Add schleuder role

galaxy.yml

@@ -44,6 +44,7 @@ tags:
 # range specifiers can be set and are separated by ','
 dependencies:
   community.mysql: '1.2.0'
+  community.crypto: '1.5.0'
 
 # The URL of the originating SCM repository
 repository: https://gitlab.com/s3lph/ansible-collection-mailserver

roles/schleuder/defaults/main.yml

@@ -0,0 +1,84 @@
+---
+schleuder_lists_dir: /var/lib/schleuder/lists
+schleuder_listlogs_dir: /var/log/schleuder/lists
+schleuder_plugins_dir: /etc/schleuder/plugins
+schleuder_filters_dir: /usr/local/lib/schleuder/filters
+schleuder_log_level: warn
+schleuder_superadmin: root@localhost
+
+# Debian stretch (and all future versions) ship(s) with sensible
+# keyserver defaults, therefore, use these:
+schleuder_keyserver: ""
+
+schleuder_smtp_address: localhost
+schleuder_smtp_port: 25
+schleuder_smtp_auto_starttls: no
+schleuder_smtp_openssl_verify_mode: peer
+schleuder_smtp_authentication: plain
+schleuder_sqlite3_database: /var/lib/schleuder/db.sqlite
+schleuder_sqlite3_timeout: 5000
+
+schleuder_api_host: localhost
+schleuder_api_port: 4443
+schleuder_api_tls_cert_file: /etc/schleuder/schleuder-certificate.pem
+schleuder_api_tls_key_file: /etc/schleuder/schleuder-private-key.pem
+schleuder_valid_api_keys: []
+
+
+
+schleuder_defaults_send_encrypted_only: true
+schleuder_defaults_receive_encrypted_only: false
+schleuder_defaults_receive_signed_only: false
+schleuder_defaults_receive_authenticated_only: false
+schleuder_defaults_receive_from_subscribed_emailaddresses_only: false
+schleuder_defaults_receive_admin_only: false
+schleuder_defaults_headers_to_meta:
+  - from
+  - to
+  - cc
+  - date
+  - sig
+  - enc
+schleuder_defaults_keep_msgid: true
+schleuder_defaults_keywords_admin_only:
+  - subscribe
+  - unsubscribe
+  - delete-key
+schleuder_defaults_keywords_admin_notify:
+  - add-key
+schleuder_defaults_internal_footer: ""
+schleuder_defaults_public_footer: ""
+schleuder_defaults_subject_prefix: ""
+schleuder_defaults_subject_prefix_in: ""
+schleuder_defaults_subject_prefix_out: ""
+schleuder_defaults_bounces_drop_all: false
+schleuder_defaults_bounces_drop_on_headers:
+  x-spam-flag: yes
+schleuder_defaults_bounces_notify_admins: true
+schleuder_defaults_include_list_headers: true
+schleuder_defaults_include_openpgpg_header: true
+schleuder_defaults_openpgpg_header_signencrypt: signencrypt
+schleuder_defaults_max_message_size_kb: 10240
+schleuder_defaults_log_level: warn
+schleuder_defaults_logfiles_to_keep: 2
+schleuder_defaults_language: en
+schleuder_defaults_forward_all_incoming_to_admins: false
+
+
+
+# This is the last commit before schleuder 3.5 was required
+schleuder_web_commitish: 7bf1b2f39d15bf05c3eb198c5b0f6dfea97b0cee
+schleuder_web_hostname: schleuder.example.org
+schleuder_web_mailfrom: noreply@schleuder.example.org
+schleuder_web_delivery_method: sendmail
+schleuder_web_sendmail_arguments: "-i"
+schleuder_web_smtp_host: localhost
+schleuder_web_smtp_port: 25
+schleuder_web_smtp_auto_starttls: false
+schleuder_web_smtp_openssl_verify_mode: peer
+schleuder_web_smtp_authentication: plain
+schleuder_web_superadmins: [root@localhost]
+schleuder_web_lists_on_which_subscribers_may_delete_keys: ["*"]
+
+schleuder_web_db_file: /var/lib/schleuder-web/schleuder-web.sqlite3
+

roles/schleuder/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+
+- name: systemctl daemon-reload
+  systemd:
+    daemon_reload: yes
+
+- name: systemctl restart schleuder-web
+  service:
+    name: schleuder-web
+    state: restarted
+    

