Various minor fixes. Added vagrant support for development and testing

README.md

@@ -17,13 +17,17 @@ with some exceptions:
 * no full text search - beacuse it's JAVA
 * added Roundcube - because you might need your email the less you expect it
 * added ddclient - since mobile hardware needs mobile support
+* and as a bonus - there is also a ownCloud installation scripts available
 
 Those rules were written with Debian in mind, and were tested in Jessie (8.0). They should also
 work on Ubuntu, but I didn't try it and [you shouldn't too](https://gnu.org/philosophy/ubuntu-spyware.html).
 Also, by default E-mail and Web servers disables SSLv2, SSLv3, TLSv1 and TLSv1.1. This can cause problems with apps like Apple Mail or MSIE, but if you are concerned in privacy, this shouldn't be a big issue - since you should not use them anyway...
 
 ## Install
 
+Suggestions below would do, but if you like, I also wrote a
+[a blog post with more detailed approach](https://www.rzegocki.pl/blog/2016/05/22/build-your-own-cloud-fast-thanks-to-ansible-and-automation/).
+
 First of all you need [ansible](http://www.ansible.com/home)
 
     brew/apt-get/yum/whatever install ansible
@@ -60,3 +64,15 @@ And you're ready to rock!
     ansible-playbook -s -i ansible-inventory main.yml
 
 Have fun, and don't forget to set your TXT and PTR records for DKIM and SPF!
+
+## Testing and development
+
+For the convenience there is a preconfigured Vagrant configuration, for those who wish to run those scripts on sandbox environment.
+All you have to do is:
+
+```
+vagrant up
+ansible-playbook -s -i ansible-vagrant main.yml
+```
+
+All services will be exposed on 10xxx ports (so email will be on 10025, www on 10080 and 10443 etc.).

Vagrantfile

@@ -0,0 +1,19 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure(2) do |config|
+  config.vm.box = "debian/jessie64"
+
+  config.vm.network "forwarded_port", guest: 22, host: 10022
+  config.vm.network "forwarded_port", guest: 25, host: 10025
+  config.vm.network "forwarded_port", guest: 80, host: 10080
+  config.vm.network "forwarded_port", guest: 443, host: 10443
+  config.vm.network "forwarded_port", guest: 993, host: 10993
+
+  config.vm.provision "shell", inline: <<-SHELL
+    mkdir -p /root/.ssh || true
+    chmod 700 /root/.ssh
+    echo "#{File.read(File.join(Dir.home, '.ssh', 'id_rsa.pub'))}" > /root/.ssh/authorized_keys
+    chmod 600 /root/.ssh/authorized_keys
+  SHELL
+end

ansible-vagrant

@@ -0,0 +1,2 @@
+[local]
+localhost ansible_ssh_user=root ansible_ssh_port=10022

roles/duplicity/tasks/main.yml

@@ -1,5 +1,8 @@
-- name: Install ddclient
+- name: Install duplicity
   apt: pkg=duplicity state=latest
+- name: Set duplicity cache directory
+  file: src="{{ duplicity.cache_directory }}" dest="/root/.cache/duplicity" force=yes
+  when: duplicity.cache_directory
 - name: '/etc/cron.daily/duplicity-inc'
   template: src=roles/duplicity/templates/duplicity-inc.j2 dest=/etc/cron.daily/duplicity-inc
 - name: 'root:root 700 /etc/cron.daily/duplicity-inc'

