Merge pull request #476 from ariddell/feature/jessie-catchup-3b4f93-to-56f3d7

Include commits to master which were missing in jessie

CONTRIBUTING.md

@@ -1,10 +1,66 @@
 # Contributing to Sovereign
 
-_This document will be expanded upon._
-
-You'll want to set up a [local development environment](https://github.com/sovereign/sovereign/wiki/Development-Environment) so that you don’t have to test on a remote server.
+## Intellectual property
 
 Make sure you agree with the license (GPLv3). See [LICENSE.md](./LICENSE.md) for details.
 
-If you issue a pull request, please specify what distribution you used for testing (if any).
 Code that is committed to the master branch should work with both Debian 8 "Jessie" and Ubuntu 14.04 LTS "Trusty".
+
+## Development environment
+
+You'll want to set up a [local development environment](https://github.com/sovereign/sovereign/wiki/Development-Environment) so that you don't have to test on a remote server.
+
+## Module design principles
+
+Sovereign is an Ansible playbook that uses the modules in this repository to configure a server. Modules should conform to the following design principles.
+
+### Making decisions
+
+A module exists to make decisions about how a service should be installed and configured. Make these decisions and minimize or eliminate configuration options exposed to the user. When in doubt, make a decision, and if the community feedback is vocal enough, only then expose an option.
+
+### Idempotency
+
+A module must be idempotent. If it's run once or many times, the result should be the same. This means that in some cases the user will be left with post-installation finalization work to do. Post-install finalization should be reduced or eliminated if possible, but not at the cost of idempotency.
+
+### Databases
+
+A module that introduces a database-backed service must use PostgreSQL if possible.  In order to minimize server load of having two database servers running, MySQL should not be used unless absolutely necessary. Sqlite may be used if persistent data requirements are bounded for all users and are within Sqlite's design limits.
+
+### Registrations
+
+A module should configure the server in a way that minimizes the data posted to other services. This includes names, email addresses, and other personally-identifable information. 
+
+### Upgrades
+
+A module's design should anticipate upgrades to the services it provides. Configuration files that work for the current version of the service may become out of date on future versions of the service and lead to difficult-to-find bugs. This also introduces work for maintaining the module.  Whenever possible, design the module to use the service to handle initial configuration and upgrades.
+
+### Performance
+
+A module should be designed and implemented to run as quickly as possible in order to minimize the time to run an entire playbook or even the role itself. A small performance penalty here and a small penalty there eventually adds to a very slow deployment system. Performance is important.
+
+### Tests
+
+A module should have tests. TBD: more about this and what the expectation is.
+
+### Design document
+
+A module should have a design description explaining the approach to implementing a service and what tradeoffs were made when choosing the design that was implemented. Do not leave this for comments in a pull request as we want this close to the code for the sake of future maintainers.
+
+The design description should be succinct and to the point. Assume the reader is familiar with Sovereign but not your module. As a rule of thumb, 500-1000 words is about the right length for a module design description.
+
+## Design checklist
+
+Consider the following checklist when reviewing a module's design.
+
+- Does the role create data on the server that is impossible or difficult to reproduce, e.g., private keys? If so, update the tarsnap role to include precious data in backups.
+- Does the role need an SSL certificate for a new subdomain?  If so, update the letsencrypt tasklist in the common role.
+- Does the role add an Apache virtual site?  If so, has somebody knowledgable in Apache configuration and security reviewed the configuration?
+- Does README.md need to be updated based on new or changed finalization instructions?
+
+## Submitting pull requests
+
+Verify that your changes pass [ansible-lint](https://github.com/willthames/ansible-lint) before submitting a pull request.
+
+Use good commit practices to document your changes. Don't assume the developer reviewing your commits has access to GitHub. The developer could be a future maintainer in a different environment. Similarly, as you address feedback on the pull request, do not assume the reviewer has access to GitHub.
+
+When you issue a pull request, please specify what distribution you used for testing (if any).  Code that is committed to the master branch should work with both Debian 7 and Ubuntu 14.04 LTS.  Support for Debian 8 is coming.

