Don't copy the LE certificates. Instead use the ssl-cert group to
manage access to the LE certificates directly. See
https://github.com/letsencrypt/letsencrypt/issues/1425 for a request to
have the LE client do this itself.
Use Let's Encrypt for generating site certificates
This method uses Subjective Alternative Names (SANs) to get one
certificate for all the subdomains that Sovereign employs, whether or
not the user configured their site with the roles.
An earlier commit started transitioning opendmarc to use postgres, but
this was incomplete. This patch reverts that change and uses mysql for
the reporting database.
Other changes:
* Do not maintain a copy of the database import schema. A copy is
included in the distribution in /usr/share/doc, so that is used
instead.
* The configuration file is replaced with the distribution's sample
configuration. A second patch will restore the actual configuration.
This will make the changes easier to see if the default configuraton
file changes in future versions of opendmarc.
The server was not starting. As a result, the dnsmasq service failed to
start, and the playbook thus failed to run when using the vpn role.
This patch corrects the configuration per instructions from
https://help.ubuntu.com/community/OpenVPN.
OpenVPN PAM configuration moved up to reduce server bouncing as the
playbook runs. The dependency on service (re)starts between openvpn and
dnsmasq works but feels brittle.
Roundcube is not available on Jessie except in backports. This role is
also out of date and needs reviewed and updated for the release included
in backports. Roundcube could alternatively be installed from source as
recommended by the maintainers.
Take changes to the tomcat6 default configuration and apply to tomcat7
configuration. This was done by review of the diff between sovereign's
tomcat6 configuration and the default tomcat7 configuration.
Avoid using the Include directive. Move most of the SSL configuration
to the global configuration and leave enabling the SSL engine to each
virtual host that wants to use it.
Writing clarifies thinking and leaves behind guidance for future
maintainers. Design descriptions shouldn't be required, though,
especially for trivial modules.
I probably got this wrong, but I'm putting a stake in the ground based
on work I've done on the Roundcube module and adding Let's Encrypt
support to the common module.
Conflicts:
CONTRIBUTING.md