An ansible playbook to set up a GNU/Linux server. Services in docker. Security by default.
The goal is to have a server for a community or personal use that's easy to maintain, secure and easy (and fast) to rebuild from scratch in case of data loss or a migration.
The idea came from a great FLOSS project, sovereign, especially from the sovereign 2 issue.
What you'll get with this repo is a recipe based on variables that will set up a working server for your specific needs. Your data will be stored in only one or two directories depending on your choices (see backup). The docker containers will upgrade themselves automatically every time their service restarts (you can do this periodically, or it will happen anyway when you reboot).
Apart from this, it's easy to extend and doesn't prevent you from using other playbooks apart from this one or installing things manually.
Clone the repo and its submodules with:
git clone --recurse-submodules -j8 [repo]
Then follow the Setup section.
These are the tested GNU/Linux distributions. It may work on other distributions too, or just require a few changes.
- Debian stretch
Requirements on the target host: sudo and python.
TBD.
Included as submodules in roles/.
- iptables_raw
- anarres-common
- anarres-sec
- letsencrypt-request
- anarres-nginx
- generic_docker_systemd
- add_nginx_proxy_conf
Their data and configuration files will be stored in your host's data_path directory (by default /data).
- Docker Registry: A stateless, highly scalable server side application that stores and lets you distribute Docker images. Using library/registry.
- CoreOS Clair: Vulnerability Static Analysis for Containers. Using quay.io/coreos/clair.
- Jessfraz Docker registry web interface: Docker registry v2 command line client and repo listing generator with security checks. Using jessfraz/reg.
- OpenLDAP: Using osixia/openldap.
- phpLDAPadmin: Using osixia/phpldapadmin.
- Prosody IM: A modern XMPP communication server. Using unclev/prosody-docker-extended.
- Gitea: Using gitea/gitea.
- Drone: Using drone/drone. For the self hosted gitea and for GitHub.
- CodiMD: HackMD like realtime collaborative markdown notes service. Using docker-hackmd.
- Transmission: Using linuxserver/transmission or docker-transmission-openvpn.
- Wallabag: Using wallabag/wallabag.
- Syncthing: Using syncthing/syncthing.
- OpenVPN: Using kylemanna/openvpn.
- Radicale: Using tomsquest/docker-radicale.
- Taskwarrior Server: Using andir/docker-taskd.
- Nextcloud: Using nextcloud.
- Taiga: Project management platform for agile developers & designers and project managers. Using docker-taiga.
- NFS Server: Using erichough/nfs-server.
- BIND9: Versatile, classic, complete name server software. Using sameersbn/bind.
- Murmur: Open source, low-latency, high quality voice chat software. Using m0wer/murmur.
- InfluxDB: Scalable datastore for metrics, events, and real-time analytics. Using influxdb.
- Grafana: The open platform for beautiful analytics and monitoring. Using grafana/grafana.
- Home Assistant: Open source home automation that puts local control and privacy first. Using homeassistant/home-assistant.
- RStudio: Popular open source and enterprise-ready professional software for the R statistical computing environment. Using rocker/rstudio.
- Jellyfin: The Free Software Media System. Using jellyfin/jellyfin.
- Portainer: Making Docker management easy. Using portainer/portainer.
- Anki sync server: A personal Anki server, which you can sync against instead of AnkiWeb. Using kuklinistvan/anki-sync-server.
- Moodle: Open-source learning platform. Using moodlehq/moodle-php-apache.
- JupyterHub: A multi-user version of the notebook designed for companies, classrooms and research labs. Using m0wer/jupyterhub.
- Jackett: API support for your favorite torrent trackers. Using linuxserver/jackett.
- Sonarr: API support for your favorite torrent trackers. Using linuxserver/sonarr.
- Radarr: A fork of Sonarr to work with movies à la Couchpotato. Using linuxserver/radarr.
- Lidarr: Looks and smells like Sonarr but made for music. Using linuxserver/lidarr.
- Bazarr: A companion application to Sonarr and Radarr. It manages and downloads subtitles based on your requirements. Using linuxserver/bazarr.
- Ombi: Want a Movie or TV Show on Plex or Emby? Use Ombi! Using linuxserver/ombi.
For more info about each service and how to set it up, go to docs/services.
- Install sudo and python.
- Log in as root and add your user to sudoers or to the sudo group with: usermod -a -G sudo [user]
The idea is that you run the playbooks with the tags of the services that you want to set up. But there are some steps that "must" be run first, before deploying the actual services.
An example approach would be:
- Deploy the basic stuff (dependencies, directory creation, security...): -t init,common,sec
- If everything goes well, deploy the base web server: -t web
- Now you are ready to deploy the desired services, for example gitea: -t gitea
- You can check the available tags with: ansible-playbook --list-tags full.yml
- You can create a custom/ folder in the playbook root directory. There you can save your inventory files with your chosen variables for each host. This folder will be ignored thanks to the .gitignore configuration.
- As some of the variables are passwords, you can encrypt them with ansible-vault.
- Before deploying anything, check the variables and their default values in group_vars/all.yml. Copy the required ones to your custom inventory file and change them there.
- Deploy only a few tags with: ansible-playbook -i custom/[project]/hosts.yml full.yml --extra-vars ansible_become_pass="[sudo_password]" --ask-vault-pass -t gitea (passing the sudo password as an extra var leaves it in your shell history and process list; --ask-become-pass prompts for it instead).
- By default, the configuration files of the services won't be overridden in most cases, meaning that if they already exist they won't be modified, to preserve possible manual modifications. To change this behaviour and overwrite them, pass the override=True extra var.
If you are behind some kind of firewall or you need to set up NAT, you should open the following ports:
- 80 for HTTP connections, used for the letsencrypt verification.
- 443 for HTTPS connections, used by the reverse proxy to serve access to the web services.
- The SSH port you choose, or 2222 by default.
- All the ports that the services you want need.
The main domain cert needs to be obtained using the standalone method, since there is no working web server at that point (the web server needs the cert first). So the webroot path will be empty in /etc/letsencrypt/renewal/{{ base_domain }}.conf. You should specify it manually by adding the following to that file:
authenticator = webroot
webroot_path = /var/www/letsencrypt,
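One way to make that switch from a shell on the host, added here as an example that is not part of the playbook: it assumes the renewal file certbot wrote for the standalone run and the /var/www/letsencrypt webroot path mentioned above, and the account value in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not the playbook's own code): rewrite a certbot renewal config
# from the standalone authenticator to webroot, so renewals keep working once
# nginx owns port 80. Webroot path assumed to match the letsencrypt-request role.
set -eu

switch_to_webroot() {
    conf="$1"                              # e.g. /etc/letsencrypt/renewal/example.org.conf
    webroot="${2:-/var/www/letsencrypt}"   # dir nginx serves /.well-known/acme-challenge/ from
    [ -f "$conf" ] || { echo "no such renewal config: $conf" >&2; return 1; }
    tmp="$conf.tmp.$$"
    # Drop any previous authenticator/webroot_path lines, then add both right
    # under [renewalparams]. The trailing comma on webroot_path is what certbot
    # itself writes (the value is a list), so it is kept on purpose.
    sed -e '/^authenticator *=/d' -e '/^webroot_path *=/d' "$conf" > "$tmp"
    awk -v wr="$webroot" '
        { print }
        /^\[renewalparams\]/ {
            print "authenticator = webroot"
            print "webroot_path = " wr ","
        }' "$tmp" > "$conf"
    rm -f "$tmp"
    # Sanity check: each key must now be present exactly once.
    [ "$(grep -c '^authenticator = webroot$' "$conf")" -eq 1 ] || return 1
    [ "$(grep -c '^webroot_path = ' "$conf")" -eq 1 ] || return 1
}

# Demo on a constructed copy of what certbot leaves behind after a standalone
# run (account id and paths are placeholders, not real values).
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.org
cert = /etc/letsencrypt/live/example.org/cert.pem

[renewalparams]
account = 0123456789abcdef
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
switch_to_webroot "$demo_conf" /var/www/letsencrypt
sed -n '/^\[renewalparams\]/,$p' "$demo_conf"
rm -f "$demo_conf"
```

After the change, `certbot renew --dry-run` confirms that nginx really serves /.well-known/acme-challenge/ from that path before a real renewal comes due.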
Some services (such as jellyfin and jupyter) can benefit from GPU acceleration. To enable nvidia runtime support for the services in general, set the variable nvidia_runtime to true. Note that the nvidia-container-toolkit must be installed manually; check nvidia-docker.
Make sure to back up your data_path (by default /data) and the docker volumes (used by the databases) under /var/lib/docker/volumes, if used.
GPLv3
m0wer: m0wer (at) autistici.org