
Setting up on DigitalOcean with Debian 7 (INCOMPLETE)

Tim edited this page May 13, 2014 · 1 revision

Preparing the server

  • Buy a domain name if you do not have one.
  • Set the domain name's nameservers to ns1.digitalocean.com, ns2.digitalocean.com, and ns3.digitalocean.com. It may take a while for the DNS to propagate, which is why we do this first.
  • Create a new droplet in your DigitalOcean control panel. I use the basic 512 MB one right now and it seems to work fine. In the hostname field, type in mail.DOMAIN.TLD where DOMAIN.TLD is your domain name. This is important, as DigitalOcean's reverse DNS system uses this hostname to set up the PTR record (mail servers are commonly checked for matching forward and reverse DNS). Pick whatever region you'd like. For distribution, choose Debian 7.0 x64. Enable VirtIO and, if you want, backups, but I recommend getting a Tarsnap account and setting that up with Sovereign instead of using DigitalOcean's backups. Click the big button that says Create Droplet! Wait for the email with your root password, or if you log in with an SSH key then you know the drill.
  • Log in to your server with the instructions in your email. Change the root password by typing passwd. Now we're going to create a new user for sovereign to work with and set up SSH access for it. Note that on Debian, useradd does not create the home directory unless you pass -m, which is why it is created by hand here:
useradd deploy
passwd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh

If you don't have a public/private SSH key pair on the computer you connect from, generate one now (ssh-keygen will do it).

  • Once you have your public/private key pair, open up your public key and copy its contents into a file called /home/deploy/.ssh/authorized_keys on your server with nano /home/deploy/.ssh/authorized_keys. Set the permissions on the file and give deploy ownership of its home directory (sshd refuses keys whose files are group- or world-writable, so the permissions matter):
chmod 400 /home/deploy/.ssh/authorized_keys
chown deploy:deploy /home/deploy -R
  • Now we need to set up passwordless sudo, since Ansible will run as deploy and escalate to root. On your server, type visudo and comment out the line that reads %sudo ALL=(ALL:ALL) ALL, then add a line under root ALL=(ALL:ALL) ALL that reads deploy ALL=(ALL) NOPASSWD: ALL. Save and quit (Ctrl+O then Ctrl+X in nano, Debian's default editor); visudo syntax-checks the file before installing it, so do not bypass it by editing /etc/sudoers directly. Keep in mind that this makes the deploy SSH key equivalent to root on the box, so guard the private key accordingly. Type exit to end the SSH session.

  • Log back in to SSH, but this time log in with the username deploy. So it would be ssh deploy@YOURIP. If everything was successful, you should have been logged in without a password prompt. You can confirm that passwordless sudo works with sudo -n true, which exits with an error instead of prompting if the sudoers line is wrong.

  • Let's update the server even though sovereign does this for us. There's a kernel upgrade and it's better if we take care of this ourselves before sovereign tries to update everything. So:

sudo apt-get update
sudo apt-get upgrade
sudo init 6

Wait a few minutes and SSH back in to make sure the server has booted. After you've made sure it's up, exit.

Configuring sovereign

  • If you haven't already, clone the sovereign repository on your local machine: git clone https://github.com/al3x/sovereign.git. Open up vars/user.yml in a text editor. Most of the file should be self-explanatory. Make sure that you replace EVERYTHING that says TODO and carefully go over all of the settings in here to make sure you're not leaving in a default password or anything. There are a couple of steps that need some explaining...
  • For ZNC, you're going to need to install znc first in order to make a password for it. I don't know what distribution you're using, so that's up to you to figure out how you're going to do that. I'm on Arch Linux, and ZNC is included in the main repositories, so I installed it through my package manager. Once you have it installed, make the password: znc --makepass. Take the string beginning with sha256# and insert it as the value for irc_password_hash.
  • For Dovecot, again, you'll need to install it. After: doveadm pw -s SHA512-CRYPT (the scheme must be SHA512-CRYPT, not plain SHA512, or the hash will not be in the crypt format the rest of this step expects). Remove the {SHA512-CRYPT} prefix and insert the rest as the password_hash value.
  • For Selfoss, sha512 didn't work for me. Instead visit news.DOMAIN.TLD/password (replacing DOMAIN.TLD with your own) and generate a password. You can update the password in /var/www/selfoss/config.ini to get it working right away, and be sure to update it in user.yml as well.
  • If you're going to run Tarsnap, make a machine key. Remove the one that comes with sovereign: rm roles/tarsnap/files/root_tarsnap.key. Now, generate a new one: tarsnap-keygen --keyfile roles/tarsnap/files/root_tarsnap.key --user me@example.com --machine DOMAIN.TLD. Again, replace DOMAIN.TLD with whatever domain you have, and replace me@example.com with whatever email you used to sign up to Tarsnap.
  • Generate a self-signed wildcard SSL certificate. If you want to be really classy and buy one then be my guest, but I can't cover that as I've never done it. The first command below prompts for the certificate fields; when asked for the Common Name, enter *.DOMAIN.TLD (with the leading asterisk), otherwise the certificate will not match the subdomains the services are served from. The -nodes flag leaves the private key unencrypted, which is what the playbook needs, so keep the key file out of any public repository.
openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
  • Open up the hosts file in the sovereign repository (the Ansible inventory, not /etc/hosts), delete everything in it, and put your server's IP in there.
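The certificate step above runs openssl interactively and depends on you typing the wildcard CN correctly. Here is an added example script (my own, not part of the sovereign project) that generates the same three files non-interactively, sets both the CN and a subjectAltName to the wildcard, and then checks that the CN is what you expect and that the private key really belongs to the certificate. The domain example.com and the output directory are placeholders; the file names match the ones the wiki expects under roles/common/files.

```shell
#!/bin/sh
# Added example, not code from the sovereign project: create the self-signed
# wildcard certificate non-interactively and verify it before copying it into
# roles/common/files. "example.com" below is a placeholder domain.
set -eu

# make_wildcard_cert DOMAIN OUTDIR
# Writes OUTDIR/wildcard_private.key (unencrypted, mode 0600),
# OUTDIR/wildcard_public_cert.crt and OUTDIR/wildcard_ca.pem (a copy of the
# certificate, matching the wiki's final cp step).
make_wildcard_cert() {
  domain="$1"
  outdir="$2"
  mkdir -p "$outdir"
  cfg="$outdir/wildcard.cnf"
  # A config file sets the CN and SAN without prompting, and works with the
  # OpenSSL 1.0.x shipped in Debian 7 (no -addext needed).
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_self
prompt = no

[dn]
CN = *.$domain

[v3_self]
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
  # Subshell so the restrictive umask only applies to the key/cert files.
  (
    umask 077
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -config "$cfg" \
      -keyout "$outdir/wildcard_private.key" \
      -out "$outdir/wildcard_public_cert.crt" 2>/dev/null
  )
  cp "$outdir/wildcard_public_cert.crt" "$outdir/wildcard_ca.pem"
}

# cert_cn CERTFILE: print the certificate's CN (should be *.DOMAIN).
# The sed handles both the old "subject= /CN=..." and the new "subject=CN = ..."
# output formats of openssl x509.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_matches_key CERTFILE KEYFILE: succeed only if the key belongs to the
# certificate (same RSA modulus on both sides).
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -modulus)" = \
    "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Stand-alone usage: sh make_wildcard.sh example.com ./out
if [ "${1:-}" ] && [ "${2:-}" ]; then
  make_wildcard_cert "$1" "$2"
  echo "CN: $(cert_cn "$2/wildcard_public_cert.crt")"
  cert_matches_key "$2/wildcard_public_cert.crt" "$2/wildcard_private.key" \
    && echo "key matches certificate"
fi
```

Run it with your real domain and an output directory, then copy wildcard_private.key, wildcard_public_cert.crt and wildcard_ca.pem into roles/common/files. The SAN entry is there because modern clients ignore the CN and only look at subjectAltName when checking the hostname.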

Run sovereign

  • Run the command ansible-playbook -i ./hosts site.yml. Ignore the encfs error. There will be an error on "Enable ufw", at which point you want to run ansible-playbook -i ./hosts site.yml again. There will be another error when it tries to build ZNC. This should be the last error. Run ansible-playbook -i ./hosts site.yml again. If anything else errors out, keep running ansible-playbook -i ./hosts site.yml.

Set up DNS

  • Go to the DNS section of the DigitalOcean control panel. Click "add record" and replicate what you see in this image: (image: DigitalOcean DNS). Where /etc/opendkim/keys/*/default.txt is, you're going to need to SSH into your server and read what that file contains. So SSH in, get a root shell by typing sudo -s, and issue the command more /etc/opendkim/keys/*/default.txt. Copy and paste the stuff in quotes, quotes included. If the value is split across several quoted strings (opendkim-genkey does this for longer keys), they are one TXT record and must be joined into a single value in the DigitalOcean form. Once DNS has propagated you can check the published key from the server with opendkim-testkey -d DOMAIN.TLD -s default -vvv.
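Reading the quoted pieces out of default.txt by eye is error-prone when the key is split across lines. The following added example (my own script, not part of sovereign or opendkim) prints the record name and the joined TXT value from such a file. The sample default.txt it writes is constructed in the opendkim-genkey layout with filler in place of a real key.

```shell
#!/bin/sh
# Added example, not code from the sovereign project: extract the TXT record
# value from an opendkim-genkey default.txt so it can be pasted into the
# DigitalOcean DNS form as one string.
set -eu

# dkim_record_name FILE: the owner name of the record (e.g. default._domainkey)
dkim_record_name() {
  awk 'NR == 1 { print $1 }' "$1"
}

# dkim_txt_value FILE: the TXT value with all quoted pieces joined.
# opendkim-genkey splits long (2048-bit) keys into several quoted strings
# because one TXT string is limited to 255 bytes; resolvers concatenate the
# strings, so the joined value is what goes into a single-field control panel.
dkim_txt_value() {
  grep -o '"[^"]*"' "$1" | tr -d '"\n'
  echo
}

# write_sample_default_txt FILE: writes a constructed default.txt in the
# opendkim-genkey layout. The p= value is NOT a real key, just filler.
write_sample_default_txt() {
  cat > "$1" <<'EOF'
default._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC"
      "AQEAnotARealKeyJustFillerForTheExample" )  ; ----- DKIM key default for example.com
EOF
}

# Stand-alone usage: sh dkim_txt.sh /etc/opendkim/keys/DOMAIN.TLD/default.txt
if [ "${1:-}" ]; then
  echo "name:  $(dkim_record_name "$1")"
  echo "value: $(dkim_txt_value "$1")"
fi
```

Point it at the real default.txt on the server (as root, since the key directory is not world-readable) and paste the printed name and value into the DNS form.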