Merge pull request #290 from progmaticltd/dev

New version for 2020

Author: arodier

.ansible-lint

@@ -0,0 +1 @@
+config/ansible-lint-default.yml

.gitignore

@@ -1,6 +1,7 @@
 # Ignore everything on the config folder, except sample and default files
 config/*
 !config/defaults.yml
+!config/*-default*.yml
 !config/*-example.yml
 
 # Ignore ansible error files
@@ -20,3 +21,10 @@ sandbox/*
 # Backup folder for deployment files
 backup/*
 !backup/readme.md
+
+# Allow to include modules excluded from the repository
+modules/*
+!modules/readme.md
+
+# Ignore python3 cache directories
+__pycache__/

.travis.yml

@@ -166,6 +166,7 @@ official documentation.
 - Email addresses with recipient delimiter included, e.g. [email protected].
 - Optional master user creation, e.g. for families with children or moderated communities.
 - Server side full text search inside emails, attached documents and files and
+- Detailed weekly, monthly and yearly access report per country, ISP, IP addresses, etc.
   compressed archives, with better results than GMail.
 - Optional Roundcube webmail with sieve filters management, password change form, automatic identity
   creation, master account access, etc.
@@ -195,10 +196,8 @@ official documentation.
 - [Privoxy](https://www.privoxy.org/) easy installation, with adblock rules daily synchronisation, and optional tor
   chaining.
 - Embedded DNS server with DNSSEC and SSHFP (SSH fingerprint) records support
-- Automatic publication of DNS entries to Gandi DNS.
 - External IP address detection.
-- Static web site skeleton configuration, with https certificates.
-- Hugo web site server: [Hugo](https://gohugo.io/) and its [numerous themes](https://themes.gohugo.io/)
+- Static web site skeleton configuration, with https certificates and A+ security grade by default.
 - Personal backup server for each user, using borgbackup.
 - [Gogs git server](https://gogs.io/), a fast and lightweight git server written in Golang.
 - [Transmission daemon](https://transmissionbt.com/), accessible over https, public or private over your LAN. Files can

README.md

@@ -0,0 +1,104 @@
+---
+
+- name: Get the certificates list
+  register: certs
+  find:
+    path: '/etc/letsencrypt/archive/{{ cert_dir }}'
+    recurse: yes
+    patterns: 'cert*,chain*,fullchain*'
+
+- name: Get the keys list
+  register: keys
+  find:
+    path: '/etc/letsencrypt/archive/{{ cert_dir }}'
+    recurse: yes
+    patterns: 'privkey*'
+
+# By default, consider the access to the private key is requested.
+# This might change to be explicitely requested by the caller task.
+- name: Set the default value of the "access_private_key" flag
+  when: access_private_key is not defined
+  set_fact:
+    access_private_key: true
+
+# Posix permissions: files should be readable, by default, only by root.
+# The ACL will extend this to other daemons
+- name: Set the unix mode for the certificate files readable by root only
+  tags: cert
+  file:
+    path: '{{ file.path }}'
+    owner: root
+    group: root
+    mode: '0600'
+  with_items:
+    - '{{ certs.files | selectattr("mode", "ne", "0600") | list }}'
+    - '{{ keys.files | selectattr("mode", "ne", "0600") | list }}'
+  loop_control:
+    loop_var: file
+
+# Now, we set the default acl for this directory: new certificates
+# will be automatically marked as readable by the entity.
+# This doesn't need to be done for nginx, as the certificates
+# are read by root anyway.
+- name: Set the acl and default acl permissions for the directory
+  when: access_private_key
+  tags: cert
+  acl:
+    path: '{{ path }}'
+    entity: '{{ entity_group }}'
+    etype: user
+    permissions: 'r'
+    recursive: false
+    state: present
+    default: true
+  with_items:
+      - '/etc/letsencrypt/archive/{{ cert_dir }}'
+  loop_control:
+    loop_var: path
+
+# Create the list of files to modify. When the entity is nginx,
+# do not include the private key
+- name: Create the list of files to modify
+  when: not access_private_key
+  set_fact:
+    files_list: '{{ certs.files }}'
+
+# In this case, this is a specific entity (e.g. openldap)
+# we include the private key too.
+- name: Create the list of files to modify
+  when: access_private_key
+  set_fact:
+    files_list: '{{ certs.files + keys.files }}'
+
+# Explicitly set the mask for this files as read. Because the parent
+# directory permissions are '0777', any ACL modification would create
+# a mask as executable! This flaw is in the acl command, not ansible.
+- name: Set the acl mask for the files
+  tags: cert
+  acl:
+    path: '{{ file.path }}'
+    etype: mask
+    state: present
+    permissions: 'r'
+  with_items:
+    - '{{ files_list }}'
+  loop_control:
+    loop_var: file
+
+# Finally, we set the existing certificates ACLs to be readable by
+# the entity. This is crucial, especially when restoring certificates
+# Do not recalculate the mask, or the files will be marked as executable!
+# This flaw is done by the acl command, not ansible.
+- name: Set the acl for the files
+  tags: cert
+  acl:
+    path: '{{ file.path }}'
+    etype: user
+    entity: '{{ entity_group }}'
+    state: present
+    permissions: 'r'
+    recalculate_mask: no_mask
+  with_items:
+    - '{{ files_list }}'
+  loop_control:
+    loop_var: file