roles/schleuder/tasks/config.yml

@@ -0,0 +1,17 @@
+---
+
+- name: render /etc/schleuder/schleuder.yml
+  template:
+    src: etc/schleuder/schleuder.yml.j2
+    dest: /etc/schleuder/schleuder.yml
+    owner: root
+    group: schleuder
+    mode: 0640
+
+- name: render /etc/schleuder/list-defaults.yml
+  template:
+    src: etc/schleuder/list-defaults.yml.j2
+    dest: /etc/schleuder/list-defaults.yml
+    owner: root
+    group: schleuder
+    mode: 0640

roles/schleuder/tasks/install.yml

@@ -0,0 +1,8 @@
+---
+
+- name: install schleuder packages
+  apt:
+    name:
+      - schleuder
+      - schleuder-cli
+      - haveged

roles/schleuder/tasks/install_web.yml

@@ -0,0 +1,110 @@
+---
+
+- name: install schleuder-web dependencies
+  apt:
+    name:
+      - bundler
+      - libxml2-dev
+      - zlib1g-dev
+      - libsqlite3-dev
+      - acl  # only needed so ansible can become_user=cryptpad
+
+- name: create schleuder-web user
+  user:
+    name: schleuder-web
+    group: nogroup
+    home: /var/lib/schleuder-web
+    system: yes
+    shell: /usr/sbin/nologin
+  
+- name: gather service facts
+  service_facts:
+
+- name: stop schleuder-web service
+  service:
+    name: schleuder-web
+    state: stopped
+  when: "'schleuder-web.service' in ansible_facts.services"
+  
+- name: clone schleuder-web git repo
+  become: yes
+  become_user: schleuder-web
+  command:
+    cmd: git clone https://0xacab.org/schleuder/schleuder-web /var/lib/schleuder-web/schleuder-web
+    creates: /var/lib/schleuder-web/schleuder-web
+    
+- name: fetch schleuder-webupstream
+  become: yes
+  become_user: schleuder-web
+  command:
+    cmd: git fetch origin
+    chdir: /var/lib/schleuder-web/schleuder-web
+
+- name: checkout requested schleuder-web version
+  become: yes
+  become_user: schleuder-web
+  command:
+    cmd: git checkout "{{ schleuder_web_commitish }}"
+    chdir: /var/lib/schleuder-web/schleuder-web
+
+- name: render /var/lib/schleuder-web/schleuder-web.yml
+  template:
+    src: var/lib/schleuder-web/schleuder-web.j2
+    dest: /var/lib/schleuder-web/schleuder-web
+    owner: schleuder-web
+    group: root
+    mode: 0600
+  notify: systemctl restart schleuder-web
+
+- name: get schleuder api tls fingerprint
+  community.crypto.x509_certificate_info:
+    path: /etc/schleuder/schleuder-certificate.pem
+  register: schleuder_register_apicert_info
+
+- name: render /etc/default/schleuder-web
+  template:
+    src: etc/default/schleuder-web.j2
+    dest: /etc/default/schleuder-web
+    owner: root
+    group: root
+    mode: 0600
+  vars:
+    tls_fingerprint: "{{ schleuder_register_apicert_info.fingreprints.sha256 | replace(':', '') }}"
+  notify: systemctl restart schleuder-web
+
+- name: render systemd service unit
+  template:
+    src: etc/systemd/system/schleuder-web.service.j2
+    dest: /etc/systemd/system/schleuder-web.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: systemctl daemon-reload
+
+- name: run bundle install
+  become: yes
+  become_user: schleuder-web
+  command:
+    cmd: /usr/bin/bundle install --without deployment
+    chdir: /var/lib/schleuder-web/schleuder-web
+
+- name: run bundle db setup
+  become: yes
+  become_user: schleuder-web
+  command:
+    cmd: /usr/bin/bundle exec rake db:setup
+    chdir: /var/lib/schleuder-web/schleuder-web
+  environment:
+    RAILS_ENV: production
+  tags:
+    - "never"
+    - "role::schleuder:bootstrap"
+
+- name: flush systemd daemon-reload
+  meta: flush_handlers
+
+- name: start and enable schleuder-web
+  service:
+    name: schleuder-web
+    state: started
+    enabled: true

