Merge remote-tracking branch 'upstream/master' into jp-readlater

Conflicts: README.textile site.yml vars/defaults.yml
sovereign · May 16, 2014 · 8bd44ef · 8bd44ef
2 parents d1073d0 + f787400
commit 8bd44ef
Show file tree

Hide file tree

Showing 19 changed files with 199 additions and 32 deletions.
diff --git a/README.textile b/README.textile
@@ -50,6 +50,7 @@ What do you get if you point this thing at a VPS? All kinds of good stuff!
 * "RFC6238":http://tools.ietf.org/html/rfc6238 two-factor authentication compatible with "Google Authenticator":http://en.wikipedia.org/wiki/Google_Authenticator and various hardware tokens
 * Nightly backups to "Tarsnap":https://www.tarsnap.com/.
 * Git hosting via "cgit":http://git.zx2c4.com/cgit/about/ and "gitolite":https://github.com/sitaramc/gitolite.
+* "Newebe":http://newebe.org, a social network.
 * Read-it-later via "Wallabag":https://www.wallabag.org/
 * A bunch of nice-to-have tools like "mosh":http://mosh.mit.edu and "htop":http://htop.sourceforge.net that make life with a server a little easier.
 
@@ -99,7 +100,7 @@ If you haven't already, "download and install Tarsnap":https://www.tarsnap.com/d
 
 Create a new machine key for your server:
 
-bc. tarsnap-keygen --keyfile roles/tarsnap/files/root_tarsnap.key --user me@example.com --machine example.com
+bc. tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user me@example.com --machine example.com
 
 h3. 3. Prep the server
 
@@ -152,7 +153,7 @@ For git hosting, copy your public key into place. @cp ~/.ssh/id_rsa.pub roles/gi
 
 h3. 5. Run the Ansible Playbooks
 
-First, make sure you've "got Ansible installed":http://docs.ansible.com/intro_installation.html#getting-ansible.
+First, make sure you've "got Ansible 1.6+ installed":http://docs.ansible.com/intro_installation.html#getting-ansible.
 
 To run the whole dang thing:
 

diff --git a/roles/common/tasks/ufw.yml b/roles/common/tasks/ufw.yml
@@ -5,39 +5,27 @@
 - name: Install ufw
   apt: pkg=ufw state=present
 
-- name: Set firewall rules
-  command: ufw allow {{ item }}
-  register: ufw_result
-  changed_when: "ufw_result.stdout.startswith('Rule')"
-  with_items:
-    - smtp/tcp
-    - domain
-    - http/tcp
-    - https/tcp
-    - ssh/tcp
-    - ssmtp/tcp
-    - pop3s/tcp
-    - imaps/tcp
-    - 5222/tcp  # xmpp c2s
-    - 5269/tcp  # xmpp s2s
-    - 6697/tcp  # znc
-    - "{{ openvpn_port }}/{{ openvpn_protocol }}"
-    - 60000:61000/udp  # mosh udp packets
+- name: Deny everything and enable UFW
+  ufw: state=enabled policy=deny
 
-- name: Check status of ufw
-  command: ufw status
-  register: ufw_status
-  changed_when: False  # never report as "changed"
+- name: Set firewall rule for DNS
+  ufw: rule=allow port=domain
+
+- name: Set firewall rule for mosh
+  ufw: rule=allow port=60000:61000 proto=udp
+
+- name: Set firewall rules for web traffic and SSH
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - ssh
+    - http
+    - https
 
 - name: Check config of ufw
   command: cat /etc/ufw/ufw.conf
   register: ufw_config
   changed_when: False  # never report as "changed"
 
 - name: Disable logging (workaround for known bug in Debian 7)
-  command: ufw logging off
+  ufw: logging=off
   when: "ansible_lsb['codename'] == 'wheezy' and 'LOGLEVEL=off' not in ufw_config.stdout"
-
-- name: Enable ufw
-  command: ufw --force enable
-  when: "ufw_status.stdout.startswith('Status: inactive') or 'ENABLED=yes' not in ufw_config.stdout"
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml
@@ -4,6 +4,7 @@
   with_items:
     - groff
     - python-pip
+    - libssl-dev
 
