# Setting up on DigitalOcean with Debian 7 (INCOMPLETE)

- Buy a domain name if you do not have one.
- Set the domain name's nameservers to `ns1.digitalocean.com`, `ns2.digitalocean.com`, and `ns3.digitalocean.com`. It may take a while for the DNS to propagate, which is why we do this first.
- Create a new droplet in your DigitalOcean control panel. I use the basic 512 one right now and it seems to work fine. In the hostname field, type in `mail.DOMAIN.TLD`, where `DOMAIN.TLD` is your domain name. This is important, as DigitalOcean's reverse DNS system uses this hostname to set it up. Pick whatever region you'd like. For distribution, choose Debian 7.0 x64. Enable VirtIO and, if you want, backups, but I recommend getting a Tarsnap account and setting that up with Sovereign instead of using DigitalOcean's backups. Click the big button that says Create Droplet! Wait for the email with your root password, or if you log in with an SSH key then you know the drill.
- Log in to your server with the instructions in your email. Change the root password by typing `passwd`. Now we're going to create a new user for sovereign to work with and set up SSH access for it:

  ```
  useradd deploy
  passwd deploy
  mkdir /home/deploy
  mkdir /home/deploy/.ssh
  chmod 700 /home/deploy/.ssh
  ```

  If you don't have a public/private SSH key pair on your connecting computer, generate one now.
- Once you have your public/private key pair, open up your public key and copy the contents into a file called `/home/deploy/.ssh/authorized_keys` on your server with `nano /home/deploy/.ssh/authorized_keys`. Set the permissions for the file and make `deploy` the owner of its home directory:

  ```
  chmod 400 /home/deploy/.ssh/authorized_keys
  chown deploy:deploy /home/deploy -R
  ```
- Now we need to set up passwordless sudo. On your server, type `visudo`, comment out the line that reads `%sudo ALL=(ALL:ALL) ALL`, and add a line under `root ALL=(ALL:ALL) ALL` that reads `deploy ALL=(ALL) NOPASSWD: ALL`. Press `Ctrl+O`, then `Ctrl+X`, and then type `exit` to end the SSH session.
- Log back in with SSH, but this time log in with the username `deploy`, so it would be `ssh deploy@YOURIP`. If everything was successful, you should have been logged in automatically, without a password prompt.
- Let's update the server even though sovereign does this for us. There's a kernel upgrade, and it's better if we take care of this ourselves before sovereign tries to update everything. So:

  ```
  sudo apt-get update
  sudo apt-get upgrade
  sudo init 6
  ```

  Wait a few minutes and SSH back in to make sure the server has booted up. After you've made sure it's on, exit out.
- If you haven't already, clone the sovereign repository on your local machine: `git clone https://github.com/al3x/sovereign.git`. Open up `vars/user.yml` in a text editor. Most of the file should be self-explanatory. Make sure that you replace EVERYTHING that says TODO, and carefully go over all of the settings in here to make sure you're not leaving in a default password or anything. There are a couple of steps that need some explaining...
- For ZNC, you're going to need to install znc first in order to make a password for it. I don't know what distribution you're using, so that's up to you to figure out how you're going to do that. I'm on Arch Linux, and ZNC is included in the main repositories, so I installed it through my package manager. Once you have it installed, make the password with `znc --makepass`. Take the string beginning with `sha256#` and insert it as the value for `irc_password_hash`.
- For Dovecot, again, you'll need to install it. After that, run `doveadm pw -s SHA512`. Remove `{SHA512-CRYPT}` from the output and insert the rest as the `password_hash` value.
- For Selfoss, sha512 didn't work for me. Instead, visit `news.DOMAIN.TLD/password` (replacing `DOMAIN.TLD` with your own) and generate a password. You can update the password in `/var/www/selfoss/config.ini` to get it working right away, and be sure to update it in `user.yml` as well.
- If you're going to run Tarsnap, make a machine key. Remove the one that comes with sovereign: `rm roles/tarsnap/files/root_tarsnap.key`. Now, generate a new one: `tarsnap-keygen --keyfile roles/tarsnap/files/root_tarsnap.key --user me@example.com --machine DOMAIN.TLD`. Again, replace `DOMAIN.TLD` with whatever domain you have, and replace `me@example.com` with whatever email you used to sign up to Tarsnap.
- Generate a self-signed wildcard SSL certificate. If you want to be really classy and buy one then be my guest, but I can't cover that as I've never done it.

  ```
  openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
  openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
  cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
  ```
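The `openssl req` command above prompts interactively for the certificate subject, and the certificate is only a wildcard if you answer `*.DOMAIN.TLD` at the Common Name prompt; modern clients also ignore the CN and check the subjectAltName extension instead. The script below is an added example, not part of the sovereign project or the original page: it produces the same three files non-interactively with both the CN and a SAN covering `*.DOMAIN.TLD` and `DOMAIN.TLD`, keeps the private key readable only by its owner, and prints the SAN so you can confirm it before running the playbook. The `DOMAIN` and `OUTDIR` parameters are this example's own; it assumes OpenSSL 1.1.1 or newer for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example (not sovereign's own code): self-signed wildcard certificate,
# generated without prompts, in the file layout roles/common/files expects.
set -eu

# make_wildcard_cert DOMAIN OUTDIR
# Writes wildcard_private.key, wildcard_public_cert.crt and wildcard_ca.pem to OUTDIR.
# Key and certificate are produced in one step (-x509) instead of the CSR round trip;
# the result is equivalent, a 2048-bit RSA key and a 365-day self-signed certificate.
make_wildcard_cert() {
    domain="$1"
    outdir="$2"
    mkdir -p "$outdir"
    # umask 077 in a subshell so the key file is created owner-readable only
    ( umask 077; openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" \
        -keyout "$outdir/wildcard_private.key" \
        -out "$outdir/wildcard_public_cert.crt" 2>/dev/null )
    # Sovereign also wants a CA bundle; for a self-signed certificate that is the cert itself.
    cp "$outdir/wildcard_public_cert.crt" "$outdir/wildcard_ca.pem"
}

# cert_sans CERTFILE
# Prints the subjectAltName names of CERTFILE, e.g. "DNS:*.example.test, DNS:example.test".
cert_sans() {
    openssl x509 -noout -ext subjectAltName -in "$1" | tail -n 1 | sed 's/^ *//'
}

# Usage: make_wildcard_cert DOMAIN.TLD roles/common/files && cert_sans roles/common/files/wildcard_public_cert.crt
```

Because the certificate is self-signed, every mail client and browser that connects to the server will warn about it once until you trust it; the SAN check above is what those clients actually validate the hostname against.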
- Open up the `hosts` file and delete everything in it. Put your server's IP in there.
- Run the command `ansible-playbook -i ./hosts site.yml`. Ignore the encfs error. There will be an error on "Enable ufw", at which point you want to run `ansible-playbook -i ./hosts site.yml` again. There will be another error when it tries to build ZNC. This should be the last error. Run `ansible-playbook -i ./hosts site.yml` again. If anything else errors out, keep running `ansible-playbook -i ./hosts site.yml`.
- Go to the DNS section of the DigitalOcean control panel. Click "add record" and replicate what you see in this image:

  Where `/etc/opendkim/keys/*/default.txt` is, you're going to need to SSH into your server and read what that file contains. So SSH in, get a root shell by typing `sudo -s`, and issue the command `more /etc/opendkim/keys/*/default.txt`. Copy and paste the stuff in quotes, quotes included.
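OpenDKIM's `default.txt` splits the public key across several quoted strings because a single DNS TXT string is limited to 255 bytes, so pasting it by hand is where DKIM records usually go wrong (a missing fragment, a stray quote, or the trailing comment copied along). The script below is an added example, not part of sovereign or the original page: it reconstructs the record name and the single joined TXT value from that file and sanity-checks that the result carries the `v=DKIM1` and `p=` tags. The sample file is constructed here to mirror the `opendkim-genkey` output format; point the functions at the real `/etc/opendkim/keys/*/default.txt` on the server instead.

```shell
#!/bin/sh
# Added example (not sovereign's own code): turn OpenDKIM's default.txt into the
# host name and the one-line TXT value a DNS control panel form asks for.
set -eu

# Constructed sample in the opendkim-genkey layout; the key material is a placeholder.
SAMPLE_DKIM_FILE=$(mktemp)
cat > "$SAMPLE_DKIM_FILE" <<'EOF'
default._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCexample" )  ; ----- DKIM key default for example.test
EOF

# dkim_record_name FILE
# The left-hand side of the record: the host name to enter in the DNS form.
dkim_record_name() {
    awk 'NR == 1 { print $1 }' "$1"
}

# dkim_txt_value FILE
# Joins every quoted fragment into one string with the quotes and line breaks removed;
# the trailing "; -----" comment is never inside quotes, so it is dropped automatically.
dkim_txt_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# dkim_check_value VALUE
# Returns 0 when VALUE looks like a DKIM key record (starts with v=DKIM1 and has a p= tag).
dkim_check_value() {
    case "$1" in
        v=DKIM1*p=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage with the constructed sample; on the server substitute /etc/opendkim/keys/*/default.txt.
value=$(dkim_txt_value "$SAMPLE_DKIM_FILE")
dkim_check_value "$value" || { echo "default.txt does not look like a DKIM key" >&2; exit 1; }
echo "$(dkim_record_name "$SAMPLE_DKIM_FILE") TXT $value"
```

After the record has propagated, `dig TXT default._domainkey.DOMAIN.TLD` from any machine should return the same `v=DKIM1; k=rsa; p=...` value; if it comes back truncated or empty, outbound mail will fail DKIM verification at the receiving side.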