2023-09-02 20:33:55 +02:00
12 changed files with 240 additions and 86 deletions
--- a/README.MD
+++ b/README.MD
@ -1,8 +1,24 @@
 # GPG - Lacre
-This is a role that deploys GPG-Lacre with all needed dependencies and web frontends. 
+This is a role that deploys GPG-Lacre with all needed dependencies. Additionally takes care of installing a simply key upload web frontend. 
 For set of defaults variables check `defaults/main.yml` file. This role assumes that:
 - You are running Debian based OS
 - You run postfix
-**Warning**
+### Lacre daemon or simple filter
-Due to heavy development of lacre this role may be broken at times. Lacre is currently not recommended for production use. Please use for testing only.
+Postfix offers two types of filters. Simple and advanced content filters. Depending on your use case you can choose between two. Set `lacre_daemon` to `false` for simple filter and `true` for advanced filter (aka daemon). Additionally refer to variable defaults for extra settings needed for either option. Also check [postfix documentation](http://www.postfix.org/FILTER_README.html#simple_filter) for more details on both filter features.  
 ### Lacre Webgate
 Lacre-webgate is a simple interface for uploading keys. You can decide whether to install it by setting variable `lacre_webgate_deploy`. Default is set to `true`. This frontend depends on php and an sql database. The role defaults to `mariadb`. For Mariadb following variables need to be set. Check following example:
 ```
 lacre_webgate_db_enabled: 'yes'
 lacre_webgate_db_backend: 'mysql'
 lacre_webgate_db_name: 'gpgmw'
 lacre_webgate_db_host: 'localhost'
 lacre_webgate_db_username: 'user'
 lacre_webgate_db_password: 'password'
 ```
 The Lacre-webgate can be installed on remote host. You must make sure that mariadb is reachable from host running postfix+gpg-lacre as gpg-lacre needs to be able to pull uploaded keys. You can use this role to install Lacre-webgate on remote host by specifying `tag=webgate`. Make sure to set `lacre_webgate_deploy` to `false` on the `gpg-lacre/postfix` host.
 ### Dependency variables
 Lacre depends on additional software such as postfix, php-fpm, mariadb, nginx. This software isn't covered by the role and you need to make sure to install and configure them according to your needs. You can use [disroot roles](https://git.disroot.org/org/Disroot-Ansible/dashboard) or any other roles or just set them up manually. Included defaults work with disroot ansible roles. 
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,4 +1,6 @@
 ---
 # Main vars
 lacre_pything_version: '3.9'
 lacre_repo: 'https://git.disroot.org/Disroot/gpg-lacre.git'
 lacre_version: 'main'
@ -8,13 +10,19 @@ lacre_group: 'lacre'
 lacre_homedir: '/var/lib/gpg-lacre'
 lacre_backend_deploy: 'true'
 lacre_webgate_deploy: 'true'
 #lacre_
 lacre_apt:
  - 'python3-m2crypto'
  - 'git'
  - 'gnupg'
  - 'sudo'
 lacre_daemon: 'false'
 lacre_set_content_filter: 'true'
-#config file
+lacre_content_filter: 'gpg-mailgate'
 lacre_postfix_simplefilter: 'true'
 lacre_postfix_daemon: 'false'
 # Lacre config file
 lacre_config_file: '/etc/gpg-mailgate.conf'
 lacre_add_header: 'yes'
 lacre_enc_keymap_only: 'no'
 lacre_dec_keymap_only: 'no'
@ -31,18 +39,28 @@ lacre_webpanel_url: 'http://example.org'
 lacre_notification_email: 'gpg-mailgate@example.org'
 lacre_mail_templates: '{{ lacre_app_dir }}/cron_templates'
 lacre_logfile: '/etc/gpg-lacre-logging.conf'
 lacre_max_data_bytes: '33554432'
 lacre_log_headers: 'no'
