From 1789106a39c24be8ca9019feb31c8f93c09b32d8 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Wed, 16 Jan 2019 13:23:11 -0800 Subject: minor README and TODO --- README.md | 2 +- TODO | 15 ++++++++------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 0cf5ef4..8e987fd 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ servers and infrastructure. Be sure to keep things compatible with ansible 1.7.2 (the version in Debian jessie). -Check out NOW_WHAT.md for next steps after creating a server with these +Check out `NOW_WHAT.md` for next steps after creating a server with these scripts. Vault: diff --git a/TODO b/TODO index ea1357f..8e065ad 100644 --- a/TODO +++ b/TODO @@ -1,12 +1,16 @@ -- mediagoblin +- logwatch +- firewall: ufw or ferm +- ghost +- sigal +- git-annex + + +x mediagoblin https://issues.mediagoblin.org/ticket/5455 https://issues.mediagoblin.org/ticket/5441 - automate SSL with let's encrypt https://community.letsencrypt.org/t/howto-certificate-renewal-with-ansible/10214 -- docs for postfix+dovecot let's encrypt setup - https://ssl-tools.net/mailservers/ - nginx default config: gzip, sendfile, autoindex, etc -- email... - unattended updates: maybe create new file instead of overwriting? - mediagoblin required double-build to be successful? @@ -14,10 +18,7 @@ => root-title, readme, root-desc, agefile => proper agefile based on commit date? -- prosody -- a workstation target? eg, with "my" package list - gh-mirror (?) - import old cruft/README from nsa commissioning repo - review/refactor to ensure "copy" and "templates" are force=no when appropriate (user-modifiable stuff) -- cgit: front-page README ("about"), logo? -- cgit v1.2.3 From 619285adf88d3ea78a1501108888d0d2d23d0a06 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Wed, 16 Jan 2019 13:23:49 -0800 Subject: adze auth flags --- hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts b/hosts index 1dc5efa..061442f 100644 
--- a/hosts +++ b/hosts @@ -2,5 +2,5 @@ # "ansible_sudo=true"), or login as root (in which case, # "ansible_ssh_user=root") -adze.robocracy.org ansible_ssh_user=root +adze.robocracy.org ansible_user=bnewbold ansible_become=true ansible_become_user=root bnewbold.the-nsa.org ansible_sudo=true -- cgit v1.2.3 From 427427ec3bcb58eadaa9c62477f70a5f3c6f39e0 Mon Sep 17 00:00:00 2001 
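Review bot: The new adze entry relies on `ansible_user`/`ansible_become`, which only exist from Ansible 1.9 onward, while the README hunk in the preceding commit still asks to keep everything compatible with ansible 1.7.2 (Debian jessie); one of the two statements has to give. The comment lines kept as context above the change still document only `ansible_sudo=true` and `ansible_ssh_user=root`, so they no longer describe this host. `ansible_become_user=root` is the module default and can be dropped, leaving `adze.robocracy.org ansible_user=bnewbold ansible_become=true`.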
From: Bryan Newbold Date: Wed, 16 Jan 2019 13:24:08 -0800 Subject: mailserver role --- playbooks/init_adze.yml | 2 +- roles/mailserver/handlers/main.yml | 8 + roles/mailserver/tasks/dovecot.yml | 39 +++ roles/mailserver/tasks/main.yml | 6 + roles/mailserver/tasks/postfix.yml | 18 ++ roles/mailserver/tasks/rspamd.yml | 52 ++++ .../etc_apache2_sites-available_autoconfig.j2 | 26 ++ .../templates/etc_dovecot_conf.d_10-ssl.conf.j2 | 53 ++++ .../templates/etc_dovecot_conf.d_15-lda.conf.j2 | 48 ++++ .../templates/etc_dovecot_conf.d_20-imap.conf.j2 | 64 +++++ .../templates/etc_dovecot_dovecot-sql.conf.ext.j2 | 138 ++++++++++ roles/mailserver/templates/etc_postfix_main.cf.j2 | 126 +++++++++ .../etc_postfix_mysql-virtual-alias-maps.cf.j2 | 5 + ...etc_postfix_mysql-virtual-mailbox-domains.cf.j2 | 5 + .../etc_postfix_mysql-virtual-mailbox-maps.cf.j2 | 5 + .../etc_postfix_pgsql-virtual-alias-maps.cf.j2 | 5 + ...etc_postfix_pgsql-virtual-mailbox-domains.cf.j2 | 5 + .../etc_postfix_pgsql-virtual-mailbox-maps.cf.j2 | 5 + .../templates/etc_rspamd_local.d_dmarc.conf.j2 | 47 ++++ roles/mailserver/templates/mailserver.sql.j2 | 57 ++++ .../templates/usr_share_z-push_config.php.j2 | 306 +++++++++++++++++++++ .../var_www_autoconfig_mail_config-v1.1.j2 | 29 ++ 22 files changed, 1048 insertions(+), 1 deletion(-) create mode 100644 roles/mailserver/handlers/main.yml create mode 100644 roles/mailserver/tasks/dovecot.yml create mode 100644 roles/mailserver/tasks/main.yml create mode 100644 roles/mailserver/tasks/postfix.yml create mode 100644 roles/mailserver/tasks/rspamd.yml create mode 100644 roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2 create mode 100644 roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2 create mode 100644 roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2 create mode 100644 roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j2 create mode 100644 roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2 create mode 
100644 roles/mailserver/templates/etc_postfix_main.cf.j2 create mode 100644 roles/mailserver/templates/etc_postfix_mysql-virtual-alias-maps.cf.j2 create mode 100644 roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-domains.cf.j2 create mode 100644 roles/mailserver/templates/etc_postfix_mysql-virtual-mailbox-maps.cf.j2 create mode 100644 roles/mailserver/templates/etc_postfix_pgsql-virtual-alias-maps.cf.j2 create mode 100644 roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-domains.cf.j2 create mode 100644 roles/mailserver/templates/etc_postfix_pgsql-virtual-mailbox-maps.cf.j2 create mode 100644 roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2 create mode 100644 roles/mailserver/templates/mailserver.sql.j2 create mode 100644 roles/mailserver/templates/usr_share_z-push_config.php.j2 create mode 100644 roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2 diff --git a/playbooks/init_adze.yml b/playbooks/init_adze.yml index b1b5d60..8ca3bfe 100644 --- a/playbooks/init_adze.yml +++ b/playbooks/init_adze.yml @@ -21,11 +21,11 @@ - debian_stretch - hostname - common - - nullmailer - nginx - git - mediagoblin - znc + - mailserver tasks: - name: Create main user account diff --git a/roles/mailserver/handlers/main.yml b/roles/mailserver/handlers/main.yml new file mode 100644 index 0000000..5c5caea --- /dev/null +++ b/roles/mailserver/handlers/main.yml @@ -0,0 +1,8 @@ +- name: restart postfix + service: name=postfix state=restarted + +- name: restart dovecot + service: name=dovecot state=restarted + +- name: restart rspamd + service: name=rspamd state=restarted diff --git a/roles/mailserver/tasks/dovecot.yml b/roles/mailserver/tasks/dovecot.yml new file mode 100644 index 0000000..9d2c20e --- /dev/null +++ b/roles/mailserver/tasks/dovecot.yml 
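Review bot: Removing `- nullmailer` from the role list does not remove the package or its configuration from a host that was already provisioned with it; Debian's postfix conflicts with other mail-transport-agent providers, so apt will presumably swap nullmailer out when the new `mailserver` role installs postfix, but that is an implicit side effect of the install. An explicit `- apt: name=nullmailer state=absent` task ahead of the postfix install in the mailserver role would record the intent and keep the change idempotent. The `playbooks/init_adze.yml` roles list continues outside this hunk.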
@@ -0,0 +1,39 @@ +- name: Install Dovecot and related packages + apt: pkg={{ item }} update_cache=yes state=installed + with_items: + - dovecot-core + - dovecot-imapd + - dovecot-lmtpd + - dovecot-antispam + tags: + - dependencies + +#- name: Copy dovecot.conf into place +# copy: src=etc_dovecot_dovecot.conf dest=/etc/dovecot/dovecot.conf + +#- name: Create before.d sieve scripts directory +# file: path=/etc/dovecot/sieve/before.d state=directory owner=vmail group=dovecot recurse=yes mode=0770 +# notify: restart dovecot + +#- name: Configure sieve script moving spam into Junk folder +# copy: src=etc_dovecot_sieve_before.d_no-spam.sieve dest=/etc/dovecot/sieve/before.d/no-spam.sieve owner=vmail group=dovecot +# notify: restart dovecot + +#- name: Copy additional Dovecot configuration files in place +# copy: src=etc_dovecot_conf.d_{{ item }} dest=/etc/dovecot/conf.d/{{ item }} +# with_items: +# - 10-auth.conf +# - 10-mail.conf +# - 10-master.conf +# - 90-antispam.conf +# - 90-plugin.conf +# - 90-sieve.conf +# notify: restart dovecot + +#- name: Update post-certificate-renewal task +# copy: +# content: "#!/bin/bash\n\n/etc/init.d/dovecot restart\n" +# dest: /etc/letsencrypt/postrenew/dovecot.sh +# mode: 0755 +# owner: root +# group: root diff --git a/roles/mailserver/tasks/main.yml b/roles/mailserver/tasks/main.yml new file mode 100644 index 0000000..7691288 --- /dev/null +++ b/roles/mailserver/tasks/main.yml @@ -0,0 +1,6 @@ +- include: postfix.yml + tags: postfix +- include: dovecot.yml + tags: dovecot +- include: rspamd.yml + tags: rspamd diff --git a/roles/mailserver/tasks/postfix.yml b/roles/mailserver/tasks/postfix.yml new file mode 100644 index 0000000..a36acd6 --- /dev/null +++ b/roles/mailserver/tasks/postfix.yml 
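Review bot: The `with_items` list installs `dovecot-core`, `dovecot-imapd`, `dovecot-lmtpd` and `dovecot-antispam`, but the templates added in the same commit enable the `sieve` plugin (in the lda template) and `fts fts_solr` (in `20-imap.conf`), which on Debian are shipped in `dovecot-sieve` and `dovecot-solr`; either add those two packages here or remove the plugins from `mail_plugins`. Every configuration task in this file is commented out, so as committed the role installs Dovecot and leaves the distribution default configuration in place, and none of the `etc_dovecot_*.j2` templates, including the `ssl = required` setting in `10-ssl.conf`, is ever rendered. A one-line `# TODO: config tasks disabled until templates are finished` at the top of the file would make that state explicit to the next reader instead of looking like an oversight.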
@@ -0,0 +1,18 @@ +- name: Install Postfix and related packages + apt: pkg={{ item }} state=installed + with_items: + - libsasl2-modules + - postfix + - postfix-pcre + - sasl2-bin + tags: + - dependencies + +#- name: Copy main.cf +# template: src=etc_postfix_main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root +# notify: restart postfix + +#- name: Copy master.cf +# copy: src=etc_postfix_master.cf dest=/etc/postfix/master.cf owner=root group=root +# notify: restart postfix + diff --git a/roles/mailserver/tasks/rspamd.yml b/roles/mailserver/tasks/rspamd.yml new file mode 100644 index 0000000..4d870a8 --- /dev/null +++ b/roles/mailserver/tasks/rspamd.yml 
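Review bot: With both the `Copy main.cf` and `Copy master.cf` tasks commented out, Postfix runs here with whatever configuration the package's debconf step produced, and the 126-line `etc_postfix_main.cf.j2` plus the six mysql/pgsql map templates added in this commit are never rendered. `sasl2-bin` and `libsasl2-modules` are installed without any task configuring SASL, so the authenticated submission on 587 that the autoconfig XML advertises cannot work until those tasks are restored. Unlike `dovecot.yml`, this apt task has no `update_cache=yes`, and since `main.yml` includes `postfix.yml` first, on a fresh host this install may run against a stale index depending on what earlier roles did.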
@@ -0,0 +1,52 @@ +--- +# Installs and configures the Rspamd spam filtering system. + +- name: Ensure repository key for Rspamd is in place + apt_key: url=https://rspamd.com/apt-stable/gpg.key state=present + when: ansible_architecture != "armv7l" + tags: + - dependencies + +- name: Ensure yunohost repository key for Rspamd is in place for ARM + apt_key: url=http://repo.yunohost.org/debian/yunohost.asc state=present + when: ansible_architecture == "armv7l" + tags: + - dependencies + +- name: Add Rspamd repository + apt_repository: repo="deb https://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main" + when: ansible_architecture != "armv7l" + tags: + - dependencies + +- name: Add yunohost Rspamd repository for ARM + apt_repository: repo="deb http://repo.yunohost.org/debian {{ ansible_distribution_release }} stable" + when: ansible_architecture == "armv7l" + tags: + - dependencies + +- name: Install Rspamd and Redis + apt: pkg={{ item }} state=installed update_cache=yes + with_items: + - rspamd + tags: + - dependencies + +#- name: Copy DMARC configuration into place +# template: src=etc_rspamd_local.d_dmarc.conf.j2 dest=/etc/rspamd/local.d/dmarc.conf owner=root group=root mode="0644" +# notify: restart rspamd + +#- name: Copy DKIM configuration into place +# copy: src=etc_rspamd_override.d_dkim_signing.conf dest=/etc/rspamd/override.d/dkim_signing.conf owner=root group=root mode="0644" +# notify: restart rspamd + +#- name: Create dkim key directory +# file: path=/var/lib/rspamd/dkim state=directory owner=_rspamd group=_rspamd + +#- name: Generate DKIM keys +# shell: rspamadm dkim_keygen -s default -d {{ item.name }} -k {{ item.name }}.default.key > {{ item.name }}.default.txt +# args: +# creates: /var/lib/rspamd/dkim/{{ item.name }}.default.key +# chdir: /var/lib/rspamd/dkim/ +# with_items: "{{ mail_virtual_domains }}" + 
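Review bot: The ARM branch fetches the repository signing key with `apt_key: url=http://repo.yunohost.org/debian/yunohost.asc` and configures the repository as `deb http://repo.yunohost.org/debian ...`; retrieving the key itself over plain HTTP lets anyone on the path substitute it, which defeats the signature check the repository depends on, so use `https://` for both and pin the expected key fingerprint with the `id=` parameter of `apt_key` (the rspamd.com key task above should get the same `id=` pin). The task named `Install Rspamd and Redis` installs only `rspamd`; add `redis-server` to `with_items` or rename the task so the name matches what it does.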
diff --git a/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2 b/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2 new file mode 100644 index 0000000..1c3a07c --- /dev/null +++ b/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2 @@ -0,0 +1,26 @@ +# NOTE: We don't permanently redirect clients to the HTTPS address because some clients, like +# Thunderbird, dont't follow redirections to the HTTPS URL. +# +# Additionally, documentation doesn't say whether the XML file should be served over either HTTP, +# HTTPS or both, even though only the former is mentioned. Still, we allow clients to choose +# between HTTP and HTTPS transports. + + + + ServerName {{ mail_server_autoconfig_hostname }} + + DocumentRoot "/var/www/autoconfig" + Options -Indexes + + HostnameLookups Off + + + + ServerName {{ mail_server_autoconfig_hostname }} + SSLEngine On + + DocumentRoot "/var/www/autoconfig" + Options -Indexes + + HostnameLookups Off + diff --git a/roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2 b/roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2 new file mode 100644 index 0000000..8ba6ae5 --- /dev/null +++ b/roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2 
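Review bot: No task in `roles/mailserver/tasks/` installs apache2 or renders this template (the only template references in the role are inside commented-out tasks), so the autoconfig vhost is dead configuration as of this commit; add the install and template tasks, or state in the header comment that it is pending. The HTTPS vhost sets `SSLEngine On` but no `SSLCertificateFile`/`SSLCertificateKeyFile` directives appear in the hunk; unless they are inherited from the global server configuration, Apache will refuse to start, so the template should carry them explicitly. Minor: `dont't` in the header comment should read `don't`.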
@@ -0,0 +1,53 @@ +## +## SSL settings +## + +# SSL/TLS support: yes, no, required. +ssl = required + +# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before +# dropping root privileges, so keep the key file unreadable by anyone but +# root. Included doc/mkcert.sh can be used to easily generate self-signed +# certificate, just make sure to update the domains in dovecot-openssl.cnf +ssl_cert = . +postmaster_address = postmaster@{{domain}} + +# Hostname to use in various parts of sent mails, eg. in Message-Id. +# Default is the system's real hostname. +hostname = {{ mail_server_hostname }} + +# If user is over quota, return with temporary failure instead of +# bouncing the mail. +#quota_full_tempfail = no + +# Binary to use for sending mails. +#sendmail_path = /usr/sbin/sendmail + +# If non-empty, send mails via this SMTP host[:port] instead of sendmail. +#submission_host = + +# Subject: header to use for rejection mails. You can use the same variables +# as for rejection_reason below. +#rejection_subject = Rejected: %s + +# Human readable error message for rejection mails. You can use variables: +# %n = CRLF, %r = reason, %s = original subject, %t = recipient +#rejection_reason = Your message to <%t> was automatically rejected:%n%r + +# Delimiter character between local-part and detail in email address. +#recipient_delimiter = + + +# Header where the original recipient address (SMTP's RCPT TO: address) is taken +# from if not available elsewhere. With dovecot-lda -a parameter overrides this. +# A commonly used header for this is X-Original-To. +#lda_original_recipient_header = + +# Should saving a mail to a nonexistent mailbox automatically create it? +#lda_mailbox_autocreate = no + +# Should automatically created mailboxes be also automatically subscribed? +#lda_mailbox_autosubscribe = no + +protocol lda { + # Space separated list of plugins to load (default is global mail_plugins). + mail_plugins = $mail_plugins sieve +} 
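Review bot: `postmaster_address = postmaster@{{domain}}` and `hostname = {{ mail_server_hostname }}` (this appears to be the `15-lda.conf` template; its diff header is lost in this rendering) reference variables that nothing in the commit defines: the role ships no `defaults/main.yml` or `vars/`, and the `init_adze.yml` vars block sets only admin_email, main_user_name, hostname_fqdn, cgit_hostname and gitolite_hostname. Once the template tasks are re-enabled, rendering will fail on the undefined names, and the same applies to `mail_server_autoconfig_hostname`, `zpush_timezone` and `mail_virtual_domains` used by the other templates, so a `roles/mailserver/defaults/main.yml` declaring them is needed. Style: `{{domain}}` should be written `{{ domain }}` to match the spacing used everywhere else in the role.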
diff --git a/roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j2 b/roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j2 new file mode 100644 index 0000000..fcd59a5 --- /dev/null +++ b/roles/mailserver/templates/etc_dovecot_conf.d_20-imap.conf.j2 
@@ -0,0 +1,64 @@ +## +## IMAP specific settings +## + +protocol imap { + # Maximum IMAP command line length. Some clients generate very long command + # lines with huge mailboxes, so you may need to raise this if you get + # "Too long argument" or "IMAP command line too large" errors often. + #imap_max_line_length = 64k + + # Maximum number of IMAP connections allowed for a user from each IP address. + # NOTE: The username is compared case-sensitively. + #mail_max_userip_connections = 10 + + # Space separated list of plugins to load (default is global mail_plugins). + mail_plugins = $mail_plugins antispam fts fts_solr + + # IMAP logout format string: + # %i - total number of bytes read from client + # %o - total number of bytes sent to client + #imap_logout_format = bytes=%i/%o + + # Override the IMAP CAPABILITY response. If the value begins with '+', + # add the given capabilities on top of the defaults (e.g. +XFOO XBAR). + #imap_capability = + + # How long to wait between "OK Still here" notifications when client is + # IDLEing. + #imap_idle_notify_interval = 2 mins + + # ID field names and values to send to clients. Using * as the value makes + # Dovecot use the default value. The following fields have default values + # currently: name, version, os, os-version, support-url, support-email. + #imap_id_send = + + # ID fields sent by client to log. * means everything. + #imap_id_log = + + # Workarounds for various client bugs: + # delay-newmail: + # Send EXISTS/RECENT new mail notifications only when replying to NOOP + # and CHECK commands. Some clients ignore them otherwise, for example OSX + # Mail (. +* +* Consult LICENSE file for details +************************************************/ + +/********************************************************************************** + * Default settings + */ + // Defines the default time zone, change e.g. 
to "Europe/London" if necessary + define('TIMEZONE', '{{ zpush_timezone }}'); + + // Defines the base path on the server + define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/'); + + // Try to set unlimited timeout + define('SCRIPT_TIMEOUT', 0); + + // When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP + define('USE_X_FORWARDED_FOR_HEADER', false); + + // When using client certificates, we can check if the login sent matches the owner of the certificate. + // This setting specifies the owner parameter in the certificate to look at. + define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN"); + +/********************************************************************************** + * Default FileStateMachine settings + */ + define('STATE_DIR', '/decrypted/zpush-state/'); + + +/********************************************************************************** + * Logging settings + * Possible LOGLEVEL and LOGUSERLEVEL values are: + * LOGLEVEL_OFF - no logging + * LOGLEVEL_FATAL - log only critical errors + * LOGLEVEL_ERROR - logs events which might require corrective actions + * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future + * LOGLEVEL_INFO - usually completed actions + * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers + * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device + * LOGLEVEL_DEVICEID - also prints the device id for every log entry + * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack + * + * The verbosity increases from top to bottom. More verbose levels include less verbose + * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR, + * LOGLEVEL_WARN and LOGLEVEL_INFO level entries. + */ + define('LOGFILEDIR', '/var/log/z-push/'); + define('LOGFILE', LOGFILEDIR . 'z-push.log'); + define('LOGERRORFILE', LOGFILEDIR . 
'z-push-error.log'); + define('LOGLEVEL', LOGLEVEL_INFO); + define('LOGAUTHFAIL', false); + + + // To save e.g. WBXML data only for selected users, add the usernames to the array + // The data will be saved into a dedicated file per user in the LOGFILEDIR + // Users have to be encapusulated in quotes, several users are comma separated, like: + // $specialLogUsers = array('info@domain.com', 'myusername'); + define('LOGUSERLEVEL', LOGLEVEL_DEVICEID); + $specialLogUsers = array(); + + // Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem' + // Uncomment and modify the following line if the validation of the certificates fails. + // define('CAINFO', '/etc/ssl/certs/EmailCA.pem'); + +/********************************************************************************** + * Mobile settings + */ + // Device Provisioning + define('PROVISIONING', true); + + // This option allows the 'loose enforcement' of the provisioning policies for older + // devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution + // false (default) - Enforce provisioning for all devices + // true - allow older devices, but enforce policies on devices which support it + define('LOOSE_PROVISIONING', false); + + // Default conflict preference + // Some devices allow to set if the server or PIM (mobile) + // should win in case of a synchronization conflict + // SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins + // SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default) + define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM); + + // Global limitation of items to be synchronized + // The mobile can define a sync back period for calendar and email items + // For large stores with many items the time period could be limited to a max value + // If the mobile transmits a wider time period, the defined max value is used + // Applicable values: + // SYNC_FILTERTYPE_ALL (default, no limitation) + // SYNC_FILTERTYPE_1DAY, 
SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS, + // SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS + define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_3MONTHS); + + // Interval in seconds before checking if there are changes on the server when in Ping. + // It means the highest time span before a change is pushed to a mobile. Set it to + // a higher value if you have a high load on the server. + define('PING_INTERVAL', 30); + + // Interval in seconds to force a re-check of potentially missed notifications when + // using a changes sink. Default are 300 seconds (every 5 min). + // This can also be disabled by setting it to false + define('SINK_FORCERECHECK', 300); + + // Set the fileas (save as) order for contacts in the webaccess/webapp/outlook. + // It will only affect new/modified contacts on the mobile which then are synced to the server. + // Possible values are: + // SYNC_FILEAS_FIRSTLAST - fileas will be "Firstname Middlename Lastname" + // SYNC_FILEAS_LASTFIRST - fileas will be "Lastname, Firstname Middlename" + // SYNC_FILEAS_COMPANYONLY - fileas will be "Company" + // SYNC_FILEAS_COMPANYLAST - fileas will be "Company (Lastname, Firstname Middlename)" + // SYNC_FILEAS_COMPANYFIRST - fileas will be "Company (Firstname Middlename Lastname)" + // SYNC_FILEAS_LASTCOMPANY - fileas will be "Lastname, Firstname Middlename (Company)" + // SYNC_FILEAS_FIRSTCOMPANY - fileas will be "Firstname Middlename Lastname (Company)" + // The company-fileas will only be set if a contact has a company set. If one of + // company-fileas is selected and a contact doesn't have a company set, it will default + // to SYNC_FILEAS_FIRSTLAST or SYNC_FILEAS_LASTFIRST (depending on if last or first + // option is selected for company). 
+ // If SYNC_FILEAS_COMPANYONLY is selected and company of the contact is not set + // SYNC_FILEAS_LASTFIRST will be used + define('FILEAS_ORDER', SYNC_FILEAS_LASTFIRST); + + // Amount of items to be synchronized per request + // Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100. + // Exporting too much items can cause mobile timeout on busy systems. + // Z-Push will use the lowest value, either set here or by the mobile. + // default: 100 - value used if mobile does not limit amount of items + define('SYNC_MAX_ITEMS', 100); + + // The devices usually send a list of supported properties for calendar and contact + // items. If a device does not includes such a supported property in Sync request, + // it means the property's value will be deleted on the server. + // However some devices do not send a list of supported properties. It is then impossible + // to tell if a property was deleted or it was not set at all if it does not appear in Sync. + // This parameter defines Z-Push behaviour during Sync if a device does not issue a list with + // supported properties. + // See also https://jira.zarafa.com/browse/ZP-302. + // Possible values: + // false - do not unset properties which are not sent during Sync (default) + // true - unset properties which are not sent during Sync + define('UNSET_UNDEFINED_PROPERTIES', false); + + // ActiveSync specifies that a contact photo may not exceed 48 KB. This value is checked + // in the semantic sanity checks and contacts with larger photos are not synchronized. + // This limitation is not being followed by the ActiveSync clients which set much bigger + // contact photos. You can override the default value of the max photo size. 
+ // default: 49152 - 48 KB default max photo size in bytes + define('SYNC_CONTACTS_MAXPICTURESIZE', 49152); + +/********************************************************************************** + * Backend settings + */ + // the backend data provider + define('BACKEND_PROVIDER', 'BackendIMAP'); + + + // ************************ + // BackendZarafa settings + // ************************ + // Defines the server to which we want to connect + define('MAPI_SERVER', 'file:///var/run/zarafa'); + + + // ************************ + // BackendIMAP settings + // ************************ + // Defines the server to which we want to connect + define('IMAP_SERVER', 'localhost'); + // connecting to default port (143) + define('IMAP_PORT', 993); + // best cross-platform compatibility (see http://php.net/imap_open for options) + define('IMAP_OPTIONS', '/ssl/novalidate-cert'); + // overwrite the "from" header if it isn't set when sending emails + // options: 'username' - the username will be set (usefull if your login is equal to your emailaddress) + // 'domain' - the value of the "domain" field is used + // '@mydomain.com' - the username is used and the given string will be appended + define('IMAP_DEFAULTFROM', ''); + // copy outgoing mail to this folder. If not set d-push will try the default folders + define('IMAP_SENTFOLDER', 'Sent'); + // forward messages inline (default false - as attachment) + define('IMAP_INLINE_FORWARD', false); + // don't use imap_mail() to send emails. 
+ // true (default, uses imap_mail, which is broken - false uses mail(), + // which handles cc and from in a more sane way) + define('IMAP_USE_IMAPMAIL', false); + + + // ************************ + // BackendMaildir settings + // ************************ + define('MAILDIR_BASE', '/tmp'); + define('MAILDIR_SUBDIR', 'Maildir'); + + // ********************** + // BackendVCardDir settings + // ********************** + define('VCARDDIR_DIR', '/home/%u/.kde/share/apps/kabc/stdvcf'); + + +/********************************************************************************** + * Search provider settings + * + * Alternative backend to perform SEARCH requests (GAL search) + * By default the main Backend defines the preferred search functionality. + * If set, the Search Provider will always be preferred. + * Use 'BackendSearchLDAP' to search in a LDAP directory (see backend/searchldap/config.php) + */ + define('SEARCH_PROVIDER', ''); + // Time in seconds for the server search. Setting it too high might result in timeout. + // Setting it too low might not return all results. Default is 10. + define('SEARCH_WAIT', 10); + // The maximum number of results to send to the client. Setting it too high + // might result in timeout. Default is 10. + define('SEARCH_MAXRESULTS', 10); + + +/********************************************************************************** + * Synchronize additional folders to all mobiles + * + * With this feature, special folders can be synchronized to all mobiles. + * This is useful for e.g. global company contacts. + * + * This feature is supported only by certain devices, like iPhones. + * Check the compatibility list for supported devices: + * http://z-push.sf.net/compatibility + * + * To synchronize a folder, add a section setting all parameters as below: + * store: the ressource where the folder is located. 
+ * Zarafa users use 'SYSTEM' for the 'Public Folder' + * folderid: folder id of the folder to be synchronized + * name: name to be displayed on the mobile device + * type: supported types are: + * SYNC_FOLDER_TYPE_USER_CONTACT + * SYNC_FOLDER_TYPE_USER_APPOINTMENT + * SYNC_FOLDER_TYPE_USER_TASK + * SYNC_FOLDER_TYPE_USER_MAIL + * + * Additional notes: + * - on Zarafa systems use backend/zarafa/listfolders.php script to get a list + * of available folders + * + * - all Z-Push users must have full writing permissions (secretary rights) so + * the configured folders can be synchronized to the mobile + * + * - this feature is only partly suitable for multi-tenancy environments, + * as ALL users from ALL tenents need access to the configured store & folder. + * When configuring a public folder, this will cause problems, as each user has + * a different public folder in his tenant, so the folder are not available. + + * - changing this configuration could cause HIGH LOAD on the system, as all + * connected devices will be updated and load the data contained in the + * added/modified folders. + */ + + $additionalFolders = array( + // demo entry for the synchronization of contacts from the public folder. + // uncomment (remove '/*' '*/') and fill in the folderid +/* + array( + 'store' => "SYSTEM", + 'folderid' => "", + 'name' => "Public Contacts", + 'type' => SYNC_FOLDER_TYPE_USER_CONTACT, + ), +*/ + ); + +?> \ No newline at end of file diff --git a/roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2 b/roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2 new file mode 100644 index 0000000..8ca98ab --- /dev/null +++ b/roles/mailserver/templates/var_www_autoconfig_mail_config-v1.1.j2 
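Review bot: `define('IMAP_OPTIONS', '/ssl/novalidate-cert');` disables certificate verification for the backend IMAP connection; with `IMAP_SERVER` set to `localhost` the exposure is limited, but the reason belongs next to it, e.g. `// localhost only: presumably the Dovecot cert is issued for the public hostname and cannot validate here`, and the comment just above, `// connecting to default port (143)`, is stale now that `IMAP_PORT` is 993. `define('LOGAUTHFAIL', false);` suppresses logging of failed ActiveSync logins, which removes the signal that fail2ban-style monitoring on this host would need; consider `true`. `STATE_DIR` points at `/decrypted/zpush-state/` and `LOGFILEDIR` at `/var/log/z-push/`, and no task in the role creates either directory or deploys this template, so the file is unused as committed (its `@@` header is lost in this rendering, so line placement is approximate).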
@@ -0,0 +1,29 @@ + + + + {{ domain }} + {{ domain }} + {{ domain }} + + {{ mail_server_hostname }} + 993 + SSL + password-cleartext + %EMAILADDRESS% + + + {{ mail_server_hostname }} + 995 + SSL + password-cleartext + %EMAILADDRESS% + + + {{ mail_server_hostname }} + 587 + STARTTLS + password-cleartext + %EMAILADDRESS% + + + -- cgit v1.2.3 From 24efe54e54edbdae1ce3261da92deb22d2bafe7b Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Wed, 16 Jan 2019 13:25:12 -0800 Subject: not actually using mediagoblin (sigal instead) --- playbooks/init_adze.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/playbooks/init_adze.yml b/playbooks/init_adze.yml index 8ca3bfe..326aa70 100644 --- a/playbooks/init_adze.yml +++ b/playbooks/init_adze.yml @@ -11,11 +11,8 @@ - admin_email: "root@robocracy.org" - main_user_name: bnewbold - hostname_fqdn: adze.robocracy.org - - mediagoblin_hostname: goblin.bnewbold.net - cgit_hostname: git.bnewbold.net - gitolite_hostname: git.bnewbold.net - - mediagoblin_email_sender: goblin@bnewbold.net - - mediagoblin_basedir: /srv/http/goblin.bnewbold.net roles: - debian_stretch @@ -23,7 +20,6 @@ - common - nginx - git - - mediagoblin - znc - mailserver -- cgit v1.2.3 From 26a75ca0c035034aae6e15852916fbb320b066c8 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Wed, 22 Jun 2022 12:28:26 -0700 Subject: update letsencrypt for bnewbold.the-nsa.org (old) --- roles/nginx/HOWTO_letsencrypt.txt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/roles/nginx/HOWTO_letsencrypt.txt b/roles/nginx/HOWTO_letsencrypt.txt index ada7075..bf9d0d7 100644 --- a/roles/nginx/HOWTO_letsencrypt.txt +++ b/roles/nginx/HOWTO_letsencrypt.txt 
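Review bot: The autoconfig advertises an incoming server on `995`/`SSL` (POP3S), but `dovecot.yml` installs `dovecot-imapd` and `dovecot-lmtpd` only, with no `dovecot-pop3d`, so a client that selects that entry gets a refused connection; drop the POP3 block or add the package. The outgoing server on `587`/`STARTTLS` with `password-cleartext` requires a Postfix submission listener and SASL, and the `master.cf` task in `postfix.yml` that would provide it is commented out. The element tags of this XML were stripped in the page rendering, so the document structure itself cannot be checked here.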
@@ -39,6 +39,21 @@ cert), do something like this: -d static.bnewbold.net \ -d git.bnewbold.net + sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --email bnewbold@the-nsa.org \ + --webroot -w /var/www/letsencrypt \ + -d bnewbold.the-nsa.org \ + -d files.bnewbold.the-nsa.org \ + -d hashbase.bnewbold.the-nsa.org \ + -d modelthing.the-nsa.org \ + -d obscurity.bnewbold.the-nsa.org \ + -d repro.bnewbold.the-nsa.org \ + -d perf.bnewbold.the-nsa.org --expand + + # formerly: very-flat.com + The above will yield a cert at the following path (presumably path has the first domain name): -- cgit v1.2.3 From 8fc74c4691f81a3aad54995b49b94d8779d0e24b Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Wed, 22 Jun 2022 12:29:12 -0700 Subject: debian bullseye role --- playbooks/init_adze.yml | 2 +- roles/debian_bullseye/defaults/main.yml | 2 + roles/debian_bullseye/tasks/main.yml | 10 +++ .../templates/etc_apt_apt_confd_20auto_upgrades.j2 | 4 + .../etc_apt_apt_confd_50unattended_upgrades.j2 | 94 ++++++++++++++++++++++ .../templates/etc_apt_sources_list.j2 | 15 ++++ 6 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 roles/debian_bullseye/defaults/main.yml create mode 100644 roles/debian_bullseye/tasks/main.yml create mode 100644 roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2 create mode 100644 roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2 create mode 100644 roles/debian_bullseye/templates/etc_apt_sources_list.j2 diff --git a/playbooks/init_adze.yml b/playbooks/init_adze.yml index 326aa70..6850327 100644 --- a/playbooks/init_adze.yml +++ b/playbooks/init_adze.yml @@ -15,7 +15,7 @@ - gitolite_hostname: git.bnewbold.net roles: - - debian_stretch + - debian_bullseye - hostname - common - nginx diff --git a/roles/debian_bullseye/defaults/main.yml b/roles/debian_bullseye/defaults/main.yml new file mode 100644 index 0000000..3703452 --- /dev/null +++ b/roles/debian_bullseye/defaults/main.yml 
@@ -0,0 +1,2 @@
+
+admin_email: "root"
diff --git a/roles/debian_bullseye/tasks/main.yml b/roles/debian_bullseye/tasks/main.yml
new file mode 100644
index 0000000..6ca1691
--- /dev/null
+++ b/roles/debian_bullseye/tasks/main.yml
@@ -0,0 +1,10 @@
+
+- name: Configure sources.list for bullseye
+ template: src=etc_apt_sources_list.j2 dest=/etc/apt/sources.list
+
+- name: Enable automatic upgrades
+ template: src=etc_apt_apt_confd_20auto_upgrades.j2 dest=/etc/apt/apt.conf.d/20auto-upgrades
+
+- name: Configure unattended upgrades for bullseye
+ template: src=etc_apt_apt_confd_50unattended_upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades
+
diff --git a/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2 b/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2
new file mode 100644
index 0000000..c75a5d7
--- /dev/null
+++ b/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2 b/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2
new file mode 100644
index 0000000..967abb1
--- /dev/null
+++ b/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2
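Review bot: The task that templates `/etc/apt/sources.list` is not followed by a cache refresh, so package installs later in the same play (the `common` role runs after `debian_bullseye` in the playbook hunk above) would still resolve against whatever package index was fetched before the switch to bullseye. Add a task right after it, `- name: Refresh apt cache after sources.list change` / `  apt: update_cache=yes`, or a `notify` to a handler that does the same. The three `template` tasks also set no `owner`/`group`/`mode`; apt reads these files as root and the usual default is 0644, so this is only worth making explicit, e.g. `mode=0644`.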
@@ -0,0 +1,94 @@
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// {{ ansible_managed }}
+//
+// Lines below have the format format is "keyword=value,...". A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line. (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted. The accepted keywords are:
+// a,archive,suite (eg, "stable")
+// c,component (eg, "main", "crontrib", "non-free")
+// l,label (eg, "Debian", "Debian-Security")
+// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
+// n,codename (eg, "bullseye", "bullseye-updates")
+// site (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+// ${distro_id} Installed origin.
+// ${distro_codename} Installed codename (eg, "bullseye")
+Unattended-Upgrade::Origins-Pattern {
+ // Codename based matching:
+ // This will follow the migration of a release through different
+ // archives (e.g. from testing to stable and later oldstable).
+ "o=Debian,n=bullseye";
+ "o=Debian,n=bullseye-updates";
+// "o=Debian,n=bullseye-proposed-updates";
+ "o=Debian,n=bullseye,l=Debian-Security";
+
+ // Archive or Suite based matching:
+ // Note that this will silently match a different release after
+ // migration to the specified archive (e.g. testing becomes the
+ // new stable).
+// "o=Debian,a=stable";
+// "o=Debian,a=stable-updates";
+// "o=Debian,a=proposed-updates";
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+ "vim";
+ "libc6";
+ "libc6-dev";
+ "libc6-i686";
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+// dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "{{ admin_email }}";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+// the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "false";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+// Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
diff --git a/roles/debian_bullseye/templates/etc_apt_sources_list.j2 b/roles/debian_bullseye/templates/etc_apt_sources_list.j2
new file mode 100644
index 0000000..b0644bb
--- /dev/null
+++ b/roles/debian_bullseye/templates/etc_apt_sources_list.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+deb http://http.debian.net/debian/ bullseye main
+deb-src http://http.debian.net/debian/ bullseye main
+
+deb http://security.debian.org/debian-security bullseye-security main
+deb-src http://security.debian.org/debian-security bullseye-security main
+
+# bullseye-updates, previously known as 'volatile'
+deb http://http.debian.net/debian/ bullseye-updates main
+deb-src http://http.debian.net/debian/ bullseye-updates main
+
+# bullseye-backports, previously on backports.debian.org
+deb http://http.debian.net/debian/ bullseye-backports main
+deb-src http://http.debian.net/debian/ bullseye-backports main
-- cgit v1.2.3
From f7a4a71c4c2c91ff701d166ca3a4335eff581df6 Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Wed, 22 Jun 2022 12:29:43 -0700
Subject: more default-install ('common') apt packages
---
 roles/common/tasks/main.yml | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
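Review bot: The security-archive patterns in `Origins-Pattern` will very likely never match on bullseye: `"o=Debian,n=bullseye,l=Debian-Security";` and `"origin=Debian,codename=${distro_codename},label=Debian-Security";` both require codename `bullseye`, but the bullseye security archive that this same commit configures in `sources.list` is published under the suite `bullseye-security`, so unattended security updates would silently not be applied while the plain `bullseye` and `bullseye-updates` patterns still work. Add `"o=Debian,n=bullseye-security,l=Debian-Security";` (or the equivalent `codename=${distro_codename}-security` form) alongside the existing lines, and confirm with `unattended-upgrades --dry-run -d` that the security origin shows up as allowed. Separately, `Package-Blacklist` holds back `libc6`, so glibc security fixes are also excluded from automatic installation; if that is deliberate it deserves a comment saying why, because it is the kind of exclusion that is easy to forget.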
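Review bot: All four mirror entries fetch over plain `http://`; apt's signature check on the Release files protects their integrity, but the transfer still shows the host's exact package selection and update cadence to anyone on the path. Bullseye's apt has HTTPS support built in and the `common` role in this series installs `ca-certificates`, so switching to `deb https://deb.debian.org/debian/ bullseye main` (likewise for `-updates` and `-backports`, and `https://security.debian.org/debian-security` for the security lines) costs nothing. `http.debian.net` is also the older redirector name while `deb.debian.org` is the current canonical one, which is worth a comment if the old name is kept on purpose.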
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index a4818b0..a1f4500 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -13,28 +13,35 @@
 - name: Install necessities and nice-to-haves
 apt: pkg={{ item }} state=installed
 with_items:
+ # fail2ban in security
+ # rkhunter in security
 - apt-transport-https
 - apticron
 - aptitude
+ - bash-completion
 - bzip2
 - ca-certificates
 - curl
 - debian-goodies
 - dialog
 - dnsutils
+ - dstat
 - etckeeper
- # fail2ban in security
+ - fd-find
 - file
 - git
 - htop
+ - httpie
 - iftop
 - ifupdown
 - iotop
 - iproute
 - iputils-ping
 - isc-dhcp-client
+ - jq
 - less
 - libui-dialog-perl
+ - lnav
 - locales
 - locales-all
 - lsof
@@ -42,27 +49,32 @@
 - man-db
 - manpages-dev
 - molly-guard
+ - moreutils
 - mosh
 - mtr-tiny
+ - net-tools
 - netbase
 - netcat
- - net-tools
 - ngrep
 - openssh-server
 - openssl
+ - parallel
+ - pigz
 - pv
 - python
 - python-software-properties
- # rkhunter in security
+ - ripgrep
 - screen
+ - sqlite3
 - sudo
 - tcpdump
 - tree
- - unzip
 - unattended-upgrades
+ - unzip
 - util-linux
 - vim-nox
 - wget
+ - zip
 tags:
 - dependencies
-- cgit v1.2.3
From f6d3dac3b7b125f825c4a67d8f5dfeb22cd5dcc2 Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Wed, 22 Jun 2022 12:30:03 -0700
Subject: nginx: updated SSL config
---
 roles/nginx/HOWTO_new_site.txt | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/roles/nginx/HOWTO_new_site.txt b/roles/nginx/HOWTO_new_site.txt
index 1834e93..777665b 100644
--- a/roles/nginx/HOWTO_new_site.txt
+++ b/roles/nginx/HOWTO_new_site.txt
@@ -21,6 +21,11 @@ For a reverse proxied website:
 listen [::]:80;
 server_name ;
+ location = /favicon.ico {
+ access_log off;
+ log_not_found off;
+ }
+
 location /theme_static/ {
 alias /some/static/files/dir/theme_static/;
 }
@@ -35,19 +40,32 @@ For a reverse proxied website:
 For SSL stuff, add this to the body:
- listen 443 ssl spdy;
- listen [::]:443 ssl spdy;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
 ssl_certificate /etc/letsencrypt/live//fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live//privkey.pem;
 add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'";
+ #add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
 add_header X-Frame-Options "SAMEORIGIN"; # 'always' if nginx > 1.7.5
 add_header X-Content-Type-Options "nosniff"; # 'always' if nginx > 1.7.5
 add_header X-Xss-Protection "1";
 # Enable STS with one year period (breaks http; optional)
 #add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
+
+ if ($scheme = http) {
+ return 301 https://$server_name$request_uri;
+ }
+
+ # Let's Encrypt SSL Certs
+ location /.well-known/acme-challenge/ {
+ root /var/www/letsencrypt;
+ autoindex off;
+ }
+
+
 If your site is going to have inline Javascript (pretty common), you might need to swith the Content-Security-Policy line to:
-- cgit v1.2.3