roles/duplicity/templates/duplicity-full.j2

@@ -9,4 +9,5 @@ export WEBDAV_HOST_PATH
 
 $(which duplicity) full --ssl-no-check-certificate --encrypt-key {{ duplicity.encrypt_key }} /mail/ webdavs://${WEBDAV_USERNAME}:${WEBDAV_PASSWORD}@${WEBDAV_HOST_PATH}/mail-backup
 $(which duplicity) remove-all-but-n-full 2 --ssl-no-check-certificate --force webdavs://${WEBDAV_USERNAME}:${WEBDAV_PASSWORD}@${WEBDAV_HOST_PATH}/mail-backup
-
+$(which duplicity) full --ssl-no-check-certificate --encrypt-key {{ duplicity.encrypt_key }} --include /var/www/owncloud/data/ --exclude '**' /var webdavs://${BOX_USERNAME}:${BOX_PASSWORD}@dav.box.com/dav/owncloud-backup
+$(which duplicity) remove-all-but-n-full 2 --ssl-no-check-certificate --force webdavs://${BOX_USERNAME}:${BOX_PASSWORD}@dav.box.com/dav/owncloud-backup

roles/duplicity/templates/duplicity-inc.j2

@@ -8,3 +8,4 @@ export WEBDAV_PASSWORD
 export WEBDAV_HOST_PATH
 
 $(which duplicity) --ssl-no-check-certificate --encrypt-key {{ duplicity.encrypt_key }} /mail/ webdavs://${WEBDAV_USERNAME}:${WEBDAV_PASSWORD}@${WEBDAV_HOST_PATH}/mail-backup
+$(which duplicity) --ssl-no-check-certificate --encrypt-key {{ duplicity.encrypt_key }} --include /var/www/owncloud/data/ --exclude '**' /var webdavs://${WEBDAV_USERNAME}:${WEBDAV_PASSWORD}@${WEBDAV_HOST_PATH}/owncloud-backup

roles/duplicity/vars/main.yml

@@ -7,3 +7,8 @@ duplicity:
   webdav_password: ""
   # Encrypt key ID - A GnuPG secret key ID, which will be used for encrypting your duplicity backups (8-digit hex number)
   encrypt_key: ""
+  # Set custom duplicity cache directory. This is crucial on filesystems stored on storages which doesn't handle multiple
+  # read/write operations very well (i.e. SDCard). If you plan to store your server on such device (i.e. microSD on Raspberry Pi),
+  # you really, really, REALLY should set it to some directory hosted on different storage (i.e. HDD).
+  # If set to false, uses default /root/.cache/duplicity
+  cache_directory: false

roles/nginx/tasks/main.yml

@@ -15,7 +15,7 @@
 - name: '/etc/nginx/extra/security'
   template: src=roles/nginx/templates/security.j2 dest=/etc/nginx/extra/security
 - name: 'enable HPKP'
-  shell: echo "add_header Public-Key-Pins 'pin-sha256=\"$(openssl x509 -in /etc/ssl/certs/this-machine.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64)\" pin-sha256=\"{{ nginx.hpkp_sha256 }}\"; max-age=86400';" >> /etc/nginx/extra/security
+  shell: echo "add_header Public-Key-Pins 'pin-sha256=\"$(openssl x509 -in /etc/ssl/certs/this-machine.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64)\"; pin-sha256=\"{{ nginx.hpkp_sha256 }}\"; max-age=2592000';" >> /etc/nginx/extra/security
   when: nginx.hpkp_sha256
 - name: 'blacklist.conf'
   template: src=roles/nginx/templates/blacklist.conf.j2 dest=/tmp/blacklist.conf

