
Convert README from Textile to Markdown

Alex Payne, 9 years ago
Parent
Commit
c64f0d9572
2 changed files: 265 additions and 247 deletions
  1. README.md: +265 -0
  2. README.textile: +0 -247

+265 -0 README.md

@@ -0,0 +1,265 @@
1
+[![Build Status](https://travis-ci.org/al3x/sovereign.svg?branch=master)](https://travis-ci.org/al3x/sovereign)
2
+
3
+Introduction
4
+============
5
+
6
+Sovereign is a set of [Ansible](http://ansibleworks.com) playbooks that you can use to build and maintain your own [personal cloud](http://www.urbandictionary.com/define.php?term=clown%20computing) (I know I know). It’s based entirely on open source software, so you’re in control.
7
+
8
+If you’ve never used Ansible before, you a) are in for a treat and b) might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.
9
+
10
+Background and Motivations
11
+--------------------------
12
+
13
+I had been a paying Google Apps customer for personal and corporate use since the service was in beta. Until several weeks ago, that is. I was about to set up another Google Apps account for a new project when I stopped to consider what I would be funding with my USD \$50 per user per year:
14
+
15
+1.  [A seriously questionable privacy track record](https://en.wikipedia.org/wiki/Criticism_of_Google#Privacy).
16
+2.  [A dwindling commitment to open standards](https://www.eff.org/deeplinks/2013/05/google-abandons-open-standards-instant-messaging).
17
+3.  [A lack of long-term commitment to products](http://www.quora.com/Google-Products/What-are-all-the-Google-products-that-have-been-shut-down).
18
+4.  Development of Google+: a cynical and [unimaginative Facebook ripoff](http://gigaom.com/2012/03/15/google-plus-the-problem-isnt-design-its-a-lack-of-demand/) that’s [intruding into progressively more Google products](http://bits.blogs.nytimes.com/2012/03/06/google-defending-google-plus-shares-usage-numbers/?_r=0).
19
+
20
+To each her/his own, but personally I saw little reason to continue participating in the Google ecosystem. It had been years since I last ran my own server for email and such, but it’s only gotten cheaper and easier to do so. Plus, none of the commercial alternatives I looked at provided all the services I was looking for.
21
+
22
+Rather than writing up a long and hard-to-follow set of instructions, I decided to share my server setup in a format that you can more or less just clone, configure, and run. Ansible seemed like the most appropriate way to do that: it’s simple, straightforward, and easy to pick up.
23
+
24
+I’ve been using this setup for about a month now and it’s been great. It’s also replaced some non-Google services I used, saving me money and making me feel like I’ve got a little more privacy.
25
+
26
+A big chunk of the initial version was inspired by [this post by Drew Crawford](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/). Unlike Drew, my goal is not “NSA-proofing” email, just providing a reasonable alternative to Google Apps that isn’t wildly insecure. If you need serious privacy and security (ex: for dissident activities), Sovereign might be useful as a starting point but will require additional work. Be careful out there.
27
+
28
+Services Provided
29
+-----------------
30
+
31
+What do you get if you point this thing at a VPS? All kinds of good stuff!
32
+
33
+-   [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) over SSL via [Dovecot](http://dovecot.org/), complete with full text search provided by [Solr](https://lucene.apache.org/solr/).
34
+-   [POP3](https://en.wikipedia.org/wiki/Post_Office_Protocol) over SSL, also via Dovecot
35
+-   [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) over SSL via Postfix, including a nice set of [DNSBLs](https://en.wikipedia.org/wiki/DNSBL) to discard spam before it ever hits your filters.
36
+-   Webmail via [Roundcube](http://www.roundcube.net/).
37
+-   Mobile push notifications via [Z-Push](http://z-push.sourceforge.net/soswp/index.php?pages_id=1&t=home).
38
+-   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
39
+-   Jabber/[XMPP](http://xmpp.org/) instant messaging via [Prosody](http://prosody.im/).
40
+-   An RSS Reader via [Selfoss](http://selfoss.aditu.de/).
41
+-   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
42
+-   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
43
+-   Spam fighting via [DSPAM](http://dspam.sourceforge.net/) and [Postgrey](http://postgrey.schweikert.ch/).
44
+-   Mail server verification via [OpenDKIM](http://www.opendkim.org/), so folks know you’re legit.
45
+-   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [ownCloud](http://owncloud.org/).
46
+-   Your own private [Dropbox](https://www.dropbox.com/), also via [ownCloud](http://owncloud.org/).
47
+-   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).
48
+-   An IRC bouncer via [ZNC](http://wiki.znc.in/ZNC).
49
+-   [Monit](http://mmonit.com/monit/) to keep everything running smoothly (and alert you when it’s not).
50
+-   [collectd](http://collectd.org/) to collect system statistics.
51
+-   Web hosting (ex: for your blog) via [Apache](https://www.apache.org/).
52
+-   Firewall management via [Uncomplicated Firewall (ufw)](https://wiki.ubuntu.com/UncomplicatedFirewall).
53
+-   Intrusion prevention via [fail2ban](http://www.fail2ban.org/) and rootkit detection via [rkhunter](http://rkhunter.sourceforge.net).
54
+-   SSH configuration preventing root login and insecure password authentication
55
+-   [RFC6238](http://tools.ietf.org/html/rfc6238) two-factor authentication compatible with [Google Authenticator](http://en.wikipedia.org/wiki/Google_Authenticator) and various hardware tokens
56
+-   Nightly backups to [Tarsnap](https://www.tarsnap.com/).
57
+-   Git hosting via [cgit](http://git.zx2c4.com/cgit/about/) and [gitolite](https://github.com/sitaramc/gitolite).
58
+-   [Newebe](http://newebe.org), a social network.
59
+-   Read-it-later via [Wallabag](https://www.wallabag.org/)
60
+-   A bunch of nice-to-have tools like [mosh](http://mosh.mit.edu) and [htop](http://htop.sourceforge.net) that make life with a server a little easier.
61
+
62
+No setup is perfect, but the general idea is to provide a bunch of useful services while being reasonably secure and low-maintenance. Set it up, SSH in every couple weeks, but mostly forget about it.
63
+
64
+Don’t want one or more of the above services? Comment out the relevant role in `site.yml`. Or get more granular and comment out the associated `include:` directive in one of the playbooks.
65
+
66
+Usage
67
+=====
68
+
69
+What You’ll Need
70
+----------------
71
+
72
+1.  A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at [Linode](http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b). You’ll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
73
+2.  [64-bit Debian 7](http://www.debian.org/) or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://www.ansibleworks.com/docs/modules.html#packaging) modules.)
74
+3.  A wildcard SSL certificate. You can either buy one or self-sign if you want to save money.
75
+4.  A [Tarsnap](http://www.tarsnap.com) account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
76
+
77
+Installation
78
+------------
79
+
80
+### 1. Get a wildcard SSL certificate
81
+
82
+Generate a private key and a certificate signing request (CSR):
83
+
84
+    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
85
+
86
+Purchase a wildcard cert from a certificate authority, such as [Positive SSL](https://positivessl.com) or [AlphaSSL](https://www.alphassl.com). You will provide them with the contents of your CSR, and in return they will give you your signed public certificate. Place the certificate in `roles/common/files/wildcard_public_cert.crt`.
87
+
88
+Download your certificate authority’s combined cert to `roles/common/files/wildcard_ca.pem`. You can also download the intermediate and root certificates separately and concatenate them together in that order.
89
+
90
+Lastly, test your certificate:
91
+
92
+    openssl verify -verbose -CAfile roles/common/files/wildcard_ca.pem roles/common/files/wildcard_public_cert.crt
93
+
94
+#### Self-signed SSL certificate
95
+
96
+Purchasing SSL certs, and wildcard certs specifically, can be a significant financial burden. It is possible to generate a self-signed SSL certificate (i.e. one that isn’t signed by a Certificate Authority) that is free of charge by nature. However, since a self-signed cert has no CA chain that can confirm its authenticity, some services might behave erratically when using such a certificate.
97
+
98
+To create a self-signed SSL cert, run the following commands:
99
+
100
+    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
101
+    openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
102
+    cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
103
+
104
+### 2. Get a Tarsnap machine key
105
+
106
+If you haven’t already, [download and install Tarsnap](https://www.tarsnap.com/download.html), or use `brew install tarsnap` if you use [Homebrew](http://brew.sh).
107
+
108
+Create a new machine key for your server:
109
+
110
+    tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user me@example.com --machine example.com
111
+
112
+### 3. Prep the server
113
+
114
+For goodness sake, change the root password:
115
+
116
+    passwd
117
+
118
+Create a user account for Ansible to do its thing through:
119
+
120
+    useradd deploy
121
+    passwd deploy
122
+    mkdir /home/deploy
123
+
124
+Authorize your ssh key if you want passwordless ssh login (optional):
125
+
126
+    mkdir /home/deploy/.ssh
127
+    chmod 700 /home/deploy/.ssh
128
+    nano /home/deploy/.ssh/authorized_keys
129
+    chmod 400 /home/deploy/.ssh/authorized_keys
130
+    chown deploy:deploy /home/deploy -R
131
+
132
+This account should be set up for passwordless sudo. Use `visudo` and add this line:
133
+
134
+    deploy  ALL=(ALL) NOPASSWD: ALL
135
+
136
+### 4. Configure your installation
137
+
138
+Modify the settings in `vars/user.yml` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
139
+
140
+Setting `password_hash` for your mail users is a bit tricky. You can generate one using [doveadm-pw](http://wiki2.dovecot.org/Tools/Doveadm/Pw).
141
+
142
+    # doveadm pw -s SHA512-CRYPT
143
+    Enter new password: foo
144
+    Retype new password: foo
145
+    {SHA512-CRYPT}$6$drlIN9fx7Aj7/iLu$XvjeuQh5tlzNpNfs4NwxN7.HGRLglTKism0hxs2C1OvD02d3x8OBN9KQTueTr53nTJwVShtCYiW80SGXAjSyM0
146
+
147
+Remove `{SHA512-CRYPT}` and insert the rest as the `password_hash` value.
148
+
149
+Alternatively, if you don’t already have `doveadm` installed, Python 3.3 or higher on Linux will generate the appropriate string for you (assuming your password is `password`):
150
+
151
+    python3 -c 'import crypt; print(crypt.crypt("password", salt=crypt.METHOD_SHA512))'
152
+
153
+On OS X and other platforms the [passlib](https://pythonhosted.org/passlib/) package may be used to generate the required string:
154
+
155
+    python -c 'import passlib.hash; print(passlib.hash.sha512_crypt.encrypt("password", rounds=5000))'
156
+
157
+Same for the IRC password hash…
158
+
159
+    # znc --makepass
160
+    [ ** ] Type your new password.
161
+    [ ?? ] Enter Password: foo
162
+    [ ?? ] Confirm Password: foo
163
+    [ ** ] Kill ZNC process, if it's running.
164
+    [ ** ] Then replace password in the <User> section of your config with this:
165
+    <Pass password>
166
+            Method = sha256
167
+            Hash = 310c5f99825e80d5b1d663a0a993b8701255f16b2f6056f335ba6e3e720e57ed
168
+            Salt = YdlPM5yjBmc/;JO6cfL5
169
+    </Pass>
170
+    [ ** ] After that start ZNC again, and you should be able to login with the new password.
171
+
172
+Take the strings after `Hash =` and `Salt =` and insert them as the value for `irc_password_hash` and `irc_password_salt` respectively.
173
+
174
+Alternatively, if you don’t already have `znc` installed, Python 3.3 or higher on Linux will generate the appropriate string for you (assuming your password is `password`):
175
+
176
+    python3 -c 'import crypt; print("irc_password_salt: {}\nirc_password_hash: {}".format(*crypt.crypt("password", salt=crypt.METHOD_SHA256).split("$")[2:]))'
177
+
178
+On OS X and other platforms the passlib:https://pythonhosted.org/passlib/ package may be used to generate the required string:
179
+
180
+    python -c 'import passlib.hash; print("irc_password_salt: {}\nirc_password_hash: {}".format(*passlib.hash.sha256_crypt.encrypt("password", rounds=5000).split("$")[2:]))'
181
+
182
+For Git hosting, copy your public key into place:
183
+
184
+	cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub
185
+
186
+Finally, replace the TODOs in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
187
+
188
+### 5. Run the Ansible Playbooks
189
+
190
+First, make sure you’ve [got Ansible 1.6+ installed](http://docs.ansible.com/intro_installation.html#getting-ansible).
191
+
192
+To run the whole dang thing:
193
+
194
+    ansible-playbook -i ./hosts site.yml
195
+
196
+To run just one or more piece, use tags. I try to tag all my includes for easy isolated development. For example, to focus in on your firewall setup:
197
+
198
+    ansible-playbook -i ./hosts --tags=ufw site.yml
199
+
200
+You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there’s no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I’ve tried to add comments where manual intervention is necessary.
201
+
202
+### 6. Set up DNS
203
+
204
+If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
205
+
206
+Create `A` records which point to your server's IP address:
207
+
208
+* `example.com`
209
+* `mail.example.com`
210
+* `autoconfig.example.com` (for email client automatic configuration)
211
+* `read.example.com` (for Wallabag)
212
+* `news.example.com` (for Selfoss)
213
+* `cloud.example.com` (for ownCloud)
214
+* `git.example.com` (for cgit)
215
+
216
+Create a `MX` record for `example.com` which assigns `mail.example.com` as the domain’s mail server.
217
+
218
+To ensure your emails pass DKIM checks you need to add a `txt` record. The name field will be `default._domainkey.EXAMPLE.COM.` The value field contains the public key used by OpenDKIM. The exact value needed can be found in the file `/etc/opendkim/keys/EXAMPLE.COM/default.txt` it’ll look something like this:
219
+
220
+    v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKKAQfMwKVx+oJripQI+Ag4uTwYnsXKjgBGtl7Tk6UMTUwhMqnitqbR/ZQEZjcNolTkNDtyKZY2Z6LqvM4KsrITpiMbkV1eX6GKczT8Lws5KXn+6BHCKULGdireTAUr3Id7mtjLrbi/E3248Pq0Zs39hkDxsDcve12WccjafJVwIDAQAB
221
+
222
+Set up SPF and reverse DNS [as per this post](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/). Make sure to validate that it’s all working, for example by sending an email to <a href="mailto:check-auth@verifier.port25.com">check-auth@verifier.port25.com</a> and reviewing the report that will be emailed back to you.
223
+
224
+### 7. Miscellaneous Configuration
225
+
226
+Sign in to the ZNC web interface and set things up to your liking. It isn’t exposed through the firewall, so you must first set up an SSH tunnel:
227
+
228
+	ssh deploy@example.com -L 6643:localhost:6643
229
+
230
+Then proceed to http://localhost:6643 in your web browser.
231
+
232
+Finally, sign into ownCloud to set it up. You should select PostgreSQL as the configuration backend.
233
+
234
+How To Use Your New Personal Cloud
235
+----------------------------------
236
+
237
+We’re collecting known-good client setups [on our wiki](https://github.com/al3x/sovereign/wiki/Usage).
238
+
239
+Troubleshooting
240
+---------------
241
+
242
+If you run into an errors, please check the [wiki page](https://github.com/al3x/sovereign/wiki/Troubleshooting). If the problem you encountered, is not listed, please go ahead and [create an issue](https://github.com/al3x/sovereign/issues/new). If you already have a bugfix and/or workaround, just put them in the issue and the wiki page.
243
+
244
+### Reboots
245
+
246
+You will need to manually enter the password for any encrypted volumes on reboot. This is not Sovereign-specific, but rather a function of how EncFS works. This will necessitate SSHing into your machine after reboot, or accessing it via a console interface if one is available to you.
247
+
248
+It is possible that some daemons may need to be restarted after you enter your password for the encrypted volume(s). Some services may stall out while looking for resources that will only be available once the `/decrypted` volume is available and visible to daemon user accounts.
249
+
250
+IRC
251
+===
252
+
253
+Ask questions and provide feedback in `#sovereign` on [Freenode](http://freenode.net).
254
+
255
+Contributing
256
+============
257
+
258
+You may want to set up a [local development environment](https://github.com/al3x/sovereign/wiki/Development-Environment) so that you don’t have to test on your real server.
259
+
260
+If you improve one of the provided playbooks or add an exciting new one, send a pull request. Everyone benefits.
261
+
262
+License
263
+-------
264
+
265
+Original content is [GPLv3](http://gplv3.fsf.org), same as Ansible. All files and templates based on third-party software should be considered under their respective licenses.
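Review bot: one link in this hunk was left in Textile syntax: the line `On OS X and other platforms the passlib:https://pythonhosted.org/passlib/ package may be used ...` in the IRC password section is not a Markdown link, while the identical sentence earlier in the mail password section was correctly converted to `[passlib](https://pythonhosted.org/passlib/)`; make the second one match. Two smaller consistency points: the `cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub` block and the `ssh deploy@example.com -L 6643:localhost:6643` block are indented with a tab while every other code block in the file uses four spaces, and the `check-auth@verifier.port25.com` address is written as a raw HTML `<a href="mailto:...">` where the Markdown autolink form `<check-auth@verifier.port25.com>` would keep the file free of HTML. One documentation gap carried over from the old file: step 1 writes an unencrypted private key (`openssl req -nodes ...`) to `roles/common/files/wildcard_private.key` and step 2 writes the Tarsnap key to `roles/tarsnap/files/decrypted_tarsnap.key`, both inside the playbook tree, but the README never says to keep these files out of version control; a sentence to that effect belongs next to those steps.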

+0 -247 README.textile

@@ -1,247 +0,0 @@
1
-!https://travis-ci.org/al3x/sovereign.png?branch=master!:https://travis-ci.org/al3x/sovereign
2
-
3
-h1. Introduction
4
-
5
-Sovereign is a set of "Ansible":http://ansibleworks.com playbooks that you can use to build and maintain your own "personal cloud":http://www.urbandictionary.com/define.php?term=clown%20computing (I know I know). It's based entirely on open source software, so you're in control.
6
-
7
-If you've never used Ansible before, you a) are in for a treat and b) might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.
8
-
9
-h2. Background and Motivations
10
-
11
-I had been a paying Google Apps customer for personal and corporate use since the service was in beta. Until several weeks ago, that is. I was about to set up another Google Apps account for a new project when I stopped to consider what I would be funding with my USD $50 per user per year:
12
-
13
-# "A seriously questionable privacy track record":https://en.wikipedia.org/wiki/Criticism_of_Google#Privacy.
14
-# "A dwindling commitment to open standards":https://www.eff.org/deeplinks/2013/05/google-abandons-open-standards-instant-messaging.
15
-# "A lack of long-term commitment to products":http://www.quora.com/Google-Products/What-are-all-the-Google-products-that-have-been-shut-down.
16
-# Development of Google+: a cynical and "unimaginative Facebook ripoff":http://gigaom.com/2012/03/15/google-plus-the-problem-isnt-design-its-a-lack-of-demand/ that's "intruding into progressively more Google products":http://bits.blogs.nytimes.com/2012/03/06/google-defending-google-plus-shares-usage-numbers/?_r=0.
17
-
18
-To each her/his own, but personally I saw little reason to continue participating in the Google ecosystem. It had been years since I last ran my own server for email and such, but it's only gotten cheaper and easier to do so. Plus, none of the commercial alternatives I looked at provided all the services I was looking for.
19
-
20
-Rather than writing up a long and hard-to-follow set of instructions, I decided to share my server setup in a format that you can more or less just clone, configure, and run. Ansible seemed like the most appropriate way to do that: it's simple, straightforward, and easy to pick up.
21
-
22
-I've been using this setup for about a month now and it's been great. It's also replaced some non-Google services I used, saving me money and making me feel like I've got a little more privacy.
23
-
24
-A big chunk of the initial version was inspired by "this post by Drew Crawford":http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/. Unlike Drew, my goal is not "NSA-proofing" email, just providing a reasonable alternative to Google Apps that isn't wildly insecure. If you need serious privacy and security (ex: for dissident activities), Sovereign might be useful as a starting point but will require additional work. Be careful out there.
25
-
26
-h2. Services Provided
27
-
28
-What do you get if you point this thing at a VPS? All kinds of good stuff!
29
-
30
-* "IMAP":https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol over SSL via "Dovecot":http://dovecot.org/, complete with full text search provided by "Solr":https://lucene.apache.org/solr/.
31
-* "POP3":https://en.wikipedia.org/wiki/Post_Office_Protocol over SSL, also via Dovecot
32
-* "SMTP":https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol over SSL via Postfix, including a nice set of "DNSBLs":https://en.wikipedia.org/wiki/DNSBL to discard spam before it ever hits your filters.
33
-* Webmail via "Roundcube":http://www.roundcube.net/.
34
-* Mobile push notifications via "Z-Push":http://z-push.sourceforge.net/soswp/index.php?pages_id=1&t=home.
35
-* Email client "automatic configuration":https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration.
36
-* Jabber/"XMPP":http://xmpp.org/ instant messaging via "Prosody":http://prosody.im/.
37
-* An RSS Reader via "Selfoss":http://selfoss.aditu.de/.
38
-* Virtual domains for your email, backed by "PostgreSQL":http://www.postgresql.org/.
39
-* Secure on-disk storage for email and more via "EncFS":http://www.arg0.net/encfs.
40
-* Spam fighting via "DSPAM":http://dspam.sourceforge.net/ and "Postgrey":http://postgrey.schweikert.ch/.
41
-* Mail server verification via "OpenDKIM":http://www.opendkim.org/, so folks know you're legit.
42
-* "CalDAV":https://en.wikipedia.org/wiki/CalDAV and "CardDAV":https://en.wikipedia.org/wiki/CardDAV to keep your calendars and contacts in sync, via "ownCloud":http://owncloud.org/.
43
-* Your own private "Dropbox":https://www.dropbox.com/, also via "ownCloud":http://owncloud.org/.
44
-* Your own VPN server via "OpenVPN":http://openvpn.net/index.php/open-source.html.
45
-* An IRC bouncer via "ZNC":http://wiki.znc.in/ZNC.
46
-* "Monit":http://mmonit.com/monit/ to keep everything running smoothly (and alert you when it's not).
47
-* "collectd":http://collectd.org/ to collect system statistics.
48
-* Web hosting (ex: for your blog) via "Apache":https://www.apache.org/.
49
-* Firewall management via "Uncomplicated Firewall (ufw)":https://wiki.ubuntu.com/UncomplicatedFirewall.
50
-* Intrusion prevention via "fail2ban":http://www.fail2ban.org/ and rootkit detection via "rkhunter":http://rkhunter.sourceforge.net.
51
-* SSH configuration preventing root login and insecure password authentication
52
-* "RFC6238":http://tools.ietf.org/html/rfc6238 two-factor authentication compatible with "Google Authenticator":http://en.wikipedia.org/wiki/Google_Authenticator and various hardware tokens
53
-* Nightly backups to "Tarsnap":https://www.tarsnap.com/.
54
-* Git hosting via "cgit":http://git.zx2c4.com/cgit/about/ and "gitolite":https://github.com/sitaramc/gitolite.
55
-* "Newebe":http://newebe.org, a social network.
56
-* Read-it-later via "Wallabag":https://www.wallabag.org/
57
-* A bunch of nice-to-have tools like "mosh":http://mosh.mit.edu and "htop":http://htop.sourceforge.net that make life with a server a little easier.
58
-
59
-No setup is perfect, but the general idea is to provide a bunch of useful services while being reasonably secure and low-maintenance. Set it up, SSH in every couple weeks, but mostly forget about it.
60
-
61
-Don't want one or more of the above services? Comment out the relevant role in @site.yml@. Or get more granular and comment out the associated @include:@ directive in one of the playbooks.
62
-
63
-h1. Usage
64
-
65
-h2. What You'll Need
66
-
67
-# A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at "Linode":http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b. You'll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
68
-# "64-bit Debian 7":http://www.debian.org/ or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible's different "packaging":http://www.ansibleworks.com/docs/modules.html#packaging modules.)
69
-# A wildcard SSL certificate. You can either buy one or self-sign if you want to save money.
70
-# A "Tarsnap":http://www.tarsnap.com account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
71
-
72
-h2. Installation
73
-
74
-h3. 1. Get a wildcard SSL certificate
75
-
76
-Generate a private key and a certificate signing request (CSR):
77
-
78
-bc. openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
79
-
80
-Purchase a wildcard cert from a certificate authority, such as "Positive SSL":https://positivessl.com or "AlphaSSL":https://www.alphassl.com. You will provide them with the contents of your CSR, and in return they will give you your signed public certificate. Place the certificate in @roles/common/files/wildcard_public_cert.crt@.
81
-
82
-Download your certificate authority's combined cert to @roles/common/files/wildcard_ca.pem@. You can also download the intermediate and root certificates separately and concatenate them together in that order.
83
-
84
-Lastly, test your certificate:
85
-
86
-bc. openssl verify -verbose -CAfile roles/common/files/wildcard_ca.pem roles/common/files/wildcard_public_cert.crt
87
-
88
-h4. Self-signed SSL certificate
89
-
90
-Purchasing SSL certs, and wildcard certs specifically, can be a significant financial burden. It is possible to generate a self-signed SSL certificate (i.e. one that isn't signed by a Certificate Authority) that is free of charge by nature. However, since a self-signed cert has no CA chain that can confirm its authenticity, some services might behave erratically when using such a certificate.
91
-
92
-To create a self-signed SSL cert, run the following commands:
93
-
94
-bc. openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
95
-openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
96
-cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
97
-
98
-h3. 2. Get a Tarsnap machine key
99
-
100
-If you haven't already, "download and install Tarsnap":https://www.tarsnap.com/download.html, or use @brew install tarsnap@ if you use "Homebrew":http://brew.sh.
101
-
102
-Create a new machine key for your server:
103
-
104
-bc. tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user me@example.com --machine example.com
105
-
106
-h3. 3. Prep the server
107
-
108
-For goodness sake, change the root password:
109
-
110
-bc. passwd
111
-
112
-Create a user account for Ansible to do its thing through:
113
-
114
-bc. useradd deploy
115
-passwd deploy
116
-mkdir /home/deploy
117
-
118
-Authorize your ssh key if you want passwordless ssh login (optional):
119
-
120
-bc. mkdir /home/deploy/.ssh
121
-chmod 700 /home/deploy/.ssh
122
-nano /home/deploy/.ssh/authorized_keys
123
-chmod 400 /home/deploy/.ssh/authorized_keys
124
-chown deploy:deploy /home/deploy -R
125
-
126
-This account should be set up for passwordless sudo. Use @visudo@ and add this line:
127
-
128
-bc. deploy  ALL=(ALL) NOPASSWD: ALL
129
-
130
-h3. 4. Configure your installation
131
-
132
-Modify the settings in @vars/user.yml@ to your liking. If you want to see how they're used in context, just search for the corresponding string.
133
-
134
-Setting @password_hash@ for your mail users is a bit tricky. You can generate one using "doveadm-pw":http://wiki2.dovecot.org/Tools/Doveadm/Pw.
135
-
136
-bc. # doveadm pw -s SHA512-CRYPT
137
-Enter new password: foo
138
-Retype new password: foo
139
-{SHA512-CRYPT}$6$drlIN9fx7Aj7/iLu$XvjeuQh5tlzNpNfs4NwxN7.HGRLglTKism0hxs2C1OvD02d3x8OBN9KQTueTr53nTJwVShtCYiW80SGXAjSyM0
140
-
141
-Remove @{SHA512-CRYPT}@ and insert the rest as the @password_hash@ value.
142
-
143
-Alternatively, if you don't already have @doveadm@ installed, Python 3.3 or higher on Linux will generate the appropriate string for you (assuming your password is @password@):
144
-
145
-bc. python3 -c 'import crypt; print(crypt.crypt("password", salt=crypt.METHOD_SHA512))'
146
-
147
-On OS X and other platforms the "passlib":https://pythonhosted.org/passlib/ package may be used to generate the required string:
148
-
149
-bc. python -c 'import passlib.hash; print(passlib.hash.sha512_crypt.encrypt("password", rounds=5000))'
150
-
151
-Same for the IRC password hash...
152
-
153
-bc. # znc --makepass
154
-[ ** ] Type your new password.
155
-[ ?? ] Enter Password: foo
156
-[ ?? ] Confirm Password: foo
157
-[ ** ] Kill ZNC process, if it's running.
158
-[ ** ] Then replace password in the <User> section of your config with this:
159
-<Pass password>
160
-        Method = sha256
161
-        Hash = 310c5f99825e80d5b1d663a0a993b8701255f16b2f6056f335ba6e3e720e57ed
162
-        Salt = YdlPM5yjBmc/;JO6cfL5
163
-</Pass>
164
-[ ** ] After that start ZNC again, and you should be able to login with the new password.
165
-
166
-Take the strings after @Hash =@ and @Salt =@ and insert them as the value for @irc_password_hash@ and @irc_password_salt@ respectively.
167
-
168
-Alternatively, if you don't already have @znc@ installed, Python 3.3 or higher on Linux will generate the appropriate string for you (assuming your password is @password@):
169
-
170
-bc. python3 -c 'import crypt; print("irc_password_salt: {}\nirc_password_hash: {}".format(*crypt.crypt("password", salt=crypt.METHOD_SHA256).split("$")[2:]))'
171
-
172
-On OS X and other platforms the passlib:https://pythonhosted.org/passlib/ package may be used to generate the required string:
173
-
174
-bc. python -c 'import passlib.hash; print("irc_password_salt: {}\nirc_password_hash: {}".format(*passlib.hash.sha256_crypt.encrypt("password", rounds=5000).split("$")[2:]))'
175
-
176
-For git hosting, copy your public key into place. @cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub@ or similar.
177
-
178
-Finally, replace the TODOs in the file @hosts@. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address.
179
-In that case you also need to add your custom port to the task @Set firewall rules for web traffic and SSH@ in the file @roles/common/tasks/ufw.yml@.
180
-
181
-h3. 5. Run the Ansible Playbooks
182
-
183
-First, make sure you've "got Ansible 1.6+ installed":http://docs.ansible.com/intro_installation.html#getting-ansible.
184
-
185
-To run the whole dang thing:
186
-
187
-bc. ansible-playbook -i ./hosts site.yml
188
-
189
-To run just one or more piece, use tags. I try to tag all my includes for easy isolated development. For example, to focus in on your firewall setup:
190
-
191
-bc. ansible-playbook -i ./hosts --tags=ufw site.yml
192
-
193
-You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there's no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I've tried to add comments where manual intervention is necessary.
194
-
195
-h3. 6. Set up DNS
196
-
197
-If you've just bought a new domain name, point it at "Linode's DNS Manager":https://library.linode.com/dns-manager or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you're using an existing domain that's already managed elsewhere, you can probably just modify a few records.
198
-
199
-Create an @A@ records which point to your server IP for:
200
- * @example.com@
201
- * @mail.example.com@
202
- * @autoconfig.example.com@ (for email client automatic configuration)
203
- * @read.example.com@ (for wallabe)
204
- * @news.example.com@ (for selfoss)
205
- * @cloud.example.com@ (for owncloud)
206
- * @git.example.com@ (for cgit)
207
-
208
-Create a @MX@ record for @example.com@ which assigns @mail.example.com@ as the domain's mail server.
209
-
210
-To ensure your emails pass DKIM checks you need to add a @txt@ record. The name field will be @default._domainkey.EXAMPLE.COM.@ The value field contains the public key used by OpenDKIM. The exact value needed can be found in the file @/etc/opendkim/keys/EXAMPLE.COM/default.txt@ it'll look something like this:
211
-
212
-bc. v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKKAQfMwKVx+oJripQI+Ag4uTwYnsXKjgBGtl7Tk6UMTUwhMqnitqbR/ZQEZjcNolTkNDtyKZY2Z6LqvM4KsrITpiMbkV1eX6GKczT8Lws5KXn+6BHCKULGdireTAUr3Id7mtjLrbi/E3248Pq0Zs39hkDxsDcve12WccjafJVwIDAQAB
213
-
214
-Set up SPF and reverse DNS "as per this post":http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/. Make sure to validate that it's all working, for example by sending an email to <a href="mailto:check-auth@verifier.port25.com">check-auth@verifier.port25.com</a> and reviewing the report that will be emailed back to you.
215
-
216
-h3. 7. Miscellaneous Configuration
217
-
218
-* Sign in to the ZNC web interface and set things up to your liking. It isn't exposed through the firewall, so you must first set up an SSH tunnel @ssh deploy@example.com -L 6643:localhost:6643@ and then proceed to http://localhost:6643 in your web browser.
219
-* Sign into ownCloud to set it up. You should select postgresql as the configuration backend.
220
-
221
-h2. How To Use Your New Personal Cloud
222
-
223
-We're collecting known-good client setups "on our wiki":https://github.com/al3x/sovereign/wiki/Usage.
224
-
225
-h2. Troubleshooting
226
-
227
-If you run into an errors, please check the "wiki page":https://github.com/al3x/sovereign/wiki/Troubleshooting. If the problem you encountered, is not listed, please go ahead and "create an issue":https://github.com/al3x/sovereign/issues/new. If you already have a bugfix and/or workaround, just put them in the issue and the wiki page.
228
-
229
-h3. Reboots
230
-
231
-You will need to manually enter the password for any encrypted volumes on reboot. This is not Sovereign-specific, but rather a function of how EncFS works. This will necessitate SSHing into your machine after reboot, or accessing it via a console interface if one is available to you.
232
-
233
-It is possible that some daemons may need to be restarted after you enter your password for the encrypted volume(s). Some services may stall out while looking for resources that will only be available once the @/decrypted@ volume is available and visible to daemon user accounts.
234
-
235
-h1. IRC
236
-
237
-Ask questions and provide feedback in #sovereign on "Freenode":http://freenode.net.
238
-
239
-h1. Contributing
240
-
241
-You may want to set up a "local development environment":https://github.com/al3x/sovereign/wiki/Development-Environment so that you don't have to test on your real server.
242
-
243
-If you improve one of the provided playbooks or add an exciting new one, send a pull request. Everyone benefits.
244
-
245
-h2. License
246
-
247
-Original content is "GPLv3":http://gplv3.fsf.org, same as Ansible. All files and templates based on third-party software should be considered under their respective licenses.
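Review bot: since this hunk deletes the remainder of README.textile outright (the password-hash one-liners through the License section), the Markdown replacement should carry the same content across, and this is the moment to fix the wording defects instead of porting them: `Create an @A@ records which point to your server IP for:` should read `Create @A@ records which point to your server IP for:`, `If you run into an errors` should read `If you run into an error`, and `(for wallabe)` looks like a truncated product name that should be checked against the role it refers to. One security-relevant point for the new README: the `python3 -c 'import crypt; print(crypt.crypt("password", ...))'` and `passlib.hash.sha512_crypt.encrypt("password", ...)` one-liners put the cleartext password on the command line, where it is written to shell history and visible in the process list for the duration of the call; the new README would do well to say so and to show the password being read with `getpass.getpass()` rather than typed inline. Finally, the `znc --makepass` transcript echoes `foo` after `Enter Password:`, which a reader may take to mean the real prompt echoes input; a short remark that the sample is illustrative would avoid confusion.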