 lacre_relay: '127.0.0.1'
 lacre_port: '10028'
 lacre_enc_port: '25'
 lacre_starttls: 'no'
 ## Lacre database
 lacre_webgate_db_enabled: 'yes'
 lacre_webgate_db_backend: 'mysql'
 lacre_webgate_db_name: 'gpgmw'
 lacre_webgate_db_host: 'localhost'
-lacre_webgatedb_username: 'user'
+lacre_webgate_db_username: 'user'
-lacre_webgatedb_password: 'password'   
+lacre_webgate_db_password: 'password'   
-#lacre logger
+## Lacre daemon
 lacre_daemon_host: '127.0.0.1'
 lacre_daemon_port: '10025'
 lacre_systemd_execstart: 'python -m lacre.daemon'
 lacre_systemd_restartsec: '3'
 # Lacre logger
 lacre_log_loggers_keys: 'root'
 lacre_log_logger_level: 'NOTSET'
 lacre_logger_handlers: 'syslog'
@ -58,9 +76,11 @@ lacre_log_postfix_format: '%(asctime)s %(module)s[%(process)d]: %(message)s'
 lacre_log_postfix_datefmt: '%b %e %H:%M:%S'
 lacre_log_postfix_style: '%'
 lacre_log_postfix_validate: 'True'
-#lacre webgate
+
 # Lacre webgate
 lacre_smtp_enabled: 'false'
 lacre_smtp_username: 'no-reply'          
-lacre_smtp_password: 'chanfeme'
+lacre_smtp_password: 'changeme'
 lacre_smtp_host: 'example.lan'                       
 lacre_smtp_port: '587'                            
 lacre_smtp_starttls: 'true' 
@ -71,7 +91,7 @@ lacre_webgate_apt:
  - 'python3-mysqldb'
 lacre_webgate_repo: 'https://git.disroot.org/Lacre/lacre-webgate.git'
 lacre_webgate_version: 'main'
-lacre_webgate_dir: '/var/www/lacre-web'
+lacre_webgate_dir: '/var/www/lacre-webgate'
 lacre_webgate_user: 'www-data'
 lacre_webgate_group: 'www-data'
 lacre_webgate_email_web: 'admin@example.com'
@ -79,9 +99,14 @@ lacre_webgate_email_from: 'gpg-mailgate-web@example.com'
 lacre_webgate_email_subject_requestpgp: 'Confirm your email address'
 lacre_webgate_site_url: 'http://example.com/gpgmw' 
 lacre_webgate_site_title: 'PGP key management'
 lacre_webgate_site_logo: 'img/logo.png'
 lacre_webgate_site_faqurl: 'https://lacre.io/faq' 
 lacre_webgate_site_howurl: 'https://learn.lacre.io'
 lacre_webgate_site_contacturl: 'https://lacre.io/contact' 
 lacre_webgate_language: 'english'
 lacre_webgate_debug: 'enable'
-lacre_mail_smtp: 'false'
+lacre_webgate_mail_smtp: 'false'
 lacre_webgate_smtp_host: 'localhost'
 lacre_webgate_smtp_port: '25'
 lacre_webgate_smtp_username: 'gpgmw'
@ -95,15 +120,20 @@ lacre_webgate_lock_cooldown: '900'
 lacre_webgate_lock_reset: '300'
 lacre_webgate_locktime_max: '3600'
-#mailserver vars
+# Lacre dependency variables. Not covered by the role itself and when used with dependent disroot roles (nginx, php-fpm, mariadb, mailserver)
 # Mailserver vars (when used with disroot mailserver role)
 postfix_header_checks: 'false'
 postfix_body_checks: 'false'
 postfix_rbl_whitelist: 'false'
 postfix_postgrey_deploy: 'false'
-#php
+# php & nginx (when used with disroot php-fpm and nginx role)
 install_php: 'true'
-php_version: '7.4'
+php_version: '8.0'
 php_etc_path: '/etc/php'
 install_php: 'true'
 pool_listen: '/var/run/php/php{{ php_version }}-fpm.sock'
 php_pkgs:
  - 'php{{ php_version }}-fpm'
  - 'php{{ php_version }}-mysql'
@ -112,7 +142,7 @@ nginx_vhosts:
     template: 'basephp'
     proto: 'http'
     listen: '80'
-     root: 'gpg-mailgate-web/public_html'
+     root: 'lacre-webgate/public_html'
     index: 'index.php'
     use_access_log: 'true'
     use_error_log: 'true'
@ -122,14 +152,17 @@ nginx_vhosts:
       - 'fastcgi_index index.php;'
       - 'include /etc/nginx/fastcgi_params;'
       - 'fastcgi_pass unix:{{ pool_listen }};'
     custom_locations:
