| Repository statistic | Value |
|---|---|
| Number of watchers on GitHub | 6866 |
| Number of open issues | 64 |
| Average time to close an issue | about 1 month |
| Average time to merge a PR | 7 days |
| Open pull requests | 44+ |
| Closed pull requests | 24+ |
| Last commit | almost 2 years ago |
| Repo created | about 6 years ago |
| Repo last updated | over 1 year ago |
| Organization / Author | sovereign |
If you've never used Ansible before, you might find these playbooks useful to learn from, since they show off a fair bit of what the tool can do.
The original author's background and motivations might be of interest. tl;dr: frustrations with Google Apps and concerns about privacy and long-term support.
Sovereign offers useful cloud services while being reasonably secure and low-maintenance. Use it to set up your server, SSH in every couple of weeks, but mostly forget about it.
What do you get if you point Sovereign at a server? All kinds of good stuff!

Don't want one or more of the above services? Comment out the relevant role in `site.yml`. Or get more granular and comment out the associated `include:` directive in one of the playbooks.
You do not need to acquire an SSL certificate. The SSL certificates you need will be obtained from Let's Encrypt automatically when you deploy your server. Let's Encrypt validates that each name really belongs to this server, so the DNS records described below must already resolve to it before you run the playbook.
The following steps are done on the remote server by `ssh`ing into it and running these commands.

`aptitude` is required on Debian.

```
apt-get install sudo python
```
Create a new machine key for your server:

```
tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user email@example.com --machine example.com
```

Keep a copy of that key file somewhere safe other than the server itself: tarsnap archives can only be read with the key that created them, so losing the key means losing the backups.
For goodness' sake, change the root password:

```
passwd
```
Create a user account for Ansible to do its thing through:

```
useradd deploy
passwd deploy
mkdir /home/deploy
```
Authorize your SSH key if you want passwordless SSH login (optional):

```
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
nano /home/deploy/.ssh/authorized_keys
chmod 400 /home/deploy/.ssh/authorized_keys
chown deploy:deploy /home/deploy -R
echo 'deploy ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/deploy
```

The last line grants `deploy` unrestricted root without a password, so treat the drop-in the way sudo expects: set its mode to 0440 and run it through `visudo -c` before you log out, because a syntax error in any file under `/etc/sudoers.d` stops sudo working for everyone.
Your new account will be automatically set up for passwordless sudo. Or you can just add your deploy user to the sudo group:

```
adduser deploy sudo
```
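The server-prep steps above as one script, added here as an example; it is not part of the sovereign project. It assumes a Debian-style host (`apt-get`, `useradd`), reads the deploy user's public key from the file named in `PUBKEY_FILE`, and touches nothing unless `RUN_PREP=1` is set and it runs as root, so the helper functions can be exercised on their own. The extra checks are the ones the manual steps skip: the pasted key is verified to be an OpenSSH public key, the sudoers drop-in gets mode 0440 and a `visudo` syntax check, and it is written under a dotted temporary name that sudo ignores until the rename.

```shell
#!/bin/sh
# Added example, not part of the sovereign project: the manual "prep the
# server" steps as one script with the checks a careless run skips.
# Assumptions: Debian-style system (apt-get, useradd); the deploy user's
# public key is supplied in $PUBKEY_FILE; sudoers drop-ins live in
# /etc/sudoers.d. The full procedure only runs with RUN_PREP=1 as root.
set -eu

DEPLOY_USER="${DEPLOY_USER:-deploy}"

# Accept exactly one OpenSSH public-key line. A private key, a PuTTY
# export or a blank line pasted into authorized_keys is rejected.
valid_pubkey() {
    key_line=$1
    case $key_line in
        'ssh-ed25519 '*|'ssh-rsa '*|'ecdsa-sha2-nistp256 '*|'ecdsa-sha2-nistp384 '*|'ecdsa-sha2-nistp521 '*) ;;
        *) return 1 ;;
    esac
    body=$(printf '%s\n' "$key_line" | cut -d' ' -f2)
    printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Install the key with the modes sshd's StrictModes insists on: .ssh is
# 0700 and authorized_keys is not writable by group or others. Overwrites
# any existing authorized_keys, like the nano step above would.
install_authorized_key() {
    home=$1; pubkey=$2; owner=${3:-}
    if ! valid_pubkey "$pubkey"; then
        echo "refusing to install: not an OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    printf '%s\n' "$pubkey" > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if [ -n "$owner" ]; then chown -R "$owner:$owner" "$home"; fi
}

# Same NOPASSWD grant as the echo above, but written 0440 (the mode sudo
# expects for drop-ins) and syntax-checked before it goes live. The temp
# name contains dots, which sudo ignores, so a half-written file is never
# parsed. visudo is only invoked when running as root.
write_sudoers_dropin() {
    dir=$1; user=$2
    tmp=$(mktemp "$dir/.$user.XXXXXX")
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        if ! visudo -cf "$tmp" >/dev/null; then
            rm -f "$tmp"
            echo "sudoers syntax check failed" >&2
            return 1
        fi
    fi
    mv "$tmp" "$dir/$user"
}

# The whole procedure, only when asked for explicitly and running as root.
# -y and -m are additions to the page's commands (non-interactive install,
# create the home directory instead of a separate mkdir).
if [ "${RUN_PREP:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    apt-get install -y sudo python
    id "$DEPLOY_USER" >/dev/null 2>&1 || useradd -m -s /bin/bash "$DEPLOY_USER"
    install_authorized_key "/home/$DEPLOY_USER" "$(cat "${PUBKEY_FILE:?set PUBKEY_FILE}")" "$DEPLOY_USER"
    write_sudoers_dropin /etc/sudoers.d "$DEPLOY_USER"
    echo "done; now change the root password with: passwd"
fi
```

Run it as `RUN_PREP=1 PUBKEY_FILE=/tmp/id_ed25519.pub sh prep.sh` on the fresh server; without `RUN_PREP=1` it only defines the functions, which is how the test below exercises them in a scratch directory.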
Ansible (the tool setting up your server) runs locally on your computer and sends commands to the remote server. Download this repository somewhere on your machine, either through Clone or Download > Download ZIP above, or with git as below:

```
git clone https://github.com/sovereign/sovereign.git
```
Modify the settings in the `group_vars/sovereign` folder to your liking. If you want to see how they're used in context, just search for the corresponding string. All of the variables in `group_vars/sovereign` must be set for sovereign to function.
For Git hosting, copy your public key into place:

```
cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub
```
Finally, replace `host.example.net` in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file
Otherwise the firewall will only open the default SSH port, and your own session is the first thing it locks out.
If you've just bought a new domain name, point it at Linode's DNS Manager or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you're using an existing domain that's already managed elsewhere, you can probably just modify a few records.

Create records that resolve to your server's IP address. A CNAME can only point at another name, never at an IP, so use `A` records (and `AAAA` if you have IPv6), or `CNAME` records to a name that itself has an `A` record, for:

- `www.example.com` (for Web hosting)
- `autoconfig.example.com` (for email client automatic configuration)
First, make sure you've got Ansible 1.9.3+ installed.

To run the whole dang thing:

```
ansible-playbook -i ./hosts --ask-sudo-pass site.yml
```

If you chose to make a passwordless-sudo deploy user, you can omit the `--ask-sudo-pass` flag. On Ansible 2.x that option is deprecated; the equivalent there is `--ask-become-pass` (`-K`).
To run just one or more pieces, use tags. I try to tag all my includes for easy isolated development. For example, to focus in on your firewall setup:

```
ansible-playbook -i ./hosts --tags=ufw site.yml
```

You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there's no good way of automating it. Fortunately, all the tasks are clearly named, so you should be able to find out where it stopped. I've tried to add comments where manual intervention is necessary.
The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `group_vars/sovereign`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
Add an MX record for `example.com` which assigns `mail.example.com` as the domain's mail server. The MX target must be a name with its own `A` record, not a CNAME: an MX record is not allowed to point at an alias (RFC 2181, section 10.3), and some receivers reject mail from domains that do it anyway.
To ensure your emails pass DKIM checks you need to add a TXT record. The name field will be `default._domainkey.EXAMPLE.COM`. The value field contains the public key used by DKIM. The exact value needed can be found in the file `/var/lib/rspamd/dkim/EXAMPLE.COM.default.txt`. It will look something like this:

```
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKKAQfMwKVx+oJripQI+Ag4uTwYnsXKjgBGtl7Tk6UMTUwhMqnitqbR/ZQEZjcNolTkNDtyKZY2Z6LqvM4KsrITpiMbkV1eX6GKczT8Lws5KXn+6BHCKULGdireTAUr3Id7mtjLrbi/E3248Pq0Zs39hkDxsDcve12WccjafJVwIDAQAB
```
For DMARC you'll also need to add a TXT record. The name field should be `_dmarc.EXAMPLE.COM` and the value should be `v=DMARC1; p=none`. With `p=none` receivers only report and never quarantine or reject, so add a `rua=mailto:` address to that value if you want the aggregate reports, and move to `p=quarantine` or `p=reject` once SPF and DKIM are confirmed working. More info on DMARC can be found here.
Set up SPF and reverse DNS as per this post. Make sure to validate that it's all working, for example by sending an email to a mail-authentication verifier such as check-auth@verifier.port25.com and reviewing the report that will be emailed back to you.
Sign in to the ZNC web interface and set things up to your liking. It isn't exposed through the firewall, so you must first set up an SSH tunnel (as the `deploy` user you created earlier):

```
ssh deploy@example.com -L 6643:localhost:6643
```

Then proceed to http://localhost:6643 in your web browser.

Similarly, to access the server monitoring page, use another SSH tunnel:

```
ssh deploy@example.com -L 2812:localhost:2812
```

Again proceeding to http://localhost:2812 in your web browser.
Finally, sign into ownCloud with a new administrator account to set it up. You should select PostgreSQL as the configuration backend. Use `owncloud` as the database user and the database name. For the database password, Ansible has created a set of random passwords for each service and stored them in your local folder `secret`; use the one in the ownCloud database password file there.
We're collecting known-good client setups on our wiki.

If you run into errors, please check the wiki page. If the problem you encountered is not listed, please go ahead and create an issue. If you already have a bugfix and/or workaround, just put them in the issue and on the wiki page.
You will need to manually enter the password for any encrypted volumes on reboot. This is not Sovereign-specific, but rather a function of how EncFS works. This will necessitate SSHing into your machine after reboot, or accessing it via a console interface if one is available to you. Once you're in, run this (as root):

```
encfs /encrypted /decrypted --public
```

`--public` mounts the decrypted view as an ordinary multi-user filesystem rather than one visible only to the mounting user, which is what lets the daemons' service accounts read it. It is possible that some daemons may need to be restarted after you enter your password for the encrypted volume(s). Some services may stall out while looking for resources that will only be available once the `/decrypted` volume is mounted and visible to daemon user accounts.
Ask questions and provide feedback in #sovereign on Freenode.