浏览代码

Merge pull request #476 from ariddell/feature/jessie-catchup-3b4f93-to-56f3d7

Include commits to master which were missing in jessie
Sven Neuhaus 8 年前
父节点
当前提交
bd0176e003

+ 60
- 4
CONTRIBUTING.md 查看文件

@@ -1,10 +1,66 @@
1 1
 # Contributing to Sovereign
2 2
 
3
-_This document will be expanded upon._
4
-
5
-You'll want to set up a [local development environment](https://github.com/sovereign/sovereign/wiki/Development-Environment) so that you don’t have to test on a remote server.
3
+## Intellectual property
6 4
 
7 5
 Make sure you agree with the license (GPLv3). See [LICENSE.md](./LICENSE.md) for details.
8 6
 
9
-If you issue a pull request, please specify what distribution you used for testing (if any).
10 7
 Code that is committed to the master branch should work with both Debian 8 "Jessie" and Ubuntu 14.04 LTS "Trusty".
8
+
9
+## Development environment
10
+
11
+You'll want to set up a [local development environment](https://github.com/sovereign/sovereign/wiki/Development-Environment) so that you don't have to test on a remote server.
12
+
13
+## Module design principles
14
+
15
+Sovereign is an Ansible playbook that uses the modules in this repository to configure a server. Modules should conform to the following design principles.
16
+
17
+### Making decisions
18
+
19
+A module exists to make decisions about how a service should be installed and configured. Make these decisions and minimize or eliminate configuration options exposed to the user. When in doubt, make a decision, and if the community feedback is vocal enough, only then expose an option.
20
+
21
+### Idempotency
22
+
23
+A module must be idempotent. If it's run once or many times, the result should be the same. This means that in some cases the user will be left with post-installation finalization work to do. Post-install finalization should be reduced or eliminated if possible, but not at the cost of idempotency.
24
+
25
+### Databases
26
+
27
+A module that introduces a database-backed service must use PostgreSQL if possible.  In order to minimize server load of having two database servers running, MySQL should not be used unless absolutely necessary. Sqlite may be used if persistent data requirements are bounded for all users and are within Sqlite's design limits.
28
+
29
+### Registrations
30
+
31
+A module should configure the server in a way that minimizes the data posted to other services. This includes names, email addresses, and other personally-identifable information. 
32
+
33
+### Upgrades
34
+
35
+A module's design should anticipate upgrades to the services it provides. Configuration files that work for the current version of the service may become out of date on future versions of the service and lead to difficult-to-find bugs. This also introduces work for maintaining the module.  Whenever possible, design the module to use the service to handle initial configuration and upgrades.
36
+
37
+### Performance
38
+
39
+A module should be designed and implemented to run as quickly as possible in order to minimize the time to run an entire playbook or even the role itself. A small performance penalty here and a small penalty there eventually adds to a very slow deployment system. Performance is important.
40
+
41
+### Tests
42
+
43
+A module should have tests. TBD: more about this and what the expectation is.
44
+
45
+### Design document
46
+
47
+A module should have a design description explaining the approach to implementing a service and what tradeoffs were made when choosing the design that was implemented. Do not leave this for comments in a pull request as we want this close to the code for the sake of future maintainers.
48
+
49
+The design description should be succinct and to the point. Assume the reader is familiar with Sovereign but not your module. As a rule of thumb, 500-1000 words is about the right length for a module design description.
50
+
51
+## Design checklist
52
+
53
+Consider the following checklist when reviewing a module's design.
54
+
55
+- Does the role create data on the server that is impossible or difficult to reproduce, e.g., private keys? If so, update the tarsnap role to include precious data in backups.
56
+- Does the role need an SSL certificate for a new subdomain?  If so, update the letsencrypt tasklist in the common role.
57
+- Does the role add an Apache virtual site?  If so, has somebody knowledgable in Apache configuration and security reviewed the configuration?
58
+- Does README.md need to be updated based on new or changed finalization instructions?
59
+
60
+## Submitting pull requests
61
+
62
+Verify that your changes pass [ansible-lint](https://github.com/willthames/ansible-lint) before submitting a pull request.
63
+
64
+Use good commit practices to document your changes. Don't assume the developer reviewing your commits has access to GitHub. The developer could be a future maintainer in a different environment. Similarly, as you address feedback on the pull request, do not assume the reviewer has access to GitHub.
65
+
66
+When you issue a pull request, please specify what distribution you used for testing (if any).  Code that is committed to the master branch should work with both Debian 7 and Ubuntu 14.04 LTS.  Support for Debian 8 is coming.

