added daemon and general role update

README.MD

@@ -1,8 +1,24 @@
 # GPG - Lacre
-This is a role that deploys GPG-Lacre with all needed dependencies and web frontends. 
+This is a role that deploys GPG-Lacre with all needed dependencies. Additionally takes care of installing a simply key upload web frontend. 
 For set of defaults variables check `defaults/main.yml` file. This role assumes that:
  - You are running Debian based OS
  - You run postfix
 
-**Warning**
-Due to heavy development of lacre this role may be broken at times. Lacre is currently not recommended for production use. Please use for testing only.
+### Lacre daemon or simple filter
+Postfix offers two types of filters. Simple and advanced content filters. Depending on your use case you can choose between two. Set `lacre_daemon` to `false` for simple filter and `true` for advanced filter (aka daemon). Additionally refer to variable defaults for extra settings needed for either option. Also check [postfix documentation](http://www.postfix.org/FILTER_README.html#simple_filter) for more details on both filter features.  
+### Lacre Webgate
+Lacre-webgate is a simple interface for uploading keys. You can decide whether to install it by setting variable `lacre_webgate_deploy`. Default is set to `true`. This frontend depends on php and an sql database. The role defaults to `mariadb`. For Mariadb following variables need to be set. Check following example:
+
+```
+lacre_webgate_db_enabled: 'yes'
+lacre_webgate_db_backend: 'mysql'
+lacre_webgate_db_name: 'gpgmw'
+lacre_webgate_db_host: 'localhost'
+lacre_webgate_db_username: 'user'
+lacre_webgate_db_password: 'password'
+```
+The Lacre-webgate can be installed on remote host. You must make sure that mariadb is reachable from host running postfix+gpg-lacre as gpg-lacre needs to be able to pull uploaded keys. You can use this role to install Lacre-webgate on remote host by specifying `tag=webgate`. Make sure to set `lacre_webgate_deploy` to `false` on the `gpg-lacre/postfix` host.
+
+### Dependency variables
+Lacre depends on additional software such as postfix, php-fpm, mariadb, nginx. This software isn't covered by the role and you need to make sure to install and configure them according to your needs. You can use [disroot roles](https://git.disroot.org/org/Disroot-Ansible/dashboard) or any other roles or just set them up manually. Included defaults work with disroot ansible roles. 
+

defaults/main.yml

@@ -1,4 +1,6 @@
 ---
+
+# Main vars
 lacre_pything_version: '3.9'
 lacre_repo: 'https://git.disroot.org/Disroot/gpg-lacre.git'
 lacre_version: 'main'
@@ -8,17 +10,18 @@ lacre_group: 'lacre'
 lacre_homedir: '/var/lib/gpg-lacre'
 lacre_backend_deploy: 'true'
 lacre_webgate_deploy: 'true'
-#lacre_
 lacre_apt:
   - 'python3-m2crypto'
   - 'git'
   - 'gnupg'
+  - 'sudo'
 lacre_daemon: 'false'
 lacre_set_content_filter: 'true'
 lacre_content_filter: 'gpg-mailgate'
 lacre_postfix_simplefilter: 'true'
 lacre_postfix_daemon: 'false'
-#config file
+
+# Lacre config file
 lacre_config_file: '/etc/gpg-mailgate.conf'
 lacre_add_header: 'yes'
 lacre_enc_keymap_only: 'no'
@@ -36,22 +39,28 @@ lacre_webpanel_url: 'http://example.org'
 lacre_notification_email: 'gpg-mailgate@example.org'
 lacre_mail_templates: '{{ lacre_app_dir }}/cron_templates'
 lacre_logfile: '/etc/gpg-lacre-logging.conf'
-lacre_daemon_host: '127.0.0.1'
-lacre_daemon_port: '10025'
+lacre_max_data_bytes: '33554432'
+lacre_log_headers: 'no'
 lacre_relay: '127.0.0.1'
 lacre_port: '10028'
 lacre_enc_port: '25'
 lacre_starttls: 'no'
+
+## Lacre database
 lacre_webgate_db_enabled: 'yes'
 lacre_webgate_db_backend: 'mysql'
 lacre_webgate_db_name: 'gpgmw'
 lacre_webgate_db_host: 'localhost'
-lacre_webgatedb_username: 'user'
-lacre_webgatedb_password: 'password'   
+lacre_webgate_db_username: 'user'
+lacre_webgate_db_password: 'password'   
+
+## Lacre daemon
+lacre_daemon_host: '127.0.0.1'
+lacre_daemon_port: '10025'
 lacre_systemd_execstart: 'python -m lacre.daemon'
 lacre_systemd_restartsec: '3'
 