common/ansible-travis.cfg

@@ -2,105 +2,36 @@
 
 ################################################################################
 # Get the external IP address, from configuration file,
-# or automatically through a script
-
-# Automatic IP detection (IPv4 & IPv6)
-- name: Get the external IP address automatically
-  tags: facts
-  when: network.external_ip == "auto"
-  get_url:
-    url: https://api.ipify.org?format=text
-    dest: /tmp/external_ip.txt
-
-- name: Get the external IP address automatically (IPv6)
-  tags: facts
-  when: network.external_ip == "auto_ipv6"
-  get_url:
-    url: https://api6.ipify.org?format=text
-    dest: /tmp/external_ip.txt
-
-- name: Read the IP address detected
-  register: external_ip_facts
-  tags: facts
-  when: network.external_ip is search("auto")
-  shell: "cat /tmp/external_ip.txt"
-
-- name: Store the IP address detected
-  tags: facts
-  when: network.external_ip is search("auto")
-  set_fact:
-    external_ip: '{{ external_ip_facts.stdout }}'
+# Check if a backup IP address is used
+# Detect both types of IP addresses
+# Detect if IPv6 is used
+################################################################################
 
-# Manual IP specification
+# First IP address, mandatory
 - name: Store the extenal IP address specified manually
   tags: facts
-  when: not network.external_ip is search("auto")
   set_fact:
     external_ip: '{{ network.external_ip }}'
 
-# Detect the main IP address type (IPv4 or IPv6)
-- name: Detect the external IP address type (IPv4 or IPv6 / A or AAAA)
-  tags: facts
-  register: main_ip_type
-  shell:
-    echo {{ external_ip }}
-    | grep -E '^[0-9\.]+$' 2>&1 >/dev/null
-    && echo A || echo AAAA
-
-- name: Store the external IP address type detected
+- name: Set external IP address type (A or AAAA)
   tags: facts
   set_fact:
-    external_ip_type: '{{ (main_ip_type.stdout) }}'
-
-
+    external_ip_type: '{{ external_ip | ipv6 | ternary("AAAA", "A") }}'
 
-################################################################################
-# Backup IP address
-- name: Get the backup IP address automatically
-  tags: facts
-  when: network.backup_ip == "auto"
-  get_url:
-    url: https://api.ipify.org?format=text
-    dest: /tmp/backup_ip.txt
-
-- name: Get the backup IP address automatically (IPv6)
-  tags: facts
-  when: network.backup_ip == "auto_ipv6"
-  get_url:
-    url: https://api6.ipify.org?format=text
-    dest: /tmp/backup_ip.txt
-
-- name: Read the backup IP address detected
-  register: backup_ip_facts
-  tags: facts
-  when: network.backup_ip is search("auto")
-  shell: "cat /tmp/backup_ip.txt"
-
-- name: Store the backup IP address detected
-  tags: facts
-  when: network.backup_ip is search("auto")
-  set_fact:
-    backup_ip: '{{ backup_ip_facts.stdout }}'
-
-# Manual IP specification
-- name: Get the backup IP address specified manually
-  when: network.backup_ip != None and not network.backup_ip is search("auto")
+# Backup IP address if defined
+- name: Get the backup IP address
+  when: network.backup_ip != None and (network.backup_ip | length > 0)
   tags: facts
   set_fact:
     backup_ip: '{{ network.backup_ip }}'
 