       - name: '/config\.*'
         options:
           - 'deny all;'
     state: 'enable'
     letsencrypt: 'false'
 nginx_default_vhost_ssl: 'example.org'
 nginx_default_vhost: 'example.org'
-#mariadb
+# Mariadb (when using disroot mariadb role)
 # MARIADB CONFIG
 mariadb_root_password: 'changeme'
 mariadb_default_config:
  - name: 'client'
@ -155,7 +188,7 @@ mariadb_default_config:
      - character-set-server = utf8mb4
      - collation-server = utf8mb4_unicode_ci
      - skip_external_locking = True
-      - bind_address = {{ lacre_db_host }}
+      - bind_address = {{ lacre_webgate_db_host }}
      - key_buffer = 16M
      - max_allowed_packet = 16M
      - thread_stack = 192K
@ -208,13 +241,13 @@ mariadb_default_config:
      - key_buffer = 16M
 mariadb_databases:
-  - name: '{{ lacre_db_name }}'
+  - name: '{{ lacre_webgate_db_name }}'
    collation: 'utf8mb4_unicode_ci'
    encoding: 'utf8mb4'
 mariadb_users:
-  - name: '{{ lacre_db_username }}'
+  - name: '{{ lacre_webgate_db_username }}'
-    host: '{{ lacre_db_host }}'
+    host: '{{ lacre_webgate_db_host }}'
-    password: '{{ lacre_db_password }}'
+    password: '{{ lacre_webgate_db_password }}'
-    priv: '{{ lacre_db_name }}.*:ALL'
+    priv: '{{ lacre_webgate_db_name }}.*:ALL'
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,6 @@
 ---
 - name: restart gpg-lacre
  systemd:
    name: gpg-lacre
    state: restarted
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@ -3,7 +3,7 @@
 - name: '[LACRE] - Configure lacre'
  template:
    src: 'etc/gpg-mailgate.conf.j2'
-    dest: '/etc/gpg-mailgate.conf'
+    dest: '{{ lacre_config_file }}'
    owner: '{{ lacre_username }}'
    group: '{{ lacre_group }}'
    mode: 0644
@ -11,34 +11,9 @@
 - name: '[LACRE] - Configure lacre logger'
  template:
    src: 'etc/gpg-lacre-logging.conf.j2'
-    dest: '/etc/gpg-lacre-logging.conf'
+    dest: '{{ lacre_logfile }}'
    owner: '{{ lacre_username }}'
    group: '{{ lacre_group }}'
    mode: 0644
 - name: '[LACRE] - Add lacre config to postfix'
  blockinfile:
    dest: '/etc/postfix/master.cf'
    backup: yes
    marker: '# {mark} LACRE config block (Ansible)'
    block: |
       gpg-mailgate    unix    -   n   n   -   -   pipe
         flags= user=lacre argv={{ lacre_app_dir }}/gpg-mailgate.py ${recipient}
       127.0.0.1:10028 inet    n   -   n   -   10  smtpd
         -o content_filter=
         -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
         -o smtpd_helo_restrictions=
         -o smtpd_client_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o mynetworks=127.0.0.0/8
         -o smtpd_authorized_xforward_hosts=127.0.0.0/8
 - name: '[LACRE] - Replace content_filter setting in postfix'
  replace:
    path: '/etc/postfix/main.cf'
    regexp: 'content_filter = .*'
    replace: 'content_filter = gpg-mailgate'
  when: lacre_set_content_filter == 'true'
--- a/tasks/daemon.yml
+++ b/tasks/daemon.yml
@ -0,0 +1,57 @@
 ---
 - name: '[Lacre Daemon] - Deploy systemd config'
  template:
    src: etc/systemd/system/gpg-lacre.service.j2
    dest: /etc/systemd/system/gpg-lacre.service
    owner: root
    group: root
    mode: 0644
  register: lacre_systemd
 - name: '[Lacre Daemon] - Enable systemd config'
  systemd:
    name: gpg-lacre
    enabled: yes
    daemon_reload: yes
  notify:
    restart gpg-lacre
 - name: '[LACRE] - Add lacre daemon to postfix'
  blockinfile:
    dest: '/etc/postfix/master.cf'
    backup: yes
    marker: '# {mark} LACRE config block (Ansible)'
