
Merge branch 'feature/modularize-sovereign' of https://github.com/ariddell/sovereign into ariddell-feature/modularize-sovereign

Mike Ashley 8 years ago
parent
commit
3746e1ea67

+ 1
- 0
.gitignore

1
 .vagrant
1
 .vagrant
2
 vagrant_ansible_inventory_default
2
 vagrant_ansible_inventory_default
3
 tests.pyc
3
 tests.pyc
4
+secret
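
Review bot: the pattern `secret` is unanchored, so it ignores any file or directory named `secret` anywhere in the tree, not only the credential directory the role defaults write next to the inventory (`secret_root: '{{ inventory_dir | realpath }}'`). Anchoring it as `/secret/` limits the rule to that directory. A short comment above it saying that the directory holds generated passwords and must be backed up would also help, because a fresh checkout without it will silently generate new credentials.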

+ 5
- 4
README.md

99
 
99
 
100
 ### 4. Configure your installation
100
 ### 4. Configure your installation
101
 
101
 
102
-Modify the settings in `vars/user.yml` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
102
+Modify the settings in `group_vars/sovereign` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
103
+All of the variables in `group_vars/sovereign` must be set for sovereign to function.
103
 
104
 
104
 Setting `password_hash` for your mail users is a bit tricky. You can generate one using [doveadm-pw](http://wiki2.dovecot.org/Tools/Doveadm/Pw).
105
 Setting `password_hash` for your mail users is a bit tricky. You can generate one using [doveadm-pw](http://wiki2.dovecot.org/Tools/Doveadm/Pw).
105
 
106
 
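
Review bot: the new sentence says every variable in `group_vars/sovereign` must be set, but that file is no longer a complete reference: optional settings now live in each role's `defaults/main.yml`, and several passwords are generated into `secret/` by the `password` lookup instead of being set by the user. Suggest adding a sentence such as `Optional settings and their defaults are in roles/*/defaults/main.yml; generated secrets are written to the secret/ directory next to the inventory, so back it up.`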
147
 
148
 
148
 	cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub
149
 	cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub
149
 
150
 
150
-Finally, replace the TODOs in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
151
+Finally, replace the `host.example.net` in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
151
 
152
 
152
 ### 5. Set up DNS
153
 ### 5. Set up DNS
153
 
154
 
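
Review bot: `replace the \`host.example.net\`` reads awkwardly; drop the article. The sentence also still says to add the port `after the IP address`, while the new `hosts` comment accepts a domain name as well, so `after the host` would be more accurate.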
178
 
179
 
179
 You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there’s no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I’ve tried to add comments where manual intervention is necessary.
180
 You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there’s no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I’ve tried to add comments where manual intervention is necessary.
180
 
181
 
181
-The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `vars/user.yml`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
182
+The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `group_vars/sovereign`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
182
 
183
 
183
 ### 7. Finish DNS set-up
184
 ### 7. Finish DNS set-up
184
 
185
 
206
 
207
 
207
 Again proceeding to http://localhost:2812 in your web browser.
208
 Again proceeding to http://localhost:2812 in your web browser.
208
 
209
 
209
-Finally, sign into ownCloud with a new administrator account to set it up. You should select PostgreSQL as the configuration backend. Use `owncloud` as the database user and the database name. For the database password use the password you set for `owncloud_db_password` in `vars/user.yml`.
210
+Finally, sign into ownCloud with a new administrator account to set it up. You should select PostgreSQL as the configuration backend. Use `owncloud` as the database user and the database name. For the database password use the password you set for `owncloud_db_password` in `group_vars/sovereign`.
210
 
211
 
211
 How To Use Your New Personal Cloud
212
 How To Use Your New Personal Cloud
212
 ----------------------------------
213
 ----------------------------------
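
Review bot: this paragraph still tells the user to use the password they set for `owncloud_db_password` in `group_vars/sovereign`, but the new `group_vars/sovereign` does not define that variable; it is now generated by the `password` lookup in `roles/owncloud/defaults/main.yml` and stored in plain text at `secret/owncloud_db_password` next to the inventory. The step should point the user at that file instead.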

+ 62
- 0
group_vars/sovereign

1
+---
2
+################################################################################
3
+# Set your variables here.
4
+################################################################################
5
+
6
+# common
7
+domain: (required)
8
+main_user_name: (required)
9
+
10
+# admin email
11
+# fail2ban reports will be sent to this address
12
+admin_email: "{{ main_user_name }}@{{ domain }}"
13
+
14
+# mail
15
+mail_virtual_domains:
16
+  - name: "{{ domain }}"
17
+    pk_id: 1
18
+mail_virtual_users:
19
+  - account: "{{ main_user_name }}"
20
+    domain: "{{ domain }}"
21
+    password_hash: TODO
22
+    domain_pk_id: 1
23
+mail_virtual_aliases:
24
+  - source: "root@{{ domain }}"
25
+    destination: "{{ admin_email }}"
26
+    domain_pk_id: 1
27
+  - source: "postmaster@{{ domain }}"
28
+    destination: "{{ admin_email }}"
29
+    domain_pk_id: 1
30
+  - source: "webmaster@{{ domain }}"
31
+    destination: "{{ admin_email }}"
32
+    domain_pk_id: 1
33
+
34
+# timezone
35
+# common_timezone will be used in the common and mailserver roles
36
+common_timezone: 'Etc/UTC'
37
+
38
+# znc
39
+irc_nick: (required)
40
+irc_ident: (required)
41
+irc_realname: (required)
42
+irc_quitmsg: (required)
43
+irc_password_hash: (required)
44
+irc_password_salt: (required)
45
+
46
+# xmpp
47
+prosody_admin: "{{ admin_email }}"
48
+prosody_virtual_domain: "{{ domain }}"
49
+prosody_accounts:
50
+  - name: "{{ main_user_name }}"
51
+    password: TODO
52
+
53
+# openvpn
54
+openvpn_key_country:  "US"
55
+openvpn_key_province: "California"
56
+openvpn_key_city: "Beverly Hills"
57
+openvpn_key_org: "ACME CORPORATION"
58
+openvpn_key_ou: "Anvil Department"
59
+openvpn_clients:
60
+  - laptop
61
+  - phone
62
+  - tablet
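
Review bot: `domain: (required)` and the other `(required)` values are valid YAML strings, so a user who forgets to edit them gets a literal domain of `(required)` and a mail user with `password_hash: TODO` rather than a failed run, even though the README now says all of these must be set. Leaving the required keys commented out would make Ansible fail with an undefined-variable error, or a small `assert` task at the start of `site.yml` could check them; as a minimum, `password: TODO` on the prosody account should be mentioned in the README step that covers mail and XMPP passwords.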

+ 4
- 2
hosts

1
-[TODO]
2
-TODO # put your host's IP here
1
+[sovereign]
2
+# hosts in the `sovereign` group  use vars defined in `group_vars/sovereign`
3
+# put your host's IP address or domain name below
4
+host.example.net
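
Review bot: double space in `group  use` on the comment line.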

+ 34
- 0
roles/common/defaults/main.yml

1
+common_timezone: 'Etc/UTC'
2
+admin_email: "{{ main_user_name }}@{{ domain }}"
3
+main_user_shell: "/bin/bash"
4
+friendly_networks:
5
+  - ""
6
+
7
+# encfs
8
+secret_root: '{{ inventory_dir | realpath }}'
9
+secret_name: 'secret'
10
+secret: '{{ secret_root + "/" + secret_name }}'
11
+encfs_password: "{{ lookup('password', secret + '/' + 'encfs_password', length=32) }}"
12
+
13
+
14
+# let's encrypt
15
+letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
16
+
17
+# ssh
18
+kex_algorithms: "diffie-hellman-group-exchange-sha256"
19
+ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
20
+macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
21
+
22
+# ntp
23
+ntp_servers:
24
+  # use nearby ntp servers by default
25
+  - 0.pool.ntp.org
26
+  - 1.pool.ntp.org
27
+  - 2.pool.ntp.org
28
+  - 3.pool.ntp.org
29
+  # use servers tailored to the server location
30
+  # See http://www.pool.ntp.org/en/use.html
31
+  # - 0.north-america.pool.ntp.org
32
+  # - 1.north-america.pool.ntp.org
33
+  # - 2.north-america.pool.ntp.org
34
+  # - 3.north-america.pool.ntp.org
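
Review bot: the `secret_root` / `secret_name` / `secret` triple is repeated verbatim in five role defaults files in this commit (common, mailserver, news, owncloud, readlater). Defining it once, for example in `group_vars/sovereign` or in a shared role the others depend on, avoids the copies drifting apart, which would silently split the generated passwords across two directories.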

+ 3
- 0
roles/git/defaults/main.yml

1
+cgit_version: 0.12
2
+cgit_domain: "git.{{ domain }}"
3
+gitolite_version: 3.6.4

+ 29
- 0
roles/mailserver/defaults/main.yml

1
+secret_root: '{{ inventory_dir | realpath }}'
2
+secret_name: 'secret'
3
+secret: '{{ secret_root + "/" + secret_name }}'
4
+
5
+db_admin_username: 'postgres'
6
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password', length=32) }}"
7
+
8
+mail_db_username: 'mailuser'
9
+mail_db_password: "{{ lookup('password', secret + '/' + 'mail_db_password', length=32) }}"
10
+mail_db_database: 'mailserver'
11
+
12
+mail_server_hostname: "mail.{{ domain }}"
13
+mail_server_autoconfig_hostname: "autoconfig.{{ domain }}"
14
+mail_header_privacy: 1
15
+
16
+# virtual domains
17
+mail_virtual_domains: []
18
+mail_virtual_users: []
19
+mail_virtual_aliases: []
20
+
21
+# opendmarc
22
+mail_db_opendmarc_username: opendmarc
23
+mail_db_opendmarc_database: opendmarc
24
+mail_db_opendmarc_password: "{{ lookup('password', secret + '/' + 'mail_db_opendmarc_password', length=32) }}"
25
+
26
+# zpush
27
+zpush_version: 2.1.1-1788
28
+# common_timezone is a sovereign variable
29
+zpush_timezone: "{{ common_timezone|default('Etc/UTC') }}"

+ 4
- 0
roles/monitoring/defaults/main.yml

1
+collectd_version: 5.4.1
2
+collectd_librato_version: 0.0.10
3
+collectd_librato_email: "" # (optional)
4
+collectd_librato_api_token: "" # (optional)

+ 17
- 0
roles/news/defaults/main.yml

1
+secret_root: '{{ inventory_dir | realpath }}'
2
+secret_name: 'secret'
3
+secret: '{{ secret_root + "/" + secret_name }}'
4
+
5
+selfoss_domain: "news.{{ domain }}"
6
+selfoss_db_username: selfoss
7
+selfoss_db_password: "{{ lookup('password', secret + '/' + 'selfoss_db_password', length=32) }}"
8
+selfoss_db_database: selfoss
9
+selfoss_version: 2.14
10
+
11
+selfoss_username: "{{ main_user_name }}"
12
+# this is the sha512 hash of the desired password
13
+selfoss_password_hash: "{{ lookup('password', secret + '/' + 'selfoss_password_hash', length=32, crypt='sha512')|hash('sha512') }}"
14
+
15
+# must match values in roles/mailserver
16
+db_admin_username: 'postgres'
17
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password', length=32) }}"
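
Review bot: the file written by the `selfoss_password_hash` lookup holds the generated plaintext password, not a hash, because `lookup('password', ...)` returns and stores the plain value and the `hash('sha512')` filter is applied afterwards; naming the file `secret/selfoss_password` and saying in the README that it is the login password would avoid confusion. `crypt='sha512'` is also not a parameter the `password` lookup documents (it takes `length`, `chars` and `encrypt`), so it should be dropped. Finally, `db_admin_password` is generated here with the same lookup path as in `roles/mailserver/defaults/main.yml`; the `must match` comment relies on the two copies staying identical, which is one more reason to define it once.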

+ 8
- 0
roles/owncloud/defaults/main.yml

1
+secret_root: '{{ inventory_dir | realpath }}'
2
+secret_name: 'secret'
3
+secret: '{{ secret_root + "/" + secret_name }}'
4
+
5
+owncloud_domain: "cloud.{{ domain }}"
6
+owncloud_db_username: owncloud
7
+owncloud_db_password: "{{ lookup('password', secret + '/' + 'owncloud_db_password', length=32) }}"
8
+owncloud_db_database: owncloud

+ 10
- 0
roles/readlater/defaults/main.yml

1
+secret_root: '{{ inventory_dir | realpath }}'
2
+secret_name: 'secret'
3
+secret: '{{ secret_root + "/" + secret_name }}'
4
+
5
+wallabag_version: 1.9.1
6
+wallabag_domain: "read.{{ domain }}"
7
+wallabag_salt: "{{ lookup('password', secret + '/' + 'wallabag_salt', length=32) }}"
8
+wallabag_db_username: wallabag
9
+wallabag_db_password: "{{ lookup('password', secret + '/' + 'wallabag_db_password', length=32) }}"
10
+wallabag_db_database: wallabag

+ 1
- 0
roles/tarsnap/defaults/main.yml

1
+tarsnap_version: 1.0.36.1

+ 26
- 0
roles/vpn/defaults/main.yml

1
+# Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
2
+# Check privacy: http://witch.valdikss.org.ru/
3
+
4
+openvpn_key_country:  "US"
5
+openvpn_key_province: "California"
6
+openvpn_key_city: "Beverly Hills"
7
+openvpn_key_org: "ACME CORPORATION"
8
+openvpn_key_ou: "Anvil Department"
9
+openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
10
+
11
+openvpn_days_valid: "1825"
12
+openvpn_key_size: "2048"
13
+openvpn_cipher: "AES-256-CBC"
14
+openvpn_auth_digest: "SHA512"
15
+openvpn_path: "/etc/openvpn"
16
+openvpn_ca: "{{ openvpn_path }}/ca"
17
+openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
18
+openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
19
+openvpn_server: "{{ domain }}"
20
+openvpn_port: "1194"
21
+openvpn_protocol: "udp"
22
+openvpn_mtu: "1300"
23
+openvpn_verb: "3" # "0" for anonymity
24
+openvpn_tls_version_min: "tls-version-min 1.2"
25
+openvpn_tls_cipher: "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
26
+openvpn_clients: []
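
Review bot: `openvpn_tls_version_min` and `openvpn_tls_cipher` were previously empty strings with the comment `uncomment for openvpn 2.3.3 and >2.3.4`; here they are enabled unconditionally and the version comment is gone. That is a behaviour change for existing deployments on older OpenVPN builds that reject these directives, and it should be mentioned in the commit message or README. The `openvpn_key_*` certificate subject defaults are also duplicated in `group_vars/sovereign`; one place is enough.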

+ 3
- 0
roles/xmpp/defaults/main.yml

1
+prosody_admin: "{{ admin_email }}"
2
+prosody_virtual_domain: "{{ domain }}"
3
+prosody_accounts: []

+ 0
- 3
site.yml

5
   user: deploy
5
   user: deploy
6
   become: True
6
   become: True
7
   gather_facts: True
7
   gather_facts: True
8
-  vars_files:
9
-    - vars/defaults.yml
10
-    - vars/{{ 'testing' if testing is defined else 'user' }}.yml
11
 
8
 
12
   roles:
9
   roles:
13
     - common
10
     - common
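
Review bot: removing the `vars_files` block also removes the `testing` switch (`vars/{{ 'testing' if testing is defined else 'user' }}.yml`), and nothing in this commit loads the renamed `tests/testing.yml`, so passing `testing` as an extra variable no longer has any effect. A test inventory with its own `group_vars/sovereign`, or an explicit `vars_files` entry for `tests/testing.yml` in the test play, would restore it.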

vars/testing.yml → tests/testing.yml


+ 0
- 137
vars/defaults.yml

1
----
2
-###############################################################################
3
-# DO NOT EDIT. Set your variables in `vars/user.yml` instead.
4
-# This is a reference of all the variables.
5
-###############################################################################
6
-
7
-# # common
8
-common_timezone: 'Etc/UTC'
9
-# domain: (required)
10
-# main_user_name: (required)
11
-admin_email: "{{ main_user_name }}@{{ domain }}"
12
-main_user_shell: "/bin/bash"
13
-# encfs_password: (required)
14
-friendly_networks:
15
-  - ""
16
-letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
17
-
18
-# ssh
19
-kex_algorithms: "diffie-hellman-group-exchange-sha256"
20
-ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
21
-macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
22
-
23
-# ntp
24
-ntp_servers:
25
-  # use nearby ntp servers by default
26
-  - 0.pool.ntp.org
27
-  - 1.pool.ntp.org
28
-  - 2.pool.ntp.org
29
-  - 3.pool.ntp.org
30
-  # use servers tailored to the server location
31
-  # See http://www.pool.ntp.org/en/use.html
32
-  # - 0.north-america.pool.ntp.org
33
-  # - 1.north-america.pool.ntp.org
34
-  # - 2.north-america.pool.ntp.org
35
-  # - 3.north-america.pool.ntp.org
36
-
37
-# collectd
38
-collectd_version: 5.4.1
39
-collectd_librato_version: 0.0.10
40
-collectd_librato_email: "" # (optional)
41
-collectd_librato_api_token: "" # (optional)
42
-
43
-# database
44
-db_admin_username: 'postgres'
45
-# db_admin_password: (required)
46
-
47
-# ircbouncer
48
-# irc_nick: (required)
49
-# irc_ident: (required)
50
-# irc_realname: (required)
51
-# irc_quitmsg: (required)
52
-# irc_password_hash: (required)
53
-# irc_password_salt: (required)
54
-
55
-# mailserver
56
-mail_server_hostname: "mail.{{ domain }}"
57
-mail_server_autoconfig_hostname: "autoconfig.{{ domain }}"
58
-mail_db_username: mailuser
59
-# mail_db_password: (required)
60
-mail_db_database: mailserver
61
-# mail_virtual_domains: (required)
62
-# mail_virtual_users: (required)
63
-# mail_virtual_aliases: (required)
64
-mail_db_opendmarc_username: opendmarc
65
-# mail_db_opendmarc_password: (required)
66
-mail_db_opendmarc_database: opendmarc
67
-
68
-# z-push
69
-zpush_version: 2.1.1-1788
70
-
71
-# owncloud
72
-owncloud_domain: "cloud.{{ domain }}"
73
-owncloud_db_username: owncloud
74
-# owncloud_db_password: (required)
75
-owncloud_db_database: owncloud
76
-
77
-# tarsnap
78
-tarsnap_version: 1.0.36.1
79
-
80
-# vpn
81
-# Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
82
-# Check privacy: http://witch.valdikss.org.ru/
83
-# openvpn_key_country: (required)
84
-# openvpn_key_province: (required)
85
-# openvpn_key_city: (required)
86
-# openvpn_key_org: (required)
87
-# openvpn_key_ou: (required)
88
-openvpn_days_valid: "1825"
89
-openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
90
-openvpn_key_size: "2048"
91
-openvpn_cipher: "AES-256-CBC"
92
-openvpn_auth_digest: "SHA512"
93
-openvpn_path: "/etc/openvpn"
94
-openvpn_ca: "{{ openvpn_path }}/ca"
95
-openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
96
-openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
97
-openvpn_server: "{{ domain }}"
98
-openvpn_port: "1194"
99
-openvpn_protocol: "udp"
100
-openvpn_mtu: "1300"
101
-openvpn_verb: "3" # "0" for anonymity
102
-# uncomment for openvpn 2.3.3 and >2.3.4
103
-openvpn_tls_version_min: "" # "tls-version-min 1.2"
104
-openvpn_tls_cipher: "" # "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
105
-# openvpn_clients: (required)
106
-
107
-# webmail
108
-webmail_domain: "{{ mail_server_hostname }}"
109
-webmail_db_username: "roundcube"
110
-# webmail_db_password: (required)
111
-webmail_db_database: "roundcube"
112
-carddav_version: "1.0.0"
113
-
114
-# xmpp
115
-prosody_admin: "{{ admin_email }}"
116
-prosody_virtual_domain: "{{ domain }}"
117
-# prosody_accounts: (required)
118
-
119
-# news
120
-selfoss_domain: "news.{{ domain }}"
121
-selfoss_db_username: selfoss
122
-# selfoss_db_password: (required)
123
-selfoss_db_database: selfoss
124
-selfoss_version: 2.14
125
-
126
-# git
127
-cgit_version: 0.12
128
-cgit_domain: "git.{{ domain }}"
129
-gitolite_version: 3.6.4
130
-
131
-# wallabag
132
-wallabag_version: 1.9.1
133
-wallabag_domain: "read.{{ domain }}"
134
-# wallabag_salt: (required)
135
-wallabag_db_username: wallabag
136
-# wallabag_db_password: (required)
137
-wallabag_db_database: wallabag
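
Review bot: the `webmail` block (`webmail_domain`, `webmail_db_username`, `webmail_db_password`, `webmail_db_database`, `carddav_version`) is deleted here, but no `roles/webmail/defaults/main.yml` appears in this commit; if the webmail role still references those variables, the play will fail with an undefined variable. Either add the role defaults file or state in the commit message that the webmail role is handled separately.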

+ 0
- 89
vars/user.yml

1
----
2
-###############################################################################
3
-# Set your variables here.
4
-# For a complete reference look at the `vars/defaults.yml` file.
5
-###############################################################################
6
-
7
-# common
8
-domain: TODO.com
9
-main_user_name: TODO
10
-encfs_password: TODO    # NOTE: must not contain dollar sign characters '$'
11
-
12
-# database
13
-db_admin_username: postgres
14
-db_admin_password: TODO
15
-
16
-# ircbouncer
17
-irc_nick: TODO
18
-irc_ident: TODO
19
-irc_realname: TODO
20
-irc_quitmsg: TODO
21
-irc_password_hash: TODO
22
-irc_password_salt: TODO
23
-irc_timezone: TODO      #Example: "America/New_York"
24
-
25
-# mailserver
26
-mail_db_password: TODO
27
-mail_db_opendmarc_password: TODO
28
-mail_virtual_domains:
29
-  - name: "{{ domain }}"
30
-    pk_id: 1
31
-#  - name: TODO.com
32
-#    pk_id: 2
33
-mail_virtual_users:
34
-  - account: "{{ main_user_name }}"
35
-    domain: "{{ domain }}"
36
-    password_hash: TODO
37
-    domain_pk_id: 1
38
-#  - account: "{{ TODO }}"
39
-#    domain: "{{ domain }}"
40
-#    password_hash: TODO
41
-#    domain_pk_id: 2
42
-mail_virtual_aliases:
43
-  - source: "root@{{ domain }}"
44
-    destination: "{{ admin_email }}"
45
-    domain_pk_id: 1
46
-  - source: "postmaster@{{ domain }}"
47
-    destination: "{{ admin_email }}"
48
-    domain_pk_id: 1
49
-  - source: "webmaster@{{ domain }}"
50
-    destination: "{{ admin_email }}"
51
-    domain_pk_id: 1
52
-mail_header_privacy: 1
53
-
54
-# z-push
55
-zpush_timezone: "TODO"  #Example: "America/New_York"
56
-
57
-# owncloud
58
-owncloud_db_password: TODO
59
-
60
-# vpn
61
-openvpn_key_country:  "US"
62
-openvpn_key_province: "California"
63
-openvpn_key_city: "Beverly Hills"
64
-openvpn_key_org: "ACME CORPORATION"
65
-openvpn_key_ou: "Anvil Department"
66
-openvpn_clients:
67
-  - laptop
68
-  - phone
69
-  - tablet
70
-
71
-# webmail
72
-webmail_db_password: TODO
73
-
74
-# xmpp
75
-prosody_admin: "{{ admin_email }}"
76
-prosody_virtual_domain: "{{ domain }}"
77
-prosody_accounts:
78
-  - name: "{{ main_user_name }}"
79
-    password: TODO
80
-
81
-# selfoss
82
-selfoss_db_password: "TODO"
83
-selfoss_username: "{{ main_user_name }}"
84
-# this is the sha512 hash of the desired password
85
-selfoss_password_hash: "TODO"
86
-
87
-# wallabag
88
-wallabag_salt: TODO
89
-wallabag_db_password: TODO
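
Review bot: `irc_timezone` (previously required by the ircbouncer role, with the `America/New_York` example) disappears without a replacement anywhere in this commit; if the role still uses it, it should be added to `group_vars/sovereign` or derived from `common_timezone`. The note that `encfs_password` must not contain `$` is also lost; now that the value comes from the `password` lookup in `roles/common/defaults/main.yml`, a comment there should record the constraint so that nobody overrides the lookup's character set with one that includes `$`.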