+ 8
- 0
README.md 查看文件

@@ -203,6 +203,8 @@ To ensure your emails pass DKIM checks you need to add a `txt` record. The name
203 203
 
204 204
     v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKKAQfMwKVx+oJripQI+Ag4uTwYnsXKjgBGtl7Tk6UMTUwhMqnitqbR/ZQEZjcNolTkNDtyKZY2Z6LqvM4KsrITpiMbkV1eX6GKczT8Lws5KXn+6BHCKULGdireTAUr3Id7mtjLrbi/E3248Pq0Zs39hkDxsDcve12WccjafJVwIDAQAB
205 205
 
206
+For DMARC you'll also need to add a `txt` record. The name field should be `_dmarc.EXAMPLE.COM` and the value should be `v=DMARC1; p=none`. More info on DMARC can be found [here](https://dmarc.org)
207
+
206 208
 Set up SPF and reverse DNS [as per this post](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/). Make sure to validate that it’s all working, for example by sending an email to <a href="mailto:check-auth@verifier.port25.com">check-auth@verifier.port25.com</a> and reviewing the report that will be emailed back to you.
207 209
 
208 210
 ### 7. Miscellaneous Configuration
@@ -213,6 +215,12 @@ Sign in to the ZNC web interface and set things up to your liking. It isn’t ex
213 215
 
214 216
 Then proceed to http://localhost:6643 in your web browser.
215 217
 
218
+Similarly, to access the server monitoring page, use another SSH tunnel:
219
+
220
+    ssh deploy@example.com -L 2812:localhost:2812
221
+
222
+Again proceeding to http://localhost:2812 in your web browser.
223
+
216 224
 Finally, sign into ownCloud to set it up. You should select PostgreSQL as the configuration backend.
217 225
 
218 226
 How To Use Your New Personal Cloud

+ 1
- 0
roles/common/files/etc_apache2_conf-available_ssl-stapling-cache.conf 查看文件

@@ -0,0 +1 @@
1
+SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)

+ 13
- 5
roles/common/tasks/main.yml 查看文件

@@ -40,14 +40,22 @@
40 40
   tags:
41 41
     - dependencies
42 42
 
43
-- name: Set timezone to UTC
44
-  action: shell echo Etc/UTC > /etc/timezone
43
+- name: timezone - configure /etc/timezone
44
+  copy:
45
+    content: "{{ common_timezone | regex_replace('$', '\n') }}"
46
+    dest: /etc/timezone
47
+    owner: root
48
+    group: root
49
+    mode: 0644
50
+  register: common_timezone_config
45 51
 
46
-- name: Set localtime to UTC
52
+- name: timezone - Set localtime to UTC
47 53
   file: src=/usr/share/zoneinfo/Etc/UTC dest=/etc/localtime
54
+  when: common_timezone_config.changed
48 55
 
49
-- name: Reconfigure tzdata
50
-  action: command dpkg-reconfigure -f noninteractive tzdata
56
+- name: timezone - reconfigure tzdata
57
+  command: dpkg-reconfigure --frontend noninteractive tzdata
58
+  when: common_timezone_config.changed
51 59
 
52 60
 - name: Apticron email configuration
53 61
   template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf

+ 41
- 2
roles/common/tasks/ssl.yml 查看文件

@@ -1,24 +1,62 @@
1 1
 - name: Copy SSL private key into place
2 2
   copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640
3
+  register: private_key
4
+  notify: restart apache
3 5
 