-#lacre logger
+# Lacre logger
 lacre_log_loggers_keys: 'root'
 lacre_log_logger_level: 'NOTSET'
 lacre_logger_handlers: 'syslog'
@@ -67,9 +76,11 @@ lacre_log_postfix_format: '%(asctime)s %(module)s[%(process)d]: %(message)s'
 lacre_log_postfix_datefmt: '%b %e %H:%M:%S'
 lacre_log_postfix_style: '%'
 lacre_log_postfix_validate: 'True'
-#lacre webgate
+
+# Lacre webgate
+lacre_smtp_enabled: 'false'
 lacre_smtp_username: 'no-reply'          
-lacre_smtp_password: 'chanfeme'
+lacre_smtp_password: 'changeme'
 lacre_smtp_host: 'example.lan'                       
 lacre_smtp_port: '587'                            
 lacre_smtp_starttls: 'true' 
@@ -80,7 +91,7 @@ lacre_webgate_apt:
   - 'python3-mysqldb'
 lacre_webgate_repo: 'https://git.disroot.org/Lacre/lacre-webgate.git'
 lacre_webgate_version: 'main'
-lacre_webgate_dir: '/var/www/lacre-web'
+lacre_webgate_dir: '/var/www/lacre-webgate'
 lacre_webgate_user: 'www-data'
 lacre_webgate_group: 'www-data'
 lacre_webgate_email_web: 'admin@example.com'
@@ -90,7 +101,7 @@ lacre_webgate_site_url: 'http://example.com/gpgmw'
 lacre_webgate_site_title: 'PGP key management'
 lacre_webgate_language: 'english'
 lacre_webgate_debug: 'enable'
-lacre_mail_smtp: 'false'
+lacre_webgate_mail_smtp: 'false'
 lacre_webgate_smtp_host: 'localhost'
 lacre_webgate_smtp_port: '25'
 lacre_webgate_smtp_username: 'gpgmw'
@@ -104,15 +115,20 @@ lacre_webgate_lock_cooldown: '900'
 lacre_webgate_lock_reset: '300'
 lacre_webgate_locktime_max: '3600'
 
-#mailserver vars
+# Lacre dependency variables. Not covered by the role itself and when used with dependent disroot roles (nginx, php-fpm, mariadb, mailserver)
+
+# Mailserver vars (when used with disroot mailserver role)
 postfix_header_checks: 'false'
 postfix_body_checks: 'false'
 postfix_rbl_whitelist: 'false'
 postfix_postgrey_deploy: 'false'
 
-#php
+# php & nginx (when used with disroot php-fpm and nginx role)
 install_php: 'true'
-php_version: '7.4'
+php_version: '8.0'
+php_etc_path: '/etc/php'
+install_php: 'true'
+pool_listen: '/var/run/php/php{{ php_version }}-fpm.sock'
 php_pkgs:
   - 'php{{ php_version }}-fpm'
   - 'php{{ php_version }}-mysql'
@@ -121,7 +137,7 @@ nginx_vhosts:
      template: 'basephp'
      proto: 'http'
      listen: '80'
-     root: 'gpg-mailgate-web/public_html'
+     root: 'lacre-webgate/public_html'
      index: 'index.php'
      use_access_log: 'true'
      use_error_log: 'true'
@@ -131,14 +147,17 @@ nginx_vhosts:
        - 'fastcgi_index index.php;'
        - 'include /etc/nginx/fastcgi_params;'
        - 'fastcgi_pass unix:{{ pool_listen }};'
+     custom_locations:
+       - name: '/config\.*'
+         options:
+           - 'deny all;'
      state: 'enable'
      letsencrypt: 'false'
 
 nginx_default_vhost_ssl: 'example.org'
 nginx_default_vhost: 'example.org'
 
