ 7
- 0
roles/ircbouncer/templates/etc_letsencrypt_postrenew_znc.sh.j2 查看文件

@@ -0,0 +1,7 @@
1
+#!/bin/bash
2
+# Executed by /etc/cron.daily/letsencrypt-renew
3
+
4
+cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /usr/lib/znc/znc.pem
5
+chown znc.znc /usr/lib/znc/znc.pem
6
+chmod 640 /usr/lib/znc/znc.pem
7
+service znc restart

roles/ircbouncer/templates/var_lib_znc_configs_znc.conf.j2 → roles/ircbouncer/templates/usr_lib_znc_configs_znc.conf.j2 查看文件

@@ -16,7 +16,7 @@ MaxBufferSize = 500
16 16
 Motd = Connected to ZNC
17 17
 PidFile = /var/run/znc/znc.pid
18 18
 ProtectWebSessions = true
19
-SSLCertFile = /var/lib/znc/znc.pem
19
+SSLCertFile = /usr/lib/znc/znc.pem
20 20
 ServerThrottle = 30
21 21
 Skin = _default_
22 22
 StatusPrefix = *

+ 29
- 0
roles/mailserver/defaults/main.yml 查看文件

@@ -0,0 +1,29 @@
1
+secret_root: '{{ inventory_dir | realpath }}'
2
+secret_name: 'secret'
3
+secret: '{{ secret_root + "/" + secret_name }}'
4
+
5
+db_admin_username: 'postgres'
6
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password', length=32) }}"
7
+
8
+mail_db_username: 'mailuser'
9
+mail_db_password: "{{ lookup('password', secret + '/' + 'mail_db_password', length=32) }}"
10
+mail_db_database: 'mailserver'
11
+
12
+mail_server_hostname: "mail.{{ domain }}"
13
+mail_server_autoconfig_hostname: "autoconfig.{{ domain }}"
14
+mail_header_privacy: 1
15
+
16
+# virtual domains
17
+mail_virtual_domains: []
18
+mail_virtual_users: []
19
+mail_virtual_aliases: []
20
+
21
+# opendmarc
22
+mail_db_opendmarc_username: opendmarc
23
+mail_db_opendmarc_database: opendmarc
24
+mail_db_opendmarc_password: "{{ lookup('password', secret + '/' + 'mail_db_opendmarc_password', length=32) }}"
25
+
26
+# zpush
27
+zpush_version: 2.1.1-1788
28
+# common_timezone is a sovereign variable
29
+zpush_timezone: "{{ common_timezone|default('Etc/UTC') }}"

+ 0
- 13
roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf 查看文件

@@ -7,19 +7,6 @@
7 7
 # their configuration. Note that %variable expansion is done for all values.
8 8
 
9 9
 plugin {
10
-  # Antispam (DSPAM)
11
-  antispam_backend = dspam
12
-  antispam_allow_append_to_spam = YES
13
-  antispam_spam = Spam;Junk
14
-  antispam_trash = trash;Trash
15
-  antispam_signature = X-DSPAM-Signature
16
-  antispam_signature_missing = error
17
-  antispam_dspam_binary = /usr/bin/dspam
18
-  antispam_dspam_args = --user;%u;--deliver=;--source=error
19
-  antispam_dspam_spam = --class=spam
20
-  antispam_dspam_notspam = --class=innocent
21
-  antispam_dspam_result_header = X-DSPAM-Result
22
-
23 10
   # FTS (full text search with Solr)
24 11
   fts = solr
25 12
   fts_solr = break-imap-search url=http://localhost:8080/solr/

+ 0
- 43
roles/mailserver/files/etc_dspam_default.prefs 查看文件

@@ -1,43 +0,0 @@
1
-# $Id: default.prefs,v 1.2 2011/04/19 07:17:03 sbajic Exp $
2
-# default.prefs v3.2
3
-# Default preferences for DSPAM
4
-
5
-# This file serves two purposes. First, it sets the default preferences each
6
-# user will see when using the preferences section of the DSPAM Control
7
-# Center. Second, it may be symbolically linked (or copied) into DSPAM_HOME to
8
-# set the system-wide default preferences, overriding any commandline or
9
-# dspam.conf parameters. If symlinked, an administrator can edit these options 
10
-# in the DSPAM Administrative Suite.
11
-
12
-# Training Mode: TEFT, TOE, TUM, NOTRAIN
13
-trainingMode=TEFT
14
-
15
-# Spam Action: quarantine, tag, deliver
16
-spamAction=deliver         # { quarantine | tag | deliver } -> default:quarantine
17
-
18
-# Spam Subject: the text to be prepended onto the subject line of tagged spams
19
-spamSubject=[SPAM]
20
-
21
-# Bayesian Noise Reduction: on/off
22
-enableBNR=on
23
-
24
-# Automatic Whitelisting: on/off
25
-enableWhitelist=on
26
-
27
-# Statistical Sedation: 0-10
28
-statisticalSedation=5
29
-
30
-# Signature Location: message, headers, attachment
31
-signatureLocation=headers
32
-
33
-# Whitelist Threshold: the minimum number of innocent hits from a recipient to
34
-# be automatically whitelisted. Do not set this value too low!
35
-whitelistThreshold=10
36
-
37
-# showFactors: when set to on, the determining factors for each message will
38
-# be added to a X-DSPAM-Factors message header.
39
-showFactors=on
40
-
41
-# optIn/optOut: Depending on the opt mode set, you can also use one of these.
42
-#optIn=on
43
-#optOut=off

