Change default root password on the server
passwd
Update and upgrade all installed apt-get packages
apt-get update
apt-get upgrade
Create a new user for ansible
useradd ansible
Create home and .ssh directories for ansible
mkdir /home/ansible
mkdir /home/ansible/.ssh
chmod 700 /home/ansible/.ssh
Allow your local machine to login to the server
vi /home/ansible/.ssh/authorized_keys
Paste the contents of your local ~/.ssh/id_dsa.pub file into the new authorized_keys file on the server and save it.
Update ownership and permissions of the ansible user home directory.
chmod 400 /home/ansible/.ssh/authorized_keys
chown ansible:ansible /home/ansible -R
Change the password for the ansible user.
passwd ansible
Give the ansible user root sudo access, first open the sudoers file
visudo
Update the file so you only have the following two users.
root ALL=(ALL) ALL
ansible ALL=(ALL) NOPASSWD:ALL
Lock down ssh and allow the ansible user to ssh in
vi /etc/ssh/sshd_config
Make sure the following lines are in the file
PermitRootLogin no
PasswordAuthentication no
AllowUsers ansible
This will allow ansible to login from any IP address, to restrict to an IP address update the last line to the following
AllowUsers ansible@(your-ip) ansible@(another-ip-if-any)
Save that file then restart ssh
service ssh restart
Open up a new terminal window (don't close your current root session) and try to login.
ssh ansible@(your-server)
You should be able to login to the server with no password needed.
git clone git://github.com/ansible/ansible.git
cd ./ansible
source ./hacking/env-setup
Head over to Github and fork the Sovereign repository and checkout a local copy of your new fork.
https://github.com/al3x/sovereign
Update the hosts file with your server's IP address and change the user value in site.yml to ansible
---
# This is the top-level playbook that defines our entire infrastructure.
- hosts: all
user: ansible
sudo: True
gather_facts: False
roles:
- common
- mailserver
- blog
- ircbouncer
- monitoring
- owncloud
- vpn
From within your local Sovereign directory run the following
ansible all -m ping -i ./hosts -u ansible
You should see something like this which means you can sucessfully hit your server using ansible
xx.xx.xx.xx | success >> {
"changed": false,
"ping": "pong"
}
apt-get install mysql-server mysql-client
apt-get install encfs
mkdir /encrypted-mail /decrypted-mail
Note: I had existing /encrypted-mail and /decrypted-mail directories so I need to move (or delete) those before I could continue.
chgrp mail /decrypted-mail/
chmod -R g+rw /decrypted-mail/
gpasswd -a mail fuse
chgrp fuse /dev/fuse; chmod g+rw /dev/fuse
encfs /encrypted-mail /decrypted-mail --public
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> p
New Encfs Password:
Verify Encfs Password:
Make sure you have the dependencies installed
apt-get install gcc make libssl-dev zlib1g-dev e2fslibs-dev
Download the latest Tarsnap tarball from the download page.
wget https://www.tarsnap.com/download/tarsnap-autoconf-1.0.35.tgz
Extract and install Tarsnap
tar -xvzf tarsnap-autoconf-1.0.35.tgz
cd tarsnap-autoconf-1.0.35/
./configure
make all install clean
Register your server as a Tarsnap client
tarsnap-keygen --keyfile /root/tarsnap.key --user (your-tarsnap-account-email) --machine (server-name)
Copy the contents of /root/tarsnap.key into your local root_tarsnap.key file which you will find in you local Sovereign repository.
apt-get install openssl
mkdir /etc/ssl/localcerts
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
chmod 600 /etc/ssl/localcerts/apache*