4 6
 - name: Copy SSL public certificate into place
5 7
   copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644
8
+  register: certificate
9
+  notify: restart apache
6 10
 
7 11
 - name: Copy CA combined certificate into place
8 12
   copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644
13
+  register: ca_certificate
14
+  notify: restart apache
9 15
 
10 16
 - name: Create a combined version of the public cert with intermediate and root CAs
11 17
   shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
12
-    /etc/ssl/certs/wildcard_combined.pem creates=/etc/ssl/certs/wildcard_combined.pem
18
+    /etc/ssl/certs/wildcard_combined.pem
19
+  when: private_key.changed or certificate.changed or ca_certificate.changed
13 20
 
14 21
 - name: Set permissions on combined public cert
15 22
   file: name=/etc/ssl/certs/wildcard_combined.pem mode=644
23
+  notify: restart apache
24
+
25
+- name: Create strong Diffie-Hellman group
26
+  command: openssl dhparam -out /etc/ssl/private/dhparam2048.pem 2048
27
+    creates=/etc/ssl/private/dhparam2048.pem
16 28
 
17 29
 - name: Enable Apache SSL module
18 30
   command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load
31
+  notify: restart apache
19 32
 
20 33
 - name: Enable NameVirtualHost for HTTPS
21
-  lineinfile: dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443' insertafter='^<IfModule mod_ssl.c>' line='    NameVirtualHost *:443'
34
+  lineinfile:
35
+    dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443'
36
+    insertafter='^<IfModule mod_ssl.c>'
37
+    line='    NameVirtualHost *:443'
38
+  notify: restart apache
39
+
40
+- name: Enable Apache SOCACHE_SHMCB module for the SSL stapling cache
41
+  command: a2enmod socache_shmcb
42
+    creates=/etc/apache2/mods-enabled/socache_shmcb.load
43
+  notify: restart apache
44
+  when: ansible_distribution_release != 'wheezy'
45
+
46
+- name: Add Apache SSL stapling cache configuration
47
+  copy:
48
+    src=etc_apache2_conf-available_ssl-stapling-cache.conf
49
+    dest=/etc/apache2/conf-available/ssl-stapling-cache.conf
50
+    owner=root
51
+    group=root
52
+  when: ansible_distribution_release != 'wheezy'
53
+  notify: restart apache
54
+
55
+- name: Enable Apache SSL stapling cache configuration
56
+  command: a2enconf ssl-stapling-cache
57
+    creates=/etc/apache2/conf-enabled/ssl-stapling-cache.conf
58
+  when: ansible_distribution_release != 'wheezy'
59
+  notify: restart apache
22 60
 
23 61
 - name: Add common Apache SSL config
24 62
   template:
@@ -26,3 +64,4 @@
26 64
     dest=/etc/apache2/ssl.conf
27 65
     owner=root
28 66
     group=root
67
+  notify: restart apache

+ 7
- 1
roles/common/tasks/ufw.yml 查看文件

@@ -6,15 +6,19 @@
6 6
   apt: pkg=ufw state=present
7 7
   tags:
8 8
     - dependencies
9
+    - ufw
9 10
 
10 11
 - name: Deny everything
11 12
   ufw: policy=deny
13
+  tags: ufw
12 14
 
13 15
 - name: Set firewall rule for DNS
14 16
   ufw: rule=allow port=domain
17
+  tags: ufw
15 18
 
16 19
 - name: Set firewall rule for mosh
17 20
   ufw: rule=allow port=60000:61000 proto=udp
21
+  tags: ufw
18 22
 
19 23
 - name: Set firewall rules for web traffic and SSH
20 24
   ufw: rule=allow port={{ item }} proto=tcp
@@ -22,12 +26,14 @@
22 26
     - http
23 27
     - https
24 28
     - ssh
29
+  tags: ufw
25 30
 
26 31
 - name: Enable UFW
27 32
   ufw: state=enabled
33
+  tags: ufw
28 34
 
29 35
 - name: Check config of ufw
30 36
   command: cat /etc/ufw/ufw.conf
31 37
   register: ufw_config
32 38
   changed_when: False  # never report as "changed"
33
-
39
+  tags: ufw

