README.md


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170

Ansible Playbooks for Personal DragonFly BSD Server
===================================================

**Aaron LI**

Created: 2018-02-14

Ansible: 2.7.7 (Python 3.7.3)

Introduction
------------
An Ansible playbook to manage a very small (read 512MB RAM) VPS to
self-host various services including:
* _DNS_ (NSD for authoritative DNS service)
* _Email_ (Postfix, Dovecot)
* _Web_ (Nginx, acme-client for Let's Encrypt certificates)
* _CalDAV/CardDAV_ (Radicale with uWSGI)
* _Git_ (Web interface via cgit with uWSGI)
* _IRC Bouncer_ (ZNC)

Playbooks
---------
* `bootstrap.yml`:
  Bootstrap the remote host (e.g., a VPS) after installing DragonFly BSD.

  **NOTE**:
  - Use the `bootstrap.sh` script instead.
  - The new host should be configured that allow `root` ssh into it using
    a password. (This will be *disabled* during the bootstrap.)

* `deploy.yml`:
  The main playbook that deploys services on the target host.

Configurations
--------------
* `ansible.cfg`
  Ansible configuration file

* `inventory.yml`
  Remote host specifications

* `group_vars/all/vars.yml`
  Variables for hosts in the `all` group, i.e., all hosts

* `group_vars/all/vault.yml`
  Encrypted variables that will merged into the above `vars.yml` upon
  Ansible playing the playbook.

* `host_vars/vultr`
  Variables specific to this host.

Roles
-----
* `bootstrap`
  Only used in the `bootstrap.yml` playbook to bootstrap a newly installed
  DragonFly BSD host.

* `basic`
  Basic settings, includes:
  - Tune basic services in `/etc/rc.conf`
  - Set some system tunables in `/boot/loader.conf`
  - Enable `/var/log/console.log` in syslog
  - Tune csh/tcsh
  - Tweak pkg and install basic packages

* `security`
  - Setup PF firewall
  - Enable `sshlockout`

* `dns`
  - Setup local DNS cache with [Unbound](https://www.nlnetlabs.nl/projects/unbound/about/)
  - Configure [NSD](https://www.nlnetlabs.nl/projects/nsd/about/) as
    the authoritative name server in *hidden master* mode for several
    personal domains

* `web`
  - Obtain SSL/TLS certificates from *Let's Encrypt*, as well as for other
    services (SMTP, IMAP, CalDAV/CardDAV, ZNC).
  - Serve personal website
  - Serve CalDAV/CardDAV via [Radicale](http://radicale.org/)
  - Serve git repositories via [cgit](https://git.zx2c4.com/cgit/)
  - Useful reverse proxies to popular websites

* `mail`
  - SMTP client & server by [Postfix](http://www.postfix.org/)
  - IMAP server by [Dovecot](https://dovecot.org/)
  - DKIM signing via [OpenDKIM](http://opendkim.org/)
  - SPF, DKIM, DMARC records managed through NSD above
  - Do *not* use database
  - No web interface

* `git`
  - Self-host Git repositories
  - Web interface via [cgit](https://git.zx2c4.com/cgit/)
  - Also manage and deploy the static resources of cgit via a Git repo

* `shadowsocks`
  Setup ShadowSocks-libev for a useful proxy.

* `znc`
  Setup [ZNC](https://wiki.znc.in/ZNC) IRC bouncer connecting to channel
  `#dragonflybsd` on [EFNet](http://www.efnet.org/).

* `radicale`
  Setup [Radicale](http://radicale.org/) as a lightweight CalDAV/CardDAV
  server for personal calendars and contacts.
  Served via Nginx and [uWSGI](http://projects.unbit.it/uwsgi).

Extensions
----------
* `filter_plugins/`
  Custom template filters

Usages
------
* Bootstrap the remote host:

    ```
    $ sh bootstrap.sh
    ```

  **NOTE**:
  The remote host should be configured to allow SSH `root` login,
  which will be disabled later to enhance security.

* Test host connection:

    ```
    $ ansible vultr -m ping
    ```

* List tasks:

    ```
    $ ansible-playbook deploy.yml -v --list-tasks
    ```

* Run (check only but don't make changes) the whole playbook:

    ```
    $ ansible-playbook deploy.yml -vD [--check]
    ```

* Run the playbook from a specific task:

    ```
    $ ansible-playbook deploy.yml -vD --step --start-at-task="..."
    ```

* Run the tasks with specific tags:

    ```
    $ ansible-playbook deploy.yml -vD --tags="..."
    ```

* View and edit the encrypted variables:

    ```
    $ ansible-vault view group_vars/all/vault.yml
    $ ansible-vault edit group_vars/all/vault.yml
    ```

References
----------
* Securing a Server with Ansible
  https://ryaneschinger.com/blog/securing-a-server-with-ansible/

License
-------
[The MIT License](https://opensource.org/licenses/MIT)