Disroot-Ansible/gpg-lacre
10
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Merge pull request '0.2' (#6) from 0.3 into main

Browse source 
Reviewed-on: #6
This commit is contained in:
muppeth 2024-02-27 22:58:01 +00:00
commit 84177e53a5
15 changed files with 160 additions and 96 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
README.MD
View file

@ -10,14 +10,14 @@ Postfix offers two types of filters. Simple and advanced content filters. Depend
Lacre-webgate is a simple interface for uploading keys. You can decide whether to install it by setting variable `lacre_webgate_deploy`. Default is set to `true`. This frontend depends on php and an sql database. The role defaults to `mariadb`. For Mariadb following variables need to be set. Check following example:
```
lacre_webgate_db_enabled: 'yes'
lacre_webgate_db_backend: 'mysql'
lacre_webgate_db_name: 'gpgmw'
lacre_webgate_db_host: 'localhost'
lacre_webgate_db_username: 'user'
lacre_webgate_db_password: 'password'
lacre_db_enabled: 'yes'
lacre_db_backend: 'mysql'
lacre_db_name: 'lacre'
lacre_db_host: 'localhost'
lacre_db_username: 'user'
lacre_db_password: 'password'
```
The Lacre-webgate can be installed on remote host. You must make sure that mariadb is reachable from host running postfix+gpg-lacre as gpg-lacre needs to be able to pull uploaded keys. You can use this role to install Lacre-webgate on remote host by specifying `tag=webgate`. Make sure to set `lacre_webgate_deploy` to `false` on the `gpg-lacre/postfix` host.
The Lacre-webgate can be installed on remote host. You must make sure that mariadb is reachable from host running postfix+lacre as lacre needs to be able to pull uploaded keys. You can use this role to install Lacre-webgate on remote host by specifying `tag=webgate`. Make sure to set `lacre_webgate_deploy` to `false` on the `lacre/postfix` host.
### Dependency variables
Lacre depends on additional software such as postfix, php-fpm, mariadb, nginx. This software isn't covered by the role and you need to make sure to install and configure them according to your needs. You can use [disroot roles](https://git.disroot.org/org/Disroot-Ansible/dashboard) or any other roles or just set them up manually. Included defaults work with disroot ansible roles.

2
Vagrantfile vendored
View file

@ -8,7 +8,7 @@
Vagrant.configure("2") do |config|
#config.ssh.insert_key = false
config.vm.define "lacre" do |lacre|
lacre.vm.box = "generic/debian11"
lacre.vm.box = "generic/debian12"
lacre.vm.provider :libvirt do |libvirt|
libvirt.memory = 256
end