    block: |
      gpg-lacre     unix    -       -       -       -       -       smtp
        -o smtp_tls_security_level=none
      127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o smtpd_tls_security_level=none
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  when: lacre_postfix_daemon == 'true'
 - name: '[LACRE] - Replace content_filter setting in postfix'
  replace:
    path: '/etc/postfix/main.cf'
    regexp: 'content_filter = .*'
    replace: 'content_filter = {{ lacre_content_filter }}'
  when: lacre_set_content_filter == 'true'
--- a/tasks/git.yml
+++ b/tasks/git.yml
@ -7,4 +7,6 @@
    force: yes
    update: yes
    version: "{{ lacre_version }}"
  become: 'yes'
  become_user: "{{ lacre_username }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,33 +1,45 @@
 ---
- name: 'Clone / Update repository'
+- name: 'Create user'
-  include: git.yml
+  include: 'user.yml'
  tags: 
    - 'backend'
  when: lacre_backend_deploy == 'true'
- name: 'Create user'
+- name: 'Clone / Update repository'
-  include: user.yml
+  include: 'git.yml'
  tags: 
    - 'backend'
  when: lacre_backend_deploy == 'true'
 - name: 'Install Lacre'
-  include: install.yml
+  include: 'install.yml'
  tags:
    - 'backend'
  when: lacre_backend_deploy == 'true'
 - name: 'Configure Lacre'
-  include: configure.yml
+  include: 'configure.yml'
  tags:
    - 'config'
    - 'configure'
    - 'backend'
-   when: lacre_backend_deploy == 'true'
+  when: lacre_backend_deploy == 'true'
 - name: 'Use simple filter'
  include: 'simple_filter.yml'
  when: lacre_daemon == 'false'
 - name: 'Deploy Advanced filter'
  include: 'daemon.yml'
  tags:
    - 'backend'
    - 'config'
    - 'daemon'
  when: lacre_daemon == 'true'
 - name: 'Deploy Lacre Webgate'
-  include: webgate.yml
+  include: 'webgate.yml'
  tags:
    - 'webgate'
  when: lacre_webgate_deploy == 'true'
--- a/tasks/simple_filter.yml
+++ b/tasks/simple_filter.yml
@ -0,0 +1,29 @@
 ---
 - name: '[LACRE] - Add lacre simple filter to postfix'
  blockinfile:
    dest: '/etc/postfix/master.cf'
    backup: yes
    marker: '# {mark} LACRE config block (Ansible)'
    block: |
       gpg-mailgate    unix    -   n   n   -   -   pipe
         flags= user=lacre argv={{ lacre_app_dir }}/gpg-mailgate.py ${recipient}
       127.0.0.1:10028 inet    n   -   n   -   10  smtpd
         -o content_filter=
         -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
         -o smtpd_helo_restrictions=
         -o smtpd_client_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o mynetworks=127.0.0.0/8
         -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  when: lacre_postfix_simplefilter == 'true'
 - name: '[LACRE] - Replace content_filter setting in postfix'
  replace:
    path: '/etc/postfix/main.cf'
    regexp: 'content_filter = .*'
    replace: 'content_filter = {{ lacre_content_filter }}'
  when: lacre_set_content_filter == 'true'
--- a/tasks/webgate.yml
+++ b/tasks/webgate.yml
@ -27,11 +27,11 @@
    login_user: "{{ lacre_webgate_db_username }}"
    login_password: "{{ lacre_webgate_db_password }}"
    target: "{{ lacre_webgate_dir }}/schema.sql"
-  when: lacre_webgate_installed.stdout != '3'
+  when: lacre_webgate_installed.stdout < "0"
 - name: '[Lacre-webgate] - Deploy config'
  template:
-    src: 'lacre-web/config.php.j2'
+    src: 'lacre-webgate/config.php.j2'
    dest: "{{ lacre_webgate_dir }}/public_html/config.php"
    owner: "{{ lacre_webgate_user }}"
    group: "{{ lacre_webgate_group }}"
