@@ -1,2 +1,70 @@
# dank-selfhosted
-Ansible playbook for hosting email, web, DNS, and XMPP on OpenBSD.
+
+
+
+Hi! This is my ansible playbook for self-hosting your own email, web hosting, XMPP chat,
+and DNS records using [OpenBSD](https://www.openbsd.org/). I use it to host everything on
+[c0ffee.net](https://www.c0ffee.net), but you can easily adapt it for your own domain by
+setting a few variables in `vars.yml`.
+
+## Assumptions
+
+- You have a public-facing server (probably a VPS) running OpenBSD, with an IPv4 and IPv6 address. I recommend [Vultr](https://www.vultr.com/?ref=6845125).
+- You have your own domain name, and a registrar that supports DNSSEC. I recommend [Namecheap](https://affiliate.namecheap.com/?affId=108349).
+- You have a secondary DNS provider that supports DNSSEC. I recommend [DNS Made Easy](https://cp.dnsmadeeasy.com/u/122648). ([Why do I need this?](https://www.c0ffee.net/blog/dns-hidden-master/))
+- You're crazy enough to run your own mail server :-)
+
+## Goals
+
+- Use as much of the OpenBSD base system as possible:
+ - [acme-client(1)](https://man.openbsd.org/acme-client.1) for [LetsEncrypt](https://letsencrypt.org/) certificates
+ - [smtpd(8)](https://man.openbsd.org/smtpd.8) for mail handling
+ - [spamd(8)](https://man.openbsd.org/spamd) for spam filtering
+ - [nsd(8)](https://man.openbsd.org/nsd.8) for authoritative DNS server
+ - [httpd(8)](https://man.openbsd.org/httpd.8) for web server
+ - basic [passwd(5)](https://man.openbsd.org/passwd.5) authentication for all services (maybe I should look into [ldapd(8)](https://man.openbsd.org/ldapd.8)?)
+
+- Of course, some packages from the ports tree will be necessary:
+ - [prosody](http://prosody.im/) for XMPP chat
+ - [postgresql](https://www.postgresql.org/) for Prosody data storage
+ - [ldns-utils](https://www.nlnetlabs.nl/projects/ldns/about/) for DNSSEC zone signing
+ - [dovecot](https://dovecot.org/) for IMAP access
+ - [dkimproxy](http://dkimproxy.sourceforge.net/) for [DKIM](http://www.dkim.org/) signing of outgoing mail
+
+- Encryption Everywhere:
+ - Automated DNSSEC with cron tasks using `nsd` and `ldns-signzone` for daily zone re-signing and slave `NOTIFY`s
+ - TLS for all public-facing services using LetsEncrypt certificates with automated renewal and daemon reload hooks
+ - Automatic publishing of [SSHFP](https://tools.ietf.org/html/rfc4255) records for authoritative SSH fingerprints
+ - Automatic publishing of [TLSA](https://tools.ietf.org/html/rfc6698) records for [DANE email encryption](https://halon.io/blog/what-is-dane/)
+ - Automatic publishing of DKIM records for outgoing email verification
+
+- Keep it Simple
+ - Unopinionated baseline for what most people want from a personal domain
+ - Keep dependencies to a minimum and stick to UNIX conventions (simple `passwd` auth, mail stored in `~/Maildir`, etc)
+ - Automate the tedious stuff, so you can focus on hacking!
+
+## Usage
+
+1. Boot up your OpenBSD server.
+2. Create at least one user account. You will use this account to administer the system, so make sure to add yourself to the `wheel` group.
+3. Run `scripts/boostrap_openbsd.sh` as root to add a package repo URL and set up [doas](http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1) for your user (required for Ansible).
+4. Configure your secondary DNS provider to accept `NOTIFY`s and perform zone transfers from your server's IP address.
+5. `cp vars-sample.yml vars.yml` and edit the configuration to your liking.
+6. Run the playbook! `ansible-playbook site.yml`
+7. Ensure you have reverse DNS in place for your server's IP address. This is a critical step to avoid your outgoing mail being flagged as spam. At Vultr, this is configured under "Settings > IPv4". You should set one for your primary IPv6 address as well.
+8. The last step is to configure DS records for DNSSEC at your domain registrar. Run `scripts/ds_records.sh` to generate the records. At Namecheap, this is configured under "Advanced DNS > DNSSEC" in the web portal.
+9. Yell at me on [Twitter](https://twitter.com/cullumsmith) when you inevitably find bugs in my code.
+
+## Operational Notes
+
+- **Login info:** the credentials for SMTP (STARTTLS, port 587) and IMAP (SSL, port 993) are simply your username (*without* the @domain.com portion) and login password. XMPP uses the `username@domain.com` syntax for logins, but the password is the same. Mail is stored under `~/Maildir` in each user's home directory for easy access using local clients like `mutt`.
+
+- **Additional accounts**: to add more accounts, just use `adduser`. Unless they need a shell, it's probably best to set their shell to `/sbin/nologin`.
+
+- **IPv6:** `spamd` does not currently support IPv6, so don't go adding a AAAA record for `mail` in the zonefile!
+
+- **Monitoring spamd**: just run `spamdb` to see a list of senders currently greylisted/whitelisted.
+
+- **Virtual Hosts**: a default vhost will be created for `www.domain.com`, with a bare domain redirect. Shove HTML files into `/var/www/htdocs/www.domain.com` to start sharing your worthless opinions with the internet! To add more vhosts, just put a configuration file in `/etc/sites` and include it in `/etc/httpd.d/sites.conf`.
+
+- **Greylisting pitfalls:** `spamd` works by [greylisting](https://www.greylisting.org/). Unfortunately, big mailers like GMail often don't retry delivery from the same address, resulting in a greylist black hole described [here](https://poolp.org/posts/2018-01-08/spfwalk/). To alleviate this, I included a daily cron job that whitelists the IP addresses found in the SPF records for some of the big mailers like GMail and Yahoo. If you notice any other problematic domains, add them to the `bigmailers` list in `roles/spamd/vars/main.yml` to have their IP ranges whitelisted. (And be sure to send me a pull request!)
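Review bot: Usage step 3 points at `scripts/boostrap_openbsd.sh`, which reads like a misspelling of `bootstrap`; confirm the path matches the actual filename under `scripts/`, otherwise the step fails on copy-paste. Usage step 4 only covers the secondary's side (accept `NOTIFY`s and zone transfers from the server's IP) and says nothing about the primary's side: the README should state whether the `nsd` configuration restricts AXFR to the secondary's addresses (and whether TSIG is used), since an unrestricted zone transfer discloses the whole zone, including the SSHFP and TLSA records this playbook publishes. Two smaller documentation points: the "Greylisting pitfalls" note should say that whitelisting every address in a big mailer's SPF record also exempts any other sender using those ranges from greylisting, so readers understand what adding a domain to `bigmailers` actually grants; and the `spamd(8)` link under Goals is `https://man.openbsd.org/spamd` while every other man-page link carries its section suffix, e.g. `https://man.openbsd.org/spamd.8`.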