Lots of updates, first test of VPN.

README.md

@@ -104,6 +104,10 @@ Also install the dependencies for password generation as well as ansible itself.
     cd sovereign
     sudo pip install -r ./requirements.txt
 
+Or, if you're on Arch, instead of using pip, install the required stuff manually:
+
+    sudo pacman -Syu ansible python-jmespath python-passlib
+
 #### 4. Configure your installation
 
 Modify the settings in the `group_vars/sovereign` folder to your liking.

roles/common/defaults/main.yml

@@ -13,7 +13,7 @@ db_admin_username: 'postgres'
 db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"
 
 # let's encrypt
-letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
+letsencrypt_server: "https://acme-v02.api.letsencrypt.org/directory"
 
 # ssh
 # Following https://infosec.mozilla.org/guidelines/openssh

roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf

@@ -9,5 +9,5 @@
 plugin {
   # FTS (full text search with Solr)
   fts = solr
-  fts_solr = break-imap-search url=http://localhost:8080/solr/
+  fts_solr = url=http://localhost:8080/solr/
 }

roles/mailserver/files/etc_dovecot_sieve_before.d_no-spam.sieve

@@ -2,13 +2,11 @@ require "fileinto";
 require "imap4flags";
 
 if header :contains "X-Spam-Flag" "YES" {
-    setflag "\\seen";
     fileinto "Junk";
     stop;
 }
 
 if header :is "X-Spam" "Yes" {
-    setflag "\\seen";
     fileinto "Junk";
     stop;
 }

roles/mailserver/tasks/checkrbl.yml

@@ -1,8 +1,8 @@
 - name: Download check-rbl
   get_url:
-    url=https://raw.githubusercontent.com/lukecyca/check-rbl/e2bd60f5e5175375cd2f7f1b1b752473e3a23640/check-rbl.pl
+    url=https://raw.githubusercontent.com/lukecyca/check-rbl/479c1d5aa57543ba4c495ef06028fd9092ffdf43/check-rbl.pl
     dest=/opt/check-rbl.pl
-    sha256sum=22093bd59ed84cb7ee6e336fb2a4ab73dbe3a05837d2bab9b491a21df16b35d8
+    sha256sum=0968ea1991b500a2bb39b4aefb05c6bf42a62994774f2c46de5d426d5094508b
 
 - name: Install nightly check-rbl cronjob
   cron:

roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2

@@ -9,7 +9,7 @@ actions = {
 
 # From Rspamd 1.6 experimental support for generation of DMARC reports is provided.
 # send_reports MUST be true
-send_reports = true;
+send_reports = false;
 
 # report_settings MUST be present
 report_settings {

roles/monitoring/files/etc_monit_conf.d_dnsmasq

@@ -0,0 +1,6 @@
+check process dnsmasq with pidfile "/run/dnsmasq/dnsmasq.pid"
+  group system
+  start program = "/bin/systemctl start dnsmasq"
+  stop program = "/bin/systemctl stop dnsmasq"
+  if failed port 53 type udp protocol dns then alert
+  if failed port 53 type udp protocol dns for 5 cycles then restart

roles/monitoring/files/etc_monit_conf.d_openvpn

@@ -0,0 +1,6 @@
+check process openvpn with pidfile "/run/openvpn/server.pid"
+  group system
+  start program = "/bin/systemctl start openvpn@server"
+  stop program = "/bin/systemctl stop openvpn@server"
+  if failed port 1194 type udp then alert
+  if failed port 1194 type udp for 5 cycles then restart

roles/monitoring/tasks/monit.yml

@@ -68,6 +68,10 @@
   stat: path=/etc/mosquitto/mosquitto.conf
   register: mosquitto_config_file
 
+- name: Determine if OpenVPN is installed
+  stat: path=/etc/openvpn/server.conf
+  register: openvpn_config_file
+
 - name: Copy ZNC monit service config files into place
   copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
   notify: restart monit
@@ -133,6 +137,16 @@
   notify: restart monit
   when: mosquitto_config_file.stat.exists == True
 
+- name: Copy OpenVPN monit service config files into place
+  copy: src=etc_monit_conf.d_openvpn dest=/etc/monit/conf.d/openvpn
+  notify: restart monit
+  when: openvpn_config_file.stat.exists == True
+
+- name: Copy dnsmasq monit service config files into place
+  copy: src=etc_monit_conf.d_dnsmasq dest=/etc/monit/conf.d/dnsmasq
+  notify: restart monit
+  when: openvpn_config_file.stat.exists == True
+
 - name: Copy monit service config files into place
   copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
   with_items:

roles/vpn/defaults/main.yml

@@ -1,11 +1,13 @@
 # Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
 # Check privacy: http://witch.valdikss.org.ru/
 
+openvpn_ip_start: "10.8.0"
+
 openvpn_key_country:  "US"
 openvpn_key_province: "California"
 openvpn_key_city: "Beverly Hills"
-openvpn_key_org: "ACME CORPORATION"
-openvpn_key_ou: "Anvil Department"
+openvpn_key_org: "{{ domain }}"
+openvpn_key_ou: "{{ server_name }}"
 openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
 
 openvpn_days_valid: "1825"

roles/vpn/tasks/openvpn.yml

@@ -3,8 +3,11 @@
 # ref: https://library.linode.com/networking/openvpn/debian-6-squeeze
 
