first commit

README.md

@@ -0,0 +1,4 @@
+Ansible Role dmarc-srg
+======================
+
+A role to install [dmarc-srg](https://github.com/liuch/dmarc-srg), a DMARC report analyzer.

defaults/main.yml

@@ -0,0 +1,8 @@
+---
+dmarcsrg_user: dmarcsrg
+dmarcsrg_home: /opt/dmarc-srg
+overrides_path: "{{ dmarcsrg_home }}/local.d"
+dmarcsrg_github_api_url: https://api.github.com/repos/liuch/dmarc-srg/releases/latest
+
+dmarcsrg_database: dmarcsrg
+dmarcsrg_database_password: "{{ lookup('password', '/tmp/dmarcsrg_db_pwd length=42 chars=ascii_letters,digits') }}"

handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for .

meta/main.yml

@@ -0,0 +1,10 @@
+galaxy_info:
+  author: Sense.Lab admins
+  description: A role to install dmarc-srg
+  company: Sense.Lab e.V.
+  license: GPLv3
+  min_ansible_version: "2.11"
+  platforms:
+   - name: Debian
+     versions:
+       - bookworm

tasks/database.yml

@@ -0,0 +1,20 @@
+---
+- name: "Database | Crate database"
+  community.mysql.mysql_db:
+    name: "{{ dmarcsrg_database }}"
+    state: present
+    login_unix_socket: "{{ mysql_socket }}"
+    login_user: root
+  register: mariadb_created
+  delegate_to: "{{ database_host }}"
+
+- name: "Database  | Create database user"
+  community.mysql.mysql_user:
+    name: "{{ dmarcsrg_database }}"
+    password: "{{ dmarcsrg_database_password }}"
+    priv: "{{ dmarcsrg_database }}.*:ALL"
+    host: "{{ inventory_hostname }}"
+    state: present
+    login_unix_socket: "{{ mysql_socket }}"
+    login_user: root
+  delegate_to: "{{ database_host }}"

tasks/install.yml

@@ -0,0 +1,56 @@
+---
+- name: "Install | Check for latest version"
+  ansible.builtin.shell:
+    cmd: curl -sL "{{ dmarcsrg_github_api_url }}" | jq -r ".tag_name"
+  changed_when: false
+  register: latest_version
+
+- name: "Install | Get download URL"
+  ansible.builtin.shell:
+    cmd: curl -sL "{{ dmarcsrg_github_api_url }}" | jq -r ".tarball_url"
+  changed_when: false
+  register: download_url
+
+- name: "Install | Create directories"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+  loop:
+    - "{{ dmarcsrg_home }}"
+    - "{{ dmarcsrg_home }}/{{ latest_version.stdout }}"
+    - "{{ overrides_path }}"
+
+- name: "Install | Download install files"
+  ansible.builtin.unarchive:
+    src: "{{ download_url.stdout }}"
+    dest: "{{ dmarcsrg_home }}/{{ latest_version.stdout }}"
+    remote_src: true
+    extra_opts:
+      - "--strip-components=1"
+
+- name: "Install | Copy configuration file"
+  ansible.builtin.template:
+    src: conf.php.j2
+    dest: "{{ overrides_path }}/conf.php"
+    mode: "0640"
+    owner: "{{ dmarcsrg_user }}"
+    group: "{{ dmarcsrg_user }}"
+
+- name: "Install | Link data"
+  ansible.builtin.file:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    state: link
+  loop:
+    - src: "{{ dmarcsrg_home }}/{{ latest_version.stdout }}"
+      dest: "{{ dmarcsrg_home }}/current"
+    - src: "{{ overrides_path }}/conf.php"
+      dest: "{{ dmarcsrg_home }}/{{ latest_version.stdout }}/conf.php"
+
+- name: "Install | Initiate database"
+  ansible.builtin.command:
+    cmd: php utils/database_admin.php init
+    chdir: "{{ dmarcsrg_home }}/current"
+  become: true
+  become_user: "{{ dmarcsrg_user }}"

tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Create user
+  ansible.builtin.import_tasks: user.yml
+  tags: user
+
+- name: Create database
+  ansible.builtin.import_tasks: database.yml
+  tags: database
+
+- name: Install dmarc-srg
+  ansible.builtin.import_tasks: install.yml
+  tags: install
+
+- name: Configure PHP-FPM
+  ansible.builtin.import_tasks: phpfpm.yml
+  tags: phpfpm

