Automated solution for hosting email, web, DNS, XMPP, and ZNC on OpenBSD.
Hi! This is my ansible playbook for self-hosting your own email, web hosting, XMPP chat, Matrix homeserver, Tiny Tiny RSS, Git repos, and DNS records using OpenBSD. I use it to host everything on c0ffee.net, but you can easily adapt it for your own domain by setting a few variables in vars.yml.
NEW: Read the changelog before running this playbook after updates! There are often breaking changes!!
./scripts/bootstrap_openbsd.sh
cp vars-sample.yml vars.yml && vi vars.yml
ansible-playbook site.yml
./scripts/ds_records.sh YOURDOMAIN
and set DS records at your registrar for DNSSEC.
dankctl useradd

A small and secure OpenBSD platform to host email, DNS, XMPP chat, Matrix, TTRSS, Git, and some web sites.
Use as much of the OpenBSD base system as possible:
Of course, some packages from the ports tree will be necessary:
And some third-party projects not currently in packages:
Encryption Everywhere:
nsd and cron tasks using ldns-signzone for daily zone re-signing and slave NOTIFYs
Keep it Simple
Create an account in the wheel group. Don't use your preferred username for this account - save that for your LDAP username.
Run scripts/bootstrap_openbsd.sh as root to add a package repo URL and set up doas for your user (required for Ansible).
Your slave DNS servers must accept NOTIFYs and perform zone transfers from your server's IP address.
cp vars-sample.yml vars.yml and edit the configuration to your liking.
ansible-playbook site.yml
Run scripts/ds_records.sh YOURDOMAIN to generate the records. At Namecheap, this is configured under "Advanced DNS > DNSSEC" in the web portal.
dankctl useradd your_username -c "Your Name" -G ssh,sudo -r admin -k "your ssh key"
Login info: the credentials for SMTP (STARTTLS, port 587) and IMAP (SSL, port 993) are simply your username (without the @domain.com portion) and login password. XMPP uses the username@domain.com syntax for logins, but the password is the same. Mail is stored under ~/Maildir in each user's home directory for easy access using local clients like mutt.
Email Filtering: any sieve script located at ~/.dovecot.sieve will automatically apply filters to your incoming mail. You can compile the sieve script and check for syntax errors using sievec ~/.dovecot.sieve. For example, to filter all your cron emails into a folder called Logs:
require ["regex", "fileinto", "imap4flags", "mailbox", "envelope", "variables"];

# root@YOURDOMAIN is a placeholder: use the address your cron mail is sent from
if allof ( address :is "from" "root@YOURDOMAIN",
           anyof ( header :contains "subject" "cron",
                   header :contains "subject" "output" )) {
    fileinto :create "Logs";
    stop;
}
XMPP Chat: the XMPP server, Prosody, is really slick. As configured here, it supports HTTP file upload for image sharing, delivery to multiple devices via carbons, push notifications, group chats, message history, and basically everything you'd expect from a modern chat solution. XMPP isn't all that bad! The best clients are ChatSecure for iOS, Conversations for Android, and Gajim for *nix and Windows. No decent clients for OS X, sadly. All those clients support end-to-end crypto via OMEMO. Easily federate with others on separate XMPP servers for truly decentralized, open communication!
Account Maintenance: to add, remove, and modify accounts and groups, use the dankctl command. Its help output should be quite self-explanatory.
IPv6: spamd does not currently support IPv6, so don't go adding an AAAA record for mail in the zonefile!
Monitoring spamd: just run spamdb to see a list of senders currently greylisted/whitelisted.
Virtual Hosts: a default vhost will be created for www.domain.com, with a bare domain redirect. Shove HTML files into /var/www/htdocs/www.domain.com to start sharing your worthless opinions with the internet! To add more vhosts, just put a configuration file in /etc/sites and include it in /etc/httpd.d/sites.conf.
Greylisting pitfalls: spamd works by greylisting. Unfortunately, big mailers like GMail often don't retry delivery from the same address, resulting in a greylist black hole described here. To alleviate this, I included a daily cron job that whitelists the IP addresses found in the SPF records for some of the big mailers like GMail and Yahoo. If you notice any other problematic domains, add them to the bigmailers list defined in roles/spamd/defaults/main.yml to have their IP ranges whitelisted. (And be sure to send me a pull request!)
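As an added example (not the playbook's own cron job), this is the SPF walk that whitelisting a big mailer requires: follow include: and redirect= terms, collect the ip4/ip6 ranges, and stop on loops. DNS is replaced by a constructed TXT table with invented names and documentation-space addresses so it runs offline; swap in a real resolver for fake_lookup.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups. The names and ranges
# are invented (RFC 5737/3849 space), not the real records of any mailer.
FAKE_TXT = {
    "gmail.example": ["v=spf1 redirect=_spf.gmail.example"],
    "_spf.gmail.example": ["v=spf1 include:_netblocks.gmail.example ~all"],
    "_netblocks.gmail.example": [
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.16/28 ip6:2001:db8:1::/48 ~all",
        "some unrelated TXT record",
    ],
    "yahoo.example": ["v=spf1 ip4:203.0.113.0/25 include:_spf.gmail.example -all"],
    "loop.example": ["v=spf1 include:loop.example ~all"],
}


def fake_lookup(name):
    """TXT lookup against the constructed table (replace with a resolver)."""
    return FAKE_TXT.get(name, [])


def spf_networks(domain, lookup, seen=None):
    """Return the set of ip4/ip6 networks a domain's SPF record names.

    include: and redirect= are followed recursively; a name is never visited
    twice, so a self-referencing record terminates. a/mx/ptr/exists need
    further DNS and are ignored, as are unknown terms.
    """
    seen = set() if seen is None else seen
    if domain in seen:
        return set()
    seen.add(domain)
    nets = set()
    for txt in lookup(domain):
        if not txt.startswith("v=spf1"):
            continue                      # not an SPF record
        for term in txt.split()[1:]:
            term = term.lstrip("+-~?")    # drop the qualifier
            if term.startswith(("ip4:", "ip6:")):
                nets.add(ipaddress.ip_network(term[4:], strict=False))
            elif term.startswith("include:"):
                nets |= spf_networks(term[8:], lookup, seen)
            elif term.startswith("redirect="):
                nets |= spf_networks(term[9:], lookup, seen)
            elif term == "all":
                break                     # nothing after all: is evaluated
    return nets


if __name__ == "__main__":
    for mailer in ("gmail.example", "yahoo.example"):
        for net in sorted(spf_networks(mailer, fake_lookup), key=str):
            print(mailer, net)
```

The resulting networks are what the daily job would feed into spamd's whitelist; the unrelated TXT record and the looping domain show the two cases a naive parser gets wrong.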
Password Resets: Passwords can be reset using dankctl resetpass. Currently, only an administrator can do this, since giving users write access to their LDAP user entry could allow them to write a non-hashed password into their userPassword field. It's on my todo list to make some kind of web interface for this.
SSH: SSH keys are stored in LDAP and can be added/removed using dankctl usermod. If a user has a shell on the box, he can run this command with his own credentials. Users must be in the ssh group to connect.
Backups: another thing I'm leaving up to you, since your requirements will almost certainly be unique. Shouldn't be too difficult:
/etc/{passwd,master.passwd,group}
pg_dump to save user info and message archives.
DNSSEC keys (/var/nsd/keys) and DKIM keys (/etc/mail/dkim)
/var/db/ldap, or save the output of ldap search as the root DN.

How to Run Your Own Mail Server: my original email guide. Written for FreeBSD, but still lots of great info about mail hosting. HN Discussion
DNS Hosting Guide: Hidden Master with DNSSEC: my original guide for running your own DNS. Again, written for FreeBSD, but gives a lot of details about why you'd want a hidden master setup.