
add readme

Cullum Smith 3 years ago
parent
commit
67e2d3126a
2 changed files with 70 additions and 1 deletion
  1. .gitignore (+1 / -0)
  2. README.md (+69 / -1)

.gitignore (+1 / -0)

@@ -0,0 +1 @@
1
+vars.yml
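Review bot: ignoring `vars.yml` matches step 5 of the README, where users copy `vars-sample.yml` to `vars.yml` and fill in their site-specific values, and the exact-name pattern leaves `vars-sample.yml` tracked as intended. Worth checking whether the playbook writes any generated key material into the checkout (the DNSSEC signing keys used by `ldns-signzone`, for example) and adding those paths here as well, so that a fork does not accidentally commit them.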

README.md (+69 / -1)

@@ -1,2 +1,70 @@
1 1
 # dank-selfhosted
2
-Ansible playbook for hosting email, web, DNS, and XMPP on OpenBSD.
2
+
3
+![puffy deal with it](https://i.imgur.com/A46hkpd.gif)
4
+
5
+Hi! This is my ansible playbook for self-hosting your own email, web hosting, XMPP chat,
6
+and DNS records using [OpenBSD](https://www.openbsd.org/). I use it to host everything on
7
+[c0ffee.net](https://www.c0ffee.net), but you can easily adapt it for your own domain by
8
+setting a few variables in `vars.yml`.
9
+
10
+## Assumptions
11
+
12
+- You have a public-facing server (probably a VPS) running OpenBSD, with an IPv4 and IPv6 address. I recommend [Vultr](https://www.vultr.com/?ref=6845125).
13
+- You have your own domain name, and a registrar that supports DNSSEC. I recommend [Namecheap](https://affiliate.namecheap.com/?affId=108349).
14
+- You have a secondary DNS provider that supports DNSSEC. I recommend [DNS Made Easy](https://cp.dnsmadeeasy.com/u/122648). ([Why do I need this?](https://www.c0ffee.net/blog/dns-hidden-master/))
15
+- You're crazy enough to run your own mail server :-)
16
+
17
+## Goals
18
+
19
+- Use as much of the OpenBSD base system as possible:
20
+    - [acme-client(1)](https://man.openbsd.org/acme-client.1) for [LetsEncrypt](https://letsencrypt.org/) certificates
21
+    - [smtpd(8)](https://man.openbsd.org/smtpd.8) for mail handling
22
+    - [spamd(8)](https://man.openbsd.org/spamd) for spam filtering
23
+    - [nsd(8)](https://man.openbsd.org/nsd.8) for authoritative DNS server
24
+    - [httpd(8)](https://man.openbsd.org/httpd.8) for web server
25
+    - basic [passwd(5)](https://man.openbsd.org/passwd.5) authentication for all services (maybe I should look into [ldapd(8)](https://man.openbsd.org/ldapd.8)?)
26
+
27
+- Of course, some packages from the ports tree will be necessary:
28
+    - [prosody](http://prosody.im/) for XMPP chat
29
+    - [postgresql](https://www.postgresql.org/) for Prosody data storage
30
+    - [ldns-utils](https://www.nlnetlabs.nl/projects/ldns/about/) for DNSSEC zone signing
31
+    - [dovecot](https://dovecot.org/) for IMAP access
32
+    - [dkimproxy](http://dkimproxy.sourceforge.net/) for [DKIM](http://www.dkim.org/) signing of outgoing mail
33
+
34
+- Encryption Everywhere:
35
+    - Automated DNSSEC with cron tasks using `nsd` and `ldns-signzone` for daily zone re-signing and slave `NOTIFY`s
36
+    - TLS for all public-facing services using LetsEncrypt certificates with automated renewal and daemon reload hooks
37
+    - Automatic publishing of [SSHFP](https://tools.ietf.org/html/rfc4255) records for authoritative SSH fingerprints
38
+    - Automatic publishing of [TLSA](https://tools.ietf.org/html/rfc6698) records for [DANE email encryption](https://halon.io/blog/what-is-dane/)
39
+    - Automatic publishing of DKIM records for outgoing email verification
40
+
41
+- Keep it Simple
42
+    - Unopinionated baseline for what most people want from a personal domain
43
+    - Keep dependencies to a minimum and stick to UNIX conventions (simple `passwd` auth, mail stored in `~/Maildir`, etc)
44
+    - Automate the tedious stuff, so you can focus on hacking!
45
+
46
+## Usage
47
+
48
+1. Boot up your OpenBSD server.
49
+2. Create at least one user account. You will use this account to administer the system, so make sure to add yourself to the `wheel` group.
50
+3. Run `scripts/boostrap_openbsd.sh` as root to add a package repo URL and set up [doas](http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1) for your user (required for Ansible).
51
+4. Configure your secondary DNS provider to accept `NOTIFY`s and perform zone transfers from your server's IP address.
52
+5. `cp vars-sample.yml vars.yml` and edit the configuration to your liking.
53
+6. Run the playbook! `ansible-playbook site.yml`
54
+7. Ensure you have reverse DNS in place for your server's IP address. This is a critical step to avoid your outgoing mail being flagged as spam. At Vultr, this is configured under "Settings > IPv4". You should set one for your primary IPv6 address as well.
55
+8. The last step is to configure DS records for DNSSEC at your domain registrar. Run `scripts/ds_records.sh` to generate the records. At Namecheap, this is configured under "Advanced DNS > DNSSEC" in the web portal.
56
+9. Yell at me on [Twitter](https://twitter.com/cullumsmith) when you inevitably find bugs in my code.
57
+
58
+## Operational Notes
59
+
60
+- **Login info:** the credentials for SMTP (STARTTLS, port 587) and IMAP (SSL, port 993) are simply your username (*without* the @domain.com portion) and login password. XMPP uses the `username@domain.com` syntax for logins, but the password is the same. Mail is stored under `~/Maildir` in each user's home directory for easy access using local clients like `mutt`.
61
+
62
+- **Additional accounts**: to add more accounts, just use `adduser`. Unless they need a shell, it's probably best to set their shell to `/sbin/nologin`.
63
+
64
+- **IPv6:** `spamd` does not currently support IPv6, so don't go adding a AAAA record for `mail` in the zonefile!
65
+
66
+- **Monitoring spamd**: just run `spamdb` to see a list of senders currently greylisted/whitelisted.
67
+
68
+- **Virtual Hosts**: a default vhost will be created for `www.domain.com`, with a bare domain redirect. Shove HTML files into `/var/www/htdocs/www.domain.com` to start sharing your worthless opinions with the internet! To add more vhosts, just put a configuration file in `/etc/sites` and include it in `/etc/httpd.d/sites.conf`.
69
+
70
+- **Greylisting pitfalls:** `spamd` works by [greylisting](https://www.greylisting.org/). Unfortunately, big mailers like GMail often don't retry delivery from the same address, resulting in a greylist black hole described [here](https://poolp.org/posts/2018-01-08/spfwalk/). To alleviate this, I included a daily cron job that whitelists the IP addresses found in the SPF records for some of the big mailers like GMail and Yahoo. If you notice any other problematic domains, add them to the `bigmailers` list in `roles/spamd/vars/main.yml` to have their IP ranges whitelisted. (And be sure to send me a pull request!)
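Review bot: step 3 of the Usage section refers to `scripts/boostrap_openbsd.sh`, which looks like a typo for `bootstrap`; verify the name against the script actually shipped in `scripts/` so the documented command does not fail for new users. Two smaller documentation points: the greylisting note should say plainly that the daily `bigmailers` cron job exempts every address in those providers' SPF ranges from greylisting, so mail from them is accepted without the retry check, and step 8 could mention that the DS records must be re-published whenever the zone's key-signing key changes, since the daily cron re-signing described under Goals only covers the zone itself.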
