@@ -54,37 +54,15 @@ What You’ll Need
1. A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at [Linode](http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b). You’ll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
2. [64-bit Debian 7](http://www.debian.org/) or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.)
-3. A wildcard SSL certificate. You can either buy one or self-sign if you want to save money.
-4. A [Tarsnap](http://www.tarsnap.com) account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
+3. A [Tarsnap](http://www.tarsnap.com) account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
-Installation
-------------
-
-### 1. Get a wildcard SSL certificate
-
-Generate a private key and a certificate signing request (CSR):
-
- openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -sha256 -out mycert.csr
-
-Purchase a wildcard cert from a certificate authority, such as [Positive SSL](https://positivessl.com) or [AlphaSSL](https://www.alphassl.com). You will provide them with the contents of your CSR, and in return they will give you your signed public certificate. Place the certificate in `roles/common/files/wildcard_public_cert.crt`.
-
-Download your certificate authority’s combined cert to `roles/common/files/wildcard_ca.pem`. You can also download the intermediate and root certificates separately and concatenate them together in that order.
-
-Lastly, test your certificate:
-
- openssl verify -verbose -CAfile roles/common/files/wildcard_ca.pem roles/common/files/wildcard_public_cert.crt
-
-#### Self-signed SSL certificate
+You do not need to acquire an SSL certificate. The SSL certificates you need will be obtained from [Let's Encrypt](https://letsencrypt.org/) automatically when you deploy your server.
-Purchasing SSL certs, and wildcard certs specifically, can be a significant financial burden. It is possible to generate a self-signed SSL certificate (i.e. one that isn’t signed by a Certificate Authority) that is free of charge by nature. However, since a self-signed cert has no CA chain that can confirm its authenticity, some services might behave erratically when using such a certificate.
-To create a self-signed SSL cert, run the following commands:
-
- openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -sha256 -out mycert.csr
- openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
- cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
+Installation
+------------
-### 2. Get a Tarsnap machine key
+### 1. Get a Tarsnap machine key
If you haven’t already, [download and install Tarsnap](https://www.tarsnap.com/download.html), or use `brew install tarsnap` if you use [Homebrew](http://brew.sh).
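Review bot: the added sentence "You do not need to acquire an SSL certificate…" should state its precondition: Let's Encrypt issues a certificate only after validating control of each hostname, so every name listed in the new DNS step must already resolve to the server when the playbook runs, otherwise issuance fails and the deploy breaks. Since this hunk also drops the `openssl` instructions, the files they populated (`roles/common/files/wildcard_private.key`, `roles/common/files/wildcard_public_cert.crt`, `roles/common/files/wildcard_ca.pem`) deserve a one-line note telling existing users whether the playbook still reads them or they can be deleted, and the removed `openssl verify` check could be replaced by a pointer to how to confirm that issuance succeeded after deploy.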
@@ -92,7 +70,7 @@ Create a new machine key for your server:
tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user me@example.com --machine example.com
-### 3. Prep the server
+### 2. Prep the server
For goodness sake, change the root password:
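Review bot: the renumbering is consistent with the removal of the SSL step, but now that "Get a Tarsnap machine key" is the first installation step, the visible `tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key` line would benefit from one sentence saying the decrypted machine key must never be committed to the repository; if an ignore rule or an encryption step for that file already exists, this is the place to mention it.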
@@ -115,7 +93,7 @@ Authorize your ssh key if you want passwordless ssh login (optional):
Your new account will be automatically set up for passwordless `sudo`.
-### 4. Configure your installation
+### 3. Configure your installation
Modify the settings in `vars/user.yml` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
@@ -167,6 +145,22 @@ For Git hosting, copy your public key into place:
Finally, replace the TODOs in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
+### 4. Set up DNS
+
+If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
+
+Create `A` or `CNAME` records which point to your server's IP address:
+
+* `example.com`
+* `mail.example.com`
+* `autoconfig.example.com` (for email client automatic configuration)
+* `read.example.com` (for Wallabag)
+* `news.example.com` (for Selfoss)
+* `cloud.example.com` (for ownCloud)
+* `git.example.com` (for cgit)
+
+Verify that the `subdomains` variable in `vars/user.yml` matches the list of subdomains you have just set up.
+
### 5. Run the Ansible Playbooks
First, make sure you’ve [got Ansible 1.6+ installed](http://docs.ansible.com/intro_installation.html#getting-ansible).
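Review bot: "Create `A` or `CNAME` records" is too permissive for two of the listed names. The apex `example.com` cannot be a `CNAME`, because it must also carry the `MX` and DKIM `TXT` records added in the later "Finish DNS set-up" step and a `CNAME` may not coexist with other record types at the same name; and `mail.example.com` must not be an alias, because it becomes the `MX` target. Suggest wording it as: `example.com` and `mail.example.com` as `A` records pointing at the server's IP address, the remaining subdomains as either `A` or `CNAME`. Moving this step ahead of the playbook run is the right order now that certificates are issued automatically at deploy time.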
@@ -183,21 +177,9 @@ You might find that it fails at one point or another. This is probably because s
The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `vars/user.yml`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
-### 6. Set up DNS
-
-If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
-
-Create `A` records which point to your server's IP address:
-
-* `example.com`
-* `mail.example.com`
-* `autoconfig.example.com` (for email client automatic configuration)
-* `read.example.com` (for Wallabag)
-* `news.example.com` (for Selfoss)
-* `cloud.example.com` (for ownCloud)
-* `git.example.com` (for cgit)
+### 6. Finish DNS set-up
-Create a `MX` record for `example.com` which assigns `mail.example.com` as the domain’s mail server.
+Create an `MX` record for `example.com` which assigns `mail.example.com` as the domain’s mail server.
To ensure your emails pass DKIM checks you need to add a `txt` record. The name field will be `default._domainkey.EXAMPLE.COM.` The value field contains the public key used by OpenDKIM. The exact value needed can be found in the file `/etc/opendkim/keys/EXAMPLE.COM/default.txt` it’ll look something like this:
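Review bot: with DNS now split across steps 4 and 6, the renamed "Finish DNS set-up" section should open with one sentence explaining why these records come after the playbook run: the DKIM value it asks for is read from `/etc/opendkim/keys/EXAMPLE.COM/default.txt`, which only exists once the playbook has generated the key. The unchanged context line "add a `txt` record" should also say `TXT`, matching the `MX` and `A` casing used elsewhere; the "a `MX`" to "an `MX`" fix in this hunk is correct.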