54
defaults/main.yml
View file

@ -1,13 +1,13 @@
---
# Main vars
lacre_pything_version: '3.9'
lacre_python_version: '3.11'
lacre_repo: 'https://git.disroot.org/Disroot/gpg-lacre.git'
lacre_version: 'main'
lacre_app_dir: '/opt/gpg-lacre'
lacre_app_dir: '/opt/lacre'
lacre_username: 'lacre'
lacre_group: 'lacre'
lacre_homedir: '/var/lib/gpg-lacre'
lacre_homedir: '/var/lib/lacre'
lacre_backend_deploy: 'true'
lacre_webgate_deploy: 'true'
lacre_apt:
@ -16,8 +16,10 @@ lacre_apt:
- 'sudo'
- 'python3-pip'
- 'python3-dev'
- 'python3-full'
- 'libssl-dev'
- 'swig'
- 'virtualenv'
lacre_pip_pkgs:
- 'setuptools'
- 'wheel'
@ -25,12 +27,12 @@ lacre_pip_pkgs:
- 'pyyaml'
lacre_daemon: 'false'
lacre_set_content_filter: 'true'
lacre_content_filter: 'gpg-mailgate'
lacre_content_filter: 'lacre'
lacre_postfix_simplefilter: 'true'
lacre_postfix_daemon: 'false'
# Lacre config file
lacre_config_file: '/etc/gpg-mailgate.conf'
lacre_config_file: '/etc/lacre.conf'
lacre_add_header: 'yes'
lacre_enc_keymap_only: 'no'
lacre_dec_keymap_only: 'no'
@ -44,9 +46,9 @@ lacre_cert_path: '{{ lacre_homedir }}/smime'
lacre_register_email: 'register@example.org'
lacre_mail_templates: '{{ lacre_app_dir }}/register_templates'
lacre_webpanel_url: 'http://example.org'
lacre_notification_email: 'gpg-mailgate@example.org'
lacre_notification_email: 'lacre@example.org'
lacre_mail_templates: '{{ lacre_app_dir }}/cron_templates'
lacre_logfile: '/etc/gpg-lacre-logging.conf'
lacre_logfile: '/etc/lacre-logging.conf'
lacre_max_data_bytes: '33554432'
lacre_log_headers: 'no'
lacre_relay: '127.0.0.1'
@ -55,17 +57,23 @@ lacre_enc_port: '25'
lacre_starttls: 'no'
## Lacre database
lacre_webgate_db_enabled: 'yes'
lacre_webgate_db_backend: 'mysql'
lacre_webgate_db_name: 'gpgmw'
lacre_webgate_db_host: 'localhost'
lacre_webgate_db_username: 'user'
lacre_webgate_db_password: 'password'
lacre_db_enabled: 'yes'
lacre_db_backend: 'mysql'
lacre_db_name: 'lacre'
lacre_db_host: 'localhost'
lacre_db_username: 'user'
lacre_db_password: 'password'
## Lacre pooling
lacre_pooling_mode: 'optimistic'
lacre_pooling_maxcon_age: '3600'
lacre_pooling_poolsize: '5'
lacre_pooling_max_overflow: '10'
## Lacre daemon
lacre_daemon_host: '127.0.0.1'
lacre_daemon_port: '10025'
lacre_systemd_execstart: 'python -m lacre.daemon'
lacre_systemd_execstart: '{{ lacre_homedir }}/venv/bin/python{{ lacre_python_version }} -m lacre.daemon'
lacre_systemd_restartsec: '3'
# Lacre logger
@ -103,9 +111,9 @@ lacre_webgate_dir: '/var/www/lacre-webgate'
lacre_webgate_user: 'www-data'
lacre_webgate_group: 'www-data'
lacre_webgate_email_web: 'admin@example.com'
lacre_webgate_email_from: 'gpg-mailgate-web@example.com'
lacre_webgate_email_from: 'lacre@example.com'
lacre_webgate_email_subject_requestpgp: 'Confirm your email address'
lacre_webgate_site_url: 'http://example.com/gpgmw'
lacre_webgate_site_url: 'http://example.com/lacre'
lacre_webgate_site_title: 'PGP key management'
lacre_webgate_site_logo: 'img/logo.png'
lacre_webgate_site_faqurl: 'https://lacre.io/faq'
@ -117,7 +125,7 @@ lacre_webgate_debug: 'enable'
lacre_webgate_mail_smtp: 'false'
lacre_webgate_smtp_host: 'localhost'
lacre_webgate_smtp_port: '25'
lacre_webgate_smtp_username: 'gpgmw'
lacre_webgate_smtp_username: 'lacre'
lacre_webgate_smtp_password: ''
lacre_webgate_pgpverify: 'false'
lacre_webgate_pgpverify_tmpdir: '/tmp'
@ -196,7 +204,7 @@ mariadb_default_config:
- character-set-server = utf8mb4
- collation-server = utf8mb4_unicode_ci
- skip_external_locking = True
- bind_address = {{ lacre_webgate_db_host }}
- bind_address = {{ lacre_db_host }}
- key_buffer = 16M
- max_allowed_packet = 16M
- thread_stack = 192K
@ -249,13 +257,13 @@ mariadb_default_config:
- key_buffer = 16M
mariadb_databases:
- name: '{{ lacre_webgate_db_name }}'
- name: '{{ lacre_db_name }}'
collation: 'utf8mb4_unicode_ci'
encoding: 'utf8mb4'
mariadb_users:
- name: '{{ lacre_webgate_db_username }}'
host: '{{ lacre_webgate_db_host }}'
password: '{{ lacre_webgate_db_password }}'
priv: '{{ lacre_webgate_db_name }}.*:ALL'
- name: '{{ lacre_db_username }}'
host: '{{ lacre_db_host }}'
password: '{{ lacre_db_password }}'
priv: '{{ lacre_db_name }}.*:ALL'

