Merge pull request #29 from lukecyca/encfs

Automate encfs setup and name mount point more appropriately

README.textile

@@ -60,7 +60,6 @@ h2. Manual Steps
 
 This does a lot for you automatically but there's still some stuff you have to do by hand.
 
-# Set up EncFS as per "these instructions":http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/.
 # Create a user account for Ansible to do its thing through. This account should be set up for passwordless sudo.
 # Put your Tarsnap key in @roles/common/files/root_tarsnap.key@.
 # Put your SSL certificate's components in the respective files that start with @wildcard_ca@ in @roles/common/files@, and a combined version in @roles/ircbouncer/files/etc_ssl_znc-combined.pem@.

roles/common/tasks/encfs.yml

@@ -0,0 +1,34 @@
+- name: Install encfs & fuse
+  apt: pkg=$item state=installed
+  with_items:
+    - encfs
+    - libfuse-dev
+    - fuse-utils
+
+- name: Create encrypted directory
+  file: state=directory path=/encrypted
+
+- name: Create decrypted directory
+  file: state=directory path=/decrypted
+
+- name: Add mail user to fuse group
+  user: name=mail append=yes groups=fuse
+
+# Check if the /encrypted directory is empty
+- name: Check for existing encfs
+  shell: ls /encrypted/*
+  ignore_errors: True
+  register: encfs_check
+
+# If it is empty, we need to create the encfs
+- name: Create encfs
+  shell: printf "p\n${encfs_password}" | encfs /encrypted /decrypted --public --stdinpass && touch /decrypted/test
+  when: encfs_check.rc > 0
+
+# If it isn't empty, we simply need to mount it (but only if /decrypted/test doesn't exist)
+- name: Mount encfs
+  shell: printf "${encfs_password}" | encfs /encrypted /decrypted --public --stdinpass creates="/decrypted/test"
+  when: encfs_check.rc == 0
+
+- name: Set decrypted directory permissions
+  file: state=directory path=/decrypted group=mail mode=775

roles/common/tasks/main.yml

@@ -12,9 +12,6 @@
     - mosh
     - zsh
     - git
-    - encfs
-    - libfuse-dev
-    - fuse-utils
     - ruby1.9.3
     - screen
     - apache2
@@ -37,6 +34,7 @@
 - name: Disable default Apache site
   command: a2dissite default
 
+- include: encfs.yml tags=encfs
 - include: users.yml tags=users
 - include: ssl.yml tags=ssl
 - include: ferm.yml tags=ferm

roles/common/tasks/tarsnap.yml

@@ -25,4 +25,4 @@
   file: state=directory path=/usr/tarsnap-cache
 
 - name: Install nightly Tarsnap cronjob
-  cron: name="Tarsnap backup" hour="3" minute="0" job="tarsnap --cachedir /usr/tarsnap-cache --keyfile /root/tarsnap.key -c -f backup-`date +\%Y\%m\%d` /home /root /decrypted-mail /var/www /var/log /var/lib/mysql > /dev/null"
+  cron: name="Tarsnap backup" hour="3" minute="0" job="tarsnap --cachedir /usr/tarsnap-cache --keyfile /root/tarsnap.key -c -f backup-`date +\%Y\%m\%d` /home /root /decrypted /var/www /var/log /var/lib/mysql > /dev/null"

roles/common/vars/main.yml

@@ -1,3 +1,4 @@
 main_user_name: TODO
 admin_email: TODO@TODO.com
-tarsnap_version: 1.0.34
+tarsnap_version: 1.0.35
+encfs_password: TODO

roles/mailserver/files/etc_dovecot_conf.d_10-mail.conf

@@ -27,7 +27,7 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-mail_location = maildir:/decrypted-mail/%d/%n
+mail_location = maildir:/decrypted/%d/%n
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.

roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext

@@ -18,7 +18,7 @@ passdb {
 
 userdb {
   driver = static
-  args = uid=vmail gid=vmail home=/decrypted-mail/%d/%n
+  args = uid=vmail gid=vmail home=/decrypted/%d/%n
 }
 
