# vps

This repository contains all the files I use to manage services hosted on [viyurz.fr](https://viyurz.fr).

## Requirements

### Ansible

Install Ansible:

```
sudo apt install -y ansible
```

### SSL certificates

Install Certbot:

```
sudo apt install -y certbot python3-certbot-dns-ovh python3-certbot-nginx
```

Request certificates:

```
# For the NGINX reverse proxy (quoted so the shell does not glob-expand the wildcard)
sudo certbot certonly --nginx -d 'viyurz.fr,*.viyurz.fr'

# For Coturn
bash <(wget -q -O - https://github.com/zerossl/zerossl-bot/raw/master/get-zerosslbot.sh)
sudo zerossl-bot certonly --nginx -m viyurz@viyurz.fr -d turn.viyurz.fr

# For the mailserver
sudo certbot certonly --nginx -d mail.viyurz.fr
```

## Secrets

Copy the existing `secrets.yml.example` to `secrets.yml`, run `ansible-vault encrypt secrets.yml` to encrypt the file with a password, and finally edit the newly encrypted file with `ansible-vault edit secrets.yml`.

If you want to change the vault password, run `ansible-vault rekey secrets.yml`.

## Backups

Run the `backup-services.yml` playbook once to set up the passphrase file. After that, you can create a root cronjob to run this playbook without requiring interactivity:

```
0 4 * * * export ANSIBLE_ROLES_PATH=/home/viyurz/vps/roles/; /usr/bin/ansible-playbook /home/viyurz/vps/playbooks/backup-services.yml -e include_secrets=false -e selected_projects=''
```

Here we leave `selected_projects` empty to back up all projects.

## Mailserver

When starting the container for the first time, run the initial setup:

```
docker exec -it mailserver /bin/sh /usr/local/bin/configure.sh
```

After that you need to tell Stalwart where the SSL certificate files are:

```
# /opt/stalwart-mail/etc/common/tls.toml
[certificate."default"]
cert = "file:///etc/fullchain.pem"
private-key = "file:///etc/privkey.pem"
```

And configure the user Stalwart will run as:

```
# /opt/stalwart-mail/etc/common/server.toml
[server.run-as]
user = "mail"
group = "mail"
```

Then follow the end of the [Official Installation Guide](https://stalw.art/docs/install/docker#take-note-of-the-administrator-password).

Note: Explicitly disable implicit TLS for the `smtp` listener, or it may listen for implicit SSL connections instead of StartTLS.

```
[server.listener."smtp"]
bind = ["[::]:25"]
protocol = "smtp"
tls.implicit = false
```
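As an added example (not part of this repository), a small Python check that parses a Stalwart `server.toml` and flags the two mistakes the section above guards against: a port 25 listener without `tls.implicit = false`, and the service still running as root. It generalises the port rule to 587 (STARTTLS) and 465 (implicit TLS), and assumes Python 3.11+ for `tomllib` (or the `tomli` backport on older versions); the sample config and the `smtp-bad` listener are constructed for the demo.

```python
import sys
try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # assumption: the 'tomli' backport is installed on older Pythons
    import tomli as tomllib  # type: ignore

# Constructed sample mirroring this README's server.toml snippet, plus a deliberately bad listener.
SAMPLE_SERVER_TOML = """
[server.run-as]
user = "mail"
group = "mail"
[server.listener."smtp"]
bind = ["[::]:25"]
protocol = "smtp"
tls.implicit = false
[server.listener."submissions"]
bind = ["[::]:465"]
protocol = "smtp"
tls.implicit = true
[server.listener."smtp-bad"]
bind = ["[::]:25"]
protocol = "smtp"
"""
# Expected TLS mode per well-known SMTP port: 25 and 587 use STARTTLS, 465 is implicit TLS.
EXPECTED_IMPLICIT = {25: False, 587: False, 465: True}

def port_of(bind: str) -> int:
    """Return the port from a bind string such as "[::]:25" or "0.0.0.0:25"."""
    return int(bind.rsplit(":", 1)[1])

def check_server_config(text: str) -> list[str]:
    """Return findings for a server.toml; an empty list means it passes."""
    server = tomllib.loads(text).get("server", {})
    findings: list[str] = []
    # Assumption: an unset run-as means the daemon keeps running as root.
    if server.get("run-as", {}).get("user", "root") == "root":
        findings.append("run-as: service runs as root")
    for name, listener in server.get("listener", {}).items():
        implicit = listener.get("tls", {}).get("implicit")  # None when not set at all
        for port in (port_of(b) for b in listener.get("bind", [])):
            expected = EXPECTED_IMPLICIT.get(port)
            if expected is not None and implicit is not expected:
                findings.append(f"listener {name}: port {port} expects tls.implicit = "
                                f"{str(expected).lower()}, found {implicit}")
    return findings

if __name__ == "__main__":  # usage: python check_stalwart.py [server.toml]
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_TOML
    print("\n".join(check_server_config(src)) or "OK")
```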