roles/postfix/tasks/main.yml

@@ -2,8 +2,12 @@
   apt: pkg=postfix state=latest
 - name: Install postfix-mysql
   apt: pkg=postfix-mysql state=latest
+- name: Install postgrey
+  apt: pkg=postgrey state=latest
 - name: Install python-mysqldb
   apt: pkg=python-mysqldb state=latest
+- name: Install sasl modules
+  apt: pkg=libsasl2-modules state=latest
 - name: "/etc/postfix/main.cf: smtpd_tls_cert_file=/etc/ssl/certs/this-machine.pem"
   lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*smtpd_tls_cert_file\s*=" line="smtpd_tls_cert_file=/etc/ssl/certs/this-machine.pem"
 - name: "/etc/postfix/main.cf: smtpd_tls_key_file=/etc/ssl/private/this-machine.pem"
@@ -32,8 +36,6 @@
   lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*smtpd_sasl_type\s*=" line="smtpd_sasl_type = dovecot"
 - name: "/etc/postfix/main.cf: smtpd_sasl_path = private/auth"
   lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*smtpd_sasl_path\s*=" line="smtpd_sasl_path = private/auth"
-- name: "/etc/postfix/main.cf: smtpd_sasl_auth_enable = yes"
-  lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*smtpd_sasl_auth_enable\s*=" line="smtpd_sasl_auth_enable = yes"
 - name: "/etc/postfix/main.cf: smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_pipelining, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain"
   lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*smtpd_recipient_restrictions\s*=" line="smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_pipelining, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain"
 - name: "/etc/postfix/main.cf: mydestination = localhost"
@@ -61,7 +63,7 @@
 - name: "/etc/postfix/main.cf: smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname"
   lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*smtpd_helo_restrictions\s=" line="smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname"
 - name: "/etc/postfix/main.cf: smtpd_sender_restrictions = reject_unknown_address"
-  lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*smtpd_sender_restrictions\s=" line="smtpd_helo_restrictions = reject_unknown_address"
+  lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*smtpd_sender_restrictions\s=" line="smtpd_sender_restrictions = reject_unknown_address"
 - name: "/etc/postfix/main.cf: disable_vrfy_command = yes"
   lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*disable_vrfy_command\s=" line="disable_vrfy_command = yes"
 - name: "/etc/postfix/main.cf: strict_rfc821_envelopes = yes"
@@ -87,6 +89,9 @@
 - name: "/etc/postfix/main.cf: smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"
   lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*smtp_tls_CAfile\s=" line="smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"
 
+- name: "/etc/postfix/main.cf: smtpd_sasl_auth_enable = yes"
+  lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*smtpd_sasl_auth_enable\s*=" line="smtpd_sasl_auth_enable = yes"
+  when: postfix.relay_host
 - name: "/etc/postfix/main.cf: smtp_sasl_password_maps = hash:/etc/postfix/relay_password"
   lineinfile: dest=/etc/postfix/main.cf regexp="^#?\s*smtp_sasl_password_maps\s=" line="smtp_sasl_password_maps = hash:/etc/postfix/relay_password"
   when: postfix.relay_host

roles/security/tasks/main.yml

@@ -7,15 +7,15 @@
 - name: Install logwatch
   apt: pkg=logwatch state=latest
 - name: Add default user
-  user: name="{{ security.user_login }}"
+  user: name="{{ security.user_login }}" shell=/bin/bash
 - name: Set user password
   shell: "echo \"{{ security.user_login }}:{{ security.user_password }}\" | chpasswd"
 - name: Create user .ssh directory
   file: path="~{{ security.user_login }}/.ssh" mode=0700 state=directory owner="{{ security.user_login }}"
 - name: Create user authorized_keys
   template: src=roles/security/templates/authorized_keys.j2 dest="~{{ security.user_login }}/.ssh/authorized_keys" owner="{{ security.user_login }}" mode=0400
-- name: "/etc/sudoers"
-  template: src=roles/security/templates/sudoers.j2 dest=/etc/sudoers
+- name: "/etc/sudoers.d/user"
+  template: src=roles/security/templates/sudoers.j2 dest=/etc/sudoers.d/user
 - name: "/etc/ssh/sshd_config: Protocol 2"
   lineinfile: dest=/etc/ssh/sshd_config regexp="^Protocol " line="Protocol 2"
 - name: "/etc/ssh/sshd_config: PermitRootLogin no"

roles/security/templates/sudoers.j2

@@ -1,2 +1 @@
-root    ALL=(ALL) ALL
 {{ security.user_login }} ALL=(ALL) ALL