Browse Source

Merge branch 'feature/modularize-sovereign' of https://github.com/ariddell/sovereign into ariddell-feature/modularize-sovereign

Mike Ashley 8 years ago
parent
commit
3746e1ea67

+ 1
- 0
.gitignore View File

@@ -1,3 +1,4 @@
1 1
 .vagrant
2 2
 vagrant_ansible_inventory_default
3 3
 tests.pyc
4
+secret

+ 5
- 4
README.md View File

@@ -99,7 +99,8 @@ Your new account will be automatically set up for passwordless `sudo`.
99 99
 
100 100
 ### 4. Configure your installation
101 101
 
102
-Modify the settings in `vars/user.yml` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
102
+Modify the settings in `group_vars/sovereign` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
103
+All of the variables in `group_vars/sovereign` must be set for sovereign to function.
103 104
 
104 105
 Setting `password_hash` for your mail users is a bit tricky. You can generate one using [doveadm-pw](http://wiki2.dovecot.org/Tools/Doveadm/Pw).
105 106
 
@@ -147,7 +148,7 @@ For Git hosting, copy your public key into place:
147 148
 
148 149
 	cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub
149 150
 
150
-Finally, replace the TODOs in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
151
+Finally, replace the `host.example.net` in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
151 152
 
152 153
 ### 5. Set up DNS
153 154
 
@@ -178,7 +179,7 @@ To run just one or more piece, use tags. I try to tag all my includes for easy i
178 179
 
179 180
 You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there’s no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I’ve tried to add comments where manual intervention is necessary.
180 181
 
181
-The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `vars/user.yml`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
182
+The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `group_vars/sovereign`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
182 183
 
183 184
 ### 7. Finish DNS set-up
184 185
 
@@ -206,7 +207,7 @@ Similarly, to access the server monitoring page, use another SSH tunnel:
206 207
 
207 208
 Again proceeding to http://localhost:2812 in your web browser.
208 209
 
209
-Finally, sign into ownCloud with a new administrator account to set it up. You should select PostgreSQL as the configuration backend. Use `owncloud` as the database user and the database name. For the database password use the password you set for `owncloud_db_password` in `vars/user.yml`.
210
+Finally, sign into ownCloud with a new administrator account to set it up. You should select PostgreSQL as the configuration backend. Use `owncloud` as the database user and the database name. For the database password use the password you set for `owncloud_db_password` in `group_vars/sovereign`.
210 211
 
211 212
 How To Use Your New Personal Cloud
212 213
 ----------------------------------

+ 62
- 0
group_vars/sovereign View File

@@ -0,0 +1,62 @@
1
+---
2
+################################################################################
3
+# Set your variables here.
4
+################################################################################
5
+
6
+# common
7
+domain: (required)
8
+main_user_name: (required)
9
+
10
+# admin email
11
+# fail2ban reports will be sent to this address
12
+admin_email: "{{ main_user_name }}@{{ domain }}"
13
+
14
+# mail
15
+mail_virtual_domains:
16
+  - name: "{{ domain }}"
17
+    pk_id: 1
18
+mail_virtual_users:
19
+  - account: "{{ main_user_name }}"
20
+    domain: "{{ domain }}"
21
+    password_hash: TODO
22
+    domain_pk_id: 1
23
+mail_virtual_aliases:
24
+  - source: "root@{{ domain }}"
25
+    destination: "{{ admin_email }}"
26
+    domain_pk_id: 1
27
+  - source: "postmaster@{{ domain }}"
28
+    destination: "{{ admin_email }}"
29
+    domain_pk_id: 1
30
+  - source: "webmaster@{{ domain }}"
31
+    destination: "{{ admin_email }}"
32
+    domain_pk_id: 1
33
+
34
+# timezone
35
+# common_timezone will be used in the common and mailserver roles
36
+common_timezone: 'Etc/UTC'
37
+
38
+# znc
39
+irc_nick: (required)
40
+irc_ident: (required)
41
+irc_realname: (required)
42
+irc_quitmsg: (required)
43
+irc_password_hash: (required)
44
+irc_password_salt: (required)
45
+
46
+# xmpp
47
+prosody_admin: "{{ admin_email }}"
48
+prosody_virtual_domain: "{{ domain }}"
49
+prosody_accounts:
50
+  - name: "{{ main_user_name }}"
51
+    password: TODO
52
+
53
+# openvpn
54
+openvpn_key_country:  "US"
55
+openvpn_key_province: "California"
56
+openvpn_key_city: "Beverly Hills"
57
+openvpn_key_org: "ACME CORPORATION"
58
+openvpn_key_ou: "Anvil Department"
59
+openvpn_clients:
60
+  - laptop
61
+  - phone
62
+  - tablet