4
handlers/main.yml
View file

@ -1,6 +1,6 @@
---
- name: restart gpg-lacre
- name: restart lacre
systemd:
name: gpg-lacre
name: lacre
state: restarted

4
tasks/configure.yml
View file

@ -2,7 +2,7 @@
- name: '[LACRE] - Configure lacre'
template:
src: 'etc/gpg-mailgate.conf.j2'
src: 'etc/lacre.conf.j2'
dest: '{{ lacre_config_file }}'
owner: '{{ lacre_username }}'
group: '{{ lacre_group }}'
@ -10,7 +10,7 @@
- name: '[LACRE] - Configure lacre logger'
template:
src: 'etc/gpg-lacre-logging.conf.j2'
src: 'etc/lacre-logging.conf.j2'
dest: '{{ lacre_logfile }}'
owner: '{{ lacre_username }}'
group: '{{ lacre_group }}'

10
tasks/daemon.yml
View file

@ -2,8 +2,8 @@
- name: '[Lacre Daemon] - Deploy systemd config'
template:
src: etc/systemd/system/gpg-lacre.service.j2
dest: /etc/systemd/system/gpg-lacre.service
src: etc/systemd/system/lacre.service.j2
dest: /etc/systemd/system/lacre.service
owner: root
group: root
mode: 0644
@ -11,11 +11,11 @@
- name: '[Lacre Daemon] - Enable systemd config'
systemd:
name: gpg-lacre
name: lacre
enabled: yes
daemon_reload: yes
notify:
restart gpg-lacre
restart lacre
- name: '[LACRE] - Add lacre daemon to postfix'
@ -24,7 +24,7 @@
backup: yes
marker: '# {mark} LACRE config block (Ansible)'
block: |
gpg-lacre unix - - - - - smtp
lacre unix - - - - - smtp
-o smtp_tls_security_level=none
127.0.0.1:10025 inet n - - - - smtpd

22
tasks/install.yml
View file

@ -30,25 +30,27 @@
- name: '[Install] - Create a symbolic link to python binary'
file:
src: '/usr/bin/python3.9'
src: '/usr/bin/python{{ lacre_python_version }}'
dest: '/usr/bin/python'
state: 'link'
- name: '[INSTALL] - Install lacre backend requirenments'
pip:
requirements: "{{ lacre_app_dir }}/requirements.txt"
virtualenv: '{{ lacre_homedir }}/venv'
virtualenv_site_packages: yes
- name: '[Install] - Link GnuPG Lacre to global python modules'
file:
src: '{{ lacre_app_dir }}/GnuPG'
dest: '/usr/local/lib/python{{ lacre_pything_version }}/dist-packages/GnuPG'
dest: '{{ lacre_homedir }}/venv/lib/python{{ lacre_python_version }}/site-packages/GnuPG'
state: link
- name: '[Install] - Link Lacre module to global python modules'
file:
src: '{{ lacre_app_dir }}/lacre'
dest: '/usr/local/lib/python{{ lacre_pything_version }}/dist-packages/lacre'
dest: '{{ lacre_homedir }}/venv/lib/python{{ lacre_python_version }}/site-packages/lacre'
state: link
- name: '[INSTALL] - Set cron file permission'
@ -72,3 +74,17 @@
user: "{{ lacre_username }}"
job: '{{ lacre_app_dir }}/webgate-cron.py > /dev/null'
when: lacre_webgate_cron == 'true'
- name: Check if the database exists
shell:
cmd: mysql -h {{ lacre_db_host }} -u {{ lacre_db_username }} -p{{ lacre_db_password }} {{ lacre_db_name }} -se "SHOW TABLES;" | wc -l
register: lacre_db_info
ignore_errors: yes
- name: '[INSTALL] - Run dbschema'
shell:
cmd: '{{ lacre_homedir }}/venv/bin/python{{ lacre_python_version }} -m {{ lacre_app_dir }}/lacre/admin.py db -i'
become: 'yes'
become_user: '{{ lacre_username }}'
when: lacre_db_info.stdout != '3'

