Browse Source

removing some unneeded stuff

Thomas Buck 2 years ago
parent
commit
7c5537b78d
3 changed files with 24 additions and 137 deletions
  1. 0
    61
      CONTRIBUTING.md
  2. 17
    74
      README.md
  3. 7
    2
      hosts

+ 0
- 61
CONTRIBUTING.md View File

@@ -1,61 +0,0 @@
1
-# Contributing to Sovereign
2
-
3
-## Intellectual property
4
-
5
-Make sure you agree with the license (GPLv3). See [LICENSE.md](./LICENSE.md) for details.
6
-
7
-Code that is committed to the master branch should work with both Debian 8 "Jessie" and Ubuntu 16.04 LTS "Xenial".
8
-
9
-## Module design principles
10
-
11
-Sovereign is an Ansible playbook that uses the modules in this repository to configure a server. Modules should conform to the following design principles.
12
-
13
-### Naming
14
-
15
-Modules should be named after the software they add (as opposed to the functionality they provide). Soverign is currently inconsistent on this. For example, there are the `ircbouncer` and `blog` modules, but there is also the `owncloud` module. Please name modules after the software used, though, so that it is possible to provide alternatives for functionality.
16
-
17
-### Making decisions
18
-
19
-A module exists to make decisions about how a service should be installed and configured. Make these decisions and minimize or eliminate configuration options exposed to the user. When in doubt, make a decision, and if the community feedback is vocal enough, only then expose an option.
20
-
21
-### Idempotency
22
-
23
-A module must be idempotent. If it's run once or many times, the result should be the same. This means that in some cases the user will be left with post-installation finalization work to do. Post-install finalization should be reduced or eliminated if possible, but not at the cost of idempotency.
24
-
25
-### Databases
26
-
27
-A module that introduces a database-backed service must use PostgreSQL if possible.  In order to minimize server load of having two database servers running, MySQL should not be used unless absolutely necessary. Sqlite may be used if persistent data requirements are bounded for all users and are within Sqlite's design limits.
28
-
29
-### Registrations
30
-
31
-A module should configure the server in a way that minimizes the data posted to other services. This includes names, email addresses, and other personally-identifable information. 
32
-
33
-### Upgrades
34
-
35
-A module's design should anticipate upgrades to the services it provides. Configuration files that work for the current version of the service may become out of date on future versions of the service and lead to difficult-to-find bugs. This also introduces work for maintaining the module.  Whenever possible, design the module to use the service to handle initial configuration and upgrades.
36
-
37
-### Performance
38
-
39
-A module should be designed and implemented to run as quickly as possible in order to minimize the time to run an entire playbook or even the role itself. A small performance penalty here and a small penalty there eventually adds to a very slow deployment system. Performance is important.
40
-
41
-### Design document
42
-
43
-A module should have a design description explaining the approach to implementing a service and what tradeoffs were made when choosing the design that was implemented. Do not leave this for comments in a pull request as we want this close to the code for the sake of future maintainers.
44
-
45
-The design description should be succinct and to the point. Assume the reader is familiar with Sovereign but not your module. As a rule of thumb, 500-1000 words is about the right length for a module design description.
46
-
47
-## Design checklist
48
-
49
-Consider the following checklist when reviewing a module's design.
50
-
51
-- Does the role need an SSL certificate for a new subdomain?  If so, update the letsencrypt tasklist in the common role.
52
-- Does the role add an Apache virtual site?  If so, has somebody knowledgable in Apache configuration and security reviewed the configuration?
53
-- Does README.md need to be updated based on new or changed finalization instructions?
54
-
55
-## Submitting pull requests
56
-
57
-Verify that your changes pass [ansible-lint](https://github.com/willthames/ansible-lint) before submitting a pull request.
58
-
59
-Use good commit practices to document your changes. Don't assume the developer reviewing your commits has access to GitHub. The developer could be a future maintainer in a different environment. Similarly, as you address feedback on the pull request, do not assume the reviewer has access to GitHub.
60
-
61
-When you issue a pull request, please specify what distribution you used for testing (if any).  Code that is committed to the master branch should work with both Debian 7 and Ubuntu 14.04 LTS.  Support for Debian 8 is coming.

