added daemon and general role update

2023-08-11 08:18:46 +02:00 · 2023-08-11 08:18:46 +02:00 · b2582a75c9
parent ce97975936
commit b2582a75c9
9 changed files with 93 additions and 65 deletions
--- a/README.MD
+++ b/README.MD
@ -1,8 +1,24 @@
 # GPG - Lacre
-This is a role that deploys GPG-Lacre with all needed dependencies and web frontends. 
+This is a role that deploys GPG-Lacre with all needed dependencies. Additionally takes care of installing a simply key upload web frontend. 
 For set of defaults variables check `defaults/main.yml` file. This role assumes that:
 - You are running Debian based OS
 - You run postfix

-**Warning**
-Due to heavy development of lacre this role may be broken at times. Lacre is currently not recommended for production use. Please use for testing only.
+### Lacre daemon or simple filter
+Postfix offers two types of filters. Simple and advanced content filters. Depending on your use case you can choose between two. Set `lacre_daemon` to `false` for simple filter and `true` for advanced filter (aka daemon). Additionally refer to variable defaults for extra settings needed for either option. Also check [postfix documentation](http://www.postfix.org/FILTER_README.html#simple_filter) for more details on both filter features.  
+### Lacre Webgate
+Lacre-webgate is a simple interface for uploading keys. You can decide whether to install it by setting variable `lacre_webgate_deploy`. Default is set to `true`. This frontend depends on php and an sql database. The role defaults to `mariadb`. For Mariadb following variables need to be set. Check following example:
+
+```
+lacre_webgate_db_enabled: 'yes'
+lacre_webgate_db_backend: 'mysql'
+lacre_webgate_db_name: 'gpgmw'
+lacre_webgate_db_host: 'localhost'
+lacre_webgate_db_username: 'user'
+lacre_webgate_db_password: 'password'
+```
+The Lacre-webgate can be installed on remote host. You must make sure that mariadb is reachable from host running postfix+gpg-lacre as gpg-lacre needs to be able to pull uploaded keys. You can use this role to install Lacre-webgate on remote host by specifying `tag=webgate`. Make sure to set `lacre_webgate_deploy` to `false` on the `gpg-lacre/postfix` host.
+
+### Dependency variables
+Lacre depends on additional software such as postfix, php-fpm, mariadb, nginx. This software isn't covered by the role and you need to make sure to install and configure them according to your needs. You can use [disroot roles](https://git.disroot.org/org/Disroot-Ansible/dashboard) or any other roles or just set them up manually. Included defaults work with disroot ansible roles. 
+
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,4 +1,6 @@
 ---
+
+# Main vars
 lacre_pything_version: '3.9'
 lacre_repo: 'https://git.disroot.org/Disroot/gpg-lacre.git'
 lacre_version: 'main'
@ -8,17 +10,18 @@ lacre_group: 'lacre'
 lacre_homedir: '/var/lib/gpg-lacre'
 lacre_backend_deploy: 'true'
 lacre_webgate_deploy: 'true'
-#lacre_
 lacre_apt:
  - 'python3-m2crypto'
  - 'git'
  - 'gnupg'
+  - 'sudo'
 lacre_daemon: 'false'
 lacre_set_content_filter: 'true'
 lacre_content_filter: 'gpg-mailgate'
 lacre_postfix_simplefilter: 'true'
 lacre_postfix_daemon: 'false'
-#config file
+
+# Lacre config file
 lacre_config_file: '/etc/gpg-mailgate.conf'
 lacre_add_header: 'yes'
 lacre_enc_keymap_only: 'no'
@ -36,22 +39,28 @@ lacre_webpanel_url: 'http://example.org'
 lacre_notification_email: 'gpg-mailgate@example.org'
 lacre_mail_templates: '{{ lacre_app_dir }}/cron_templates'
 lacre_logfile: '/etc/gpg-lacre-logging.conf'
-lacre_daemon_host: '127.0.0.1'
-lacre_daemon_port: '10025'
+lacre_max_data_bytes: '33554432'
+lacre_log_headers: 'no'
 lacre_relay: '127.0.0.1'
 lacre_port: '10028'
 lacre_enc_port: '25'
 lacre_starttls: 'no'
+
+## Lacre database
 lacre_webgate_db_enabled: 'yes'
 lacre_webgate_db_backend: 'mysql'
 lacre_webgate_db_name: 'gpgmw'
 lacre_webgate_db_host: 'localhost'
-lacre_webgatedb_username: 'user'
-lacre_webgatedb_password: 'password'   
+lacre_webgate_db_username: 'user'
+lacre_webgate_db_password: 'password'   
+
+## Lacre daemon
+lacre_daemon_host: '127.0.0.1'
+lacre_daemon_port: '10025'
 lacre_systemd_execstart: 'python -m lacre.daemon'
 lacre_systemd_restartsec: '3'

