SATT: Self-host all the things!
A repository containing a set of Ansible roles and playbooks to provision self-hosted Open Source services.
The main goals of this project are:
- regain control of your data,
- counter the growing vendor lock-in of big corporations,
- foster decentralisation and federation,
- enable individuals but also e.g. educational institutions or NGOs to quickly set up their own infrastructure,
- provide an overall well-integrated set of tools that allows one tool to be used together with another.
Key components
- Docker Compose services
- Traefik reverse proxy, loadbalancer and TLS terminator with automatic Let's Encrypt support via ACME protocol by default
- Ansible for provisioning and configuration management
Services
Working
- Nextcloud Hub
- Jitsi Meet
- Collabora Online Development Edition (integrates with Nextcloud)
WIP
Backlog
Prerequisites
- A server running Ubuntu or some other Debian-based distribution and working SSH access. (To try SATT in a local virtual machine, check out the Quickstart with Vagrant below)
- Ansible on another Linux machine that will send SSH commands to the target server to provision it
Quickstart: Vagrant
To give SATT a quick spin, you can easily bootstrap a development VM using Vagrant on your local machine.
Vagrant + Ansible on Windows 10 using Windows Subsystem for Linux
1. Download and install VirtualBox (Documentation).
2. Follow the guide to install the Windows Subsystem for Linux. This SATT guide assumes Ubuntu 18.04 LTS.
3. Open Ubuntu through the Windows Start Menu.
4. Inside the Ubuntu terminal, continue the setup by following the next section.
Vagrant + Ansible on Linux
1. Obtain Vagrant by downloading the corresponding package for your distribution; the next steps assume Ubuntu.
2. Install the package by opening a terminal and running:
   ```
   user@vmhost: ~$ sudo dpkg -i <vagrant-package-name>.deb
   ```
3. To check whether Vagrant was installed successfully, run `vagrant --version`, which must not return an error.
4. Recommended: Install the Vagrant::Hostsupdater plugin, which automatically adds the hostname of the virtual machine to the list of static hosts on your local machine (the VM host). This allows you to later open e.g. `nextcloud.satt.local` in a browser from your local machine. Updates to the hosts file will require entering a sudo password:
   ```
   user@vmhost: ~$ vagrant plugin install vagrant-hostsupdater
   ```
   Note for VM host Windows 10 with WSL: this hosts update currently has no effect outside of WSL, as the updated hosts file is only used within the WSL context, not by Windows itself.
5. Install Ansible:
   ```
   user@vmhost: ~$ sudo apt update && sudo apt upgrade
   user@vmhost: ~$ sudo apt install python3 python3-pip
   user@vmhost: ~$ pip3 install --user ansible
   ```
6. Test Ansible by running `ansible --version`.
7. Clone the SATT repo:
   ```
   user@vmhost: ~$ git clone https://git.jotbe.io/jotbe/ansible-selfhosted-services.git
   ```
8. Change to the local copy and try bootstrapping the VM (this will take a while and you might be asked for a sudo password):
   ```
   user@vmhost: ~$ cd ansible-selfhosted-services
   user@vmhost: ~/ansible-selfhosted-services$ vagrant up
   ```
9. If everything went fine, you should be able to SSH into the machine by running `vagrant ssh` from within the same directory, and the services should be up and running.
10. If you installed the Vagrant::Hostsupdater plugin in step (4) and didn't change the configuration, you should be able to open some services in a browser:
    - Nextcloud: https://nextcloud.satt.local
    - Jitsi: https://jitsi.satt.local

By default, a `vagrant` user will be provisioned (if not already available) and used throughout the provisioning.
Quickstart: Regular server/VM
- Clone this repo
- Install dependencies (roles): `ansible-galaxy install -r requirements.yml`
- Adapt the inventory and choose the services
- Configure each desired service by following the README of its role.
- Run the playbook `site.yml` or one of the service playbooks.
How does it work?
Ansible, the provisioning and configuration management tool, is used to access a Linux server (VM or bare metal) over SSH and provision a set of roles. Each role consists of Docker Compose services (each containing one or more Docker containers).
Traefik is used as a reverse proxy and TLS terminator. The Docker Compose services feature labels that are recognised and processed by Traefik, resulting in a simple yet effective service discovery. Each service has at least a label stating the desired virtual host under which it is going to respond. Traefik will create required Let's Encrypt certificates for TLS and forward requests for that host to the corresponding service.
Persistent data and backups
Docker containers are ephemeral by nature. If data should survive when a container gets replaced, it has to be stored outside the container and mounted into it. SATT uses Docker volumes to make persistence easy. Compared to host mounts, with volume mounts you don't have to deal with e.g. permission and ownership issues in the container.
Backups are currently only supported for Nextcloud and are provided by Restic, specifically restic-compose-backup (rcb). With rcb you can back up static volumes and also the relational databases MySQL, MariaDB and Postgres, using the corresponding DB dump commands.
Persistent volumes that need to be backed up are labelled so that rcb finds them, and the labels also state whether a service is one of the databases above that should be backed up.
Restic assumes untrusted environments, hence backups are always encrypted using modern algorithms. See their website for further details.
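Both label mechanisms described above, Traefik's label-based service discovery with automatic Let's Encrypt certificates and rcb's backup labels, shown in one Docker Compose file. This is an added illustration, not a file from the SATT repository; the hostname, e-mail address, image tags, resolver name `le`, Traefik v2 label syntax and the rcb label names (as I understand them from the rcb project's documentation) are assumptions, and Let's Encrypt can only issue for a publicly resolvable hostname, so `nextcloud.satt.local` would have to be replaced on a real server.

```yaml
version: "3.7"

services:
  traefik:
    image: traefik:v2.4
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # only services that opt in via labels get routed
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.email=admin@example.org   # placeholder address
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true         # ACME TLS-ALPN-01 on port 443
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # read-only socket: Traefik only watches events
      - traefik-letsencrypt:/letsencrypt               # keeps issued certificates across restarts

  nextcloud:
    image: nextcloud:21-apache
    labels:
      traefik.enable: "true"                                        # opt in to service discovery
      traefik.http.routers.nextcloud.rule: "Host(`nextcloud.satt.local`)"  # virtual host to respond to
      traefik.http.routers.nextcloud.entrypoints: websecure         # HTTPS only
      traefik.http.routers.nextcloud.tls.certresolver: le           # Traefik requests the certificate
      traefik.http.services.nextcloud.loadbalancer.server.port: "80"
      restic-compose-backup.volumes: "true"                         # assumed rcb label: back up volumes
    volumes:
      - nextcloud-data:/var/www/html   # named volume, not a host path

  db:
    image: mariadb:10.5
    labels:
      restic-compose-backup.mariadb: "true"   # assumed rcb label: dump the DB instead of copying files
    environment:
      MYSQL_ROOT_PASSWORD: change-me          # placeholder; use a secret in practice
    volumes:
      - db-data:/var/lib/mysql

volumes:
  nextcloud-data:
  db-data:
  traefik-letsencrypt:
```

The `db` service carries no Traefik labels, so with `exposedbydefault=false` it is never reachable through the proxy; Nextcloud's own database connection settings are left out here.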