An opinionated configuration for running sandstorm with a focus on security and paranoid assumptions
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

README.md

Sandcastle

Secure by default Sandstorm installation with nginx reverse proxy and base Debian setup.

Status: alpha, initial release, not to be depended on :)

Requirements

Root access to a Debian Jessie installation.

A wildcard TLS certificate. (must be copied to the box before this role runs, see test.yml)

Role Variables

Sandstorm

  • sandstorm_hostname: defaults to {{ansible_fqdn}}
  • sandstorm_wildcard_host: defaults to *.{{sandstorm_hostname}}, lets us change WILDCARD_HOST in sandstorm.conf
  • sandstorm_port: defaults to 6080
  • sandstorm_dev_accounts: defaults to "false", set to "yes" to enable (note: must be the string "yes", with quotes)
  • sandstorm_verify_installer: defaults to false, set to true to enable gpg verification of sandstorm installer
  • sandstorm_onion: defaults to false for now. still work in progress

SSH

Nginx

  • ssl_certificate_path: path provided to the nginx ssl_certificate config value
  • ssl_certificate_key_path: path provided to the nginx ssl_certificate_key config value
  • ssl_trusted_certificate_path: path provided to the nginx ssl_trusted_certificate config value

See the nginx configuration docs for details on the SSL fields.

Backups

  • backup_target: backup target for duplicity (see the duplicity docs)
  • backup_target_password: if your backup target needs a password
  • backup_enc_key_path: local path of a gpg key to use for encrypting backups
  • backup_sig_key_path: local path of a gpg key to use for signing backups
  • backup_encryption_key_id: the key id of the gpg key to use to encrypt backups
  • backup_signing_key_id: the key id of the gpg key to use to sign backups
  • backup_hour: hour of the day to run the backup
  • backup_minute: minute of the hour to run the backup
  • backup_max_age: delete backups older than this. a full backup will also be performed at this interval to insure that files older than this are not kept around due to subsequent incremental backups. see the TIME FORMATS section of man duplicity for documentation on the format

See test/gen-duplicity-keys.sh for an example of generating the backup keys.

If your backup target uses the scp or sftp targets, the following parameters are needed to configure ssh auth:

  • backup_ssh_key_path: path to an ssh private key
  • backup_ssh_host_name: hostname of the server, for known_hosts config
  • backup_ssh_host_key_path: will be added to known_hosts to identify the backup server correctly. also only needed for targets that require ssh access. you can generate this with ssh-keyscan -H your-backup-server.net, but be sure to check the key you use corresponds with the actual value on your server (in /etc/ssh/*.pub)!

Other

  • open_ports: list of open tcp ports. defaults to [80, 443]. add 22 if you want to ssh directly instead of through Tor

  • enable_mta: defaults to "false", set to true to install and configure exim4. if left false we ensure that exim4 is stopped and remove it. Do not enable if you are using sandstorm_onion. First, doing so would expose the IP address of your server and second, when the Sandstorm hidden service is enabled DNS queries are routed through Tor, which does not return MX records.

Dependencies

  • jnv.unattended-upgrades
  • geerlingguy.firewall
  • hardening.os-hardening

Example Playbook

See test.yml

You can see test.yml in action with Vagrant:

  • ansible-galaxy install -r requirements.yml
  • ./test/gen-duplicity-keys.sh
  • ./test/gen-test-cert.sh
  • Add test/rootCA.pem to your browsers trusted authorities list (note! while this is added to your browser anyone with access to rootCA.key will be able to compromise your TLS connections)
  • vagrant up
  • Navigate to https://sandstorm.172.19.22.22.xip.io/

License

MIT

Author Information

  • Matt Urbanski (iflowfor8hours)
  • Charlie Austin (charltonaustin)
  • Jack Singleton (jacksingleton)
  • Vladimir Zelmanov (vzelmanov)