-#lacre logger
+# Lacre logger
 lacre_log_loggers_keys: 'root'
 lacre_log_logger_level: 'NOTSET'
 lacre_logger_handlers: 'syslog'
@ -67,9 +76,11 @@ lacre_log_postfix_format: '%(asctime)s %(module)s[%(process)d]: %(message)s'
 lacre_log_postfix_datefmt: '%b %e %H:%M:%S'
 lacre_log_postfix_style: '%'
 lacre_log_postfix_validate: 'True'
-#lacre webgate
+
+# Lacre webgate
+lacre_smtp_enabled: 'false'
 lacre_smtp_username: 'no-reply'          
-lacre_smtp_password: 'chanfeme'
+lacre_smtp_password: 'changeme'
 lacre_smtp_host: 'example.lan'                       
 lacre_smtp_port: '587'                            
 lacre_smtp_starttls: 'true' 
@ -80,7 +91,7 @@ lacre_webgate_apt:
  - 'python3-mysqldb'
 lacre_webgate_repo: 'https://git.disroot.org/Lacre/lacre-webgate.git'
 lacre_webgate_version: 'main'
-lacre_webgate_dir: '/var/www/lacre-web'
+lacre_webgate_dir: '/var/www/lacre-webgate'
 lacre_webgate_user: 'www-data'
 lacre_webgate_group: 'www-data'
 lacre_webgate_email_web: 'admin@example.com'
@ -90,7 +101,7 @@ lacre_webgate_site_url: 'http://example.com/gpgmw'
 lacre_webgate_site_title: 'PGP key management'
 lacre_webgate_language: 'english'
 lacre_webgate_debug: 'enable'
-lacre_mail_smtp: 'false'
+lacre_webgate_mail_smtp: 'false'
 lacre_webgate_smtp_host: 'localhost'
 lacre_webgate_smtp_port: '25'
 lacre_webgate_smtp_username: 'gpgmw'
@ -104,15 +115,20 @@ lacre_webgate_lock_cooldown: '900'
 lacre_webgate_lock_reset: '300'
 lacre_webgate_locktime_max: '3600'

-#mailserver vars
+# Lacre dependency variables. Not covered by the role itself and when used with dependent disroot roles (nginx, php-fpm, mariadb, mailserver)
+
+# Mailserver vars (when used with disroot mailserver role)
 postfix_header_checks: 'false'
 postfix_body_checks: 'false'
 postfix_rbl_whitelist: 'false'
 postfix_postgrey_deploy: 'false'

-#php
+# php & nginx (when used with disroot php-fpm and nginx role)
 install_php: 'true'
-php_version: '7.4'
+php_version: '8.0'
+php_etc_path: '/etc/php'
+install_php: 'true'
+pool_listen: '/var/run/php/php{{ php_version }}-fpm.sock'
 php_pkgs:
  - 'php{{ php_version }}-fpm'
  - 'php{{ php_version }}-mysql'
@ -121,7 +137,7 @@ nginx_vhosts:
     template: 'basephp'
     proto: 'http'
     listen: '80'
-     root: 'gpg-mailgate-web/public_html'
+     root: 'lacre-webgate/public_html'
     index: 'index.php'
     use_access_log: 'true'
     use_error_log: 'true'
@ -131,14 +147,17 @@ nginx_vhosts:
       - 'fastcgi_index index.php;'
       - 'include /etc/nginx/fastcgi_params;'
       - 'fastcgi_pass unix:{{ pool_listen }};'
+     custom_locations:
+       - name: '/config\.*'
+         options:
+           - 'deny all;'
     state: 'enable'
     letsencrypt: 'false'

 nginx_default_vhost_ssl: 'example.org'
 nginx_default_vhost: 'example.org'