+ 4
- 2
hosts View File

@@ -1,2 +1,4 @@
1
-[TODO]
2
-TODO # put your host's IP here
1
+[sovereign]
2
+# hosts in the `sovereign` group  use vars defined in `group_vars/sovereign`
3
+# put your host's IP address or domain name below
4
+host.example.net

+ 34
- 0
roles/common/defaults/main.yml View File

@@ -0,0 +1,34 @@
1
+common_timezone: 'Etc/UTC'
2
+admin_email: "{{ main_user_name }}@{{ domain }}"
3
+main_user_shell: "/bin/bash"
4
+friendly_networks:
5
+  - ""
6
+
7
+# encfs
8
+secret_root: '{{ inventory_dir | realpath }}'
9
+secret_name: 'secret'
10
+secret: '{{ secret_root + "/" + secret_name }}'
11
+encfs_password: "{{ lookup('password', secret + '/' + 'encfs_password', length=32) }}"
12
+
13
+
14
+# let's encrypt
15
+letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
16
+
17
+# ssh
18
+kex_algorithms: "diffie-hellman-group-exchange-sha256"
19
+ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
20
+macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
21
+
22
+# ntp
23
+ntp_servers:
24
+  # use nearby ntp servers by default
25
+  - 0.pool.ntp.org
26
+  - 1.pool.ntp.org
27
+  - 2.pool.ntp.org
28
+  - 3.pool.ntp.org
29
+  # use servers tailored to the server location
30
+  # See http://www.pool.ntp.org/en/use.html
31
+  # - 0.north-america.pool.ntp.org
32
+  # - 1.north-america.pool.ntp.org
33
+  # - 2.north-america.pool.ntp.org
34
+  # - 3.north-america.pool.ntp.org

+ 3
- 0
roles/git/defaults/main.yml View File

@@ -0,0 +1,3 @@
1
+cgit_version: 0.12
2
+cgit_domain: "git.{{ domain }}"
3
+gitolite_version: 3.6.4

+ 29
- 0
roles/mailserver/defaults/main.yml View File

@@ -0,0 +1,29 @@
1
+secret_root: '{{ inventory_dir | realpath }}'
2
+secret_name: 'secret'
3
+secret: '{{ secret_root + "/" + secret_name }}'
4
+
5
+db_admin_username: 'postgres'
6
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password', length=32) }}"
7
+
8
+mail_db_username: 'mailuser'
9
+mail_db_password: "{{ lookup('password', secret + '/' + 'mail_db_password', length=32) }}"
10
+mail_db_database: 'mailserver'
11
+
12
+mail_server_hostname: "mail.{{ domain }}"
13
+mail_server_autoconfig_hostname: "autoconfig.{{ domain }}"
14
+mail_header_privacy: 1
15
+
16
+# virtual domains
17
+mail_virtual_domains: []
18
+mail_virtual_users: []
19
+mail_virtual_aliases: []
20
+
21
+# opendmarc
22
+mail_db_opendmarc_username: opendmarc
23
+mail_db_opendmarc_database: opendmarc
24
+mail_db_opendmarc_password: "{{ lookup('password', secret + '/' + 'mail_db_opendmarc_password', length=32) }}"
25
+
26
+# zpush
27
+zpush_version: 2.1.1-1788
28
+# common_timezone is a sovereign variable
29
+zpush_timezone: "{{ common_timezone|default('Etc/UTC') }}"

+ 4
- 0
roles/monitoring/defaults/main.yml View File

@@ -0,0 +1,4 @@
1
+collectd_version: 5.4.1
2
+collectd_librato_version: 0.0.10
3
+collectd_librato_email: "" # (optional)
4
+collectd_librato_api_token: "" # (optional)