 - name: Install OpenVPN and dependencies
-  apt: pkg={{ item }} state=present
-  with_items:
+  apt:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
     - dnsmasq
     - openvpn
     - udev
@@ -41,13 +44,13 @@
   command: openssl req -nodes -batch -new -x509 -key {{ openvpn_ca }}.key -out {{ openvpn_ca }}.crt -days {{ openvpn_days_valid }} -subj "{{ openssl_request_subject }}/CN=sovereign-ca-certificate"
            creates={{ openvpn_ca }}.crt
 
-- name: Generate the OpenSSL configuration that will be used for the Server certificate's req and ca commands
   # Properly sets the attributes that are described here:
   # openvpn.net/index.php/open-source/documentation/howto.html#mitm
   #
   # This is required in order for the 'ns-cert-type server' option to
   # work, which is enabled by default in most standard client.conf
   # files.
+- name: Generate the OpenSSL configuration that will be used for the Server certificate's req and ca commands
   template: src=openssl-server-certificate.cnf.j2
             dest={{ openvpn_path }}/openssl-server-certificate.cnf
 
@@ -146,12 +149,12 @@
 - name: Enable OpenVPN server systemd service unit
   service: name=openvpn@server enabled=yes
 
-# OpenVPN must restart first so the 10.8.0.0 interface is available
+# OpenVPN must restart first so the VPN interface is available
 # to dnsmasq
 - meta: flush_handlers
 
 - name: Copy dnsmasq configuration file into place
-  copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
+  template: src=etc_dnsmasq.conf.j2 dest=/etc/dnsmasq.conf
   notify: restart dnsmasq
 
 - name: Copy the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
@@ -164,11 +167,12 @@
 
 - name: Retrieve the files that clients will need in order to connect to the OpenVPN server
   fetch: src={{ openvpn_path }}/{{ item[0] }}/{{ item[1] }}
-         dest=/tmp/sovereign-openvpn-files fail_on_missing=yes
+         dest="{{ secret }}/sovereign-openvpn-files"
+         fail_on_missing=yes
   with_nested:
     - "{{ openvpn_clients }}"
     - ["client.crt", "client.key", "ca.crt", "ta.key", "{{ openvpn_server }}.ovpn"]
 
 - name: Pause 5s seconds for OpenVPN ready
   pause: seconds=5
-         prompt="You are ready to set up your OpenVPN clients. The files that you need are in /tmp/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."
+         prompt="You are ready to set up your OpenVPN clients. The files that you need are in {{ secret }}/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."

roles/vpn/files/etc_dnsmasq.conf → roles/vpn/templates/etc_dnsmasq.conf.j2

@@ -94,7 +94,7 @@ bogus-priv
 # Or which to listen on by address (remember to include 127.0.0.1 if
 # you use this.)
 #listen-address=
-listen-address=127.0.0.1,10.8.0.1
+listen-address=127.0.0.1,{{ openvpn_ip_start }}.1
 
 # If you want dnsmasq to provide only DNS service on an interface,
 # configure it as shown above, and then use the following line to

roles/vpn/templates/etc_openvpn_server.conf.j2

@@ -96,7 +96,7 @@ dh dh{{ openvpn_key_size }}.pem
 # Each client will be able to reach the server
 # on 10.8.0.1. Comment this line out if you are
 # ethernet bridging. See the man page for more info.
-server 10.8.0.0 255.255.255.0
+server {{ openvpn_ip_start }}.0 255.255.255.0
 
 # Maintain a record of client <-> virtual IP address
 # associations in this file.  If OpenVPN goes down or
@@ -188,7 +188,7 @@ ifconfig-pool-persist ipp.txt
 # or bridge the TUN/TAP interface to the internet
 # in order for this to work properly).
 push "redirect-gateway def1"
-push "dhcp-option DNS 10.8.0.1"
+push "dhcp-option DNS {{ openvpn_ip_start }}.1"
 
 # Certain Windows-specific network settings
 # can be pushed to clients, such as DNS

roles/vpn/templates/rc.local_ansible_openvpn

@@ -6,12 +6,12 @@
 
 iptables -C FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT || \
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -C FORWARD -s 10.8.0.0/24 -j ACCEPT || \
-iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
+iptables -C FORWARD -s {{ openvpn_ip_start }}.0/24 -j ACCEPT || \
+iptables -A FORWARD -s {{ openvpn_ip_start }}.0/24 -j ACCEPT
 iptables -C FORWARD -j REJECT || \
 iptables -A FORWARD -j REJECT
-iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE || \
-iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
+iptables -t nat -C POSTROUTING -s {{ openvpn_ip_start }}.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE || \
+iptables -t nat -A POSTROUTING -s {{ openvpn_ip_start }}.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
 
 systemctl restart dnsmasq
 

roles/xmpp/tasks/prosody.yml

@@ -30,7 +30,7 @@
   file: state=directory path=/data/prosody owner=prosody group=prosody
 
 - name: Configure Prosody
-  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=prosody
+  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=root mode=0644
   notify: restart prosody
 
 - name: Create Prosody accounts