liweitianux/ansible-dfly-vps

Ansible Playbooks for Personal DragonFly BSD Server

Aaron LI

Created: 2018-02-14

Ansible: 2.7.7 (Python 3.7.3)

Introduction

An Ansible playbook to manage a very small (read 512MB RAM) VPS to self-host various services including:

  • DNS (NSD for authoritative DNS service)
  • Email (Postfix, Dovecot)
  • Web (Nginx, acme-client for Let's Encrypt certificates)
  • CalDAV/CardDAV (Radicale with uWSGI)
  • Git (Web interface via cgit with uWSGI)
  • IRC Bouncer (ZNC)

Playbooks

  • bootstrap.yml: Bootstrap the remote host (e.g., a VPS) after installing DragonFly BSD.

    NOTE:

    • Use the bootstrap.sh script instead.
    • The new host should be configured to allow root SSH login with a password. (This is disabled again during the bootstrap.)
  • deploy.yml: The main playbook that deploys services on the target host.
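The bootstrap sequence described above (log in as root with a temporary password, then disable root and password SSH logins), written out as an added example play. This is not the repository's own bootstrap role; the host alias vultr, the admin user name, the vault_* variable names and the sshd_config path are assumptions.

```yaml
# Added example, not the project's bootstrap.yml.
# Assumes: inventory host "vultr", an admin user "admin", a vaulted
# variable vault_root_bootstrap_password, and /etc/ssh/sshd_config on
# the DragonFly BSD host. Password SSH needs sshpass on the control machine.
- hosts: vultr
  remote_user: root
  vars:
    # Temporary root password, kept only in the encrypted vault.yml
    ansible_password: "{{ vault_root_bootstrap_password }}"
    admin_user: admin
  tasks:
    - name: Create the admin user that replaces root for SSH access
      user:
        name: "{{ admin_user }}"
        groups: wheel
        shell: /bin/sh
        state: present

    - name: Install the control machine's public key for the admin user
      authorized_key:
        user: "{{ admin_user }}"
        key: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"

    # The root session already open is kept by Ansible until the play ends,
    # so hardening sshd here does not cut off the remaining tasks.
    - name: Disable root and password logins in sshd
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: ChallengeResponseAuthentication, value: "no" }
      notify: restart sshd

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
```

After this play, later runs (such as deploy.yml) must connect as the admin user with the installed key, since root password logins are gone.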

Configurations

  • ansible.cfg Ansible configuration file

  • inventory.yml Remote host specifications

  • group_vars/all/vars.yml Variables for hosts in the all group, i.e., all hosts

  • group_vars/all/vault.yml Encrypted (ansible-vault) variables that are merged into the above vars.yml when Ansible runs the playbook.

  • host_vars/vultr Variables specific to this host.

Roles

  • bootstrap Only used in the bootstrap.yml playbook to bootstrap a newly installed DragonFly BSD host.

  • basic Basic settings, including:

    • Tune basic services in /etc/rc.conf
    • Set some system tunables in /boot/loader.conf
    • Enable /var/log/console.log in syslog
    • Tune csh/tcsh
    • Tweak pkg and install basic packages
  • security

    • Set up the PF firewall
    • Enable sshlockout
  • dns

    • Set up a local DNS cache with Unbound
    • Configure NSD as the authoritative name server in hidden master mode for several personal domains
  • web

    • Obtain SSL/TLS certificates from Let's Encrypt, as well as for other services (SMTP, IMAP, CalDAV/CardDAV, ZNC).
    • Serve personal website
    • Serve CalDAV/CardDAV via Radicale
    • Serve git repositories via cgit
    • Useful reverse proxies to popular websites
  • mail

    • SMTP client & server by Postfix
    • IMAP server by Dovecot
    • DKIM signing via OpenDKIM
    • SPF, DKIM, DMARC records managed through NSD above
    • No database backend
    • No web interface
  • git

    • Self-host Git repositories
    • Web interface via cgit
    • Also manage and deploy the static resources of cgit via a Git repo
  • shadowsocks Set up ShadowSocks-libev as a proxy.

  • znc Set up the ZNC IRC bouncer, connected to the #dragonflybsd channel on EFNet.

  • radicale Set up Radicale as a lightweight CalDAV/CardDAV server for personal calendars and contacts, served via Nginx and uWSGI.

Extensions

  • filter_plugins/ Custom template filters

Usages

  • Bootstrap the remote host:

    $ sh bootstrap.sh
    

    NOTE: The remote host should be configured to allow SSH root login, which will be disabled later to enhance security.

  • Test host connection:

    $ ansible vultr -m ping
    
  • List tasks:

    $ ansible-playbook deploy.yml -v --list-tasks
    
  • Run the whole playbook (add --check to only report what would change, without making changes):

    $ ansible-playbook deploy.yml -vD [--check]
    
  • Run the playbook from a specific task:

    $ ansible-playbook deploy.yml -vD --step --start-at-task="..."
    
  • Run the tasks with specific tags:

    $ ansible-playbook deploy.yml -vD --tags="..."
    
  • View and edit the encrypted variables:

    $ ansible-vault view group_vars/all/vault.yml
    $ ansible-vault edit group_vars/all/vault.yml
    

References

License

The MIT License