+ 0
- 699
roles/mailserver/files/etc_dspam_dspam.conf 查看文件

@@ -1,699 +0,0 @@
1
-## $Id: dspam.conf.in,v 1.100 2011/07/09 00:00:52 sbajic Exp $
2
-## dspam.conf -- DSPAM configuration file
3
-##
4
-
5
-#
6
-# DSPAM Home: Specifies the base directory to be used for DSPAM storage
7
-#
8
-Home /decrypted/dspam
9
-
10
-#
11
-# StorageDriver: Specifies the storage driver backend (library) to use.
12
-# You'll only need to set this if you are using dynamic storage driver plugins
13
-# from a binary distribution. The default build statically links the storage
14
-# driver (when only one is specified at configure time), overriding this
15
-# setting, which only comes into play if multiple storage drivers are specified
16
-# at configure time. When using dynamic linking, be sure to include the path
17
-# to the library if necessary, and some systems may use an extension other
18
-# than .so (e.g. OSX uses .dylib).
19
-#
20
-# Options include:
21
-#
22
-#   libmysql_drv.so     libpgsql_drv.so
23
-#   libsqlite3_drv.so   libhash_drv.so
24
-#
25
-# IMPORTANT: Switching storage drivers requires more than merely changing
26
-# this option. If you do not wish to lose all of your data, you will need to
27
-# migrate it to the new backend before making this change.
28
-#
29
-StorageDriver /usr/lib/x86_64-linux-gnu/dspam/libhash_drv.so
30
-
31
-#
32
-# Trusted Delivery Agent: Specifies the local delivery agent DSPAM should call
33
-# when delivering mail as a trusted user. Use %u to specify the user DSPAM is
34
-# processing mail for. It is generally a good idea to allow the MTA to specify
35
-# the pass-through arguments at run-time, but they may also be specified here.
36
-#
37
-# Most operating system defaults:
38
-#TrustedDeliveryAgent "/usr/bin/procmail"       # Linux
39
-#TrustedDeliveryAgent "/usr/bin/mail"           # Solaris
40
-#TrustedDeliveryAgent "/usr/libexec/mail.local" # FreeBSD
41
-#TrustedDeliveryAgent "/usr/bin/procmail"       # Cygwin
42
-#
43
-# Other popular configurations:
44
-#TrustedDeliveryAgent "/usr/cyrus/bin/deliver"	# Cyrus
45
-#TrustedDeliveryAgent "/bin/maildrop"		# Maildrop
46
-#TrustedDeliveryAgent "/usr/local/sbin/exim -oMr spam-scanned -oi" # Exim
47
-#
48
-TrustedDeliveryAgent "/usr/sbin/sendmail"
49
-
50
-#
51
-# Untrusted Delivery Agent: Specifies the local delivery agent and arguments
52
-# DSPAM should use when delivering mail and running in untrusted user mode.
53
-# Because DSPAM will not allow pass-through arguments to be specified to
54
-# untrusted users, all arguments should be specified here. Use %u to specify
55
-# the user DSPAM is processing mail for. This configuration parameter is only
56
-# necessary if you plan on allowing untrusted processing.
57
-#
58
-UntrustedDeliveryAgent "/usr/lib/dovecot/deliver -d %u"
59
-
60
-#
61
-# SMTP or LMTP Delivery: Alternatively, you may wish to use SMTP or LMTP
62
-# delivery to deliver your message to the mail server instead of using a
63
-# delivery agent. You will need to configure with --enable-daemon to use host
64
-# delivery, however you do not need to operate in daemon mode. Specify an IP
65
-# address or UNIX path to a domain socket below as a host.
66
-#
67
-# If you would like to set up DeliveryHost's on a per-domain basis, use
68
-# the syntax: DeliveryHost.domain.com 1.2.3.4
69
-#
70
-#DeliveryHost		127.0.0.1
71
-#DeliveryPort		2424
72
-#DeliveryIdent		localhost
73
-#DeliveryProto		LMTP
74
-
75
-#
76
-# FallbackDomains: If you want to specify certain domains as fallback domains,
77
-# enable this option. For example, you could create a user @domain.com, and
78
-# if bob@domain.com does not resolve to a known user on the system, the user
79
-# could default to your @domain.com user. NOTE: This also requires designating
80
-# fallbackDomain for the domain name;
81
-# e.g. dspam_admin ch pref domain.com fallbackDomain on
82
-#
83
-#FallbackDomains on
84
-
85
-#
86
-# Quarantine Agent: DSPAM's default behavior is to quarantine all mail it
87
-# thinks is spam. If you wish to override this behavior, you may specify
88
-# a quarantine agent which will be called with all messages DSPAM thinks is
89
-# spam. Use %u to specify the user DSPAM is processing mail for.
90
-#
91
-#QuarantineAgent	"/usr/bin/procmail -d spam"
92
-
93
-#
94
-# DSPAM can optionally process "plused users" (addresses in the user+detail
95
-# form) by truncating the username just before the "+", so all internal
96
-# processing occurs for "user", but delivery will be performed for
97
-# "user+detail". This is only useful if the LDA can handle "plused users"
98
-# (for example Cyrus IMAP) and when configured for LMTP delivery above
99
-#
100
-#EnablePlusedDetail	on
101
-
102
-#
103
-# Character to use as seperator between user names and address extensions.
104
-# If you change this value then please adjust QuarantineMailbox to use the
105
-# new specified character. The default is '+'.
106
-#
107
-#PlusedCharacter	+
108
-
109
-#
110
-# Turn this feature on if you want to force DSPAM to lowercase the "plused
111
-# users" username.
112
-#
113
-#PlusedUserLowercase	on
114
-
115
-#
116
-# Quarantine Mailbox: DSPAM's LMTP code can send spam mail using LMTP to a
117
-# "plused" mailbox (such as user+quarantine) leaving quarantine processing
118
-# for retraining or deletion to be performed by the LDA and the mail client.
119
-# "plused" mailboxes are supported by Cyrus IMAP and possibly other LDAs. If
120
-# you don't set/change PlusedCharacter then the mailbox name must have the +
121
-# since the + is the default used character.
122
-#
123
-#QuarantineMailbox	+quarantine
124
-
125
-#
126
-# OnFail: What to do if local delivery or quarantine should fail. If set
127
-# to "unlearn", DSPAM will unlearn the message prior to exiting with an
128
-# un successful return code. The default option, "error" will not unlearn
129
-# the message but return the appropriate error code. The unlearn option
130
-# is use-ful on some systems where local delivery failures will cause the
131
-# message to be requeued for delivery, and could result in the message
132
-# being processed multiple times. During a very large failure, however,
133
-# this could cause a significant load increase.
134
-#
135
-OnFail error
136
-
137
-#
138
-# Trusted Users: Only the users specified below will be allowed to perform
139
-# administrative functions in DSPAM such as setting the active user and
140
-# accessing tools. All other users attempting to run DSPAM will be restricted;
141
-# their uids will be forced to match the active username and they will not be
142
-# able to specify delivery agent privileges or use tools.
143
-#
144
-Trust root
145
-Trust dspam
146
-Trust www-data
147
-Trust mail
148
-Trust daemon
149
-Trust amavis
150
-Trust vmail
151
-#Trust nobody
152
-#Trust majordomo
153
-
154
-#
155
-# Debugging: Enables debugging for some or all users. IMPORTANT: DSPAM must
156
-# be compiled with debug support in order to use this option. DSPAM should
157
-# never be running in production with debug active unless you are
158
-# troubleshooting problems.
159
-#
160
-# DebugOpt: One or more of: process, classify, spam, fp, inoculation, corpus
161
-#   process     standard message processing
162
-#   classify    message classification using --classify
163
-#   spam        error correction of missed spam
164
-#   fp          error correction of false positives
165
-#   inoculation message inoculations (source=inoculation)
166
-#   corpus      corpusfed messages (source=corpus)
167
-#
168
-#Debug *
169
-#Debug bob bill
170
-#
171
-#DebugOpt process spam fp
172
-
173
-#
174
-# ClassAlias: Alias a particular class to spam/nonspam. This is useful if
175
-# classifying things other than spam.
176
-#
177
-#ClassAliasSpam badstuff
178
-#ClassAliasNonspam goodstuff
179
-
180
-#
181
-# Training Mode: The default training mode to use for all operations, when
182
-# one has not been specified on the commandline or in the user's preferences.
183
-# Acceptable values are:
184
-#     toe     Train on Error (Only)
185
-#     teft    Train Everything (Trains on every message)
186
-#     tum     Train Until Mature (Train only tokens without enough data)
187
-#     notrain Do not train or store signatures (large ISP systems, post-train)
188
-#
189
-TrainingMode teft
190
-
191
-#
192
-# TestConditionalTraining: By default, dspam will retrain certain errors
193
-# until the condition is no longer met. This usually accelerates learning.
194
-# Some people argue that this can increase the risk of errors, however.
195
-#
196
-TestConditionalTraining on
197
-
198
-#
199
-# Features: Specify features to activate by default; can also be specified
200
-# on the commandline. See the documentation for a list of available features.
201
-# If _any_ features are specified on the commandline, these are ignored.
202
-#
203
-#Feature noise
204
-Feature whitelist
205
-
206
-# Training Buffer: The training buffer waters down statistics during training.
207
-# It is designed to prevent false positives, but can also dramatically reduce
208
-# dspam's catch rate during initial training. This can be a number from 0
209
-# (no buffering) to 10 (maximum buffering). If you are paranoid about false
210
-# positives, you should probably enable this option.
211
-#
212
-#Feature tb=5
213
-
214
-#
215
-# Algorithms: Specify the statistical algorithms to use, overriding any
216
-# defaults configured in the build. The options are:
217
-#    naive       Naive-Bayesian (All Tokens)
218
-#    graham      Graham-Bayesian ("A Plan for Spam")
219
-#    burton      Burton-Bayesian (SpamProbe)
220
-#    robinson    Robinson's Geometric Mean Test (Obsolete)
221
-#    chi-square  Fisher-Robinson's Chi-Square Algorithm
222
-#
223
-# You may have multiple algorithms active simultaneously, but it is strongly
224
-# recommended that you group Bayesian algorithms with other Bayesian
225
-# algorithms, and any use of Chi-Square remain exclusive.
226
-#
227
-# NOTE: For standard "CRM114" Markovian weighting, use 'naive', or consider
228
-#       using 'burton' for slightly better accuracy
229
-#
230
-# Don't mess with this unless you know what you're doing
231
-#
232
-#Algorithm chi-square
233
-#Algorithm naive
234
-Algorithm graham burton
235
-
236
-#
237
-# Tokenizer: Specify the tokenizer to use. The tokenizer is the piece
238
-# responsible for parsing the message into individual tokens. Depending on
239
-# how many resources you are willing to trade off vs. accuracy, you may
240
-# choose to use a less or more detailed tokenizer:
241
-#   word    uniGram (single word) tokenizer
242
-#           Tokenizes message into single individual words/tokens
243
-#           example: "free" and "viagra"
244
-#   chain   biGram (chained tokens) tokenizer (default)
245
-#           Single words + chains adjacent tokens together
246
-#           example: "free" and "viagra" and "free viagra"
247
-#   sbph    Sparse Binary Polynomial Hashing tokenizer
248
-#           Creates sparse token patterns across sliding window of 5-tokens
249
-#           example: "the quick * fox jumped" and "the * * fox jumped"
250
-#   osb     Orthogonal Sparse biGram tokenizer
251
-#           Similar to SBPH, but only uses the biGrams
252
-#           example: "the * * fox" and "the * * * jumped"
253
-#
254
-# In general the reccomendation is to use 'osb' for new installations.
255
-# The default value of 'chain' remains here as not to surprise anyone upgrading
256
-# that has not changed from the default value.
257
-#
258
-Tokenizer chain
259
-
260
-#
261
-# PValue: Specify the technique used for calculating Probability Values,
262
-# overriding any defaults configured in the build. These options are:
263
-#    bcr         Bayesian Chain Rule (Graham's Technique - "A Plan for Spam")
264
-#    robinson    Robinson's Technique (used in Chi-Square)
265
-#    markov      Markovian Weighted Technique (for Markovian discrimination)
266
-#
267
-# Unlike the "Algorithms" property, you may only have one of these defined.
268
-# Use of the chi-square algorithm automatically changes this to robinson.
269
-#
270
-# Don't mess with this unless you know what you're doing.
271
-#
272
-#PValue robinson
273
-#PValue markov
274
-PValue bcr
275
-
276
-#
277
-# WebStats: Enable this if you are using the CGI, which writes .stats files
278
-WebStats on
279
-
280
-#
281
-# ImprobabilityDrive: Calculate odds-ratios for ham/spam, and add to
282
-# X-DSPAM-Improbability headers
283
-#
284
-#ImprobabilityDrive on
285
-
286
-#
287
-# Preferences: Specify any preferences to set by default, unless otherwise
288
-# overridden by the user (see next section) or a default.prefs file.
289
-# If user or default.prefs are found, the user's preferences will override any
290
-# defaults.
291
-#
292
-Preference "trainingMode=TEFT"		# { TOE | TUM | TEFT | NOTRAIN } -> default:teft
293
-Preference "spamAction=tag"		# { quarantine | tag | deliver } -> default:quarantine
294
-Preference "spamSubject=[SPAM]"		# { string } -> default:[SPAM]
295
-Preference "statisticalSedation=5"	# { 0 - 10 } -> default:0
296
-Preference "enableBNR=on"		# { on | off } -> default:off
297
-Preference "enableWhitelist=on"		# { on | off } -> default:on
298
-Preference "signatureLocation=headers"	# { message | headers } -> default:message
299
-Preference "tagSpam=off"		# { on | off }
300
-Preference "tagNonspam=off"		# { on | off }
301
-Preference "showFactors=off"		# { on | off } -> default:off
302
-Preference "optIn=off"			# { on | off }
303
-Preference "optOut=off"			# { on | off }
304
-Preference "whitelistThreshold=10"	# { Integer } -> default:10
305
-Preference "makeCorpus=off"		# { on | off } -> default:off
306
-Preference "storeFragments=off"		# { on | off } -> default:off
307
-Preference "localStore="		# { on | off } -> default:username
308
-Preference "processorBias=on"		# { on | off } -> default:on
309
-Preference "fallbackDomain=off"		# { on | off } -> default:off
310
-Preference "trainPristine=off"		# { on | off } -> default:off
311
-Preference "optOutClamAV=off"		# { on | off } -> default:off
312
-Preference "ignoreRBLLookups=off"	# { on | off } -> default:off
313
-Preference "RBLInoculate=off"		# { on | off } -> default:off
314
-Preference "notifications=off"		# { on | off } -> default:off
315
-
316
-#
317
-# Overrides: Specifies the user preferences which may override configuration
318
-# and commandline defaults. Any other preferences supplied by an untrusted user
319
-# will be ignored.
320
-#
321
-AllowOverride enableBNR
322
-AllowOverride enableWhitelist
323
-AllowOverride fallbackDomain
324
-AllowOverride ignoreGroups
325
-AllowOverride ignoreRBLLookups
326
-AllowOverride localStore
327
-AllowOverride makeCorpus
328
-AllowOverride optIn
329
-AllowOverride optOut
330
-AllowOverride optOutClamAV
331
-AllowOverride processorBias
332
-AllowOverride RBLInoculate
333
-AllowOverride showFactors
334
-AllowOverride signatureLocation
335
-AllowOverride spamAction
336
-AllowOverride spamSubject
337
-AllowOverride statisticalSedation
338
-AllowOverride storeFragments
339
-AllowOverride tagNonspam
340
-AllowOverride tagSpam
341
-AllowOverride trainPristine
342
-AllowOverride trainingMode
343
-AllowOverride whitelistThreshold
344
-AllowOverride dailyQuarantineSummary
345
-AllowOverride notifications
346
-
347
-# --- Profiles ---
348
-
349
-#
350
-# You can specify multiple storage profiles, and specify the server to
351
-# use on the commandline with --profile. For example:
352
-#
353
-#Profile DECAlpha
354
-#MySQLServer.DECAlpha	10.0.0.1
355
-#MySQLPort.DECAlpha	3306
356
-#MySQLUser.DECAlpha	dspam
357
-#MySQLPass.DECAlpha	changeme
358
-#MySQLDb.DECAlpha	dspam
359
-#MySQLCompress.DECAlpha	true
360
-#MySQLReconnect.DECAlpha	true
361
-#
362
-#Profile Sun420R
363
-#MySQLServer.Sun420R	10.0.0.2
364
-#MySQLPort.Sun420R	3306
365
-#MySQLUser.Sun420R	dspam
366
-#MySQLPass.Sun420R	changeme
367
-#MySQLDb.Sun420R	dspam
368
-#MySQLCompress.Sun420R	false
369
-#MySQLReconnect.Sun420R	true
370
-#
371
-#DefaultProfile	DECAlpha
372
-
373
-#
374
-# If you're using storage profiles, you can set failovers for each profile.
375
-# Of course, if you'll be failing over to another database, that database
376
-# must have the same information as the first. If you're using a global
377
-# database with no training, this should be relatively simple. If you're
378
-# configuring per-user data, however, you'll need to set up some type of
379
-# replication between databases.
380
-#
381
-#Failover.DECAlpha	SUN420R
382
-#Failover.Sun420R	DECAlpha
383
-
384
-# If the storage fails, the agent will follow each profile's failover up to
385
-# a maximum number of failover attempts. This should be set to a maximum of
386
-# the number of profiles you have, otherwise the agent could loop and try
387
-# the same profile multiple times (unless this is your desired behavior).
388
-#
389
-#FailoverAttempts	1
390
-
391
-#
392
-# Ignored headers: If DSPAM is behind other tools which may add a header to
393
-# incoming emails, it may be beneficial to ignore these headers - especially
394
-# if they are coming from another spam filter. If you are _not_ using one of
395
-# these tools, however, leaving the appropriate headers commented out will
396
-# allow DSPAM to use them as telltale signs of forged email.
397
-#
398
-#IgnoreHeader X-Spam-Status
399
-#IgnoreHeader X-Spam-Scanned
400
-#IgnoreHeader X-Virus-Scanner-Result
401
-
402
-#
403
-# Lookup: Perform lookups on streamlined blackhole list servers (see
404
-# http://www.nuclearelephant.com/projects/sbl/). The streamlined blacklist
405
-# server is machine-automated, unsupervised blacklisting system designed to
406
-# provide real-time and highly accurate blacklisting based on network spread.
407
-# When performing a lookup, DSPAM will automatically learn the inbound message
408
-# as spam if the source IP is listed. Until an official public RABL server is
409
-# available, this feature is only useful if you are running your own
410
-# streamlined blackhole list server for internal reporting among multiple mail
411
-# servers. Provide the name of the lookup zone below to use.
412
-#
413
-# This function performs standard reverse-octet.domain lookups, and while it
414
-# will function with many RBLs, it's strongly discouraged to use those
415
-# maintained by humans as they're often inaccurate and could hurt filter
416
-# learning and accuracy.
417
-#
418
-#Lookup		"sbl.yourdomain.com"
419
-
420
-#
421
-# RBLInoculate: If you want to inoculate the user from RBL'd messages it would
422
-# have otherwise missed, set this to on.
423
-#
424
-#RBLInoculate	off
425
-
426
-#
427
-# Notifications: Enable the sending of notification emails to users (first
428
-# message, quarantine full, etc.)
429
-#
430
-Notifications	off
431
-
432
-#
433
-# QuarantineWarnSize: You may specify a size when DSPAM should send a "Quarantine
434
-# Full" message to each user. This is only working if you enable notifications
435
-# (see above). Value is in bytes. Default is 2097152 -> 2MB.
436
-#
437
-#QuarantineWarnSize 2097152
438
-
439
-#
440
-# Purge configuration: Set dspam_clean purge default options, if not otherwise
441
-# specified on the commandline
442
-#
443
-PurgeSignatures 14	# Stale signatures
444
-PurgeNeutral	90	# Tokens with neutralish probabilities
445
-PurgeUnused	90	# Unused tokens
446
-PurgeHapaxes	30	# Tokens with less than 5 hits (hapaxes)
447
-PurgeHits1S	15	# Tokens with only 1 spam hit
448
-PurgeHits1I	15	# Tokens with only 1 innocent hit
449
-
450
-#
451
-# Purge configuration for SQL-based installations using purge.sql
452
-#
453
-#PurgeSignature	off	# Specified in purge.sql
454
-#PurgeNeutral	90
455
-#PurgeUnused	off	# Specified in purge.sql
456
-#PurgeHapaxes	off	# Specified in purge.sql
457
-#PurgeHits1S	off	# Specified in purge.sql
458
-#PurgeHits1I	off	# Specified in purge.sql
459
-
460
-#
461
-# Local Mail Exchangers: Used for source address tracking, tells DSPAM which
462
-# mail exchangers are local and therefore should be ignored in the Received:
463
-# header when tracking the source of an email. Note: you should use the address
464
-# of the host as appears between brackets [ ] in the Received header.
465
-# By default DSPAM is considering the following IPs always as LocalMX:
466
-#	10.0.0.0/8	- Private IP addresses (RFC 1918)
467
-#	127.0.0.0/8	- Localhost Loopback Address (RFC 1700)
468
-#	169.254.0.0/16	- Zeroconf / APIPA (RFC 3330)
469
-#	172.16.0.0/12	- Private IP addresses (RFC 1918)
470
-#	192.168.0.0/16	- Private IP addresses (RFC 1918)
471
-#
472
-LocalMX 127.0.0.1
473
-
474
-#
475
-# Logging: Disabling logging for users will make usage graphs unavailable to
476
-# them. Disabling system logging will make admin graphs unavailable.
477
-#
478
-SystemLog	on
479
-UserLog		on
480
-
481
-#
482
-# TrainPristine: for systems where the original message remains server side
483
-# and can therefore be presented in pristine format for retraining. This option
484
-# will cause DSPAM to cease all writing of signatures and DSPAM headers to the
485
-# message, and deliver the message in as pristine format as possible. This mode
486
-# REQUIRES that the original message in its pristine format (as of delivery)
487
-# be presented for retraining, as in the case of webmail, imap, or other
488
-# applications where the message is actually kept server-side during reading,
489
-# and is preserved. DO NOT use this switch unless the original message can be
490
-# presented for retraining with the ORIGINAL HEADERS and NO MODIFICATIONS.
491
-#
492
-# NOTE: You can't use this setting with dspam_trian; if you're going to use it,
493
-#       wait until after you train any corpora.
494
-#
495
-#TrainPristine on
496
-
497
-#
498
-# Opt: in or out; determines DSPAM's default filtering behavior. If this value
499
-# is set to in, users must opt-in to filtering by dropping a .dspam file in
500
-# /var/dspam/opt-in/user.dspam (or if you have homedirs configured, a .dspam
501
-# folder in their home directory).  The default is opt-out, which means all
502
-# users will be filtered unless a .nodspam file is dropped in
503
-# /var/dspam/opt-out/user.nodspam
504
-#
505
-Opt out
506
-
507
-#
508
-# TrackSources: specify which (if any) source addresses to track and report
509
-# them to syslog (mail.info). This is useful if you're running a firewall or
510
-# blacklist and would like to use this information. Spam reporting also drops
511
-# RABL blacklist files (see http://www.nuclearelephant.com/projects/rabl/).
512
-#
513
-#TrackSources spam nonspam virus
514
-
515
-#
516
-# ParseToHeaders: In lieu of setting up individual aliases for each user,
517
-# DSPAM can be configured to automatically parse the To: address for spam and
518
-# false positive forwards. From there, it can be configured to either set the
519
-# DSPAM user based on the username specified in the header and/or change the
520
-# training class and source accordingly. The options below can be used to
521
-# customize most common types of header parsing behavior to avoid the need for
522
-# multiple aliases, or if using LMTP, aliases entirely..
523
-#
524
-# ParseToHeader: Parse the To: headers of an incoming message. This must be
525
-#                set to 'on' to use either of the following features.
526
-#
527
-# ChangeModeOnParse: Automatically change the class (to spam or innocent)
528
-#   depending on whether spam- or notspam- was specified, and change the source
529
-#   to 'error'. This is convenient if you're not using aliases at all, but
530
-#   are delivering via LMTP.
531
-#
532
-# ChangeUserOnParse: Automatically change the username to match that specified
533
-#   in the To: header. For example, spam-bob@domain.tld will set the username
534
-#   to bob, ignoring any --user passed in. This may not always be desirable if
535
-#   you are using virtual email addresses as usernames. Options:
536
-#     on or user	take the portion before the @ sign only
537
-#     full		take everything after the initial {spam,notspam}-.
538
-#
539
-#ParseToHeaders on
540
-#ChangeModeOnParse on
541
-#ChangeUserOnParse on
542
-
543
-#
544
-# Broken MTA Options: Some MTAs don't support the proper functionality
545
-# necessary. In these cases you can activate certain features in DSPAM to
546
-# compensate. 'returnCodes' causes DSPAM to return an exit code of 99 if
547
-# the message is spam, 0 if not, or a negative code if an error has occured.
548
-# Specifying 'case' causes DSPAM to force the input usernames to lowercase.
549
-# Specifying 'lineStripping' causes DSPAM to strip ^M's from messages passed
550
-# in.
551
-#
552
-#Broken returnCodes
553
-#Broken case
554
-#Broken lineStripping
555
-
556
-#
557
-# MaxMessageSize: You may specify a maximum message size for DSPAM to process.
558
-# If the message is larger than the maximum size, it will be delivered
559
-# without processing. Value is in bytes.
560
-#
561
-#MaxMessageSize 4194304
562
-
563
-# --- ClamAV ---
564
-
565
-#
566
-# Virus Checking: If you are running clamd, DSPAM can perform stream-based
567
-# virus checking using TCP. Uncomment the values below to enable virus
568
-# checking.
569
-#
570
-# ClamAVResponse: reject (reject or drop the message with a permanent failure)
571
-#                 accept (accept the message and quietly drop the message)
572
-#                 spam   (treat as spam and quarantine/tag/whatever)
573
-#
574
-#ClamAVPort		3310
575
-#ClamAVHost		127.0.0.1
576
-#ClamAVResponse		accept
577
-
578
-# --- CLIENT / SERVER ---
579
-
580
-#
581
-# Daemonized Server: If you are running DSPAM as a daemonized server using
582
-# --daemon, the following parameters will override the default. Use the
583
-# ServerPass option to set up accounts for each client machine. The DSPAM
584
-# server will process and deliver the message based on the parameters
585
-# specified. If you want the client machine to perform delivery, use
586
-# the --stdout option in conjunction with a local setup.
587
-#
588
-# ServerHost: Not enabling ServerHost will bind DSPAM server to all available
589
-# interfaces.
590
-#
591
-# ServerPort: Default upstream configuration is to run dspam daemon on port
592
-# 24. On Debian, dspam being run as a unprivileged user, default port is
593
-# set to 2424.
594
-#
595
-#ServerHost		127.0.0.1
596
-#ServerPort		2424
597
-#ServerQueueSize	32
598
-#ServerPID		/var/run/dspam/dspam.pid
599
-
600
-#
601
-# ServerMode specifies the type of LMTP server to start. This can be one of:
602
-#     dspam: DSPAM-proprietary DLMTP server, for communicating with dspamc
603
-#  standard: Standard LMTP server, for communicating with Postfix or other MTA
604
-#      auto: Speak both DLMTP and LMTP; auto-detect by ServerPass.IDENT
605
-#
606
-#ServerMode dspam
607
-
608
-# If supporting DLMTP (dspam) mode, dspam clients will require authentication
609
-# as they will be passing in parameters. The idents below will be used to
610
-# determine which clients will be speaking DLMTP, so if you will be using
611
-# both LMTP and DLMTP from the same host, be sure to use something other
612
-# than the server's hostname below (which will be sent by the MTA during a
613
-# standard LMTP LHLO).
614
-#
615
-#ServerPass.Relay1	"secret"
616
-#ServerPass.Relay2	"password"
617
-
618
-# If supporting standard LMTP mode, server parameters will need to be specified
619
-# here, as they will not be passed in by the mail server. The ServerIdent
620
-# specifies the 250 response code ident sent back to connecting clients and
621
-# should be set to the hostname of your server, or an alias.
622
-#
623
-# NOTE: If you specify --user in ServerParameters, the RCPT TO will be
624
-#       used only for delivery, and not set as the active user for processing.
625
-#
626
-#ServerParameters	"--deliver=innocent -d %u"
627
-#ServerIdent		"localhost.localdomain"
628
-
629
-# If you wish to use a local domain socket instead of a TCP socket, uncomment
630
-# the following. It is strongly recommended you use local domain sockets if
631
-# you are running the client and server on the same machine, as it eliminates
632
-# much of the bandwidth overhead.
633
-#
634
-ServerDomainSocketPath	"/var/run/dspam/dspam.sock"
635
-
636
-#
637
-# Client Mode: If you are running DSPAM in client/server mode, uncomment and
638
-# set these variables. A ClientHost beginning with a / will be treated as
639
-# a domain socket.
640
-#
641
-#ClientHost	/var/run/dspam/dspam.sock
642
-#ClientIdent	"secret@Relay1"
643
-#
644
-#ClientHost	127.0.0.1
645
-#ClientPort	2424
646
-#ClientIdent	"secret@Relay1"
647
-
648
-# --- RABL ---
649
-
650
-# RABLQueue: Touch files in the RABL queue
651
-# If you are a reporting streamlined blackhole list participant, you can
652
-# touch ip addresses within the directory the rabl_client process is watching.
653
-#
654
-#RABLQueue	/var/spool/rabl
655
-
656
-# ---  ---
657
-
658
-# DataSource: If you are using any type of data source that does not include
659
-# email-like headers (such as documents), uncomment the line below. This
660
-# will cause the entire input to be treated like a message "body"
661
-#
662
-#DataSource document
663
-
664
-# ProcessorWordFrequency: By default, words are only counted once per message.
665
-# If you are classifying large documents, however, you may wish to count once
666
-# per occurrence instead.
667
-#
668
-#ProcessorWordFrequency occurrence
669
-
670
-# ProcessorURLContext: By default, a URL context is generated for URLs, which
671
-# records their tokens as separate from words found in documents. To use
672
-# URL tokens in the same context as words, turn this feature off.
673
-#
674
-ProcessorURLContext on
675
-
676
-# ProcessorBias: Bias causes the filter to lean more toward 'innocent', and
677
-# usually greatly reduces false positives. It is the default behavior of
678
-# most Bayesian filters (including dspam).
679
-#
680
-# NOTE: You probably DONT want this if you're using Markovian Weighting, unless
681
-# you are paranoid about false positives.
682
-#
683
-ProcessorBias on
684
-
685
-# StripRcptDomain: Cut the domain (including the at sign) from recipients.
686
-# This is particularly useful if the recipient name is equal to real user
687
-# accounts as recipients with domains tend to cause permission issues with
688
-# dspam-web.
689
-#
690
-StripRcptDomain off
691
-
692
-# --- Split Configuration File Support ---
693
-
694
-# Include a directory with configuration items.
695
-Include /etc/dspam/dspam.d/
696
-
697
-# ---  ---
698
-
699
-## EOF