+ 1
- 0
roles/common/templates/etc_ssh_ssh_config.j2 查看文件

@@ -6,4 +6,5 @@
6 6
     GSSAPIDelegateCredentials no
7 7
     MACs {{ macs }}
8 8
     PasswordAuthentication no
9
+    UseRoaming no
9 10
 

+ 1
- 0
roles/ircbouncer/tasks/znc.yml 查看文件

@@ -30,6 +30,7 @@
30 30
 
31 31
 - name: Set firewall rule for znc
32 32
   ufw: rule=allow port=6697 proto=tcp
33
+  tags: ufw
33 34
 
34 35
 - name: Ensure znc is a system service
35 36
   service: name=znc state=started enabled=true

+ 1
- 0
roles/mailserver/tasks/dovecot.yml 查看文件

@@ -67,3 +67,4 @@
67 67
   with_items:
68 68
     - imaps
69 69
     - pop3s
70
+  tags: ufw

+ 1
- 0
roles/mailserver/tasks/postfix.yml 查看文件

@@ -68,3 +68,4 @@
68 68
   with_items:
69 69
     - smtp
70 70
     - ssmtp
71
+  tags: ufw

+ 1
- 1
roles/mailserver/templates/etc_postfix_main.cf.j2 查看文件

@@ -51,7 +51,7 @@ smtp_tls_note_starttls_offer = yes
51 51
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
52 52
 # http://www.postfix.org/FORWARD_SECRECY_README.html
53 53
 smtp_tls_ciphers = medium
54
-
54
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparam2048.pem
55 55
 
56 56
 smtpd_sasl_type = dovecot
57 57
 smtpd_sasl_path = private/auth

+ 1
- 1
roles/news/files/etc_logrotate_selfoss 查看文件

@@ -4,5 +4,5 @@
4 4
         rotate 5
5 5
         compress
6 6
         notifempty
7
-        create 0644 www-data www-data
7
+	su www-data www-data
8 8
 }

+ 1
- 1
roles/news/tasks/selfoss.yml 查看文件

@@ -34,7 +34,7 @@
34 34
   postgresql_db: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ selfoss_db_database }} state=present owner={{ selfoss_db_username }}
35 35
 
36 36
 - name: Install selfoss config.ini
37
-  template: src=var_www_selfoss_config.ini.j2 dest=/var/www/selfoss/config.ini group=www-data owner=root
37
+  template: src=var_www_selfoss_config.ini.j2 dest=/var/www/selfoss/config.ini group=www-data owner=root mode=0640
38 38
 
39 39
 - name: Enable Apache rewrite module
40 40
   command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load

+ 1
- 0
roles/vpn/tasks/openvpn.yml 查看文件

@@ -135,6 +135,7 @@
135 135
 
136 136
 - name: Allow OpenVPN through ufw
137 137
   ufw: rule=allow port={{ openvpn_port }} proto={{ openvpn_protocol }}
138
+  tags: ufw
138 139
 
139 140
 - name: Copy OpenVPN configuration file into place
140 141
   template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf

+ 21
- 2
roles/vpn/templates/etc_openvpn_server.conf.j2 查看文件

@@ -187,7 +187,6 @@ ifconfig-pool-persist ipp.txt
187 187
 # (The OpenVPN server machine may need to NAT
188 188
 # or bridge the TUN/TAP interface to the internet
189 189
 # in order for this to work properly).
190
-;push "redirect-gateway def1 bypass-dhcp"
191 190
 push "redirect-gateway def1"
192 191
 push "dhcp-option DNS 10.8.0.1"
193 192
 
@@ -298,9 +297,29 @@ status openvpn-status.log
298 297
 # 4 is reasonable for general usage
299 298
 # 5 and 6 can help to debug connection problems
300 299
 # 9 is extremely verbose
301
-verb 3
300
+verb {{ openvpn_verb }}
302 301
 