-#mariadb
-# MARIADB CONFIG
+# Mariadb (when using disroot mariadb role)
 mariadb_root_password: 'changeme'
 mariadb_default_config:
  - name: 'client'
@ -164,7 +183,7 @@ mariadb_default_config:
      - character-set-server = utf8mb4
      - collation-server = utf8mb4_unicode_ci
      - skip_external_locking = True
-      - bind_address = {{ lacre_db_host }}
+      - bind_address = {{ lacre_webgate_db_host }}
      - key_buffer = 16M
      - max_allowed_packet = 16M
      - thread_stack = 192K
@ -217,13 +236,13 @@ mariadb_default_config:
      - key_buffer = 16M

 mariadb_databases:
-  - name: '{{ lacre_db_name }}'
+  - name: '{{ lacre_webgate_db_name }}'
    collation: 'utf8mb4_unicode_ci'
    encoding: 'utf8mb4'

 mariadb_users:
-  - name: '{{ lacre_db_username }}'
-    host: '{{ lacre_db_host }}'
-    password: '{{ lacre_db_password }}'
-    priv: '{{ lacre_db_name }}.*:ALL'
+  - name: '{{ lacre_webgate_db_username }}'
+    host: '{{ lacre_webgate_db_host }}'
+    password: '{{ lacre_webgate_db_password }}'
+    priv: '{{ lacre_webgate_db_name }}.*:ALL'

--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,6 @@
+---
+
+- name: restart gpg-lacre
+  systemd:
+    name: gpg-lacre
+    state: restarted
--- a/tasks/daemon
+++ b/tasks/daemon
--- a/tasks/git.yml
+++ b/tasks/git.yml
@ -7,4 +7,6 @@
    force: yes
    update: yes
    version: "{{ lacre_version }}"
+  become: 'yes'
+  become_user: "{{ lacre_username }}"

--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,25 +1,25 @@
 ---

- name: 'Clone / Update repository'
-  include: git.yml
+- name: 'Create user'
+  include: 'user.yml'
  tags: 
    - 'backend'
  when: lacre_backend_deploy == 'true'

- name: 'Create user'
-  include: user.yml
+- name: 'Clone / Update repository'
+  include: 'git.yml'
  tags: 
    - 'backend'
  when: lacre_backend_deploy == 'true'

 - name: 'Install Lacre'
-  include: install.yml
+  include: 'install.yml'
  tags:
    - 'backend'
  when: lacre_backend_deploy == 'true'

 - name: 'Configure Lacre'
-  include: configure.yml
+  include: 'configure.yml'
  tags:
    - 'config'
    - 'configure'
@ -27,22 +27,19 @@
  when: lacre_backend_deploy == 'true'

 - name: 'Use simple filter'
-  include: simple_filter.yml
+  include: 'simple_filter.yml'
  when: lacre_daemon == 'false'

- name: 'Use advanced daemon'
-  include: daemon.yml
-  when: lacre_daemon == 'true'
-
 - name: 'Deploy Advanced filter'
  include: 'daemon.yml'
  tags:
    - 'backend'
    - 'config'
    - 'daemon'
+  when: lacre_daemon == 'true'

 - name: 'Deploy Lacre Webgate'
-  include: webgate.yml
+  include: 'webgate.yml'
  tags:
    - 'webgate'
  when: lacre_webgate_deploy == 'true'
--- a/tasks/webgate.yml
+++ b/tasks/webgate.yml
@ -31,7 +31,7 @@

 - name: '[Lacre-webgate] - Deploy config'
  template:
-    src: 'lacre-web/config.php.j2'
+    src: 'lacre-webgate/config.php.j2'
    dest: "{{ lacre_webgate_dir }}/public_html/config.php"
    owner: "{{ lacre_webgate_user }}"
    group: "{{ lacre_webgate_group }}"
--- a/templates/etc/gpg-mailgate.conf.j2
+++ b/templates/etc/gpg-mailgate.conf.j2
@ -8,16 +8,6 @@ add_header = {{ lacre_add_header }}
 # This means gpg-mailgate won't automatically detect PGP recipients for encrypting
 enc_keymap_only = {{ lacre_enc_keymap_only }}