+ 17
- 74
README.md View File

@@ -1,57 +1,13 @@
1 1
 # Sovereign
2
-# Introduction
3
-
4
-Sovereign is a set of [Ansible](http://ansible.com) playbooks that you can use to build and maintain your own [personal cloud](http://www.urbandictionary.com/define.php?term=clown%20computing) based entirely on open source software, so you’re in control.
5
-
6
-If you’ve never used Ansible before, you might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.
7
-
8
-The original author's [background and motivations](https://github.com/sovereign/sovereign/wiki/Background-and-Motivations) might be of interest.
9
-tl;dr: frustrations with Google Apps and concerns about privacy and long-term support.
10
-
11
-Sovereign offers useful cloud services while being reasonably secure and low-maintenance.
12
-Use it to set up your server, SSH in every couple weeks, but mostly forget about it.
13
-
14
-## Services Provided
15
-
16
-What do you get if you point Sovereign at a server? All kinds of good stuff!
17
-
18
--   [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) over SSL via [Dovecot](http://dovecot.org/), complete with full text search provided by [Solr](https://lucene.apache.org/solr/).
19
--   [POP3](https://en.wikipedia.org/wiki/Post_Office_Protocol) over SSL, also via Dovecot
20
--   [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) over SSL via Postfix, including a nice set of [DNSBLs](https://en.wikipedia.org/wiki/DNSBL) to discard spam before it ever hits your filters.
21
--   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
22
--   Spam fighting via [Rspamd](https://www.rspamd.com/).
23
--   Mail server verification using [DKIM](http://www.dkim.org/) and [DMARC](http://www.dmarc.org/) so the Internet knows your mailserver is legit.
24
--   Webmail via [Roundcube](http://www.roundcube.net/).
25
--   Mobile push notifications and autodiscovery via [Z-Push](http://z-push.sourceforge.net/soswp/index.php?pages_id=1&t=home).
26
--   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
27
--   Jabber/[XMPP](http://xmpp.org/) instant messaging via [Prosody](http://prosody.im/).
28
--   [Matrix](https://matrix.org/) via [Riot.im](https://about.riot.im) and [Synapse](https://matrix.org/docs/projects/server/synapse.html).
29
--   The [Mastodon](https://mastodon.social/about) social network.
30
--   An RSS Reader via [Selfoss](http://selfoss.aditu.de/).
31
--   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [NextCloud](http://nextcloud.com/).
32
--   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).
33
--   An IRC bouncer via [ZNC](http://wiki.znc.in/ZNC).
34
--   Git Repo hosting via [gitea](https://gitea.io/en-us/).
35
--   IoT Dashboard via [Grafana](https://grafana.com) with [InfluxDB](https://www.influxdata.com/time-series-platform/influxdb/) and [Telegraf](https://www.influxdata.com/time-series-platform/telegraf/).
36
--   [Mosquitto](https://mosquitto.org) and [mqtt-admin](https://github.com/hobbyquaker/mqtt-admin) on `iot.domain/mqtt`.
37
--   [Monit](http://mmonit.com/monit/) to keep everything running smoothly (and alert you when it’s not).
38
--   Web hosting (ex: for your blog) via [Apache](https://www.apache.org/).
39
--   Statistics for the website using [Fathom](https://github.com/usefathom/fathom).
40
--   Comments for the website using [Commento](https://gitlab.com/commento/commento).
41
--   Firewall management via [Uncomplicated Firewall (ufw)](https://wiki.ubuntu.com/UncomplicatedFirewall).
42
--   Intrusion prevention via [fail2ban](http://www.fail2ban.org/) and rootkit detection via [rkhunter](http://rkhunter.sourceforge.net).
43
--   SSH configuration preventing root login and insecure password authentication
44
--   A bunch of nice-to-have tools like [mosh](http://mosh.mit.edu) and [htop](http://htop.sourceforge.net) that make life with a server a little easier.
45
-
46
-Don’t want one or more of the above services? Comment out the relevant role in `site.yml`.
47
-Or get more granular and comment out the associated `include:` directive in one of the playbooks.
2
+
3
+Forked from [Sovereign on GitHub](https://github.com/sovereign/sovereign).
48 4
 
49 5
 # Usage
50 6
 
51 7
 ## What You’ll Need
52 8
 
53 9
 1.  A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at [Linode](http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b). You’ll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
54
-2.  [64-bit Debian 9](http://www.debian.org/). (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.)
10
+2.  [64-bit Debian 9 or 10](http://www.debian.org/). (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.)
55 11
 
56 12
 You do not need to acquire an SSL certificate.  The SSL certificates you need will be obtained from [Let's Encrypt](https://letsencrypt.org/) automatically when you deploy your server.
57 13
 
@@ -61,11 +17,11 @@ You do not need to acquire an SSL certificate.  The SSL certificates you need wi
61 17
 
62 18
 The following steps are done on the remote server by `ssh`ing into it and running these commands.
63 19
 
64
-#### 1. Install required packages
20
+#### Install required packages
65 21
 
66 22
     apt-get install sudo python
67 23
 
68
-#### 2. Prep the server
24
+#### Prep the server
69 25
 
70 26
 For goodness sake, change the root password:
71 27
 
@@ -102,7 +58,7 @@ Or you can just add your `deploy` user to the sudo group.
102 58
 
103 59
 Ansible (the tool setting up your server) runs locally on your computer and sends commands to the remote server.
104 60
 