roles/schleuder/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+
+- import_tasks: install.yml
+  tags:
+    - "role::schleuder"
+    - "role::schleuder:install"
+
+- import_tasks: install_web.yml
+  tags:
+    - "role::schleuder"
+    - "role::schleuder:install_web"
+
+- import_tasks: config.yml
+  tags:
+    - "role::schleuder"
+    - "role::schleuder:config"

roles/schleuder/templates/etc/default/schleuder-web.j2

@@ -0,0 +1,11 @@
+{{ ansible_managed | comment }}
+
+SCHLEUDERWEB_CONFIG_FILE=/var/lib/schleuder-web/schleuder-web.yml
+SCHLEUDERWEB_DB_FILE={{ schleuder_web_db_file }}
+SCHLEUDER_API_HOST={{ schleuder_api_host }}
+SCHLEUDER_API_PORT={{ schleuder_api_port }}
+SCHLEUDER_TLS_FINGERPRINT={{ tls_fingerprint }}
+SCHLEUDER_API_KEY={{ schleuder_web_api_key }}
+SECRET_KEY_BASE={{ schleuder_web_secret_key_base }}
+
+RAILS_LOG_TO_STDOUT=true

roles/schleuder/templates/etc/schleuder/list-defaults.yml.j2

@@ -0,0 +1,129 @@
+---
+{{ ansible_managed | comment }}
+
+# Setting default values for newly generated lists. Once a list is created it
+# is not affected by these settings but has its own set of options in the
+# database.
+#
+# The configuration format is yaml (http://www.yaml.org).
+#
+# Options are listed with the behaviour encoded in the database schema.
+
+# Only send out encrypted emails to subscriptions?
+# (This setting does not affect resend-messages.)
+send_encrypted_only: {{ schleuder_defaults_send_encrypted_only }}
+
+# Allow only encrypted emails? If true, any other email will be bounced.
+receive_encrypted_only: {{ schleuder_defaults_receive_encrypted_only }}
+
+# Allow only emails that are validly signed? If true, any other email will be
+# bounced.
+receive_signed_only: {{ schleuder_defaults_receive_signed_only }}
+
+# Allow only emails that are validly signed by a subscriber's key?  If true,
+# any other email will be bounced.
+receive_authenticated_only: {{ schleuder_defaults_receive_authenticated_only }}
+
+# Allow only emails being sent from subscribed addresses? If true, any other
+# email will be bounced.
+# NOTE: This is a very weak restriction mechanism on which you should not rely,
+#       as sending addresses can easily be faked! We recommend you to rather
+#       rely on the `receive_authenticated_only` option. Setting the
+#       `receive_authenticated_only` option to true, will authenticate senders
+#       based on the signature on the mail, which is the strongest
+#       authentication mechanism you can get.
+#       This option could be useful, if you would like to have a closed
+#       mailinglist, but could not yet get all subscribers to properly use GPG.
+receive_from_subscribed_emailaddresses_only: {{ schleuder_defaults_receive_from_subscribed_emailaddresses_only }}
+
+# Allow only emails that are validly signed by a list-admin's key.
+# This is useful for newsletters, announce or notification lists
+receive_admin_only: {{ schleuder_defaults_receive_admin_only }}
+
+# Which headers to include from the original mail.
+headers_to_meta:
+{% for header in schleuder_defaults_headers_to_meta %}
+  - {{ header }}
+{% endfor %}
+
+# Preserve the Message-IDs (In-Reply-To, References) from the incoming email.
+# This setting can lead to information leakage, as replies are connectable
