Project to manage my services. https://viyurz.fr
playbooks Move nftables to its own playbook. 2024-03-02 12:03:14 +01:00
roles Hedgedoc: Add missing backups tasks before updating container. 2024-03-26 18:43:35 +01:00
.gitignore The Great Ansible Update. 2024-02-17 19:01:04 +01:00
ansible-playbook-selector.sh The Great Ansible Update. 2024-02-17 19:01:04 +01:00
ansible.cfg The Great Ansible Update. 2024-02-17 19:01:04 +01:00
env.yml Syncthing: Change TCP port to 18880 from 5432. 2024-03-29 19:12:21 +01:00
README.md README: Add note for SMTP port 25 listener. 2024-03-18 09:27:58 +01:00
secrets.yml.example Add email support for Matrix/Synapse. 2024-03-16 20:34:38 +01:00

vps

This repository contains all the files I use to manage services hosted on viyurz.fr.

Requirements

Ansible

Install Ansible:

sudo apt install -y ansible

SSL certificates

Install Certbot:

sudo apt install -y certbot python3-certbot-dns-ovh python3-certbot-nginx

Request certificates:

# For the NGINX reverse proxy
sudo certbot certonly --nginx -d viyurz.fr,*.viyurz.fr

# For Coturn
bash <(wget -q -O - https://github.com/zerossl/zerossl-bot/raw/master/get-zerosslbot.sh)
sudo zerossl-bot certonly --nginx -m viyurz@viyurz.fr -d turn.viyurz.fr

# For the mailserver
sudo certbot certonly --nginx -d mail.viyurz.fr

Secrets

Copy the existing secrets.yml.example to secrets.yml, run ansible-vault encrypt secrets.yml to encrypt the file with a password, and finally edit the newly encrypted file with ansible-vault edit secrets.yml.

If you want to change the vault password, run ansible-vault rekey secrets.yml.

Backups

Run the backup-services.yml playbook once to set up the passphrase file.

After that, you can create a root cronjob to run this playbook without requiring interactivity:

0 4 * * * export ANSIBLE_ROLES_PATH=/home/viyurz/vps/roles/; /usr/bin/ansible-playbook /home/viyurz/vps/playbooks/backup-services.yml -e include_secrets=false -e selected_projects=''

Here we leave selected_projects empty to back up all projects.

Mailserver

When starting the container for the first time, run the initial setup:

docker exec -it mailserver /bin/sh /usr/local/bin/configure.sh

After that you need to tell Stalwart where the SSL certificate files are:

/opt/stalwart-mail/etc/common/tls.toml

[certificate."default"]
cert = "file:///etc/fullchain.pem"
private-key = "file:///etc/privkey.pem"

And configure the user Stalwart will run as:

/opt/stalwart-mail/etc/common/server.toml

[server.run-as]
user = "mail"
group = "mail"

Then follow the end of the Official Installation Guide.

Note: Explicitly disable implicit TLS for the smtp listener, or it may listen for implicit SSL connections instead of STARTTLS.

[server.listener."smtp"]
bind = ["[::]:25"]
protocol = "smtp"
tls.implicit = false