+ 0
- 80
roles/mailserver/files/etc_opendmarc_import.sql 查看文件

@@ -1,89 +0,0 @@
1
---
2
-
3
-USE opendmarc;
4
-
5
-CREATE TABLE IF NOT EXISTS domains (
6
-        id INT NOT NULL AUTO_INCREMENT,
7
-        name VARCHAR(255) NOT NULL,
8
-        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
9
-
10
-        PRIMARY KEY(id),
11
-        UNIQUE KEY(name)
12
-);
13
-
14
-CREATE TABLE IF NOT EXISTS requests (
15
-        id INT NOT NULL AUTO_INCREMENT,
16
-        domain INT NOT NULL,
17
-        repuri VARCHAR(255) NOT NULL,
18
-        adkim TINYINT NOT NULL,
19
-        aspf TINYINT NOT NULL,
20
-        policy TINYINT NOT NULL,
21
-        spolicy TINYINT NOT NULL,
22
-        pct TINYINT NOT NULL,
23
-        locked TINYINT NOT NULL,
24
-        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
25
-        lastsent TIMESTAMP NOT NULL DEFAULT '0000-00-00 00:00:00',
26
-
27
-        PRIMARY KEY(id),
28
-        KEY(lastsent),
29
-        UNIQUE KEY(domain)
30
-);
31
-
32
-CREATE TABLE IF NOT EXISTS reporters (
33
-        id INT NOT NULL AUTO_INCREMENT,
34
-        name VARCHAR(255) NOT NULL,
35
-        firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
36
-
37
-        PRIMARY KEY(id),
38
-        UNIQUE KEY(name)
39
-);
40
-
41
-CREATE TABLE IF NOT EXISTS ipaddr (
42
-	id INT NOT NULL AUTO_INCREMENT,
43
-	addr VARCHAR(64) NOT NULL,
44
-	firstseen TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
45
-
46
-	PRIMARY KEY(id),
47
-	UNIQUE KEY(addr)
48
-);
49
-
50
-CREATE TABLE IF NOT EXISTS messages (
51
-        id INT NOT NULL AUTO_INCREMENT,
52
-        date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
53
-        jobid VARCHAR(128) NOT NULL,
54
-        reporter INT UNSIGNED NOT NULL,
55
-        policy TINYINT UNSIGNED NOT NULL,
56
-        disp TINYINT UNSIGNED NOT NULL,
57
-        ip INT UNSIGNED NOT NULL,
58
-        env_domain INT UNSIGNED NOT NULL,
59
-        from_domain INT UNSIGNED NOT NULL,
60
-        policy_domain INT UNSIGNED NOT NULL,
61
-        spf TINYINT UNSIGNED NOT NULL,
62
-        align_dkim TINYINT UNSIGNED NOT NULL,
63
-        align_spf TINYINT UNSIGNED NOT NULL,
64
-        sigcount TINYINT UNSIGNED NOT NULL,
65
-
66
-        PRIMARY KEY(id),
67
-        KEY(date),
68
-        UNIQUE KEY(reporter, date, jobid)
69
-);
70
-
71
-CREATE TABLE IF NOT EXISTS signatures (
72
-        id INT NOT NULL AUTO_INCREMENT,
73
-        message INT NOT NULL,
74
-        domain INT NOT NULL,
75
-        pass TINYINT NOT NULL,
76
-        error TINYINT NOT NULL,
77
-
78
-        PRIMARY KEY(id),
79
-        KEY(message)
80
-);

