jotbe/ansible-selfhosted-services

Fork 0

A repository containing a set of Ansible roles and playbooks to provision self-hosted Open Source services to reduce dependency on big platforms, take back your data and foster decentralisation.

Find a file

Jan Beilicke f4877cea21 Simplifies docker provisioning, fixes issue with docker 7.0 pip packages through downgrade		2023-12-09 19:11:43 +01:00
files	Initial commit	2020-03-24 01:04:18 +01:00
group_vars	Simplifies docker provisioning, fixes issue with docker 7.0 pip packages through downgrade	2023-12-09 19:11:43 +01:00
playbooks	Initial commit	2020-03-24 01:04:18 +01:00
ansible.cfg	Initial commit	2020-03-24 01:04:18 +01:00
collabora-online.yml	Added Collabora Online Developer Edition (CODE)	2020-03-28 18:07:00 +01:00
common.yml	Initial commit	2020-03-24 01:04:18 +01:00
coturn.yml	Added coturn	2022-10-03 21:56:46 +02:00
docker.yml	Simplifies docker provisioning, fixes issue with docker 7.0 pip packages through downgrade	2023-12-09 19:11:43 +01:00
inventory.ini.sample	Windows 10: Added a simpler way to provision a VM just by using Vagrant (no WSL required)	2020-11-26 07:56:51 +00:00
jitsi.yml	Fixed broken group name	2020-03-25 23:38:23 +01:00
nextcloud.yml	Initial commit	2020-03-24 01:04:18 +01:00
onlyoffice.yml	Wrap-up of the ONLYOFFICE service which is now fully functional within Nextcloud	2020-04-16 22:10:36 +02:00
README.md	Added coturn	2022-10-03 21:56:46 +02:00
requirements.yml	Simplifies docker provisioning, fixes issue with docker 7.0 pip packages through downgrade	2023-12-09 19:11:43 +01:00
site.yml	Added coturn	2022-10-03 21:56:46 +02:00
Vagrantfile	Windows 10: Added a simpler way to provision a VM just by using Vagrant (no WSL required)	2020-11-26 07:56:51 +00:00

README.md

SATT: Self-host all the things!

A repository containing a set of Ansible roles and playbooks to provision self-hosted Open Source services.

The main goals of this project are:

regain control of your data,
counter the growing vendor lock-in of big corporations,
foster decentralisation and federation,
enable individuals but also e.g. educational institutions or NGOs to quickly set up their own infrastructure,
provide an overall well integrated set of tools which allows to use one tool together with another.

Key components

Docker Compose services
Traefik reverse proxy, loadbalancer and TLS terminator with automatic Let's Encrypt support via ACME protocol by default
Ansible for provisioning and configuration management

Services

Working

Jitsi Meet
Nextcloud Hub
ONLYOFFICE Document Server (integrates with Nextcloud)
Collabora Online Development Edition (integrates with Nextcloud)
Cryptpad
Coturn TURN/STUN server

WIP

BigBlueButton

Backlog

Mumble
Moodle
Matrix+Riot
Opencast
Auth-Backend (e.g. Keycloak)

Prerequisites

A server running Ubuntu or some other Debian-based distribution and working SSH access. (To try SATT in a local virtual machine, check out the Quickstart with Vagrant below)
Ansible on another Linux machine that will send SSH commands to the target server to provision it

Quickstart: Vagrant

To give SATT a quick spin, you could easily bootstrap a development VM using Vagrant on your local machine.

Vagrant + Ansible on Linux

Obtain Vagrant by downloading the corresponding package for your distribution, assuming Ubuntu in the next steps.

Install the package by opening a Terminal and running:

user@vmhost: ~$ sudo dpkg install <vagrant-package-name>.deb

To check whether Vagrant was installed successfully, try running vagrant --version which must not return an error.
Recommended: Install the Vagrant::Hostsupdate plugin that will automatically add the hostname of the virtual machine to the list of static hosts on your local machine (VM host). This allows you to later open e.g. nextcloud.satt.local in a browser from your local machine. Updates to the hosts file will require entering a sudo password:
```
user@vmhost: ~$ vagrant plugin install vagrant-hostsupdater
```
Note for VM host Windows 10 with WSL: This host update will currently have no effect outside of WSL, as the updated hosts file is only used within the WSL context, not Windows itself.