README.md

@@ -203,6 +203,8 @@ To ensure your emails pass DKIM checks you need to add a `txt` record. The name
 
     v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKKAQfMwKVx+oJripQI+Ag4uTwYnsXKjgBGtl7Tk6UMTUwhMqnitqbR/ZQEZjcNolTkNDtyKZY2Z6LqvM4KsrITpiMbkV1eX6GKczT8Lws5KXn+6BHCKULGdireTAUr3Id7mtjLrbi/E3248Pq0Zs39hkDxsDcve12WccjafJVwIDAQAB
 
+For DMARC you'll also need to add a `txt` record. The name field should be `_dmarc.EXAMPLE.COM` and the value should be `v=DMARC1; p=none`. More info on DMARC can be found [here](https://dmarc.org)
+
 Set up SPF and reverse DNS [as per this post](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/). Make sure to validate that it’s all working, for example by sending an email to <a href="mailto:check-auth@verifier.port25.com">check-auth@verifier.port25.com</a> and reviewing the report that will be emailed back to you.
 
 ### 7. Miscellaneous Configuration
@@ -213,6 +215,12 @@ Sign in to the ZNC web interface and set things up to your liking. It isn’t ex
 
 Then proceed to http://localhost:6643 in your web browser.
 
+Similarly, to access the server monitoring page, use another SSH tunnel:
+
+    ssh deploy@example.com -L 2812:localhost:2812
+
+Again proceeding to http://localhost:2812 in your web browser.
+
 Finally, sign into ownCloud to set it up. You should select PostgreSQL as the configuration backend.
 
 How To Use Your New Personal Cloud

roles/common/files/etc_apache2_conf-available_ssl-stapling-cache.conf

@@ -0,0 +1 @@
+SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)

roles/common/tasks/main.yml

@@ -40,14 +40,22 @@
   tags:
     - dependencies
 
-- name: Set timezone to UTC
-  action: shell echo Etc/UTC > /etc/timezone
+- name: timezone - configure /etc/timezone
+  copy:
+    content: "{{ common_timezone | regex_replace('$', '\n') }}"
+    dest: /etc/timezone
+    owner: root
+    group: root
+    mode: 0644
+  register: common_timezone_config
 
-- name: Set localtime to UTC
+- name: timezone - Set localtime to UTC
   file: src=/usr/share/zoneinfo/Etc/UTC dest=/etc/localtime
+  when: common_timezone_config.changed
 
-- name: Reconfigure tzdata
-  action: command dpkg-reconfigure -f noninteractive tzdata
+- name: timezone - reconfigure tzdata
+  command: dpkg-reconfigure --frontend noninteractive tzdata
+  when: common_timezone_config.changed
 
 - name: Apticron email configuration
   template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf

roles/common/tasks/ssl.yml

@@ -1,24 +1,62 @@
 - name: Copy SSL private key into place
   copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640
+  register: private_key
+  notify: restart apache
 
 - name: Copy SSL public certificate into place
   copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644
+  register: certificate
+  notify: restart apache
 
 - name: Copy CA combined certificate into place
   copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644
+  register: ca_certificate
+  notify: restart apache
 
 - name: Create a combined version of the public cert with intermediate and root CAs
   shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
-    /etc/ssl/certs/wildcard_combined.pem creates=/etc/ssl/certs/wildcard_combined.pem
+    /etc/ssl/certs/wildcard_combined.pem
+  when: private_key.changed or certificate.changed or ca_certificate.changed
 
 - name: Set permissions on combined public cert
   file: name=/etc/ssl/certs/wildcard_combined.pem mode=644
+  notify: restart apache
+
+- name: Create strong Diffie-Hellman group
+  command: openssl dhparam -out /etc/ssl/private/dhparam2048.pem 2048
+    creates=/etc/ssl/private/dhparam2048.pem
 
 - name: Enable Apache SSL module
   command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load
+  notify: restart apache
 