-#mariadb
-# MARIADB CONFIG
+# Mariadb (when using disroot mariadb role)
 mariadb_root_password: 'changeme'
 mariadb_default_config:
   - name: 'client'
@@ -164,7 +183,7 @@ mariadb_default_config:
       - character-set-server = utf8mb4
       - collation-server = utf8mb4_unicode_ci
       - skip_external_locking = True
-      - bind_address = {{ lacre_db_host }}
+      - bind_address = {{ lacre_webgate_db_host }}
       - key_buffer = 16M
       - max_allowed_packet = 16M
       - thread_stack = 192K
@@ -217,13 +236,13 @@ mariadb_default_config:
       - key_buffer = 16M
 
 mariadb_databases:
-  - name: '{{ lacre_db_name }}'
+  - name: '{{ lacre_webgate_db_name }}'
     collation: 'utf8mb4_unicode_ci'
     encoding: 'utf8mb4'
 
 mariadb_users:
-  - name: '{{ lacre_db_username }}'
-    host: '{{ lacre_db_host }}'
-    password: '{{ lacre_db_password }}'
-    priv: '{{ lacre_db_name }}.*:ALL'
+  - name: '{{ lacre_webgate_db_username }}'
+    host: '{{ lacre_webgate_db_host }}'
+    password: '{{ lacre_webgate_db_password }}'
+    priv: '{{ lacre_webgate_db_name }}.*:ALL'
 

handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: restart gpg-lacre
+  systemd:
+    name: gpg-lacre
+    state: restarted

tasks/git.yml

@@ -7,4 +7,6 @@
     force: yes
     update: yes
     version: "{{ lacre_version }}"
+  become: 'yes'
+  become_user: "{{ lacre_username }}"
 

tasks/main.yml

@@ -1,25 +1,25 @@
 ---
 
-- name: 'Clone / Update repository'
-  include: git.yml
+- name: 'Create user'
+  include: 'user.yml'
   tags: 
     - 'backend'
   when: lacre_backend_deploy == 'true'
 
-- name: 'Create user'
-  include: user.yml
+- name: 'Clone / Update repository'
+  include: 'git.yml'
   tags: 
     - 'backend'
   when: lacre_backend_deploy == 'true'
 
 - name: 'Install Lacre'
-  include: install.yml
+  include: 'install.yml'
   tags:
     - 'backend'
   when: lacre_backend_deploy == 'true'
 
 - name: 'Configure Lacre'
-  include: configure.yml
+  include: 'configure.yml'
   tags:
     - 'config'
     - 'configure'
@@ -27,22 +27,19 @@
   when: lacre_backend_deploy == 'true'
 
 - name: 'Use simple filter'
-  include: simple_filter.yml
+  include: 'simple_filter.yml'
   when: lacre_daemon == 'false'
 
-- name: 'Use advanced daemon'
-  include: daemon.yml
-  when: lacre_daemon == 'true'
-
 - name: 'Deploy Advanced filter'
   include: 'daemon.yml'
   tags:
     - 'backend'
     - 'config'
     - 'daemon'
+  when: lacre_daemon == 'true'
 
 - name: 'Deploy Lacre Webgate'
-  include: webgate.yml
+  include: 'webgate.yml'
   tags:
     - 'webgate'
   when: lacre_webgate_deploy == 'true'

tasks/webgate.yml

@@ -31,7 +31,7 @@
 
 - name: '[Lacre-webgate] - Deploy config'
   template:
-    src: 'lacre-web/config.php.j2'
+    src: 'lacre-webgate/config.php.j2'
     dest: "{{ lacre_webgate_dir }}/public_html/config.php"
     owner: "{{ lacre_webgate_user }}"
     group: "{{ lacre_webgate_group }}"

templates/etc/gpg-mailgate.conf.j2

@@ -8,16 +8,6 @@ add_header = {{ lacre_add_header }}
 # This means gpg-mailgate won't automatically detect PGP recipients for encrypting
 enc_keymap_only = {{ lacre_enc_keymap_only }}
 
