Secure by default Sandstorm installation with nginx reverse proxy and base Debian setup.
Status: alpha, initial release, not to be depended on :)
Root access to a Debian Jessie installation.
A wildcard TLS certificate. (must be copied to the box before this role runs, see test.yml)
- sandstorm_hostname: defaults to
{{ansible_fqdn}} - sandstorm_wildcard_host: defaults to
*.{{sandstorm_hostname}}, lets us changeWILDCARD_HOSTinsandstorm.conf - sandstorm_port: defaults to
6080 - sandstorm_dev_accounts: defaults to
"false", set to"yes"to enable (note: must be the string "yes", with quotes) - sandstorm_verify_installer: defaults to
false, set totrueto enable gpg verification of sandstorm installer - sandstorm_onion: defaults to
falsefor now. still work in progress
- ssh_onion: defaults to
true. only allow ssh access through a tor hidden service (tor and ssh client setup required, see https://stribika.github.io/2015/01/04/secure-secure-shell.html#traffic-analysis-resistance) - ssh_debug: defaults to
false. always bind ssh to0.0.0.0, even if ssh_onion istrue
- ssl_certificate_path: path provided to the nginx ssl_certificate config value
- ssl_certificate_key_path: path provided to the nginx ssl_certificate_key config value
- ssl_trusted_certificate_path: path provided to the nginx ssl_trusted_certificate config value
See the nginx configuration docs for details on the SSL fields.
- backup_target: backup target for
duplicity(see the duplicity docs) - backup_target_password: if your backup target needs a password
- backup_enc_key_path: local path of a gpg key to use for encrypting backups
- backup_sig_key_path: local path of a gpg key to use for signing backups
- backup_encryption_key_id: the key id of the gpg key to use to encrypt backups
- backup_signing_key_id: the key id of the gpg key to use to sign backups
- backup_hour: hour of the day to run the backup
- backup_minute: minute of the hour to run the backup
- backup_max_age: delete backups older than this. a full
backup will also be performed at this interval to insure that
files older than this are not kept around due to subsequent
incremental backups. see the
TIME FORMATSsection ofman duplicityfor documentation on the format
See test/gen-duplicity-keys.sh for an example of generating the backup keys.
If your backup target uses the scp or sftp targets, the following parameters are needed to configure ssh auth:
- backup_ssh_key_path: path to an ssh private key
- backup_ssh_host_name: hostname of the server, for known_hosts config
- backup_ssh_host_key_path: will be added to known_hosts to identify
the backup server correctly. also only needed for targets that
require ssh access. you can generate this with
ssh-keyscan -H your-backup-server.net, but be sure to check the key you use corresponds with the actual value on your server (in /etc/ssh/*.pub)!
-
open_ports: list of open tcp ports. defaults to
[80, 443]. add22if you want to ssh directly instead of through Tor -
enable_mta: defaults to
"false", set to true to install and configure exim4. if leftfalsewe ensure that exim4 is stopped and remove it. Do not enable if you are usingsandstorm_onion. First, doing so would expose the IP address of your server and second, when the Sandstorm hidden service is enabled DNS queries are routed through Tor, which does not return MX records.
- jnv.unattended-upgrades
- geerlingguy.firewall
- hardening.os-hardening
See test.yml
You can see test.yml in action with Vagrant:
ansible-galaxy install -r requirements.yml./test/gen-duplicity-keys.sh./test/gen-test-cert.sh- Add
test/rootCA.pemto your browsers trusted authorities list (note! while this is added to your browser anyone with access to rootCA.key will be able to compromise your TLS connections) vagrant up- Navigate to https://sandstorm.172.19.22.22.xip.io/
MIT
- Matt Urbanski (iflowfor8hours)
- Charlie Austin (charltonaustin)
- Jack Singleton (jacksingleton)
- Vladimir Zelmanov (vzelmanov)