only sync mail on trusted networks

README.md

@@ -85,6 +85,18 @@ profile file at `/etc/NetworkManager/system-connections/`.
 Spoofing may be disabled entirely by setting the `network.spoof_mac` variable
 to `False`.
 
+## Trusted Networks
+
+Trusted networks are defined using their NetworkManager UUIDs, configured in
+the `network.trusted_uuid` list. NetworkManager UUIDs may be discovered using
+`nmcli con`.
+
+The list of trusted networks is made available at
+`/usr/local/etc/trusted_networks`. Currently this list is only used to start
+and stop mail syncing (see the section below on Syncing and Scheduling Mail),
+however maintaining the list may be useful for starting or stopping other
+services, loading different iptables rules, etc.
+
 ## Mail
 
 ### Receiving Mail
@@ -119,14 +131,23 @@ either isync or OfflineIMAP. Before syncing, the script checks for internet
 connectivity using NetworkMananger. `mailsync` may be called directly by the
 user, ie by configuring a hotkey in Mutt.
 
-A [systemd timer][15] is also included to periodically call `mailsync`. By
-default, the timer starts 5 minutes after boot (to allow time for network
-connectivity to be established, configurable through the `mail.sync_boot_delay`
-variable) and syncs every 15 minutes (configurable through the `mail.sync_time`
-variable).
+A [systemd timer][15] is also included to periodically call `mailsync`. The
+timer includes a 2 minute boot delay (to allow time for network connectivity to
+be established, configurable through the `mail.sync_boot_delay` variable) and
+syncs every 10 minutes (configurable through the `mail.sync_time` variable).
 
-If the `mail.sync_time` variable is not defined, neither the synchronization
-service nor timer will be installed.
+The timer is not started or enabled by default. Instead, a NetworkManager
+dispatcher is installed, which activates the timer whenever a connection is
+established to a trusted network. The timer is stopped when the network goes
+down. This helps to avoid having network tasks that may leak personally
+identifiable information running in the background when connected to untrusted
+networks.
+
+To have the timer activated at boot, change the `mail.sync_on` variable from
+`trusted` to `all`.
+
+If the `mail.sync_on` variable is set to anything other than `trusted` or
+`all`, the timer will never be activated.
 
 ## Known Issues
 

group_vars/all

@@ -25,11 +25,16 @@ ssh:
 
 mail:
     sync_tool: isync
-    sync_time: 15min
-    sync_boot_delay: 5min
+    sync_time: 10min
+    sync_boot_delay: 2min
+    sync_on: trusted
 
 network:
-    randomize_mac: True
+    spoof_mac: True
+    trusted_uuid:
+        - 5eeb3104-5ad5-4072-a342-3691dfbbc27f
+        - 11d2d0a0-d809-406b-b5c1-04bf3837cbf1
+        - e5422190-e8a7-460f-b1ef-196c57036efa
 
 editors:
     - gvim

roles/mail/tasks/mailsync.yml

@@ -6,18 +6,22 @@
 
 - name: Push mailsync service file
   copy: src=mailsync.service dest=/etc/systemd/system/mailsync@.service
-  when: mail.sync_time is defined
   tags:
     - mailsync
 
 - name: Push mailsync timer file
   template: src=mailsync.timer.j2 dest=/etc/systemd/system/mailsync@.timer
-  when: mail.sync_time is defined
   tags:
     - mailsync
 
 - name: Enable and start mailsync timer
   service: name="mailsync@{{ user.name }}.timer" enabled=yes state=started
-  when: mail.sync_time is defined
+  when: mail.sync_on == "all"
+  tags:
+    - mailsync
+
+- name: Push dispatcher to activate mailsync timer on trusted networks
+  template: src=mailsync_dispatcher.sh.j2 dest=/etc/NetworkManager/dispatcher.d/10mailsync mode=0755
+  when: mail.sync_on == "trusted"
   tags:
     - mailsync

roles/mail/templates/mailsync_dispatcher.sh.j2

@@ -0,0 +1,17 @@
+#!/bin/sh
+# {{ ansible_managed }}
+
+action="$2"
+
+case $action in
+    up)
+        if grep -q $CONNECTION_UUID /usr/local/etc/trusted_networks; then
+            systemctl start mailsync@{{ user.name }}.timer
+        fi
+        ;;
+    down)
+        systemctl stop mailsync@{{ user.name }}.timer
+        ;;
+esac
+
+exit 0

roles/network/tasks/main.yml

@@ -1,4 +1,7 @@
 ---
+- name: Push trusted network list
+  template: src=trusted_networks.j2 dest=/usr/local/etc/trusted_networks
+
 - name: Install OpenVPN
   pacman: name=openvpn state=present
 
@@ -43,3 +46,4 @@
 
 - include: pdsh.yml
 - include: firewall.yml
+- include: macchiato.yml

roles/network/templates/trusted_networks.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+{% for network in network.trusted_uuid %}
+{{ network }}
+{% endfor %}