24
tasks/main.yml
View file

@ -1,37 +1,37 @@
---
- name: 'Create user'
include: 'user.yml'
include_tasks: 'user.yml'
tags:
- 'backend'
when: lacre_backend_deploy == 'true'
- name: 'Clone / Update repository'
include: 'git.yml'
include_tasks: 'git.yml'
tags:
- 'backend'
when: lacre_backend_deploy == 'true'
- name: 'Install Lacre'
include: 'install.yml'
tags:
- 'backend'
when: lacre_backend_deploy == 'true'
- name: 'Configure Lacre'
include: 'configure.yml'
include_tasks: 'configure.yml'
tags:
- 'config'
- 'configure'
- 'backend'
when: lacre_backend_deploy == 'true'
- name: 'Install Lacre'
include_tasks: 'install.yml'
tags:
- 'backend'
when: lacre_backend_deploy == 'true'
- name: 'Use simple filter'
include: 'simple_filter.yml'
include_tasks: 'simple_filter.yml'
when: lacre_daemon == 'false'
- name: 'Deploy Advanced filter'
include: 'daemon.yml'
include_tasks: 'daemon.yml'
tags:
- 'backend'
- 'config'
@ -39,7 +39,7 @@
when: lacre_daemon == 'true'
- name: 'Deploy Lacre Webgate'
include: 'webgate.yml'
include_tasks: 'webgate.yml'
tags:
- 'webgate'
when: lacre_webgate_deploy == 'true'

28
tasks/simple_filter.yml
View file

@ -1,13 +1,22 @@
---
- name: '[LACRE] - Add simple filter launcher script'
template:
src: templates/usr/local/bin/lacre-simple_filter.sh.j2
dest: /usr/local/bin/lacre-simple_filter.sh
owner: '{{ lacre_username }}'
group: '{{ lacre_group }}'
mode: '0755'
- name: '[LACRE] - Add lacre simple filter to postfix'
blockinfile:
dest: '/etc/postfix/master.cf'
backup: yes
marker: '# {mark} LACRE config block (Ansible)'
block: |
gpg-mailgate unix - n n - - pipe
flags= user=lacre argv={{ lacre_app_dir }}/gpg-mailgate.py ${recipient}
lacre unix - n n - - pipe
flags= user={{ lacre_username }}
argv=bash /usr/local/bin/lacre-simple_filter.sh
127.0.0.1:10028 inet n - n - 10 smtpd
-o content_filter=
@ -20,10 +29,23 @@
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
when: lacre_postfix_simplefilter == 'true'
- name: '[LACRE] - Check if content_filter is set in postfix'
shell: "grep -q 'content_filter' /etc/postfix/main.cf"
register: check_filter
ignore_errors: true
- name: '[LACRE] - Add content filter in postfix settings if not exists'
lineinfile:
path: '/etc/postfix/main.cf'
line: 'content_filter = {{ lacre_content_filter }}'
insertafter: EOF
state: present
when: lacre_set_content_filter == 'true' and check_filter.rc !=0
- name: '[LACRE] - Replace content_filter setting in postfix'
replace:
path: '/etc/postfix/main.cf'
regexp: 'content_filter = .*'
replace: 'content_filter = {{ lacre_content_filter }}'
when: lacre_set_content_filter == 'true'
when: lacre_set_content_filter == 'true' and check_filter.rc == 0

