Introduction

Sovereign is a set of Ansible playbooks that you can use to build and maintain your own personal cloud (I know I know). It’s based entirely on open source software, so you’re in control.

If you’ve never used Ansible before, you a) are in for a treat and b) might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.

Background and Motivations

I had been a paying Google Apps customer for personal and corporate use since the service was in beta. Until several weeks ago, that is. I was about to set up another Google Apps account for a new project when I stopped to consider what I would be funding with my USD $50 per user per year:

1. A seriously questionable privacy track record.
2. A dwindling commitment to open standards.
3. A lack of long-term commitment to products.
4. Development of Google+: a cynical and unimaginative Facebook ripoff that’s intruding into progressively more Google products.

To each her/his own, but personally I saw little reason to continue participating in the Google ecosystem. It had been years since I last ran my own server for email and such, but it’s only gotten cheaper and easier to do so. Plus, none of the commercial alternatives I looked at provided all the services I was looking for.

Rather than writing up a long and hard-to-follow set of instructions, I decided to share my server setup in a format that you can more or less just clone, configure, and run. Ansible seemed like the most appropriate way to do that: it’s simple, straightforward, and easy to pick up.

I’ve been using this setup for about a month now and it’s been great. It’s also replaced some non-Google services I used, saving me money and making me feel like I’ve got a little more privacy.

A big chunk of the initial version was inspired by this post by Drew Crawford. Unlike Drew, my goal is not “NSA-proofing” email, just providing a reasonable alternative to Google Apps that isn’t wildly insecure. If you need serious privacy and security (ex: for dissident activities), Sovereign might be useful as a starting point but will require additional work. Be careful out there.

Services Provided

What do you get if you point this thing at a VPS? All kinds of good stuff!

• IMAP over SSL via Dovecot, complete with full text search provided by Solr.
• POP3 over SSL, also via Dovecot
• SMTP over SSL via Postfix, including a nice set of DNSBLs to discard spam before it ever hits your filters.
• Webmail via Roundcube.
• Mobile push notifications via Z-Push.
• Jabber/XMPP instant messaging via Prosody.
• An RSS Reader via Selfoss.
• Virtual domains for your email, backed by PostgreSQL.
• Secure on-disk storage for email and more via EncFS.
• Spam fighting via DSPAM and Postgrey.
• Mail server verification via OpenDKIM, so folks know you’re legit.
• CalDAV and CardDAV to keep your calendars and contacts in sync, via ownCloud.
• Your own private Dropbox, also via ownCloud.
• Your own VPN server via OpenVPN.
• An IRC bouncer via ZNC.
• Monit to keep everything running smoothly (and alert you when it’s not).
• collectd to collect system statistics.
• Web hosting (ex: for your blog) via Apache.
• Firewall management via Uncomplicated Firewall.
• Intrusion prevention via fail2ban and rootkit detection via rkhunter.
• SSH configuration preventing root login and insecure password authentication
• RFC6238 two-factor authentication compatible with Google Authenticator and various hardware tokens
• Nightly backups to Tarsnap.
• Git hosting via cgit and gitolite.
• Newebe, a social network.
• Read-it-later via Wallabag
• A bunch of nice-to-have tools like mosh and htop that make life with a server a little easier.

No setup is perfect, but the general idea is to provide a bunch of useful services while being reasonably secure and low-maintenance. Set it up, SSH in every couple weeks, but mostly forget about it.

Don’t want one or more of the above services? Comment out the relevant role in site.yml. Or get more granular and comment out the associated include: directive in one of the playbooks.

Usage

What You’ll Need

1. A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at Linode. You’ll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
2. 64-bit Debian 7 or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different packaging modules.)
3. A wildcard SSL certificate. You can either buy one or self-sign if you want to save money.
4. A Tarsnap account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.

Installation

1. Get a wildcard SSL certificate

Generate a private key and a certificate signing request (CSR):

openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr

Purchase a wildcard cert from a certificate authority, such as Positive SSL or AlphaSSL. You will provide them with the contents of your CSR, and in return they will give you your signed public certificate. Place the certificate in roles/common/files/wildcard_public_cert.crt.

Download your certificate authority’s combined cert to roles/common/files/wildcard_ca.pem. You can also download the intermediate and root certificates separately and concatenate them together in that order.

Lastly, test your certificates using the security program on Mac OS X:

security verify-cert -L -p ssl -s example.com -c roles/common/files/wildcard_public_cert.crt -c roles/common/files/wildcard_ca.pem
...certificate verification successful.

Self-signed SSL certificate

Purchasing SSL certs, and wildcard certs specifically, can be a significant financial burden. It is possible to generate a self-signed SSL certificate (i.e. one that isn’t signed by a Certificate Authority) that is free of charge by nature. However, since a self-signed cert has no CA chain that can confirm its authenticity, some services might behave erratically when using such a certificate.

