Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Secure by default Sandstorm installation with nginx reverse proxy and base Debian setup.

Status: alpha, initial release, not to be depended on :)


Root access to a Debian Jessie installation.

A wildcard TLS certificate. (must be copied to the box before this role runs, see test.yml)

Role Variables


  • sandstorm_hostname: defaults to {{ansible_fqdn}}
  • sandstorm_wildcard_host: defaults to *.{{sandstorm_hostname}}, lets us change WILDCARD_HOST in sandstorm.conf
  • sandstorm_port: defaults to 6080
  • sandstorm_dev_accounts: defaults to "false", set to "yes" to enable (note: must be the string "yes", with quotes)
  • sandstorm_verify_installer: defaults to false, set to true to enable gpg verification of sandstorm installer
  • sandstorm_onion: defaults to false for now. still work in progress



  • ssl_certificate_path: path provided to the nginx ssl_certificate config value
  • ssl_certificate_key_path: path provided to the nginx ssl_certificate_key config value
  • ssl_trusted_certificate_path: path provided to the nginx ssl_trusted_certificate config value

See the nginx configuration docs for details on the SSL fields.


  • backup_target: backup target for duplicity (see the duplicity docs)
  • backup_target_password: if your backup target needs a password
  • backup_enc_key_path: local path of a gpg key to use for encrypting backups
  • backup_sig_key_path: local path of a gpg key to use for signing backups
  • backup_encryption_key_id: the key id of the gpg key to use to encrypt backups
  • backup_signing_key_id: the key id of the gpg key to use to sign backups
  • backup_hour: hour of the day to run the backup
  • backup_minute: minute of the hour to run the backup
  • backup_max_age: delete backups older than this. a full backup will also be performed at this interval to insure that files older than this are not kept around due to subsequent incremental backups. see the TIME FORMATS section of man duplicity for documentation on the format

See test/ for an example of generating the backup keys.

If your backup target uses the scp or sftp targets, the following parameters are needed to configure ssh auth:

  • backup_ssh_key_path: path to an ssh private key
  • backup_ssh_host_name: hostname of the server, for known_hosts config
  • backup_ssh_host_key_path: will be added to known_hosts to identify the backup server correctly. also only needed for targets that require ssh access. you can generate this with ssh-keyscan -H, but be sure to check the key you use corresponds with the actual value on your server (in /etc/ssh/*.pub)!


  • open_ports: list of open tcp ports. defaults to [80, 443]. add 22 if you want to ssh directly instead of through Tor

  • enable_mta: defaults to "false", set to true to install and configure exim4. if left false we ensure that exim4 is stopped and remove it. Do not enable if you are using sandstorm_onion. First, doing so would expose the IP address of your server and second, when the Sandstorm hidden service is enabled DNS queries are routed through Tor, which does not return MX records.


  • jnv.unattended-upgrades
  • geerlingguy.firewall
  • hardening.os-hardening

Example Playbook

See test.yml

You can see test.yml in action with Vagrant:

  • ansible-galaxy install -r requirements.yml
  • ./test/
  • ./test/
  • Add test/rootCA.pem to your browsers trusted authorities list (note! while this is added to your browser anyone with access to rootCA.key will be able to compromise your TLS connections)
  • vagrant up
  • Navigate to



Author Information

  • Matt Urbanski (iflowfor8hours)
  • Charlie Austin (charltonaustin)
  • Jack Singleton (jacksingleton)
  • Vladimir Zelmanov (vzelmanov)


An opinionated configuration for running sandstorm with a focus on security and paranoid assumptions







No releases published


No packages published