26
tasks/webgate.yml
View file

@ -10,29 +10,15 @@
dest: '{{ lacre_webgate_dir }}'
force: 'yes'
version: '{{ lacre_webgate_version }}'
# become: 'yes'
#become_user: '{{ lacre_webgate_user }}'
become: 'yes'
become_user: '{{ lacre_webgate_user }}'
- name: '[Lacre-webgate] - Make sure webgate is owned by lacre user'
file:
path: '{{ lacre_webgate_dir }}'
owner: '{{ lacre_username }}'
group: '{{ lacre_group }}'
- name: '[Lacre-webgate] - Check if db schema is loaded'
shell:
cmd: mysql -h {{ lacre_webgate_db_host }} -u {{ lacre_webgate_db_username }} -p{{ lacre_webgate_db_password }} {{ lacre_webgate_db_name }} -se "SELECT EXISTS (SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA LIKE '{{ lacre_webgate_db_name }}' AND TABLE_TYPE LIKE 'BASE TABLE' AND TABLE_NAME = 'gpgmw_keys' );"
register: lacre_webgate_installed
ignore_errors: true
- name: '[Lacre-webgate] - Import sql schema'
mysql_db:
state: import
name: "{{ lacre_webgate_db_name }}"
login_host: "{{ lacre_webgate_db_host }}"
login_user: "{{ lacre_webgate_db_username }}"
login_password: "{{ lacre_webgate_db_password }}"
target: "{{ lacre_webgate_dir }}/schema.sql"
when: lacre_webgate_installed.stdout < "0"
owner: '{{ lacre_webgate_user }}'
group: '{{ lacre_webgate_group }}'
recurse: yes
- name: '[Lacre-webgate] - Deploy config'
template:

0
templates/etc/gpg-lacre-logging.conf.j2 → templates/etc/lacre-logging.conf.j2
View file

54
templates/etc/gpg-mailgate.conf.j2 → templates/etc/lacre.conf.j2
View file

@ -1,11 +1,11 @@
[default]
# Whether gpg-mailgate should add a header after it has processed an email
# Whether lacre should add a header after it has processed an email
# This may be useful for debugging purposes
add_header = {{ lacre_add_header }}
# Whether we should only encrypt emails if they are explicitly defined in
# the key mappings below ([enc_keymap] section)
# This means gpg-mailgate won't automatically detect PGP recipients for encrypting
# This means lacre won't automatically detect PGP recipients for encrypting
enc_keymap_only = {{ lacre_enc_keymap_only }}
# Convert encrypted text/plain email to MIME-attached encrypt style.
@ -20,7 +20,7 @@ mime_conversion = {{ lacre_mime_conversion }}
mail_case_insensitive = {{ lacre_mail_case_insensitive }}
[gpg]
# the directory where gpg-mailgate public keys are stored
# the directory where lacre public keys are stored
# (see INSTALL for details)
keyhome = {{ lacre_keyhome }}
@ -32,6 +32,7 @@ cert_path = {{ lacre_cert_path }}
# settings for the register-handler
register_email = {{ lacre_register_email }}
mail_templates = {{ lacre_mail_templates }}
# URL to webpanel. The server should be able to reach it
webpanel_url = {{ lacre_webpanel_url }}
@ -57,21 +58,21 @@ port = {{ lacre_daemon_port }}
# Maximum size (in bytes) of message body, i.e. data provided after DATA
# message. Following value comes from aiosmtpd module's default for this
# setting.
max_data_bytes = {{ lacre_max_data_bytes }}33554432
max_data_bytes = {{ lacre_max_data_bytes }}
# Sometimes it may make sense to log additional information from mail headers.
# This should never be PII, but information like encoding, content types, etc.
log_headers = {{ lacre_log_headers }}no
log_headers = {{ lacre_log_headers }}
{% endif %}
[relay]
# the relay settings to use for Postfix
# gpg-mailgate will submit email to this relay after it is done processing
# lacre will submit email to this relay after it is done processing
# unless you alter the default Postfix configuration, you won't have to modify this
host = {{ lacre_relay }}
port = {{ lacre_relay_port }}
# This is the default port of postfix. It is used to send some
# mails through the GPG-Mailgate so they are encrypted
# mails through the lacre so they are encrypted
enc_port = {{ lacre_enc_port }}
# Set this option to yes to use TLS for SMTP Servers which require TLS.
@ -89,15 +90,42 @@ starttls = {{ lacre_smtp_starttls }}
[database]
# edit the settings below if you want to read keys from a
# gpg-mailgate-web database other than SQLite
enabled = {{ lacre_webgate_db_enabled }}
{% if lacre_webgate_db_backend == 'sqlite' %}
url = sqlite://{{ lacre_webgate_db_name }}
# lacre-webgate database other than SQLite
enabled = {{ lacre_db_enabled }}
{% if lacre_db_backend == 'sqlite' %}
url = sqlite://{{ lacre_db_name }}
{% endif %}
{% if lacre_webgate_db_backend == 'mysql' %}
url = mysql://{{ lacre_webgate_db_username }}:{{ lacre_webgate_db_password }}@{{ lacre_webgate_db_host }}/{{ lacre_webgate_db_name }}
{% if lacre_db_backend == 'mysql' %}
url = mysql://{{ lacre_db_username }}:{{ lacre_db_password }}@{{ lacre_db_host }}/{{ lacre_db_name }}
{% endif %}
# Pooling mode: pessimistic or optimistic (required parameter).
#
# - Pessimistic disconnect-handling: pre_ping. Connection pool will try using
# connection before it executes a SQL query to find out if the connection is
# still alive. If not, it'll just establish a new connection.
#
# - Optimistic distonnect-handling: just avoid using connections after some
# time.
#
pooling_mode = {{ lacre_pooling_mode }}
# For other RDBMS backends, see:
# https://docs.sqlalchemy.org/en/14/core/engines.html#database-urls
# Number of seconds after which an idle connection is recycled. This is
# useful with MySQL servers. This is only used with pooling_mode=optimistic.
# For more information, see:
# https://docs.sqlalchemy.org/en/14/core/engines.html#sqlalchemy.create_engine.params.pool_recycle
max_connection_age = {{ lacre_pooling_maxcon_age }}
# Number of connections stored in the pool.
pool_size = {{ lacre_pooling_poolsize }}
# If the pool size is not enough for current traffic, some connections can be
# made and closed after use, to avoid pool growth and connection rejections.
max_overflow = {{ lacre_pooling_max_overflow }}
[enc_keymap]
# You can find these by running the following command:
# gpg --list-keys --keyid-format long user@example.com