Install Ansible:

user@vmhost: ~$ sudo apt update && sudo apt upgrade
user@vmhost: ~$ sudo apt install python3 python3-pip
user@vmhost: ~$ pip3 install --user ansible

Test ansible by running ansible --version

Clone the SATT repo:

user@vmhost: ~$ git clone https://git.jotbe.io/jotbe/ansible-selfhosted-services.git

Change to the local copy and try bootstrapping the VM (this will take a while and you might be asked for a sudo password):
```
user@vmhost: ~$ cd ansible-selfhosted-services
user@vmhost: ~/ansible-selfhosted-services$ vagrant up
```
If everything went fine, you should be able to SSH into the machine by running vagrant ssh from within the same directory and services should be up and running.
If you installed the Vagrant::Hostsupdate plugin in step (4) and didn't change the configuration, you should be able to open some services in a browser:
- Nextcloud: https://nextcloud.satt.local
- Jitsi: https://jitsi.satt.local

By default, a vagrant user will be provisioned (if not already available) and used throughout the provisioning.

IMPORTANT: Pay attention to the Firewall section below.

Vagrant on Windows 10 (no Ansible required)

Vagrant will bootstrap a VM, install Ansible und run the provisioning from within the VM, i.e. the Vagrant host does not need to have any Ansible installed.

Download and install Virtualbox (Documentation)
Obtain Vagrant by downloading and installing the corresponding package
Clone this repository with Git or download and extract an archive
Open a Command Prompt or Powershell window and navigate to the checked out repository / extracted archive.
Run Vagrant with: vagrant up and wait patiently.

Vagrant on Windows 10 using Windows Subsystem for Linux + Ansible

This approach will install Vagrant and Ansible in a Linux box using WSL. Vagrant will provision the VM with Ansible from the Vagrant host over SSH.

Download and install Virtualbox (Documentation)
Follow the guide to install the Windows Subsystem for Linux. This SATT guide assumes Ubuntu 18.04 LTS
Open Ubuntu through the Windows Start Menu
Inside the Ubuntu Terminal, continue the setup by following the next section.

Quickstart: Regular Linux server/VM

Clone this repo
Install dependencies (roles): ansible-galaxy install -r requirements.yml
Adapt the inventory and choose the services
Configure each desired service by following the README of its role.
Run the playbook site.yml or one of the service playbooks.

IMPORTANT: Pay attention to the Firewall section below.

How does it work?

The provisioning and configuration management tool Ansible is used to access a Linux server (VM, bare-metal) using SSH and provisions a set of roles. Each role consists of Docker Compose services (each containing one or more Docker containers).

Traefik is used as a reverse proxy and TLS terminator. The Docker Compose services feature labels that are recognised and processed by Traefik, resulting in a simple yet effective service discovery. Each service has at least a label stating the desired virtual host under which it is going to respond. Traefik will create required Let's Encrypt certificates for TLS and forward requests for that host to the corresponding service.

Persistent data and backups

Docker containers are ephemeral by nature. If data should survive when a container gets replaced, it has to stored outside the container and mounted into the container. SATT uses Docker volumes to make persistance easy. Compared to host mounts, with volume mounts you don't have to deal e.g. with permission and owner issues in the container.

Backups are currently only supported for Nextcloud and provided by Restic, specifically restic-compose-backup (rcb). With rcb you can backup static volumes but also the relational databases MySQL, MariaDB and Postgres using the corresponding DB dump commands.

Persistent volumes that need to be backed up will be labeled in a way that rcb will find them and also whether it is one of the DBs above which should be backed up.

Restic assumes untrusted environments, hence backups are always encrypted using modern algorithms. See their website for further details.

Firewall

The common role comes with a firewall based on iptables. If you don't allow SSH (usually port 22) then you might lock yourself out. Have a look at group_vars/vagrant.yml for an example config. Add the corresponding firewall parameters to your host_vars and adapt them according to your needs.