From 557b285ad6b7f3fcef8021cbb184a911fd6fe789 Mon Sep 17 00:00:00 2001
From: Matt Birkholz <matt@birchwood-abbey.net>
Date: Tue, 29 Oct 2024 21:25:53 -0700
Subject: [PATCH] Encrypt emails archiving the public Apache logs.

---
 README.org                                 | 41 ++++++++++++----------
 roles_t/abbey-front/files/logrotate-mailer | 35 ++++++++++--------
 2 files changed, 42 insertions(+), 34 deletions(-)

diff --git a/README.org b/README.org
index ae69275..8aa7824 100644
--- a/README.org
+++ b/README.org
@@ -552,9 +552,7 @@ needed because Postfix does not provide an emulation of ~mail(1)~ and
 some translation to ~sendmail(1)~ was required.  Since then the script
 has learned to compute the date-dependent file name, compress the log,
 convert it to base64, and encapsulate it in MIME format, before
-sending it on to ~sendmail~.  Note that there is no encryption (yet).
-This is a low priority because much of the data is available to
-Droplet's ISP's Mom, the NSA/CIA/NWO.
+encrypting and sending to ~sendmail~.
 
 #+CAPTION: [[file:roles_t/abbey-front/files/logrotate-mailer][=roles_t/abbey-front/files/logrotate-mailer=]]
 #+BEGIN_SRC sh :tangle roles_t/abbey-front/files/logrotate-mailer
@@ -573,22 +571,27 @@ else
 fi
 
 ( echo "Subject: $2"
-  echo "Content-Type: multipart/mixed; boundary=\"boundary\""
-  echo "MIME-Version: 1.0"
   echo ""
-  echo "--boundary"
-  echo "Content-Type: text/plain"
-  echo "Content-Transfer-Encoding: 8bit"
-  echo ""
-  echo "$F"
-  echo "--boundary"
-  echo "Content-Type: application/gzip; name=\"$F\""
-  echo "Content-Disposition: attachment; filename=\"$F\""
-  echo "Content-Transfer-Encoding: base64"
-  echo ""
-  gzip | base64
-  echo ""
-  echo "--boundary--" ) | sendmail "$3"
+  ( echo "Content-Type: multipart/mixed; boundary=\"boundary\""
+    echo "MIME-Version: 1.0"
+    echo ""
+    echo "--boundary"
+    echo "Content-Type: text/plain"
+    echo "Content-Transfer-Encoding: 8bit"
+    echo ""
+    echo "$F"
+    echo "--boundary"
+    echo "Content-Type: application/gzip; name=\"$F\""
+    echo "Content-Disposition: attachment; filename=\"$F\""
+    echo "Content-Transfer-Encoding: base64"
+    echo ""
+    gzip | base64
+    echo ""
+    echo "--boundary--" ) \
+  | gpg --encrypt --armor \
+	--trust-model always --recipient root@core ) \
+| sendmail root \
+|| exit $?
 #+END_SRC
 
 ** Install Let's Encrypt
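Review bot: `--trust-model always` combined with `--recipient root@core` on the new gpg line encrypts to whichever key in root's keyring carries that user ID, with no validity check, so a mistakenly imported or superseded key with the same address would silently receive every archived log. Pin the recipient to the key's full fingerprint rather than the mail address, e.g. `--recipient <full fingerprint of the root@core key>` (as printed by `gpg --fingerprint root@core`), and keep `--trust-model always` only to suppress the validity prompt for that one pinned key. Because logrotate runs this without a terminal, add `--batch --no-tty` so gpg fails cleanly instead of attempting to prompt. The outer message has no `Content-Type` header, so the recipient receives inline ASCII armour rather than PGP/MIME; that is probably acceptable for a root mailbox read by hand, but deserves a one-line comment above the pipeline. The script's argument handling and the computation of `$F` sit above this hunk.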
@@ -729,7 +732,7 @@ The following task arranges to rotate Certbot's logs files.
 ** Archive Let's Encrypt Data
 
 A backup copy of Let's Encrypt's data (=/etc/letsencrypt/=) is sent to
-~root@core~ in S/MIME encrypted email every time it changes.  Changes
+~root@core~ in OpenPGP encrypted email every time it changes.  Changes
 are detected by keeping a copy in =/etc/letsencrypt~/= for comparison.
 
 #+CAPTION: [[file:roles_t/abbey-front/tasks/main.yml][=roles_t/abbey-front/tasks/main.yml=]]
diff --git a/roles_t/abbey-front/files/logrotate-mailer b/roles_t/abbey-front/files/logrotate-mailer
index 4505083..f4f47db 100644
--- a/roles_t/abbey-front/files/logrotate-mailer
+++ b/roles_t/abbey-front/files/logrotate-mailer
@@ -13,19 +13,24 @@ else
 fi
 
 ( echo "Subject: $2"
-  echo "Content-Type: multipart/mixed; boundary=\"boundary\""
-  echo "MIME-Version: 1.0"
   echo ""
-  echo "--boundary"
-  echo "Content-Type: text/plain"
-  echo "Content-Transfer-Encoding: 8bit"
-  echo ""
-  echo "$F"
-  echo "--boundary"
-  echo "Content-Type: application/gzip; name=\"$F\""
-  echo "Content-Disposition: attachment; filename=\"$F\""
-  echo "Content-Transfer-Encoding: base64"
-  echo ""
-  gzip | base64
-  echo ""
-  echo "--boundary--" ) | sendmail "$3"
+  ( echo "Content-Type: multipart/mixed; boundary=\"boundary\""
+    echo "MIME-Version: 1.0"
+    echo ""
+    echo "--boundary"
+    echo "Content-Type: text/plain"
+    echo "Content-Transfer-Encoding: 8bit"
+    echo ""
+    echo "$F"
+    echo "--boundary"
+    echo "Content-Type: application/gzip; name=\"$F\""
+    echo "Content-Disposition: attachment; filename=\"$F\""
+    echo "Content-Transfer-Encoding: base64"
+    echo ""
+    gzip | base64
+    echo ""
+    echo "--boundary--" ) \
+  | gpg --encrypt --armor \
+	--trust-model always --recipient root@core ) \
+| sendmail root \
+|| exit $?
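Review bot: The trailing `|| exit $?` only reflects sendmail's status, so if gpg fails inside the inner subshell (no key for the recipient, an expired key, or a GNUPGHOME the logrotate user cannot read) the mail still goes out with an empty body, sendmail returns 0, and the script exits 0 — logrotate then proceeds as if the archive were delivered and the rotated log's only copy is presumably lost without any signal. If the script runs under bash, add `set -o pipefail` near the top (above this hunk) so gpg and gzip failures propagate through the existing `|| exit $?`; under a POSIX sh, encrypt into a `mktemp` file first, check gpg's status, and only then hand the file to sendmail. The previous `sendmail "$3"` recipient argument is now ignored, so if the logrotate `mail` directive still supplies an address, that should be noted in a comment so nobody expects it to take effect. The script header that reads `$1`/`$2` and sets `$F` is outside this hunk.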
-- 
2.25.1