+ 0
- 1
roles/mailserver/files/etc_postfix_dspam_filter_access 查看文件

@@ -1 +0,0 @@
1
-/./   FILTER dspam:dspam

+ 12
- 14
roles/mailserver/files/etc_postfix_master.cf 查看文件

@@ -13,21 +13,22 @@ smtp       inet  n       -       -       -       1       postscreen
13 13
 smtpd      pass  -       -       -       -       -       smtpd
14 14
 dnsblog    unix  -       -       -       -       0       dnsblog
15 15
 tlsproxy   unix  -       -       -       -       0       tlsproxy
16
-#submission inet  n       -       -       -       -       smtpd
17
-#  -o syslog_name=postfix/submission
18
-#  -o smtpd_tls_security_level=encrypt
19
-#  -o smtpd_etrn_restrictions=reject
20
-#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
21
-#  -o milter_macro_daemon_name=ORIGINATING
22
-
23
-# SMTP over SSL/TLS on port 465.
24
-smtps     inet  n       -       -       -       -       smtpd
25
-  -o syslog_name=postfix/smtps
26
-  -o smtpd_tls_wrappermode=yes
16
+submission inet  n       -       -       -       -       smtpd
17
+  -o syslog_name=postfix/submission
18
+  -o smtpd_tls_security_level=encrypt
19
+  -o smtpd_etrn_restrictions=reject
27 20
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
28 21
   -o smtpd_sasl_security_options=noanonymous,noplaintext
29 22
   -o smtpd_sasl_tls_security_options=noanonymous
30 23
 
24
+# SMTP over SSL/TLS on port 465.
25
+#smtps     inet  n       -       -       -       -       smtpd
26
+#  -o syslog_name=postfix/smtps
27
+#  -o smtpd_tls_wrappermode=yes
28
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
29
+#  -o smtpd_sasl_security_options=noanonymous,noplaintext
30
+#  -o smtpd_sasl_tls_security_options=noanonymous
31
+
31 32
 #628       inet  n       -       -       -       -       qmqpd
32 33
 pickup    fifo  n       -       -       60      1       pickup
33 34
 cleanup   unix  n       -       -       -       0       cleanup
@@ -113,8 +114,5 @@ scalemail-backend unix	-	n	n	-	2	pipe
113 114
 mailman   unix  -       n       n       -       -       pipe
114 115
   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
115 116
   ${nexthop} ${user}
116
-# spam protection
117
-dspam     unix  -       n       n       -       10      pipe
118
-  flags=Ru user=dspam argv=/usr/bin/dspam --deliver=innocent,spam --user ${user}@${domain} -i -f $sender -- $recipient
119 117
 dovecot   unix  -       n       n       -       -       pipe
120 118
   flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/lmtp -f ${sender} -d ${user}@${nexthop}

+ 12
- 0
roles/mailserver/files/etc_rmilter.conf.common 查看文件

@@ -0,0 +1,12 @@
1
+spamd {
2
+	servers = r:localhost:11333;
3
+	whitelist = 127.0.0.1/32, 192.168.0.0/16, [::1]/128;
4
+};
5
+
6
+redis {
7
+	servers_id = localhost;
8
+	id_prefix = "message_id.";
9
+};
10
+
11
+tempdir = /tmp;
12
+max_size = 10M;

roles/mailserver/files/etc_tomcat6_server.xml → roles/mailserver/files/etc_tomcat7_server.xml 查看文件

@@ -20,7 +20,9 @@
20 20
      Documentation at /docs/config/server.html
21 21
  -->
22 22
 <Server port="8005" shutdown="SHUTDOWN">
23
-
23
+  <!-- Security listener. Documentation at /docs/config/listeners.html
24
+  <Listener className="org.apache.catalina.security.SecurityListener" />
25
+  -->
24 26
   <!--APR library loader. Documentation at /docs/apr.html -->
25 27
   <!--
26 28
   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
@@ -29,9 +31,8 @@
29 31
   <Listener className="org.apache.catalina.core.JasperListener" />
30 32
   <!-- Prevent memory leaks due to use of particular java/javax APIs-->
31 33
   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
32
-  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
33
-  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
34 34
   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
35
+  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
35 36
 
36 37
   <!-- Global JNDI resources
37 38
        Documentation at /docs/jndi-resources-howto.html
@@ -80,12 +81,13 @@
80 81
                redirectPort="8443" />
81 82
     -->
82 83
     <!-- Define a SSL HTTP/1.1 Connector on port 8443
83
-         This connector uses the JSSE configuration, when using APR, the
84
-         connector should be using the OpenSSL style configuration
85
-         described in the APR documentation -->
84
+         This connector uses the BIO implementation that requires the JSSE
85
+         style configuration. When using the APR/native implementation, the
86
+         OpenSSL style configuration is required as described in the APR/native
87
+         documentation -->
86 88
     <!--
87
-    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
88
-               maxThreads="150" scheme="https" secure="true"
89
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
90
+               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
89 91
                clientAuth="false" sslProtocol="TLS" />
90 92
     -->
91 93
 
@@ -113,26 +115,19 @@
113 115
       <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
114 116
       -->
115 117
 
116
-      <!-- The request dumper valve dumps useful debugging information about
117
-           the request and response data received and sent by Tomcat.
118
-           Documentation at: /docs/config/valve.html -->
119
-      <!--
120
-      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
121
-      -->
122
-
123
-      <!-- This Realm uses the UserDatabase configured in the global JNDI
124
-           resources under the key "UserDatabase".  Any edits
125
-           that are performed against this UserDatabase are immediately
126
-           available for use by the Realm.  -->
127
-      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
128
-             resourceName="UserDatabase"/>
118
+      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
119
+           via a brute-force attack -->
120
+      <Realm className="org.apache.catalina.realm.LockOutRealm">
121
+        <!-- This Realm uses the UserDatabase configured in the global JNDI
122
+             resources under the key "UserDatabase".  Any edits
123
+             that are performed against this UserDatabase are immediately
124
+             available for use by the Realm.  -->
125
+        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
126
+               resourceName="UserDatabase"/>
127
+      </Realm>
129 128
 
130
-      <!-- Define the default virtual host
131
-           Note: XML Schema validation will not work with Xerces 2.2.
132
-       -->
133 129
       <Host name="localhost"  appBase="webapps"
134
-            unpackWARs="true" autoDeploy="true"
135
-            xmlValidation="false" xmlNamespaceAware="false">
130
+            unpackWARs="true" autoDeploy="true">
136 131
 
137 132
         <!-- SingleSignOn valve, share authentication between web applications
138 133
              Documentation at: /docs/config/valve.html -->
@@ -141,11 +136,11 @@
141 136
         -->
142 137
 
143 138
         <!-- Access log processes all example.
144
-             Documentation at: /docs/config/valve.html -->
145
-        <!--
139
+             Documentation at: /docs/config/valve.html
140
+             Note: The pattern used is equivalent to using pattern="common" -->
146 141
         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
147
-               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
148
-        -->
142
+               prefix="localhost_access_log." suffix=".txt"
143
+               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
149 144
 
150 145
       </Host>
151 146
     </Engine>

+ 8
- 0
roles/mailserver/files/lib_systemd_system_rmilter.socket 查看文件

@@ -0,0 +1,8 @@
1
+[Unit]
2
+Description=Another sendmail milter for different mail checks
3
+
4
+[Socket]
5
+ListenStream=9900
6
+
7
+[Install]
8
+WantedBy=sockets.target

+ 7
- 1
roles/mailserver/handlers/main.yml 查看文件

@@ -8,7 +8,7 @@
8 8
   service: name=opendkim state=restarted
9 9
 
10 10
 - name: restart solr
11
-  service: name=tomcat6 state=restarted
11
+  service: name=tomcat7 state=restarted
12 12
 
13 13
 - name: import sql postfix
14 14
   action: shell PGPASSWORD='{{ mail_db_password }}' psql -h localhost -d {{ mail_db_database }} -U {{ mail_db_username }} -f /etc/postfix/import.sql --set ON_ERROR_STOP=1
@@ -16,3 +16,9 @@
16 16
 
17 17
 - name: restart opendmarc
18 18
   service: name=opendmarc state=restarted
19
+
20
+- name: restart rspamd
21
+  service: name=rspamd state=restarted
22
+
23
+- name: import opendmarc schema
24
+  mysql_db: name={{ mail_db_opendmarc_database }} state=import target=/usr/share/doc/opendmarc/schema.mysql

+ 17
- 39
roles/mailserver/tasks/dovecot.yml 查看文件

@@ -1,23 +1,4 @@
1
-- name: Add wheezy-backports to get a reasonably current Dovecot on Debian 7
2
-  apt_repository: repo='deb http://http.debian.net/debian wheezy-backports main'
3
-  when: ansible_distribution_release == 'wheezy'
4
-  tags:
5
-    - dependencies
6
-
7
-- name: Install Dovecot and related packages on Debian 7
8
-  apt: pkg={{ item }} update_cache=yes state=latest default_release=wheezy-backports
9
-  with_items:
10
-    - dovecot-core
11
-    - dovecot-imapd
12
-    - dovecot-lmtpd
13
-    - dovecot-managesieved
14
-    - dovecot-pgsql
15
-    - dovecot-pop3d
16
-  when: ansible_distribution_release == 'wheezy'
17
-  tags:
18
-    - dependencies
19
-
20
-- name: Install Dovecot and related packages on distributions other than Debian 7
1
+- name: Install Dovecot and related packages
21 2
   apt: pkg={{ item }} update_cache=yes state=installed
22 3
   with_items:
23 4
     - dovecot-core
@@ -26,25 +7,11 @@
26 7
     - dovecot-managesieved
27 8
     - dovecot-pgsql
28 9
     - dovecot-pop3d
29
-  when: ansible_distribution_release != 'wheezy'
30
-  tags:
31
-    - dependencies
32
-
33
-- name: Install Postgres 9.1 for Dovecot on older distributions
34
-  apt: pkg=postgresql-9.1 state=present
35
-  when: ansible_distribution_release != 'trusty' and ansible_distribution_release != 'jessie'
36 10
   tags:
37 11
     - dependencies
38 12
 
39
-- name: Install Postgres 9.3 for Dovecot on Ubuntu Trusty
40
-  apt: pkg=postgresql-9.3 state=present
41
-  when: ansible_distribution_release == 'trusty'
42
-  tags:
43
-    - dependencies
44
-
45
-- name: Install Postgres 9.4 for Dovecot on Debian Jessie
46
-  apt: pkg=postgresql-9.4 state=present
47
-  when: ansible_distribution_release == 'jessie'
13
+- name: Install Postgres for Dovecot
14
+  apt: pkg=postgresql state=present
48 15
   tags:
49 16
     - dependencies
50 17
 
@@ -55,7 +22,7 @@
55 22
   user: name=vmail group=vmail state=present uid=5000 home=/decrypted shell=/usr/sbin/nologin
56 23
 
57 24
 - name: Ensure mail domain directories are in place
58
-  file: state=directory path=/decrypted/{{ item.name }} owner=vmail group=dovecot mode=770
25
+  file: state=directory path=/decrypted/{{ item.name }} owner=vmail group=dovecot mode=0770
59 26
   with_items: mail_virtual_domains
60 27
 
61 28
 - name: Ensure mail directories are in place
@@ -71,10 +38,13 @@
71 38
     - 10-auth.conf
72 39
     - 10-mail.conf
73 40
     - 10-master.conf
74
-    - 10-ssl.conf
75 41
     - auth-sql.conf.ext
76 42
   notify: restart dovecot
77 43
 
44
+- name: Template 10-ssl.conf
45
+  template: src=etc_dovecot_conf.d_10-ssl.conf.j2 dest=/etc/dovecot/conf.d/10-ssl.conf
46
+  notify: restart dovecot
47
+
78 48
 - name: Template 15-lda.conf
79 49
   template: src=etc_dovecot_conf.d_15-lda.conf.j2 dest=/etc/dovecot/conf.d/15-lda.conf
80 50
   notify: restart dovecot
@@ -85,7 +55,7 @@
85 55
 
86 56
 - name: Ensure correct permissions on Dovecot config directory
87 57
   file: state=directory path=/etc/dovecot
88
-          group=dovecot owner=vmail mode=770 recurse=yes
58
+          group=dovecot owner=vmail mode=0770 recurse=yes
89 59
   notify: restart dovecot
90 60
 
91 61
 - name: Set firewall rules for dovecot
@@ -94,3 +64,11 @@
94 64
     - imaps
95 65
     - pop3s
96 66
   tags: ufw
67
+
68
+- name: Update post-certificate-renewal task
69
+  copy:
70
+    content: "#!/bin/bash\n\nservice dovecot restart\n"
71
+    dest: /etc/letsencrypt/postrenew/dovecot.sh
72
+    mode: 0755
73
+    owner: root
74
+    group: root

+ 0
- 44
roles/mailserver/tasks/dspam.yml 查看文件

@@ -1,44 +0,0 @@
1
-- name: Install dspam and related packages on wheezy
2
-  apt: pkg={{ item }} state=installed default_release=wheezy-backports
3
-  with_items:
4
-    - dovecot-antispam
5
-    - dovecot-sieve
6
-    - dspam
7
-    - postfix-pcre
8
-  when: ansible_distribution_release == 'wheezy'
9
-  tags:
10
-    - dependencies
11
-
12
-- name: Install dspam and related packages on distributions other than wheezy
13
-  apt: pkg={{ item }} state=installed
14
-  with_items:
15
-    - dovecot-antispam
16
-    - dovecot-sieve
17
-    - dspam
18
-    - postfix-pcre
19
-  when: ansible_distribution_release != 'wheezy'
20
-  tags:
21
-    - dependencies
22
-
23
-- name: Create dspam directory
24
-  file: state=directory path=/decrypted/dspam group=dspam owner=dspam
25
-
26
-- name: Put dspam configuration files in place
27
-  copy: src=etc_dspam_{{ item }} dest=/etc/dspam/{{ item }} owner=dspam group=dspam
28
-  with_items:
29
-    - default.prefs
30
-    - dspam.conf
31
-  notify:
32
-    - restart postfix
33
-    - restart dovecot
34
-
35
-- name: Put dspam postfix configuration in place
36
-  copy: src=etc_postfix_dspam_filter_access dest=/etc/postfix/dspam_filter_access owner=root group=root
37
-  notify: restart postfix
38
-
39
-- name: Put dspam dovecot configuration in place
40
-  copy: src=etc_dovecot_conf.d_{{ item }} dest=/etc/dovecot/conf.d/{{ item }} owner=vmail group=dovecot
41
-  with_items:
42
-    - 20-imap.conf
43
-    - 90-plugin.conf
44
-  notify: restart dovecot