 - name: Install cgit pip dependencies
   pip: name={{ item }}
@@ -38,10 +39,14 @@
             owner=www-data
   notify: restart apache
 
+- name: Enable Apache cgi module
+  command: a2enmod cgi creates=/etc/apache2/mods-enabled/cgi.load
+  notify: restart apache
+
 - name: Enable Apache rewrite module
   command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load
   notify: restart apache
 
 - name:  Enable cgit site
   command: a2ensite cgit creates=/etc/apache2/sites-enabled/cgit
-  notify: restart apache
+  notify: restart apache
diff --git a/roles/ircbouncer/tasks/znc.yml b/roles/ircbouncer/tasks/znc.yml
@@ -54,5 +54,8 @@
   template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc
   when: znc_config.rc != 0
 
+- name: Set firewall rule for znc
+  ufw: rule=allow port=6697 proto=tcp
+
 - name: Ensure znc is a system service
   service: name=znc state=started enabled=true
diff --git a/roles/mailserver/tasks/dovecot.yml b/roles/mailserver/tasks/dovecot.yml
@@ -48,3 +48,9 @@
   file: state=directory path=/etc/dovecot
           group=dovecot owner=vmail mode=770 recurse=yes
   notify: restart dovecot
+
+- name: Set firewall rules for dovecot
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - pop3s
+    - imaps
diff --git a/roles/mailserver/tasks/postfix.yml b/roles/mailserver/tasks/postfix.yml
@@ -49,3 +49,9 @@
     - pgsql-virtual-mailbox-maps.cf
     - pgsql-virtual-alias-maps.cf
   notify: restart postfix
+
+- name: Set firewall rules for postfix
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - smtp
+    - ssmtp
diff --git a/roles/mailserver/templates/etc_postfix_main.cf.j2 b/roles/mailserver/templates/etc_postfix_main.cf.j2
@@ -106,7 +106,6 @@ postscreen_dnsbl_sites =
   bl.spamcop.net*2
   dnsbl.sorbs.net*1
   spam.spamrats.com*2
-  dnsbl.ahbl.org*2
 postscreen_dnsbl_threshold = 3
 postscreen_dnsbl_action = enforce
 postscreen_greet_action = enforce