 - name: Enable NameVirtualHost for HTTPS
-  lineinfile: dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443' insertafter='^<IfModule mod_ssl.c>' line='    NameVirtualHost *:443'
+  lineinfile:
+    dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443'
+    insertafter='^<IfModule mod_ssl.c>'
+    line='    NameVirtualHost *:443'
+  notify: restart apache
+
+- name: Enable Apache SOCACHE_SHMCB module for the SSL stapling cache
+  command: a2enmod socache_shmcb
+    creates=/etc/apache2/mods-enabled/socache_shmcb.load
+  notify: restart apache
+  when: ansible_distribution_release != 'wheezy'
+
+- name: Add Apache SSL stapling cache configuration
+  copy:
+    src=etc_apache2_conf-available_ssl-stapling-cache.conf
+    dest=/etc/apache2/conf-available/ssl-stapling-cache.conf
+    owner=root
+    group=root
+  when: ansible_distribution_release != 'wheezy'
+  notify: restart apache
+
+- name: Enable Apache SSL stapling cache configuration
+  command: a2enconf ssl-stapling-cache
+    creates=/etc/apache2/conf-enabled/ssl-stapling-cache.conf
+  when: ansible_distribution_release != 'wheezy'
+  notify: restart apache
 
 - name: Add common Apache SSL config
   template:
@@ -26,3 +64,4 @@
     dest=/etc/apache2/ssl.conf
     owner=root
     group=root
+  notify: restart apache

roles/common/tasks/ufw.yml

@@ -6,15 +6,19 @@
   apt: pkg=ufw state=present
   tags:
     - dependencies
+    - ufw
 
 - name: Deny everything
   ufw: policy=deny
+  tags: ufw
 
 - name: Set firewall rule for DNS
   ufw: rule=allow port=domain
+  tags: ufw
 
 - name: Set firewall rule for mosh
   ufw: rule=allow port=60000:61000 proto=udp
+  tags: ufw
 
 - name: Set firewall rules for web traffic and SSH
   ufw: rule=allow port={{ item }} proto=tcp
@@ -22,12 +26,14 @@
     - http
     - https
     - ssh
+  tags: ufw
 
 - name: Enable UFW
   ufw: state=enabled
+  tags: ufw
 
 - name: Check config of ufw
   command: cat /etc/ufw/ufw.conf
   register: ufw_config
   changed_when: False  # never report as "changed"
-
+  tags: ufw

roles/common/templates/etc_ssh_ssh_config.j2

@@ -6,4 +6,5 @@
     GSSAPIDelegateCredentials no
     MACs {{ macs }}
     PasswordAuthentication no
+    UseRoaming no
 

roles/ircbouncer/tasks/znc.yml

@@ -30,6 +30,7 @@
 
 - name: Set firewall rule for znc
   ufw: rule=allow port=6697 proto=tcp
+  tags: ufw
 
 - name: Ensure znc is a system service
   service: name=znc state=started enabled=true

roles/mailserver/tasks/dovecot.yml

@@ -67,3 +67,4 @@
   with_items:
     - imaps
     - pop3s
+  tags: ufw

roles/mailserver/tasks/postfix.yml

@@ -68,3 +68,4 @@
   with_items:
     - smtp
     - ssmtp
+  tags: ufw

roles/mailserver/templates/etc_postfix_main.cf.j2

@@ -51,7 +51,7 @@ smtp_tls_note_starttls_offer = yes
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 # http://www.postfix.org/FORWARD_SECRECY_README.html
 smtp_tls_ciphers = medium
-
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparam2048.pem
 
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth

roles/news/files/etc_logrotate_selfoss

@@ -4,5 +4,5 @@
         rotate 5
         compress
         notifempty
-        create 0644 www-data www-data
+	su www-data www-data
 }

roles/news/tasks/selfoss.yml

@@ -34,7 +34,7 @@
   postgresql_db: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ selfoss_db_database }} state=present owner={{ selfoss_db_username }}
 
 - name: Install selfoss config.ini
-  template: src=var_www_selfoss_config.ini.j2 dest=/var/www/selfoss/config.ini group=www-data owner=root
+  template: src=var_www_selfoss_config.ini.j2 dest=/var/www/selfoss/config.ini group=www-data owner=root mode=0640
 
 - name: Enable Apache rewrite module
   command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load

roles/vpn/tasks/openvpn.yml

@@ -135,6 +135,7 @@
 
 - name: Allow OpenVPN through ufw
   ufw: rule=allow port={{ openvpn_port }} proto={{ openvpn_protocol }}
+  tags: ufw
 