303 302
 # Silence repeating messages.  At most 20
304 303
 # sequential messages of the same message
305 304
 # category will be output to the log.
306 305
 ;mute 20
306
+
307
+# Openvpn changes length of network packets
308
+# in a way which depends on cipher and hash-sum
309
+# algorithms. This can be used for fingerprinting.
310
+# Mask your settings by using a lower mtu.
311
+# Check your settings here: witch.valdikss.org.ru
312
+tun-mtu {{ openvpn_mtu }}
313
+
314
+# Set TLS settings
315
+# Only for openvpn 2.3.3 and >2.3.4
316
+{{ openvpn_tls_version_min }}
317
+{{ openvpn_tls_cipher }}
318
+
319
+# Change default network buffer size
320
+# Should increase tcp tunnel speed for openvpn < 2.3.9
321
+# https://community.openvpn.net/openvpn/ticket/461
322
+sndbuf 0
323
+rcvbuf 0
324
+push "sndbuf 393216"
325
+push "rcvbuf 393216"

+ 1
- 0
roles/xmpp/tasks/prosody.yml 查看文件

@@ -35,3 +35,4 @@
35 35
   with_items:
36 36
     - 5222  # xmpp c2s
37 37
     - 5269  # xmpp s2s
38
+  tags: ufw

+ 1
- 1
roles/xmpp/templates/prosody.cfg.lua.j2 查看文件

@@ -124,7 +124,7 @@ pidfile = "/var/run/prosody/prosody.pid"
124 124
 -- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
125 125
 -- for information about using the hashed backend.
126 126
 
127
-authentication = "internal_plain"
127
+authentication = "internal_hashed"
128 128
 
129 129
 -- Select the storage backend to use. By default Prosody uses flat files
130 130
 -- in its configured data directory, but it also supports more backends

+ 10
- 2
vars/defaults.yml 查看文件

@@ -5,6 +5,7 @@
5 5
 ###############################################################################
6 6
 
7 7
 # # common
8
+common_timezone: 'Etc/UTC'
8 9
 # domain: (required)
9 10
 # main_user_name: (required)
10 11
 admin_email: "{{ main_user_name }}@{{ domain }}"
@@ -80,6 +81,8 @@ owncloud_db_database: owncloud
80 81
 tarsnap_version: 1.0.36.1
81 82
 
82 83
 # vpn
84
+# Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
85
+# Check privacy: http://witch.valdikss.org.ru/
83 86
 # openvpn_key_country: (required)
84 87
 # openvpn_key_province: (required)
85 88
 # openvpn_key_city: (required)
@@ -88,8 +91,8 @@ tarsnap_version: 1.0.36.1
88 91
 openvpn_days_valid: "1825"
89 92
 openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
90 93
 openvpn_key_size: "2048"
91
-openvpn_cipher: "BF-CBC"
92
-openvpn_auth_digest: "SHA1"
94
+openvpn_cipher: "AES-256-CBC"
95
+openvpn_auth_digest: "SHA512"
93 96
 openvpn_path: "/etc/openvpn"
94 97
 openvpn_ca: "{{ openvpn_path }}/ca"
95 98
 openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
@@ -97,6 +100,11 @@ openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
97 100
 openvpn_server: "{{ domain }}"
98 101
 openvpn_port: "1194"
99 102
 openvpn_protocol: "udp"
103
+openvpn_mtu: "1300"
104
+openvpn_verb: "3" # "0" for anonymity
105
+# uncomment for openvpn 2.3.3 and >2.3.4
106
+openvpn_tls_version_min: "" # "tls-version-min 1.2"
107
+openvpn_tls_cipher: "" # "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
100 108
 # openvpn_clients: (required)
101 109
 
102 110
 # webmail

+ 1
- 0
vars/testing.yml 查看文件

@@ -5,6 +5,7 @@
5 5
 ###############################################################################
6 6
 
7 7
 # common
8
+common_timezone: 'Etc/UTC'
8 9
 domain: sovereign.local
9 10
 main_user_name: sovereign
10 11
 encfs_password: testPassword

正在加载...
取消
保存