105
-#### 3. Software
61
+#### Software
106 62
 
107 63
 Download this repository somewhere on your machine, either through `Clone or Download > Download ZIP` above, `wget`, or `git` as below.
108 64
 Also install the dependencies for password generation as well as ansible itself.
@@ -115,7 +71,7 @@ Or, if you're on Arch, instead of using pip, install the required stuff manually
115 71
 
116 72
     sudo pacman -Syu ansible python-jmespath python-passlib
117 73
 
118
-#### 4. Configure your installation
74
+#### Configure your installation
119 75
 
120 76
 Modify the settings in the `group_vars/sovereign` folder to your liking.
121 77
 If you want to see how they’re used in context, just search for the corresponding string.
@@ -125,13 +81,13 @@ Finally, replace the `host.example.net` in the file `hosts`.
125 81
 If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address.
126 82
 In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
127 83
 
128
-#### 5. Set up DNS
84
+#### Set up DNS
129 85
 
130 86
 If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar.
131 87
 Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge.
132 88
 If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
133 89
 
134
-Create `A` or `CNAME` records which point to your server's IP address:
90
+Create `A` and `AAAA` or `CNAME` records which point to your server's IP address:
135 91
 
136 92
 * `example.com`
137 93
 * `mail.example.com`
@@ -147,7 +103,7 @@ Create `A` or `CNAME` records which point to your server's IP address:
147 103
 * `comments.example.com` (for commento)
148 104
 * `iot.example.com` (for grafana)
149 105
 
150
-#### 6. Run the Ansible Playbooks
106
+#### Run the Ansible Playbooks
151 107
 
152 108
 First, make sure you’ve [got Ansible installed](http://docs.ansible.com/intro_installation.html#getting-ansible).
153 109
 This should already be done by running the pip requirements.txt from above.
@@ -158,24 +114,7 @@ To run the whole dang thing:
158 114
     
159 115
 If you chose to make a passwordless sudo deploy user, you can omit the `--ask-sudo-pass` argument.
160 116
 
161
-To run just one or more piece, use tags.
162
-I try to tag all my includes for easy isolated development.
163
-For example, to focus in on your firewall setup:
164
-
165
-    ansible-playbook -i ./hosts --tags=ufw site.yml
166
-
167
-You might find that it fails at one point or another.
168
-This is probably because something needs to be done manually, usually because there’s no good way of automating it,
169
-or because something changed in the upstream packages or you're not using Debian 9.
170
-Fortunately, all the tasks are clearly named so you should be able to find out where it stopped.
171
-I’ve tried to add comments where manual intervention is necessary.
172
-In the best case scenario, no manual steps should be needed, everything is done via the sovereign config vars.
173
-
174
-The `dependencies` tag just installs dependencies, performing no other operations.
175
-The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `group_vars/sovereign`.
176
-Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
177
-
178
-#### 7. Finish DNS set-up
117
+#### Finish DNS set-up
179 118
 
180 119
 Create an `MX` record for `example.com` which assigns `mail.example.com` as the domain’s mail server.
181 120
 To ensure your emails pass DKIM checks you need to add a `txt` record.
@@ -197,12 +136,16 @@ Correctly set up reverse DNS for your server and make sure to validate that it
197 136
 for example by sending an email to <a href="mailto:check-auth@verifier.port25.com">check-auth@verifier.port25.com</a>
198 137
 and reviewing the report that will be emailed back to you.
199 138
 
200
-#### 8. Miscellaneous Configuration
139
+#### Miscellaneous Configuration
201 140
 
202 141
 Sign in to the ZNC web interface and set things up to your liking.
203 142
 It isn’t exposed through the firewall, so you must first set up an SSH tunnel:
204 143
 
205
-	ssh deploy@example.com -L 6643:localhost:6643
144
+    ssh deploy@example.com -L 6643:localhost:6643
206 145
 
207 146
 Then proceed to http://localhost:6643 in your web browser.
208 147
 The same goes for the RSpamD web interface on port 11334.
148
+
149
+To access the gitea admin CLI, execute it like this:
150
+
151
+    sudo -u git /usr/local/bin/gitea admin create-user --admin --config /etc/gitea/app.ini --name USERNAME --password PASSWORD --email MAIL

+ 7
- 2
hosts View File

@@ -1,4 +1,9 @@
1
+# hosts in the 'sovereign' group use vars defined in 'group_vars/sovereign'
2
+# all hosts use vars defined in 'host_vars/HOST'
3
+# define common settings in the sovereign group_vars,
4
+# server-specific ones in the host_vars
5
+# create custom groups here to control which roles are
6
+# installed on which host within site.yml.
7
+
1 8
 [sovereign]
2
-# hosts in the `sovereign` group  use vars defined in `group_vars/sovereign`
3
-# put your host's IP address or domain name below
4 9
 host.example.net

Loading…
Cancel
Save