+ 2
- 2
roles/mailserver/tasks/main.yml 查看文件

@@ -1,8 +1,8 @@
1 1
 - include: postfix.yml tags=postfix
2 2
 - include: dovecot.yml tags=dovecot
3 3
 - include: opendkim.yml tags=opendkim
4
-- include: dmarc.yml tags=dmarc
5
-- include: dspam.yml tags=dspam
4
+- include: opendmarc.yml tags=dmarc
5
+- include: rspamd.yml tags=rspamd
6 6
 - include: solr.yml tags=solr
7 7
 - include: checkrbl.yml tags=checkrbl
8 8
 - include: z-push.yml tags=zpush

+ 1
- 1
roles/mailserver/tasks/opendkim.yml 查看文件

@@ -38,7 +38,7 @@
38 38
 
39 39
 - name: Set OpenDKIM config directory permissions
40 40
   file: state=directory path=/etc/opendkim
41
-          group=opendkim owner=opendkim mode=700 recurse=yes
41
+          group=opendkim owner=opendkim mode=0700 recurse=yes
42 42
   notify:
43 43
     - restart opendkim
44 44
     - restart postfix

roles/mailserver/tasks/dmarc.yml → roles/mailserver/tasks/opendmarc.yml 查看文件

@@ -1,9 +1,9 @@
1 1
 - name: Install OpenDMARC milter and related packages
2 2
   apt: pkg={{ item }} state=installed update_cache=yes cache_valid_time=3600
3 3
   with_items:
4
-      - mysql-server
5
-      - python-mysqldb
6
-      - opendmarc
4
+    - mysql-server
5
+    - python-mysqldb
6
+    - opendmarc
7 7
 
8 8
 - name: Patch opendmarc scripts (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742447)
9 9
   lineinfile: dest=/usr/sbin/{{ item }} regexp='^require DBD::' line='require DBD::mysql;'
@@ -34,25 +34,18 @@
34 34
     - restart opendmarc
35 35
     - restart postfix
36 36
 
37
-- name: Copy OpenDMARC database schema file into place
38
-  copy: src=etc_opendmarc_import.sql dest=/etc/opendmarc/import.sql owner=root group=root
39
-
40 37
 - name: Create database user for OpenDMARC reports
41 38
   mysql_user: user={{ mail_db_opendmarc_username }} password={{ mail_db_opendmarc_password }} state=present priv="opendmarc.*:ALL"
42 39
 
43 40
 - name: Create database for OpenDMARC reports
44 41
   mysql_db: name={{ mail_db_opendmarc_database }} state=present
45
-
46
-- name: Import database schema for OpenDMARC reports
47
-  mysql_db: name={{ mail_db_opendmarc_database }} state=import target=/etc/opendmarc/import.sql
48
-  tags: import_mysql_postfix
42
+  notify: import opendmarc schema
49 43
 
50 44
 - name: Copy nightly OpenDMARC report generation script into place
51 45
   template: src=etc_opendmarc_report.sh.j2 dest=/etc/opendmarc/report.sh owner=root group=root mode="755"
52 46
 
53
-- name: Touch initial report dat file with correct permissions
54
-  file: path=/var/run/opendmarc/opendmarc.dat state=touch owner=opendmarc group=opendmarc
47
+- name: Ensure initial report dat file exists with correct permissions
48
+  copy: content="" dest=/var/run/opendmarc/opendmarc.dat owner=opendmarc group=opendmarc
55 49
 
56 50
 - name: Activate OpenDMARC report cronjob
57
-  cron: name="OpenDMARC report" hour="2" minute="0" job="/bin/bash /etc/opendmarc/report.sh >> /var/log/opendmarc_report.log"
58
-
51
+  cron: name="OpenDMARC report" hour="2" minute="0" job="/bin/bash /etc/opendmarc/report.sh >> /var/log/opendmarc_report.log 2>&1 || tail /var/log/opendmarc_report.log"

+ 8
- 18
roles/mailserver/tasks/postfix.yml 查看文件

@@ -1,18 +1,5 @@
1
-- name: Install Postgres 9.1 on older distributions
2
-  apt: pkg=postgresql-9.1 state=present
3
-  when: ansible_distribution_release != 'trusty' and ansible_distribution_release != 'jessie'
4
-  tags:
5
-    - dependencies
6
-
7
-- name: Install Postgres 9.3 on Ubuntu Trusty
8
-  apt: pkg=postgresql-9.3 state=present
9
-  when: ansible_distribution_release == 'trusty'
10
-  tags:
11
-    - dependencies
12
-
13
-- name: Install Postgres 9.4 on Debian Jessie
14
-  apt: pkg=postgresql-9.4 state=present
15
-  when: ansible_distribution_release == 'jessie'
1
+- name: Install Postgres
2
+  apt: pkg=postgresql state=present
16 3
   tags:
17 4
     - dependencies
18 5
 
@@ -29,12 +16,14 @@
29 16
   tags:
30 17
     - dependencies
31 18
 
32
-- name: Set postgres password
33
-  command: sudo -u {{ db_admin_username }} psql -d {{ db_admin_username }} -c "ALTER USER postgres with  password '{{ db_admin_password }}';"
19
+- name: Set password for PostgreSQL admin user
20
+  become: true
21
+  become_user: postgres
22
+  postgresql_user: name={{ db_admin_username }} password={{ db_admin_password }} encrypted=yes
34 23
   notify: import sql postfix
35 24
 
36 25
 - name: Create database user for mail server
37
-  postgresql_user: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ mail_db_username }} password="{{ mail_db_password }}" state=present
26
+  postgresql_user: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ mail_db_username }} password="{{ mail_db_password }}" encrypted=yes state=present
38 27
   notify: import sql postfix
39 28
 
40 29
 - name: Create database for mail server
@@ -74,4 +63,5 @@
74 63
   with_items:
75 64
     - smtp
76 65
     - ssmtp
66
+    - submission
77 67
   tags: ufw

+ 36
- 0
roles/mailserver/tasks/rspamd.yml 查看文件

@@ -0,0 +1,36 @@
1
+---
2
+# Installs and configures the Rspamd spam filtering system.
3
+
4
+- name: Ensure repository key for Rspamd is in place
5
+  apt_key: url=https://rspamd.com/apt-stable/gpg.key state=present
6
+  tags:
7
+    - dependencies
8
+
9
+- name: Add Rspamd repository
10
+  apt_repository: repo="deb https://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main"
11
+  tags:
12
+    - dependencies
13
+
14
+- name: Install Rspamd, Rmilter, and Redis
15
+  apt: pkg={{ item }} state=installed update_cache=yes
16
+  with_items:
17
+    - rspamd
18
+    - rmilter
19
+    - redis-server
20
+  tags:
21
+    - dependencies
22
+
23
+- name: Configure rmilter
24
+  copy: src=etc_rmilter.conf.common dest=/etc/rmilter.conf.common
25
+
26
+- name: Configure rmilter service
27
+  copy: src=lib_systemd_system_rmilter.socket dest=/lib/systemd/system/rmilter.socket
28
+
29
+- name: Start redis
30
+  service: name=redis-server state=started
31
+
32
+- name: Start rspamd systemd listener
33
+  service: name=rspamd state=started
34
+
35
+- name: Start rmilter systemd listener
36
+  service: name=rmilter state=started

+ 3
- 13
roles/mailserver/tasks/solr.yml 查看文件

@@ -1,18 +1,8 @@
1
-- name: Install Solr and related packages on wheezy from backports
2
-  apt: pkg={{ item }} state=installed default_release=wheezy-backports
3
-  with_items:
4
-    - dovecot-solr
5
-    - solr-tomcat
6
-  when: ansible_distribution_release == 'wheezy'
7
-  tags:
8
-    - dependencies
9
-
10
-- name: Install Solr and related packages on distributions other than wheezy
1
+- name: Install Solr and related packages
11 2
   apt: pkg={{ item }} state=installed
12 3
   with_items:
13 4
     - dovecot-solr
14 5
     - solr-tomcat
15
-  when: ansible_distribution_release != 'wheezy'
16 6
   tags:
17 7
     - dependencies
18 8
 
@@ -20,7 +10,7 @@
20 10
   copy: src=solr-schema.xml dest=/etc/solr/conf/schema.xml group=root owner=root
21 11
 
22 12
 - name: Copy tweaked Tomcat config file into place
23
-  copy: src=etc_tomcat6_server.xml dest=/etc/tomcat6/server.xml group=tomcat6 owner=root
13
+  copy: src=etc_tomcat7_server.xml dest=/etc/tomcat7/server.xml group=tomcat7 owner=root
24 14
   notify: restart solr
25 15
 
26 16
 - name: Copy tweaked Solr config file into place
@@ -28,5 +18,5 @@
28 18
   notify: restart solr
29 19
 
30 20
 - name: Create Solr index directory
31
-  file: state=directory path=/decrypted/solr group=tomcat6 owner=tomcat6
21
+  file: state=directory path=/decrypted/solr group=tomcat7 owner=tomcat7
32 22
   notify: restart solr

+ 3
- 10
roles/mailserver/tasks/z-push.yml 查看文件

@@ -36,7 +36,7 @@
36 36
     - skip_ansible_lint
37 37
 
38 38
 - name: Ensure z-push state and log directories are in place
39
-  file: state=directory path={{ item }} owner=www-data group=www-data mode=755
39
+  file: state=directory path={{ item }} owner=www-data group=www-data mode=0755
40 40
   with_items:
41 41
     - /decrypted/zpush-state
42 42
     - /var/log/z-push
@@ -45,19 +45,12 @@
45 45
 - name: Copy z-push's config.php into place
46 46
   template: src=usr_share_z-push_config.php.j2 dest=/usr/share/z-push/config.php
47 47
 
48
-- name: Configure z-push apache alias and php settings
49
-  copy: src=etc_apache2_conf.d_z-push.conf dest=/etc/apache2/conf.d/z-push.conf
50
-  notify: restart apache
51
-  when: ansible_distribution_release != 'trusty'
52
-
53
-- name: Create z-push apache alias and php configuration file for Ubuntu Trusty
48
+- name: Create z-push apache alias and php configuration file
54 49
   copy: src=etc_apache2_conf.d_z-push.conf dest=/etc/apache2/conf-available/z-push.conf
55
-  when: ansible_distribution_release == 'trusty'
56 50
 
57
-- name: Enable z-push Apache alias and PHP configuration file for Ubuntu Trusty
51
+- name: Enable z-push Apache alias and PHP configuration file
58 52
   command: a2enconf z-push creates=/etc/apache2/conf-enabled/z-push.conf
59 53
   notify: restart apache
60
-  when: ansible_distribution_release == 'trusty'
61 54
 
62 55
 - name: Configure z-push logrotate
63 56
   copy: src=etc_logrotate_z-push dest=/etc/logrotate.d/z-push owner=root group=root mode=0644

+ 1
- 2
roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2 查看文件

@@ -17,8 +17,7 @@
17 17
 
18 18
 <VirtualHost *:443>
19 19
     ServerName {{ mail_server_autoconfig_hostname }}
20
-
21
-    Include /etc/apache2/ssl.conf
20
+    SSLEngine On
22 21
 
23 22
     DocumentRoot            "/var/www/autoconfig"
24 23
     Options                 -Indexes

roles/mailserver/files/etc_dovecot_conf.d_10-ssl.conf → roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2 查看文件

@@ -9,8 +9,8 @@ ssl = required
9 9
 # dropping root privileges, so keep the key file unreadable by anyone but
10 10
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
11 11
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
12
-ssl_cert = </etc/ssl/certs/wildcard_combined.pem
13
-ssl_key = </etc/ssl/private/wildcard_private.key
12
+ssl_cert = </etc/letsencrypt/live/{{ domain }}/fullchain.pem
13
+ssl_key = </etc/letsencrypt/live/{{ domain }}/privkey.pem
14 14
 
15 15
 # If key file is password protected, give the password here. Alternatively
16 16
 # give it when starting dovecot with -p parameter. Since this file is often

+ 308
- 31
roles/mailserver/templates/etc_opendmarc.conf.j2 查看文件

@@ -1,41 +1,336 @@
1
-# This is a basic configuration that can easily be adapted to suit a standard
2
-# installation. For more advanced options, see opendkim.conf(5) and/or
3
-# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
1
+##
2
+## opendmarc.conf -- configuration file for OpenDMARC filter
3
+##
4
+## Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
5
+##
4 6
 
5 7
 ##  AuthservID (string)
6
-##      defaults to MTA name
8
+##  	defaults to MTA name
9
+##
10
+##  Sets the "authserv-id" to use when generating the Authentication-Results:
11
+##  header field after verifying a message.  If the string "HOSTNAME" is
12
+##  provided, the name of the host running the filter (as returned by the
13
+##  gethostname(3) function) will be used.  
7 14
 #
8 15
 AuthservID {{ mail_server_hostname }}
9 16
 