diff --git a/roles/newebe/files/newebe.conf b/roles/newebe/files/newebe.conf
@@ -0,0 +1,5 @@
+[program:newebe]
+autorestart=false
+command=newebe_server.py --configfile=/usr/local/etc/newebe/config.yaml
+redirect_stderr=true
+user=newebe
diff --git a/roles/newebe/files/supervisor.conf b/roles/newebe/files/supervisor.conf
@@ -0,0 +1,7 @@
+; supervisor config file
+
+[supervisord]
+nodaemon=true
+
+[include]
+files = /etc/supervisor/conf.d/*.conf
diff --git a/roles/newebe/handlers/main.yml b/roles/newebe/handlers/main.yml
diff --git a/roles/newebe/tasks/main.yml b/roles/newebe/tasks/main.yml
@@ -0,0 +1,84 @@
+- name: Install Python
+  apt: pkg=python,python-setuptools,python-pip,python-dev
+
+- name: Install Python tools
+  apt: pkg=python-imaging,python-pycurl
+
+- name: Install build tools
+  apt: pkg=build-essential,git
+
+- name: Install Python libs
+  apt: pkg=libxml2-dev,libxslt-dev,python-imaging
+
+- name: Install Supervisor
+  apt: pkg=supervisor
+
+- name: Install CouchDB
+  apt: pkg=couchdb
+
+- name: Install Newebe
+  pip: name='git+https://github.com/gelnior/newebe.git#egg=newebe'
+
+- name: Add group Newebe
+  group: name=newebe
+
+- name: Add user Newebe
+  user: name=newebe shell=/bin/bash groups=newebe
+
+- name: Create Newebe Config folder
+  file: path=/usr/local/etc/newebe/ 
+        owner=newebe 
+        group=newebe 
+        state=directory
+
+- name: Create Newebe folder
+  file: path=/usr/local/var/newebe/ 
+        owner=newebe 
+        group=newebe 
+        state=directory
+
+- name: Create Newebe log folder
+  file: path=/usr/local/var/log/newebe/ 
+        owner=newebe 
+        group=newebe 
+        state=directory
+
+- name: Set Newebe config file
+  template: src=usr_local_etc_newebe_config.j2
+            dest=/usr/local/etc/newebe/config.yaml 
+            owner=newebe 
+            group=newebe
+
+- name: Set Supervisor config file
+  copy: src=newebe.conf dest=/etc/supervisor/conf.d/newebe.conf
+
+- name: Set Newebe Supervisor config file
+  copy: src=supervisor.conf dest=/etc/supervisor/supervisor.conf
+
+- name: Reload Supervisor and start Newebe
+  command: /usr/bin/supervisorctl update
+
+- name: Ensure that newebe is started
+  supervisorctl: name=newebe state=started
+
+- name: Add mod_proxy module to Apache
+  raw: a2enmod proxy
+# When Ansible 1.6 will be available  
+# apache2_module: state=present name=proxy
+
+- name: Add proxy_http module to Apache
+  raw: a2enmod proxy_http
+# When Ansible 1.6 will be available  
+# apache2_module: state=present name=proxy_http
+#
+- name: Configure the Apache HTTP server for Newebe
+  template: src=etc_apache2_sites-available_newebe.j2
+            dest=/etc/apache2/sites-available/newebe
+            group=www-data
+            owner=www-data
+  notify: restart apache
+
+- name: Enable the site
+  command: a2ensite newebe
+           creates=/etc/apache2/sites-enabled/newebe
+  notify: restart apache
diff --git a/roles/newebe/templates/etc_apache2_sites-available_newebe.j2 b/roles/newebe/templates/etc_apache2_sites-available_newebe.j2
@@ -0,0 +1,27 @@
+<VirtualHost *:80>
+    ServerName {{ newebe_domain }}
+
+    Redirect permanent / https://{{ newebe_domain }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+
+    ServerName {{ newebe_domain }}
+    SSLEngine On
+
+    SSLProtocol ALL -SSLv2
+    SSLHonorCipherOrder On
+    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
+    SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
+    SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
+    SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+
+    ErrorLog /var/log/apache2/newebe.info-error_log
+    CustomLog /var/log/apache2/newebe.info-access_log common
+
+
+    ProxyPass / http://127.0.0.1:8282/
+    ProxyPassReverse / http://127.0.0.1:8282/
+
+</VirtualHost>
diff --git a/roles/newebe/templates/usr_local_etc_newebe_config.j2 b/roles/newebe/templates/usr_local_etc_newebe_config.j2
@@ -0,0 +1,7 @@
+main:
+    port: 8282
+    debug: False
+    ssl: False
+    path: "/usr/local/var/newebe/"
+    logpath: "/usr/local/var/log/newebe"
+    timezone: {{ zpush_timezone }}
diff --git a/roles/tarsnap/files/tarsnap.sh b/roles/tarsnap/files/tarsnap.sh
@@ -25,7 +25,7 @@ MONTHLY_DAY=01
 TARSNAP="/usr/local/bin/tarsnap"
 
