Secure by default Sandstorm installation with nginx reverse proxy and base Debian setup.
Status: alpha, initial release, not to be depended on :)
Requirements: root access to a Debian Jessie installation, and a wildcard TLS certificate (it must be copied to the box before this role runs, see test.yml).
Role variables (most variable names did not survive in this copy of the page; only the defaults and their descriptions are listed):

- hostname (sandstorm_hostname, referenced by the next variable): defaults to {{ansible_fqdn}}.
- wildcard host: defaults to *.{{sandstorm_hostname}}; lets us change WILDCARD_HOST in sandstorm.conf.
- Sandstorm port: defaults to 6080.
- defaults to "false"; set to "yes" to enable (note: must be the string "yes", with quotes).
- GPG verification of the Sandstorm installer: defaults to false; set to true to enable.
- defaults to false for now; still work in progress.
- ssh_onion: defaults to true; only allow ssh access through a Tor hidden service (Tor and an ssh client setup are required, see https://stribika.github.io/2015/01/04/secure-secure-shell.html#traffic-analysis-resistance).
- bind ssh to all interfaces: defaults to false; set to true to always bind ssh to 0.0.0.0, even if ssh_onion is true.
See the nginx configuration docs for details on the SSL fields.
Backups are done with duplicity (see the duplicity docs). See the TIME FORMATS section of man duplicity for documentation on the format. See test/gen-duplicity-keys.sh for an example of generating the backup keys.

If your backup target uses the scp or sftp backends, the following parameters are needed to configure ssh auth (the parameter names are missing from this copy of the page). The server's host key can be fetched with ssh-keyscan -H your-backup-server.net, but be sure to check that the key you use corresponds with the actual value on your server (in /etc/ssh/*.pub)! A key taken from an unverified scan pins whatever answered the scan, including a man-in-the-middle, for every later backup.

open_ports: list of open tcp ports. Defaults to [80, 443]. Add 22 if you want to ssh directly instead of through Tor.

enable_mta: defaults to "false". Set to true to install and configure exim4; if left false we ensure that exim4 is stopped and remove it. Do not enable it if you are using sandstorm_onion: first, doing so would expose the IP address of your server, and second, when the Sandstorm hidden service is enabled DNS queries are routed through Tor, which does not return MX records.
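The host key check recommended above, as an added example that is not part of this role or its test scripts: it computes the same SHA256 fingerprint that ssh-keygen -lf prints, once for the key returned by ssh-keyscan -H and once for the server's own /etc/ssh/*.pub file, and accepts the keyscan output only when every key it returned matches. The key material, hostname hash and keyscan banner are constructed placeholders so the script runs offline; on a real host you would paste the keyscan output and the contents of the .pub files in their place.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def _ed25519_blob(raw32: bytes) -> bytes:
    """Build an OpenSSH public key blob for an ed25519 key from 32 raw bytes."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)


# Constructed sample data (assumption, not taken from the page): two different
# fake ed25519 keys. The byte values are arbitrary; only the encoding matters.
SERVER_KEY_B64 = base64.b64encode(_ed25519_blob(bytes(range(32)))).decode()
OTHER_KEY_B64 = base64.b64encode(_ed25519_blob(bytes(range(1, 33)))).decode()

# What /etc/ssh/ssh_host_ed25519_key.pub on the backup server would contain.
SERVER_PUB_FILE = f"ssh-ed25519 {SERVER_KEY_B64} root@your-backup-server.net\n"

# What `ssh-keyscan -H your-backup-server.net` would print: a '#' banner line,
# then "|1|<salt>|<hmac>" (hashed hostname), key type and base64 key.
# The salt/hmac values are placeholders, not a real hash of the hostname.
KEYSCAN_OUTPUT = (
    "# your-backup-server.net:22 SSH-2.0-OpenSSH_6.7p1 Debian-5\n"
    "|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2g= "
    f"ssh-ed25519 {SERVER_KEY_B64}\n"
)


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`:
    'SHA256:' followed by the unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> dict:
    """Map key type -> fingerprint for every key line in ssh-keyscan / known_hosts
    output. Banner lines ('#') and malformed lines are skipped, never trusted."""
    result = {}
    for line in text.splitlines():
        fields = line.strip().split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        _hostfield, ktype, key = fields[:3]
        try:
            result[ktype] = fingerprint(key)
        except ValueError:  # binascii.Error is a ValueError: bad base64
            continue
    return result


def parse_pub_file(text: str):
    """Return (key type, fingerprint) for the contents of one /etc/ssh/*.pub file."""
    ktype, key = text.split()[:2]
    return ktype, fingerprint(key)


def keyscan_matches_server(keyscan_text: str, server_pub_files) -> bool:
    """Accept the ssh-keyscan output only if it returned at least one key and
    every key type it returned has the same fingerprint as the server's own
    /etc/ssh/*.pub file of that type. Any mismatch means the scan may have been
    answered by a man-in-the-middle and must not be written to known_hosts."""
    scanned = parse_keyscan(keyscan_text)
    if not scanned:
        return False
    server = dict(parse_pub_file(f) for f in server_pub_files)
    return all(server.get(ktype) == fp for ktype, fp in scanned.items())


if __name__ == "__main__":
    for ktype, fp in parse_keyscan(KEYSCAN_OUTPUT).items():
        print(ktype, fp)
    print("keyscan matches server:",
          keyscan_matches_server(KEYSCAN_OUTPUT, [SERVER_PUB_FILE]))
```

Compare the printed fingerprint with the output of `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the backup server over a channel you already trust (console, or an existing verified session); only then add the keyscan line to the known_hosts the backup job uses.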
See test.yml for a full example of using the role. You can see test.yml in action with Vagrant:

    ansible-galaxy install -r requirements.yml
    ./test/gen-duplicity-keys.sh
    ./test/gen-test-cert.sh

Then add test/rootCA.pem to your browser's trusted authorities list (note! while this is added to your browser, anyone with access to rootCA.key will be able to compromise your TLS connections, so remove it again once you are done testing) and run:

    vagrant up
MIT