-# Whether we should only decrypt emails if they are explicitly defined in
-# the key mappings below ([dec_keymap] section)
-# This means gpg-mailgate won't automatically detect PGP recipients for decrypting
-dec_keymap_only = {{ lacre_dec_keymap_only }}
-
-# If dec_keymap_only is set to yes and recipients have private keys present for decrypting
-# but are not on in the keymap, this can cause that mails for them will be
-# encrypted. Set this to no if you want this behaviour.
-failsave_dec = {{ lacre_failsave_dec }}
-
 # Convert encrypted text/plain email to MIME-attached encrypt style.
 # (Default is to use older inline-style PGP encoding.)
 mime_conversion = {{ lacre_mime_conversion }}
@ -29,20 +19,6 @@ mime_conversion = {{ lacre_mime_conversion }}
 # recipients all ignore the RFC you could this to yes.
 mail_case_insensitive = {{ lacre_mail_case_insensitive }}

-# This setting disables PGP/INLINE decryption completely. However,
-# PGP/MIME encrypted mails will still be decrypted if possible. PGP/INLINE
-# decryption has to be seen as experimental and could have some negative
-# side effects. So if you want to take the risk set this to no.
-no_inline_dec = {{ lacre_no_inline_dec }}
-
-# Here you can define a regex for which the gateway should try to decrypt mails.
-# It could be used to define that decryption should be used for a wider range of
-# mail addresses e.g. a whole domain. No key is needed here. It is even active if 
-# dec_keymap is set to yes. If this feature should be disabled, don't leave it blank.
-# Set it to None. For further regex information please have a look at
-# https://docs.python.org/2/library/re.html
-dec_regex = {{ lacre_dec_regex }}
-
 [gpg]
 # the directory where gpg-mailgate public keys are stored
 # (see INSTALL for details)
@ -69,7 +45,7 @@ mail_templates = {{ lacre_mail_templates }}
 # path to the logging configuration; see documentation for details:
 # https://docs.python.org/3/library/logging.config.html#logging-config-fileformat
 config = {{ lacre_logfile }}
- 
+{% if lacre_daemon == 'true' %} 
 [daemon]
 # Advanced Content Filter section.
 #
@ -78,6 +54,16 @@ config = {{ lacre_logfile }}
 host = {{ lacre_daemon_host }}
 port = {{ lacre_daemon_port }}

+# Maximum size (in bytes) of message body, i.e. data provided after DATA
+# message.  Following value comes from aiosmtpd module's default for this
+# setting.
+max_data_bytes = {{ lacre_max_data_bytes }}33554432
+
+# Sometimes it may make sense to log additional information from mail headers.
+# This should never be PII, but information like encoding, content types, etc.
+log_headers = {{ lacre_log_headers }}no
+{% endif %}
+
 [relay]
 # the relay settings to use for Postfix
 # gpg-mailgate will submit email to this relay after it is done processing
@ -102,6 +88,8 @@ port = {{ lacre_smtp_port }}
 starttls = {{ lacre_smtp_starttls }}

 [database]
+# edit the settings below if you want to read keys from a
+# gpg-mailgate-web database other than SQLite
 enabled = {{ lacre_webgate_db_enabled }}
 {% if lacre_webgate_db_backend == 'sqlite' %}
 url = sqlite://{{ lacre_webgate_db_name }}
--- a/templates/lacre-webgate/config.php.j2
+++ b/templates/lacre-webgate/config.php.j2
@ -52,7 +52,7 @@ $config['debug'] = '{{ lacre_webgate_debug }}';
 //

 //whether to send mail through SMTP (instead of PHP mail function)
-$config['mail_smtp'] = {{ lacre_mail_smtp }};
+$config['mail_smtp'] = {{ lacre_webgate_mail_smtp }};

 //SMTP settings, if mail_smtp is enabled
 //this requires Net_SMTP from http://pear.php.net/package/Net_SMTP/ to be installed