 # Extra flags to pass to tarsnap
-EXTRA_FLAGS="-C /"
+EXTRA_FLAGS="-L -C /"
 
 # end of config
 

diff --git a/roles/tarsnap/tasks/tarsnap.yml b/roles/tarsnap/tasks/tarsnap.yml
@@ -1,50 +1,66 @@
+- name: Check if tarsnap {{ tarsnap_version }} is installed
+  shell: tarsnap --version | grep {{ tarsnap_version }} --color=never
+  register: tarnsap_installed
+  changed_when: "tarnsap_installed.stderr != ''"
+  ignore_errors: yes
+
 - name: Install dependencies for Tarsnap
+  when: tarnsap_installed|failed
   apt: pkg={{ item }} state=installed
   with_items:
     - libssl-dev
     - zlib1g-dev
     - e2fslibs-dev
 
 - name: Download the current tarsnap code signing key
+  when: tarnsap_installed|failed
   get_url:
     url=https://www.tarsnap.com/tarsnap-signing-key.asc
     dest=/root/tarsnap-signing-key.asc
 
 - name: Add the tarsnap code signing key to your list of keys
+  when: tarnsap_installed|failed
   command:
     gpg --import tarsnap-signing-key.asc
     chdir=/root/
 
 - name: Download tarsnap SHA file
+  when: tarnsap_installed|failed
   get_url:
     url="https://www.tarsnap.com/download/tarsnap-sigs-{{ tarsnap_version }}.asc"
     dest="/root/tarsnap-sigs-{{ tarsnap_version }}.asc"
 
 - name: Make the command that gets the current sha
+  when: tarnsap_installed|failed
   template:
     src=getSha.sh
     dest=/root/getSha.sh
     mode=0755
 
 - name: get the SHA256sum for this tarsnap release
+  when: tarnsap_installed|failed
   command:
     ./getSha.sh
     chdir=/root
   register: tarsnap_sha
 
 - name: Download Tarsnap source
+  when: tarnsap_installed|failed
   get_url:
     url="https://www.tarsnap.com/download/tarsnap-autoconf-{{ tarsnap_version }}.tgz"
     dest="/root/tarsnap-autoconf-{{ tarsnap_version }}.tgz"
     sha256sum={{ tarsnap_sha.stdout_lines[0] }}
 
 - name: Decompress Tarsnap source
+  when: tarnsap_installed|failed
   command: tar xzf /root/tarsnap-autoconf-{{ tarsnap_version }}.tgz chdir=/root creates=/root/tarsnap-autoconf-{{ tarsnap_version }}/COPYING
 
 - name: Configure Tarsnap for local build
+  when: tarnsap_installed|failed
   command: ./configure chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/root/tarsnap-autoconf-{{ tarsnap_version }}/Makefile
 
 - name: Build and install Tarsnap
+  when: tarnsap_installed|failed
   command: make all install clean chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/usr/local/bin/tarsnap
 
 - name: Copy Tarsnap key file into place

diff --git a/roles/vpn/tasks/openvpn.yml b/roles/vpn/tasks/openvpn.yml
@@ -131,6 +131,9 @@
     - iptables -A FORWARD -j REJECT
     - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
 
+- name: Allow OpenVPN through ufw
+  ufw: rule=allow port={{ openvpn_port }} proto={{ openvpn_protocol }}
+
 - name: Copy OpenVPN configuration file into place
   template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
   notify: restart openvpn

diff --git a/roles/xmpp/tasks/prosody.yml b/roles/xmpp/tasks/prosody.yml
@@ -20,3 +20,9 @@
 - name: Create Prosody accounts
   command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
   with_items: prosody_accounts
+
+- name: Set firewall rules for Prosody
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - 5222  # xmpp c2s
+    - 5269  # xmpp s2s
diff --git a/site.yml b/site.yml
@@ -22,4 +22,5 @@
     - tarsnap
     - news
     - git
+    - newebe
     - readlater
diff --git a/vars/defaults.yml b/vars/defaults.yml
@@ -106,6 +106,9 @@ cgit_version: 0.10.1
 cgit_domain: "git.{{ domain }}"
 gitolite_version: 3.5.3.1
 
+# newebe
+newebe_domain: "newebe.{{ domain }}"
+
 # wallabag
 wallabag_version: 1.6.1b
 wallabag_domain: "read.{{ domain }}"