tasks/phpfpm.yml

@@ -0,0 +1,47 @@
+---
+- name: "PHPFPM | Create logfile"
+  ansible.builtin.file:
+    path: "{{ php_fpm_log_dir }}/{{ dmarcsrg_user }}.log"
+    state: touch
+    mode: "0644"
+    owner: "{{ dmarcsrg_user }}"
+    group: "{{ dmarcsrg_user }}"
+
+- name: "PHPFPM | Copy configuration"
+  ansible.builtin.template:
+    src: fpmpool.j2
+    dest: "/etc/php/{{ php_version.stdout }}/fpm/pool.d/{{ dmarcsrg_user }}.cfg"
+    mode: "0644"
+  notify:
+    - stop php-fpm-socket
+    - stop php-fpm-service
+    - start php-fpm-socket
+
+- name: "PHPFPM | Create systemd override directory"
+  ansible.builtin.file:
+    path: "/etc/systemd/system/php-fpm@{{ dmarcsrg_user }}.service.d"
+    state: directory
+    mode: "0755"
+
+- name: "PHPFPM | Copy systemd override configuration"
+  ansible.builtin.template:
+    src: systemd/override.conf.j2
+    dest: "/etc/systemd/system/php-fpm@{{ dmarcsrg_user }}.service.d/override.conf"
+    mode: "0644"
+  notify:
+    - stop php-fpm-socket
+    - stop php-fpm-service
+    - start php-fpm-socket
+
+- name: "PHPFPM | Enable systemd socket"
+  ansible.builtin.systemd:
+    name: "php-fpm@{{ dmarcsrg_user }}.socket"
+    enabled: true
+    state: started
+    daemon_reload: true
+
+- name: "PHPFPM | Enable systemd service"
+  ansible.builtin.systemd:
+    name: "php-fpm@{{ dmarcsrg_user }}.service"
+    enabled: true
+    daemon-reload: true

tasks/user.yml

@@ -0,0 +1,14 @@
+---
+- name: "User | Create system user"
+  ansible.builtin.user:
+    name: "{{ dmarcsrg_user }}"
+    shell: /bin/false
+    create_home: false
+    password_lock: true
+    system: true
+
+- name: "User | Add www-data to user group"
+  ansible.builtin.user:
+    name: www-data
+    groups: "{{ dmarcsrg }}"
+    append: true

templates/conf.php.j2

@@ -0,0 +1,72 @@
+<?php
+
+// {{ ansible_managed }}
+
+$debug = 0;
+$database = [
+    'host'         => '{{ database_host }}',
+    'type'         => 'mysql',
+    'name'         => '{{ dmarcsrg_database }}',
+    'user'         => '{{ dmarcsrg_datababse }}',
+    'password'     => '{{ dmarcsrg_datababse_password }}',
+    'table_prefix' => ''
+];
+
+/**
+ * It is only required if you want to get reports from a mailbox automatically.
+ * In order to collect reports from several mailboxes, you should put each
+ * mailbox settings in an array.
+ */
+$mailboxes = [
+    'name'            => 'Dmarc-Rua',
+    'host'            => 'yourdomain.net',
+    'encryption'      => 'ssl',
+    'novalidate-cert' => false,
+    'username'        => 'dmarc-rua@yourdomain.net',
+    'password'        => 'password',
+    'mailbox'         => 'INBOX',
+    'auth_exclude'    => []
+];
+
+$admin = [
+    'password' => 'null',
+    'user_management' => false
+];
+
+//
+$fetcher = [
+    'mailboxes' => [
+        'messages_maximum' => 10,
+        'when_done' => 'mark_seen',
+        'when_failed' => 'move_to:failed'
+    ],
+    'allowed_domains' => ''
+];
+
+$mailer = [
+    'from'    => 'postmaster@yourdomain.net',
+    'default' => 'user@yourdomain.net'
+];
+
+//
+$cleaner = [
+    'mailboxes' => [
+        'days_old'       => 30,
+        'delete_maximum' => 50,
+        'leave_minimum'  => 100,
+        'done'           => 'seen',
+        'failed'         => 'none'
+    ],
+
+    'reports' => [
+        'days_old'       => 30,
+        'delete_maximum' => 50,
+        'leave_minimum'  => 100
+    ],
+
+    'reportlog' => [
+        'days_old'       => 30,
+        'delete_maximum' => 50,
+        'leave_minimum'  => 100
+    ]
+];

templates/fpmpool.j2

@@ -0,0 +1,25 @@
+;{{ ansible_managed }}
+
+[global]
+error_log = ${FPM_ERROR_LOG}
+
+[{{ dmarcsrg_user }}]
+listen = ${FPM_SOCKET_PATH}
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 10s
+pm.max_requests = 200
+pm.status_path = /status
+chdir = /
+clear_env = no
+security.limit_extensions = .php .php3 .php4 .php5
+php_admin_value[opcache.validate_permission] = 1
+php_admin_value[opcache.validate_root] = 1
+php_admin_value[session.cookie_samesite] = Lax
+php_admin_value[openssl.capath] = /etc/ssl/certs
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[memory_limit] = 256M
+php_admin_value[upload_max_filesize] = {{ postfix_message_size_limit | human_readable(unit='M') | replace (' MB','') | int | round }}M
+php_admin_value[post_max_size] = {{ postfix_message_size_limit | human_readable(unit='M') | replace (' MB','') | int | round }}M
+php_admin_value[disable_functions] = mail,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_exec,passthru,system,proc_nice,proc_terminate,curl_ini,parse_ini_file,show_source,dl,symlink,system_exec,exec,shell_exec,phpinfo

templates/systemd/override.conf.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+[Service]
+LockPersonality=true
+NoNewPrivileges=true
+ProtectSystem=strict
+ReadWritePaths=-{{ php_fpm_log_dir }}/
+ReadWritePaths=-/var/run/
+ReadWritePaths=-/run/
+InaccessiblePaths=-/root/