cloudbox.md

The cloudbox

Background

Inspired by Drew Crawford's post, and al3x's sovereign repo, I have created a similarly complete set that gives you a personal (mail/web/...)server.

The set-up of the scripts are different (mainly because I recycled what I had + I have a slightly different approach so I there is a better fallback mechanism for default values), as is the content of what it installs (nginx instead of apache, no owncloud due to some nasty experiences with it in the past, ...)

What's included

If you deploy this as-is on a Server/VPS/... you get

• a bunch of tools that make server management easier (htop, iftop, nmap, tshark, tmux, ...)
• a set of security related services (fail2ban for intrusion prevention, lynis for security auditing, rkhunter for rootkit detection)
• monit which keeps everything running properly
• an nginx webserver, fully configurable with packages (if you decide to build it from source)
• a locked-down mysql server, which will power authentication and virtual domains of your mailserver
• a complete mailserver (inspired by Drew Crawford's post):
  • SMTP over SSL via Postfix
  • IMAP over SSL via Dovecot
  • Postfix rules that will mask your IP & mail-agent
  • Full-text search in your imbox powered by solr
  • DNSBLs to redirect spam even before it hits your filters
  • DSPAM and Postgrey doing the spam-fencing
  • OpenDKIM mail server verification
  • Encrypted on-disk storage through EncFS
• EncFS to encrypt data on disk
• A private VPN Server via OpenVPN
• ZNC to keep your IRC chat sessions open and secure
• A firewall through iptables & ferm

Off course, you're free to add some of the other ansible roles to tweak your setup (and increase it's level of awesomeness), but that's up to you. Make sure you take into account that this might require you to change your ferm configuration file as well!

Currently missing are a good CalDAV/CardDAV solution, but all of the ones I tested currently failed my expectations for smooth operation (mainly: allowing encryption & being fully and flawlessly compatible with Apple Calendar & Contacts). I'm sure I haven't tested all of them, and am happy to accept suggestions, but even happier if you send me some pull-requests.

Tutorial

Requirements:

1. A server/host/vps with sudo/root access, running Ubuntu. I tested it on both DigitalOcean's and Linode's smallest offerings, and encountered zero issues, which means you can get all of this goodness for just $5 a month. (I'm based in APAC, for which Digital Ocean's latency kind of sucked, so I stuck with the linode instance).
2. A set of SSL wildcard crt/key/pem. You can buy them, or save some money by self-signing them (more info on how you do this can be found here).

Before you start:

Unfortunately, it still isn't a one-click solution, but we're getting close :-). If you follow these instructions, you should not face major difficulties. Make sure to have the following information/variables before you start (I will be using them throughout the instructions, so do replace it):

<IP>      your host's IP-address
<RA_USER> a user that has root/passwordless sudo access to the machine
<USER>    a user that has sudo access to the machine. This can be the same as the user above, but it cannot be root anymore (if that was the case)

1. Put the content of the SSL files in roles/ssl/files/wildcard directory. You can reuse the pem for your ZNC and put it in roles/znc/files or create and self-sign a new one (same instructions). Both need to be present.

2. Run through host_vars/cloudbox replace the variables as you feel necessary (the required ones are marked with TODO, including the required type). All possible options are marked in the <role-name>/defaults/main.yml files if you want additional tweaking. (In that case, you should copy the lines and put them in the host_vars/cloudbox file, where you edit them.) Some need to be computed. Follow the instructions to see how:

• auth_vars configuration: passwd
• mail: password_hash
• ZNC: Pass

3. Change the filename of host_vars/cloudbox to <IP>. At the same time, change the second line of cloudbox to <IP> as well. (Adding additional roles can be done in the cloudbox.yml file).

4. Review the firewall rules in roles/firewall/files/etc_ferm_ferm.conf. They are configured for exactly this install, but it is always wise to check whether all of this is correct.

Provisioning

1. Make sure you can ssh passwordless into the machine (cf. ssh-copy-id ...)

2. Point the first part of your ansible setup to the machine:

ansible-playbook -i cloudbox cloudbox.yml -u <RA_USER> --sudo --tags step1

3. ssh into the machine, and setup the on-disk encryption for your mail. Instructions can be found here.

4. Point the second part of your ansible setup to the machine:

ansible-playbook -i cloudbox cloudbox.yml -u <USER> --sudo (--ask-sudo-pass) --tags step2

Post-install

1. OpenVPN needs a bit of manual configuration. It's easy though: follow the instructions. Same for mail.

2. Reboot the machine.

3. Further customization? Maybe some dotfiles to get you started? (shameless plug)

Feedback, bug-reports, requests, ...

Are welcome! Everyone benefits, really...