diff --git a/README.MD b/README.MD
index d968617..8f28af3 100644
--- a/README.MD
+++ b/README.MD
@@ -1,8 +1,24 @@ # GPG - Lacre -This is a role that deploys GPG-Lacre with all needed dependencies and web frontends. +This is a role that deploys GPG-Lacre with all needed dependencies. Additionally takes care of installing a simply key upload web frontend. For set of defaults variables check `defaults/main.yml` file. This role assumes that: - You are running Debian based OS - You run postfix -**Warning** -Due to heavy development of lacre this role may be broken at times. Lacre is currently not recommended for production use. Please use for testing only. +### Lacre daemon or simple filter +Postfix offers two types of filters. Simple and advanced content filters. Depending on your use case you can choose between two. Set `lacre_daemon` to `false` for simple filter and `true` for advanced filter (aka daemon). Additionally refer to variable defaults for extra settings needed for either option. Also check [postfix documentation](http://www.postfix.org/FILTER_README.html#simple_filter) for more details on both filter features. +### Lacre Webgate +Lacre-webgate is a simple interface for uploading keys. You can decide whether to install it by setting variable `lacre_webgate_deploy`. Default is set to `true`. This frontend depends on php and an sql database. The role defaults to `mariadb`. For Mariadb following variables need to be set. Check following example: + +``` +lacre_webgate_db_enabled: 'yes' +lacre_webgate_db_backend: 'mysql' +lacre_webgate_db_name: 'gpgmw' +lacre_webgate_db_host: 'localhost' +lacre_webgate_db_username: 'user' +lacre_webgate_db_password: 'password' +``` +The Lacre-webgate can be installed on remote host. You must make sure that mariadb is reachable from host running postfix+gpg-lacre as gpg-lacre needs to be able to pull uploaded keys. You can use this role to install Lacre-webgate on remote host by specifying `tag=webgate`. Make sure to set `lacre_webgate_deploy` to `false` on the `gpg-lacre/postfix` host. 
+ +### Dependency variables +Lacre depends on additional software such as postfix, php-fpm, mariadb, nginx. This software isn't covered by the role and you need to make sure to install and configure them according to your needs. You can use [disroot roles](https://git.disroot.org/org/Disroot-Ansible/dashboard) or any other roles or just set them up manually. Included defaults work with disroot ansible roles. + diff --git a/defaults/main.yml b/defaults/main.yml index 3ec9758..19fda6f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,6 @@ --- + +# Main vars lacre_pything_version: '3.9' lacre_repo: 'https://git.disroot.org/Disroot/gpg-lacre.git' lacre_version: 'main' @@ -8,13 +10,19 @@ lacre_group: 'lacre' lacre_homedir: '/var/lib/gpg-lacre' lacre_backend_deploy: 'true' lacre_webgate_deploy: 'true' -#lacre_ lacre_apt: - 'python3-m2crypto' - 'git' - 'gnupg' + - 'sudo' +lacre_daemon: 'false' lacre_set_content_filter: 'true' -#config file +lacre_content_filter: 'gpg-mailgate' +lacre_postfix_simplefilter: 'true' +lacre_postfix_daemon: 'false' + +# Lacre config file +lacre_config_file: '/etc/gpg-mailgate.conf' lacre_add_header: 'yes' lacre_enc_keymap_only: 'no' lacre_dec_keymap_only: 'no' 
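Review bot: `lacre_content_filter: 'gpg-mailgate'` names the simple-filter pipe transport, yet it is also the value tasks/daemon.yml writes into main.cf, where the master.cf block defines a `gpg-lacre` smtp transport and no `gpg-mailgate` entry; with `lacre_daemon: 'true'` and this default Postfix would apparently hand mail to a transport that no longer exists. The three new switches `lacre_daemon`, `lacre_postfix_simplefilter` and `lacre_postfix_daemon` also gate one decision independently, so `lacre_daemon: 'true'` with `lacre_postfix_daemon` left at `'false'` includes daemon.yml but skips its master.cf block. Consider deriving the Postfix flags from `lacre_daemon` instead of keeping separate switches, and documenting the coupling above the key, e.g. `# must name a transport defined in master.cf: 'gpg-mailgate' for the simple filter, the gpg-lacre smtp transport (with its nexthop) for daemon mode`.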
@@ -31,18 +39,28 @@ lacre_webpanel_url: 'http://example.org' lacre_notification_email: 'gpg-mailgate@example.org' lacre_mail_templates: '{{ lacre_app_dir }}/cron_templates' lacre_logfile: '/etc/gpg-lacre-logging.conf' +lacre_max_data_bytes: '33554432' +lacre_log_headers: 'no' lacre_relay: '127.0.0.1' lacre_port: '10028' lacre_enc_port: '25' lacre_starttls: 'no' + +## Lacre database lacre_webgate_db_enabled: 'yes' lacre_webgate_db_backend: 'mysql' lacre_webgate_db_name: 'gpgmw' lacre_webgate_db_host: 'localhost' -lacre_webgatedb_username: 'user' -lacre_webgatedb_password: 'password' +lacre_webgate_db_username: 'user' +lacre_webgate_db_password: 'password' -#lacre logger +## Lacre daemon +lacre_daemon_host: '127.0.0.1' +lacre_daemon_port: '10025' +lacre_systemd_execstart: 'python -m lacre.daemon' +lacre_systemd_restartsec: '3' + +# Lacre logger lacre_log_loggers_keys: 'root' lacre_log_logger_level: 'NOTSET' lacre_logger_handlers: 'syslog' @@ -58,9 +76,11 @@ lacre_log_postfix_format: '%(asctime)s %(module)s[%(process)d]: %(message)s' lacre_log_postfix_datefmt: '%b %e %H:%M:%S' lacre_log_postfix_style: '%' lacre_log_postfix_validate: 'True' -#lacre webgate + +# Lacre webgate +lacre_smtp_enabled: 'false' lacre_smtp_username: 'no-reply' -lacre_smtp_password: 'chanfeme' +lacre_smtp_password: 'changeme' lacre_smtp_host: 'example.lan' lacre_smtp_port: '587' lacre_smtp_starttls: 'true' @@ -71,7 +91,7 @@ lacre_webgate_apt: - 'python3-mysqldb' lacre_webgate_repo: 'https://git.disroot.org/Lacre/lacre-webgate.git' lacre_webgate_version: 'main' -lacre_webgate_dir: '/var/www/lacre-web' +lacre_webgate_dir: '/var/www/lacre-webgate' lacre_webgate_user: 'www-data' lacre_webgate_group: 'www-data' lacre_webgate_email_web: 'admin@example.com' 
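Review bot: `lacre_daemon_port: '10025'` is the same loopback port as the `127.0.0.1:10025 inet … smtpd` listener that tasks/daemon.yml adds to master.cf, while the relay the daemon reinjects to (`lacre_relay`/`lacre_port`, 127.0.0.1:10028) gets no listener in daemon mode; if `[daemon] host`/`port` in the config template is the address the Lacre daemon binds, as its comment suggests, one of the two values has to change or the daemon and Postfix contend for 10025. `lacre_systemd_execstart: 'python -m lacre.daemon'` also relies on a bare `python`, which Debian does not ship unless `python-is-python3` is installed; unless the install tasks (not shown) provide it, `python3 -m lacre.daemon` or an absolute interpreter path is safer. A comment under `## Lacre daemon` stating which side each port belongs to, e.g. `# address the Lacre daemon listens on; Postfix's content_filter nexthop must point here`, would make the intended wiring checkable.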
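Review bot: The corrected `lacre_smtp_password: 'changeme'` is still a role default that a playbook can forget to override, and since the configuration is rendered without any check the known placeholder is deployed silently. Defaulting the credential to an empty string and asserting it is set where it is used, e.g. `assert: { that: lacre_smtp_password | length > 0 }` guarded by `lacre_smtp_enabled == 'true'`, turns a missed override into a visible failure. The same pattern applies to `lacre_webgate_db_password` and `mariadb_root_password` elsewhere in this file.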
@@ -79,9 +99,14 @@ lacre_webgate_email_from: 'gpg-mailgate-web@example.com' lacre_webgate_email_subject_requestpgp: 'Confirm your email address' lacre_webgate_site_url: 'http://example.com/gpgmw' lacre_webgate_site_title: 'PGP key management' +lacre_webgate_site_logo: 'img/logo.png' +lacre_webgate_site_faqurl: 'https://lacre.io/faq' +lacre_webgate_site_howurl: 'https://learn.lacre.io' +lacre_webgate_site_contacturl: 'https://lacre.io/contact' + lacre_webgate_language: 'english' lacre_webgate_debug: 'enable' -lacre_mail_smtp: 'false' +lacre_webgate_mail_smtp: 'false' lacre_webgate_smtp_host: 'localhost' lacre_webgate_smtp_port: '25' lacre_webgate_smtp_username: 'gpgmw' @@ -95,15 +120,20 @@ lacre_webgate_lock_cooldown: '900' lacre_webgate_lock_reset: '300' lacre_webgate_locktime_max: '3600' -#mailserver vars +# Lacre dependency variables. Not covered by the role itself and when used with dependent disroot roles (nginx, php-fpm, mariadb, mailserver) + +# Mailserver vars (when used with disroot mailserver role) postfix_header_checks: 'false' postfix_body_checks: 'false' postfix_rbl_whitelist: 'false' postfix_postgrey_deploy: 'false' -#php +# php & nginx (when used with disroot php-fpm and nginx role) install_php: 'true' -php_version: '7.4' +php_version: '8.0' +php_etc_path: '/etc/php' +install_php: 'true' +pool_listen: '/var/run/php/php{{ php_version }}-fpm.sock' php_pkgs: - 'php{{ php_version }}-fpm' - 'php{{ php_version }}-mysql' @@ -112,7 +142,7 @@ nginx_vhosts: template: 'basephp' proto: 'http' listen: '80' - root: 'gpg-mailgate-web/public_html' + root: 'lacre-webgate/public_html' index: 'index.php' use_access_log: 'true' use_error_log: 'true' 
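Review bot: `install_php: 'true'` now appears twice in the same mapping — the existing line above `php_version` and the added copy after `php_etc_path` — and PyYAML keeps only the last occurrence while Ansible logs a duplicate-key warning; drop the second line. Today both values agree so nothing breaks, but a later edit to one of them would be silently lost.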
@@ -122,14 +152,17 @@ nginx_vhosts: - 'fastcgi_index index.php;' - 'include /etc/nginx/fastcgi_params;' - 'fastcgi_pass unix:{{ pool_listen }};' + custom_locations: + - name: '/config\.*' + options: + - 'deny all;' state: 'enable' letsencrypt: 'false' nginx_default_vhost_ssl: 'example.org' nginx_default_vhost: 'example.org' -#mariadb -# MARIADB CONFIG +# Mariadb (when using disroot mariadb role) mariadb_root_password: 'changeme' mariadb_default_config: - name: 'client' @@ -155,7 +188,7 @@ mariadb_default_config: - character-set-server = utf8mb4 - collation-server = utf8mb4_unicode_ci - skip_external_locking = True - - bind_address = {{ lacre_db_host }} + - bind_address = {{ lacre_webgate_db_host }} - key_buffer = 16M - max_allowed_packet = 16M - thread_stack = 192K @@ -208,13 +241,13 @@ mariadb_default_config: - key_buffer = 16M mariadb_databases: - - name: '{{ lacre_db_name }}' + - name: '{{ lacre_webgate_db_name }}' collation: 'utf8mb4_unicode_ci' encoding: 'utf8mb4' mariadb_users: - - name: '{{ lacre_db_username }}' - host: '{{ lacre_db_host }}' - password: '{{ lacre_db_password }}' - priv: '{{ lacre_db_name }}.*:ALL' + - name: '{{ lacre_webgate_db_username }}' + host: '{{ lacre_webgate_db_host }}' + password: '{{ lacre_webgate_db_password }}' + priv: '{{ lacre_webgate_db_name }}.*:ALL' diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..5f8860b --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: restart gpg-lacre + systemd: + name: gpg-lacre + state: restarted diff --git a/tasks/configure.yml b/tasks/configure.yml index db202b8..a6d8c99 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -3,7 +3,7 @@ - name: '[LACRE] - Configure lacre' template: src: 'etc/gpg-mailgate.conf.j2' - dest: '/etc/gpg-mailgate.conf' + dest: '{{ lacre_config_file }}' owner: '{{ lacre_username }}' group: '{{ lacre_group }}' mode: 0644 
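Review bot: The new `custom_locations` entry `name: '/config\.*'` with `deny all;` most likely never matches: if the nginx role renders it as `location {{ name }} {`, then without a `~` modifier it is a literal prefix match, and no request URI contains a backslash, so `config.php` (which holds the database credentials) stays exactly as reachable as before. Even as a regex its effect would depend on ordering against the vhost's `\.php$` fastcgi location, which wins if it appears earlier. An exact match beats regex locations regardless of order, so `name: '= /config.php'` is the safer form, with an additional `~ ^/config\.` entry only if backup copies are a concern; verify against the role's vhost template, which is outside this diff.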
@@ -11,34 +11,9 @@ - name: '[LACRE] - Configure lacre logger' template: src: 'etc/gpg-lacre-logging.conf.j2' - dest: '/etc/gpg-lacre-logging.conf' + dest: '{{ lacre_logfile }}' owner: '{{ lacre_username }}' group: '{{ lacre_group }}' mode: 0644 -- name: '[LACRE] - Add lacre config to postfix' - blockinfile: - dest: '/etc/postfix/master.cf' - backup: yes - marker: '# {mark} LACRE config block (Ansible)' - block: | - gpg-mailgate unix - n n - - pipe - flags= user=lacre argv={{ lacre_app_dir }}/gpg-mailgate.py ${recipient} - - 127.0.0.1:10028 inet n - n - 10 smtpd - -o content_filter= - -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks - -o smtpd_helo_restrictions= - -o smtpd_client_restrictions= - -o smtpd_sender_restrictions= - -o smtpd_recipient_restrictions=permit_mynetworks,reject - -o mynetworks=127.0.0.0/8 - -o smtpd_authorized_xforward_hosts=127.0.0.0/8 - -- name: '[LACRE] - Replace content_filter setting in postfix' - replace: - path: '/etc/postfix/main.cf' - regexp: 'content_filter = .*' - replace: 'content_filter = gpg-mailgate' - when: lacre_set_content_filter == 'true' diff --git a/tasks/daemon.yml b/tasks/daemon.yml new file mode 100644 index 0000000..0d573d0 --- /dev/null +++ b/tasks/daemon.yml 
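Review bot: `dest: '{{ lacre_logfile }}'` now writes the logging configuration template to a variable whose name reads as a log output path; the same variable is what the gpg-mailgate.conf template places under `[logging] config =`. A one-line comment in defaults, `# path of the Python logging configuration file read by Lacre (not a log output)`, or a clearer name such as `lacre_logging_config` kept alongside the old one for compatibility, would stop someone pointing it at `/var/log/...`.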
@@ -0,0 +1,57 @@ +--- + +- name: '[Lacre Daemon] - Deploy systemd config' + template: + src: etc/systemd/system/gpg-lacre.service.j2 + dest: /etc/systemd/system/gpg-lacre.service + owner: root + group: root + mode: 0644 + register: lacre_systemd + +- name: '[Lacre Daemon] - Enable systemd config' + systemd: + name: gpg-lacre + enabled: yes + daemon_reload: yes + notify: + restart gpg-lacre + + +- name: '[LACRE] - Add lacre daemon to postfix' + blockinfile: + dest: '/etc/postfix/master.cf' + backup: yes + marker: '# {mark} LACRE config block (Ansible)' + block: | + gpg-lacre unix - - - - - smtp + -o smtp_tls_security_level=none + + 127.0.0.1:10025 inet n - - - - smtpd + -o content_filter= + -o smtpd_tls_security_level=none + -o local_recipient_maps= + -o relay_recipient_maps= + -o smtpd_restriction_classes= + -o smtpd_delay_reject=no + -o smtpd_client_restrictions=permit_mynetworks,reject + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_data_restrictions=reject_unauth_pipelining + -o smtpd_end_of_data_restrictions= + -o mynetworks=127.0.0.0/8 + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o smtpd_client_connection_count_limit=0 + -o smtpd_client_connection_rate_limit=0 + -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters + when: lacre_postfix_daemon == 'true' + +- name: '[LACRE] - Replace content_filter setting in postfix' + replace: + path: '/etc/postfix/main.cf' + regexp: 'content_filter = .*' + replace: 'content_filter = {{ lacre_content_filter }}' + when: lacre_set_content_filter == 'true' diff --git a/tasks/git.yml b/tasks/git.yml index 42bcfc7..e7972c7 100644 --- a/tasks/git.yml +++ b/tasks/git.yml @@ -7,4 +7,6 @@ force: yes update: yes version: "{{ lacre_version }}" + become: 'yes' + become_user: "{{ lacre_username }}" 
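Review bot: `notify: restart gpg-lacre` hangs off the 'Enable systemd config' task, whereas the template task that actually changes the unit file only does `register: lacre_systemd`, which nothing reads; an edited unit (new ExecStart, RestartSec or user) is therefore not restarted unless the enable task itself reports a change. Move the `notify:` onto the template task and drop the unused `register:`. The `when: lacre_postfix_daemon == 'true'` on the master.cf block is a second switch beside the `lacre_daemon` that selects this file in tasks/main.yml, so the file can be included while its only Postfix wiring is skipped; tying the block to `lacre_daemon` or documenting why both switches exist would help.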
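Review bot: Running the `git` module with `become_user: "{{ lacre_username }}"` makes Ansible hand its temporary module files to an unprivileged user, which on Debian typically fails with the "Failed to set permissions on the temporary files" error unless the `acl` package (setfacl) is installed or world-readable temp files are allowed; the role's `lacre_apt` list adds `sudo` but not `acl`. Adding `- 'acl'` to `lacre_apt`, installed before this task runs, is the usual fix. The task begins before this hunk, so its `repo`/`dest` lines were not reviewed here.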
diff --git a/tasks/main.yml b/tasks/main.yml index c4e86d2..fc2cd51 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,33 +1,45 @@ --- -- name: 'Clone / Update repository' - include: git.yml +- name: 'Create user' + include: 'user.yml' tags: - 'backend' when: lacre_backend_deploy == 'true' -- name: 'Create user' - include: user.yml +- name: 'Clone / Update repository' + include: 'git.yml' tags: - 'backend' when: lacre_backend_deploy == 'true' - name: 'Install Lacre' - include: install.yml + include: 'install.yml' tags: - 'backend' when: lacre_backend_deploy == 'true' - name: 'Configure Lacre' - include: configure.yml + include: 'configure.yml' tags: - 'config' - 'configure' - 'backend' - when: lacre_backend_deploy == 'true' + when: lacre_backend_deploy == 'true' + +- name: 'Use simple filter' + include: 'simple_filter.yml' + when: lacre_daemon == 'false' + +- name: 'Deploy Advanced filter' + include: 'daemon.yml' + tags: + - 'backend' + - 'config' + - 'daemon' + when: lacre_daemon == 'true' - name: 'Deploy Lacre Webgate' - include: webgate.yml + include: 'webgate.yml' tags: - 'webgate' when: lacre_webgate_deploy == 'true' diff --git a/tasks/simple_filter.yml b/tasks/simple_filter.yml new file mode 100644 index 0000000..3860f33 --- /dev/null +++ b/tasks/simple_filter.yml 
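Review bot: The new 'Use simple filter' include has neither `tags:` nor the `when: lacre_backend_deploy == 'true'` guard its sibling includes carry, so a host configured as webgate-only (`lacre_backend_deploy: 'false'`, the remote setup the README describes) still gets its `/etc/postfix/master.cf` and `main.cf` rewritten with the simple-filter block, while a run limited with `--tags backend` or `--tags config` skips it on the real mail host. Give it the same gating as its siblings, e.g. `tags: ['backend', 'config']` and `when: lacre_backend_deploy == 'true' and lacre_daemon == 'false'`. 'Deploy Advanced filter' has tags but lacks the `lacre_backend_deploy` guard as well.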
@@ -0,0 +1,29 @@ +--- + +- name: '[LACRE] - Add lacre simple filter to postfix' + blockinfile: + dest: '/etc/postfix/master.cf' + backup: yes + marker: '# {mark} LACRE config block (Ansible)' + block: | + gpg-mailgate unix - n n - - pipe + flags= user=lacre argv={{ lacre_app_dir }}/gpg-mailgate.py ${recipient} + + 127.0.0.1:10028 inet n - n - 10 smtpd + -o content_filter= + -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks + -o smtpd_helo_restrictions= + -o smtpd_client_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o mynetworks=127.0.0.0/8 + -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + when: lacre_postfix_simplefilter == 'true' + +- name: '[LACRE] - Replace content_filter setting in postfix' + replace: + path: '/etc/postfix/main.cf' + regexp: 'content_filter = .*' + replace: 'content_filter = {{ lacre_content_filter }}' + when: lacre_set_content_filter == 'true' + diff --git a/tasks/webgate.yml b/tasks/webgate.yml index 53d89bd..6be11f2 100644 --- a/tasks/webgate.yml +++ b/tasks/webgate.yml @@ -27,11 +27,11 @@ login_user: "{{ lacre_webgate_db_username }}" login_password: "{{ lacre_webgate_db_password }}" target: "{{ lacre_webgate_dir }}/schema.sql" - when: lacre_webgate_installed.stdout != '3' + when: lacre_webgate_installed.stdout < "0" - name: '[Lacre-webgate] - Deploy config' template: - src: 'lacre-web/config.php.j2' + src: 'lacre-webgate/config.php.j2' dest: "{{ lacre_webgate_dir }}/public_html/config.php" owner: "{{ lacre_webgate_user }}" group: "{{ lacre_webgate_group }}" diff --git a/templates/etc/gpg-mailgate.conf.j2 b/templates/etc/gpg-mailgate.conf.j2 index 1e761b6..cdcd918 100644 --- a/templates/etc/gpg-mailgate.conf.j2 +++ b/templates/etc/gpg-mailgate.conf.j2 
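Review bot: The master.cf block hard-codes `user=lacre` and `127.0.0.1:10028` although the role exposes `lacre_username`, `lacre_relay` and `lacre_port` for exactly these values, so changing any of them in a playbook silently desynchronises Postfix from the rendered Lacre config (whose `[relay]` section uses the variables) and the pipe would run as a user that may not exist. Use `flags= user={{ lacre_username }} argv={{ lacre_app_dir }}/gpg-mailgate.py ${recipient}` and, if `lacre_relay` is indeed the reinjection address, `{{ lacre_relay }}:{{ lacre_port }} inet n - n - 10 smtpd`. The `when: lacre_postfix_simplefilter == 'true'` switch duplicates the `lacre_daemon == 'false'` selection already made in tasks/main.yml.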
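Review bot: `when: lacre_webgate_installed.stdout < "0"` compares two strings, so it is true only for output that sorts before the character `0` — an empty string or something like `-1` — and false for every ordinary count such as `0`, `3` or `12`; the old `!= '3'` at least tested a value. If `stdout` is meant to be a count from the command registered before this hunk, cast it and say what zero means, e.g. `when: lacre_webgate_installed.stdout | trim | int == 0` with a comment `# schema.sql is imported only when the database has no tables yet`. The registering task lies outside this hunk, so the exact meaning of `stdout` was not verified here.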
@@ -8,16 +8,6 @@ add_header = {{ lacre_add_header }} # This means gpg-mailgate won't automatically detect PGP recipients for encrypting enc_keymap_only = {{ lacre_enc_keymap_only }} -# Whether we should only decrypt emails if they are explicitly defined in -# the key mappings below ([dec_keymap] section) -# This means gpg-mailgate won't automatically detect PGP recipients for decrypting -dec_keymap_only = {{ lacre_dec_keymap_only }} - -# If dec_keymap_only is set to yes and recipients have private keys present for decrypting -# but are not on in the keymap, this can cause that mails for them will be -# encrypted. Set this to no if you want this behaviour. -failsave_dec = {{ lacre_failsave_dec }} - # Convert encrypted text/plain email to MIME-attached encrypt style. # (Default is to use older inline-style PGP encoding.) mime_conversion = {{ lacre_mime_conversion }} @@ -29,20 +19,6 @@ mime_conversion = {{ lacre_mime_conversion }} # recipients all ignore the RFC you could this to yes. mail_case_insensitive = {{ lacre_mail_case_insensitive }} -# This setting disables PGP/INLINE decryption completely. However, -# PGP/MIME encrypted mails will still be decrypted if possible. PGP/INLINE -# decryption has to be seen as experimental and could have some negative -# side effects. So if you want to take the risk set this to no. -no_inline_dec = {{ lacre_no_inline_dec }} - -# Here you can define a regex for which the gateway should try to decrypt mails. -# It could be used to define that decryption should be used for a wider range of -# mail addresses e.g. a whole domain. No key is needed here. It is even active if -# dec_keymap is set to yes. If this feature should be disabled, don't leave it blank. -# Set it to None. For further regex information please have a look at -# https://docs.python.org/2/library/re.html -dec_regex = {{ lacre_dec_regex }} - [gpg] # the directory where gpg-mailgate public keys are stored # (see INSTALL for details) 
@@ -69,6 +45,24 @@ mail_templates = {{ lacre_mail_templates }} # path to the logging configuration; see documentation for details: # https://docs.python.org/3/library/logging.config.html#logging-config-fileformat config = {{ lacre_logfile }} +{% if lacre_daemon == 'true' %} +[daemon] +# Advanced Content Filter section. +# +# Advanced filters differ from Simple ones by providing a daemon that handles +# requests, instead of starting a new process each time a message arrives. +host = {{ lacre_daemon_host }} +port = {{ lacre_daemon_port }} + +# Maximum size (in bytes) of message body, i.e. data provided after DATA +# message. Following value comes from aiosmtpd module's default for this +# setting. +max_data_bytes = {{ lacre_max_data_bytes }}33554432 + +# Sometimes it may make sense to log additional information from mail headers. +# This should never be PII, but information like encoding, content types, etc. +log_headers = {{ lacre_log_headers }}no +{% endif %} [relay] # the relay settings to use for Postfix @@ -94,6 +88,8 @@ port = {{ lacre_smtp_port }} starttls = {{ lacre_smtp_starttls }} [database] +# edit the settings below if you want to read keys from a +# gpg-mailgate-web database other than SQLite enabled = {{ lacre_webgate_db_enabled }} {% if lacre_webgate_db_backend == 'sqlite' %} url = sqlite://{{ lacre_webgate_db_name }} diff --git a/templates/etc/systemd/system/gpg-lacre.service.j2 b/templates/etc/systemd/system/gpg-lacre.service.j2 new file mode 100644 index 0000000..9fd1a61 --- /dev/null +++ b/templates/etc/systemd/system/gpg-lacre.service.j2 @@ -0,0 +1,17 @@ +[Unit] +Description=GPG Lacre mailgate daemon +After=syslog.target network.target + +[Service] +Type=simple +User={{ lacre_username }} +Group={{ lacre_group }} +WorkingDirectory={{ lacre_app_dir }} +Environment=GPG_MAILGATE_CONFIG={{ lacre_config_file }} +ExecStart={{ lacre_systemd_execstart }} +Restart=always +RestartSec={{ lacre_systemd_restartsec }} + +[Install] +WantedBy=multi-user.target + 
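Review bot: `max_data_bytes = {{ lacre_max_data_bytes }}33554432` and `log_headers = {{ lacre_log_headers }}no` keep the sample values glued after the Jinja expression, so with the defaults they render as `max_data_bytes = 3355443233554432` and `log_headers = nono` — the first quietly drops the intended 32 MiB cap on the message body the daemon accepts, the second is not a valid boolean. Change the two lines to `max_data_bytes = {{ lacre_max_data_bytes }}` and `log_headers = {{ lacre_log_headers }}`. The `[daemon]` section is only emitted when `lacre_daemon == 'true'`, so the simple-filter path is unaffected.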
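Review bot: The unit starts a daemon that parses untrusted mail with no sandboxing directives at all, and `After=syslog.target` references a target modern systemd no longer provides (harmless, but misleading). Keep `After=network.target` alone and add at least `NoNewPrivileges=true` and `PrivateTmp=true` under `[Service]`; stricter options such as `ProtectSystem=strict` with `ReadWritePaths={{ lacre_homedir }}` are worth trying but need testing against GnuPG's need to write its keyring and lock files. A `# Managed by Ansible — change the role defaults, not this file` header would also stop local edits from being silently overwritten on the next run.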
diff --git a/templates/lacre-web/config.php.j2 b/templates/lacre-webgate/config.php.j2 similarity index 91% rename from templates/lacre-web/config.php.j2 rename to templates/lacre-webgate/config.php.j2 index e06180c..53cf4d1 100644 --- a/templates/lacre-web/config.php.j2 +++ b/templates/lacre-webgate/config.php.j2 @@ -37,6 +37,17 @@ $config['email_subject_requestpgp'] = '{{ lacre_webgate_email_subject_requestpgp //site URL, without trailing slash $config['site_url'] = '{{ lacre_webgate_site_url }}'; +//site logo +$config['site_logo'] = '{{ lacre_webgate_site_logo }}'; + +//link to FAQ page +$config['site_faqurl'] = '{{ lacre_webgate_site_faqurl }}'; + +//link to tutorial website +$config['site_howurl'] = '{{ lacre_webgate_site_howurl }}'; + +//link to contact page +$config['site_contacturl'] = '{{ lacre_webgate_site_contacturl }}'; //title of the website (displayed on home page) $config['site_title'] = '{{ lacre_webgate_site_title }}'; @@ -52,7 +63,7 @@ $config['debug'] = '{{ lacre_webgate_debug }}'; // //whether to send mail through SMTP (instead of PHP mail function) -$config['mail_smtp'] = {{ lacre_mail_smtp }}; +$config['mail_smtp'] = {{ lacre_webgate_mail_smtp }}; //SMTP settings, if mail_smtp is enabled //this requires Net_SMTP from http://pear.php.net/package/Net_SMTP/ to be installed
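Review bot: The four new `site_*` entries are dropped into single-quoted PHP literals unescaped, so a value containing a single quote breaks config.php at parse time and takes the web frontend down; `'{{ lacre_webgate_site_logo | replace("'", "\\'") }}'` (and likewise for the three URLs) keeps the file syntactically valid, or validate the values with an `assert` before templating. As the collapsed layout suggests, the block also omits the blank line that separates every other entry from the following `//title of the website` comment; add one after `site_contacturl`.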