+ 17
- 0
roles/news/defaults/main.yml View File

@@ -0,0 +1,17 @@
1
+secret_root: '{{ inventory_dir | realpath }}'
2
+secret_name: 'secret'
3
+secret: '{{ secret_root + "/" + secret_name }}'
4
+
5
+selfoss_domain: "news.{{ domain }}"
6
+selfoss_db_username: selfoss
7
+selfoss_db_password: "{{ lookup('password', secret + '/' + 'selfoss_db_password', length=32) }}"
8
+selfoss_db_database: selfoss
9
+selfoss_version: 2.14
10
+
11
+selfoss_username: "{{ main_user_name }}"
12
+# this is the sha512 hash of the desired password
13
+selfoss_password_hash: "{{ lookup('password', secret + '/' + 'selfoss_password_hash', length=32, crypt='sha512')|hash('sha512') }}"
14
+
15
+# must match values in roles/mailserver
16
+db_admin_username: 'postgres'
17
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password', length=32) }}"

+ 8
- 0
roles/owncloud/defaults/main.yml View File

@@ -0,0 +1,8 @@
1
+secret_root: '{{ inventory_dir | realpath }}'
2
+secret_name: 'secret'
3
+secret: '{{ secret_root + "/" + secret_name }}'
4
+
5
+owncloud_domain: "cloud.{{ domain }}"
6
+owncloud_db_username: owncloud
7
+owncloud_db_password: "{{ lookup('password', secret + '/' + 'owncloud_db_password', length=32) }}"
8
+owncloud_db_database: owncloud

+ 10
- 0
roles/readlater/defaults/main.yml View File

@@ -0,0 +1,10 @@
1
+secret_root: '{{ inventory_dir | realpath }}'
2
+secret_name: 'secret'
3
+secret: '{{ secret_root + "/" + secret_name }}'
4
+
5
+wallabag_version: 1.9.1
6
+wallabag_domain: "read.{{ domain }}"
7
+wallabag_salt: "{{ lookup('password', secret + '/' + 'wallabag_salt', length=32) }}"
8
+wallabag_db_username: wallabag
9
+wallabag_db_password: "{{ lookup('password', secret + '/' + 'wallabag_db_password', length=32) }}"
10
+wallabag_db_database: wallabag

+ 1
- 0
roles/tarsnap/defaults/main.yml View File

@@ -0,0 +1 @@
1
+tarsnap_version: 1.0.36.1

+ 26
- 0
roles/vpn/defaults/main.yml View File

@@ -0,0 +1,26 @@
1
+# Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
2
+# Check privacy: http://witch.valdikss.org.ru/
3
+
4
+openvpn_key_country:  "US"
5
+openvpn_key_province: "California"
6
+openvpn_key_city: "Beverly Hills"
7
+openvpn_key_org: "ACME CORPORATION"
8
+openvpn_key_ou: "Anvil Department"
9
+openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
10
+
11
+openvpn_days_valid: "1825"
12
+openvpn_key_size: "2048"
13
+openvpn_cipher: "AES-256-CBC"
14
+openvpn_auth_digest: "SHA512"
15
+openvpn_path: "/etc/openvpn"
16
+openvpn_ca: "{{ openvpn_path }}/ca"
17
+openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
18
+openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
19
+openvpn_server: "{{ domain }}"
20
+openvpn_port: "1194"
21
+openvpn_protocol: "udp"
22
+openvpn_mtu: "1300"
23
+openvpn_verb: "3" # "0" for anonymity
24
+openvpn_tls_version_min: "tls-version-min 1.2"
25
+openvpn_tls_cipher: "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
26
+openvpn_clients: []

+ 3
- 0
roles/xmpp/defaults/main.yml View File

@@ -0,0 +1,3 @@
1
+prosody_admin: "{{ admin_email }}"
2
+prosody_virtual_domain: "{{ domain }}"
3
+prosody_accounts: []

+ 0
- 3
site.yml View File

@@ -5,9 +5,6 @@
5 5
   user: deploy
6 6
   become: True
7 7
   gather_facts: True
8
-  vars_files:
9
-    - vars/defaults.yml
10
-    - vars/{{ 'testing' if testing is defined else 'user' }}.yml
11 8
 
