From b2582a75c9b9032abecc96e25e8f1fd65b551cde Mon Sep 17 00:00:00 2001 From: muppeth Date: Fri, 11 Aug 2023 08:18:46 +0200 Subject: [PATCH] added daemon and general role update --- README.MD | 22 ++++++- defaults/main.yml | 65 ++++++++++++------- handlers/main.yml | 6 ++ tasks/daemon | 0 tasks/git.yml | 2 + tasks/main.yml | 21 +++--- tasks/webgate.yml | 2 +- templates/etc/gpg-mailgate.conf.j2 | 38 ++++------- .../config.php.j2 | 2 +- 9 files changed, 93 insertions(+), 65 deletions(-) create mode 100644 handlers/main.yml delete mode 100644 tasks/daemon rename templates/{lacre-web => lacre-webgate}/config.php.j2 (98%) diff --git a/README.MD b/README.MD index d968617..8f28af3 100644 --- a/README.MD +++ b/README.MD 
@@ -1,8 +1,24 @@ # GPG - Lacre -This is a role that deploys GPG-Lacre with all needed dependencies and web frontends. +This is a role that deploys GPG-Lacre with all needed dependencies. Additionally takes care of installing a simply key upload web frontend. For set of defaults variables check `defaults/main.yml` file. This role assumes that: - You are running Debian based OS - You run postfix -**Warning** -Due to heavy development of lacre this role may be broken at times. Lacre is currently not recommended for production use. Please use for testing only. +### Lacre daemon or simple filter +Postfix offers two types of filters. Simple and advanced content filters. Depending on your use case you can choose between two. Set `lacre_daemon` to `false` for simple filter and `true` for advanced filter (aka daemon). Additionally refer to variable defaults for extra settings needed for either option. Also check [postfix documentation](http://www.postfix.org/FILTER_README.html#simple_filter) for more details on both filter features. +### Lacre Webgate +Lacre-webgate is a simple interface for uploading keys. You can decide whether to install it by setting variable `lacre_webgate_deploy`. Default is set to `true`. This frontend depends on php and an sql database. The role defaults to `mariadb`. For Mariadb following variables need to be set. Check following example: + +``` +lacre_webgate_db_enabled: 'yes' +lacre_webgate_db_backend: 'mysql' +lacre_webgate_db_name: 'gpgmw' +lacre_webgate_db_host: 'localhost' +lacre_webgate_db_username: 'user' +lacre_webgate_db_password: 'password' +``` +The Lacre-webgate can be installed on remote host. You must make sure that mariadb is reachable from host running postfix+gpg-lacre as gpg-lacre needs to be able to pull uploaded keys. You can use this role to install Lacre-webgate on remote host by specifying `tag=webgate`. Make sure to set `lacre_webgate_deploy` to `false` on the `gpg-lacre/postfix` host. 
+ +### Dependency variables +Lacre depends on additional software such as postfix, php-fpm, mariadb, nginx. This software isn't covered by the role and you need to make sure to install and configure them according to your needs. You can use [disroot roles](https://git.disroot.org/org/Disroot-Ansible/dashboard) or any other roles or just set them up manually. Included defaults work with disroot ansible roles. + diff --git a/defaults/main.yml b/defaults/main.yml index 3839d7e..e9a17bc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,6 @@ --- + +# Main vars lacre_pything_version: '3.9' lacre_repo: 'https://git.disroot.org/Disroot/gpg-lacre.git' lacre_version: 'main' @@ -8,17 +10,18 @@ lacre_group: 'lacre' lacre_homedir: '/var/lib/gpg-lacre' lacre_backend_deploy: 'true' lacre_webgate_deploy: 'true' -#lacre_ lacre_apt: - 'python3-m2crypto' - 'git' - 'gnupg' + - 'sudo' lacre_daemon: 'false' lacre_set_content_filter: 'true' lacre_content_filter: 'gpg-mailgate' lacre_postfix_simplefilter: 'true' lacre_postfix_daemon: 'false' -#config file + +# Lacre config file lacre_config_file: '/etc/gpg-mailgate.conf' lacre_add_header: 'yes' lacre_enc_keymap_only: 'no' 
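Review bot: The new `- 'sudo'` entry in `lacre_apt` carries no comment saying why a mail-filter role now installs a privilege-escalation tool; from the rest of this patch the only visible reason is the `become_user` added in `tasks/git.yml`, which needs a become method on the target. Add that reason next to the entry, e.g. `- 'sudo' # become method for tasks run as lacre_username (git.yml)`, so the next maintainer does not remove it or assume it is a leftover. Note this list is presumably installed by `install.yml`, which runs after the task that needs sudo; see the comment on `tasks/git.yml`.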
@@ -36,22 +39,28 @@ lacre_webpanel_url: 'http://example.org' lacre_notification_email: 'gpg-mailgate@example.org' lacre_mail_templates: '{{ lacre_app_dir }}/cron_templates' lacre_logfile: '/etc/gpg-lacre-logging.conf' -lacre_daemon_host: '127.0.0.1' -lacre_daemon_port: '10025' +lacre_max_data_bytes: '33554432' +lacre_log_headers: 'no' lacre_relay: '127.0.0.1' lacre_port: '10028' lacre_enc_port: '25' lacre_starttls: 'no' + +## Lacre database lacre_webgate_db_enabled: 'yes' lacre_webgate_db_backend: 'mysql' lacre_webgate_db_name: 'gpgmw' lacre_webgate_db_host: 'localhost' -lacre_webgatedb_username: 'user' -lacre_webgatedb_password: 'password' +lacre_webgate_db_username: 'user' +lacre_webgate_db_password: 'password' + +## Lacre daemon +lacre_daemon_host: '127.0.0.1' +lacre_daemon_port: '10025' lacre_systemd_execstart: 'python -m lacre.daemon' lacre_systemd_restartsec: '3' -#lacre logger +# Lacre logger lacre_log_loggers_keys: 'root' lacre_log_logger_level: 'NOTSET' lacre_logger_handlers: 'syslog' @@ -67,9 +76,11 @@ lacre_log_postfix_format: '%(asctime)s %(module)s[%(process)d]: %(message)s' lacre_log_postfix_datefmt: '%b %e %H:%M:%S' lacre_log_postfix_style: '%' lacre_log_postfix_validate: 'True' -#lacre webgate + +# Lacre webgate +lacre_smtp_enabled: 'false' lacre_smtp_username: 'no-reply' -lacre_smtp_password: 'chanfeme' +lacre_smtp_password: 'changeme' lacre_smtp_host: 'example.lan' lacre_smtp_port: '587' lacre_smtp_starttls: 'true' @@ -80,7 +91,7 @@ lacre_webgate_apt: - 'python3-mysqldb' lacre_webgate_repo: 'https://git.disroot.org/Lacre/lacre-webgate.git' lacre_webgate_version: 'main' -lacre_webgate_dir: '/var/www/lacre-web' +lacre_webgate_dir: '/var/www/lacre-webgate' lacre_webgate_user: 'www-data' lacre_webgate_group: 'www-data' lacre_webgate_email_web: 'admin@example.com' 
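Review bot: `lacre_webgate_db_password: 'password'` (with `lacre_webgate_db_username: 'user'`) is shipped as a working default that the `mariadb_users` entry later in this same file consumes verbatim, so a deployment that forgets to override it really creates a key-store DB user with password `password` and `ALL` privileges on the `gpgmw` database. Role defaults should not contain a usable secret: leave the password undefined (for Ansible >= 2.12, `lacre_webgate_db_password: "{{ undef(hint='set lacre_webgate_db_password in vault') }}"`) or add an `assert` task before the database/webgate tasks that it differs from the placeholder. The same pattern applies to `mariadb_root_password: 'changeme'` and `lacre_smtp_password: 'changeme'` elsewhere in this file.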
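Review bot: `lacre_smtp_enabled: 'false'` is introduced under `# Lacre webgate` but nothing in this diff consumes it; the `[smtp]` section of `gpg-mailgate.conf.j2` lies outside the shown hunks, so if it has no `enabled = {{ lacre_smtp_enabled }}` line the variable is dead and users setting it will believe SMTP submission is off when it is not. Either wire it into the template or drop it, and move it out of the webgate group since the `lacre_smtp_*` values feed the backend config, not the PHP frontend (which has its own `lacre_webgate_smtp_*`).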
@@ -90,7 +101,7 @@ lacre_webgate_site_url: 'http://example.com/gpgmw' lacre_webgate_site_title: 'PGP key management' lacre_webgate_language: 'english' lacre_webgate_debug: 'enable' -lacre_mail_smtp: 'false' +lacre_webgate_mail_smtp: 'false' lacre_webgate_smtp_host: 'localhost' lacre_webgate_smtp_port: '25' lacre_webgate_smtp_username: 'gpgmw' @@ -104,15 +115,20 @@ lacre_webgate_lock_cooldown: '900' lacre_webgate_lock_reset: '300' lacre_webgate_locktime_max: '3600' -#mailserver vars +# Lacre dependency variables. Not covered by the role itself and when used with dependent disroot roles (nginx, php-fpm, mariadb, mailserver) + +# Mailserver vars (when used with disroot mailserver role) postfix_header_checks: 'false' postfix_body_checks: 'false' postfix_rbl_whitelist: 'false' postfix_postgrey_deploy: 'false' -#php +# php & nginx (when used with disroot php-fpm and nginx role) install_php: 'true' -php_version: '7.4' +php_version: '8.0' +php_etc_path: '/etc/php' +install_php: 'true' +pool_listen: '/var/run/php/php{{ php_version }}-fpm.sock' php_pkgs: - 'php{{ php_version }}-fpm' - 'php{{ php_version }}-mysql' @@ -121,7 +137,7 @@ nginx_vhosts: template: 'basephp' proto: 'http' listen: '80' - root: 'gpg-mailgate-web/public_html' + root: 'lacre-webgate/public_html' index: 'index.php' use_access_log: 'true' use_error_log: 'true' @@ -131,14 +147,17 @@ nginx_vhosts: - 'fastcgi_index index.php;' - 'include /etc/nginx/fastcgi_params;' - 'fastcgi_pass unix:{{ pool_listen }};' + custom_locations: + - name: '/config\.*' + options: + - 'deny all;' state: 'enable' letsencrypt: 'false' nginx_default_vhost_ssl: 'example.org' nginx_default_vhost: 'example.org' -#mariadb -# MARIADB CONFIG +# Mariadb (when using disroot mariadb role) mariadb_root_password: 'changeme' mariadb_default_config: - name: 'client' 
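Review bot: `install_php: 'true'` now appears twice in the `php & nginx` block — the existing line right after the comment and the added one after `php_etc_path` — which is a duplicate YAML mapping key. Ansible warns on duplicate dict keys and keeps the last value, and fails outright under `DUPLICATE_YAML_DICT_KEY=error`, so drop the added `install_php: 'true'` line. `pool_listen` hard-codes the Debian socket path `/var/run/php/php{{ php_version }}-fpm.sock`; if the disroot php-fpm role computes the same value, a comment saying which side is authoritative would avoid the two drifting apart.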
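Review bot: The new `custom_locations` entry `name: '/config\.*'` only shields `config.php` if the nginx vhost template emits it as a regex location (`location ~ ...`); as a plain prefix location the backslash is a literal character and the block never matches, leaving `config.php` and any `config.php.bak`/`config.php~` copies (which nginx would serve as plain text) reachable. Even as a regex, nginx picks the first matching regex location in file order, so if the template renders the `\.php$` fastcgi location before `custom_locations`, `config.php` still goes to PHP-FPM rather than being denied. I cannot see the template from this diff; verify the rendered vhost after a run, and if `name` is passed through verbatim prefer an explicit regex such as `name: '~ ^/config\.php'`.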
@@ -164,7 +183,7 @@ mariadb_default_config: - character-set-server = utf8mb4 - collation-server = utf8mb4_unicode_ci - skip_external_locking = True - - bind_address = {{ lacre_db_host }} + - bind_address = {{ lacre_webgate_db_host }} - key_buffer = 16M - max_allowed_packet = 16M - thread_stack = 192K @@ -217,13 +236,13 @@ mariadb_default_config: - key_buffer = 16M mariadb_databases: - - name: '{{ lacre_db_name }}' + - name: '{{ lacre_webgate_db_name }}' collation: 'utf8mb4_unicode_ci' encoding: 'utf8mb4' mariadb_users: - - name: '{{ lacre_db_username }}' - host: '{{ lacre_db_host }}' - password: '{{ lacre_db_password }}' - priv: '{{ lacre_db_name }}.*:ALL' + - name: '{{ lacre_webgate_db_username }}' + host: '{{ lacre_webgate_db_host }}' + password: '{{ lacre_webgate_db_password }}' + priv: '{{ lacre_webgate_db_name }}.*:ALL' diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..5f8860b --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: restart gpg-lacre + systemd: + name: gpg-lacre + state: restarted diff --git a/tasks/daemon b/tasks/daemon deleted file mode 100644 index e69de29..0000000 diff --git a/tasks/git.yml b/tasks/git.yml index 42bcfc7..e7972c7 100644 --- a/tasks/git.yml +++ b/tasks/git.yml @@ -7,4 +7,6 @@ force: yes update: yes version: "{{ lacre_version }}" + become: 'yes' + become_user: "{{ lacre_username }}" diff --git a/tasks/main.yml b/tasks/main.yml index 4f81565..fc2cd51 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
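Review bot: The new `restart gpg-lacre` handler presumes a `gpg-lacre` systemd unit, but the daemon (and presumably its unit) is only deployed when `lacre_daemon == 'true'`; if `configure.yml`, which runs in both modes, notifies this handler, a simple-filter host fails at the end of the play with a missing service. Guard it with `when: lacre_daemon == 'true'` (handlers accept `when`), or notify it only from `daemon.yml`. Which tasks notify it is not visible in this diff.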
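Review bot: `become_user: "{{ lacre_username }}"` on the git task requires a become method (sudo by default) on the target, but `sudo` is only added to `lacre_apt`, which is presumably installed by `install.yml` — and the reordered `tasks/main.yml` now runs `git.yml` before `install.yml`, so a first run on a minimal Debian image without sudo fails on the clone. Install sudo in `user.yml`, run this task after `install.yml`, or avoid become here by cloning as root and handing `{{ lacre_app_dir }}` to the lacre user with a `file` task. Unrelated to this change but worth noting: with `force: yes` and `version: main` every run pulls the unverified branch head, so pinning a tag or commit in `lacre_version` would make deployments reproducible.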
@@ -1,25 +1,25 @@ --- -- name: 'Clone / Update repository' - include: git.yml +- name: 'Create user' + include: 'user.yml' tags: - 'backend' when: lacre_backend_deploy == 'true' -- name: 'Create user' - include: user.yml +- name: 'Clone / Update repository' + include: 'git.yml' tags: - 'backend' when: lacre_backend_deploy == 'true' - name: 'Install Lacre' - include: install.yml + include: 'install.yml' tags: - 'backend' when: lacre_backend_deploy == 'true' - name: 'Configure Lacre' - include: configure.yml + include: 'configure.yml' tags: - 'config' - 'configure' @@ -27,22 +27,19 @@ when: lacre_backend_deploy == 'true' - name: 'Use simple filter' - include: simple_filter.yml + include: 'simple_filter.yml' when: lacre_daemon == 'false' -- name: 'Use advanced daemon' - include: daemon.yml - when: lacre_daemon == 'true' - - name: 'Deploy Advanced filter' include: 'daemon.yml' tags: - 'backend' - 'config' - 'daemon' + when: lacre_daemon == 'true' - name: 'Deploy Lacre Webgate' - include: webgate.yml + include: 'webgate.yml' tags: - 'webgate' when: lacre_webgate_deploy == 'true' diff --git a/tasks/webgate.yml b/tasks/webgate.yml index 1d32105..6be11f2 100644 --- a/tasks/webgate.yml +++ b/tasks/webgate.yml @@ -31,7 +31,7 @@ - name: '[Lacre-webgate] - Deploy config' template: - src: 'lacre-web/config.php.j2' + src: 'lacre-webgate/config.php.j2' dest: "{{ lacre_webgate_dir }}/public_html/config.php" owner: "{{ lacre_webgate_user }}" group: "{{ lacre_webgate_group }}" diff --git a/templates/etc/gpg-mailgate.conf.j2 b/templates/etc/gpg-mailgate.conf.j2 index 66abed0..cdcd918 100644 --- a/templates/etc/gpg-mailgate.conf.j2 +++ b/templates/etc/gpg-mailgate.conf.j2 
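Review bot: The `when: lacre_daemon == 'true'` added to 'Deploy Advanced filter' (paired with the existing `== 'false'` on 'Use simple filter') compares against string literals, so a user who writes `lacre_daemon: true` as a YAML boolean matches neither branch and no Postfix filter is configured at all, silently. Use `when: lacre_daemon | bool` and `when: not (lacre_daemon | bool)` instead. Neither filter include is gated on `lacre_backend_deploy` like the backend tasks above it, so a webgate-only host (`lacre_backend_deploy: 'false'`, `lacre_daemon` at its default) still includes `simple_filter.yml`, which presumably edits Postfix configuration that is not present there; add the backend condition to both includes.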
@@ -8,16 +8,6 @@ add_header = {{ lacre_add_header }} # This means gpg-mailgate won't automatically detect PGP recipients for encrypting enc_keymap_only = {{ lacre_enc_keymap_only }} -# Whether we should only decrypt emails if they are explicitly defined in -# the key mappings below ([dec_keymap] section) -# This means gpg-mailgate won't automatically detect PGP recipients for decrypting -dec_keymap_only = {{ lacre_dec_keymap_only }} - -# If dec_keymap_only is set to yes and recipients have private keys present for decrypting -# but are not on in the keymap, this can cause that mails for them will be -# encrypted. Set this to no if you want this behaviour. -failsave_dec = {{ lacre_failsave_dec }} - # Convert encrypted text/plain email to MIME-attached encrypt style. # (Default is to use older inline-style PGP encoding.) mime_conversion = {{ lacre_mime_conversion }} @@ -29,20 +19,6 @@ mime_conversion = {{ lacre_mime_conversion }} # recipients all ignore the RFC you could this to yes. mail_case_insensitive = {{ lacre_mail_case_insensitive }} -# This setting disables PGP/INLINE decryption completely. However, -# PGP/MIME encrypted mails will still be decrypted if possible. PGP/INLINE -# decryption has to be seen as experimental and could have some negative -# side effects. So if you want to take the risk set this to no. -no_inline_dec = {{ lacre_no_inline_dec }} - -# Here you can define a regex for which the gateway should try to decrypt mails. -# It could be used to define that decryption should be used for a wider range of -# mail addresses e.g. a whole domain. No key is needed here. It is even active if -# dec_keymap is set to yes. If this feature should be disabled, don't leave it blank. -# Set it to None. For further regex information please have a look at -# https://docs.python.org/2/library/re.html -dec_regex = {{ lacre_dec_regex }} - [gpg] # the directory where gpg-mailgate public keys are stored # (see INSTALL for details) 
@@ -69,7 +45,7 @@ mail_templates = {{ lacre_mail_templates }} # path to the logging configuration; see documentation for details: # https://docs.python.org/3/library/logging.config.html#logging-config-fileformat config = {{ lacre_logfile }} - +{% if lacre_daemon == 'true' %} [daemon] # Advanced Content Filter section. # @@ -78,6 +54,16 @@ config = {{ lacre_logfile }} host = {{ lacre_daemon_host }} port = {{ lacre_daemon_port }} +# Maximum size (in bytes) of message body, i.e. data provided after DATA +# message. Following value comes from aiosmtpd module's default for this +# setting. +max_data_bytes = {{ lacre_max_data_bytes }}33554432 + +# Sometimes it may make sense to log additional information from mail headers. +# This should never be PII, but information like encoding, content types, etc. +log_headers = {{ lacre_log_headers }}no +{% endif %} + [relay] # the relay settings to use for Postfix # gpg-mailgate will submit email to this relay after it is done processing @@ -102,6 +88,8 @@ port = {{ lacre_smtp_port }} starttls = {{ lacre_smtp_starttls }} [database] +# edit the settings below if you want to read keys from a +# gpg-mailgate-web database other than SQLite enabled = {{ lacre_webgate_db_enabled }} {% if lacre_webgate_db_backend == 'sqlite' %} url = sqlite://{{ lacre_webgate_db_name }} diff --git a/templates/lacre-web/config.php.j2 b/templates/lacre-webgate/config.php.j2 similarity index 98% rename from templates/lacre-web/config.php.j2 rename to templates/lacre-webgate/config.php.j2 index e06180c..c16efc3 100644 --- a/templates/lacre-web/config.php.j2 +++ b/templates/lacre-webgate/config.php.j2 @@ -52,7 +52,7 @@ $config['debug'] = '{{ lacre_webgate_debug }}'; // //whether to send mail through SMTP (instead of PHP mail function) -$config['mail_smtp'] = {{ lacre_mail_smtp }}; +$config['mail_smtp'] = {{ lacre_webgate_mail_smtp }}; //SMTP settings, if mail_smtp is enabled //this requires Net_SMTP from http://pear.php.net/package/Net_SMTP/ to be installed
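Review bot: The two new `[daemon]` lines keep the literal default glued to the Jinja expression — `max_data_bytes = {{ lacre_max_data_bytes }}33554432` renders as `3355443233554432` and `log_headers = {{ lacre_log_headers }}no` renders as `nono`. The first silently turns the documented 32 MiB DATA cap into roughly 3 PB, removing the message-size limit that protects the daemon from memory exhaustion; the second is a value the config reader will either reject or not treat as `no`, depending on how it parses booleans. Change them to `max_data_bytes = {{ lacre_max_data_bytes }}` and `log_headers = {{ lacre_log_headers }}`. The `{% if lacre_daemon == 'true' %}` opened in the previous hunk closes here, so the section is correctly omitted in simple-filter mode, but it shares the string-literal comparison issue of the task conditions (`lacre_daemon: true` as a YAML boolean drops the section).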