10
-##  ForensicReports { true | false }
11
-##      default "false"
17
+##  AuthservIDWithJobID { true | false }
18
+##  	default "false"
19
+##
20
+##  If "true", requests that the authserv-id portion of the added
21
+##  Authentication-Results header fields contain the job ID of the message
22
+##  being evaluated.
23
+#
24
+# AuthservIDWithJobID false
25
+
26
+##  AutoRestart { true | false }
27
+##  	default "false"
28
+##
29
+##  Automatically re-start on failures. Use with caution; if the filter fails
30
+##  instantly after it starts, this can cause a tight fork(2) loop.
31
+#
32
+# AutoRestart false
33
+
34
+##  AutoRestartCount n
35
+##  	default 0
36
+##
37
+##  Sets the maximum automatic restart count.  After this number of automatic
38
+##  restarts, the filter will give up and terminate.  A value of 0 implies no
39
+##  limit.
40
+#
41
+# AutoRestartCount 0
42
+
43
+##  AutoRestartRate n/t[u]
44
+##  	default (no limit)
45
+##
46
+##  Sets the maximum automatic restart rate.  If the filter begins restarting
47
+##  faster than the rate defined here, it will give up and terminate.  This
48
+##  is a string of the form n/t[u] where n is an integer limiting the count
49
+##  of restarts in the given interval and t[u] defines the time interval
50
+##  through which the rate is calculated; t is an integer and u defines the
51
+##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
52
+##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
53
+##  value of "10/1h" limits the restarts to 10 in one hour. There is no
54
+##  default, meaning restart rate is not limited.
55
+#
56
+# AutoRestartRate n/t[u]
57
+
58
+##  Background { true | false }
59
+##  	default "true"
60
+##
61
+##  Causes opendmarc to fork and exits immediately, leaving the service
62
+##  running in the background.
63
+#
64
+# Background true
65
+
66
+##  BaseDirectory (string)
67
+##  	default (none)
68
+##
69
+##  If set, instructs the filter to change to the specified directory using
70
+##  chdir(2) before doing anything else.  This means any files referenced
71
+##  elsewhere in the configuration file can be specified relative to this
72
+##  directory.  It's also useful for arranging that any crash dumps will be
73
+##  saved to a specific location.
74
+#
75
+# BaseDirectory /var/run/opendmarc
76
+
77
+##  ChangeRootDirectory (string)
78
+##  	default (none)
79
+##
80
+##  Requests that the operating system change the effective root directory of
81
+##  the process to the one specified here prior to beginning execution.
82
+##  chroot(2) requires superuser access.  A warning will be generated if
83
+##  UserID is not also set.
84
+# 
85
+# ChangeRootDirectory /var/chroot/opendmarc
86
+
87
+##  CopyFailuresTo (string)
88
+##  	default (none)
89
+##
90
+##  Requests addition of the specified email address to the envelope of
91
+##  any message that fails the DMARC evaluation.
92
+#
93
+# CopyFailuresTo postmaster@localhost
94
+
95
+##  DNSTimeout (integer)
96
+##  	default 5
97
+## 
98
+##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
99
+##  (NOT YET IMPLEMENTED)
100
+#
101
+# DNSTimeout 5
102
+
103
+##  EnableCoredumps { true | false }
104
+##  	default "false"
105
+##
106
+##  On systems that have such support, make an explicit request to the kernel
107
+##  to dump cores when the filter crashes for some reason.  Some modern UNIX
108
+##  systems suppress core dumps during crashes for security reasons if the
109
+##  user ID has changed during the lifetime of the process.  Currently only
110
+##  supported on Linux.
111
+#
112
+# EnableCoreDumps false
113
+
114
+##  FailureReports { true | false }
115
+##  	default "false"
116
+##
117
+##  Enables generation of failure reports when the DMARC test fails and the
118
+##  purported sender of the message has requested such reports.  Reports are
119
+##  formatted per RFC6591.
120
+# 
121
+# FailureReports false
122
+
123
+##  FailureReportsBcc (string)
124
+##  	default (none)
125
+##
126
+##  When failure reports are enabled and one is to be generated, always
127
+##  send one to the address(es) specified here.  If a failure report is
128
+##  requested by the domain owner, the address(es) are added in a Bcc: field.
129
+##  If no request is made, they address(es) are used in a To: field.  There
130
+##  is no default.
131
+# 
132
+# FailureReportsBcc postmaster@example.coom
133
+
134
+##  FailureReportsOnNone { true | false }
135
+##  	default "false"
136
+##
137
+##  Supplements the "FailureReports" setting by generating reports for
138
+##  domains that advertise "none" policies.  By default, reports are only
139
+##  generated (when enabled) for sending domains advertising a "quarantine"
140
+##  or "reject" policy.
141
+# 
142
+# FailureReportsOnNone false
143
+
144
+##  FailureReportsSentBy string
145
+##  	default "USER@HOSTNAME"
146
+##
147
+##  Specifies the email address to use in the From: field of failure
148
+##  reports generated by the filter.  The default is to use the userid of
149
+##  the user running the filter and the local hostname to construct an
150
+##  email address.  "postmaster" is used in place of the userid if a name
151
+##  could not be determined.
152
+# 
153
+# FailureReportsSentBy USER@HOSTNAME
154
+
155
+##  HistoryFile path
156
+##  	default (none)
157
+##
158
+##  If set, specifies the location of a text file to which records are written
159
+##  that can be used to generate DMARC aggregate reports.  Records are groups
160
+##  of rows containing information about a single received message, and
161
+##  include all relevant information needed to generate a DMARC aggregate
162
+##  report.  It is expected that this will not be used in its raw form, but
163
+##  rather periodically imported into a relational database from which the
164
+##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
165
+#
166
+HistoryFile /var/run/opendmarc/opendmarc.dat
167
+
168
+##  IgnoreAuthenticatedClients { true | false }
169
+##  	default "false"
170
+##
171
+##  If set, causes mail from authenticated clients (i.e., those that used
172
+##  SMTP UATH) to be ignored by the filter.
173
+#
174
+# IgnoreAuthenticatedClients false
175
+
176
+##  IgnoreHosts path
177
+##  	default (internal)
178
+##
179
+##  Specifies the path to a file that contains a list of hostnames, IP
180
+##  addresses, and/or CIDR expressions identifying hosts whose SMTP
181
+##  connections are to be ignored by the filter.  If not specified, defaults
182
+##  to "127.0.0.1" only.
183
+#
184
+IgnoreHosts /etc/opendmarc/ignore.hosts
185
+
186
+##  IgnoreMailFrom domain[,...]
187
+##  	default (none)
12 188
 ##
13
-# ForensicReports false
189
+##  Gives a list of domain names whose mail (based on the From: domain) is to
190
+##  be ignored by the filter.  The list should be comma-separated.  Matching
191
+##  against this list is case-insensitive.  The default is an empty list,
192
+##  meaning no mail is ignored.
193
+#
194
+# IgnoreMailFrom example.com
14 195
 
196
+##  MilterDebug (integer)
197
+##  	default 0
198
+##
199
+##  Sets the debug level to be requested from the milter library.
200
+#
201
+# MilterDebug 0
202
+
203
+##  PidFile path
204
+##  	default (none)
205
+##
206
+##  Specifies the path to a file that should be created at process start
207
+##  containing the process ID.
208
+##
209
+#
15 210
 PidFile /var/run/opendmarc.pid
16 211
 
212
+##  PublicSuffixList path
213
+##  	default (none)
214
+##
215
+##  Specifies the path to a file that contains top-level domains (TLDs) that
216
+##  will be used to compute the Organizational Domain for a given domain name,
217
+##  as described in the DMARC specification.  If not provided, the filter will
218
+##  not be able to determine the Organizational Domain and only the presented
219
+##  domain will be evaluated.
220
+#
221
+# PublicSuffixList path
222
+
223
+##  RecordAllMessages { true | false }
224
+##  	default "false"
225
+##
226
+##  If set and "HistoryFile" is in use, all received messages are recorded
227
+##  to the history file.  If not set (the default), only messages for which
228
+##  the From: domain published a DMARC record will be recorded in the
229
+##  history file.
230
+#
231
+# RecordAllMessages false
232
+
17 233
 ##  RejectFailures { true | false }
18
-##      default "false"
234
+##  	default "false"
19 235
 ##
236
+##  If set, messages will be rejected if they fail the DMARC evaluation, or
237
+##  temp-failed if evaluation could not be completed.  By default, no message
238
+##  will be rejected or temp-failed regardless of the outcome of the DMARC
239
+##  evaluation of the message.  Instead, an Authentication-Results header
240
+##  field will be added.
241
+#
20 242
 RejectFailures false
21 243
 
244
+##  ReportCommand string
245
+##  	default "/usr/sbin/sendmail -t"
246
+##
247
+##  Indicates the shell command to which failure reports should be passed for
248
+##  delivery when "FailureReports" is enabled.
249
+#
250
+# ReportCommand /usr/sbin/sendmail -t
251
+
252
+##  RequiredHeaders { true | false }
253
+##  	default "false"
254
+##
255
+##  If set, the filter will ensure the header of the message conforms to the
256
+##  basic header field count restrictions laid out in RFC5322, Section 3.6.
257
+##  Messages failing this test are rejected without further processing.  A
258
+##  From: field from which no domain name could be extracted will also be
259
+##  rejected.
260
+#
261
+# RequiredHeaders false
262
+
263
+##  Socket socketspec
264
+##  	default (none)
265
+##
266
+##  Specifies the socket that should be established by the filter to receive
267
+##  connections from sendmail(8) in order to provide service.  socketspec is
268
+##  in one of two forms: local:path, which creates a UNIX domain socket at
269
+##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
270
+##  a TCP socket on the specified port for the appropriate protocol family.
271
+##  If the host is not given as either a hostname or an IP address, the
272
+##  socket will be listening on all interfaces.  This option is mandatory
273
+##  either in the configuration file or on the command line.  If an IP
274
+##  address is used, it must be enclosed in square brackets.
275
+#
276
+# Socket inet:8893@localhost
277
+
278
+##  SoftwareHeader { true | false }
279
+##  	default "false"
280
+##
281
+##  Causes the filter to add a "DMARC-Filter" header field indicating the
282
+##  presence of this filter in the path of the message from injection to
283
+##  delivery.  The product's name, version, and the job ID are included in
284
+##  the header field's contents.
285
+#
286
+SoftwareHeader true
287
+
288
+##  SPFIgnoreResults { true | false }
289
+##	default "false"
290
+##
291
+##  Causes the filter to ignore any SPF results in the header of the
292
+##  message.  This is useful if you want the filter to perfrom SPF checks
293
+##  itself, or because you don't trust the arriving header.
294
+#
295
+# SPFIgnoreResults false
296
+
297
+##  SPFSelfValidate { true | false }
298
+##	default false
299
+##
300
+##  Enable internal spf checking with --with-spf
301
+##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
302
+##
303
+##  Causes the filter to perform a fallback SPF check itself when
304
+##  it can find no SPF results in the message header.  If SPFIgnoreResults
305
+##  is also set, it never looks for SPF results in headers and
306
+##  always performs the SPF check itself when this is set.
307
+#
308
+# SPFSelfValidate false
309
+
22 310
 ##  Syslog { true | false }
23
-##      default "false"
311
+##  	default "false"
24 312
 ##
25 313
 ##  Log via calls to syslog(3) any interesting activity.
26 314
 #
27 315
 Syslog true
28 316
 
29 317
 ##  SyslogFacility facility-name
30
-##      default "mail"
318
+##  	default "mail"
31 319
 ##
32 320
 ##  Log via calls to syslog(3) using the named facility.  The facility names
33 321
 ##  are the same as the ones allowed in syslog.conf(5).
34 322
 #
35 323
 # SyslogFacility mail
36 324
 
325
+##  TemporaryDirectory path
326
+##  	default /var/tmp
327
+##
328
+##  Specifies the directory in which temporary files should be written.
329
+#
330
+# TemporaryDirectory /var/tmp
331
+
37 332
 ##  TrustedAuthservIDs string
38
-##      default HOSTNAME
333
+##  	default HOSTNAME
39 334
 ##
40 335
 ##  Specifies one or more "authserv-id" values to trust as relaying true
41 336
 ##  upstream DKIM and SPF results.  The default is to use the name of
@@ -45,9 +340,8 @@ Syslog true
45 340
 #
46 341
 TrustedAuthservIDs {{ mail_server_hostname }}
47 342
 
48
-
49 343
 ##  UMask mask
50
-##      default (none)
344
+##  	default (none)
51 345
 ##
52 346
 ##  Requests a specific permissions mask to be used for file creation.  This
53 347
 ##  only really applies to creation of the socket when Socket specifies a
@@ -59,27 +353,10 @@ TrustedAuthservIDs {{ mail_server_hostname }}
59 353
 UMask 0002
60 354
 
61 355
 ##  UserID user[:group]
62
-##      default (none)
356
+##  	default (none)
63 357
 ##
64 358
 ##  Attempts to become the specified userid before starting operations.
65 359
 ##  The process will be assigned all of the groups and primary group ID of
66 360
 ##  the named userid unless an alternate group is specified.
67 361
 #
68 362
 UserID opendmarc:opendmarc
69
-
70
-## The path to the Ignored Hosts list. This file should contain a list of
71
-## networks and hosts that you trust. Their mail will not be checked by
72
-## OpenDMARC.
73
-#
74
-IgnoreHosts /etc/opendmarc/ignore.hosts
75
-
76
-## The path under which the History file should be created.
77
-## This file is necessary if you want to be able to create aggregate
78
-## reports to send out to other organizations
79
-#
80
-HistoryFile /var/run/opendmarc/opendmarc.dat
81
-
82
-## Adds a “Dmarc-Filter” header with the opendmarc version in every processed mail.
83
-## This is good to have during testing.
84
-#
85
-SoftwareHeader true

+ 3
- 0
roles/mailserver/templates/etc_opendmarc_report.sh.j2 查看文件

@@ -1,5 +1,8 @@
1 1
 #!/bin/bash
2 2
 
3
+# ensure this script errors out if any of its steps do
4
+set -e
5
+
3 6
 DB_SERVER='localhost'
4 7
 DB_USER='{{ mail_db_opendmarc_username }}'
5 8
 DB_PASS='{{ mail_db_opendmarc_password }}'