-# Detect the backup IP address type (IPv4 or IPv6)
 - name: Set backup IP address type (A or AAAA)
-  when: network.backup_ip != None
   tags: facts
-  register: backup_ip_type
-  shell:
-    echo {{ backup_ip }}
-    | grep -E '^[0-9\.]+$' 2>&1 >/dev/null
-    && echo A || echo AAAA
+  when: backup_ip is defined and (backup_ip | length > 0)
+  set_fact:
+    backup_ip_type: '{{ backup_ip | ipv6 | ternary("AAAA", "A") }}'
 
-- name: Set backup IP address type (A or AAAA)
-  tags: facts
-  when: network.backup_ip != None
+- name: Check and remember if IPv6 is used
   set_fact:
-    backup_ip_type: '{{ (backup_ip_type.stdout) }}'
+    ipv6_used: '{{ external_ip_type == "AAAA" or
+                   (backup_ip_type is defined and backup_ip_type == "AAAA") }}'

common/roles/cert-perms/tasks/main.yml

@@ -42,13 +42,15 @@
 # Merge user options with default options
 - name: Combine default and user defined password settings
   run_once: true
+  no_log: true
   when: passwords is defined
   tags: defaults
   set_fact:
     passwords: '{{ passwords_default | combine(passwords, recursive=True) }}'
 
 - name: Use default passwords settings
   run_once: true
+  no_log: true
   when: passwords is not defined
   tags: defaults
   set_fact:
@@ -118,7 +120,6 @@
   set_fact:
     dictionaries: '{{ dictionaries_default }}'
 
-################################################################################
 # Merge webmail defaults
 - name: Combine default and user defined webmail settings
   run_once: true
@@ -362,22 +363,6 @@
   set_fact:
     sogo: '{{ sogo_default }}'
 
-################################################################################
-# Merge defaults hugo settings
-- name: Combine default and user defined hugo settings
-  run_once: true
-  when: hugo is defined
-  tags: defaults
-  set_fact:
-    hugo: '{{ hugo_default | combine(hugo, recursive=True) }}'
-
-- name: Use default hugo settings
-  run_once: true
-  when: hugo is not defined
-  tags: defaults
-  set_fact:
-    hugo: '{{ hugo_default }}'
-
 ################################################################################
 # Merge defaults access_check settings
 - name: Combine default and user defined access_check settings

common/roles/external-ip-type/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+
+# This is a temporary ansible-lint file, to be able to start from a clean base.
+# We may uncomment some of the warnings once we find a proper way to fix them
+
+# It is currently used by the CI environment (Jenkins) and the pre-commit hook
+
+# Some files cannot be found by ansible lint, when using include_tasks.
+# See https://github.com/ansible/ansible-lint/issues/507
+# These files are excluded for now
+
+# The current disabled warnings are:
+
+# 701: No 'galaxy_info' found.
+# Not sure yet how to fix this, cannot find doc online yet.
+
+# 503: Tasks that run when changed should likely be handlers.
+# This one should be fixed.
+
+# 305: Use shell only when shell functionality is required
+# For this project, too many commands relies on shell scripts
+
+# 301: Commands should not change things if nothing needs doing
+# Maybe some of the commands can be made as handlers
+
+exclude_paths:
+  - install/playbooks/roles/ldap/tasks/main.yml
+  - install/playbooks/roles/postfix/tasks/main.yml
+  - install/playbooks/roles/dovecot/tasks/main.yml
+parseable: true
+quiet: false
+rulesdir: []
+skip_list:
+  - '701'     # No 'galaxy_info' found
+  - '503'     # Tasks that run when changed should likely be handlers
+  - '305'     # Use shell only when shell functionality is required
+  - '301'     # Commands should not change things if nothing needs doing
+tags: []
+use_default_rules: true
+verbosity: 1