12 9
   roles:
13 10
     - common

vars/testing.yml → tests/testing.yml View File


+ 0
- 137
vars/defaults.yml View File

@@ -1,137 +0,0 @@
1
----
2
-###############################################################################
3
-# DO NOT EDIT. Set your variables in `vars/user.yml` instead.
4
-# This is a reference of all the variables.
5
-###############################################################################
6
-
7
-# # common
8
-common_timezone: 'Etc/UTC'
9
-# domain: (required)
10
-# main_user_name: (required)
11
-admin_email: "{{ main_user_name }}@{{ domain }}"
12
-main_user_shell: "/bin/bash"
13
-# encfs_password: (required)
14
-friendly_networks:
15
-  - ""
16
-letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
17
-
18
-# ssh
19
-kex_algorithms: "diffie-hellman-group-exchange-sha256"
20
-ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
21
-macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
22
-
23
-# ntp
24
-ntp_servers:
25
-  # use nearby ntp servers by default
26
-  - 0.pool.ntp.org
27
-  - 1.pool.ntp.org
28
-  - 2.pool.ntp.org
29
-  - 3.pool.ntp.org
30
-  # use servers tailored to the server location
31
-  # See http://www.pool.ntp.org/en/use.html
32
-  # - 0.north-america.pool.ntp.org
33
-  # - 1.north-america.pool.ntp.org
34
-  # - 2.north-america.pool.ntp.org
35
-  # - 3.north-america.pool.ntp.org
36
-
37
-# collectd
38
-collectd_version: 5.4.1
39
-collectd_librato_version: 0.0.10
40
-collectd_librato_email: "" # (optional)
41
-collectd_librato_api_token: "" # (optional)
42
-
43
-# database
44
-db_admin_username: 'postgres'
45
-# db_admin_password: (required)
46
-
47
-# ircbouncer
48
-# irc_nick: (required)
49
-# irc_ident: (required)
50
-# irc_realname: (required)
51
-# irc_quitmsg: (required)
52
-# irc_password_hash: (required)
53
-# irc_password_salt: (required)
54
-
55
-# mailserver
56
-mail_server_hostname: "mail.{{ domain }}"
57
-mail_server_autoconfig_hostname: "autoconfig.{{ domain }}"
58
-mail_db_username: mailuser
59
-# mail_db_password: (required)
60
-mail_db_database: mailserver
61
-# mail_virtual_domains: (required)
62
-# mail_virtual_users: (required)
63
-# mail_virtual_aliases: (required)
64
-mail_db_opendmarc_username: opendmarc
65
-# mail_db_opendmarc_password: (required)
66
-mail_db_opendmarc_database: opendmarc
67
-
68
-# z-push
69
-zpush_version: 2.1.1-1788
70
-
71
-# owncloud
72
-owncloud_domain: "cloud.{{ domain }}"
73
-owncloud_db_username: owncloud
74
-# owncloud_db_password: (required)
75
-owncloud_db_database: owncloud
76
-
77
-# tarsnap
78
-tarsnap_version: 1.0.36.1
79
-
80
-# vpn
81
-# Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
82
-# Check privacy: http://witch.valdikss.org.ru/
83
-# openvpn_key_country: (required)
84
-# openvpn_key_province: (required)
85
-# openvpn_key_city: (required)
86
-# openvpn_key_org: (required)
87
-# openvpn_key_ou: (required)
88
-openvpn_days_valid: "1825"
89
-openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
90
-openvpn_key_size: "2048"
91
-openvpn_cipher: "AES-256-CBC"
92
-openvpn_auth_digest: "SHA512"
93
-openvpn_path: "/etc/openvpn"
94
-openvpn_ca: "{{ openvpn_path }}/ca"
95
-openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
96
-openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
97
-openvpn_server: "{{ domain }}"
98
-openvpn_port: "1194"
99
-openvpn_protocol: "udp"
100
-openvpn_mtu: "1300"
101
-openvpn_verb: "3" # "0" for anonymity
102
-# uncomment for openvpn 2.3.3 and >2.3.4
103
-openvpn_tls_version_min: "" # "tls-version-min 1.2"
104
-openvpn_tls_cipher: "" # "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
105
-# openvpn_clients: (required)
106
-
107
-# webmail
108
-webmail_domain: "{{ mail_server_hostname }}"
109
-webmail_db_username: "roundcube"
110
-# webmail_db_password: (required)
111
-webmail_db_database: "roundcube"
112
-carddav_version: "1.0.0"
113
-
114
-# xmpp
115
-prosody_admin: "{{ admin_email }}"
116
-prosody_virtual_domain: "{{ domain }}"
117
-# prosody_accounts: (required)
118
-
119
-# news
120
-selfoss_domain: "news.{{ domain }}"
121
-selfoss_db_username: selfoss
122
-# selfoss_db_password: (required)
123
-selfoss_db_database: selfoss
124
-selfoss_version: 2.14
125
-
126
-# git
127
-cgit_version: 0.12
128
-cgit_domain: "git.{{ domain }}"
129
-gitolite_version: 3.6.4
130
-
131
-# wallabag
132
-wallabag_version: 1.9.1
133
-wallabag_domain: "read.{{ domain }}"
134
-# wallabag_salt: (required)
135
-wallabag_db_username: wallabag
136
-# wallabag_db_password: (required)
137
-wallabag_db_database: wallabag

