Secure by default Sandstorm installation with nginx reverse proxy and base Debian setup.

Status: alpha, initial release, not to be depended on :)

Root access to a Debian Jessie installation.

A wildcard TLS certificate. (must be copied to the box before this role runs, see test.yml)

• sandstorm_hostname: defaults to {{ansible_fqdn}}
• sandstorm_wildcard_host: defaults to *.{{sandstorm_hostname}}, lets us change WILDCARD_HOST in sandstorm.conf
• sandstorm_port: defaults to 6080
• sandstorm_dev_accounts: defaults to "false", set to "yes" to enable (note: must be the string "yes", with quotes)
• sandstorm_verify_installer: defaults to false, set to true to enable gpg verification of sandstorm installer
• sandstorm_onion: defaults to false for now. still work in progress

• ssh_onion: defaults to true. only allow ssh access through a tor hidden service (tor and ssh client setup required, see https://stribika.github.io/2015/01/04/secure-secure-shell.html#traffic-analysis-resistance)
• ssh_debug: defaults to false. always bind ssh to 0.0.0.0, even if ssh_onion is true

• ssl_certificate_path: path provided to the nginx ssl_certificate config value
• ssl_certificate_key_path: path provided to the nginx ssl_certificate_key config value
• ssl_trusted_certificate_path: path provided to the nginx ssl_trusted_certificate config value

See the nginx configuration docs for details on the SSL fields.

• backup_target: backup target for duplicity (see the duplicity docs)
• backup_target_password: if your backup target needs a password
• backup_enc_key_path: local path of a gpg key to use for encrypting backups
• backup_sig_key_path: local path of a gpg key to use for signing backups
• backup_encryption_key_id: the key id of the gpg key to use to encrypt backups
• backup_signing_key_id: the key id of the gpg key to use to sign backups
• backup_hour: hour of the day to run the backup
• backup_minute: minute of the hour to run the backup
• backup_max_age: delete backups older than this. a full backup will also be performed at this interval to insure that files older than this are not kept around due to subsequent incremental backups. see the TIME FORMATS section of man duplicity for documentation on the format

See test/gen-duplicity-keys.sh for an example of generating the backup keys.

If your backup target uses the scp or sftp targets, the following parameters are needed to configure ssh auth:

• backup_ssh_key_path: path to an ssh private key
• backup_ssh_host_name: hostname of the server, for known_hosts config
• backup_ssh_host_key_path: will be added to known_hosts to identify the backup server correctly. also only needed for targets that require ssh access. you can generate this with ssh-keyscan -H your-backup-server.net, but be sure to check the key you use corresponds with the actual value on your server (in /etc/ssh/*.pub)!

• open_ports: list of open tcp ports. defaults to [80, 443]. add 22 if you want to ssh directly instead of through Tor

• enable_mta: defaults to "false", set to true to install and configure exim4. if left false we ensure that exim4 is stopped and remove it. Do not enable if you are using sandstorm_onion. First, doing so would expose the IP address of your server and second, when the Sandstorm hidden service is enabled DNS queries are routed through Tor, which does not return MX records.

• jnv.unattended-upgrades
• geerlingguy.firewall
• hardening.os-hardening

See test.yml

You can see test.yml in action with Vagrant:

• ansible-galaxy install -r requirements.yml
• ./test/gen-duplicity-keys.sh
• ./test/gen-test-cert.sh
• Add test/rootCA.pem to your browsers trusted authorities list (note! while this is added to your browser anyone with access to rootCA.key will be able to compromise your TLS connections)
• vagrant up
• Navigate to https://sandstorm.172.19.22.22.xip.io/

MIT

• Matt Urbanski (iflowfor8hours)
• Charlie Austin (charltonaustin)
• Jack Singleton (jacksingleton)
• Vladimir Zelmanov (vzelmanov)