+# and a thread of (encrypted) messages can be built by an eavesdropper.
+keep_msgid: {{ schleuder_defaults_keep_msgid }}
+
+# Which keywords ("email-commands") should be restricted to list-admins?
+keywords_admin_only:
+{% for keyword in schleuder_defaults_keywords_admin_only %}
+  - {{ keyword }}
+{% endfor %}
+
+# For which keywords should the list-admins receive a notice whenever it
+# triggers a command.
+keywords_admin_notify: 
+{% for keyword in schleuder_defaults_keywords_admin_notify %}
+  - {{ keyword }}
+{% endfor %}
+
+# Footer to append to each email that is sent to a subscribed address. Will not
+# be included in messages to non-subscribed addresses.
+internal_footer: {{ schleuder_defaults_internal_footer }}
+
+# Footer to append to each email that is sent to non-subscribed addresses. Will
+# not be included in messages to subscribed addresses.
+public_footer: {{ schleuder_defaults_public_footer }}
+
+# Prefix to be inserted into the subject of every email that is validly signed
+# by a subscribed address.
+subject_prefix: {{ schleuder_defaults_subject_prefix }}
+
+# Prefix to be inserted into the subject of every email that is *not* validly
+# signed by a subscribed address.
+subject_prefix_in: {{ schleuder_defaults_subject_prefix_in }}
+
+# Prefix to be inserted into the subject of every email that has been
+# resent to a non-subscribed address.
+subject_prefix_out: {{ schleuder_defaults_subject_prefix_out }}
+
+# Drop any bounces (incoming emails not passing the receive_*_only-rules)?
+bounces_drop_all: {{ schleuder_defaults_bounces_drop_all }}
+
+# Drop bounces if they match one of these headers. Must be a hash, keys
+# and values are case insensitive.
+bounces_drop_on_headers:
+{% for header, value in schleuder_defaults_bounces_drop_on_headers.items() %}
+  {{ header }}: {{ value }}
+{% endfor %}
+
+# Send a notice to the list-admins whenever an email is bounced or dropped?
+bounces_notify_admins: {{ schleuder_defaults_bounces_notify_admins }}
+
+# Include RFC-compliant List-* Headers into emails?
+include_list_headers: {{ schleuder_defaults_include_list_headers }}
+
+# Include OpenPGP-Header into emails?
+include_openpgp_header: {{ schleuder_defaults_include_openpgpg_header }}
+
+# Preferred way to receive emails to note in OpenPGP-Header
+# ('sign'|'encrypt'|'signencrypt'|'unprotected'|'none')
+openpgp_header_preference: {{ schleuder_defaults_openpgpg_header_signencrypt }}
+
+# Maximum size of emails allowed on the list, in kilobyte. All others will be
+# bounced.
+max_message_size_kb: {{ schleuder_defaults_max_message_size_kb }}
+
+# How verbose to log on the list-level (Notifications will be sent to
+# list-admins)? Error, warn, info, or debug.
+log_level: {{ schleuder_defaults_log_level }}
+
+# How many logfiles to keep, including the current one.
+# Logfiles are rotated daily, so 2 means: delete logfiles older than
+# yesterday.  Values lower than 1 are ignored.
+logfiles_to_keep: {{ schleuder_defaults_logfiles_to_keep }}
+
+# Which language to use for automated replies, error-messages, etc.
+# Available: en, de.
+language: {{ schleuder_defaults_language }}
+
+# Forward a raw copy of all incoming emails to the list-admins?
+# Mainly useful for debugging.
+forward_all_incoming_to_admins: {{ schleuder_defaults_forward_all_incoming_to_admins }}