-# Whether we should only decrypt emails if they are explicitly defined in
-# the key mappings below ([dec_keymap] section)
-# This means gpg-mailgate won't automatically detect PGP recipients for decrypting
-dec_keymap_only = {{ lacre_dec_keymap_only }}
-
-# If dec_keymap_only is set to yes and recipients have private keys present for decrypting
-# but are not on in the keymap, this can cause that mails for them will be
-# encrypted. Set this to no if you want this behaviour.
-failsave_dec = {{ lacre_failsave_dec }}
-
 # Convert encrypted text/plain email to MIME-attached encrypt style.
 # (Default is to use older inline-style PGP encoding.)
 mime_conversion = {{ lacre_mime_conversion }}
@@ -29,20 +19,6 @@ mime_conversion = {{ lacre_mime_conversion }}
 # recipients all ignore the RFC you could this to yes.
 mail_case_insensitive = {{ lacre_mail_case_insensitive }}
 
-# This setting disables PGP/INLINE decryption completely. However,
-# PGP/MIME encrypted mails will still be decrypted if possible. PGP/INLINE
-# decryption has to be seen as experimental and could have some negative
-# side effects. So if you want to take the risk set this to no.
-no_inline_dec = {{ lacre_no_inline_dec }}
-
-# Here you can define a regex for which the gateway should try to decrypt mails.
-# It could be used to define that decryption should be used for a wider range of
-# mail addresses e.g. a whole domain. No key is needed here. It is even active if 
-# dec_keymap is set to yes. If this feature should be disabled, don't leave it blank.
-# Set it to None. For further regex information please have a look at
-# https://docs.python.org/2/library/re.html
-dec_regex = {{ lacre_dec_regex }}
-
 [gpg]
 # the directory where gpg-mailgate public keys are stored
 # (see INSTALL for details)
@@ -69,7 +45,7 @@ mail_templates = {{ lacre_mail_templates }}
 # path to the logging configuration; see documentation for details:
 # https://docs.python.org/3/library/logging.config.html#logging-config-fileformat
 config = {{ lacre_logfile }}
- 
+{% if lacre_daemon == 'true' %} 
 [daemon]
 # Advanced Content Filter section.
 #
@@ -78,6 +54,16 @@ config = {{ lacre_logfile }}
 host = {{ lacre_daemon_host }}
 port = {{ lacre_daemon_port }}
 
+# Maximum size (in bytes) of message body, i.e. data provided after DATA
+# message.  Following value comes from aiosmtpd module's default for this
+# setting.
+max_data_bytes = {{ lacre_max_data_bytes }}33554432
+
+# Sometimes it may make sense to log additional information from mail headers.
+# This should never be PII, but information like encoding, content types, etc.
+log_headers = {{ lacre_log_headers }}no
+{% endif %}
+
 [relay]
 # the relay settings to use for Postfix
 # gpg-mailgate will submit email to this relay after it is done processing
@@ -102,6 +88,8 @@ port = {{ lacre_smtp_port }}
 starttls = {{ lacre_smtp_starttls }}
 
 [database]
+# edit the settings below if you want to read keys from a
+# gpg-mailgate-web database other than SQLite
 enabled = {{ lacre_webgate_db_enabled }}
 {% if lacre_webgate_db_backend == 'sqlite' %}
 url = sqlite://{{ lacre_webgate_db_name }}

templates/lacre-webgate/config.php.j2

@@ -52,7 +52,7 @@ $config['debug'] = '{{ lacre_webgate_debug }}';
 //
 
 //whether to send mail through SMTP (instead of PHP mail function)
-$config['mail_smtp'] = {{ lacre_mail_smtp }};
+$config['mail_smtp'] = {{ lacre_webgate_mail_smtp }};
 
 //SMTP settings, if mail_smtp is enabled
 //this requires Net_SMTP from http://pear.php.net/package/Net_SMTP/ to be installed