To create a self-signed SSL cert, run the following commands:

openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem

2. Get a Tarsnap machine key

If you haven’t already, download and install Tarsnap, or use brew install tarsnap if you use Homebrew.

Create a new machine key for your server:

tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user me@example.com --machine example.com

3. Prep the server

For goodness sake, change the root password:

passwd

Create a user account for Ansible to do its thing through:

useradd deploy
passwd deploy
mkdir /home/deploy

Authorize your ssh key if you want passwordless ssh login (optional):

mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
nano /home/deploy/.ssh/authorized_keys
chmod 400 /home/deploy/.ssh/authorized_keys
chown deploy:deploy /home/deploy -R

This account should be set up for passwordless sudo. Use visudo and add this line:

deploy  ALL=(ALL) NOPASSWD: ALL

4. Configure your installation

Modify the settings in vars/user.yml to your liking. If you want to see how they’re used in context, just search for the corresponding string.

Setting password_hash for your mail users is a bit tricky. You can generate one using doveadm-pw.

# doveadm pw -s SHA512-CRYPT
Enter new password: foo
Retype new password: foo
{SHA512-CRYPT}$6$drlIN9fx7Aj7/iLu$XvjeuQh5tlzNpNfs4NwxN7.HGRLglTKism0hxs2C1OvD02d3x8OBN9KQTueTr53nTJwVShtCYiW80SGXAjSyM0

Remove {SHA512-CRYPT} and insert the rest as the password_hash value.

Same for the IRC password hash…

# znc --makepass
[ ?? ] Enter Password: foo
[ ?? ] Confirm Password: foo
[ ** ] Use this in the <User> section of your config:
[ ** ] Pass = sha256#4bfc209c5e19874337fd89c80675ad194836efea5efd4189b7f73cd9e0a6094f#,i*Msa0B;w9yR23nm1ZB#

Take the string beginning with sha256# and insert it as the value for irc_password_hash.

For git hosting, copy your public key into place. cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub or similar.

Finally, replace the TODOs in the file hosts. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address.
In that case you also need to add your custom port to the task Set firewall rules for web traffic and SSH in the file roles/common/tasks/ufw.yml.

5. Run the Ansible Playbooks

First, make sure you’ve got Ansible 1.6+ installed.

To run the whole dang thing:

ansible-playbook -i ./hosts site.yml

To run just one or more piece, use tags. I try to tag all my includes for easy isolated development. For example, to focus in on your firewall setup:

ansible-playbook -i ./hosts --tags=ufw site.yml

You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there’s no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I’ve tried to add comments where manual intervention is necessary.

6. Set up DNS

If you’ve just bought a new domain name, point it at Linode’s DNS Manager or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.

Create an A records which point to your server IP for:

• example.com
• mail.example.com
• read.example.com (for wallabe)
• news.example.com (for selfoss)
• cloud.example.com (for owncloud)
• git.example.com (for cgit)

Create a MX record for example.com which assigns mail.example.com as the domain’s mail server.

To ensure your emails pass DKIM checks you need to add a txt record. The name field will be default._domainkey.EXAMPLE.COM. The value field contains the public key used by OpenDKIM. The exact value needed can be found in the file /etc/opendkim/keys/EXAMPLE.COM/default.txt it’ll look something like this:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKKAQfMwKVx+oJripQI+Ag4uTwYnsXKjgBGtl7Tk6UMTUwhMqnitqbR/ZQEZjcNolTkNDtyKZY2Z6LqvM4KsrITpiMbkV1eX6GKczT8Lws5KXn+6BHCKULGdireTAUr3Id7mtjLrbi/E3248Pq0Zs39hkDxsDcve12WccjafJVwIDAQAB

Set up SPF and reverse DNS as per this post. Make sure to validate that it’s all working, for example by sending an email to check-auth@verifier.port25.com and reviewing the report that will be emailed back to you.

7. Miscellaneous Configuration

• Sign in to the ZNC web interface and set things up to your liking. It isn’t exposed through the firewall, so you must first set up an SSH tunnel ssh deployexample.com -L 6643:localhost:6643@ and then proceed to http://localhost:6643 in your web browser.
• Sign into ownCloud to set it up. You should select postgresql as the configuration backend.

How To Use Your New Personal Cloud

We’re collecting known-good client setups on our wiki.

Troubleshooting

If you run into an errors, please check the wiki page. If the problem you encountered, is not listed, please go ahead and create an issue. If you already have a bugfix and/or workaround, just put them in the issue and the wiki page.

IRC

#sovereign on Freenode

Contributing

You may want to set up a local development environment so that you don’t have to test on your real server.

If you improve one of the provided playbooks or add an exciting new one, send a pull request. Everyone benefits.

License

Original content is GPLv3, same as Ansible. All files and templates based on third-party software should be considered under their respective licenses.