roles/schleuder/templates/etc/schleuder/schleuder.yml.j2

@@ -0,0 +1,73 @@
+---
+{{ ansible_managed | comment }}
+
+# Where are the list-directories stored (contain log-files and GnuPG-keyrings).
+lists_dir: {{ schleuder_lists_dir }}
+
+# Where to write list-logs. The actual log-file will be <lists_logs_base_dir>/<hostname>/<listname>/list.log.
+listlogs_dir: {{ schleuder_listlogs_dir }}
+
+# Schleuder reads plugins also from this directory.
+plugins_dir: {{ schleuder_plugins_dir }}
+
+# Schleuder reads filters also from this directory path,
+# in the specific pre_decryption or post_decryption subdirectory.
+# Filter files must follow the following convention for the
+# filename: \d+_a_name.rb
+# Where \d+ is any number, that defines the place in the
+# list of filters and a_name must match the method name
+# of the filter.
+# The built-in filters are using round numbers for their
+# positioning within the list. Increased by ten.
+filters_dir: {{ schleuder_filters_dir }}
+
+# How verbose should Schleuder log to syslog? (list-specific messages are written to the list's log-file).
+log_level: {{ schleuder_log_level }}
+
+# Which keyserver to refresh keys from (used by `schleuder refresh_keys`, meant
+# to be run from cron weekly).
+# Debian stretch (and all future versions) ship(s) with sensible
+# keyserver defaults, therefore, use these:
+keyserver: {{ schleuder_keyserver }}
+
+# Who is maintaining the overall schleuder installation and should be
+# notified about severe problems with lists.
+# This address should be a postmaster-like account, especially it should
+# not be another schleuder list.
+# Is also used as an envelope sender of admin notifications.
+superadmin: {{ schleuder_superadmin }}
+
+# For these options see documentation for ActionMailer::smtp_settings, e.g. <http://api.rubyonrails.org/classes/ActionMailer/Base.html>.
+smtp_settings:
+  address: {{ schleuder_smtp_address }}
+  port: {{ schleuder_smtp_port }}
+{% if schleuder_smtp_helo_fqdn is defined %}
+  domain: {{ schleuder_smtp_helo_fqdn }}
+{% endif %}
+  enable_starttls_auto: {{ schleuder_smtp_auto_starttls }}
+  openssl_verify_mode: {{ schleuder_smtp_openssl_verify_mode }}
+{% if schleuder_smtp_username is defined %}
+  authentication: {{ schleuder_smtp_authentication }}
+  user_name: {{ schleuder_smtp_username }}
+  password: {{ schleuder_smtp_password }}
+{% endif %}
+
+database:
+  production:
+    adapter:  'sqlite3'
+    database: {{ schleuder_sqlite3_database }}
+    timeout: {{ schleuder_sqlite3_timeout }}
+
+api:
+  host: {{ schleuder_api_host }}
+  port: {{ schleuder_api_port }}
+  # Certificate and key to use. You can create new ones with `schleuder cert generate`.
+  tls_cert_file: {{ schleuder_api_tls_cert_file }}
+  tls_key_file: {{ schleuder_api_tls_key_file }}
+  valid_api_keys:
+{% if schleuder_web_api_key is defined %}
+    - {{ schleuder_web_api_key }}
+{% endif %}
+{% for key schleuder_valid_api_keys %}
+    - {{ key }}
+{% endfor %}

roles/schleuder/templates/etc/systemd/system/schleuder-web.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Web Interface to Administrate Schleuder lists
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+User=schleuder-web
+WorkingDirectory=/var/lib/schleuder-web/schleuder-web
+EnvironmentFile=/etc/default/schleuder-web
+Environment=RAILS_ENV=production
+ExecStartPre=/usr/bin/bundle exec rake db:migrate
+ExecStartPre=/usr/bin/bundle exec rake assets:precompile
+ExecStart=/usr/bin/bundle exec rails server -e production
+
+[Install]
+WantedBy=multi-user.target

roles/schleuder/templates/var/lib/schleuder-web/schleuder-web.yml.j2

@@ -0,0 +1,37 @@
+---
+{{ ansible_managed | comment }}
+
+production:
+  web_hostname: {{ schleuder_web_hostname }}
+  mailer_from: {{ schleuder_web_mailfrom }}
+  # For delivery_method, sendmail_settings and smtp_settings see
+  # <http://guides.rubyonrails.org/action_mailer_basics.html#action-mailer-configuration>.
+  delivery_method: {{ schleuder_web_delivery_method }}
+{% if schleuder_web_delivery_method == 'sendmail' %}
+  sendmail_settings:
+    arguments: '{{ schleuder_web_sendmail_arguments }}'
+{% elif schleuder_web_delivery_method == 'smtp' %}
+  smtp_settings:
+    address: {{schleuder_web_smtp_host}}
+    port: {{schleuder_web_smtp_port}}
+    enable_starttls_auto: {{ schleuder_web_smtp_auto_starttls }}
+    openssl_verify_mode: {{ schleuder_web_smtp_openssl_verify_mode }}
+    {% if schleuder_web_smtp_username is defined %}
+    authentication: {{ schleuder_web_smtp_authentication }}
+    user_name: {{ schleuder_web_smtp_username }}
+    password: {{ schleuder_web_smtp_password }}
+    {% endif %}
+{% endif %}
+  api:
+    host: <%= ENV["SCHLEUDER_API_HOST"] || 'localhost' %>
+    port: <%= ENV["SCHLEUDER_API_PORT"] || 4443 %>
+    tls_fingerprint: <%= ENV["SCHLEUDER_TLS_FINGERPRINT"] %>
+  api_key: <%= ENV["SCHLEUDER_API_KEY"] %>
+  superadmins:
+{% for admin in schleuder_web_superadmins %}
+    - {{ admin }}
+{% endif %}
+  lists_on_which_subscribers_may_delete_keys:
+{% for list in schleuder_web_lists_on_which_subscribers_may_delete_keys %}
+    - "{{ list }}"
+{% endif %}