 # If you don't have any user-specific settings, you can avoid the user_query

roles/mailserver/files/etc_dspam_dspam.conf

@@ -5,7 +5,7 @@
 #
 # DSPAM Home: Specifies the base directory to be used for DSPAM storage
 #
-Home /decrypted-mail/dspam
+Home /decrypted/dspam
 
 #
 # StorageDriver: Specifies the storage driver backend (library) to use.

roles/mailserver/files/etc_solr_conf_solrconfig.xml

@@ -114,7 +114,7 @@
        replication is in use, this should match the replication
        configuration.
     -->
-  <dataDir>/decrypted-mail/solr</dataDir>
+  <dataDir>/decrypted/solr</dataDir>
 
 
   <!-- The DirectoryFactory to use for indexes.

roles/mailserver/tasks/dovecot.yml

@@ -11,10 +11,10 @@
   group: name=vmail state=present gid=5000
 
 - name: Create vmail user
-  user: name=vmail group=vmail state=present uid=5000 home=/decrypted-mail
+  user: name=vmail group=vmail state=present uid=5000 home=/decrypted
 
 - name: Ensure mail directories are in place
-  file: state=directory path=/decrypted-mail/${item.name}/${item.primary_user} owner=vmail group=dovecot
+  file: state=directory path=/decrypted/${item.name}/${item.primary_user} owner=vmail group=dovecot
   with_items:
     - ${mail_virtual_domains}
 

roles/mailserver/tasks/dspam.yml

@@ -6,8 +6,8 @@
     - postfix-pcre
     - dovecot-sieve
 
-- name: Create dspam directory 
-  file: state=directory path=/decrypted-mail/dspam group=dspam owner=dspam
+- name: Create dspam directory
+  file: state=directory path=/decrypted/dspam group=dspam owner=dspam
 
 - name: Put dspam configuration files in place
   copy: src=etc_dspam_default.prefs dest=/etc/dspam/default.prefs owner=dspam group=dspam
@@ -15,7 +15,7 @@
 - copy: src=etc_postfix_dspam_filter_access dest=/etc/postfix/dspam_filter_access owner=root group=root
 - copy: src=etc_dovecot_conf.d_20-imap.conf dest=/etc/dovecot/conf.d/20-imap.conf owner=vmail group=dovecot
 - copy: src=etc_dovecot_conf.d_90-plugin.conf dest=/etc/dovecot/conf.d/90-plugin.conf owner=vmail group=dovecot
-- copy: src=dot_dovecot.sieve dest=/decrypted-mail/${item.name}/${item.primary_user}/.dovecot.sieve owner=vmail group=dovecot
+- copy: src=dot_dovecot.sieve dest=/decrypted/${item.name}/${item.primary_user}/.dovecot.sieve owner=vmail group=dovecot
   with_items:
     - ${mail_virtual_domains}
   notify:

roles/mailserver/tasks/solr.yml

@@ -12,5 +12,5 @@
 - copy: src=etc_solr_conf_solrconfig.xml dest=/etc/solr/conf/solrconfig.xml group=root owner=root
 
 - name: Create Solr index directory
-  file: state=directory path=/decrypted-mail/solr group=tomcat6 owner=tomcat6
-  notify: restart solr
+  file: state=directory path=/decrypted/solr group=tomcat6 owner=tomcat6
+  notify: restart solr

roles/owncloud/tasks/owncloud.yml

@@ -21,8 +21,8 @@
   apt: pkg=owncloud update_cache=yes
 
 - name: Store ownCloud data securely
-  command: mv /var/www/owncloud/data /decrypted-mail/owncloud-data creates=/decrypted-mail/owncloud-data
-- file: src=/decrypted-mail/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
+  command: mv /var/www/owncloud/data /decrypted/owncloud-data creates=/decrypted/owncloud-data
+- file: src=/decrypted/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link
 
 - name: Enable Apache module dependencies for ownCloud
   command: a2enmod $item