+ 0
- 89
vars/user.yml View File

@@ -1,89 +0,0 @@
1
----
2
-###############################################################################
3
-# Set your variables here.
4
-# For a complete reference look at the `vars/defaults.yml` file.
5
-###############################################################################
6
-
7
-# common
8
-domain: TODO.com
9
-main_user_name: TODO
10
-encfs_password: TODO    # NOTE: must not contain dollar sign characters '$'
11
-
12
-# database
13
-db_admin_username: postgres
14
-db_admin_password: TODO
15
-
16
-# ircbouncer
17
-irc_nick: TODO
18
-irc_ident: TODO
19
-irc_realname: TODO
20
-irc_quitmsg: TODO
21
-irc_password_hash: TODO
22
-irc_password_salt: TODO
23
-irc_timezone: TODO      #Example: "America/New_York"
24
-
25
-# mailserver
26
-mail_db_password: TODO
27
-mail_db_opendmarc_password: TODO
28
-mail_virtual_domains:
29
-  - name: "{{ domain }}"
30
-    pk_id: 1
31
-#  - name: TODO.com
32
-#    pk_id: 2
33
-mail_virtual_users:
34
-  - account: "{{ main_user_name }}"
35
-    domain: "{{ domain }}"
36
-    password_hash: TODO
37
-    domain_pk_id: 1
38
-#  - account: "{{ TODO }}"
39
-#    domain: "{{ domain }}"
40
-#    password_hash: TODO
41
-#    domain_pk_id: 2
42
-mail_virtual_aliases:
43
-  - source: "root@{{ domain }}"
44
-    destination: "{{ admin_email }}"
45
-    domain_pk_id: 1
46
-  - source: "postmaster@{{ domain }}"
47
-    destination: "{{ admin_email }}"
48
-    domain_pk_id: 1
49
-  - source: "webmaster@{{ domain }}"
50
-    destination: "{{ admin_email }}"
51
-    domain_pk_id: 1
52
-mail_header_privacy: 1
53
-
54
-# z-push
55
-zpush_timezone: "TODO"  #Example: "America/New_York"
56
-
57
-# owncloud
58
-owncloud_db_password: TODO
59
-
60
-# vpn
61
-openvpn_key_country:  "US"
62
-openvpn_key_province: "California"
63
-openvpn_key_city: "Beverly Hills"
64
-openvpn_key_org: "ACME CORPORATION"
65
-openvpn_key_ou: "Anvil Department"
66
-openvpn_clients:
67
-  - laptop
68
-  - phone
69
-  - tablet
70
-
71
-# webmail
72
-webmail_db_password: TODO
73
-
74
-# xmpp
75
-prosody_admin: "{{ admin_email }}"
76
-prosody_virtual_domain: "{{ domain }}"
77
-prosody_accounts:
78
-  - name: "{{ main_user_name }}"
79
-    password: TODO
80
-
81
-# selfoss
82
-selfoss_db_password: "TODO"
83
-selfoss_username: "{{ main_user_name }}"
84
-# this is the sha512 hash of the desired password
85
-selfoss_password_hash: "TODO"
86
-
87
-# wallabag
88
-wallabag_salt: TODO
89
-wallabag_db_password: TODO

Loading…
Cancel
Save