 - name: Copy OpenVPN configuration file into place
   template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf

roles/vpn/templates/etc_openvpn_server.conf.j2

@@ -187,7 +187,6 @@ ifconfig-pool-persist ipp.txt
 # (The OpenVPN server machine may need to NAT
 # or bridge the TUN/TAP interface to the internet
 # in order for this to work properly).
-;push "redirect-gateway def1 bypass-dhcp"
 push "redirect-gateway def1"
 push "dhcp-option DNS 10.8.0.1"
 
@@ -298,9 +297,29 @@ status openvpn-status.log
 # 4 is reasonable for general usage
 # 5 and 6 can help to debug connection problems
 # 9 is extremely verbose
-verb 3
+verb {{ openvpn_verb }}
 
 # Silence repeating messages.  At most 20
 # sequential messages of the same message
 # category will be output to the log.
 ;mute 20
+
+# Openvpn changes length of network packets
+# in a way which depends on cipher and hash-sum
+# algorithms. This can be used for fingerprinting.
+# Mask your settings by using a lower mtu.
+# Check your settings here: witch.valdikss.org.ru
+tun-mtu {{ openvpn_mtu }}
+
+# Set TLS settings
+# Only for openvpn 2.3.3 and >2.3.4
+{{ openvpn_tls_version_min }}
+{{ openvpn_tls_cipher }}
+
+# Change default network buffer size
+# Should increase tcp tunnel speed for openvpn < 2.3.9
+# https://community.openvpn.net/openvpn/ticket/461
+sndbuf 0
+rcvbuf 0
+push "sndbuf 393216"
+push "rcvbuf 393216"

roles/xmpp/tasks/prosody.yml

@@ -35,3 +35,4 @@
   with_items:
     - 5222  # xmpp c2s
     - 5269  # xmpp s2s
+  tags: ufw

roles/xmpp/templates/prosody.cfg.lua.j2

@@ -124,7 +124,7 @@ pidfile = "/var/run/prosody/prosody.pid"
 -- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
 -- for information about using the hashed backend.
 
-authentication = "internal_plain"
+authentication = "internal_hashed"
 
 -- Select the storage backend to use. By default Prosody uses flat files
 -- in its configured data directory, but it also supports more backends

vars/defaults.yml

@@ -5,6 +5,7 @@
 ###############################################################################
 
 # # common
+common_timezone: 'Etc/UTC'
 # domain: (required)
 # main_user_name: (required)
 admin_email: "{{ main_user_name }}@{{ domain }}"
@@ -80,6 +81,8 @@ owncloud_db_database: owncloud
 tarsnap_version: 1.0.36.1
 
 # vpn
+# Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
+# Check privacy: http://witch.valdikss.org.ru/
 # openvpn_key_country: (required)
 # openvpn_key_province: (required)
 # openvpn_key_city: (required)
@@ -88,8 +91,8 @@ tarsnap_version: 1.0.36.1
 openvpn_days_valid: "1825"
 openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
 openvpn_key_size: "2048"
-openvpn_cipher: "BF-CBC"
-openvpn_auth_digest: "SHA1"
+openvpn_cipher: "AES-256-CBC"
+openvpn_auth_digest: "SHA512"
 openvpn_path: "/etc/openvpn"
 openvpn_ca: "{{ openvpn_path }}/ca"
 openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
@@ -97,6 +100,11 @@ openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
 openvpn_server: "{{ domain }}"
 openvpn_port: "1194"
 openvpn_protocol: "udp"
+openvpn_mtu: "1300"
+openvpn_verb: "3" # "0" for anonymity
+# uncomment for openvpn 2.3.3 and >2.3.4
+openvpn_tls_version_min: "" # "tls-version-min 1.2"
+openvpn_tls_cipher: "" # "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
 # openvpn_clients: (required)
 
 # webmail

vars/testing.yml

@@ -5,6 +5,7 @@
 ###############################################################################
 
 # common
+common_timezone: 'Etc/UTC'
 domain: sovereign.local
 main_user_name: sovereign
 encfs_password: testPassword