From 1dff8396d7882a3a14346d5d7b73ed7fc380fd72 Mon Sep 17 00:00:00 2001
From: phil
Date: Wed, 16 Aug 2023 20:41:30 +0200
Subject: [PATCH] first commit
---
README.md | 4 ++
defaults/main.yml | 8 ++++
handlers/main.yml | 2 +
meta/main.yml | 10 +++++
tasks/database.yml | 20 +++++++++
tasks/install.yml | 56 +++++++++++++++++++++++
tasks/main.yml | 16 +++++++
tasks/phpfpm.yml | 47 +++++++++++++++++++
tasks/user.yml | 14 ++++++
templates/conf.php.j2 | 72 ++++++++++++++++++++++++++++++
templates/fpmpool.j2 | 25 +++++++++++
templates/systemd/override.conf.j2 | 10 +++++
12 files changed, 284 insertions(+)
create mode 100644 README.md
create mode 100644 defaults/main.yml
create mode 100644 handlers/main.yml
create mode 100644 meta/main.yml
create mode 100644 tasks/database.yml
create mode 100644 tasks/install.yml
create mode 100644 tasks/main.yml
create mode 100644 tasks/phpfpm.yml
create mode 100644 tasks/user.yml
create mode 100644 templates/conf.php.j2
create mode 100644 templates/fpmpool.j2
create mode 100644 templates/systemd/override.conf.j2
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..20db554
--- /dev/null
+++ b/README.md
@@ -0,0 +1,4 @@
+Ansible Role dmarc-srg
+======================
+
+A role to install [dmarc-srg](https://github.com/liuch/dmarc-srg), a DMARC report analyzer.
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..6368b83
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+dmarcsrg_user: dmarcsrg
+dmarcsrg_home: /opt/dmarc-srg
+overrides_path: "{{ dmarcsrg_home }}/local.d"
+dmarcsrg_github_api_url: https://api.github.com/repos/liuch/dmarc-srg/releases/latest
+
+dmarcsrg_database: dmarcsrg
+dmarcsrg_database_password: "{{ lookup('password', '/tmp/dmarcsrg_db_pwd length=42 chars=ascii_letters,digits') }}"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..050cdd1
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for .
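Review bot: `dmarcsrg_database_password` in defaults/main.yml derives the database credential from `lookup('password', '/tmp/dmarcsrg_db_pwd …')`, a single controller-side file under `/tmp` that is not keyed by host, so every host this role manages receives the same password, and once the controller's `/tmp` is cleaned the next run silently mints a new one that the `mysql_user` task in tasks/database.yml then rotates. A per-host path kept with the inventory, e.g. `lookup('password', inventory_dir ~ '/credentials/' ~ inventory_hostname ~ '/dmarcsrg_db_pwd length=42 chars=ascii_letters,digits')`, scopes the secret per host and keeps it somewhere that can be vaulted and backed up rather than in a scratch directory. `overrides_path` is the only default without the role prefix; for role-variable namespacing it should be `dmarcsrg_overrides_path`.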
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..3d2a536
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,10 @@
+galaxy_info:
+ author: Sense.Lab admins
+ description: A role to install dmarc-srg
+ company: Sense.Lab e.V.
+ license: GPLv3
+ min_ansible_version: "2.11"
+ platforms:
+ - name: Debian
+ versions:
+ - bookworm
diff --git a/tasks/database.yml b/tasks/database.yml
new file mode 100644
index 0000000..20e005b
--- /dev/null
+++ b/tasks/database.yml
@@ -0,0 +1,20 @@
+---
+- name: "Database | Crate database"
+ community.mysql.mysql_db:
+ name: "{{ dmarcsrg_database }}"
+ state: present
+ login_unix_socket: "{{ mysql_socket }}"
+ login_user: root
+ register: mariadb_created
+ delegate_to: "{{ database_host }}"
+
+- name: "Database | Create database user"
+ community.mysql.mysql_user:
+ name: "{{ dmarcsrg_database }}"
+ password: "{{ dmarcsrg_database_password }}"
+ priv: "{{ dmarcsrg_database }}.*:ALL"
+ host: "{{ inventory_hostname }}"
+ state: present
+ login_unix_socket: "{{ mysql_socket }}"
+ login_user: root
+ delegate_to: "{{ database_host }}"
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..87e8487
--- /dev/null
+++ b/tasks/install.yml
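Review bot: The `mysql_user` task in tasks/database.yml grants access with `host: "{{ inventory_hostname }}"`, which only matches when MariaDB resolves the application host's connections to exactly that inventory name; when `database_host` is the same machine as the application (the socket login suggests a local server) the grant host needs to be `localhost`, and when it is remote it needs the address the server actually sees, so this deserves its own variable, e.g. `host: "{{ dmarcsrg_database_client_host | default('localhost') }}"` (constructed name). `mysql_socket` and `database_host` are not declared in defaults/main.yml, so the role stops with an undefined variable unless the play supplies them; declaring them or documenting them in the README makes the dependency explicit. The first task's name has a typo (`Crate` → `Create`), and the `mariadb_created` result it registers is unused here, although it could gate the database initialisation in tasks/install.yml.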
@@ -0,0 +1,56 @@
+---
+- name: "Install | Check for latest version"
+ ansible.builtin.shell:
+ cmd: curl -sL "{{ dmarcsrg_github_api_url }}" | jq -r ".tag_name"
+ changed_when: false
+ register: latest_version
+
+- name: "Install | Get download URL"
+ ansible.builtin.shell:
+ cmd: curl -sL "{{ dmarcsrg_github_api_url }}" | jq -r ".tarball_url"
+ changed_when: false
+ register: download_url
+
+- name: "Install | Create directories"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ mode: "0755"
+ loop:
+ - "{{ dmarcsrg_home }}"
+ - "{{ dmarcsrg_home }}/{{ latest_version.stdout }}"
+ - "{{ overrides_path }}"
+
+- name: "Install | Download install files"
+ ansible.builtin.unarchive:
+ src: "{{ download_url.stdout }}"
+ dest: "{{ dmarcsrg_home }}/{{ latest_version.stdout }}"
+ remote_src: true
+ extra_opts:
+ - "--strip-components=1"
+
+- name: "Install | Copy configuration file"
+ ansible.builtin.template:
+ src: conf.php.j2
+ dest: "{{ overrides_path }}/conf.php"
+ mode: "0640"
+ owner: "{{ dmarcsrg_user }}"
+ group: "{{ dmarcsrg_user }}"
+
+- name: "Install | Link data"
+ ansible.builtin.file:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ state: link
+ loop:
+ - src: "{{ dmarcsrg_home }}/{{ latest_version.stdout }}"
+ dest: "{{ dmarcsrg_home }}/current"
+ - src: "{{ overrides_path }}/conf.php"
+ dest: "{{ dmarcsrg_home }}/{{ latest_version.stdout }}/conf.php"
+
+- name: "Install | Initiate database"
+ ansible.builtin.command:
+ cmd: php utils/database_admin.php init
+ chdir: "{{ dmarcsrg_home }}/current"
+ become: true
+ become_user: "{{ dmarcsrg_user }}"
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..7416f8b
--- /dev/null
+++ b/tasks/main.yml
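Review bot: The two `ansible.builtin.shell` tasks at the top of tasks/install.yml pipe `curl` into `jq` on the target to resolve the unpinned `latest` release, and `unarchive` then unpacks the tarball straight from that URL with no version pin and no integrity check, so each run installs whatever GitHub serves at that moment and additionally requires `curl` and `jq` on the host. One `ansible.builtin.uri` call with `return_content: true` yields both `tag_name` and `tarball_url` from `.json` without the shell pipeline, and recording the resolved tag as a fact makes the installed version visible for pinning later. The final `Initiate database` command has no `creates:` or `changed_when:`, so `database_admin.php init` re-runs on every play; gating it on the `mariadb_created` result registered in tasks/database.yml limits it to first installation. The directories are created root-owned without `owner:`, which is acceptable while the application only reads them but deserves a comment saying so.
```yaml
- name: "Install | Query release metadata"
  ansible.builtin.uri:
    url: "{{ dmarcsrg_github_api_url }}"
    return_content: true
  register: dmarcsrg_release
  changed_when: false

- name: "Install | Resolve version and tarball"
  ansible.builtin.set_fact:
    dmarcsrg_release_tag: "{{ dmarcsrg_release.json.tag_name }}"
    dmarcsrg_release_tarball: "{{ dmarcsrg_release.json.tarball_url }}"

# … unchanged: directory creation, unarchive, template and link tasks,
#   with latest_version.stdout -> dmarcsrg_release_tag and download_url.stdout -> dmarcsrg_release_tarball …

- name: "Install | Initiate database"
  ansible.builtin.command:
    cmd: php utils/database_admin.php init
    chdir: "{{ dmarcsrg_home }}/current"
  become: true
  become_user: "{{ dmarcsrg_user }}"
  when: mariadb_created is changed
```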
@@ -0,0 +1,16 @@
+---
+- name: Create user
+ ansible.builtin.import_tasks: user.yml
+ tags: user
+
+- name: Create database
+ ansible.builtin.import_tasks: database.yml
+ tags: database
+
+- name: Install dmarc-srg
+ ansible.builtin.import_tasks: install.yml
+ tags: install
+
+- name: Configure PHP-FPM
+ ansible.builtin.import_tasks: phpfpm.yml
+ tags: phpfpm
diff --git a/tasks/phpfpm.yml b/tasks/phpfpm.yml
new file mode 100644
index 0000000..1cb4672
--- /dev/null
+++ b/tasks/phpfpm.yml
@@ -0,0 +1,47 @@
+---
+- name: "PHPFPM | Create logfile"
+ ansible.builtin.file:
+ path: "{{ php_fpm_log_dir }}/{{ dmarcsrg_user }}.log"
+ state: touch
+ mode: "0644"
+ owner: "{{ dmarcsrg_user }}"
+ group: "{{ dmarcsrg_user }}"
+
+- name: "PHPFPM | Copy configuration"
+ ansible.builtin.template:
+ src: fpmpool.j2
+ dest: "/etc/php/{{ php_version.stdout }}/fpm/pool.d/{{ dmarcsrg_user }}.cfg"
+ mode: "0644"
+ notify:
+ - stop php-fpm-socket
+ - stop php-fpm-service
+ - start php-fpm-socket
+
+- name: "PHPFPM | Create systemd override directory"
+ ansible.builtin.file:
+ path: "/etc/systemd/system/php-fpm@{{ dmarcsrg_user }}.service.d"
+ state: directory
+ mode: "0755"
+
+- name: "PHPFPM | Copy systemd override configuration"
+ ansible.builtin.template:
+ src: systemd/override.conf.j2
+ dest: "/etc/systemd/system/php-fpm@{{ dmarcsrg_user }}.service.d/override.conf"
+ mode: "0644"
+ notify:
+ - stop php-fpm-socket
+ - stop php-fpm-service
+ - start php-fpm-socket
+
+- name: "PHPFPM | Enable systemd socket"
+ ansible.builtin.systemd:
+ name: "php-fpm@{{ dmarcsrg_user }}.socket"
+ enabled: true
+ state: started
+ daemon_reload: true
+
+- name: "PHPFPM | Enable systemd service"
+ ansible.builtin.systemd:
+ name: "php-fpm@{{ dmarcsrg_user }}.service"
+ enabled: true
+ daemon-reload: true
diff --git a/tasks/user.yml b/tasks/user.yml
new file mode 100644
index 0000000..28489ba
--- /dev/null
+++ b/tasks/user.yml
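Review bot: The last task in tasks/phpfpm.yml passes `daemon-reload: true` to `ansible.builtin.systemd`; the module option is `daemon_reload` (spelled correctly in the socket task just above), so this task fails with an unsupported-parameter error — fix: `daemon_reload: true`. Both `template` tasks notify `stop php-fpm-socket`, `stop php-fpm-service` and `start php-fpm-socket`, but this commit's handlers/main.yml contains only a comment, so those handlers must come from another role in the same play or the notification fails at runtime; either define them here or declare the dependency in meta/main.yml. `php_version.stdout` and `php_fpm_log_dir` are likewise not declared anywhere in this role. The `.cfg` extension on the pool file is unusual for php-fpm's pool.d, which conventionally uses `.conf`; worth confirming the include glob picks it up.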
@@ -0,0 +1,14 @@
+---
+- name: "User | Create system user"
+ ansible.builtin.user:
+ name: "{{ dmarcsrg_user }}"
+ shell: /bin/false
+ create_home: false
+ password_lock: true
+ system: true
+
+- name: "User | Add www-data to user group"
+ ansible.builtin.user:
+ name: www-data
+ groups: "{{ dmarcsrg }}"
+ append: true
diff --git a/templates/conf.php.j2 b/templates/conf.php.j2
new file mode 100644
index 0000000..16a03fa
--- /dev/null
+++ b/templates/conf.php.j2
@@ -0,0 +1,72 @@
+ '{{ database_host }}',
+ 'type' => 'mysql',
+ 'name' => '{{ dmarcsrg_database }}',
+ 'user' => '{{ dmarcsrg_datababse }}',
+ 'password' => '{{ dmarcsrg_datababse_password }}',
+ 'table_prefix' => ''
+];
+
+/**
+ * It is only required if you want to get reports from a mailbox automatically.
+ * In order to collect reports from several mailboxes, you should put each
+ * mailbox settings in an array.
+ */
+$mailboxes = [
+ 'name' => 'Dmarc-Rua',
+ 'host' => 'yourdomain.net',
+ 'encryption' => 'ssl',
+ 'novalidate-cert' => false,
+ 'username' => 'dmarc-rua@yourdomain.net',
+ 'password' => 'password',
+ 'mailbox' => 'INBOX',
+ 'auth_exclude' => []
+];
+
+$admin = [
+ 'password' => 'null',
+ 'user_management' => false
+];
+
+//
+$fetcher = [
+ 'mailboxes' => [
+ 'messages_maximum' => 10,
+ 'when_done' => 'mark_seen',
+ 'when_failed' => 'move_to:failed'
+ ],
+ 'allowed_domains' => ''
+];
+
+$mailer = [
+ 'from' => 'postmaster@yourdomain.net',
+ 'default' => 'user@yourdomain.net'
+];
+
+//
+$cleaner = [
+ 'mailboxes' => [
+ 'days_old' => 30,
+ 'delete_maximum' => 50,
+ 'leave_minimum' => 100,
+ 'done' => 'seen',
+ 'failed' => 'none'
+ ],
+
+ 'reports' => [
+ 'days_old' => 30,
+ 'delete_maximum' => 50,
+ 'leave_minimum' => 100
+ ],
+
+ 'reportlog' => [
+ 'days_old' => 30,
+ 'delete_maximum' => 50,
+ 'leave_minimum' => 100
+ ]
+];
diff --git a/templates/fpmpool.j2 b/templates/fpmpool.j2
new file mode 100644
index 0000000..7a151da
--- /dev/null
+++ b/templates/fpmpool.j2
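Review bot: The second task in tasks/user.yml sets `groups: "{{ dmarcsrg }}"`, but no variable named `dmarcsrg` exists; the group created by the first task is named after `dmarcsrg_user`, so this should read `groups: "{{ dmarcsrg_user }}"` — as written the play stops with an undefined-variable error before www-data is added. A short comment on why www-data joins the group (it needs to read the 0640 `conf.php` templated in tasks/install.yml) would make the intent clear to the next maintainer. `shell: /bin/false` works, but `/usr/sbin/nologin` is the Debian-conventional choice for a service account and logs a clearer message on any login attempt.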
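Review bot: `'user' => '{{ dmarcsrg_datababse }}'` and `'password' => '{{ dmarcsrg_datababse_password }}'` in templates/conf.php.j2 reference misspelled variables; the user and password created in tasks/database.yml are `dmarcsrg_database` and `dmarcsrg_database_password`, so the template currently fails to render. The `$mailboxes` block writes placeholder values (`'host' => 'yourdomain.net'`, `'password' => 'password'`) into the deployed configuration; these should be role variables, or the block omitted until they are set, so a placeholder never becomes a live IMAP credential on a real host. `'password' => 'null'` under `$admin` is the string `null`, not PHP `null`; if the upstream sample configuration uses `null` to mean "no admin login", this quoted value is instead a weak literal password — worth confirming against the upstream sample. The opening lines of the file (`<?php` and the start of the `$database` array) are not visible in this rendering of the hunk.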
@@ -0,0 +1,25 @@
+;{{ ansible_managed }}
+
+[global]
+error_log = ${FPM_ERROR_LOG}
+
+[{{ dmarcsrg_user }}]
+listen = ${FPM_SOCKET_PATH}
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 10s
+pm.max_requests = 200
+pm.status_path = /status
+chdir = /
+clear_env = no
+security.limit_extensions = .php .php3 .php4 .php5
+php_admin_value[opcache.validate_permission] = 1
+php_admin_value[opcache.validate_root] = 1
+php_admin_value[session.cookie_samesite] = Lax
+php_admin_value[openssl.capath] = /etc/ssl/certs
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[memory_limit] = 256M
+php_admin_value[upload_max_filesize] = {{ postfix_message_size_limit | human_readable(unit='M') | replace (' MB','') | int | round }}M
+php_admin_value[post_max_size] = {{ postfix_message_size_limit | human_readable(unit='M') | replace (' MB','') | int | round }}M
+php_admin_value[disable_functions] = mail,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_exec,passthru,system,proc_nice,proc_terminate,curl_ini,parse_ini_file,show_source,dl,symlink,system_exec,exec,shell_exec,phpinfo
diff --git a/templates/systemd/override.conf.j2 b/templates/systemd/override.conf.j2
new file mode 100644
index 0000000..281f6ad
--- /dev/null
+++ b/templates/systemd/override.conf.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Service]
+LockPersonality=true
+NoNewPrivileges=true
+ProtectSystem=strict
+ReadWritePaths=-{{ php_fpm_log_dir }}/
+ReadWritePaths=-/var/run/
+ReadWritePaths=-/run/
+InaccessiblePaths=-/root/
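Review bot: The `upload_max_filesize` and `post_max_size` lines in templates/fpmpool.j2 end their filter chain with `| int | round`; Jinja's `round` returns a float, so the value renders as e.g. `10.0M`, which is not a clean PHP size shorthand — drop `| round` (or move `| int` to the end) so it renders as `10M`. Both lines also depend on `postfix_message_size_limit`, which this role does not declare, so the pool template only renders when the Postfix role has run first; a role default would remove that coupling. In `disable_functions`, `pcntl_exec` appears twice and `curl_ini` and `system_exec` are not PHP function names (likely typos that silently do nothing), and `mail` is disabled while the same commit configures a `$mailer` section in conf.php.j2 — worth confirming dmarc-srg does not send through `mail()`. `clear_env = no` passes the whole service environment to scripts; if only specific variables are needed, explicit `env[...]` entries in the pool are the narrower option.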
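Review bot: The `[Service]` override in templates/systemd/override.conf.j2 sets `ProtectSystem=strict` but only re-opens the log directory and `/run`; PHP session storage under `/var/lib/php` is not in `ReadWritePaths`, so if dmarc-srg's admin login relies on PHP sessions, session writes will fail once this override is active — worth testing with the login enabled before relying on it. `ReadWritePaths=-/var/run/` duplicates `-/run/` on Debian, where `/var/run` is a symlink to `/run`, and writable access to all of `/run` is broader than the socket directory the pool actually needs. `InaccessiblePaths=-/root/` could be replaced by `ProtectHome=true`, which also covers `/home` and `/run/user`, and `PrivateTmp=true` is a cheap addition for a PHP worker. A comment listing the paths the application is known to write would make future tightening of this unit safer.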