1
templates/etc/systemd/system/gpg-lacre.service.j2 → templates/etc/systemd/system/lacre.service.j2
View file

@ -7,7 +7,6 @@ Type=simple
User={{ lacre_username }}
Group={{ lacre_group }}
WorkingDirectory={{ lacre_app_dir }}
Environment=GPG_MAILGATE_CONFIG={{ lacre_config_file }}
ExecStart={{ lacre_systemd_execstart }}
Restart=always
RestartSec={{ lacre_systemd_restartsec }}

8
templates/lacre-webgate/config.php.j2
View file

@ -77,16 +77,16 @@ $config['mail_smtp_password'] = '{{ lacre_smtp_password }}';
//
//database name (MySQL only); or see include/dbconnect.php
$config['db_name'] = '{{ lacre_webgate_db_name }}';
$config['db_name'] = '{{ lacre_db_name }}';
//database host
$config['db_host'] = '{{ lacre_webgate_db_host }}';
$config['db_host'] = '{{ lacre_db_host }}';
//database username
$config['db_username'] = '{{ lacre_webgate_db_username }}';
$config['db_username'] = '{{ lacre_db_username }}';
//database password
$config['db_password'] = '{{ lacre_webgate_db_password }}';
$config['db_password'] = '{{ lacre_db_password }}';
//
// PGP VERIFICATION SETTINGS

5
templates/usr/local/bin/lacre-simple_filter.sh.j2 Normal file
View file

@ -0,0 +1,5 @@
#!/bin/bash
# A script to launch Lacre for Postfix's simple filter using python virtual environment.
source {{ lacre_homedir }}/venv/bin/activate
{{ lacre_homedir }}/venv/bin/python{{ lacre_python_version }} {{ lacre_app_dir }}/lacre.py