+ 7
- 9
roles/mailserver/templates/etc_postfix_main.cf.j2 查看文件

@@ -40,8 +40,8 @@ smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
40 40
 smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
41 41
 smtp_tls_protocols = !SSLv2,!SSLv3
42 42
 smtpd_tls_protocols = !SSLv2,!SSLv3
43
-smtpd_tls_cert_file=/etc/ssl/certs/wildcard_combined.pem
44
-smtpd_tls_key_file=/etc/ssl/private/wildcard_private.key
43
+smtpd_tls_cert_file=/etc/letsencrypt/live/{{ domain }}/fullchain.pem
44
+smtpd_tls_key_file=/etc/letsencrypt/live/{{ domain }}/privkey.pem
45 45
 smtpd_use_tls=yes
46 46
 smtpd_tls_auth_only = yes
47 47
 smtp_tls_security_level = may
@@ -100,16 +100,14 @@ virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
100 100
 virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
101 101
 local_recipient_maps = $virtual_mailbox_maps
102 102
 
103
-# OpenDKIM and OpenDMARC
104
-smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321
103
+# Milters: OpenDKIM, OpenDMARC, Rspamd
104
+smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321,inet:127.0.0.1:9900
105 105
 non_smtpd_milters = $smtpd_milters
106
+milter_protocol = 6
107
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
106 108
 milter_default_action = accept
107 109
 
108
-# new settings for dspam: only scan one mail at a time, localhost doesn't get scanned, everything else does
109
-dspam_destination_recipient_limit = 1
110
-smtpd_client_restrictions =
111
-  permit_sasl_authenticated
112
-  check_client_access pcre:/etc/postfix/dspam_filter_access
110
+smtpd_client_restrictions = permit_sasl_authenticated
113 111
 
114 112
 # Postscreen
115 113
 postscreen_access_list = permit_mynetworks

+ 2
- 2
roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2 查看文件

@@ -20,8 +20,8 @@
20 20
         </incomingServer>
21 21
         <outgoingServer type="smtp">
22 22
             <hostname>{{ mail_server_hostname }}</hostname>
23
-            <port>465</port>
24
-            <socketType>SSL</socketType>
23
+            <port>587</port>
24
+            <socketType>STARTTLS</socketType>
25 25
             <authentication>password-cleartext</authentication>
26 26
             <username>%EMAILADDRESS%</username>
27 27
         </outgoingServer>

+ 4
- 0
roles/monitoring/defaults/main.yml 查看文件

@@ -0,0 +1,4 @@
1
+collectd_version: 5.4.1
2
+collectd_librato_version: 0.0.10
3
+collectd_librato_email: "" # (optional)
4
+collectd_librato_api_token: "" # (optional)

+ 1
- 3
roles/monitoring/files/etc_apache2_sites-available_00-status.conf 查看文件

@@ -3,8 +3,6 @@
3 3
 <VirtualHost *:80>
4 4
   <Location />
5 5
     SetHandler server-status
6
-    Order deny,allow
7
-    Deny from all
8
-    Allow from 127.0.0.1
6
+    Require ip 127.0.0.1
9 7
   </Location>
10 8
 </VirtualHost>

+ 0
- 206
roles/monitoring/files/etc_init.d_collectd 查看文件

@@ -1,206 +0,0 @@
1
-#! /bin/bash
2
-#
3
-# collectd - start and stop the statistics collection daemon
4
-# http://collectd.org/
5
-#
6
-# Copyright (C) 2005-2006 Florian Forster <octo@verplant.org>
7
-# Copyright (C) 2006-2009 Sebastian Harl <tokkee@debian.org>
8
-#
9
-
10
-### BEGIN INIT INFO
11
-# Provides:          collectd
12
-# Required-Start:    $local_fs $remote_fs
13
-# Required-Stop:     $local_fs $remote_fs
14
-# Should-Start:      $network $named $syslog $time cpufrequtils
15
-# Should-Stop:       $network $named $syslog
16
-# Default-Start:     2 3 4 5
17
-# Default-Stop:      0 1 6
18
-# Short-Description: manage the statistics collection daemon
19
-# Description:       collectd is the statistics collection daemon.
20
-#                    It is a small daemon which collects system information
21
-#                    periodically and provides mechanisms to monitor and store
22
-#                    the values in a variety of ways.
23
-### END INIT INFO
24
-
25
-. /lib/lsb/init-functions
26
-
27
-export PATH=/opt/collectd/sbin:/opt/collectd/bin:/sbin:/bin:/usr/sbin:/usr/bin
28
-
29
-DISABLE=0
30
-
31
-DESC="statistics collection and monitoring daemon"
32
-NAME=collectd
33
-DAEMON=/opt/collectd/sbin/collectd
34
-
35
-CONFIGFILE=/opt/collectd/etc/collectd.conf
36
-PIDFILE=/opt/collectd/var/run/collectd.pid
37
-
38
-USE_COLLECTDMON=1
39
-COLLECTDMON_DAEMON=/opt/collectd/sbin/collectdmon
40
-COLLECTDMON_PIDFILE=/opt/collectd/var/run/collectdmon.pid
41
-
42
-MAXWAIT=30
43
-
44
-# Gracefully exit if the package has been removed.
45
-test -x $DAEMON || exit 0
46
-
47
-if [ -r /etc/default/$NAME ]; then
48
-	. /etc/default/$NAME
49
-fi
50
-
51
-if test "$ENABLE_COREFILES" == 1; then
52
-	ulimit -c unlimited
53
-fi
54
-
55
-if test "$USE_COLLECTDMON" == 1; then
56
-	_PIDFILE="$COLLECTDMON_PIDFILE"
57
-else
58
-	_PIDFILE="$PIDFILE"
59
-fi
60
-
61
-# return:
62
-#   0 if config is fine
63
-#   1 if there is a syntax error
64
-#   2 if there is no configuration
65
-check_config() {
66
-	if test ! -e "$CONFIGFILE"; then
67
-		return 2
68
-	fi
69
-	if ! $DAEMON -t -C "$CONFIGFILE"; then
70
-		return 1
71
-	fi
72
-	return 0
73
-}
74
-
75
-# return:
76
-#   0 if the daemon has been started
77
-#   1 if the daemon was already running
78
-#   2 if the daemon could not be started
79
-#   3 if the daemon was not supposed to be started
80
-d_start() {
81
-	if test "$DISABLE" != 0; then
82
-		# we get here during restart
83
-		log_progress_msg "disabled by /etc/default/$NAME"
84
-		return 3
85
-	fi
86
-
87
-	if test ! -e "$CONFIGFILE"; then
88
-		# we get here during restart
89
-		log_progress_msg "disabled, no configuration ($CONFIGFILE) found"
90
-		return 3
91
-	fi
92
-
93
-	check_config
94
-	rc="$?"
95
-	if test "$rc" -ne 0; then
96
-		log_progress_msg "not starting, configuration error"
97
-		return 2
98
-	fi
99
-
100
-	if test "$USE_COLLECTDMON" == 1; then
101
-		start-stop-daemon --start --quiet --oknodo --pidfile "$_PIDFILE" \
102
-			--exec $COLLECTDMON_DAEMON -- -P "$_PIDFILE" -- -C "$CONFIGFILE" \
103
-			|| return 2
104
-	else
105
-		start-stop-daemon --start --quiet --oknodo --pidfile "$_PIDFILE" \
106
-			--exec $DAEMON -- -C "$CONFIGFILE" -P "$_PIDFILE" \
107
-			|| return 2
108
-	fi
109
-	return 0
110
-}
111
-
112
-still_running_warning="
113
-WARNING: $NAME might still be running.
114
-In large setups it might take some time to write all pending data to
115
-the disk. You can adjust the waiting time in /etc/default/collectd."
116
-
117
-# return:
118
-#   0 if the daemon has been stopped
119
-#   1 if the daemon was already stopped
120
-#   2 if daemon could not be stopped
121
-d_stop() {
122
-	PID=$( cat "$_PIDFILE" 2> /dev/null ) || true
123
-
124
-	start-stop-daemon --stop --quiet --oknodo --pidfile "$_PIDFILE"
125
-	rc="$?"
126
-
127
-	if test "$rc" -eq 2; then
128
-		return 2
129
-	fi
130
-
131
-	sleep 1
132
-	if test -n "$PID" && kill -0 $PID 2> /dev/null; then
133
-		i=0
134
-		while kill -0 $PID 2> /dev/null; do
135
-			i=$(( $i + 2 ))
136
-			echo -n " ."
137
-
138
-			if test $i -gt $MAXWAIT; then
139
-				log_progress_msg "$still_running_warning"
140
-				return 2
141
-			fi
142
-
143
-			sleep 2
144
-		done
145
-		return "$rc"
146
-	fi
147
-	return "$rc"
148
-}
149
-
150
-case "$1" in
151
-	start)
152
-		log_daemon_msg "Starting $DESC" "$NAME"
153
-		d_start
154
-		case "$?" in
155
-			0|1) log_end_msg 0 ;;
156
-			2) log_end_msg 1 ;;
157
-			3) log_end_msg 255; true ;;
158
-			*) log_end_msg 1 ;;
159
-		esac
160
-		;;
161
-	stop)
162
-		log_daemon_msg "Stopping $DESC" "$NAME"
163
-		d_stop
164
-		case "$?" in
165
-			0|1) log_end_msg 0 ;;
166
-			2) log_end_msg 1 ;;
167
-		esac
168
-		;;
169
-	status)
170
-		status_of_proc -p "$_PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $?
171
-		;;
172
-	restart|force-reload)
173
-		log_daemon_msg "Restarting $DESC" "$NAME"
174
-		check_config
175
-		rc="$?"
176
-		if test "$rc" -eq 1; then
177
-			log_progress_msg "not restarting, configuration error"
178
-			log_end_msg 1
179
-			exit 1
180
-		fi
181
-		d_stop
182
-		rc="$?"
183
-		case "$rc" in
184
-			0|1)
185
-				sleep 1
186
-				d_start
187
-				rc2="$?"
188
-				case "$rc2" in
189
-					0|1) log_end_msg 0 ;;
190
-					2) log_end_msg 1 ;;
191
-					3) log_end_msg 255; true ;;
192
-					*) log_end_msg 1 ;;
193
-				esac
194
-				;;
195
-			*)
196
-				log_end_msg 1
197
-				;;
198
-		esac
199
-		;;
200
-	*)
201
-		echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
202
-		exit 3
203
-		;;
204
-esac
205
-
206
-# vim: syntax=sh noexpandtab sw=4 ts=4 :

+ 4
- 4
roles/monitoring/files/etc_monit_conf.d_apache2 查看文件

@@ -1,8 +1,8 @@
1
-check process apache2 with pidfile /var/run/apache2.pid
1
+check process apache2 with pidfile /var/run/apache2/apache2.pid
2 2
   group www
3
-  start program = "/etc/init.d/apache2 start"
4
-  stop program = "/etc/init.d/apache2 stop"
3
+  start program = "systemctl start apache2"
4
+  stop program = "systemctl stop apache2"
5 5
   if failed host localhost port 80 protocol http
6 6
     with timeout 10 seconds
7 7
     then restart
8
-  if 5 restarts within 5 cycles then timeout
8
+  if 5 restarts within 5 cycles then timeout

+ 2
- 2
roles/monitoring/files/etc_monit_conf.d_dovecot 查看文件

@@ -1,7 +1,7 @@
1 1
 check process dovecot with pidfile /var/run/dovecot/master.pid
2 2
   group mail
3
-  start program = "/etc/init.d/dovecot start"
4
-  stop program = "/etc/init.d/dovecot stop"
3
+  start program = "systemctl start dovecot"
4
+  stop program = "systemctl stop dovecot"
5 5
   if failed port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
6 6
   if failed port 995 type tcpssl sslauto protocol pop for 5 cycles then restart
7 7
   if 3 restarts within 5 cycles then timeout

+ 3
- 3
roles/monitoring/files/etc_monit_conf.d_pgsql 查看文件

@@ -1,6 +1,6 @@
1
-check process postgres with pidfile /var/run/postgresql/9.1-main.pid
1
+check process postgres with pidfile /var/run/postgresql/9.4-main.pid
2 2
   group database
3
-  start program = "/etc/init.d/postgresql start"
4
-  stop program = "/etc/init.d/postgresql stop"
3
+  start program = "systemctl start postgresql"
4
+  stop program = "systemctl stop postgresql"
5 5
   if failed host localhost port 5432 protocol pgsql then restart
6 6
   if 5 restarts within 5 cycles then timeout

+ 3
- 3
roles/monitoring/files/etc_monit_conf.d_postfix 查看文件

@@ -1,6 +1,6 @@
1 1
 check process postfix with pidfile /var/spool/postfix/pid/master.pid
2 2
   group mail
3
-  start program = "/etc/init.d/postfix start"
4
-  stop  program = "/etc/init.d/postfix stop"
3
+  start program = "systemctl start postfix"
4
+  stop  program = "systemctl stop postfix"
5 5
   if failed port 25 protocol smtp then restart
6
-  if 5 restarts within 5 cycles then timeout
6
+  if 5 restarts within 5 cycles then timeout

+ 3
- 3
roles/monitoring/files/etc_monit_conf.d_sshd 查看文件

@@ -1,5 +1,5 @@
1 1
 check process sshd with pidfile /var/run/sshd.pid
2
-  start program "/etc/init.d/ssh start"
3
-  stop program "/etc/init.d/ssh stop"
2
+  start program "systemctl start ssh"
3
+  stop program  "systemctl stop ssh"
4 4
   if failed host 127.0.0.1 port 22 protocol ssh then restart
5
-  if 5 restarts within 5 cycles then timeout
5
+  if 5 restarts within 5 cycles then timeout

