/provision-linode

Provision a Linode webserver using Terraform and Ansible

Primary LanguageHTML

Provision

This project provisions a nano 1G Linode server for hosting basic web and email services.

Before you begin, ensure both Terraform and Ansible are installed locally.

You will also need a Linode API access key.

Provisioning the server

Generate SSH keypairs for the root and primary user accounts:

  • ssh-keygen -N "" -C root@example.com -f keys/example-root
  • ssh-keygen -N "" -C user@example.com -f keys/example-user

Then execute these commands to provision the server:

  • cd terraform
  • cp terraform.tfvars.example terraform.tfvars
  • Update the values in terraform.tfvars accordingly
  • terraform init
  • terraform apply

The server must be reachable via DNS for generating SSL/TLS certificates to succeed. Terraform will create the necessary records but setup will fail if these records have not propegated yet. If this happens, wait a short while and run terraform apply again.

Post-provisioning

The primary user account is configured for certificate-based SSH login. You may wish to set a password once the server is provisioned to allow for recovery/console login.

The password for the primary email address is "password". Execute the following to change it:

doveadm pw -s SHA512-CRYPT
sudo sqlite3 /etc/postfix/accounts.sqlite

UPDATE users SET password = "{SHA512-CRYPT}xxx" WHERE user = "<username>" AND domain = "<domain>";

Additional email users can be added with:

INSERT INTO users VALUES ("<username>", "<domain>", "{SHA512-CRYPT}xxx", "Y");

What's installed

  • Ubuntu (18.04 LTS)
  • Nginx (1.14)
  • PHP (7.2) - also Composer
  • MySQL (8.0)
  • Let's Encrypt SSL/TLS certificates
  • Dovecot (2.2)
  • Postfix (3.3)
  • OpenDKIM (2.11)
  • SpamAssassin (3.4)

Nginx configuration scores A+ in SSL Labs grading as of Feb 17, 2019.

Security audits are welcome.