--- a/templates/etc/gpg-mailgate.conf.j2
+++ b/templates/etc/gpg-mailgate.conf.j2
@ -8,16 +8,6 @@ add_header = {{ lacre_add_header }}
 # This means gpg-mailgate won't automatically detect PGP recipients for encrypting
 enc_keymap_only = {{ lacre_enc_keymap_only }}
 # Whether we should only decrypt emails if they are explicitly defined in
 # the key mappings below ([dec_keymap] section)
 # This means gpg-mailgate won't automatically detect PGP recipients for decrypting
 dec_keymap_only = {{ lacre_dec_keymap_only }}
 # If dec_keymap_only is set to yes and recipients have private keys present for decrypting
 # but are not on in the keymap, this can cause that mails for them will be
 # encrypted. Set this to no if you want this behaviour.
 failsave_dec = {{ lacre_failsave_dec }}
 # Convert encrypted text/plain email to MIME-attached encrypt style.
 # (Default is to use older inline-style PGP encoding.)
 mime_conversion = {{ lacre_mime_conversion }}
@ -29,20 +19,6 @@ mime_conversion = {{ lacre_mime_conversion }}
 # recipients all ignore the RFC you could this to yes.
 mail_case_insensitive = {{ lacre_mail_case_insensitive }}
 # This setting disables PGP/INLINE decryption completely. However,
 # PGP/MIME encrypted mails will still be decrypted if possible. PGP/INLINE
 # decryption has to be seen as experimental and could have some negative
 # side effects. So if you want to take the risk set this to no.
 no_inline_dec = {{ lacre_no_inline_dec }}
 # Here you can define a regex for which the gateway should try to decrypt mails.
 # It could be used to define that decryption should be used for a wider range of
 # mail addresses e.g. a whole domain. No key is needed here. It is even active if 
 # dec_keymap is set to yes. If this feature should be disabled, don't leave it blank.
 # Set it to None. For further regex information please have a look at
 # https://docs.python.org/2/library/re.html
 dec_regex = {{ lacre_dec_regex }}
 [gpg]
 # the directory where gpg-mailgate public keys are stored
 # (see INSTALL for details)
@ -69,6 +45,24 @@ mail_templates = {{ lacre_mail_templates }}
 # path to the logging configuration; see documentation for details:
 # https://docs.python.org/3/library/logging.config.html#logging-config-fileformat
 config = {{ lacre_logfile }}
 {% if lacre_daemon == 'true' %} 
 [daemon]
 # Advanced Content Filter section.
 #
 # Advanced filters differ from Simple ones by providing a daemon that handles
 # requests, instead of starting a new process each time a message arrives.
 host = {{ lacre_daemon_host }}
 port = {{ lacre_daemon_port }}
 # Maximum size (in bytes) of message body, i.e. data provided after DATA
 # message.  Following value comes from aiosmtpd module's default for this
 # setting.
 max_data_bytes = {{ lacre_max_data_bytes }}33554432
 # Sometimes it may make sense to log additional information from mail headers.
 # This should never be PII, but information like encoding, content types, etc.
 log_headers = {{ lacre_log_headers }}no
 {% endif %}
 [relay]
 # the relay settings to use for Postfix
@ -94,6 +88,8 @@ port = {{ lacre_smtp_port }}
 starttls = {{ lacre_smtp_starttls }}
 [database]
 # edit the settings below if you want to read keys from a
 # gpg-mailgate-web database other than SQLite
 enabled = {{ lacre_webgate_db_enabled }}
 {% if lacre_webgate_db_backend == 'sqlite' %}
 url = sqlite://{{ lacre_webgate_db_name }}
--- a/templates/etc/systemd/system/gpg-lacre.service.j2
+++ b/templates/etc/systemd/system/gpg-lacre.service.j2
@ -0,0 +1,17 @@
 [Unit]
 Description=GPG Lacre mailgate daemon
 After=syslog.target network.target
 [Service]
 Type=simple
 User={{ lacre_username }}
 Group={{ lacre_group }}
 WorkingDirectory={{ lacre_app_dir }}
 Environment=GPG_MAILGATE_CONFIG={{ lacre_config_file }}
 ExecStart={{ lacre_systemd_execstart }}
 Restart=always
 RestartSec={{ lacre_systemd_restartsec }}
 [Install]
 WantedBy=multi-user.target
--- a/templates/lacre-webgate/config.php.j2
+++ b/templates/lacre-webgate/config.php.j2
@ -37,6 +37,17 @@ $config['email_subject_requestpgp'] = '{{ lacre_webgate_email_subject_requestpgp
 //site URL, without trailing slash
 $config['site_url'] = '{{ lacre_webgate_site_url }}';
 //site logo
 $config['site_logo'] = '{{ lacre_webgate_site_logo }}';
 //link to FAQ page
 $config['site_faqurl'] = '{{ lacre_webgate_site_faqurl }}';
 //link to tutorial website
 $config['site_howurl'] = '{{ lacre_webgate_site_howurl }}';
 //link to contact page
 $config['site_contacturl'] = '{{ lacre_webgate_site_contacturl }}';
 //title of the website (displayed on home page)
 $config['site_title'] = '{{ lacre_webgate_site_title }}';
@ -52,7 +63,7 @@ $config['debug'] = '{{ lacre_webgate_debug }}';
 //
 //whether to send mail through SMTP (instead of PHP mail function)
-$config['mail_smtp'] = {{ lacre_mail_smtp }};
+$config['mail_smtp'] = {{ lacre_webgate_mail_smtp }};
 //SMTP settings, if mail_smtp is enabled
 //this requires Net_SMTP from http://pear.php.net/package/Net_SMTP/ to be installed