+ 3
- 3
roles/monitoring/files/etc_monit_conf.d_tomcat 查看文件

@@ -1,6 +1,6 @@
1
-check process tomcat with pidfile "/var/run/tomcat6.pid"
1
+check process tomcat with pidfile "/var/run/tomcat7.pid"
2 2
   group mail
3
-  start program = "/etc/init.d/tomcat6 start"
4
-  stop program = "/etc/init.d/tomcat6 stop"
3
+  start program = "systemctl start tomcat7"
4
+  stop program = "systemctl stop tomcat7"
5 5
   if failed port 8080 then alert
6 6
   if failed port 8080 for 5 cycles then restart

+ 2
- 2
roles/monitoring/files/etc_monit_conf.d_znc 查看文件

@@ -1,7 +1,7 @@
1 1
 check process znc with pidfile /var/run/znc/znc.pid
2 2
   group irc
3
-  start program = "/etc/init.d/znc start"
4
-  stop program = "/etc/init.d/znc stop"
3
+  start program = "systemctl start znc"
4
+  stop program = "systemctl stop znc"
5 5
   if failed host localhost port 6643 protocol http
6 6
     with timeout 10 seconds
7 7
     then restart

+ 10
- 63
roles/monitoring/tasks/collectd.yml 查看文件

@@ -1,67 +1,14 @@
1
-- name: Add wheezy-backports to be compatible with Dovecot packages on Debian 7
2
-  apt_repository: repo='deb http://http.debian.net/debian wheezy-backports main'
3
-  when: ansible_distribution_release == 'wheezy'
4
-  tags:
5
-    - dependencies
6
-
7
-- name: Install collectd dependencies on wheezy from backports
8
-  apt: pkg={{ item }} state=installed default_release=wheezy-backports
9
-  with_items:
10
-    - libcurl4-openssl-dev
11
-    - librrd2-dev
12
-    - python-dev
13
-  when: ansible_distribution_release == 'wheezy'
14
-  tags:
15
-    - dependencies
16
-
17
-- name: Install collectd dependencies on distributions other than wheezy
18
-  apt: pkg={{ item }} state=installed
19
-  with_items:
20
-    - libcurl4-openssl-dev
21
-    - librrd2-dev
22
-    - python-dev
23
-  when: ansible_distribution_release != 'wheezy'
24
-  tags:
25
-    - dependencies
26
-
27
-- name: Download collectd
28
-  get_url: url=http://collectd.org/files/collectd-{{collectd_version}}.tar.gz
29
-           dest=/root/collectd-{{collectd_version}}.tar.gz
30
-
31
-- name: Extract collectd
32
-  unarchive: src=/root/collectd-{{collectd_version}}.tar.gz
33
-             dest=/root copy=no
34
-             creates=/root/collectd-{{collectd_version}}
35
-
36
-- name: Build and install collectd
37
-  shell: ./configure ; make all ; make install
38
-         executable=/bin/bash
39
-         chdir=/root/collectd-{{collectd_version}}
40
-         creates=/opt/collectd/sbin/collectdmon
41
-
42
-- name: Copy collectd init file into place
43
-  copy: src=etc_init.d_collectd dest=/etc/init.d/collectd mode=0755
44
-
45
-- name: Download collectd-librato plugin
46
-  get_url: url=https://github.com/librato/collectd-librato/archive/v{{collectd_librato_version}}.tar.gz
47
-           dest=/root/collectd-librato-{{collectd_librato_version}}.tar.gz
48
-  when: collectd_librato_email|length > 0
49
-
50
-- name: Extract collectd-librato plugin
51
-  unarchive: src=/root/collectd-librato-{{collectd_librato_version}}.tar.gz
52
-             dest=/root copy=no
53
-             creates=/root/collectd-librato-{{collectd_librato_version}}
54
-  when: collectd_librato_email|length > 0
55
-
56
-- name: Install collectd-librato plugin
57
-  command: make install
58
-           chdir=/root/collectd-librato-{{collectd_librato_version}}
59
-           creates=/opt/collectd-librato-{{collectd_librato_version}}
60
-  when: collectd_librato_email|length > 0
1
+- name: Install collectd
2
+  apt: pkg=collectd state=installed
61 3
 
62 4
 - name: Copy collectd configuration file into place
63
-  template: src=opt_etc_collectd.conf.j2 dest=/opt/collectd/etc/collectd.conf
5
+  template: src=etc_collectd_collectd.conf.j2 dest=/etc/collectd/collectd.conf
64 6
   notify: restart collectd
65 7
 
66
-- name: Ensure collectd is a system service
67
-  service: name=collectd state=started enabled=true
8
+- name: Ensure collectd is started
9
+  service: name=collectd state=started
10
+
11
+# Work around https://github.com/ansible/ansible-modules-core/issues/915
12
+# otherwise we'd use enabled=yes in previous task
13
+- name: Ensure collectd is enabled
14
+  command: update-rc.d collectd enable creates=/etc/rc3.d/S03collectd

+ 9
- 8
roles/monitoring/tasks/monit.yml 查看文件

@@ -14,6 +14,15 @@
14 14
   copy: src=etc_monit_monitrc dest=/etc/monit/monitrc
15 15
   notify: restart monit
16 16
 
17
+- name: Determine if ZNC is installed
18
+  stat: path=/usr/lib/znc/configs/znc.conf
19
+  register: znc_config_file
20
+
21
+- name: Copy ZNC monit service config files into place
22
+  copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
23
+  notify: restart monit
24
+  when: znc_config_file.stat.exists == True
25
+
17 26
 - name: Copy monit service config files into place
18 27
   copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
19 28
   with_items:
@@ -25,11 +34,3 @@
25 34
     - tomcat
26 35
   notify: restart monit
27 36
 
28
-- name: Determine if ZNC is installed
29
-  stat: path=/var/lib/znc/configs/znc.conf
30
-  register: znc_config_file
31
-
32
-- name: Copy ZNC monit service config files into place
33
-  copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
34
-  notify: restart monit
35
-  when: znc_config_file.stat.exists == True

roles/monitoring/templates/opt_etc_collectd.conf.j2 → roles/monitoring/templates/etc_collectd_collectd.conf.j2 查看文件

@@ -1,4 +1,4 @@
1
-BaseDir     "/opt/collectd"
1
+BaseDir "/etc/collectd"
2 2
 
3 3
 LoadPlugin syslog
4 4
 LoadPlugin cpu
@@ -7,26 +7,23 @@ LoadPlugin load
7 7
 LoadPlugin memory
8 8
 LoadPlugin disk
9 9
 LoadPlugin df
10
+LoadPlugin rrdtool
11
+
12
+<Plugin rrdtool>
13
+  DataDir "/opt/collectd/var/lib/collectd/rrd"
14
+</Plugin>
10 15
 
11 16
 {% if (collectd_librato_email|length and collectd_librato_api_token|length) %}
12 17
 <LoadPlugin python>
13 18
   Globals true
14 19
 </LoadPlugin>
15 20
 
16
-<Plugin python>
17
-  ModulePath "/opt/collectd-librato-{{ collectd_librato_version }}/lib"
18
-  Import "collectd-librato"
19
-
20
-  <Module "collectd-librato">
21
-    Email    "{{ collectd_librato_email }}"
22
-    APIToken "{{ collectd_librato_api_token }}"
23
-    TypesDB  "/opt/collectd/share/collectd/types.db"
24
-  </Module>
25
-</Plugin>
26
-{% else %}
27
-LoadPlugin rrdtool
28
-
29
-<Plugin rrdtool>
30
-  DataDir "/opt/collectd/var/lib/collectd/rrd"
21
+<Plugin write_http>
22
+  <URL "https://collectd.librato.com/v1/measurements">
23
+    User "{{ collectd_librato_email }}"
24
+    Password "{{ collectd_librato_api_token }}"
25
+    Format "JSON"
26
+  </URL>
31 27
 </Plugin>
32 28
 {% endif %}
29
+

+ 0
- 5
roles/newebe/files/newebe.conf 查看文件

@@ -1,5 +0,0 @@
1
-[program:newebe]
2
-autorestart=false
3
-command=newebe_server.py --configfile=/usr/local/etc/newebe/config.yaml
4
-redirect_stderr=true
5
-user=newebe

+ 0
- 7
roles/newebe/files/supervisor.conf 查看文件

@@ -1,7 +0,0 @@
1
-; supervisor config file
2
-
3
-[supervisord]
4
-nodaemon=true
5
-
6
-[include]
7
-files = /etc/supervisor/conf.d/*.conf

+ 0
- 3
roles/newebe/handlers/main.yml 查看文件

@@ -1,3 +0,0 @@
1
----
2
-- name: restart supervisor
3
-  service: name=supervisor state=restarted

+ 0
- 1
roles/newebe/tasks/main.yml 查看文件

@@ -1 +0,0 @@
1
-- include: newebe.yml tags=newebe

+ 0
- 87
roles/newebe/tasks/newebe.yml 查看文件

@@ -1,87 +0,0 @@
1
-- name: Install Dependencies
2
-  apt: pkg={{ item }}
3
-  with_items:
4
-    - build-essential
5
-    - couchdb
6
-    - git
7
-    - libxml2-dev
8
-    - libxslt-dev
9
-    - python
10
-    - python-dev
11
-    - python-imaging
12
-    - python-imaging
13
-    - python-pip
14
-    - python-pycurl
15
-    - python-setuptools
16
-    - python-lxml
17
-    - supervisor
18
-  tags:
19
-    - dependencies
20
-
21
-- name: Install Newebe
22
-  pip: name='git+https://github.com/gelnior/newebe.git#egg=newebe'
23
-
24
-- name: Add group Newebe
25
-  group: name=newebe
26
-
27
-- name: Add user Newebe
28
-  user: name=newebe groups=newebe shell=/usr/sbin/nologin
29
-
30
-- name: Create Newebe Config folder
31
-  file: path=/usr/local/etc/newebe/
32
-        owner=newebe
33
-        group=newebe
34
-        state=directory
35
-
36
-- name: Create Newebe folder
37
-  file: path=/usr/local/var/newebe/
38
-        owner=newebe
39
-        group=newebe
40
-        state=directory
41
-
42
-- name: Create Newebe log folder
43
-  file: path=/usr/local/var/log/newebe/
44
-        owner=newebe
45
-        group=newebe
46
-        state=directory
47
-
48
-- name: Set Newebe config file
49
-  template: src=usr_local_etc_newebe_config.j2
50
-            dest=/usr/local/etc/newebe/config.yaml
51
-            owner=newebe
52
-            group=newebe
53
-
54
-- name: Set Supervisor config file
55
-  copy: src=newebe.conf dest=/etc/supervisor/conf.d/newebe.conf
56
-
57
-- name: Set Newebe Supervisor config file
58
-  copy: src=supervisor.conf dest=/etc/supervisor/supervisor.conf
59
-  notify: restart supervisor
60
-
61
-- name: Ensure Supervisor is running
62
-  service: name=supervisor state=running
63
-
64
-- name: Ensure that newebe is started
65
-  supervisorctl: name=newebe state=started
66
-
67
-- name: Add mod_proxy module to Apache
68
-  apache2_module: state=present name=proxy
69
-
70
-- name: Add proxy_http module to Apache
71
-  apache2_module: state=present name=proxy_http
72
-
73
-- name: Rename existing Apache newebe virtualhost
74
-  command: mv /etc/apache2/sites-available/newebe /etc/apache2/sites-available/newebe.conf removes=/etc/apache2/sites-available/newebe
75
-
76
-- name: Remove old sites-enabled/newebe symlink (new one will be created by a2ensite)
77
-  file: path=/etc/apache2/sites-enabled/newebe state=absent
78
-
79
-- name: Configure the Apache HTTP server for Newebe
80
-  template: src=etc_apache2_sites-available_newebe.j2
81
-            dest=/etc/apache2/sites-available/newebe.conf
82
-            group=root
83
-            owner=root
84
-
85
-- name: Enable the site
86
-  command: a2ensite newebe.conf creates=/etc/apache2/sites-enabled/newebe.conf
87
-  notify: restart apache

+ 0
- 20
roles/newebe/templates/etc_apache2_sites-available_newebe.j2 查看文件

@@ -1,20 +0,0 @@
1
-<VirtualHost *:80>
2
-    ServerName {{ newebe_domain }}
3
-
4
-    Redirect permanent / https://{{ newebe_domain }}/
5
-</VirtualHost>
6
-
7
-<VirtualHost *:443>
8
-
9
-    ServerName {{ newebe_domain }}
10
-
11
-    Include /etc/apache2/ssl.conf
12
-
13
-    ErrorLog /var/log/apache2/newebe.info-error_log
14
-    CustomLog /var/log/apache2/newebe.info-access_log common
15
-
16
-
17
-    ProxyPass / http://127.0.0.1:8282/
18
-    ProxyPassReverse / http://127.0.0.1:8282/
19
-
20
-</VirtualHost>

+ 0
- 7
roles/newebe/templates/usr_local_etc_newebe_config.j2 查看文件

@@ -1,7 +0,0 @@
1
-main:
2
-    port: 8282
3
-    debug: False
4
-    ssl: False
5
-    path: "/usr/local/var/newebe/"
6
-    logpath: "/usr/local/var/log/newebe"
7
-    timezone: {{ zpush_timezone }}

+ 0
- 0
roles/news/defaults/main.yml 查看文件


部分文件因文件數量過多而無法顯示

Loading…
取消
儲存